
For a variety of reasons we outlined in Chapter 1, WEP is with us to stay, no matter how good and secure the replacements for WEP are. Just to refresh your memory, a few of these reasons are as follows:

WEP is easy to set up and any 802.11-compliant system supports it.

Legacy hardware might not support new security protocols and companies might not want to throw it away after investing millions in acquiring it and setting it up.

Newer hardware will fall back to the security level of legacy hardware to interoperate.

Many users and system administrators are security-ignorant or just plain lazy and won't upgrade their firmware and drivers to support more secure replacements for WEP.

There is more effort and cost involved in setting up newer wireless security systems, forcing users to upgrade and invest in personnel training. Some companies might opt against it for financial or administration reasons.

Implementing the final 802.11i/WPAv2 CCMP will require a complete hardware upgrade that won't be considered reasonable by many.

There is still a circulating opinion that WEP is sufficiently secure for small office and home office networks. Unfortunately, there are "security professionals" unfamiliar with the reality who still support this opinion.

For these reasons, attacks against WEP are not obsolete even if WEP is; the tools used to run these attacks should be reviewed with great attention.

AirSnort

The most commonly used WEP cracking tool is AirSnort from the Shmoo group (http://airsnort.shmoo.com; see Figure 6-1).

Figure 6.1. Shmoo group AirSnort in action.


AirSnort has a very intuitive GTK+ interface and is straightforward to use for both network discovery and WEP cracking. It supports both Prism and Hermes chipset cards with the applied Shmoo patch. AirSnort can dump the logged data in a pcap file format, as well as open and crack pcap-format files collected using other tools like Kismet. This opens a variety of interesting possibilities linked to WEP cracking; for instance, packet collection using a PDA followed by cracking the WEP key on the auditor's desktop that lacks wireless interfaces. Alternatively, you might try to port AirSnort to StrongArm CPU and embedded Linux distributions.

The majority of CF 802.11b cards are Prism-based, which should be a great help to anyone trying to port AirSnort to Intimate, OpenZaurus, Familiar, or Embeddix.

Wepcrack

Although AirSnort is the most popular WEP cracking tool that uses the Fluhrer, Mantin, and Shamir (FMS) attack against WEP, Wepcrack was the first tool to implement the theoretical attack described by these famous cryptologists in practice. Wepcrack is a collection of Perl scripts that includes WEPcrack.pl, WeakIVGen.pl, prism-getIV.pl, and prism-decode.pl. Prism-getIV.pl takes a pcap-format file as an input (e.g., perl prism-getIV.pl <Kismet-`date`.dump>) and collects packets with initialization vectors (IVs; see Chapter 11) that match the pattern known to weaken WEP keys. It also dumps the first byte of the encrypted output and places it and the weak IVs in a log file called IVFile.log. IVFile.log is used as an input to crack WEP with WEPcrack.pl.

Real-time WEP cracking a la AirSnort using Wepcrack is straightforward:

arhontus:~# tcpdump -i wlan0 -w - | perl prism-getIV.pl

Then edit your crontab (crontab -e) to run the perl WEPcrack.pl <IVFile.log> command at the chosen interval (e.g., every three minutes).

To be analyzed by the prism-getIV and WEPcrack scripts, the dumped file should be generated using a libpcap library that understands the 802.11 frame format. This is not a problem for current versions of libpcap (get it from http://www.tcpdump.org/#current).

Although AirSnort is considered to be a more advanced WEP cracking tool than the Wepcrack scripts, there are several advantages to using Wepcrack:

It is educational. If you want to know how the FMS attack works, reading the code of the Wepcrack scripts is probably the best way to learn about it. In fact, WeakIVGen.pl is included as a proof-of-concept tool that generates a weak IVs file from a given decimal-format WEP key value. Thus, by reading its code you can learn how the weak IVs come about. Also, the prism-decode.pl script demonstrates how pcap-format dump files can be decoded to display the 802.11 header information, which could be useful for anyone developing an 802.11 sniffer in Perl or otherwise (also see Perlskan.pl).

You can run Wepcrack scripts without X-server and GUIs (similar to the older AirSnort 0.9 version). This has multiple advantages, including preserving CPU cycles, battery power, and endless scripting possibilities.

It is flexible and enables you to implement possible improvements to the FMS attack and integrate with other wireless security auditing tools, such as Kismet and Wellenreiter.

You don't care about the card chipset as long as you can put it into the RFMON mode (think of WEP cracking on 802.11a networks, WEP cracking using HostAP drivers, etc.).

You can run Wepcrack on PDAs as long as Perl is installed. At the same time, no port of AirSnort to Intimate, Familiar, or Embeddix running on StrongArm CPU architecture machines exists at the moment.

Thus, the very first publicly available WEP cracking tool remains very useful and cannot be dismissed by a serious wireless security auditor or enthusiast.
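The header decoding that prism-decode.pl demonstrates, as an added example in Python rather than Perl (not the Wepcrack authors' code): it reads a classic pcap dump of raw 802.11 frames (assumed to be DLT 105, with no Prism or radiotap header), locates the BSSID and the WEP IV in each data frame, and reports per network how much traffic is still WEP-protected and whether any IV repeats, which an auditor would want to know about a network that has not moved off WEP. The sample dump is constructed inline.

```python
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames, no radiotap or Prism header (assumed)
FC_TYPE_DATA, FC_QOS_BIT = 2, 0x80
FC_TODS, FC_FROMDS, FC_PROTECTED = 0x01, 0x02, 0x40

def iter_pcap_records(data):
    """Yield raw frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected DLT 105 (raw 802.11 frames)")
    off = 24
    while off + 16 <= len(data):                       # 16-byte record header precedes each frame
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_data_frame(frame):
    """Return (bssid, iv) for an 802.11 data frame (iv is None if unprotected), else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != FC_TYPE_DATA:
        return None
    flags, a1, a2, a3 = frame[1], frame[4:10], frame[10:16], frame[16:22]
    # The BSSID's address slot depends on To/From DS; WDS (both set) falls back to the transmitter.
    bssid = {0: a3, FC_TODS: a1, FC_FROMDS: a2}.get(flags & (FC_TODS | FC_FROMDS), a2)
    hdr_len = 26 if frame[0] & FC_QOS_BIT else 24      # QoS data adds a 2-byte QoS control field
    # WEP: the 3-byte IV sits right after the header, followed by the key-ID byte
    iv = frame[hdr_len:hdr_len + 3] if flags & FC_PROTECTED and len(frame) >= hdr_len + 4 else None
    return bssid.hex(":"), iv

def summarize(data):
    """Per BSSID: data frames, WEP frames, distinct IVs, and IV repeats (reused RC4 keystream)."""
    stats = defaultdict(lambda: {"data": 0, "wep": 0, "distinct_ivs": set(), "iv_reuse": 0})
    for bssid, iv in filter(None, map(parse_data_frame, iter_pcap_records(data))):
        s = stats[bssid]
        s["data"] += 1
        if iv is not None:
            s["wep"] += 1
            s["iv_reuse"] += iv in s["distinct_ivs"]
            s["distinct_ivs"].add(iv)
    return {b: dict(s, distinct_ivs=len(s["distinct_ivs"])) for b, s in stats.items()}

def build_sample_pcap():
    """Constructed dump, not a real capture: three WEP frames (one IV repeated) plus one open frame."""
    ap, sta = b"\x00\xaa\xbb\xcc\xdd\xee", b"\x00\x11\x22\x33\x44\x55"
    def frame(flags, iv=None):                         # STA -> AP (ToDS), so addr1 holds the BSSID
        hdr = bytes([0x08, flags]) + b"\x00\x00" + ap + sta + ap + b"\x10\x00"
        return hdr + (iv + b"\x00\xde\xad\xbe\xef\x00\x00\x00\x00" if iv else b"")  # IV, key ID, data, ICV
    frames = [frame(FC_TODS | FC_PROTECTED, b"\x01\x02\x03"), frame(FC_TODS | FC_PROTECTED, b"\x01\x02\x04"),
              frame(FC_TODS | FC_PROTECTED, b"\x01\x02\x03"), frame(FC_TODS)]   # third repeats the first IV
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return out + b"".join(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

Running summarize() on a real dump from tcpdump or Kismet works the same way, provided the file was written with the raw 802.11 link type.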

Dweputils

A part of the BSD-airtools suite, Dweputils consists of dwepdump, dwepcrack, and dwepkeygen. Dweputils employ an improved FMS attack as outlined in H1kari's "Practical Exploitation of RC4 Weaknesses in WEP Environments" article at http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt. Because this chapter is devoted to utilities and not the description of attack methodology, we return to this article and other details of improved WEP attacks in the appropriate section of Chapter 8.

Dwepdump is a prism2dump-like pcap-format file dump utility, specifically written to provide data for dwepcrack and non-FMS brute-forcing attacks against WEP.

Current specific features of dwepdump include:

Logging only weak keys for use with the dwepcrack -w option.

Ongoing statistics showing how many weak IVs have already been found (displayed as n.x -> n:x; when x >= 60 you can attempt cracking).

Ability to specify the maximum packet size, so you only capture small packets. This makes cracking via key space brute-forcing faster.

You do not need to specify an interface, so that multiple pcap files can be filtered together into a single one. This is useful if you have a lot of standard pcap files dumped with tcpdump, and so on, and want to filter out the weak IVs or converge weak IV dumps for cracking.

Use of advanced IV filtering methods beyond the standard FMS attack for faster capture time.

Thus, when cracking WEP with dwepcrack, using dwepdump for data collection is preferable to using prism2dump or any other pcap-format file-dumping tools such as tcpdump or Ethereal.

Dwepcrack is a WEP cracking utility created for all kinds of known attacks to determine a WEP key. It implements several techniques in a single package, which lets you run a full test of WEP key security using all currently available methodologies for WEP cracking. In particular, dwepcrack supports the following:

The optimizations of FMS attack described in the "Practical Exploitation of RC4 Weaknesses in WEP Environments" article

An ability to crack WEP using both FMS and brute-force attacks

An ability to brute-force the entire key space and use dictionary lists

Optimized method of 40-bit keys brute-forcing

Symmetric multiprocessing support with the -j option

Please note that in the modular dwepcrack source code, the improved FMS attack implementation (weakksa.c) and the WEP brute-forcing implementation (brute.c) are separate. This makes the analysis of the attacks and possible additional modifications easier. Dwepcrack is straightforward to run:

arhontus:~# dwepcrack -h

usage: -j <jobs> -b -e -w -f <fudge> -s <logfile> [wordfile]

-j: number of processes to run (useful for smp systems)

-b: brute force key by exhausting all probable possibilities

-e: search the entire key width (will take a while)

-w: use weak ksa attack (= modified FMS attack - Authors)

-f: fudge the probability scope by specified count (might take a while)

-s: file uses 104-bit wep

For the last option, use dwepstumbler to try and determine WEP key size or you can just assume it is 104-bit; the majority of modern WEP keys are.