Productivity

WEP Cracking Redux: Beyond The Command Line

Last week we showed you how to crack a Wi-Fi network’s WEP key using a live CD and some command line fu. Today we’ve got other cracking options—but more importantly, clarification on the point of all this.

Even Easier Ways to Crack WEP

The cracking method we covered last week involved typing in 10 tedious commands you can easily fat-finger. While there’s no super-simple GUI with a giant button that says “Crack this network” and plays James Bond theme music, a couple of windowed options are much more usable.

SpoonWep in BackTrack 3 (booted on a PC or Mac or in VMware)
With the same BackTrack 3 live CD or VMware image that we used last week, you can bypass almost all the commands you see there and use SpoonWep instead. When you’re booted into BackTrack 3, from the KDE menu, choose BackTrack>Radio Network Analysis>80211>Cracking>SPoonWep. You’ll get the window you see in the screenshot here. All you need to run SpoonWep against a Wi-Fi network is its channel and BSSID. (I used the previously-mentioned airodump-ng command to get the BSSID of my router; you can also use Kismet in the BackTrack>Radio Network Analysis>80211>Analyser folder of BackTrack’s KDE menu to get that info.)

Enter the BSSID in the “Victim Mac” field of SpoonWep. Choose your Wi-Fi adaptor from the drop-down, set the channel, and launch your attack. Increase or decrease your injection rate using the slider. (Thanks to PrunellaIguana and RamonHans for pointing out SpoonWep.)

As for the BackTrack 4 pre-release, commenters point out that it supports more wireless cards and can crack passwords faster using aircrack-ptw. BT4 consistently froze on me, but I believe it was the version of the Alfa USB adaptor I was using that caused the problem, so your mileage will likely vary.

KisMAC for Mac OS X
If you want to get your crack on Mac-style, download the free KisMAC. KisMAC cannot crack WEP with your regular old built-in Airport card; you’ll still need a card that works with a KisMAC driver which supports packet injection. Here’s a list of the built-in drivers KisMAC comes with, and the list of wireless adapters that work with those drivers. If you’re using an Alfa 500mw like I am, you can use the USB RTL8187L driver. The YouTube video below walks you through the steps. From KisMAC’s Preferences pane you add the driver that works with your wireless adaptor. Scan for networks, choose the one you want to crack, and from the Network menu choose “Deauthenticate”. Then, also from the Network menu, choose “Reinject packets”. Once your “Unique IVs” number is high enough, from the Network menu, choose Crack and then pick your attack.

The clip demonstrates a “Weak Scheduling Attack” against a 40-bit key in action with KisMAC. Go full screen and high quality for best legibility.

Windows: aircrack-ng suite
As far as I can tell, there is no non-command line software you can install on Windows to crack WEP. There are plenty of tutorials on how to install the aircrack-ng suite on Windows and run it. I half-heartedly tried a few on my own but just went back to BackTrack 3. (If you’ve got to use the CLI anyway, might as well do it from a Linux image.) If your Cygwin-devoted heart is braver than mine, here’s how to install Aircrack-ng for Windows and a longer tutorial on how to crack WEP on Windows XP Pro SP2.

The Point: Now You Know How to Better Secure Your Wireless Network

Knowing how to crack WEP keys doesn’t mean you go out and actually break into people’s Wi-Fi networks. It means you’ve seen, firsthand, exactly how crackable WEP keys are. I’ve “known” for years now that WPA is more secure than WEP, but the bridge on my network offered WPA but couldn’t authenticate with it on my (old, cheap) router. It wasn’t until I wrote the article last week that I got an updated router that did work. That’s the power of seeing something in action you’ve normally got to wade through nefarious blackhat web sites to dial into.

This is a sticky issue, of course. But thanks to all of you, the comment thread on last week’s howto illuminated some of the best points about the wireless security issue. To recap:

WEP doesn’t actually keep anyone out. I like MaribelAlligator’s comparison of a WEP key to a home bathroom lock, the one you can open just using a bent paperclip. Everyone knows how to unlock it, but when it’s locked everyone who walks by understands they should stay out. Glenn Fleishman likens WEP to a “No Trespassing” sign—a clear indicator the people inside don’t want the uninvited in, but nothing that will actually keep people out.

WPA is crackable as well, but it’s more difficult (especially WPA2). A wired network is more secure than a Wi-Fi network because it’s more difficult to connect to it. But if wiring up your home isn’t an option—and let’s face it, it really isn’t something any one of us wants to do—opt for WPA2 where possible. As several commenters pointed out, WPA has been cracked in some circumstances as well, but it’s not done as easily as WEP. To explain, MaribelAlligator continues the “bathroom lock” analogy:

WPA is like a standard door lock; it’s a lot more secure, but it is still possible to get by for someone with the right tools, knowledge and circumstances. WPA2 is like a bank safe. It may be possible to defeat, depending on how it’s been set up, but it’s not realistically possible for anybody to actually do so… yet.

Filtering MAC addresses and hiding SSID’s doesn’t matter to folks who want to get in. A few commenters said they’ve stopped broadcasting their router’s SSID, and set up MAC address filtering, which only allows particular devices to connect to it. These measures will stop folks who don’t know what they’re doing, but not those who do. Spoofing a MAC address is very easy, and any network scanner worth its salt (including free ones like NetStumbler) detect networks with hidden SSIDs. To continue the bathroom lock analogy, MaribelAlligator said:

Not broadcasting your SSID is like taking the numbers off of your house – The house is still there and everyone can see it, it’s just a bit harder to find for people that don’t know what they are looking for already. Filtering by MAC address is like having a guard at the door that checks everyone’s name against a list to see if they can enter. The only problem is, he doesn’t ask for ID or remember what people look like, so anybody can listen in to see what names are allowed and then claim to be anybody else.

The bottom line: Protect your stuff using multiple layers of security. Whether your network is wired or wireless, open, WEP, WPA, or WPA2, take several measures to secure your important stuff. Password your network shares (choose good ones!), do virus and malware sweeps, back up your data, run firewalls—in short, don’t rely entirely on your wireless router’s password (whether it’s WEP encryption or not) to keep out intruders.

If you’ve got old devices that ONLY support WEP… Like everything in life, you’ve got to balance risk and reward. If your Nintendo DS only speaks WEP, and you want wireless access, use WEP knowing what the risks are. Ben D. makes a great point about WEP-only devices:

Make sure your firmware is up-to-date, and if it is, lobby the heck out of the manufacturers to start supporting WPA2. “I saw this article on Lifehacker”… It’s totally outrageous that any manufacturer-supported wireless device, in 2009, would only offer WEP.

Thanks to everyone who dropped knowledge in the comments on the previous tutorial. Now go forth and configure your wireless network as it should be.

Gina Trapani, Lifehacker’s founding editor, is finished with this Wi-Fi encrypted key-cracking business. For now. Her feature Smarterware appears every week on Lifehacker.