Let's look at the most basic case of cracking a WEP key. To do this, we will set the Wi-Fi card in monitor mode. After this, we will run the command airodump-ng wlan0, where wlan0 is the interface, to see all of the networks within our Wi-Fi range, and then we will target one of those networks. The following output will be displayed after executing this command:
While the security behind WEP networks was broken in 2005, modern tools have made cracking them incredibly simple. In densely populated areas, WEP networks can be found in surprising and important places to this day, and they can be cracked in a matter of minutes. We'll show you how a hacker would do so and explain why they should be careful to avoid hacking into a honeypot.
WEP cracking is often one of the first wireless attacks a hacker learns: WEP networks in your area can be tracked down with only a few software tools and cracked with a network adapter that supports packet injection. While WEP cracking has always been relatively straightforward, the simplicity with which such networks can be found and broken in 2018 brings it firmly within the abilities of even the most novice of hackers.
Another thing you should consider is that you will very likely not be the first person to crack that WEP network. Depending on the intentions of the person who got there first, the network could be doing anything from stealing credentials to providing a VPN endpoint for very bad stuff. Because you don't know what could be going on, be very cautious about connecting to networks that could be used for nefarious purposes. If WEP is implemented in a business, cracking WEP is often the first line of attack for a pentester to quickly embarrass their client.
To try to crack the WEP network for the information you've gathered, you'll need to call Aircrack-ng with the location of the .cap file as the argument. This is pretty easy since Besside-ng usually stores WEP.cap in the root folder. That means running the command to try cracking the network is usually as seen below.
There you have it: it only takes a few minutes to break into a WEP network using modern tools like Airodump-ng and Besside-ng in conjunction with an appropriate wireless network adapter. Since WEP cracking is a staple of Wi-Fi hacking, I wanted to be sure we covered it in our intro to Wi-Fi hacking series. Hopefully, you now have an understanding of what WEP is, why it's vulnerable, and how to go about actually cracking it.
I hope you enjoyed this guide to hacking WEP Wi-Fi networks! If you have any questions about this tutorial or WEP cracking, feel free to leave a comment or reach me on Twitter @KodyKinzie. We'll be doing more in our Wi-Fi hacking series, so stay tuned.
The flaws in WEP make it susceptible to various statistical cracking techniques. WEP uses RC4 for encryption, and RC4 requires that the initialization vectors (IVs) be random. The implementation of RC4 in WEP repeats that IV about every 6,000 frames. If we can capture enough of the IVs, we can decipher the key!
I found I have that problem when cracking WEP on my ASUS RT-10, but when I create one wifi VLAN with WEP encryption on my Linksys E2000 (with dd-wrt fw) I am able to rapidly increase Data packets - but I do not know why.
Our original WEP-cracking series appeared over two years ago and is still among the most popular articles on SmallNetBuilder. But to anyone trying to use the articles, it quickly becomes apparent that they were out of date and in desperate need of updating. That said, the originals still contain a lot of very relevant information, so we suggest you read at least Part 1 before you start, as it contains some helpful background information.
Tim first tried the Intel PRO/Wireless 2915ABG mini-PCI adapter embedded in one of his notebooks. It was recognized by BT2 and was able to be put into monitor mode for packet capture and could even inject packets for the ARP replay attack used to generate traffic. But it was able to capture packets only at a very low rate, true to the note in the above Aircrack hardware compatibility page. The upshot was that WEP cracking was possible, but way too slow, especially for WEP 128.
All of the above tricks came from the aircrack-ng Usage Tips: General approach to cracking WEP keys section, which you definitely should visit if you find yourself unable to crack a key even having the suggested number of IVs.
The aircrack-ng suite has had a couple of very beneficial releases since BackTrack came out. The most important is the addition of the PTW WEP cracking method, which requires significantly fewer captured IVs. You can see our impressive results here.
Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as well.
One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatibility list.
WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.
Additional Notes: Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good-sized wordlist should be 20+ megabytes; cracking a strong passphrase will take hours and is CPU intensive.
1. Is your adapter properly set in monitor mode?
2. Does the adapter driver support injection (is aireplay-ng working)?
3. Do you have to spoof your MAC address (if AP limits MACs, change both physical and virtual monitor interface)?
4. Do you have a good signal to the AP?
5. Do you see associated clients (for WPA handshake capture)?
6. Do you see WPS pin count incrementing (Reaver WPA cracking)?
7. Does the target AP support WPS and is it enabled (for WPS attacks, check with the "wash" command)?
As demonstrated above, WEP cracking has become increasingly easier over the years, and what used to take hundreds of thousands of packets and days of capturing data can be accomplished today within 15 minutes with a mere 20k data frames. Simply put, cracking WEP is trivial.
Efforts to crack WEP encryption have been around and even publicly discussed since the inception of the WEP protocol, and this page brings you information about how to discover and calculate a WEP key from network traffic. This introduction to WEP cracking may be useful to anyone who intends to investigate network security.
Cracking WEP itself is relatively easy and can take anywhere from as little as a few minutes to a few hours (depends on the amount of network traffic, connection quality, etc.). Setting up your equipment so that it does what it needs to do can take weeks (depends on what you have and what you already know). Before you proceed to WEP cracking, read our first page of this "tutorial" which can provide an idea about setting your computer and also about the legality of WEP cracking.
We have tested WEP cracking with two network adapters: the Intel PRO/Wireless 3945ABG with the ipwraw-ng-2.3.4 driver and, alternatively, the TP-LINK TL-WN321G network adapter dongle with the rt73-k2wrlz-3.0.1 driver. The Intel adapter is referenced as wlan0 (wifi0), and the TP-LINK adapter is referenced as rausb0. You can find the name of your network adapter by executing the iwconfig command.
where -z invokes the PTW WEP-cracking method, -b selects the access point we are interested in, wepdump*.ivs selects all files starting with "wepdump" and ending in ".ivs" (these come from your airodump-ng command earlier), -a denotes the FMS/KoreK attack, and -n selects the type of WEP key (128-bit in our case). These commands calculate the WEP key from the captured initialization vectors. This is what the output looks like:
Cracking WEP is fast and easy with commonly available Windows- or Linux-based tools. The length of the WEP key, 40- or 104-bit, is practically irrelevant, and with the software tools currently available, any novice can crack WEP in minutes given enough captured data. With users being added to the WLAN every day in most enterprises and the amount of data going over the WLAN growing exponentially, capturing enough data to crack WEP is often simple.

The moral of the story with WEP is simply that it should never be used when stronger authentication and encryption mechanisms are available. Cracking WPA/WPA2-Personal (which uses a passphrase) is a much more difficult task than cracking WEP, but it still isn't an overwhelming task. Given the right dictionary file(s) and the latest versions of WPA cracking tools, cracking WPA/WPA2-Personal can happen in a short time if a very strong passphrase isn't used by the network administrator. The Wi-Fi Alliance suggests at least 20 characters with lower case, upper case, numbers, and special characters and use of WPA2 over WPA whenever possible.

Tools such as Aircrack-ng can be easily used both for cracking WEP and WPA/WPA2-Passphrase. Since Aircrack-ng is available for Windows, it gives the ability to do sophisticated hacking to a novice. Use of WPA/WPA2-Personal should be limited to small installations such as SOHO - hence the name "Personal" - or very specific scenarios in SMB installations (like VoWLAN phones). When WPA/WPA2-Personal is used, it is best for only the network administrator to have the passphrase. He/she would enter it into every laptop, VoWLAN phone, handheld PC, or other wireless device manually without giving it to the user. Of course this is not scalable, but it's more secure than having 5-50 users knowing the passphrase.

More secure alternatives to static WPA/WPA2-Personal passphrases have been developed, such as Ruckus Wireless's Dynamic PSK solution.
More information on this solution can be found here: -dynamic-psk.pdf If you just can't bring yourself to make a strong passphrase, there are tools just for this purpose, such as Juniper's PassAmp utility (a free download) and the website: Having tools like these will help you get past the mental block of creating such strong passphrases.