Saturday, May 21, 2011
Wifi Hacking Tutorial
WEP stands for Wired Equivalent Privacy. It has been the encryption standard for wireless networks until now. Many people do not even use WEP because of its weak security and the hassle; WEP is pointless, because it can be cracked, although it usually takes a while to gather enough data to obtain the WEP password, especially when the password is very long.
WEP consists of a secret password and encryption. The secret password is shared between the access point and everyone on the wireless network and consists of 5 or 13 characters. The encryption process uses it to disguise the packets that travel across the WLAN, or Wireless Local Area Network. Every packet is encrypted with its own unique, random key, so if someone cracks the key of one packet, they cannot read the others without cracking them too.
This is done by combining the secret password with three characters (the Initialization Vector, or IV) chosen randomly by the wireless device. For example, if your password is "hello", one packet might use "abchello" and another "xyzhello".
WEP also uses XOR, or Exclusive OR, for encryption. XOR compares two bits, and if they're different it returns 1; if not, it returns 0. For example, 1 XOR 1 is 0, and 1 XOR 0 is 1.
An array is a variable that can hold multiple values. For example, an array alphabet[26] holds 26 values, indexed 0 through 25.
Example:
alphabet[0] = 'A';
alphabet[1] = 'B';
// swap the contents of two characters (the arguments are passed by reference)
void swap(char &first, char &second)
{
char temp = first;
first = second;
second = temp;
}
swap(alphabet[0], alphabet[1]); // now alphabet[0] == 'B' and alphabet[1] == 'A'
If the values in the array are swapped randomly many times, you can no longer tell which element holds which value.
The actual algorithm used by WEP to encrypt packets is RC4. RC4 consists of two parts: the Key Scheduling Algorithm and the Pseudo Random Generation Algorithm. The first part, the Key Scheduling Algorithm, or KSA, looks like this in C code, assuming k[] is the array holding the secret password:
int n = 256;
unsigned char s[256];
// Initialization: s[i] = i for i = 0 .. 255
for (int i = 0; i <= (n - 1); i++) s[i] = i;
int j = 0;
// Scrambling: mix the password bytes into s, one swap per iteration
for (int l = 0; l <= (n - 1); l++) {
j = (j + s[l] + k[l % keylen]) % n; // keylen is the number of bytes in k[]; the index wraps so a short password covers all 256 rounds
swap(s[l], s[j]); // swap() as defined above, here on unsigned char
}
Let's examine the code above so that we understand it:
1. The integer 'n' determines how large the state the encryption works on is. WEP uses 256.
2. The character array 'k' is the secret password combined with the three IV characters. It does not change at all in this program.
3. The '// Initialization' loop simply fills the array with the characters 0-255.
4. The integer 'j' holds a value during scrambling. It is always initialized to 0, because it must always start in range at 0.
5. Next (at '// Scrambling') the scrambling process begins. Basically, it produces an 's' array that is more 'random' than the 's' array as first specified.
6. Inside the loop, the password (k) is merged with the random array (s) to produce an index. Then the call to swap() puts the characters into their final places in the array.
Now it's time for the second part of the RC4 algorithm, the Pseudo Random Generation Algorithm (PRGA). This part outputs a key stream based on the KSA's pseudo-random array. This key stream is XORed with the cleartext data to create the encrypted data.
int i = 0;
int j = 0;
int z;
while (data_disini) // loop while there is still packet data to encrypt ('data_disini' means 'data here')
{
i = (i + 1) % n;
j = (j + s[i]) % n;
swap(s[i], s[j]);
z = s[(s[i] + s[j]) % n];
// z is output here
// and then XOR'd with the cleartext
}
1. The integers 'i' and 'j' are declared and initialized to 0.
2. There is a loop that runs until the end of the data packet is reached.
3. 'i' is incremented in each iteration of the loop to keep it moving.
4. 'j' holds the pseudo-random number.
5. Another call to swap() exchanges the active characters in s[i] and s[j].
6. 'z' is calculated by adding s[i] and s[j] and taking the value of the element at that index. The reason for this will be explained later.
7. 'z' is XOR'd with the cleartext to create the new, encrypted text.
CRC stands for Cyclic Redundancy Checksum. When packets are sent across the network, there must be a way for the receiving host to know that a packet has not been corrupted in any way. That is the purpose of the CRC. Before the data is sent, a CRC value, or checksum, is calculated for the packet and shipped with it. When it is received, the target host calculates a new CRC checksum. If the CRCs match, the integrity of the packet is confirmed.
In summary: the Access Point creates three pseudo-random characters. These are joined with the pre-chosen shared password to create the secret password. The KSA then uses this password to create a pseudo-random array, which the PRGA uses to create a key stream. This key stream is XORed with the cleartext to create the encrypted data, and the data is fed into the CRC to make the checksum.
Then the receiving host decrypts. The characters added by the AP are removed and merged with the shared password to recreate the secret password. That password goes through the whole RC4 process and is XORed with the encrypted text to produce the cleartext and the checksum. The checksum is removed, a new one is computed, and the two are compared to see whether the data is intact and whether it came from the original user.
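The following C program is an added example, not code from the original post or from any tool it names. It implements the KSA, the PRGA and the CRC-32 described above and puts them together the way the summary describes: the sender prepends a 3-byte IV to the shared password, encrypts the payload plus its checksum with RC4, and the receiver rebuilds the per-packet key from the clear IV, decrypts and recomputes the checksum. Unlike the sketch above it wraps the password index modulo the key length so a 5- or 13-byte password covers all 256 rounds; the little-endian byte order of the stored checksum (the ICV) is an assumption of this demo; the password 22222, the IV (3, 255, 7) and the payload "hello wlan" are constructed test values. RC4 itself is checked against the published test vector (key "Key", plaintext "Plaintext").

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* RC4 state: the 256-byte permutation s plus the i/j indices kept by the PRGA. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void swap_u8(uint8_t *a, uint8_t *b) { uint8_t t = *a; *a = *b; *b = t; }

/* KSA: fill s with 0..255, then scramble it with the key bytes (IV || password in WEP). */
static void rc4_ksa(rc4_t *st, const uint8_t *key, size_t keylen) {
    for (int l = 0; l < 256; l++) st->s[l] = (uint8_t)l;
    uint8_t j = 0;
    for (int l = 0; l < 256; l++) {
        j = (uint8_t)(j + st->s[l] + key[l % keylen]);   /* uint8_t arithmetic is mod 256 */
        swap_u8(&st->s[l], &st->s[j]);
    }
    st->i = st->j = 0;
}

/* PRGA: each data byte is XORed with z = s[s[i] + s[j]]. Decryption is the same call. */
static void rc4_crypt(rc4_t *st, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->s[st->i]);
        swap_u8(&st->s[st->i], &st->s[st->j]);
        out[n] = in[n] ^ st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
    }
}

/* CRC-32 (IEEE polynomial 0xEDB88320, reflected): the checksum WEP appends as the ICV. */
static uint32_t crc32_ieee(const uint8_t *d, size_t len) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t n = 0; n < len; n++) {
        c ^= d[n];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Sender: out = IV(3) || key-id byte || RC4_{IV||password}(plain || ICV). ICV stored little-endian (demo assumption). */
static size_t wep_encapsulate(const uint8_t iv[3], const uint8_t *secret, size_t seclen,
                              const uint8_t *plain, size_t plen, uint8_t *out) {
    if (plen > 1500 || seclen > 13) return 0;           /* WEP passwords are 5 or 13 bytes */
    uint8_t key[16], buf[1504]; rc4_t st;
    memcpy(key, iv, 3);
    memcpy(key + 3, secret, seclen);
    memcpy(buf, plain, plen);
    uint32_t icv = crc32_ieee(plain, plen);
    for (int b = 0; b < 4; b++) buf[plen + b] = (uint8_t)(icv >> (8 * b));
    memcpy(out, iv, 3);
    out[3] = 0;                                         /* key id 0 */
    rc4_ksa(&st, key, 3 + seclen);
    rc4_crypt(&st, buf, out + 4, plen + 4);
    return 4 + plen + 4;
}

/* Receiver: rebuild the key from the clear IV, decrypt, recompute the CRC and compare with the ICV. Returns plaintext length, or -1 on mismatch. */
static long wep_decapsulate(const uint8_t *secret, size_t seclen,
                            const uint8_t *frame, size_t flen, uint8_t *plain) {
    if (flen < 8 || flen - 8 > 1500 || seclen > 13) return -1;
    uint8_t key[16], buf[1504]; rc4_t st;
    memcpy(key, frame, 3);
    memcpy(key + 3, secret, seclen);
    rc4_ksa(&st, key, 3 + seclen);
    size_t plen = flen - 8;                             /* minus IV/key-id header and ICV */
    rc4_crypt(&st, frame + 4, buf, plen + 4);
    uint32_t got = 0;
    for (int b = 0; b < 4; b++) got |= (uint32_t)buf[plen + b] << (8 * b);
    if (got != crc32_ieee(buf, plen)) return -1;
    memcpy(plain, buf, plen);
    return (long)plen;
}

/* Known-answer check: RC4 with key "Key" turns "Plaintext" into BBF316E8D940AF0AD3. */
static int rc4_selftest(void) {
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t out[9]; rc4_t st;
    rc4_ksa(&st, (const uint8_t *)"Key", 3);
    rc4_crypt(&st, (const uint8_t *)"Plaintext", out, 9);
    return memcmp(out, expect, 9) == 0;
}

/* Round trip with the post's test values (password 22222, IV 3,255,7), then flip one ciphertext bit and confirm the ICV check rejects the damaged frame. */
static int wep_roundtrip_demo(void) {
    const uint8_t secret[5] = {'2','2','2','2','2'}, iv[3] = {3, 255, 7};
    const uint8_t msg[] = "hello wlan";                 /* constructed sample payload */
    uint8_t frame[64], back[64];
    size_t flen = wep_encapsulate(iv, secret, 5, msg, sizeof msg, frame);
    int ok = wep_decapsulate(secret, 5, frame, flen, back) == (long)sizeof msg
             && memcmp(back, msg, sizeof msg) == 0;
    frame[6] ^= 0x01;                                   /* simulate corruption in transit */
    return ok && wep_decapsulate(secret, 5, frame, flen, back) == -1;
}

int main(void) {
    printf("rc4 known answer: %d, wep round trip + icv check: %d\n", rc4_selftest(), wep_roundtrip_demo());
    return 0;
}
```

Build with cc -std=c99 and run; both checks print 1. The flipped-bit case shows what the ICV does and does not give you: it catches accidental corruption, but it is a plain CRC rather than a keyed authentication code, so it only tells the receiver the bits arrived intact, not who sent them.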
Part II: Cracking WEP
Before we get to cracking WEP, let us discuss some flaws in the encryption process:
* There is a 5% chance that the values in s[0]-s[3] will not change after three iterations of the KSA.
* The first value of the encrypted data is the SNAP header, which is 0xAA, or 170 in base 10. Sniffing the first byte and XOR-ing the encrypted byte with 170 gives the first byte of the PRGA output.
* A particular format of IV bytes sent by the AP shows that it is weak and easy to crack. This format is (B + 3, 255, X), where B is the byte of the secret password and X can be anything.
We'll talk about the KSA now. Let us define some variables to "test":
* The IV taken from the AP is (3, 255, 7). We sniffed it from the air. The test above shows that this IV is very weak.
* The shared password is 22222. In practice, you will not know this.
* N is 256.
* If a value exceeds 256, a modulo operation is performed on it and the resulting value is used.
* The array 's' has been initialized with the values 0-255.
Open the program Kismet. Kismet is a free wireless scanner for Linux. When you open it, you'll see a list of WLANs within range. Choose one and make a note of the following four details (the target is one of the host computers on that WLAN):
* AP MAC address
* MAC address of the target computer
* WEP key in use
* Wi-Fi channel in use
Open Aircrack and it will start capturing packets, including the IVs. But this takes a long time. It can take several hours or even days to capture enough IVs to crack the WEP password.
Fortunately, we can speed it up. For example, if a WLAN is very busy, there will be more traffic and so more packets with IVs, so the IVs are gathered more easily. If we keep pinging the network, more data packets will result.
ping -t ip_address -l 50000
So what do we do now? We have little data, but we need to get the WEP password. This is where void11 comes in. Void11 deauthenticates all the hosts from the AP, cutting all of them off. The first thing those hosts do is automatically try to reconnect to the AP.
But there is another technique called a replay attack. It captures a packet from a host on the WLAN, then spoofs the host and repeats the packet over and over again, generating a very large amount of data packet traffic. The best of these programs is aireplay. This is what void11 was used for.
Open airodump. Now, thanks to the replay attack, IVs come in at about 200 per second. Wow! You'll probably get all the packets you need within 10 minutes. All captured IVs are written into a file. Then open aircrack. Aircrack reads all the captured IVs from the file and performs statistical analysis on them. Then it will try brute forcing on that file. After finding the password, it will be displayed to you.
Hehehe... Finally: you've got the password.
source: www.imam77.co.cc
1 comment:
Hi there, thanks for giving us valuable information in your blog. I hope you can provide more information like this in the future. Thanks
domain and hosting services