Many of us use wireless routers every day: at home, at the airport, at the local coffee shop, and in many other places we frequent. But what do we know about how to secure them? Many people have fallen into the trap of thinking that as long as their router has a password and they don't give that password out to anyone, their network is secure. What they don't realize is that often they are using WEP (Wired Equivalent Privacy), an encryption scheme whose key-recovery weaknesses were published in 2001 and which offers almost no protection for sensitive data. This post will show how easy it is to crack a WEP-secured router and why you should use a stronger standard such as WPA or, better, WPA2.
Most of my information comes from the Small Net Builder article at http://www.smallnetbuilder.com/wireless/wireless-howto/24244-howtocrackweppt1 and is intended to educate users on why they shouldn't rely on WEP to protect their information. It is not intended for use against networks you do not own or do not have the owner's consent to test. (Simply driving around locating and mapping wireless networks is what is usually called "war-driving"; breaking into them is a different matter and is illegal in most jurisdictions.)
This particular hack relies on the open-source Aircrack suite (aircrack-ng), run here on the BackTrack 2 Linux distribution. For a more detailed walkthrough please read the linked article; this post merely gives a brief overview.
The first thing to check is that a client is currently associated with the router, because that client's traffic is what supplies the ARP request needed for the ARP Request Replay Attack (explained below). For the attack to work, three pieces of information are needed: the MAC address of the Access Point (AP), the MAC address of a client associated with that AP, and the channel both are using. All three are displayed by airodump-ng while it scans.
To keep things short, what happens is essentially this: using the Aircrack suite, traffic is stimulated between the AP and the client, producing a stream of encrypted frames, each carrying a 24-bit Initialization Vector (IV). The IVs are sent in clear text, and WEP's use of RC4 is weak enough that, given enough IVs together with the first byte of each frame's ciphertext (the first plaintext byte is a predictable LLC/SNAP header byte), statistical attacks recover the key one byte at a time. The classic FMS/KoreK attacks need roughly 300,000 to 1,500,000 IVs; the newer PTW attack in current aircrack-ng versions needs on the order of 40,000 to 85,000 for a 104-bit key. An idle network produces far too few frames to get there in a reasonable time, which is where the ARP Request Replay Attack comes in.
Once a valid ARP request has been captured, aireplay-ng (in ARP request replay mode) re-injects it at the AP over and over; because ARP requests are broadcasts, the AP re-transmits each one encrypted under a fresh IV, and airodump-ng writes all of them to a capture file. aircrack-ng then processes the collected IVs until, "Abracadabra!!", there is your WEP key. All of this can be done in as little as 10-20 minutes.
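To make the IV mechanics in the two paragraphs above concrete, here is a toy WEP frame model in Python. It is an example added to this post, not code from the original article or from the Aircrack suite. It implements real RC4 and the real WEP body layout (3-byte IV and key-index byte in the clear, then the RC4-encrypted payload and CRC-32 ICV), but the key, the sequential IV counters and the payloads are constructed, and the `ToyStation` class is a simplified stand-in for an AP or client. The one piece of real-world knowledge it leans on is that every IPv4 ARP request over 802.11 begins with the same 16 LLC/SNAP and ARP header bytes, which is why ARP frames make such convenient known plaintext.

```python
"""Toy WEP model: IVs in the clear, ARP replay, and IV reuse (added example)."""
import struct
import zlib

KEY = bytes.fromhex("0123456789")  # constructed 40-bit WEP key (assumption)

# Fixed LLC/SNAP + ARP header of every IPv4 ARP request on an 802.11 LAN:
# DSAP/SSAP 0xAA, ctrl 0x03, OUI 0, ethertype 0x0806, htype 1, ptype 0x0800,
# hlen 6, plen 4, opcode 1 (request). This is the attacker's known plaintext.
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa0300000008060001080006040001")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV (3 bytes, clear) | key-id (1) | RC4(IV||key)(data||CRC32)."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(plaintext))
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv, ks)


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    iv, ct = body[:3], body[4:]
    pt_icv = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(pt):
        raise ValueError("bad ICV")
    return pt


class ToyStation:
    """AP or client that picks IVs sequentially from a start value, as many WEP
    drivers did (constructed behaviour, not a model of any specific vendor)."""

    def __init__(self, key: bytes, start_iv: int = 0):
        self.key, self.next_iv = key, start_iv

    def send(self, plaintext: bytes) -> bytes:
        iv = self.next_iv.to_bytes(3, "little")
        self.next_iv = (self.next_iv + 1) % (1 << 24)  # only 2^24 IVs exist
        return wep_encrypt(self.key, iv, plaintext)

    def relay(self, body: bytes) -> bytes:
        """An AP rebroadcasts a client's ARP request to the cell under a fresh
        IV; this is the behaviour aireplay-ng's ARP replay mode exploits."""
        return self.send(wep_decrypt(self.key, body))


def extract_iv(body: bytes) -> bytes:
    return body[:3]  # readable by any passive sniffer


def arp_replay(ap: ToyStation, captured_arp: bytes, count: int) -> list:
    """Re-inject one captured ARP request `count` times, collecting the AP's copies."""
    return [ap.relay(captured_arp) for _ in range(count)]


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext = the keystream RC4 produced for this IV."""
    return xor(body[4:4 + len(known_plaintext)], known_plaintext)


def demo(replays: int = 1000) -> dict:
    ap = ToyStation(KEY, start_iv=0x000100)
    client = ToyStation(KEY, start_iv=0)
    arp_plain = ARP_REQUEST_PREFIX + bytes(range(20))  # constructed ARP body
    captured = client.send(arp_plain)                  # sniffed once by attacker
    frames = arp_replay(ap, captured, replays)         # stimulated traffic
    # Later the client's IV counter restarts at 0 (reboot), reusing the ARP IV.
    rebooted_client = ToyStation(KEY, start_iv=0)
    secret = rebooted_client.send(b"secret-plaintext")
    ks = recover_keystream(captured, ARP_REQUEST_PREFIX)  # 16 keystream bytes
    return {
        "distinct_ivs": len({extract_iv(f) for f in frames}),
        "same_plaintext": all(wep_decrypt(KEY, f) == arp_plain for f in frames),
        "ks_matches": ks == rc4_keystream(extract_iv(captured) + KEY, 16),
        "leaked": xor(secret[4:20], ks),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both halves of the argument: the 1,000 replayed frames all decrypt to the same ARP request yet carry 1,000 distinct IVs, which is exactly the kind of traffic aircrack-ng needs, and a single IV reuse is enough for the keystream recovered from one known ARP frame to decrypt the start of any other frame sent under that IV. The statistical key-recovery step itself (FMS/KoreK/PTW) is not implemented here; aircrack-ng does that part.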
As you can see, relying on WEP to protect your AP is a very poor decision if you care about anything behind it. WPA and WPA2 are far more secure (use WPA2 with AES/CCMP and a long, random passphrase; WPA's TKIP was only a stopgap), and they can even provide faster connections in some cases, since 802.11n devices fall back to legacy 802.11g rates when WEP or TKIP is in use. The choice is pretty simple.
Nice post. Possible improvement would be to provide a link to some instructions for setting up WPA.