WEP Decryption and Physical Intrusion
Posted by William
I was thinking the other day, "OK, I cracked the WEP key and I can log in to the network, but what about these encrypted
packet captures?" Well, I looked into it and managed to decrypt packet dumps and sniff a WEP network without
associating (assuming I have the WEP key). Also, I have a story on the importance of physical security!
WEP Decryption
Three tested methods exist to decrypt WEP-encrypted packet dumps:
1) the decrypt tool included with AirSnort
2) Ethereal
3) Kismet
decrypt tool
This program decrypts saved packet dumps and can strip the beacons from them for an easier-to-read dump. You can provide the known WEP key, or a file of candidate WEP keys for it to try until one decrypts the traffic.
decrypt -p 1E:A5:A5:6D:28:F5:20:B6:60:23:E2:42:11 -b -m 00:09:5B:FE:80:1C -e encrypted.pcap -d decrypted.pcap
When entering the WEP key, separate the bytes with colons as in the example above. The -b option removes beacons from the packet dump, -m gives the BSSID of the network to decrypt, -e names the encrypted packet dump and -d the desired output file.
Ethereal
Using Ethereal you can (a) decrypt saved packet dumps and (b) decrypt packets on the fly without associating to the wireless network (the card only needs to be in monitor mode and within range). This is the most convenient solution of the three.
Open Ethereal, then select EDIT -> PREFERENCES -> PROTOCOLS -> IEEE 802.11.
Enter your WEP key into the 'WEP key #1' box, set 'WEP key count' to 1, check 'Assume packets have FCS:' and click 'OK'. Packets captured from now on are decrypted, and any capture already loaded is redissected with the key. You can add more WEP keys for Ethereal to try; if you do, increase the 'WEP key count' value to match.
Kismet
Kismet also provides on-the-fly decryption of WEP traffic, like Ethereal. Open the /usr/local/etc/kismet.conf file with an editor and add a wepkey directive, giving the BSSID followed by the key in hex (no colons in the key):
wepkey=00:09:5B:FE:80:1C,1EA5A56D28F520B66023E24211
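All three tools above do the same thing under the hood: take the 24-bit IV that each WEP frame carries in the clear, prepend it to the shared key, run RC4, and check the CRC-32 integrity value (ICV) at the end of the decrypted body to see whether the key was right. The following is an added example, not code from the original post or from AirSnort, Ethereal or Kismet; it reimplements that operation with the post's 104-bit key and a frame body constructed here (encrypted with the same routine) so it runs offline. The try_keys helper mimics the key-file mode of the decrypt tool, where the ICV check is what picks the correct key.

```python
"""Decrypt a WEP-protected 802.11 frame body given the shared key.

Added example (not code from the post or the tools it describes).
The sample frame is constructed below so the script runs offline.
"""
import zlib
from typing import Iterable, Optional

# Same 104-bit key as in the post, as raw bytes. The RC4 seed for each
# frame is IV || key, with the IV sent in the clear, which is why a single
# key unlocks every frame in a capture, past or future.
WEP_KEY = bytes.fromhex("1EA5A56D28F520B66023E24211")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA) XORed over data; encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP body: IV(3) | key-id(1) | RC4(IV||key, plaintext || CRC32(plaintext))."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")  # ICV is sent little-endian
    return iv + b"\x00" + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the plaintext if the ICV verifies, else None (wrong key or corrupt frame)."""
    iv, payload = body[:3], body[4:]  # byte 3 is the key index (0-3), not part of the seed
    decrypted = rc4(iv + key, payload)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def try_keys(keys: Iterable[bytes], body: bytes) -> Optional[bytes]:
    """Mimic 'decrypt -f keyfile': return the first key whose ICV verifies, or None."""
    for k in keys:
        if wep_decrypt(k, body) is not None:
            return k
    return None


# Constructed sample: LLC/SNAP header for ARP (0x0806) followed by a filler payload.
SAMPLE_PLAINTEXT = bytes.fromhex("aaaa030000000806") + b"constructed-wep-payload"
SAMPLE_IV = bytes.fromhex("0a1b2c")
SAMPLE_BODY = wep_encrypt(WEP_KEY, SAMPLE_IV, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("decrypted:", wep_decrypt(WEP_KEY, SAMPLE_BODY))
    print("wrong key:", wep_decrypt(b"\x00" * 13, SAMPLE_BODY))
    print("key found:", try_keys([b"\x00" * 13, WEP_KEY], SAMPLE_BODY).hex())
```

Note that the ICV is a plain CRC-32, not a MAC: it tells you whether a candidate key is right, but an attacker who can flip bits in the ciphertext can adjust the ICV to match, which is one of the reasons WEP offers no real integrity protection.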
Physical Intrusion
Now for the story! Physical security is of utmost importance, and everybody can do it. Names and locations in the story have been changed to prevent public embarrassment and so on.
At work I was asked by my supervisor to test network security in a "new" way without exploiting devices or misconfigurations. I decided on taking a physical approach to it for a change.
It was lunch time and the vending machines were on the way, so I nabbed a quick snack. Off I head toward the IT offices and server room with a chocolate bar in hand and come up to the first obstacle, a door with a card swipe lock. It usually never works; I turn the handle and the door opens! I'm now walking past the IT offices, but all the doors are locked; it seems everybody went out to lunch. It is good they are all out since no one is around, but the doors are locked.
I head toward the IT help desk since it is not an office but more of a receptionist desk near the back of the building. I arrive and the help desk geek is out to lunch also, so I decide to look around. When employees have problems with their laptops, the help desk geek submits a request for repair and stores the laptop in a cabinet until the PC techs can come by to pick them up. Well, I try the cabinet and lo and behold, it's unlocked! About six laptops populate the cabinet, all high-end models. I spot a Sony VAIO with Cisco decals on it and remember that this is the Network Administrator's laptop. Apparently having Cisco decals on your laptop makes you an expert on all things networking.
Anyway, I grab the laptop and go out to lunch with my supervisor with the laptop in hand. We go to lunch at a cafe next to our workplace to be within range of the corporate wireless network. We're both laughing at how we have the network administrator's laptop, and he asks me to see what I can harvest out of it. I turn on the laptop, boot it up with my ERD Commander CD and quickly reset the administrator password. Once reset, I log into Windows XP and start to snoop around. On the desktop there is an icon named "AirMagnet Console". I inform my supervisor of this and he says to attempt to break into it, since here at work it's a high-profile piece of software that is supposed to be well secured. I connect to the corporate network and start up AirMagnet and receive a connect dialog with a list of usernames to choose from. I select the network administrator's account, but as the login procedure starts I receive an error saying the software version is out of date; it then closes the application, opens a browser and requests a username and password to log into the web management console. In the connect dialog the username is visible in plaintext, but the password is in ****** mode and I can't cut and paste the password into the web login.
I remember a feature available in the Cain & Abel program that presents the ****** password in cleartext. I download Cain & Abel, run the decrypt utility and I now have the password. I attempt to reconnect to have the program open the browser, then promptly enter the username and password and I'm in. With the username and password I have complete control of the AirMagnet infrastructure. My supervisor just laughs; we finish up our lunch and head back to work. That same day he has a meeting with the heads of IT, including the network administrator. I can only imagine how many heads will roll for this, considering there is a "zero tolerance" policy regarding security.
That's all for today! Time to start collecting info for the next post.
~William