Simple Wep Crack (Aircrack-Ng)
Introduction
This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic
skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers
already patched for injection.
For a start to finish newbie guide, see the Linux Newbie Guide. Although this tutorial does not cover all
the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP
key plus explain the reason and background of each step. For more information on installing
aircrack-ng, see Installing Aircrack-ng and for installing drivers see Installing Drivers.
It is recommended that you experiment with your home wireless access point to get familiar with these
ideas and techniques. If you do not own a particular access point, please remember to get permission
from the owner prior to playing with it.
I would like to acknowledge and thank the Aircrack-ng team [http://trac.aircrack-ng.org/wiki/Team] for
producing such a great robust tool.
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and
tips are especially welcome.
Assumptions
First, this solution assumes:
You are using drivers patched for injection. Use the injection test to confirm your card can inject
prior to proceeding.
You are physically close enough to send and receive access point packets. Remember that just
because you can receive packets from the access point does not mean you will be able to
transmit packets to the AP. The wireless card strength is typically less than the AP strength. So
you have to be physically close enough for your transmitted packets to reach and be received by
the AP. You should confirm that you can communicate with the specific AP by following these
instructions.
There is at least one wired or wireless client connected to the network and they are active. The
reason is that this tutorial depends on receiving at least one ARP request packet and if there are
no active clients then there will never be any ARP request packets.
You are using v0.9 of aircrack-ng. If you use a different version then some of the command
options may have to be changed.
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the
examples below, you will need to change “ath0” to the interface name which is specific to your wireless
card.
Equipment used
In this tutorial, here is what was used:
You should gather the equivalent information for the network you will be working on. Then just change
the values in the examples below to the specific network.
Solution
Solution Overview
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal
network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you
can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving
them. Since none of us are patient, we use a technique called injection to speed up the process.
Injection involves having the access point (AP) resend selected packets over and over very rapidly. This
allows us to capture a large number of IVs in a short period of time.
Once we have captured a large number of IVs, we can use them to determine the WEP key.
Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this:
lo no wireless extensions.
If there are any remaining athX interfaces, then stop each one. When you are finished, run “iwconfig”
to ensure there are none left.
Now, enter the following command to start the wireless card on channel 9 in monitor mode:
Substitute the channel number that your AP runs on for “9” in the command above. This is important.
You must have your wireless card locked to the AP channel for the following steps in this tutorial to
work correctly.
Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the
madwifi-ng drivers are being used. For other drivers, use the wireless interface name. Examples:
“wlan0” or “rausb0”.
You will notice that “ath0” is reported above as being put into monitor mode.
lo no wireless extensions.
In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is
channel 9 and the Access Point shows the MAC address of your wireless card. Please note that only the
madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So
everything is good. It is important to confirm all this information prior to proceeding, otherwise the
following steps will not work properly.
Enter:
Where:
09:23:37 Found 1 AP
The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you
are too far away from the AP or too close. If it is zero then injection is not working and you need to
patch your drivers or use different drivers.
Open another console session to capture the generated IVs. Then enter:
Where:
While the injection is taking place (later), the screen will look similar to this:
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
The lack of association with the access point is the single biggest reason why injection fails. Remember
the golden rule: The MAC you use for injection must be associated with the AP by either using fake
authentication or using a MAC from an already-associated client.
Where:
Where:
6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive packets to be
sent.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.
Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed to the
next step until you have the fake authentication running correctly.
Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and
connect. If this is the case, you will not be able to successfully do fake authentication unless you
know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the
following command while trying to do fake authentication. Start another session and…
Run: tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:<MAC address of your
card>|Authentication|ssoc)"
If at any time you wish to confirm you are properly associated, use tcpdump and look at the
packets. Start another session and…
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are
not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: “tcpdump -n -e -s0 -vvv
-i ath0 | grep -i DeAuth”. You may need to tweak the phrase “DeAuth” to pick out the exact packets
you want.
It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to
inject it. On your home network, here is an easy way to generate an ARP request: On a wired PC, ping
a non-existent IP on your home LAN.
Here is what the screen looks like when ARP requests are being injected:
You can confirm that you are injecting by checking your airodump-ng screen. The data packets should
be increasing rapidly. The “#/s” should be a decent number. However, decent depends on a large
variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second
and as high as 500/second.
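From the monitoring side, the injection rate described above is itself a detection signal: one station sending hundreds of same-length frames per second. The sketch below is an added example, not part of the original tutorial or of aircrack-ng; the record format, function names, client MAC, frame lengths and sample frames are constructed for illustration, and the 100 frames/second threshold is taken from the low end of the range quoted above.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed frame records (timestamp_s, source_mac, frame_len) for one BSSID."""
    frames = []
    # Ordinary client (constructed MAC): about 20 frames/s with varied lengths.
    for i in range(60):
        frames.append((i / 20.0, "00:11:22:33:44:55", 80 + (i * 37) % 900))
    # Replay-like source: 350 frames/s, every frame the same (constructed) length.
    for i in range(1050):
        frames.append((i / 350.0, "00:0f:b5:88:ac:82", 68))
    return frames

def find_replay_sources(frames, rate_threshold=100, same_len_ratio=0.9):
    """Flag sources whose busiest one-second window reaches rate_threshold
    and whose frames are almost all one length, as replayed frames are.
    Returns {mac: (peak_frames_per_second, dominant_length_ratio)}."""
    per_second = defaultdict(Counter)  # mac -> {whole second: frame count}
    lengths = defaultdict(Counter)     # mac -> {frame length: frame count}
    for ts, mac, length in frames:
        per_second[mac][int(ts)] += 1
        lengths[mac][length] += 1
    alerts = {}
    for mac, buckets in per_second.items():
        peak = max(buckets.values())
        total = sum(lengths[mac].values())
        ratio = lengths[mac].most_common(1)[0][1] / total
        # Rate alone would also flag bulk transfers; requiring a single
        # dominant frame length keeps ordinary heavy traffic out.
        if peak >= rate_threshold and ratio >= same_len_ratio:
            alerts[mac] = (peak, round(ratio, 2))
    return alerts

if __name__ == "__main__":
    for mac, (peak, ratio) in find_replay_sources(build_sample()).items():
        print(f"possible replay flood from {mac}: {peak} frames/s, "
              f"{ratio:.0%} of frames share one length")
```

On a WEP network an alert like this is a reason to move the network to WPA2 or WPA3, since the traffic pattern only matters because WEP leaks key material with every IV.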
Troubleshooting Tips
If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac
associated?”, this means you have lost association with the AP. All your injected packets will be
ignored. You must return to the fake authentication step (Step 3) and successfully associate
with the AP.
Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking
process. If this is the case, then you can include “-n 64” to limit the checking of keys to 64 bits.
Two methods will be shown. It is recommended you try both for learning purposes. By trying both
methods, you will see how quickly the PTW method determines the WEP key compared to the
FMS/KoreK method. As a reminder, the PTW method only works successfully with ARP request/reply
packets. Since this tutorial covers injecting ARP request packets, you can properly use this method. The
other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the “--ivs”
option.
Where:
To also use the FMS/KoreK method, start another console session and enter:
Where:
-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since
when we originally captured the data, we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with “output” and ending in “.cap”.
If you are using 1.0-rc1, add the option “-K” for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)
You can run this while generating packets. In a short time, the WEP key will be calculated and
presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If
you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to
85,000 packets for 128 bit. These are very approximate and there are many variables as to how many
IVs you actually need to crack the WEP key.
Aircrack-ng 0.9
KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)
Notice that in this case it took far less than the estimated 250,000 IVs to crack the key. (For this
example, the FMS/KoreK attack was used.)
General Troubleshooting
Be sure to read all the documentation on the Wiki for the various commands used in this
tutorial.
See Tutorial: I am injecting but the IVs don't increase