What is WepLab?

What is WEP?

As Wikipedia says, WEP, Wired Equivalent Privacy, is part of the IEEE 802.11 standard (ratified in September 1999), and is a scheme used to secure wireless networks (WiFi). Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping; WEP was designed to provide comparable confidentiality to a traditional wired network, hence the name. However, several serious weaknesses were identified by cryptographers, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the inherent weaknesses, WEP provides a bare minimal level of security that can deter casual snooping.

Different key lengths are supported in WEP, from 64 bits to 256 bits (typically 64, 128 and 256 bits).
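
How those key sizes are used on each frame, as an added example that is not WepLab's source code: the nominal size includes a 24-bit IV sent in clear, so the shared secret is 5, 13 or 29 bytes, and RC4 is keyed with IV || secret over the data followed by a CRC-32 ICV. The names wep_crypt, wep_seal and wep_open are chosen for this example.

```c
#include <stdint.h>
#include <string.h>
typedef uint8_t u8;
/* RC4: key scheduling (KSA), then XOR buf with the keystream (PRGA). */
static void rc4_xor(const u8 *key, size_t klen, u8 *buf, size_t n) {
    u8 S[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (u8)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}
/* CRC-32 (reflected polynomial 0xEDB88320), which WEP uses as its ICV. */
static uint32_t crc32_icv(const u8 *p, size_t n) {
    uint32_t c = 0xffffffffu;
    while (n--) {
        c ^= *p++;
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* RC4 seed = 3-byte IV || secret (5, 13 or 29 bytes); returns 0 on a bad slen. */
int wep_crypt(const u8 iv[3], const u8 *secret, size_t slen, u8 *buf, size_t n) {
    u8 seed[3 + 29];
    if (slen != 5 && slen != 13 && slen != 29) return 0;
    memcpy(seed, iv, 3); memcpy(seed + 3, secret, slen);
    rc4_xor(seed, 3 + slen, buf, n);
    return 1;
}
/* Sender: append little-endian CRC32(data) to buf (room for n + 4), encrypt. */
size_t wep_seal(const u8 iv[3], const u8 *secret, size_t slen, u8 *buf, size_t n) {
    uint32_t icv = crc32_icv(buf, n);
    for (int b = 0; b < 4; b++) buf[n + b] = (u8)(icv >> (8 * b));
    return wep_crypt(iv, secret, slen, buf, n + 4) ? n + 4 : 0;
}
/* Receiver: decrypt in place, recompute the ICV; 1 only when it matches. */
int wep_open(const u8 iv[3], const u8 *secret, size_t slen, u8 *buf, size_t n) {
    uint32_t icv = 0;
    if (n < 4 || !wep_crypt(iv, secret, slen, buf, n)) return 0;
    for (int b = 0; b < 4; b++) icv |= (uint32_t)buf[n - 4 + b] << (8 * b);
    return icv == crc32_icv(buf, n - 4);
}
```

The keystream depends only on the IV and the secret, so two frames sent with the same IV are encrypted with the same keystream.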

What is WepLab?

WepLab is a tool designed to teach how WEP works, what different vulnerabilities it has, and how they can be used in practice to break a WEP-protected wireless network. WepLab is therefore less a WEP key cracker than a WEP security analyzer designed from an educational point of view. The author has tried to keep the source code as clear as possible, avoiding optimizations that would obfuscate it.

What does WepLab do?

WepLab tries to break the WEP key using several known attacks.

  • Bruteforce: trying to brute force the key. It is also possible to restrict the key space to a small customizable subset, such as 7F:7F:7F..., if you are looking, for example, for a plain ASCII key.
  • Dictionary: by using a dictionary of words or pass phrases and trying each one as the key in plain or MD5 form. Weplab relies on John the Ripper to generate the words, so you can take full advantage of all its options.
  • Statistical attacks: by using the FMS attack and not restricting it to the classic A+3,FF,x form (as most WEP crackers do), but testing all IVs in depth to see whether they are weak, and attacking both the first and the second byte. The latest versions of weplab include the amazing KoreK attacks, which make FMS obsolete. Using these new attacks it is possible to crack a 64-bit key from 100.000 packets and a 128-bit key by using 300.000 packets. Forget everything about interesting or weak packets. KoreK's attacks change everything. And, as far as I know, there is no patched firmware yet!

Documentation

How to install WepLab

Installing and compiling WepLab in GNU/Linux, *BSD or MacOSX is very easy.

Installation steps:

  1. Download WepLab from the Download section.
  2. Uncompress the tarball: tar xzf weplab-0.1.5.tar.gz
  3. Create Makefile: ./configure
    The main requirement of WepLab is the libpcap development files. Many GNU/Linux and *BSD distributions provide standard packages for them.
    For instance, in Debian GNU/Linux it is quite simple: apt-get install libpcap-dev
  4. Compile: make
  5. Install: make install

How to use WepLab

WepLab is a command line tool (there is a beta wxWidgets based front-end here).

There are many uses of the WepLab tool:

  • Capture 802.11 traffic: weplab -c
    It is very important to configure the wireless interface in monitor mode and on the same channel as the WEP-enabled wireless network. Example: weplab -i wlan0 -c file.cap
  • Analyze 802.11 captured traffic file: weplab -a file.cap
  • Crack 802.11 captured traffic file with a brute-force attack: weplab -b file.cap
  • Crack 802.11 captured traffic file with a dictionary attack: cat dictionary | weplab -y file.cap
    It is very useful to combine this kind of attack with the variety of candidate passwords that John the Ripper can generate, for example: john -i -stdout | weplab -y file.cap
  • Crack 802.11 captured traffic file with a statistical attack (FMS, KoreK attacks): weplab -r file.cap

Those uses can be modified by many optional parameters:

  • --debug <debuglevel>: prints debug information.
  • -v, --verbose: increased verbosity.
  • -k, --key {64|128}: specifies a 64-bit (default) or 128-bit key.
  • -i, --interface <interface>: use this interface for capturing packets with --capture.
  • -m, --multiprocess <number>: assume a number of processes. Number must be between 1 and 64. Default is 1.
  • --caplen <length>: maximum length of captured packets with --capture (default 80).
  • --fcs: assume all captured frames have the FCS field.
  • --keyid <id>: analyze only WEP packets with the specified key id. Only for 64-bit keys (default 0).
  • --prismheader: assume all captured frames have the Prism header.
  • --allow_dups: do not control packets with duplicated IVs.
  • --perc <number>: uses this minimum percentage of success when using FMS cracking.
  • --stability: selects level of stability. Another way to specify which attacks, depending on their stability level, will be launched.
  • --debugkey <key>: gives the real WEP key to weplab to gather information about a crack. The key must be in the form AA:BB:CC:DD... and may be incomplete.
  • --attacks <number1,number2,...>: allows you to select which attacks will be used for heuristic mode.
  • --bssid <MAC>: only processes those packets that belong to specified BSSID.
  • -h, --help: displays help and exits.
  • -V, --version: outputs version information and exits.

Examples

Sample pcap files are available for download so you can try them on your system:

FAQ

There are many frequently asked questions, but many of them are answered in other sections of this site. For those which are not answered we have opened this section:

For what platforms and operating systems is WepLab available?

Weplab works under any flavor of Linux for i386 and PPC, MacOSX and Windows NT/2000/XP.

Does WepLab have a logo?

We are proud to announce that we finally have a logo! Alex Key sent us a nice set of proposals, and we've chosen this one:

We hope that you like it! ;-)

Download

There are two main development branches to download:

GNU/Linux, *BSD and MacOS version

The latest stable version of weplab is 0.1.5. Version 0.1.6 is still in development and only concerns weplab/wxWepLab compatibility issues; using it without wxWepLab is not recommended.

Available downloads at sourceforge.net

There is a deb package of weplab 0.1.4 for Debian GNU/Linux users (or other distributions based on Debian, such as Ubuntu).

There is also a Gentoo ebuild of weplab in development and an ebuild of weplab 0.1.3 for Gentoo GNU/Linux users.

Help is needed to create RPM and new DEB packages of WepLab, come and join us! ;-)

Recently we have developed a graphical front-end for weplab called wxweplab, by Pablo Garaizar. You can download it from here: wxweplab-0.1.6-3.tgz

Microsoft Windows version

There is a precompiled executable (which uses cygwin and winpcap) on the SourceForge page. Capturing packets does not work under Windows, but it is still possible to use Airopeek to capture packets and Ethereal to convert Airopeek's files to pcap format.

Available downloads at sourceforge.net

Screenshots

WepLab, console version

They are not very amazing by now. I promise that I'll capture nicer ones O;-)...

wxWepLab, wxWidgets version

This software is still beta, use it with care (and report bugs, it's my first wxWidgets App! ;-D).