Tuesday 2 April 2013

Converting Airdecap-NG into a Word List based WEP Cracker



We all know that WEP can be cracked, but can you crack a WEP network with only one Data packet?

Traditionally WEP Cracking has always involved making the victim network generate a ton of WEP encrypted data packets. Then one uses tools like Aircrack-NG to crack the WEP key using various cryptographic flaws in WEP. The ballpark number of packets is roughly between 30k-120k data packets. I'd also like to take this opportunity to say how fantastic Aircrack-NG is and how my friend Mister_X, it's creator, is without a shadow of a doubt one of the most talented programmers / security researcher I have ever had the privilege of knowing.

Now back to my blog post :) ----  However, what if you only have one WEP Data packet as in this trace file? Here is a quick look at the file with Wireshark:


To begin with there is no cryptographic attack which can crack WEP with just one Data packet. The only way would be to launch a dictionary attack against the Data packet. If we successfully decrypt it with a given key, then it is the right one. This really the same way we crack WPA/WPA2-PSK right now.

The problem we run into is that most WEP cracking tools do not support a dictionary based attack on WEP. There is a tool in the Aircrack-NG suite - Airdecap-NG which can decrypt WEP packets if we know the key, but it cannot take a dictionary as input. Below is a quick dump of the it's options:


The option that is interesting to me is the "-w" one. So with this, let me define our objective.

Objective: To create a Python script which can use Airdecap-NG along with a Word List and try to Crack WEP with just a single Data packet

Let's analyze the solution in steps:


Step 1: If we called Airdecap-NG from within our script, how would we know it has managed to find the right WEP key? To solve this, let's look at the output of Airdecap-NG when it FAILS to decrypt a packet using the supplied WEP key


We clearly see that Line No 5 of the output "Number of decrypted WEP packets" is "0".

Let's now see how it looks like when the decryption SUCCEEDS if we have the right WEP key:


Fantastic! Line no 5 not has "1" in the rightmost column because we managed to decrypt the packet.


Step 2: So we need to write a Python script which does the following:

  1. Takes a Word List and the Pcap file containing the WEP data packet as input
  2. It uses all the words of length 5 or 13 characters as the WEP key is really 40/104bits in length
  3. For each key, call airdecap-ng and check the output 
  4. If the output does not contain "1" in Line no 5, then continue with (3)
  5. If the output contains "1" in Line no 5, then stop and print the WEP key used. This is the correct key
I wish I had the time to make a flow chart for the above :)


Step 3: Let's code this up:





Step 4: Let's run this against the pcap file and use the default dictionary in Backtrack.


Step 5: Now the Python + Airdecap-NG are doing a lot of work for us. Let's appreciate that a bit by looking at the output while it is still running :)


Eventually, if the WEP key is in the wordlist, we will find it :)


The WEP key used by the network was "tudes" as we can see from the last line of the output.

Step 6: You can also see the decrypted packet using Wireshark



Awesome! Hopefully this has been an interesting illustration of how you can use Python for automating tasks using existing tools which are available, rather than wait for a new tool or a feature in an existing one.

If you enjoyed, leave a comment behind or please Tweet / Share this post. Thanks!

If you are interested in learning how to use Python for Pentesting then please have a look at our SecurityTube Python Scripting Expert course. This course is ideal for penetration testers, security enthusiasts and network administrators who want to learn to automate tasks or go beyond just using ready made tools. We will be covering topics in system security, network security, attacking web applications and services, exploitation techniques, malware and binary analysis and task automation.We have students from 73+ countries taking this course already!




3 comments:

  1. but most of the time dictionary attack won`t work... :(
    and it take so much time ...

    ReplyDelete
  2. Vishal, you are missing the main point. WEP is cracked and hopefully gone for good :) This post is more of an illustration of automation with Python.

    ReplyDelete