Wireless Penetration Testing with OS X

September 14, 2006

Breaking WEP Encryption with KisMAC

There are several different types of wireless encryption mechanisms. The commonly seen schemes are Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA). By looking at the KisMAC information window, we can see that we have one network with WEP encryption enabled. We will use it as our target.

KisMAC Wireless LAN Details

KisMAC has three methods of WEP cracking: Wordlist attacks, Weak Scheduling attacks and Brute Force attacks. In order to use any of these attacks, we must capture enough packets for the attack to work. The easiest and most common way to capture traffic is the de-auth attack. This attack injects de-authentication packets that cause clients to disconnect from the wireless network and re-authenticate. Following a successful de-auth attack, we capture the clients' authentication packets.

De-authenticating clients in KisMAC is extremely easy. From the top of the KisMAC menu, select the main channel of the wireless network – KisMAC | Channel – and select Network | De-authenticate. If KisMAC is successful in its attempt, you should see an increase in the number of injected packets as well as the number of captured packets.

Once enough packets have been captured, we attempt to re-inject several of them in order to capture enough Initialization Vectors (IVs) to crack the key. Select Network | Reinject Packets from the top menu and let KisMAC find a suitable packet. After enough IVs have been captured, we can use KisMAC to perform the Weak Scheduling attack or the Wordlist attack.
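The de-auth step above is also what a wireless IDS looks for. As an added defensive example (not from the original article and not KisMAC's code), the following Python parses raw 802.11 management frames and flags a de-authentication flood per BSSID; the frames, MAC addresses and timestamps are constructed sample data.

```python
import struct
from collections import defaultdict, deque

# Frame Control byte 0: bits 2-3 = frame type, bits 4-7 = subtype.
MGMT_DEAUTH, MGMT_DISASSOC = (0, 12), (0, 10)

def parse_mgmt(frame: bytes):
    """Parse an 802.11 MAC header (no radiotap header, no FCS); returns
    (type, subtype, addr1, addr2, addr3, reason). For frames between a
    station and its AP, addr3 is the BSSID."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    reason = None
    if (ftype, subtype) in (MGMT_DEAUTH, MGMT_DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # little-endian reason code
    return ftype, subtype, mac(4), mac(10), mac(16), reason

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp, raw_frame) in capture order. Emits one
    alert per BSSID once >= threshold deauth/disassoc frames arrive within
    window_s seconds; a few per second is roaming, dozens is injection."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        ftype, subtype, _dst, src, bssid, reason = parse_mgmt(raw)
        if (ftype, subtype) not in (MGMT_DEAUTH, MGMT_DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "src": src, "t": ts, "count": len(q), "reason": reason})
    return alerts

def build_deauth(dst: bytes, src: bytes, bssid: bytes, reason=7) -> bytes:
    """Construct a minimal de-auth frame (sample input only): FC 0xC0 0x00,
    duration, addr1-3, sequence control, 2-byte reason code."""
    return b"\xc0\x00" + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + struct.pack("<H", reason)

def sample_capture():
    """Constructed capture: 20 broadcast deauths spoofed from AP1 within 0.2 s
    (the flood) plus a single ordinary deauth from AP2 (benign)."""
    ap1, ap2, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    frames = [(10.0 + i * 0.01, build_deauth(bcast, ap1, ap1)) for i in range(20)]
    frames.append((12.5, build_deauth(bytes.fromhex("c0ffee000001"), ap2, ap2, reason=3)))
    return frames
```

Running `detect_deauth_flood(sample_capture())` yields one alert for AP1 and none for AP2; on a real capture, feed it frames from the channel you are monitoring after stripping the radiotap header.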

Final Thoughts

KisMAC is probably the most advanced wireless network discovery and attack tool available for OS X. It offers penetration testers point-and-click options for some of the most popular attacks. In addition, it includes features such as packet re-injection and WPA cracking that are more difficult to deploy on other operating systems.
