WEP vs WPA2 e - cysecure.orgcysecure.org/560/online/project/wpa2Encrypt_rajRamadhim_bashMoha… ·...

WEP VS WPA2 Encryptions Mercy College Alexander Martin, Basiru Mohammed, Rajkumar Ramadhin IASP 560 December 13, 2019


  • WEP VS WPA2

    Encryptions

    Mercy College

    Alexander Martin, Basiru Mohammed, Rajkumar Ramadhin

    IASP 560

    December 13, 2019

  • 1

    Contents

    1.0 Introduction.............................................................................................................................................. 2

    2.0 Problem Description ................................................................................................................................ 2

    3.0 WEP Encryption ...................................................................................................................................... 3

    3.1 WEP Vulnerabilities ............................................................................................................................ 3

    4.0 WPA2 Encryption .................................................................................................................................... 4

    4.1 WPA2 Vulnerabilities .......................................................................................................................... 5

    5.0 Our Approach .......................................................................................................................................... 5

    5.1 Cracking WPA/WPA2 Wi-Fi Router with Aircrack-ng ...................................................................... 6

    5.1.1 Setting up the field ........................................................................................................................ 6

    5.1.2 Preparing the field ......................................................................................................................... 6

    5.1.3 Finding the Target ......................................................................................................................... 7

    5.1.4 Capture the 4-way Handshake ............................................................................................... 8

    5.1.5 Cracking With Aircrack-ng .......................................................................................................... 9

    5.2 Password Cracking: WEP .................................................................................................................. 10

    5.3 Using Bash Script to perform a de-authentication attack .................................................................. 12

    6.0 Conclusion ............................................................................................................................................. 13

    7.0 References .............................................................................................................................................. 13

  • 2

    1.0 Introduction

    As technology advances, so does security. Security algorithms to protect wireless networks were created to protect people from malicious users. Unfortunately, this does not always work; shortly after WEP was created, multiple security flaws were discovered. It was later followed by numerous forms of WEP before the industry moved to the now-standard WPA2. While WPA2 is more secure, it still has vulnerabilities of its own. This report aims to look at these weaknesses and exploit them in real-world scenarios. The significance of this research becomes obvious as ordinary people fall victim to seemingly “safe” encryptions and leave themselves open to several attacks. This paper will enable an individual using a router with either encryption to know how to protect his or her network. Also, in 2015 it was reported that some AirBnB owners were found to have installed secret surveillance cameras in their rented apartments/houses. As a result of this, a programmer created a bash script that would perform a de-authentication attack using minimal tools or programs. This will help the ordinary tourist know how to kick any of these devices offline (if any) and sleep soundly in his or her temporary home knowing that nobody is spying on him or her.

    2.0 Problem Description

    There have been several encryption methods in succession: whenever one is developed and later becomes vulnerable due to advances in technology, another is developed to replace or supplement it. It started with WEP, meant to be the wired equivalent for WLAN technology. Unfortunately, WEP failed for a number of reasons and was eventually surpassed by WPA2. This paper aims at comparing the encryption methods and the ease of realistically cracking their individual passwords. We also evaluated the difference WEP will make on IoT devices compared to WPA2.

  • 3

    Further recommendations will be made on which to use and how best to protect a network using either.

    3.0 WEP Encryption

    Wired Equivalent Privacy (WEP) was first introduced in 1997 as part of the original 802.11 standards. The initial goal of WEP was to provide the same type of security as a traditional wired network. It became the industry standard in 1999. WEP uses the stream cipher Rivest Cipher 4 (RC4) as its method of encryption. WEP started with a 64-bit encryption model: a 40-bit key combined with a 24-bit initialization vector. The original WEP key size was limited by the US Government restriction on cryptographic technology. It was later changed to 128-bit, with a 104-bit key size, and then it evolved into a 256-bit WEP key. Even though the stronger 256-bit key is available, the 128-bit key is still the standard.

    Authentication works by having the endpoint send an authentication request to the Access Point. The Access Point responds with a clear-text challenge. The client encrypts the challenge text using the configured WEP key and sends it back in another authentication request. Finally, the Access Point decrypts the response and, if it matches the challenge text, sends back a positive response.

    3.1 WEP Vulnerabilities

    WEP features a multitude of vulnerabilities. The first one is that it does not prevent forgery of packets. It does not protect against replay attacks, and an attacker can get into an Access Point without knowing the encryption key due to the reuse of initialization vectors. Due to the poor implementation of RC4 encryption, it is prone to brute-force attacks within hours.

  • 4

    To solve these problems, WEP2 and WEP+ were introduced. WEP2 was a solution for hardware that was not able to handle WPA and WPA2. It attempted to fix the access key issue and the reuse of initialization vectors but failed and was renamed to WPA-TKIP. WPA-TKIP took a feature from dynamic WEP, the ability to change keys; while that feature made it into WPA-TKIP, it never appeared in standard WEP. WEP+ was a proprietary version by Access Systems. The security improvements that came with WEP+ were only available when both endpoints were connected with WEP+.

    4.0 WPA2 Encryption

    In 2004, the Institute of Electrical and Electronics Engineers (IEEE) created 802.11i, a supplement to the already existing 802.11 wireless network standard, due to the well-known weaknesses of WEP and of the TKIP used by WPA [1]. The Wi-Fi Alliance, an industry regulation organization which owns the trademark for Wi-Fi, adopted 802.11i to be used with the WPA2 certification without requiring the replacement of legacy hardware [2].

    The main improvement of WPA2 is the substitution of TKIP with AES-CCMP for non-enterprise authentication. The Temporal Key Integrity Protocol (TKIP) is not an encryption algorithm; it was introduced with WPA to govern the creation of a new 128-bit key for each packet sent, and it prevents the replay attacks that make any WEP network vulnerable to cracking software. WEP uses a Cyclic Redundancy Check, while TKIP came with a Message Authentication Code, which is much stronger.

    However, the nightmares for TKIP started when it became vulnerable to Man-In-The-Middle attacks in 2008. Martin Beck and Erik Tews discovered a way to exploit 802.11e QoS features to decrypt short packets in a TKIP-protected network.

  • 5

    AES comes with CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol). AES-CCMP is not susceptible to the same replay attacks that brought TKIP to its knees in 2009. However, even though the WPA2 certification supports AES-CCMP, it is backward compatible with TKIP, so many users could still run TKIP so that devices without WPA2 support could connect to the network.

    4.1 WPA2 Vulnerabilities

    Just when we thought there was a solution for wireless security through AES-CCMP, the famous KRACK attack brought its failure in early 2017. 802.11i allowed for the occasional dropped network connection and, in order to speed up re-connection, allowed the reuse of an old key by devices that have lost connection. This makes it possible for an attacker to reconstruct the entire keychain by capturing packets and using a replay attack to force the network to repeatedly send the same known blocks with a new random number, and so gain access to the network. Sometimes, when both WPA and WPA2 are enabled on a router, they can cause connection failures on the client side.
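    Sections 3.1 and 4.1 both come down to the same cryptographic failure: a stream-cipher keystream used twice. The following Python model is added here as an educational example; it is not code from this paper, from Aircrack-ng or from any other tool cited. It builds WEP-style frames (cleartext 24-bit IV, RC4 keyed with IV || secret, CRC-32 integrity check value), shows that two frames sharing an IV leak the XOR of their plaintexts with no key involved, and shows that randomly chosen 24-bit IVs are expected to collide after only about five thousand frames. The secret, IVs and payloads are constructed. The XOR leak is exactly what a repeated CCMP nonce produces under AES in counter mode, which is why the key reinstallation described in 4.1 is serious even though the cipher itself is sound.

```python
"""Keystream reuse in a WEP-style RC4 stream cipher.

Added educational model (not the paper's code, not Aircrack-ng): frames carry a
cleartext 24-bit IV, the RC4 key is IV || secret, and the payload is protected
only by a CRC-32 integrity check value (ICV), as in WEP.
"""
import math
import os
import zlib
from itertools import count
from typing import Optional

IV_BITS = 24
IV_SPACE = 1 << IV_BITS           # 16,777,216 possible IVs per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_frame(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || secret) XOR (payload || CRC32(payload))."""
    assert len(iv) == 3 and len(secret) in (5, 13)   # 40- or 104-bit secret
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + _xor(payload + icv, rc4_keystream(iv + secret, len(payload) + 4))


def wep_decrypt_frame(secret: bytes, frame: bytes) -> bytes:
    """Recover the payload and verify the ICV; raises ValueError on mismatch."""
    iv, body = frame[:3], frame[3:]
    clear = _xor(body, rc4_keystream(iv + secret, len(body)))
    payload, icv = clear[:-4], clear[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """Two frames with the same IV share a keystream, so XORing the ciphertexts
    cancels it and leaves plaintext1 XOR plaintext2, with no key involved."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2)) - 3
    return _xor(frame1[3:3 + n], frame2[3:3 + n])


def frames_until_iv_repeats(draw=os.urandom) -> int:
    """Draw random 24-bit IVs until one repeats; returns the number of frames sent."""
    seen = set()
    for n in count(1):
        iv = draw(3)
        if iv in seen:
            return n
        seen.add(iv)


def expected_frames_until_repeat() -> float:
    """Birthday bound: roughly sqrt(pi * IV_SPACE / 2) frames, about 5,100."""
    return math.sqrt(math.pi * IV_SPACE / 2)


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"                 # constructed 40-bit secret
    f1 = wep_encrypt_frame(secret, b"\x00\x00\x01", b"hello world!")
    f2 = wep_encrypt_frame(secret, b"\x00\x00\x01", b"HELLO WORLD!")
    print("plaintext XOR recovered without key:", xor_of_plaintexts(f1, f2)[:12].hex())
    print("frames until an IV repeated:", frames_until_iv_repeats(),
          "(expected about %.0f)" % expected_frames_until_repeat())
```

    A busy access point sends far more than five thousand frames in a few minutes, so an observer who merely collects frames and sorts them by IV obtains colliding pairs without doing any cryptanalysis; that, together with the linear CRC that TKIP replaced with a real MAC, is what makes WEP unfixable rather than merely weak.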

    5.0 Our Approach

    For the implementation side of our project, after extensive research on the implementation and vulnerabilities of the individual encryption methods under consideration, we will go ahead and set up procedures to test the difficulty of cracking each of the encryption processes. A testing environment in the form of Kali Linux is set up to try to crack simple WEP and WPA2 passwords. Later, as the project evolves, we may attempt to bring a Wi-Fi-based surveillance camera offline.

  • 6

    5.1 Cracking WPA/WPA2 Wi-Fi Router with Aircrack-ng

    When Wi-Fi networks are secured with weak passwords, the procedure stated below illustrates how they are cracked.

    5.1.1 Setting up the field

    To begin this procedure, a fully operational Kali Linux system is required. Aircrack-ng is installed with the Debian command sudo apt-get install aircrack-ng, and finally it must be ensured that the wireless card supports monitor mode.

    5.1.2 Preparing the field

    • Before we go into monitor mode, the commands airmon-ng check and airmon-ng check kill are used to stop or terminate all conflicting programs.

    • Use the command airmon-ng to list the wireless interfaces that support monitor mode, if any, and note the wireless interface to be used, say, wlan0.

    • The command airmon-ng start wlan0 is used to place the wlan0 interface into monitor mode.

  • 7

    • iwconfig is run to confirm that the selected interface is in monitor mode.

    5.1.3 Finding the Target

    • The command airodump-ng mon0 is used to listen for 802.11 Beacon frames broadcast by wireless routers in proximity (the listening interface must support monitor mode). Choose the network you want to crack, noting its BSSID (MAC address) and the channel (CH) number displayed, to proceed with the next step.

  • 8

    5.1.4 Capture the 4-way Handshake

    • WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. This handshake is captured by directing airmon-ng to monitor traffic on the target network using the BSSID and the channel values noted from the previous step.

    • Begin capturing packet information from the victim router/network using airodump-ng -c #channelnumber# -w capture -d #victimbssid# wlan0mon. This will automatically monitor and search for any packet exchanges.

    • Keep this running until the SSID of the station to be used in the next command is obtained.

    • Use aireplay-ng --deauth 0 -a #victimbssid# -c #stationbssid# wlan0mon in a new command window to begin the deauthentication attack and packet capture.

    • While keeping an eye on the airodump-ng window, once a handshake is captured it will be displayed at the top right and will be autosaved as a .cap file.

  • 9

    • Use wireshark nameofcapturefile to open the capture in Wireshark and view the captured handshake information. (While in Wireshark, filter by "eapol" and all 4 handshake messages will be seen.)

    5.1.5 Cracking With Aircrack-ng

    • To obtain a word list for the attack, the dictionary file “rockyou.txt” is downloaded from the URL: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

    • While in the terminal, we go to the directory of the wordlist with ~# cd /usr/share/wordlists/ and ls is used to list all the files in the directory. The wordlist ships compressed, so it is unpacked with something like ~# gzip -d rockyou.txt.gz

    • Cracking with the wordlist begins using the command aircrack-ng #nameofcapturedfile# -w /usr/share/wordlists/rockyou.txt and when the password is found, it will be seen next to ‘KEY FOUND’ as shown below.
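    The dictionary step above works because WPA2-PSK derives the Pairwise Master Key deterministically from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output), so every wordlist entry can be tested offline against a captured handshake and nothing on the router slows the attacker down. The following Python is added here as an example for the defender's side; it is not code from this paper, from Aircrack-ng or from Wifite. It derives the PMK with the standard parameters, screens a candidate passphrase against the WPA2 length rules and a constructed wordlist excerpt, and measures the cost of one guess on the local machine so the reader can see how little the 4096 rounds buy against a list of a few million words. The SSID "ExampleNet" and the wordlist entries are constructed; the known-answer pair (passphrase "password", SSID "IEEE") is the test vector published with 802.11i.

```python
"""WPA2-PSK passphrase check.

Added example (not the paper's code): derives the PMK as 802.11i defines it,
screens a candidate passphrase, and measures the cost of one dictionary guess.
"""
import hashlib
import time

# Constructed wordlist excerpt; a real policy check would stream a file such as
# rockyou.txt instead of holding it in memory.
SAMPLE_WORDLIST = {"123456", "password", "iloveyou", "princess", "rockyou", "sunshine"}

# Approximate line count of the rockyou.txt list used in the procedure above.
ROCKYOU_APPROX_LINES = 14_000_000


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def check_passphrase(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the reasons a passphrase is a poor PSK (empty list = acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:              # WPA2 passphrase length bounds
        problems.append("length must be 8 to 63 characters")
    if passphrase in wordlist:
        problems.append("appears in wordlist")
    if passphrase.isalpha() or passphrase.isdigit():
        problems.append("uses a single character class")
    return problems


def seconds_per_guess(ssid: str = "ExampleNet", samples: int = 20) -> float:
    """Time one PMK derivation on this machine: the price a cracker pays per guess."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i}", ssid)
    return (time.perf_counter() - start) / samples


def hours_to_exhaust(wordlist_size: int, per_guess: float) -> float:
    """Single-core estimate; extra cores and GPUs divide this figure further."""
    return wordlist_size * per_guess / 3600


if __name__ == "__main__":
    print("password ->", check_passphrase("password"))
    per_guess = seconds_per_guess()
    print(f"{per_guess * 1000:.2f} ms per guess on this machine;"
          f" a rockyou-sized list takes about"
          f" {hours_to_exhaust(ROCKYOU_APPROX_LINES, per_guess):.1f} h on one core")
```

    The only defender-side controls the derivation leaves are the passphrase itself and the SSID: a passphrase that is not in any list is never found this way regardless of how fast the hardware is, and an uncommon SSID prevents precomputed tables from being reused across networks.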

  • 10

    5.2 Password Cracking: WEP

    To crack WEP we plan to utilize a Kali Linux tool known as Wifite. Wifite is an out-of-the-box automated WEP, WPA and WPS cracking tool. Wifite’s automation is impressive. This tool is customizable with only a few arguments (timeouts, packets/second). It scans and sorts the targets by signal strength and cracks the access points with the strongest signal first. It automatically performs deauthentication attacks to reveal SSIDs. It has an ‘anonymous’ feature which changes the MAC address and changes it back when the attack is done. The captured WPA handshakes are backed up to the current directory of wifite.py. It allows any initiated attack to be stopped with Ctrl+C, providing options to continue, move to the next target, skip, or exit with all of its cracked passwords saved to cracked.txt. Wifite at play is demonstrated below:

    • Use airmon-ng start wlan0 to put interface wlan0 in monitor mode, as used above.

    • iwconfig is used to confirm that wlan0 is in monitor mode.

  • 11

    • Use the command wifite to begin Wifite. It begins to scan for all the Wi-Fi connections in the vicinity; press Ctrl+C when the Wi-Fi network you want to attack is found.

    • It then prompts you to select the network(s) you want to attack, since you can attack multiple networks. In this case we select 3. This will initiate a number of attacks on the selected network but will provide you an option to move or skip to the next attack.

    • It performs the deauthentication attack on the network, captures the handshake and saves it as a .cap file.

    • It then begins the analysis of the .cap file and cracks the password using the built-in wordlist or dictionary, as seen below.

  • 12

    5.3 Using Bash Script To Perform A De-Authentication Attack

    In 2015 it was reported that some AirBnB owners were found to have installed secret surveillance cameras in their rented apartments/houses. As a result of this, a programmer created a bash script that would perform a de-authentication attack using minimal tools or programs. The script would auto-detect two types of popular cameras and automatically disconnect them from their respective networks, bringing them offline. We will test this script to see its viability.

    The script used in this process is called dropkick.sh, created by /JulianOliver and available through GitHub. The script does everything the process before did, but in a single shell script, and repeats the code every 30 seconds. The benefit of the code running every 30 seconds is that it will continually kick devices off the network, preventing Wi-Fi cameras from reconnecting and spying. The biggest issue with dropkick.sh is that it finds devices made by specific manufacturers, so it can also remove baby monitors and other devices on the network. The only necessary step in running this script is using the command chmod +x dropkick.sh to make the file executable.
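    Both the aireplay-ng step in 5.1.4 and the dropkick.sh loop described here produce the same observable on the air: bursts of deauthentication (or disassociation) management frames, typically addressed to broadcast with the source address set to the BSSID, repeating far faster than any access point drops idle clients. The following Python is an added example for the defender, not code from this paper or from dropkick.sh. It parses raw 802.11 management frames, keeps a sliding window of deauth/disassoc frames per BSSID, and raises one alert per burst when a threshold is exceeded, while letting a single deauth pass. The frame layout is the standard 802.11 management header (frame control, duration, three addresses, sequence control, then a 2-byte reason code); the MAC addresses and the capture are constructed. On a real sensor the frames would come from a monitor-mode interface. The same forgery is neutralised by 802.11w Protected Management Frames, which WPA3 makes mandatory, since an unprotected deauthentication frame is then discarded by the client.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added educational example (not the paper's code, not dropkick.sh). Frame layout
follows IEEE 802.11: frame control, duration, DA, SA, BSSID, sequence control,
then a 2-byte reason code for deauthentication/disassociation frames. The
traffic below is constructed, not captured.
"""
import struct
from collections import defaultdict
from typing import Iterable, Optional

DEAUTH, DISASSOC = 12, 10            # 802.11 management-frame subtypes


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


# Constructed, locally administered addresses (02:... prefix), not real devices.
AP_BSSID = mac("02:00:00:00:aa:01")
CAMERA = mac("02:00:00:00:cc:01")
BROADCAST = b"\xff" * 6


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes,
                     seq: int, reason: int) -> bytes:
    """Build a minimal management frame (used here only to make sample traffic)."""
    fc = subtype << 4                  # protocol version 0, type 0 (management)
    return (struct.pack("<HH", fc, 0) + dst + src + bssid
            + struct.pack("<H", seq << 4)   # fragment 0, sequence in upper 12 bits
            + struct.pack("<H", reason))


def parse_mgmt_frame(frame: bytes) -> Optional[dict]:
    """Return the fields a detector needs, or None for non-management frames."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:           # type bits: 0 = management
        return None
    info = {
        "subtype": (fc >> 4) & 0xF,
        "da": frame[4:10].hex(":"),
        "sa": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": None,
    }
    if info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames: Iterable[tuple], threshold: int = 5,
                        window: float = 10.0) -> list:
    """Alert once per burst when more than `threshold` deauth/disassoc frames
    naming one BSSID arrive within `window` seconds. One deauth is normal (an
    AP dropping an idle client); dozens in a few seconds are not."""
    recent = defaultdict(list)
    last_alert = {}
    alerts = []
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        b = f["bssid"]
        times = recent[b]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) > threshold and ts - last_alert.get(b, float("-inf")) > window:
            alerts.append({"bssid": b, "at": ts, "count": len(times),
                           "broadcast": f["da"] == "ff:ff:ff:ff:ff:ff",
                           "reason": f["reason"]})
            last_alert[b] = ts
    return alerts


def sample_traffic() -> list:
    """Constructed capture: one benign deauth, then a burst every 0.1 s."""
    frames = [(0.0, build_mgmt_frame(DEAUTH, CAMERA, AP_BSSID, AP_BSSID, 1, 3))]  # reason 3: STA leaving
    for i in range(30):
        # reason 7, broadcast, source set to the BSSID: the shape of tool-generated floods
        frames.append((60.0 + i * 0.1,
                       build_mgmt_frame(DEAUTH, BROADCAST, AP_BSSID, AP_BSSID, 100 + i, 7)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_traffic()):
        print(alert)
```

    The threshold and window are the tuning knobs: a home access point rarely sends more than a handful of deauthentications per minute, so a low threshold is safe there, while a dense campus network with aggressive band steering needs a higher one to avoid false positives.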

  • 13

    6.0 Conclusion

    Through the research we learned the difference between the different encryption methods of wireless security and focused on what makes WPA2 more secure than WEP. Through our research we were able to learn the flaws of WEP and the evolution of wireless communication. A good and strong Wi-Fi password is a good way to practice cyber hygiene, as well as being aware of the access points you are connecting to. Finally, through our implementation and testing, it was discovered that the vulnerabilities are not only password related, but can also be taken advantage of to remove a client from the network. Though, this is not the end of wireless evolution, as Wi-Fi 3 can bring new adaptations and changes to the space, possibly making the vulnerabilities found no longer viable.

    7.0 References

    Dorsey, B. (2019, January 11). Crack WPA/WPA2 Wi-Fi Routers with Aircrack-ng and Hashcat. Retrieved from hakin9.org: https://hakin9.org/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat/

  • 14

    Kali Tools. (n.d.). Wifite Package Description. Retrieved from Kali Tools: https://tools.kali.org/wireless-attacks/wifite

    Kody. (2018, April 16). Hunting Down & Cracking WEP Networks. Retrieved from Null Byte: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-hunting-down-cracking-wep-networks-0183712/

    lacaskauffman. (2013, August 28). WiFi security: history of insecurities in WEP, WPA and WPA2. Retrieved from Blog Overflow: https://security.blogoverflow.com/2013/08/wifi-security-history-of-insecurities-in-wep-wpa-and-wpa2/

    Lashkari, A., Mansoori, M., & Danesh, A. (2009). Wired Equivalent Privacy (WEP) versus Wi-Fi Protected Access (WPA). International Conference on Signal Processing Systems (pp. 445-449).

    Mitchell, B. (2019, July 09). An Overview of Wireless Protected Access 2 (WPA2). Retrieved from Lifewire: https://www.lifewire.com/what-is-wpa2-818352

    Oliver, J. (2015, December 18). Detect and disconnect WiFi cameras in that AirBnB you’re staying in. Retrieved from Julian Oliver: https://julianoliver.com/output/log_2015-12-18_14-39

    Skerritt, B. (2019, October 14). Forcing a device to disconnect from WiFi using a deauthentication attack. Retrieved from Hacker Noon: https://hackernoon.com/forcing-a-device-to-disconnect-from-wifi-using-a-deauthentication-attack-f664b9940142

    Slater, J. (2019, October 3). A brief history of Wi-Fi security protocols from “oh my, that’s bad” to WPA3. Retrieved from Ars Technica: https://arstechnica.com/gadgets/2019/03/802-eleventy-who-goes-there-wpa3-wi-fi-security-and-what-came-before-it/
