itjc.net

How to crack WEP wireless passwords

Wireless is ubiquitous, which is to say it's almost everywhere in the developed nations. Thankfully, most people have been educated about the dangers of using WEP encryption on their wireless networks. WEP encryption has a number of well-known weaknesses. The result is that a mildly interested person can look up steps and guides on how to crack a WEP password, and be able to understand and perform them.

This article demonstrates how somebody can break a WEP password in under 30 minutes.

Requirements:

  • 1 WEP-encrypted wireless network
  • the victim network must have at least one client device (which does not have to be a wireless client)
  • that client device must transmit at least one ARP packet, which you need to capture
  • a PC (preferably a laptop)
  • a supported wireless card (I recommend the Alfa AWUS036H)
  • 1 BackTrack 5 CD

Setup Steps:

Attacker Side

Power on BackTrack 5. You have options:

  • put the CD in the tray, and live boot
  • download the VM from the website, and boot it in VMware Player (free)
  • download the ISO from the website, and boot it in VMware Player, VirtualBox, or VMware Workstation
  • convert the ISO to a bootable USB key, and boot from that

It doesn't really matter which route you choose. Once booted, plug in the USB wireless card. If using a VM, make sure the VM can access the wireless card directly (important!).

Victim Side

Find a wireless network protected by WEP, and park yourself close enough that your PC can see the wireless network with enough signal strength for the AP to hear your PC as well. (Ideally, this will be in your own authorized lab environment.)

Be prepared to wait for client activity on the network. (Ideally, you will simulate this by generating your own activity.)

Execution:

Fire up BT5, log in, run "startx", open 4 terminals.

You will need to run a number of commands, all of which must be run as root. In BackTrack, the main user is root.

In the first terminal, you will want to identify your wireless card. Type:

# ifconfig

# iwconfig

Hopefully, you will see wlan0 for your wireless card. Don't be intimidated by the output. Just read it. The text next to one of the devices will include the word 'wireless'. That's the one you want. I will use wlan0 for the remainder of this article. Replace that with your wifi device.

Next, you will need to put the device into something called monitor mode. Monitor mode means that the wireless card will eavesdrop on wireless packets, even ones which are not addressed to it.

# ifconfig wlan0 down

# iwconfig wlan0 mode monitor

Next, you will need to run a program called airodump, which will record the wireless traffic. You will run airodump twice. The first time will survey the airwaves. The second time will start the dump on a specific network, and save the results.

# airodump-ng wlan0

You will soon see a list of wireless networks, and numbers flashing. Read the table until you find the encryption column, "ENC". In that column, scan down until you find your WEP network. Once found, press Ctrl+C to exit airodump. Next, run airodump again, and include the information for this WEP network.

# airodump-ng wlan0 -c <channel> --bssid <network mac address> -w <location to save file>

Go to the second tab. You will run aireplay. Aireplay is able to broadcast wireless packets. It performs 9 functions. Run aireplay with no arguments, and it will display the help text. Read it.

# aireplay-ng

You will need to specify attack #1, and then attack #3. The other attacks are for specific scenarios, but #3 is the one most likely to work for you. Attack #1 should trick the AP into listening to your packets. Attack #3 will then be able to tell the AP to send you lots and lots of IVs. You will need about 50,000 IVs, which will be given to aircrack. Aircrack runs a statistical analysis on the IVs, and is able to drastically reduce the amount of brute force required to decipher the WEP password. On a busy network, it could take months to collect enough IVs to perform a successful crack. Attack #3 speeds this process up, allowing you to collect enough IVs in about 30 minutes.

Run aireplay with attack #1. This will associate with the victim AP.

# aireplay-ng -1 10000 -o 1 -q 10 wlan0 -a <network mac address>

Go to the next tab. Run aireplay again, with attack #3. This will wait for an ARP packet. If there is no network activity on the victim AP, you will have no success. But if you are able to capture even just one ARP request, the game is over. Attack #3 will replay that ARP request over and over, generating the IVs you need.

# aireplay-ng -3 wlan0 -b <network mac address>

Read the output. You will see a part which states 0 ARP packets. If there is no network activity, this will stay at 0. In your lab, simulate an active client on the network, and watch as the ARP is caught and the IVs start to fly. You can go back to the first tab, where the "Data/#" column represents IVs for WEP networks.
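The replay described above leaves a clear fingerprint on the air: a legitimate WEP station uses a fresh 24-bit IV on every frame, while a replayed ARP request carries the same captured IV thousands of times in a short window. The detector below, added here as an example and not part of the original article, flags that pattern over constructed frame metadata (timestamps, MACs and IVs are all placeholders).

```python
from collections import defaultdict

# Constructed sample, not a real capture: each frame is
# (time_ms, src_mac, bssid, iv_hex). A collector would pull these fields
# from a monitor-mode capture; here they are embedded inline.
BSSID = "aa:bb:cc:dd:ee:01"      # placeholder access point
LEGIT = "00:11:22:33:44:55"      # placeholder normal WEP client
REPLAYER = "66:77:88:99:aa:bb"   # placeholder station replaying one frame


def build_sample():
    frames = []
    for i in range(300):
        t = i * 50  # one frame every 50 ms from each station
        # normal client: the IV advances on every frame it sends
        frames.append((t, LEGIT, BSSID, f"{0x100000 + i:06x}"))
        # replayer: the same captured frame, so the same IV, every time
        frames.append((t, REPLAYER, BSSID, "3f9c2a"))
    return frames


def detect_iv_replay(frames, window_ms=5000, threshold=50):
    """Return {(src, bssid): peak} for stations that reused one IV more
    than `threshold` times inside any `window_ms` sliding window."""
    times = defaultdict(list)
    for t, src, bssid, iv in frames:
        times[(src, bssid, iv)].append(t)
    alerts = {}
    for (src, bssid, _iv), ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window_ms:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts[(src, bssid)] = max(alerts.get((src, bssid), 0), peak)
    return alerts


if __name__ == "__main__":
    for (src, bssid), n in detect_iv_replay(build_sample()).items():
        print(f"ALERT {src} -> {bssid}: one IV repeated {n} times in 5 s")
```

Only the replaying station is reported; the normal client never repeats an IV, so its peak stays at 1.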

Go to the last tab, where you will run aircrack. You will need to give it the file you specified when you called airodump the second time. It should start cracking as soon as you run the program. If more than one network is detected in the file, you will have to choose one; aircrack will choose the network automatically if only one is in the file. It will also automatically start cracking the network. It will probably fail, and say to try again with more IVs.

Do not worry. aircrack will automatically retry the original file, and will display the key when finished.

# aircrack-ng <location to save file>

Wait about 15-20 minutes, and you should have your WEP key.

