It’s occurred to me that many folks understand WEP is easy to break, but don’t know all the steps or just how easy it is. Here I hope to lay down the basic steps in one coherent post, demonstrating how to crack into a wireless network using WEP that has a client attached to it.
Like always… only do this against your own networks. The legal grounds are a bit grey here, but the ethical grounds are clear – you shouldn’t pick your neighbor’s door lock. Being a security professional also comes with the responsibility to use your skills for good, not evil.
Step 0: get the software.
I assume you’re using Linux. These tools do work on OS X but require a bit of tweaking, I think, and I haven’t done it myself, so I’ll just write up Linux. You can use a Linux VM, but wireless card support is a bit flakier unless you’re using a USB card.
Basically you will only need two packages: kismet and aircrack-ng.
So:
apt-get install kismet
apt-get install aircrack-ng
Step 1: Find a WEP network
Kismet is an amazingly powerful scanning tool and I could write much more about it than we need here. It takes advantage of a feature of wireless cards called “monitor mode”, which basically listens passively for network traffic and analyzes what it hears into a nice list. It can do all sorts of other neat stuff, like GPS logging, but that’s not totally necessary here.
If you don’t know it, you’ll need the interface name for your wireless card. Check it by typing:
iwconfig
Then just launch kismet (type ‘kismet’) and it will prompt you for your WLAN card. It will try to put it into monitor mode and is usually successful, even with built-in wireless. If not, there’s some troubleshooting to be done….
Assuming it works, it will give you a list of networks it sees. It ‘hops’ channels by switching the frequency the card is listening on and collecting traffic on each one. If there’s a WEP network in sight, kismet will highlight it in red, and you will need to pay attention to four things:
- Its BSSID – effectively the MAC address of the access point
- The ESSID – the ‘friendly name’ of the network
- The MAC address of a client that is attached to it.
- The channel the AP is broadcasting on
Kismet has a column that shows the amount of traffic it sees for both the AP overall and each client. You want to target one with a client attached that is passing data… they’re the easiest targets.
An alternate path to WLAN monitor mode:
If kismet has a hard time putting your card into monitor mode, try running ‘airmon-ng start <interfacename>’ and it should attempt to do so. If that still doesn’t work…. investigate getting a new card. The Alfa AWUS036H is an excellent USB choice.
Step 2: prepare to attack
If it’s not set up yet, enable monitor mode:
airmon-ng start <interfacename>
Begin a dump session – this logs traffic, sort of like a lightweight Wireshark. You want to filter it to only the transactions we’re interested in:
airodump-ng --channel <c> --bssid <xx:xx:xx:xx:xx:xx> --write <fileprefixname> <interfacename>
where c: the broadcast channel of the network
xx: BSSID of the network
<interfacename> – self explanatory (e.g. wlan0mon)
Keep this running and launch a new window for the next steps.
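The --write prefix produces a <fileprefixname>.csv next to the .cap, with one table of access points and one of stations. Seen from the other side of the fence, that same file is a handy inventory for auditing your own estate: which APs are still on WEP, and which clients are still attached to them (and so need attention when you move the network to WPA2). The parser below is an added example of mine, not code from the original post or from the aircrack-ng project; the CSV rows embedded in it are constructed, and the MAC addresses and times are made up.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample of the <prefix>.csv that airodump-ng --write produces:
# an access-point table, a blank line, then a station (client) table.
# All addresses, times and names here are invented for the example.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-03-01 10:00:00, 2011-03-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,      120,     1500,   0.  0.  0.  0,   7, LabWEP1, 
00:11:22:33:44:66, 2011-03-01 10:00:00, 2011-03-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,       90,        0,   0.  0.  0.  0,   6, Office, 
00:11:22:33:44:77, 2011-03-01 10:00:01, 2011-03-01 10:05:00,  1,  54, WEP , WEP, SKA, -70,       60,       12,   0.  0.  0.  0,   8, Printers, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2011-03-01 10:00:02, 2011-03-01 10:05:00, -50,      800, 00:11:22:33:44:55, LabWEP1
AA:BB:CC:DD:EE:02, 2011-03-01 10:00:03, 2011-03-01 10:05:00, -60,        5, 00:11:22:33:44:55, 
AA:BB:CC:DD:EE:03, 2011-03-01 10:00:04, 2011-03-01 10:05:00, -65,      300, 00:11:22:33:44:66, Office
AA:BB:CC:DD:EE:04, 2011-03-01 10:00:05, 2011-03-01 10:05:00, -80,       40, (not associated), LabWEP1,Office
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str          # Privacy column: WEP, WPA, WPA2, OPN, ...
    essid: str
    ivs: int              # "# IV" column: encrypted data frames seen so far
    clients: list = field(default_factory=list)   # (station MAC, packets)


def parse_airodump_csv(text):
    """Parse an airodump-ng CSV dump.

    Returns (aps, stations): aps maps BSSID -> AccessPoint, stations is a list
    of (station MAC, associated BSSID, packets). The two tables are told apart
    by their header rows, so the blank separator line is not relied upon.
    """
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        head = row[0].strip()
        if head == "BSSID":
            section = "ap"
            continue
        if head == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[head] = AccessPoint(
                bssid=head,
                channel=int(row[3]),
                privacy=row[5].strip(),
                essid=row[13].strip(),
                ivs=int(row[10]),
            )
        elif section == "sta" and len(row) >= 6:
            stations.append((head, row[5].strip(), int(row[4])))
    for mac, bssid, packets in stations:
        if bssid in aps:                      # skips "(not associated)" rows
            aps[bssid].clients.append((mac, packets))
    return aps, stations


def wep_report(aps):
    """Networks still on WEP, most urgent first: attached clients passing
    traffic and a climbing IV count are exactly what makes a WEP network
    trivially recoverable, so those should be migrated before the quiet ones."""
    wep = [ap for ap in aps.values() if ap.privacy.startswith("WEP")]
    wep.sort(key=lambda ap: (len(ap.clients), ap.ivs), reverse=True)
    return [
        {"bssid": ap.bssid, "essid": ap.essid, "channel": ap.channel,
         "clients": len(ap.clients), "ivs": ap.ivs}
        for ap in wep
    ]


if __name__ == "__main__":
    access_points, _ = parse_airodump_csv(SAMPLE_CSV)
    for entry in wep_report(access_points):
        print("still on WEP:", entry)
```

Point it at the real <fileprefixname>.csv by reading the file into `parse_airodump_csv` instead of `SAMPLE_CSV`; the station table is what tells you which devices will lose connectivity when a WEP SSID is retired.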
Step 3: do an ARP replay attack
This essentially looks for an ARP request from the attached client and replays it many, many times, enough to create a data set large enough to mount a cryptographic attack against WEP.
aireplay-ng --arpreplay -h <xx:xx:xx:xx:xx:xx> -b <yy:yy:yy:yy:yy:yy> <interfacename>
where xx: the MAC address of the client
yy: BSSID of the network
<interfacename> – self explanatory (e.g. wlan0mon)
Once this has started, check out the other window. You should see the data packets starting to increase rapidly. When you’re at about 40k data packets there is enough to crack a 104-bit WEP key. The more the better, but no harm in starting early…
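This step is also the noisiest part of the whole process from a wireless IDS point of view, so here is the defender’s counterpart as an added example (my own code, not from the post or from the aircrack-ng suite). The replayed frame is re-sent unchanged, which means one client MAC keeps transmitting a data frame carrying the same 24-bit WEP IV, hundreds of times a second. A legitimate station does not repeat an IV that fast, so “same source, same IV, many times within one second” is a simple and reliable signature. The log format the detector reads is invented for this example (it is not any real tool’s output), and the traffic in it is constructed: two seconds of ordinary frames with fresh IVs, then a burst in which a single IV repeats.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example (not a real tool's output):
# "<epoch seconds> DATA src=<mac> bssid=<mac> iv=<6 hex digits> len=<bytes>"
FRAME_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) DATA src=(?P<src>[0-9a-f:]{17}) "
    r"bssid=(?P<bssid>[0-9a-f:]{17}) iv=(?P<iv>[0-9a-f]{6}) len=(?P<len>\d+)$",
    re.IGNORECASE,
)


def build_sample_log():
    """Constructed traffic from one client to one AP (addresses are made up):
    2 s of normal WEP data frames, each with a fresh IV, at 10 frames/s, then a
    quarter-second burst of 50 identical 68-byte frames all carrying IV 3a9f01,
    which is what a replay of one captured ARP request looks like on the air."""
    client, ap = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55"
    lines = []
    t = 1300000000.0
    for i in range(20):     # normal: IV changes on every frame
        lines.append(f"{t + i * 0.1:.3f} DATA src={client} bssid={ap} "
                     f"iv={0x1000 + i:06x} len=120")
    t += 2.0
    for i in range(50):     # replay burst: same frame, same IV, 200 frames/s
        lines.append(f"{t + i * 0.005:.3f} DATA src={client} bssid={ap} "
                     f"iv=3a9f01 len=68")
    return lines


def detect_iv_replay(lines, window=1.0, threshold=20):
    """Alert when the same (source MAC, IV) pair is seen `threshold` or more
    times within `window` seconds. A sliding deque of timestamps is kept per
    pair; each pair alerts at most once. Returns a list of alert dicts."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue                     # ignore lines that are not data frames
        ts = float(m["ts"])
        key = (m["src"].lower(), m["iv"].lower())
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": key[0],
                "bssid": m["bssid"].lower(),
                "iv": key[1],
                "first_ts": q[0],
                "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_iv_replay(build_sample_log()):
        print("WEP IV replay suspected:", alert)
```

The normal 20 frames never trip the detector because every IV is distinct; the burst trips it on its 20th repetition, well before aireplay-ng would have produced anything useful. In a real deployment the timestamps, source address and IV would come from a monitor-mode capture rather than this constructed log, and the threshold should be tuned to the noise floor of your own network.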
Step 4: mount the cryptographic attack
From the same directory you launched the dump process just run this:
aircrack-ng <fileprefixname>.cap -0
This will launch a window that shows progress. If it’s successful, you’ll see the key! If it’s not… keep waiting for more traffic. 40k+ data packets increases your odds tremendously, but if it’s a simple WEP key it requires less. This tool will actually keep trying as the packet capture increases in size, so you can keep it running. Or quit it (ctrl-c) and wait till you have more.
Step 5: connect!
If all went well you have broken the WEP key via the PTW attack method. Now you can connect to the network. Close down the dump sessions, etc. etc., and bring down your WLAN card:
ifconfig wlan0 down
Then you’ve just gotta connect:
ifconfig <interface> up (bring up the wlan card)
iwconfig <interface> mode managed key [WEP key]
iwconfig <interface> essid “[ESSID]” (specify the ESSID for the WLAN)
dhclient <interface> (to receive an IP address, netmask, DNS server and default gateway from the access point)
If all goes well you’ll get an IP and then you’re good to go, test by pinging or whatever else.
But if it didn’t work, they may have MAC filtering in place…
So change the MAC address of your wireless card to match the client whose traffic you just used for the crack! This is a bit messy and could freak out the DHCP server of the access point, but it’s worth a shot.
Bring the card down first:
ifconfig wlan0 down
Then change the MAC:
ifconfig wlan0 hw ether xx:xx:xx:xx:xx:xx
Bring it back up again and repeat the connection steps. You should be good to go.
This is a simplified walkthrough of a process that is documented in many other places. It should give you a taste of kismet, and the basics of the aircrack-ng suite, which has many, many other great features. I encourage you to read all about it over on their website.
Additionally, their site also contains a much more in-depth WEP crack tutorial.
Again, this is not ground-breaking, but it is always good to share the fundamentals in case someone hasn’t seen it before. Good luck!