Hirte Attack
Hirte is a type of attack that aims to crack the WEP key of wireless networks that are not reachable but the client device (laptop, mobile, etc.) is in the area of the attacker. This can be achieved because the WEP key and the configuration details are still stored in the wireless device.
The only requirement for this attack is to setup a fake access point with the same SSID of the WEP network. When the client device will try to connect automatically then ARP packets will be sent from the fake access point (attacker machine) to the device and the other way around which they will contain part of the keystream.
The next step is to configure airodump-ng to capture packets and to write those in a file called Hirte.
As we can see the fake access point appears on the list of the available wireless networks.
The same network will appear and on the victim device.
The victim device will connect automatically on the Wireless Pentest Lab as it is a network that it was connected previously when the genuine Wireless Pentest Lab was in range. The Hirte attack will start and ARP packets will be sent as the device will try to obtain an IP address. However this will not be possible as there is no DHCP server running but the collection of IVs will start.
The final step is to start the aircrack-ng in order to crack the WEP key from the packets that have been captured on the file called Hirte.
As we can see from the image below the WEP key has been cracked for a wireless network that it was not even in the range of the attacker.
The only requirement for this attack is to setup a fake access point with the same SSID of the WEP network. When the client device will try to connect automatically then ARP packets will be sent from the fake access point (attacker machine) to the device and the other way around which they will contain part of the keystream.
Breakdown of the Hirte Attack
- Setup a fake WEP AP and waits for a client to connect
- Upon connection of a client waits for auto-configuration IP address
- Client sends an ARP packet
- Obtain the ARP packet and converts it into an ARP request for the same client
- Client replies
- Collect these packets
- Crack the WEP key
Deployment of Hirte Attack
The first step is to create the WEP access point with the use of the tool airbase-ng. The -c variable defines the channel, the -W sets the encryption bit, mon0 is the interface and the -N enables the Hirte attack mode.The next step is to configure airodump-ng to capture packets and to write those in a file called Hirte.
As we can see the fake access point appears on the list of the available wireless networks.
The same network will appear and on the victim device.
The victim device will connect automatically on the Wireless Pentest Lab as it is a network that it was connected previously when the genuine Wireless Pentest Lab was in range. The Hirte attack will start and ARP packets will be sent as the device will try to obtain an IP address. However this will not be possible as there is no DHCP server running but the collection of IVs will start.
The final step is to start the aircrack-ng in order to crack the WEP key from the packets that have been captured on the file called Hirte.
As we can see from the image below the WEP key has been cracked for a wireless network that it was not even in the range of the attacker.
Conclusion
As we saw with the Hirte attack someone is able to crack the WEP wireless key from a network just by exploiting a roaming client and without attacking the access point at all. This happened because the wireless configuration including the WEP key was stored on the device and client had the option to connect automatically to this wireless network when it was found in range. In a summary this attack uses the following principles:- It is a fragmentation attack
- Targets isolated clients
- Collects ARP packets that contain the WEP key