
Cracking the Wired Equivalent Privacy (WEP) key
Project 1 for CSCI388
Advisor: Dr. Xiuzhen Cheng

1. Introduction

The purpose of this project is to experiment with an IEEE 802.11 wireless network and learn how to exploit its security properties. In this project, you will learn how to use a variety of tools for surveying and sniffing wireless networks. The overall goal, however, is to crack the Wired Equivalent Privacy (WEP) protocol defined in the 802.11 standard. WEP is riddled with security flaws; most of these weaknesses are described in "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir.

2. Notes and suggestions

There is only one AP, located near AC 725, running both the 802.11b and 802.11g protocols. Please report to [email protected] or [email protected] if the AP seems to be malfunctioning.

No laptop will be provided for students in this project. You have to use your personal equipment/laptop.

Linux is highly recommended for this project, though Windows can do the same job. The best practice is to use a security-oriented Linux distribution (such as WHAX, BackTrack, etc.) booted from a USB flash drive of at least 1 GB. If you are not familiar with Linux, start your project as early as possible; do not start it at the last minute. It does require some effort to get it done!

Please be advised that you should be very careful when trying different network sniffing and monitoring tools. Do not hack any wireless network other than the one (SSID CSCI388) provided for this course.

You are not required to follow the steps suggested below as long as you finish the required task correctly. Those steps are only meant as guidelines; the task can be done by any means necessary.

2.1. Step I

To begin this project, you will have to find out detailed information about the wireless network with the SSID "CSCI388": what security features the access point implements, the AP's MAC address, which clients are associated with the AP, etc. Of course, simply configuring your client to associate with the access point will not get you connected.

• For Windows users, you can survey the site using NetStumbler.
• For Linux users, you can use either Kismet or AirSnort.

After surveying the site, it should be fairly clear as to why you cannot associate properly.

2.2. Step II

This step requires you to sniff the traffic on the WLAN; hopefully this provides you with enough information to crack the WEP key and then associate with and use the WLAN. Tools such as Kismet, AirSnort, Aircrack-ng and Wireshark can be used, but you may use whatever you like.

Definitely be patient with the sniffing. Wait until enough WEP-encrypted data has been collected. It is important to look for WEP-encrypted data sent to/from the SSID, because those frames contain the most important data (i.e., the weak IVs). For a 64-bit WEP key, between about 50,000 and 20,000 packets are required; for a 128-bit key, between 200,000 and 700,000. For various reasons (I have seen many different ones), some students still cannot recover the key even with 1,000,000 packets collected.
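As an added illustration of what "looking for WEP-encrypted data sent to/from the SSID" means at the frame level, the following Python (written for this write-up; it is not code from the course, from Kismet or from Aircrack-ng) parses raw 802.11 data-frame headers, uses the Protected Frame bit and the To/From DS bits to locate the BSSID and the 24-bit IV, and counts distinct and reused IVs for one BSSID along with the capture rate asked for in 3.2.4. The frames, BSSID and MAC addresses are constructed inline and are not the course AP's real values; on a real capture you would feed it the raw 802.11 frames from a monitor-mode pcap instead.

```python
"""Classify captured 802.11 data frames by BSSID and count WEP IVs.

Added example for this write-up. All frames and addresses below are
constructed by hand, not captured from the course AP.
"""
import struct

FC_TYPE_DATA = 2
FC_FLAG_TODS = 0x01
FC_FLAG_FROMDS = 0x02
FC_FLAG_PROTECTED = 0x40  # "Protected Frame" bit: body is WEP/TKIP/CCMP encrypted


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(bssid, client, iv, key_id, body, to_ds=True, protected=True):
    """Construct a minimal non-QoS data frame (sample input, hypothetical addresses)."""
    upstream = mac_bytes("00:00:00:00:00:01")  # constructed wired-side host
    fc0 = FC_TYPE_DATA << 2                    # version 0, type data, subtype 0
    fc1 = FC_FLAG_TODS if to_ds else FC_FLAG_FROMDS
    if protected:
        fc1 |= FC_FLAG_PROTECTED
    if to_ds:   # station -> AP: Addr1 = BSSID, Addr2 = SA, Addr3 = DA
        a1, a2, a3 = mac_bytes(bssid), mac_bytes(client), upstream
    else:       # AP -> station: Addr1 = DA, Addr2 = BSSID, Addr3 = SA
        a1, a2, a3 = mac_bytes(client), mac_bytes(bssid), upstream
    header = struct.pack("<BBH6s6s6sH", fc0, fc1, 0, a1, a2, a3, 0)
    if not protected:
        return header + body
    iv_hdr = iv.to_bytes(3, "big") + bytes([(key_id & 3) << 6])  # 3 IV octets + key ID
    return header + iv_hdr + body + b"\x00\x00\x00\x00"           # body + placeholder ICV


def parse_frame(raw: bytes):
    """Return header fields of one raw 802.11 frame, or None if it is too short."""
    if len(raw) < 24:
        return None
    fc0, fc1, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", raw[:24])
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & FC_FLAG_TODS), bool(fc1 & FC_FLAG_FROMDS)
    protected = bool(fc1 & FC_FLAG_PROTECTED)
    # Which address field carries the BSSID depends on the DS bits.
    if to_ds and not from_ds:
        bssid, sa = a1, a2
    elif from_ds and not to_ds:
        bssid, sa = a2, a3
    elif not to_ds and not from_ds:
        bssid, sa = a3, a2
    else:
        bssid, sa = None, a2  # WDS frame: four addresses, no single BSSID
    info = {"type": ftype, "subtype": subtype, "protected": protected,
            "bssid": mac_str(bssid) if bssid else None, "sa": mac_str(sa), "iv": None}
    hdr_len = 24 + (2 if ftype == FC_TYPE_DATA and subtype & 0x8 else 0)  # QoS data
    if ftype == FC_TYPE_DATA and protected and len(raw) >= hdr_len + 4:
        iv_hdr = raw[hdr_len:hdr_len + 4]
        if not iv_hdr[3] & 0x20:  # Extended IV bit set means TKIP/CCMP, not WEP
            info["iv"] = int.from_bytes(iv_hdr[:3], "big")
            info["key_id"] = iv_hdr[3] >> 6
    return info


def summarize(frames, target_bssid, duration_s):
    """Count WEP data frames and distinct/reused IVs for one BSSID plus the capture rate."""
    stats = {"frames": 0, "wep_data": 0, "unique_ivs": 0, "reused_ivs": 0, "rate_fps": 0.0}
    seen = {}
    for raw in frames:
        stats["frames"] += 1
        f = parse_frame(raw)
        if not f or f["bssid"] != target_bssid or f["iv"] is None:
            continue
        stats["wep_data"] += 1
        seen[f["iv"]] = seen.get(f["iv"], 0) + 1
    stats["unique_ivs"] = len(seen)
    stats["reused_ivs"] = sum(1 for c in seen.values() if c > 1)  # keystream reuse indicator
    stats["rate_fps"] = stats["frames"] / duration_s if duration_s else 0.0
    return stats


AP_BSSID = "00:11:22:33:44:55"   # constructed, not the course AP's BSSID
CLIENT = "aa:bb:cc:dd:ee:01"     # constructed client MAC
OTHER_AP = "66:77:88:99:aa:bb"   # constructed neighbouring network
SAMPLE_FRAMES = [
    build_data_frame(AP_BSSID, CLIENT, 0x010203, 0, b"\x01\x02\x03\x04"),
    build_data_frame(AP_BSSID, CLIENT, 0x010204, 0, b"\x05\x06\x07\x08", to_ds=False),
    build_data_frame(AP_BSSID, CLIENT, 0x010203, 0, b"\x09\x0a\x0b\x0c"),   # IV reused
    build_data_frame(OTHER_AP, CLIENT, 0x010203, 0, b"\x0d\x0e\x0f\x10"),   # other BSSID
    build_data_frame(AP_BSSID, CLIENT, 0x010205, 0, b"\x11\x12\x13\x14", protected=False),
    b"\x08\x01\x00\x00",  # truncated frame, skipped by the parser
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES, AP_BSSID, duration_s=10.0))
```

Frames from the neighbouring BSSID and unencrypted data frames are ignored, which is the filtering the paragraph asks for; a non-zero `reused_ivs` count is the symptom that makes the IV space problem visible in a real capture.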

There is, however, a very stealthy attack that does not require this. Instead of passively collecting data, you can actively spoof the AP so that more "weak" IVs are sent out; you therefore end up with enough weak IVs in much less time. Last year's record for recovering the WEP key was under 2 hours.

2.3. Step III

After doing your reconnaissance, you should have acquired enough information to recover the encryption key and access the server. Once you recover the right key (in ASCII format; convert it to ASCII if you get the key in hexadecimal), you will know immediately that it is the right key, simply because I chose some magic words.

2.4. Step IV

There is a file named "file_of_cs388" on the server. Your job is to get that file. Once you are connected to the network with the key you recovered, you will need to find out what is going on: by sniffing the network traffic, figure out which host is the server and which services it provides.

In one of those services, "file_of_cs388" is being transferred to clients, so you can masquerade as a legitimate client to get the file. Note that all the information needed to act as a legitimate user has already been collected in Step III.

3. Write up format

3.1. Background information

3.1.1. What OS and software tools have you used in this project? Provide information such as version numbers.
3.1.2. What type of wireless card and driver are used? Give the chipset and driver version of your wireless card.

3.2. Surveillance information

3.2.1. Describe the security features implemented at the AP, such as the protocol and key length. Is MAC filtering used?
3.2.2. Provide detailed information about the AP and its associated clients: the BSSID and SSID of the AP, and the MAC addresses of the clients.
3.2.3. Specify the rough location and time at which you cracked the WEP key. Give the RSSI value perceived at your location at that time.
3.2.4. Record the data capture rate of your wireless card.

3.3. Collected traffic analysis

3.3.1. The WEP key you recovered, in ASCII format. Provide detailed steps (including which tools and commands, with parameters, were used; include screenshots if necessary).
3.3.2. Analyze the sniffed packets and find the IP address of the server.
3.3.3. Find the vulnerable services running on the server. You may use a tool such as Nessus for this task.
3.3.4. Describe how you can connect to the server as a legitimate user.
3.3.5. Try to send forged management frames such as de-authentication and disassociation frames. Try to capture one ARP request packet and replay it. (These two tasks are for extra credit.)

3.4. Answer the following questions briefly.

3.4.1. List the vulnerabilities found in WEP.
3.4.2. What is the best practice for creating a secure Wi-Fi network?
3.4.3. How would you prevent WEP key-cracking attacks?
3.4.4. Once the WEP key has been discovered by adversaries, what will you do to protect the Wi-Fi network? (Simply rekeying is the answer I am looking for.)
3.4.5. How does WPA using TKIP differ from WEP? Also explain port-based authentication. What are the vulnerabilities of WPA?
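To give questions 3.4.1 and 3.4.4 concrete substance, here is an added Python example (written for this write-up; it is not part of the assignment and does not describe how the course AP is configured). It implements a minimal WEP encapsulation, RC4 keyed with IV || key and a CRC-32 integrity check value, and then shows two of the weaknesses a write-up should list: the birthday bound on a 24-bit IV space gives the number of frames after which an IV repeat is more likely than not, and two frames sent under the same IV have ciphertexts whose XOR equals the XOR of their plaintexts, because the keystream is identical. The second point is why rekeying is only a stopgap: a fresh key restarts the same small IV space. The key and messages are constructed sample values.

```python
"""Minimal WEP encapsulation (RC4 + CRC-32 ICV) and two of its weaknesses.

Added example for this write-up; the key and messages are constructed
sample values, not the course AP's key.
"""
import zlib

IV_SPACE = 2 ** 24                    # WEP IVs are 24 bits and sent in the clear
SAMPLE_KEY = b"\x01\x02\x03\x04\x05"  # constructed 40-bit key (64-bit WEP)


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: plain CRC-32, which is linear, not a MAC."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    """Return IV (3 clear bytes) || (plaintext || ICV) XOR RC4(IV || key)."""
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4(iv_bytes + key, len(plaintext) + 4)
    return iv_bytes + xor_bytes(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt a frame from wep_encrypt; return the plaintext, or None if the ICV fails."""
    iv_bytes, body = frame[:3], frame[3:]
    decrypted = xor_bytes(body, rc4(iv_bytes + key, len(body)))
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == received_icv else None


def iv_reuse_leaks_plaintext_xor(key: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    """Same key and IV give the same keystream, so C1 XOR C2 == (P1||ICV1) XOR (P2||ICV2)."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1 + icv(p1), p2 + icv(p2))


def frames_until_iv_collision(space: int = IV_SPACE, probability: float = 0.5) -> int:
    """Smallest frame count for which P(some randomly chosen IV repeats) >= probability."""
    no_collision = 1.0
    n = 0
    while 1.0 - no_collision < probability:
        no_collision *= 1.0 - n / space  # the next frame must avoid the n IVs already used
        n += 1
    return n


if __name__ == "__main__":
    frame = wep_encrypt(SAMPLE_KEY, 0x000102, b"hello, WLAN")
    print("round trip:", wep_decrypt(SAMPLE_KEY, frame))
    print("IV reuse leaks P1 XOR P2:",
          iv_reuse_leaks_plaintext_xor(SAMPLE_KEY, 0x000102, b"arp request ", b"dhcp discover"))
    print("frames until a repeated IV is more likely than not:", frames_until_iv_collision())
```

Two design notes: `rc4` is checked in the test against the published "Key"/"Plaintext" test vector, so the encapsulation is real RC4 rather than a stand-in; and `frames_until_iv_collision` uses the exact product rather than the e^(-n^2/2N) approximation, which is why it returns a number in the low 4,800s for a 24-bit space, a figure a busy 802.11b network reaches in minutes regardless of how long the key is.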

3.5. Extra credit: recover the WEP key using a different approach (20 pts). Provide the detailed steps and commands.

Please put everything into a tar/zip ball and email it to [email protected] and [email protected].

Good luck and enjoy!