How to: Crack a WI-FI WEP network
This guide presents a method for obtaining the WEP key of a WiFi network using aircrack-ng. It aims to warn about the weaknesses of WEP encryption and to provide practice in penetration testing such networks.
- A compatible wireless adapter
- Kali Linux, or another distribution with aircrack-ng installed
- A nearby WEP-secured WI-FI network
Monitor mode on the network interface:
We will start by putting our wifi card into monitor mode in order to listen to the surrounding wifi networks.
First of all, we need to identify our wifi interface. To do so, type the following command:
In this case, our interface is called wlan0. Then we will switch our wifi card to monitor mode with this command:
# airmon-ng start wlan0
The console output tells us: monitor mode enabled on mon0, so from here on we must use mon0 as the interface. Usually the default interface is wlan0mon.
Detection of nearby WEP networks
We will now launch airodump-ng, the program used to monitor wifi networks. Here is how it is used:
# airodump-ng <option> <interface>
<option> is the options you want to use for this command
<interface> is our wifi interface, in this case: mon0
Airodump-ng offers a multitude of options and filters to target what you want to monitor:
-w creates a capture file in which all packets will be saved.
Example: airodump-ng -w out wlan0 (a capture file named out is created; the first file will be called out-01.cap, the 2nd out-02.cap, etc.)
--encrypt filters the networks according to the type of encryption used.
Example: airodump-ng --encrypt wep wlan0 (only WEP networks will be displayed)
-c restricts listening to a particular wifi channel.
Example: airodump-ng -c 1 wlan0 (airodump-ng will only listen to channel 1)
--bssid targets a single access point according to its MAC address.
Example: airodump-ng --bssid 00:16:41:C9:E0:3F wlan0 (airodump-ng will only monitor the access point whose MAC address is 00:16:41:C9:E0:3F)
Here, we will monitor networks encrypted with WEP. The command to use is:
# airodump-ng --encrypt wep mon0
Let's detail a bit what we get:
BSSID is the MAC address of the access point
CH is the transmission channel of the access point
ENC is the type of encryption. Here we only display networks encrypted with WEP
ESSID is the name of the access point
STATION is the MAC address of a computer connected to the network
The network whose ESSID is RoXXX will be our target for this tutorial.
Under airodump-ng, the access points are displayed at the top and the stations (connected computers) are displayed at the bottom. Here, we can see that a computer is connected to the RoXXXX network whose MAC address is XX:XX:XX:XX:XX:A4. Three stations are connected to a WEP-encrypted network, so the conditions are met to crack the network. We stop airodump-ng by pressing Ctrl + C in the shell (console) and restart it, creating a capture file and targeting the RoXXXX network:
# airodump-ng -w out mon0
By browsing the folder from which we launched airodump-ng, we can see the 2 files created: out-01.cap (the capture file containing the packets) and out-01.txt (a log file containing all the information about ESSIDs, MAC addresses of access points, stations, etc. contained in the capture file).
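The same survey data can be used for an inventory audit: checking which of your own access points still advertise WEP and how many clients depend on them. The following is an added example, not part of the original guide; it assumes the comma-separated log layout that current airodump-ng releases write next to the capture file, and the sample log, BSSIDs and the audit_wep function name are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the assumed airodump-ng CSV log layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:AA:AA:AA:AA:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP , WEP,    , -40, 120, 0,   0.  0.  0.  0,  9, office-ap,
AA:AA:AA:AA:AA:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -50, 110, 0,   0.  0.  0.  0,  8, guest-ap,
AA:AA:AA:AA:AA:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP,    , -70,  90, 0,   0.  0.  0.  0,  8, not-ours,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
BB:BB:BB:BB:BB:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -45, 300, AA:AA:AA:AA:AA:01,
BB:BB:BB:BB:BB:02, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -48, 120, AA:AA:AA:AA:AA:01,
BB:BB:BB:BB:BB:03, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60,  10, (not associated),
"""

def audit_wep(csv_text, owned_bssids):
    """Return the owned access points whose Privacy column contains WEP,
    with the number of stations currently associated to each."""
    owned = {b.upper() for b in owned_bssids}
    aps, clients, section = {}, Counter(), None
    for row in csv.reader(io.StringIO(csv_text)):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue                      # blank separator line
        if row[0] == "BSSID":             # header of the access point table
            section = "ap"
        elif row[0] == "Station MAC":     # header of the station table
            section = "sta"
        elif section == "ap" and len(row) >= 14:
            aps[row[0].upper()] = {"essid": row[13], "channel": row[3],
                                   "privacy": row[5]}
        elif section == "sta" and len(row) >= 6:
            clients[row[5].upper()] += 1  # column 5 = BSSID the station uses
    return [{"bssid": bssid, **info, "clients": clients[bssid]}
            for bssid, info in sorted(aps.items())
            if bssid in owned and "WEP" in info["privacy"].split()]

if __name__ == "__main__":
    inventory = {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"}  # constructed inventory
    for finding in audit_wep(SAMPLE_CSV, inventory):
        print("still on WEP:", finding)
```

Every access point this reports should be moved to WPA2 or WPA3; the client count shows how many devices need to be reconfigured at the same time.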
Fake authentication with Aireplay-ng
We will use aireplay-ng to check whether we can associate with the access point. Here, the conditions are optimal for cracking: the signal is excellent and a client is connected to the access point. If the signal were not so good, we might have trouble associating with the access point. It is wise to try an association before embarking on packet injection. This makes it possible to see whether the connectivity is good, and it can also reveal whether an access point uses MAC address filtering.
Some boxes only allow association by clients that are on their list of authorized clients. To summarize, if you do not have a valid MAC address you will not be able to communicate with the access point, which will make the crack and the connection impossible. Be aware that MAC filtering is enabled by default on Liveboxes, but it is disabled by default on Tecom routers (Club Internet). Knowing the default settings of these boxes often lets you know in advance whether MAC filtering is enabled or not.
The command to associate with the access point is aireplay-ng.
The different attacks of aireplay-ng are:
--deauth count: deauthenticate 1 or all stations (-0)
--fakeauth delay: fake authentication with AP (-1)
--interactive: interactive frame selection (-2)
--arpreplay: standard ARP-request replay (-3)
--chopchop: decrypt / chopchop WEP packet (-4)
--fragment: generate valid keystream (-5)
--caffe-latte: query to client for new IVs (-6)
--cfrag: fragments against a client (-7)
--test: injection and quality tests (-9)
Our command for the fakeauth attack (association & authentication) will be:
# aireplay-ng -1 0 -e RoXXX -a XX:XX:XX:XX:XX:A4 -b XX:XX:XX:XX:XX:A4 -h XX:XX:XX:XX:XX:77 mon0
RoXXX: ESSID (name of the wifi network)
XX:XX:XX:XX:XX:A4: MAC address of the access point
XX:XX:XX:XX:XX:77: MAC address of the client ("station" under airodump-ng)
mon0: our wifi interface
We can see that before sending the association packets to the access point, aireplay-ng replaced the MAC address of our WIFI card with the one specified in the -h parameter (that of the station) so that we can communicate with the access point. The association was immediate; the message "association successful" confirms the success of the operation.
Aireplay-ng -3, packet injection attack
We will now launch the aireplay-ng -3 attack (packet injection attack).
Older versions of the aircrack-ng suite needed 1 million IVs to crack a WEP key; between capture, injection and cracking, it often took a long time to crack the network. The current version of the aircrack-ng suite uses the "PTW" algorithm to crack a 128-bit WEP network with just 45,000 DATAs. However, the PTW algorithm does not use the IVs, but the ARPs for the crack. This is why the ARP replay attack is the fastest and most powerful solution for cracking a WEP key.
Our command for the standard ARP-request replay (ARP replay) will be:
# aireplay-ng -3 -e RoXXX -a XX:XX:XX:XX:XX:A4 -b XX:XX:XX:XX:XX:A4 -x 600 -r out-01.cap mon0
-x 600: number of packets per second that will be injected (to be adjusted according to the quality of the wifi signal)
Once the attack is launched, we can see below the number of ARP requests contained in our capture file. From 40000 ARP requests, it is possible to crack a 128-bit WEP key.
The ARP requests are also saved in a file called replay-arp-date-time.cap. We can see that aireplay-ng has created this file:
Let's go back to our airodump-ng shell to see what's going on. We can see the effects of our attack:
-The "Data" column increases, which means that the capture file contains IVs.
-The "# / s" column indicates 254, which means that we capture 254 data packets per second.
A few minutes of patience are needed. Once the DATAs and ARPs start to reach an interesting number (ARP 10000 for a 64-bit WEP key, ARP 40,000 for a 128-bit WEP key) we can open a new shell and try to crack the WEP key of the network with aircrack-ng.
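On the monitoring side, an ARP replay is noisy: the injecting station resends one captured encrypted frame unchanged, so the same IV and frame length recur hundreds of times per second, whereas a normal WEP client uses a new IV for each frame. The following is an added example of that detection logic, not part of the original guide; the record format, MAC addresses, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_arp_replay(frames, window_s=1.0, min_repeats=50):
    """frames: iterable of (timestamp_s, src_mac, dst_mac, length, iv_hex)
    taken from WEP data frames seen by a monitoring sensor.
    Flags a station that sends the same broadcast frame (same IV and length)
    at least min_repeats times within any window of window_s seconds."""
    buckets = defaultdict(list)
    for ts, src, dst, length, iv in frames:
        if dst == BROADCAST:              # ARP requests are broadcast
            buckets[(src, iv, length)].append(ts)
    alerts = []
    for (src, iv, length), stamps in buckets.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):    # sliding window over timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:
            alerts.append({"station": src, "iv": iv, "length": length,
                           "peak_per_window": peak})
    return sorted(alerts, key=lambda a: -a["peak_per_window"])

def build_sample():
    """Constructed records, not a real capture."""
    frames = []
    # Ordinary client: 40 broadcast frames in 2 s, a fresh IV every time.
    for i in range(40):
        frames.append((i * 0.05, "aa:aa:aa:aa:aa:01", BROADCAST, 68, f"{i:06x}"))
    # Replaying station: one frame resent 600 times per second for 2 s,
    # matching the -x 600 rate used in the command above.
    for i in range(1200):
        frames.append((i / 600, "aa:aa:aa:aa:aa:02", BROADCAST, 68, "0a1b2c"))
    return frames

if __name__ == "__main__":
    for alert in detect_arp_replay(build_sample()):
        print("possible ARP replay:", alert)
```

The spike in the "# / s" column described above is the same signal seen from the other side, so a sudden jump in per-station data rate on a WEP network is worth alerting on as well.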
Aircrack-ng: crack the WEP key
We now come to the last part of this tutorial and surely the most interesting: crack the WEP key!
For that we will use aircrack-ng. Here is how this command is used:
aircrack-ng [options] <.cap / .ivs file (s)>
Here we will not use options, we will just provide the capture file. The command to use is as follows:
# aircrack-ng out-01.cap
Wait a few minutes and the result should appear:
Congratulations, you managed to crack a WEP key!