Wireless Hacks

Hack 88 Cracking WEP with AirSnort: The Easy Way

Use a dictionary attack to test the security of your WEP key.

While widely publicized for its ability to crack a WEP key in real time by attacking weaknesses in the implementation, AirSnort requires a potentially large amount of data to be gathered before the attack is successful. AirSnort also comes with a largely unknown utility that will perform a dictionary attack on a relatively tiny sampling of network traffic.

Using the aptly named decrypt utility, you can attempt to decrypt a WEP stream by trying a list of potential candidates from a word list. This attack can be carried out in a matter of minutes, rather than the hours that would be required to collect the large traffic samples needed to interpolate a WEP key.

To use the decrypt utility, you first need a packet dump from a utility that can capture raw 802.11 frames (such as Kismet [Hack #31]). You will also need a list of suitable candidates, namely words that are either 5 or 13 characters long (for 40-bit or 104-bit WEP respectively). Invoke the utility like this:

# decrypt -f /usr/dict/words -m 00:02:2D:27:D9:22 -e encrypted.dump -d [RETURN]
out.dump
Found key: Hex - 61:6c:6f:68:61, ASCII - "aloha"

Notice that you also need to specify the BSSID of the network you wish to attempt to decrypt. In this case, the BSSID is the same as the MAC address of the AP, but can be set to virtually anything. You can obtain this field from the Info pane inside Kismet when capturing the data [Hack #31]. If successful, the decrypt utility displays the WEP key, decrypts the entire stream (specified by the -e switch), and saves it to a file of your choice (specified by the -d switch).

This output file is suitable for import into any standard packet-analysis tool, such as tcpdump ([Hack #37]) or Etherereal [Hack #39].

Of course, this attack succeeds only if the WEP key actually appears in your list of words to try. Unix password crackers have developed utilities over the years that will not only try words from the dictionary, but will try common (and even unusual) variations on these words until a match is found. The use of these tools is left as an exercise to whatever demented individuals find it worth their while to do so.

Again, the point of this hack isn't to encourage you to go around breaking into people's networks, but to stress the importance of strong encryption and proper network configuration. It is just plain foolish to expect WEP to answer all of your security needs when tools like AirSnort so easily demonstrate its inherent weaknesses.

You can download AirSnort from http://airsnort.shmoo.com/. There is also a wealth of information there about passive monitoring, WEP implementations, and wireless security in general.