Security through Insecurity

In this Video Tutorial, I show you how to crack a wireless network secured with WPA encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video

In the last Article, I showed you how to crack your own wireless network encrypted with WEP Encryption. In the video, you saw how easy it was to crack the network. And sad to say, this kind of attack affects most home users, and even many businesses. Fortunately for everyone, WEP Encryption is not the only security option available for wireless networks. WPA Encryption, is FAR more secure (For more information about WPA Encryption, go to WPA on Wikipedia.org). Virtually every router that is has WEP encryption, also has WPA and WPA2 encryption.

Since the Linksys WRT54G Wireless Router is extremely popular, I will be showing you how to secure your wireless network using WPA2 Encryption.

Linksys WRT54G Router

Open up your favorite browser of choice (mine happens to be Firefox),and and goto 192.168.1.1. This is the most common address for your router. You should be promted with a username and password dialog. Just try admin for both, unless you’ve changed it. If you don’t get a dialog box, or the page doesn’t come up, the address may be different. You can follow these directions to find out the address, but if you already found it, you can just skip ahead.

Lets find out your Routers IP address. The following instructions are for Windows.

1. Click the “Start” Button
2. Click on “Run”
3. Type in “cmd”
4. A console window should come up.
   Type in “ipconfig”
5. Look at “Default Gateway” Write down the address, it should be in the form of xxx.xxx.xxx.xxx
6. Now like before, go into your favorite Web Browser, and Put in the address.

You should now be at the Linksys Router Start Page. It should look very similiar to this:

Linksys Start Page

All the settings on this page should be fine already.

Lets click on the “Wireless” link at the top of the page.

Now click on the Wireless Security subsection at the top of the page.

Click on “Security Mode” and select “WPA2 Personal” as shown below

Linksys Wireless Security

From here we will choose a password. DO NOT use something common, ie.. names, places, numbers. Instead, use a combination. The best passwords, are long, and very random. Something like U71tR8zi89B is good. Passwords such as grandmother, San Diego, 123456, and password are horrible to use, and will usually be guessed with great speed.

That’s it! Save the settings by clicking on the “Save Settings” button at the bottom, and you will be good to go. Now just connect your computer to your WAP (Wireless Access Point) and put in the same password you did on the Wireless Security page. Note: It’s a good idea to memorize your passwords. You can also write them down, but make sure it is in a safe place, such as a safe.

Questions, Comments?

I love feedback.

Thanks!

In this Video Tutorial, I show you how to crack a wireless network secured with WEP encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video 1. Video 2.

1. Type in “airmon-ng” to see wireless adaptors on your computer.
2. You should see a listing come up. Mine showed wlan0. Yours may be different, such a rausb0.
   Type in “airmon-ng start wlan0” to start your wireless device. Replace the “wlan0” with whatever yours showed to be. This will create a new “virtual” device, and will show the name. The name for mine was “mon0“
3. Open a new terminal window, and type “airodump mon0” again, replacing “mon0” with your new virtual devices name.
   You will begin to see a listing of different APs (access points). Find the one you want and press Control + C. Pressing Control + C will cancel the current program running in terminal. The name of the networks found is under the ESSID column. You may not see anything there, which is fine, some of them are invisible. FUSiON is the name of my network, so I went over to the BSSID column, and copied the address, which was 00:23:69:18:E4:7D. This address is important, so I could recommend copying it, or writing it down. Also take note of what channel it is on.
4. This is what I typed after that, “airodump-ng –bssid 00:23:69:18:E4:7D –channel 6 –ivs -w FUSiON mon0” This is all real easy stuff, so I’ll just explain it to you right quick. airodump-ng is the program that captures what is called IVs, the primary component in cracking WEP networks. Here goes!
   • Type “airodump-ng”
   • Add a space and type “–bssid 00:23:69:18:E4:7D” replacing the address with the address of your Network. This “flag” says we only want to see this address, and nothing else.
   • Add a space and type “–channel 6″ replacing the number 6 with the number of the channel of your Network (although 6 is VERY common, so don’t be surprised if that is it)
   • Add a space and type “–ivs” This command only captures IVs, which will make cracking the password faster.
   • Add a space and type “-w FUSiON” replacing FUSiON with the name of your network, or something that you will remember, as we will be cracking this file later to find the password. I just use the name of the network, because it helps me remember easier.
   • The “mon0″ at the end, simply defines which device to use.
5. Open a New Terminal Window. In it, type “aireplay-ng -5 -b 00:23:69:18:E4:7D mon0″
   
   • aireplay-ng is a tool that greatly helps generate IVs. Without it, it wouldn’t be possible to crack most WEP networks.
   • The “-5″ flag is one method, and the most common, that is used to generate the IVs.
   • The “-b 00:23:69:18:E4:7D” tells which address to attack. The -b stands for bssid which is the address of your network. So you will have to replace 00:23:69:18:E4:7D with the address of your network (the one that I recommended you write down or copy earlier).
   • The “mon0″ at the end, again just defines which device to use.
6. Wait and Press “Y” for yes, when it asks if you would like to use the selected frame.
7. This process may have to be repeated until you have a resulting fragment file. It will say when you do. Additionally, you can run this command “aireplay-ng -1 1 -a 00:23:69:18:E4:7D mon0″ to help assist with getting a fragment file. Again, make sure to replace my address, with your own.
8. Now we must build a file that will be used to gather those precious IVs! I did it with the following command:
   “packetforge-ng -0 -a 00:23:69:18:E4:7D -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0324-230256.xor -w arpy”
   Let me break this down for you.
   • packetforge-ng is the program which will build the arp file, as I like to call it, which you will soon see.
   • Add a space, and follow it with “-0 -a 00:23:69:18:E4:7D” and of course, replace it with your own network address.
   • Add a space, and type in “-h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255″ This part of the command is pretty universal, rarely is it changed. So we won’t go into detail on it here.
   • Add a space, and type in “-y fragment-XXXX-XXXXXX.xor”, replacing your fragment file, place of this one, as well.
   • And lastly, type in “-w arpy” just the -w is important. The arpy can be anything you can remember. It’s something I’ve just always used, cuz it’s easy for me to remember.
   • If all goes well, it Successfully built our Arp Packet.
9. Almost Done!  “aireplay-ng -3 -r arpy -b 00:23:69:18:E4:7D mon0″ is our next command.
   • aireplay-ng, like before, should get those IVs flowing in. At an average, I see about 500 IVs/Second. Which isn’t too bad. But some cards do better than others, so you may have better, or worse luck.
   • -r arpy is a flag that tells aireplay-ng to play the arp file we created called arpy.
   • Like before, -b 00:23:69:18:E4:7D specifies which address to attack, and mon0 says which wireless interface to use.
10. If all went well, we are gathering IVs! Open the airodump-ng terminal window that we’ve had open, and look at the Data column. It should be constantly rising. This is the longest process, as we have to wait. While others recommend you getting at least 100,000 IVs, I’ve never waited that long. I’ve cracked many WEPs at just 20,000, although I recommend cracking at 40,000 IVs. So go get a Dr. Pepper and wait a while until you have enough accumilated.
11. Once you have at least 40,000, we can start cracking the WEP Password!
    • This step, has to be the simplest.
    • Open a new Terminal window, and type “aircrack-ng XXXX-01.ivs” replacing the XXXX with what you used when you first started the airodump-ng command.
    • Depending on the speed of your computer, you will soon have the WEP Key Decrypted. Just make sure to remove the colons “:” before confirming the Key.

There we go, that is my tutorial on basic WEP cracking. Any Questions, Comments, or Suggestions are GREATLY appreciated!