WEP Cracking in a flash at Interop
Every year the iLabs engineering team educates attendees by inviting them to attend interesting seminars and presentations about various networking issues. The team is made up of volunteers from government, educational and corporate organizations. This year, security issues were discussed, often emphasized by live demonstrations of hacking. After reading our article The Feds Can Own Your WLAN Too, iLabs wanted to show off the latest WEP cracking techniques, but didn't know where to begin.
Brett Thorson, an engineer for iLabs, had heard about WEP cracking, but no one had actually shown him how to do it. We teamed up with Brett, and after several hours of configuring APs and finding suitable wireless cards, Brett was able to crack WEP keys with ease.
The demonstration used a Cisco Aironet 1200 access point as the target, configured with a randomly-entered 128 bit WEP key. We found beta firmware installed on this AP that may have been intended to harden it against attacks. But the AP still eventually yielded to the new generation of WEP-cracking techniques we employed - it just took a little longer than the three minutes it took the FBI.
The iLabs demo also used a "victim laptop" that browsed the web and ran long FTP file transfers to generate traffic, which we sniffed from another laptop running tools from the Auditor CD to gather enough IVs (Initialization Vectors). When enough IVs were gathered, an open source program called aircrack was used to break the encryption and reveal the WEP key. We found that we could crack a WEP key in about 2 minutes with about 500,000 IVs gathered over the course of about an hour. We also learned that with about 700,000 or more IVs collected, some of the cracks were done almost instantly.
Some attendees said that they had always heard of WEP being cracked, but it had never been demonstrated in front of them. Brett Thorson said, "This is definitely not a script kiddie type of attack... there are many things you have to get right." But after we worked with Thorson, he was able to crack WEP more than two dozen times.
Don't Use This Card for Cracking WEP!
We learned a few things from this exercise, too. We found out the hard way that not all Prism 2 cards are alike. The Farallon SkyLINE card pictured above is seen by the Auditor Security Collection as a "Prism 2" chipset card, but it failed miserably for cracking WEP. Something in the card's implementation let it work fine for data transfer, but made it unable to provide the IVs needed for aircrack to run.
We also learned that it can take a long time to configure even the simplest functions of a Cisco WAP - even via its web interface. There are a large number of menus and options to navigate, and it takes longer than it should to find things.