As long as there is an encrypted wireless LAN near the place where you want to get online, you can try this method, but do not use it for illegal purposes.
Page 1 *** 23
WEP cracking process of a wireless network

Since the emergence of WLAN technology, "security" has always been the shadow of the word "wireless". Attacks on, and cracks of, the security authentication and encryption protocols used by wireless networks are endless. There are now hundreds, perhaps thousands, of online articles about how to attack and crack WEP, but how many people can really crack WEP's encryption successfully? Below, the author introduces some background on WEP encryption and a step-by-step method by which a novice can successfully recover a WEP key. The ultimate goal, of course, is to let readers configure their own security settings and better prevent cracking.

This series has two articles. The first mainly introduces the method of cracking WEP, and the second introduces how to configure a WLAN with better security settings.
I. WEP: the original protector of wireless network security

Compared with a wired network, data sent and received over a wireless LAN is far easier to eavesdrop on. In the design of a complete WLAN system, encryption and authentication are two security factors that must be considered. The most fundamental purpose of using encryption and authentication in a WLAN is to bring wireless services to the same security level as wired services. To achieve this goal, the IEEE 802.11 standard adopts the WEP (Wired Equivalent Privacy) protocol, which establishes a dedicated security mechanism to encrypt traffic and authenticate nodes; it is mainly used to protect the confidentiality of information and data on a wireless LAN. WEP uses a symmetric encryption mechanism: encryption and decryption use the same key and the same algorithm.

WEP uses an encryption key (also called the WEP key) to encrypt the data portion of every packet exchanged on an 802.11 network. Once encryption is enabled, two 802.11 devices must hold the same key and both must be configured to use encryption in order to communicate. If one device is configured to use encryption and the other is not, they cannot communicate even if both hold the same key (as shown in Figure 1).

Figure 1: WEP encryption
WEP encryption process

WEP supports 64-bit and 128-bit encryption. For 64-bit encryption the key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters; for 128-bit encryption the key is 26 hexadecimal characters or 13 ASCII characters. 64-bit encryption is sometimes called 40-bit encryption and 128-bit encryption is sometimes called 104-bit encryption: the larger figure counts the 24-bit initialization vector (IV) that is sent with every frame, the smaller one only the secret part of the key. 152-bit encryption is not a standard WEP technology and is not widely supported by client devices. WEP relies on the key shared by both parties to protect the encrypted data frames it transmits. The data encryption process is as follows.

1. Checksum.
(1) Calculate an integrity checksum (the ICV, a CRC-32) over the input data.
(2) Append the calculated checksum to the input data. The result is the plaintext that serves as input to the next step.

2. Encryption. In this step the plaintext from step 1 is encrypted with the RC4 stream cipher. Encrypting the plaintext serves two purposes: keeping the data confidential, and (through the checksum) detecting modification of the data.
(1) Concatenate the 24-bit initialization vector with the 40-bit key to obtain 64 bits of keying material.
(2) Feed these 64 bits into the pseudo-random number generator (RC4), which expands the IV and key into the keystream used for encryption.
(3) XOR the plaintext (data plus checksum) bit by bit with the keystream produced by the pseudo-random number generator to obtain the encrypted information, the ciphertext.

3. Transmission. Concatenate the initialization vector and the ciphertext to obtain the encrypted data frame that is sent over the wireless link (as shown in Figure 2). Note that the IV is only 24 bits and travels in the clear, so it is reused sooner or later on a busy network; the attacks described later in this article depend on collecting a large number of frames with different IVs.

Figure 2: WEP encryption process
WEP decryption process

In this security mechanism, decrypting an encrypted data frame is simply the reverse of the encryption process. The decryption process is as follows.

1. Recover the original plaintext. The receiver reads the IV from the frame, regenerates the keystream from the IV and the shared key, and XORs it with the received ciphertext to restore the original plaintext.

2. Check the checksum. The receiver separates the recovered plaintext from the received checksum, recalculates the checksum over the plaintext and checks whether it matches the received one. Only frames with a correct checksum are accepted by the receiver. Note that this CRC-32 is a linear error-detecting code, not a cryptographic message authentication code: it catches transmission errors, but it cannot stop an attacker from deliberately altering a frame and adjusting the checksum to match.

Figure 3: WEP decryption process
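The encryption and decryption steps above, as an added worked example. This code was written for this article and is not part of the original page or of any tool it names. It assumes the standard WEP building blocks that the text does not name outright: RC4 as the pseudo-random generator and CRC-32 as the checksum. The 3-byte IV is prepended exactly as described, and the fourth header byte a real frame carries (the key index) is left out. Key parsing follows the 5/13-ASCII and 10/26-hex rule and strips a leading 0x as an AP's configuration page may show it. The last function shows why the 24-bit IV matters: two frames encrypted under the same IV share a keystream, so XORing their ciphertexts yields the XOR of their plaintexts without knowing the key.

```python
"""WEP encryption/decryption as described above (RC4 keystream, CRC-32 ICV)."""
import os
import zlib

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_wep_key(text):
    """Turn a key as typed into an AP's config page into raw key bytes.

    A 64-bit key is 10 hex digits (optionally prefixed with 0x) or 5 ASCII
    characters; a 128-bit key is 26 hex digits or 13 ASCII characters.  The
    "64" and "128" count the 24-bit IV, so the secret part is 40 or 104 bits.
    """
    s = text.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    if len(s) in (10, 26) and set(s) <= HEX_DIGITS:
        return bytes.fromhex(s)
    if len(s) in (5, 13):
        return s.encode("ascii")
    raise ValueError("WEP key must be 5/13 ASCII characters or 10/26 hex digits")


def rc4(key, data):
    """RC4: key scheduling (KSA), then keystream generation (PRGA) XORed onto data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, sent little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key, plaintext, iv=None):
    """Step 1: append ICV. Step 2: XOR with RC4(IV || key). Step 3: prepend IV.

    Assumption: real frames carry a 4th header byte (key index) after the
    3-byte IV; it is omitted so the layout matches the description in the text.
    """
    if iv is None:
        iv = os.urandom(3)  # 24-bit IV, sent in the clear
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    """Reverse the process; return the plaintext, or None if the ICV check fails."""
    iv, body = frame[:3], frame[3:]
    if len(body) < 4:
        return None
    recovered = rc4(iv + key, body)  # XORing with the same keystream undoes it
    plaintext, received_icv = recovered[:-4], recovered[-4:]
    if icv(plaintext) != received_icv:
        return None
    return plaintext


def iv_reuse_leak(key, p1, p2, iv):
    """Two frames under the same IV share a keystream, so XORing the two
    ciphertexts yields p1 XOR p2 (over their common length) with no key at all."""
    c1 = wep_encrypt(key, p1, iv)[3:]
    c2 = wep_encrypt(key, p2, iv)[3:]
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    key = parse_wep_key("0xC0FFEE1234")  # constructed 64-bit key, not a real one
    frame = wep_encrypt(key, b"ping 192.168.1.1")
    print(frame.hex())
    print(wep_decrypt(key, frame))
```

The ICV check catches a flipped bit in transit, but because CRC-32 is linear it can be recomputed on an encrypted frame without the key; iv_reuse_leak is the simplest of the IV-related problems and is the reason the cracking tools want as many distinct IVs as possible.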
II. Preparation before cracking the WEP key

In the following two parts, the author gradually introduces the method of cracking a WEP key. The method needs no special hardware: two notebooks (or even just one) with wireless network cards are enough, and the whole attack uses only freely available software, without any professional tools. A reader who wants to understand this article and learn to perform the operations does not need to be a network expert, but should be familiar with basic network terms and principles: at least know how to ping another machine to test whether the network is reachable, how to open a Windows command prompt and enter the relevant commands, and the contents of the Windows network properties window. These are the basic requirements; otherwise how could it be called a method a novice can learn?
1. Setting up the experimental environment

Before starting, the first step is to set up an experimental environment. You cannot practise on other people's networks; that is illegal and immoral. To build the experimental wireless network, a wireless AP is indispensable; in addition, 3 notebooks with wireless network cards (desktop computers with wireless cards on a simple network also work) meet the requirements. The network topology is shown in Figure 4 below.
Figure 4: Building the experimental environment
In the network shown in Figure 4, we use a Netgear product, model WGT624v2; it plays the role of the target and will be called the "target AP" from here on. Of the three machines, one is the client that is the target of the attack, for now called "target"; one of the other two notebooks actively attacks to stimulate network traffic so that enough packets can be captured in a short time, and this machine is called "attack"; the remaining notebook sniffs and captures the packets generated by the active attack and is called "sniff". Although the whole cracking process can be completed on a single notebook, the author does not recommend it: using only one notebook makes the later work very troublesome, and the author found that the sniffing program may run into problems when used that way. On a lightly used WLAN, an active attack is more productive than passive sniffing: it makes the WLAN generate more packets in a shorter time, which speeds up WEP cracking.

Notebooks are not strictly required in this environment. Desktop computers, or a mix of desktop PCs and notebooks, also work, but notebooks are more portable and have better compatibility with current wireless PC cards.
The wireless card used by the target does not depend on any particular chipset; any manufacturer's product works as long as it is 802.11b. The attack and sniff machines use two 802.11b wireless cards. Although many of the tools we use later (such as Kismet) support quite a few kinds of wireless cards, I still suggest cards based on the PRISM 2 chipset, because that chipset is supported by every tool we need during the cracking process.
Wireless cards come with external or built-in antennas. If you buy a wireless card without a built-in antenna, you have to buy an antenna separately. The advantages of an external antenna are higher gain, better sensitivity and the ability to adjust the antenna direction for better reception; a built-in antenna is more portable, but its direction cannot be adjusted. The one I use is a mobile external antenna, which is very convenient: its base has several small rubber suction cups, so it attaches easily to the lid of the notebook, and in a car it can be stuck firmly to a free area of window glass, as shown in Figure 5 below.
Figure 4: Mobile antenna
2. Setting up the experimental WLAN

Setting up this experimental environment carefully is very important, because we only want to operate inside it. The attack described below forcibly terminates the connection between a client and its AP. An attack of this kind can seriously disrupt nearby wireless users, so users who do not belong to the experimental WLAN must be protected and collateral attacks on users of adjacent APs avoided. If your environment is in a busy office, an office building or another area covered by many wireless networks and you want to try this, wait until night when nobody is working and the networks are no longer busy, for fear of "burning the city gate and harming the fish in the moat".

The first step is to connect and configure the experimental WLAN that will be attacked. As mentioned above, this WLAN consists of one access point (wireless router) and a single wireless client, and it is protected by the WEP key we want to crack. Set the SSID (service set identifier) of the target AP to "starbucks". The SSID distinguishes different networks and is also called the network name: a wireless station can only join the AP if it presents the same SSID as the AP, and the AP rejects a station whose SSID differs. Do not mistake the SSID for a password, though. It is broadcast in the clear in the AP's beacons (Kismet will show it later) and provides no cryptographic protection at all; the protection here comes from the 64-bit WEP key we now configure on the AP.

Record the following information for later use.
① The MAC address of the AP. It is usually shown on the AP's web configuration menu, and may also be printed on a label on the side of the AP.
② The SSID.
③ The wireless channel of the access point.
④ The WEP key. If the wireless AP displays the key in a format like 0xFFFFFFFFFF (where the F's stand for the actual digits of your key), write down every digit except the leading 0x.
The second step is to connect the target client to the target AP. We now need to configure the client (everything below is under Windows XP). Right-click "My Network Places" on the desktop, or go through the Start menu, click Properties, then double-click "Wireless Network Connection". This opens the window shown in Figure 5, which lists the available wireless networks. If there is only one wireless network nearby, this window may show only the AP named "starbucks" we just configured; double-click the corresponding SSID name to connect to the target AP.

Figure 5: Connect to the target WLAN.

Because the AP has WEP protection enabled, Windows asks for the key when connecting (as shown in Figure 6). Enter the WEP key you just set (you can of course paste it from a Notepad or WordPad document), wait a moment, and Windows will report that it is connected to the network. To confirm that the connection really succeeded, ping a computer on the wired network; or, if the experimental WLAN is connected to the Internet, simply open a web site. If you cannot ping a machine with a known address or open a normal web site, open the properties of the wireless card, click the "Support" tab and check whether it has obtained a correct IP address. If it has not, check that the DHCP server in the network is enabled and that the TCP/IP properties of the wireless card are set to "Obtain an IP address automatically". If everything is fine, click the "Repair" button in the wireless connection status window to fix it.

Figure 6: Enter the WEP key.
The third step is to record the MAC address of the target machine. Once it is connected to the network, record the MAC address of the target computer that will be attacked. There are two ways. One is to open a command prompt window and type the command ipconfig /all, which shows this MAC address as in Figure 7 below (the wireless card's MAC address is highlighted).

Figure 7: Enter the ipconfig /all command to find the MAC address.

The other way, on Windows XP, is to get the MAC address from the Wireless Network Connection Status window: click the "Support" tab and then "Details". The MAC address is shown at the top right of the window (as shown in Figure 8). Different machines may label it differently; some show it as the "Physical Address". In this window the letters and digits of the MAC address are separated by dashes. The dashes only make the characters easier to read; the actual MAC address does not contain them.
Figure 8: MAC address displayed in the network connection details
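Added example (not from the original article): a small parser that pulls the wireless card's physical address out of `ipconfig /all` output and converts between the dashed form Windows displays, the bare 12 hex digits, and the colon-separated form the Linux tools on the Auditor CD expect. IPCONFIG_SAMPLE is constructed sample output modelled on Windows XP, with made-up locally administered (02-...) MAC addresses; the adapter header and "field . . . : value" layout it assumes is the usual XP one.

```python
"""Pull the wireless card's MAC out of `ipconfig /all` output and normalise it."""
import re

# Constructed sample of Windows XP `ipconfig /all` output (not a real capture).
IPCONFIG_SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : target
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example 802.11b Wireless LAN Card
        Physical Address. . . . . . . . . : 02-00-00-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Example PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 02-00-00-11-22-33
"""

# "Ethernet adapter <name>:" starts a new adapter block (no leading whitespace).
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
# Indented "<field> . . . : <value>" lines; the dots are padding, not part of the key.
FIELD_RE = re.compile(r"^\s+(.*?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2)
    return adapters


def normalize_mac(mac):
    """Strip the display-only separators (dashes on Windows, colons on Linux)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def linux_mac(mac):
    """Colon-separated form used by the Linux wireless tools."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def find_wireless_mac(text):
    """Bare hex MAC of the first adapter whose name mentions 'wireless', or None."""
    for name, fields in parse_ipconfig(text).items():
        if "wireless" in name.lower() and "Physical Address" in fields:
            return normalize_mac(fields["Physical Address"])
    return None


if __name__ == "__main__":
    mac = find_wireless_mac(IPCONFIG_SAMPLE)
    print(mac, linux_mac(mac))
```

On the real target machine, run `ipconfig /all > ipconfig.txt` and feed the file's contents to find_wireless_mac; the "Media disconnected" adapter in the sample shows why the parser must not simply take the first Physical Address it sees.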
3. Notebook setup

First we prepare several tools (Kismet, Airodump, void11, Aireplay and Aircrack). Kismet scans the WLANs of the whole area, finds the experimental target WLAN and collects its data (SSID, channel, MAC addresses of the AP and of the connected client, and so on). Airodump scans and captures the packets that are generated into a file. void11 deauthenticates a client from the target AP, forcing it to reconnect and send ARP requests. Aireplay captures these ARP requests and replays them to the target AP as if they came from a legitimate client. Aircrack takes the capture file produced by Airodump and extracts the WEP key from it.

All of them are open-source or free software, and all of these tools are included on the "Auditor Security Collection" live CD, a bootable system disk that boots a modified Kanotix Linux. This Linux does not need to touch the hard disk: it loads directly into memory from the CD at startup and automatically detects and configures many kinds of wireless cards. The Auditor Security Collection live CD used here is the latest version, auditor-150405-04, downloadable from http://new.remote-mirrors.org/index.php/auditor_mirror. The download is a CD image (.iso file); burn it with Nero (or other burning software) to one CD each for the attack and sniff machines.
First insert the wireless card into the notebook (it would be best if the machine had a built-in wireless card), then set the notebook to boot from CD and put the Auditor Security Collection CD into the CD-ROM drive. After you select a suitable screen resolution in the Auditor boot menu, Kanotix Linux loads into memory and runs, and the Auditor startup screen appears (as shown in Figure 9).

Figure 9: Auditor's startup screen

In this system the two most important icons are the Programs icon and the command-line icon; most of our later operations are done through them, as shown in Figure 10.

Figure 10: Location of the Programs and command-line icons

Before doing anything else, make sure Auditor has recognized the wireless card in our machine. Click the command-line icon to open a terminal window and enter the command iwconfig. In the information Auditor displays you should see an entry for "wlan0", the interface name Auditor assigns to PRISM-chipset cards. If the notebook used for the attack shows a window like Figure 11, Auditor has detected the wireless card and the next step can begin. Perform the same steps on the other notebook.

Figure 11: Check the wireless card with the iwconfig command.
Well, the preparations are now basically complete. In the second part of this article we start the actual cracking process.

III. Actual cracking process

1. Network detection using Kismet

Kismet is a Linux-based wireless network scanner and a very convenient tool for detecting the wireless signals around us and finding the target WLAN. Although Kismet can also capture the data traffic on a network, there are now better tools for that (such as Airodump), so here we only use it to confirm that the wireless card works normally and to scan for wireless networks; in the next part we switch to different tools to really monitor and capture the traffic on the network.

Click the Programs icon, then Auditor, then Wireless, then Scanner/Analyzer, and finally Kismet to run the Kismet program, as shown in Figure 12.
Figure 12: Running Kismet
Besides scanning for wireless networks, Kismet can also capture the packets on a network into a file for later analysis, so Kismet asks where to store the captured packets. For example, to save these files under /root/Desktop, click Desktop and then OK, as shown in Figure 13. Kismet then asks for the prefix of the capture file names; we can change the default name, for example to "capture", and click OK. Kismet will then save the captured packets into separate files named "capture" followed by a sequence number.

Figure 13: Specify the storage location of files in Kismet.
Once Kismet is running it displays the "names" of all WLANs found in the area. The Name column shows the SSID of each AP; the target WLAN should be among them (the row with starbucks under Name), and the value of its CH column (the channel the AP uses) should match what we recorded at the beginning. The right-hand side of the window shows the number of WLANs Kismet has found, the number of packets captured, the number of encrypted packets and so on, as shown in Figure 14 below. If Kismet finds many neighbouring access points, move the lab environment farther away from them or disconnect any high-gain antenna.

Kismet can detect packets from our target AP even when the target computer is turned off. This is because the target AP keeps sending out "beacons" that tell computers with wireless cards that an AP is within range. We can think of it as the AP announcing, "My name is XXXXX, please connect to me." The SSID, the channel and whether encryption is required are all carried in these beacons, which is how Kismet fills in its table without any client being present.

Figure 14: Contents displayed by Kismet
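Added example (not from the original article or from Kismet): a decoder for what the beacon announces. It assumes raw 802.11 frames without the radiotap or Prism header that capture files usually prepend, and the frames produced by build_beacon are constructed test data with locally administered (02:...) MAC addresses, not a real capture. parse_beacon pulls out the fields Kismet shows in its table: the SSID (Name), the BSSID, the channel (CH) from the DS Parameter Set element, and whether the Privacy capability bit is set, which is what marks a network as encrypted. networks_from_frames keeps one entry per BSSID and sorts by channel, like Kismet's "c" sort.

```python
"""Decode what an AP's beacon announces: SSID, BSSID, channel and the Privacy (WEP) flag."""
import struct

BEACON_FC0 = 0x80        # frame control byte 0: type=management, subtype=beacon
CAP_PRIVACY = 0x0010     # capability bit 4: encryption (WEP here) required
IE_SSID, IE_DS_PARAMS = 0, 3


def build_beacon(bssid, ssid, channel, privacy):
    """Construct a minimal 802.11 beacon (test data only; a real AP adds more IEs)."""
    header = (b"\x80\x00"      # frame control: beacon
              + b"\x00\x00"    # duration
              + b"\xff" * 6    # addr1: broadcast destination
              + bssid          # addr2: transmitter
              + bssid          # addr3: BSSID
              + b"\x00\x00")   # sequence control
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus Privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)            # timestamp, interval, capability
    ies = (bytes([IE_SSID, len(ssid)]) + ssid
           + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # supported rates 1/2/5.5/11 Mbit/s
           + bytes([IE_DS_PARAMS, 1, channel]))
    return header + fixed + ies


def parse_beacon(frame):
    """Return {bssid, ssid, channel, privacy} for a raw beacon, or None otherwise."""
    if len(frame) < 36 or frame[0] & 0xFC != BEACON_FC0:
        return None                      # too short, or not a beacon
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    cap, = struct.unpack_from("<H", frame, 34)
    info = {"bssid": bssid, "ssid": None, "channel": None,
            "privacy": bool(cap & CAP_PRIVACY)}
    pos = 36                              # information elements start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:            # truncated IE: stop rather than misparse
            break
        if tag == IE_SSID:
            info["ssid"] = data.decode("utf-8", "replace")  # "" means hidden SSID
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = data[0]
        pos += 2 + length
    return info


def networks_from_frames(frames):
    """One entry per BSSID, sorted by channel like Kismet's 'c' sort."""
    seen = {}
    for frame in frames:
        info = parse_beacon(frame)
        if info is not None:
            seen.setdefault(info["bssid"], info)
    return sorted(seen.values(), key=lambda n: (n["channel"] or 0, n["bssid"]))


if __name__ == "__main__":
    ap = bytes.fromhex("020000000001")   # constructed, locally administered BSSID
    for net in networks_from_frames([build_beacon(ap, b"starbucks", 6, True)]):
        print(net)
```

A beacon's Privacy bit only says that encryption is required; on the 802.11b gear discussed here that means WEP, but it is the same bit WPA uses, so a real scanner also looks at the vendor-specific and RSN elements before labelling a network "WEP".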
By default Kismet runs in "autofit" mode and the display is confusing, so we can sort the list to put the APs in a meaningful order. Press the "s" key to open the Sort menu, where a single letter chooses the sort order: for example "f" sorts by the time each AP was first seen, "c" sorts by channel, "l" sorts by the time each AP was last seen, and so on.

Now let us look at the details of the AP in the target WLAN. Press "s" and then "c" to arrange the whole AP list by channel, and move the highlight bar with the cursor keys to the SSID representing the target AP,