A quick guide to cracking WEP
The original tutorial is available here.
A beginner's use of the aircrack suite
I've chosen to write this because I'm tired of going over the same material and waiting for people to do the required reading to fill in the gaps. Why else do you get documentation like this?
It is important to understand that within a wifi-network traffic is much more public than on a wired network. Data is transmitted in all directions, not through narrow channels. So some form of encryption/privacy control was needed, and it came as WEP (Wired Equivalency Protocol, this should be all old news). WEP did the equivalent of making it difficult to connect to a wireless access point, though not impossible as you will inevitably find out. The technical details about the flaws in WEP are not covered here. This article will cover how to utilize the aircrack suite developed by Christophe Devine and KoreK. The suite contains several tools that are vital to various stages of cracking the WEP key. This article will cover the airodump, aireplay, and aircrack tools. Let's get started.
What you will need
* 1 copy of BackTrack Beta 1
* 1 Atheros** or Prism2/2.5/3 wifi card (the injection card)
* 1 other wireless card, any type (the target card)
* Computers for both of the above cards (If you can get it working with one, good for you. If not, find a consenting friend and use theirs)
* 1 wireless router supporting the frequencies of the cards (i.e. 802.11a, 802.11b or 802.11g)
* A location (ideally lab setting) where you can operate without disturbing other APs
* Patience, luck, persistence
** A note about Netgear WG511T cards and the Backtrack Beta 1. Currently there are issues with injection, either a faulty patch or kernel issues. Hopefully this will be fixed with the new kernel release. Other functions should be alright, though. Update: TheGreatVirus has written a great tutorial on how to get injection working properly with stubborn Atheros cards (requires HD install). I have tested this with my own WG511T and injection worked properly.
Checking for Injection
Look at this thread for notes on how to confirm proper injection, had to be a new thread.
The Setup (and a little thinking)
In order to crack a WEP key you must have a large number of encrypted packets to work with. This is an unavoidable requirement if you wish to be successful. The best way to get a large number of packets is to perform an ARP request reinjection attack (otherwise known as attack -3). In order to do this attack and get results there must be a client already authenticated with the AP, or about to connect to the AP.
So, with this in mind, let's get things organized. The following conditions should be in set:
* The target client should be booted and authenticated with the AP. Confirm this however you'd like (i.e. google something).
* The injection client (with the Atheros or Prism card) should be booted into BackTrack, use startx to start the GUI once logged in as root.
* The card on the injection client should be placed into monitor mode. You can do this with the command "iwconfig DEVICNAME mode monitor", or you can start kismet and it will be done for you.
* The Access Point should be configured to use WEP, whatever keylength you'd like (keep in mind that longer keys require more data packets).
Moving right along, you will need the following information in an easy to reach place. I like to put it into an open text file for simple copy/paste moments. If you can cat | grep | awk it, then you shouldn't be here.
1. AP MAC address
2. Target client MAC address
3. AP BSSID
4. Target client ESSID
You can find these by using Kismet or starting airodump.
The Good Stuff; Or, How I Do That?
Now that you have everything set up (or not, you lazy bum) let's get it on. For the next few sections you will need to use Konsole or XTerm or whatever console emulator you like to input the commands. I'll try to be gentle.
Once again, we'll start with some thinking. Encrypted packets are not beacons, neither are they "packets". They are identified within airodump as "Data", and in previous versions as "IVs" (which stands for Initialization Vectors). They represent packets collected that can be used to crack the WEP key. This means that they were encrypted by the AP before being transmitted and can be subjected to various statistical attacks, but we'll get into that later. Let's get our packet capture on.
Type the following command into the console (Remember, you card should already be in monitor mode):
* airodump DEVICE dump CHANNEL 1
Where DEVICE is the name of your wifi card and CHANNEL is the channel of the AP. The 1 (one) on the end tells airodump to only save IVs to the file. This will also change the suffix for the capture file from .cap to .ivs. You should now be looking at the airodump interface. You should be seeing your own AP and the associated client if you have everything set up correctly. Notice how the beacons go up faster than the data packets? Let's do something about that.
Aireplay is used to inject packets in order to increase the selection of crackable data. It has five seperate attacks, but today we will just be using the -0 (deauthentication) and -3 (ARP replay injection) attacks.
When a wireless client (any wireless client) attempts to obtain an IP from the AP it sends an ARP request (several, in this case, because radio signals don't always make it). This request is recieved by the AP which then consults some rules and, if the packet meets those rules, it sends an ARP reply to the client. Due to the nature of the request, these replys are encrypted, which makes them ideal for cracking. Unless the router has limits on the number of ARP requests allowed then the replys can be broadcast several hundred times per second.
However, since our client is already authenticated, it isn't likely to be sending out many more ARP requests. It is possible to do it manually but for the sake of the article we'll do it the hard way.
If the wireless client is suddenly disconnected then it will automatically try and re-obtain their IP in the form of severl ARP requests**. The -0 attack will effectively kick the client off the network and force it to reauthenticate. Set up the following attack in a new console but do not run it yet.
* aireplay -0 10 -a APMAC -c CLIENTMAC DEVICE
Where APMAC is your APs MAC address, CLIENTMAC is the client MAC address, and DEVICE is the device name. Let's set up the next attack.
** It should be noted that windows clients are more likely to spew forth ARP packets when they are deauthed than linux clients.
Before setting off the deauth attack we need to set up aireplay to listen for the ARP request so it can rebroadcast the packet and generate traffic. Type the following command into a new console, but don't run it:
* aireplay -3 -b APMAC -h CLIENTMAC -x 500 DEVICE
Follow the same naming scheme as above. This command tells the program to listen for an ARP request coming from the clients MAC address and directed at the APs MAC address, then broadcast that request 500 times per second from your Atheros or Prism card.
Using the attacks
Run the -0 attack, then immediatly after run the -3 attack. Feel free to write a script to do this for you. You should see the -3 command output how many ARP requests it recieved then display how many have been transmitted. With any luck, the number in the Data column on airodump should be increasing at a high rate. You may need 250,000 packets to crack a short WEP key, and up to 2,000,000 for a longer one if you aren't lucky.
Breaking the key
Once you start generating packets you can start aircrack on breaking them. Aircrack can work even as the packets are being collected, so you can run it during the -3 attack. There are many options you can use to fine tune the cracking process, they are available here. However, you can try this command if you really want to (remember that for this test we named the capure file dump.ivs):
* aircrack -a 1 -b APMAC dump.ivs
This command tells aircrack that it is trying to break a WEP key, reading from the dump.cap file, using only packets coming from the target AP MAC address. This command is a very basic implementation of aircrack and will take a long time to crack even a simple key. I recently cracked my own 40 bit WEP key with 250,000 packets using two different commands. My first command was similar to the one above. My second command looked something like this:
* aircrack -a 1 -i 1 -n 64 -m CLIENTMAC -b APMAC dump.ivs
On a Pentium M 1.3 Ghz laptop with 512 Mb of RAM the first command ran for 3 hours without finding a match. The second command cracked it in 20 minutes. These aren't intended as test results but merely a comparison of cracking time when more arguments are given. I had the oppertunity to test these different commands on a P4 3.2 Ghz system with gobs of ram. The first command took several hours to crack a 40 bit key, while the second command managed to do it in less than one second. Think about it.
probably wouldnt be a bad idea to sticky this...
btw gj for throwin this in here i expect it will be helpful to many
Well done that was a very good tutorial.
That will certaintly clear a few things up for some people
You put a note about WG511T issue with packet injection due to faulty patch or kernel issue.
As i got this card and get stuck with injection, i would like to update the kernel to latest stable version 22.214.171.124 as well as patch with latest Madwifi-ng driver (i am to impatient to wait for a backTrack update).
As i do not feel so comfortable with this, would you know how to proceed step by step to update the kernel and also Madwifi-ng ?
I am pretty sure that some of us would be very very interested to have a clear picture on the appropriate procedure.
Anyone comments will be indeed very appreciated.
Cheers // Padou
And the deAuth dont work either. Its sending but it does`t kick my target of the AP
i use this command "aireplay -0 20 -a macap -h mactarget ath0"
I have also tried this "aireplay -0 20 -a macap -c mactarget ath0"
First off, thanks for the feedback. The article on the website had been updated slightly to explain the final aircrack command. Props to br0adband on IRC for the tip.
In regard to the WG511T injection problems I don't have any easy answers. Patching drivers and updating kernels (especially the BackTrack kernel) are completely different tutorials (slackbook.org has a good guide to compiling a kernel from source). Currently I'm trying to get the patched drivers to work with an updated slackware install, I'll try to keep you posted.
I've just moved, though, and I'm starting work again so progress might be slow.
also check out the video tutorials....
you can stop the video action and print pages as you see fit... they are excellent!
Beginners should definitely read the aricrack documentation from end-to-end, it's here:
The link on wirelessdefense also gives step-by-step instructions for using the aircrack suite and examples:
Read that little lot, *then* ask more detailed and specific questions here :-)
Oh, and sometimes you can't break the WEP key so easily (see Devine's comments on this). See below the results from throwing a generous packet dump of IVs at a quad PIII server (note the running time in HHHH:MM:SS format). This run failed to find the WEP key despite using the -f 4 option in aircrack.
[1089:40:46] Tested 10103896 keys (got 3757676 IVs)
KB depth byte(vote)
0 0/ 1 DD(1161) F7( 33) EF( 30) 36( 30) F8( 30) 46( 27)
1 1/ 2 89( 137) 58( 71) 68( 61) 67( 48) 92( 47) 0F( 46)
2 0/ 1 9F( 495) 88( 58) 80( 50) 8D( 40) 87( 36) C0( 33)
3 1/ 2 E8( 130) D8( 112) C7( 108) B8( 93) E3( 62) DB( 60)
4 0/ 1 4D( 537) D8( 129) EC( 43) B2( 36) 33( 36) 62( 36)
5 48/ 49 B2( 247) 51( 235) 55( 232) 81( 231) 12( 229) D5( 219)
6 1/ 2 C8( 232) D5( 77) DD( 66) 83( 63) DC( 50) C6( 36)
7 0/ 1 66( 612) 8D( 106) 0A( 80) EE( 64) 1E( 57) 09( 52)
8 5/ 6 99( 36) E0( 26) B2( 21) D9( 21) 0C( 21) 98( 19)
9 84/ 85 59( 166) E3( 160) 83( 155) 57( 154) 1F( 149) 58( 140)
10 98/ 99 45( 166) 56( 159) B9( 127) 0C( 122) 4A( 114) 64( 114)
11 1/ 2 31( 218) 56( 162) 3A( 103) 27( 94) 48( 82) 82( 77)
12 0/ 2 E2( 730) E7( 201) D0( 133) 16( 130) F0( 90) E5( 89)
Attack failed. Possible reasons:
* Out of luck: you must capture more IVs. Usually, 104-bit WEP
can be cracked with about one million IVs, sometimes more.
* If all votes seem equal, or if there are many negative votes,
then the capture file is corrupted, or the key is not static.
* A false positive prevented the key from being found. Try to
disable each korek attack (-k 1 .. 17), raise the fudge factor
(-f) and try the experimental bruteforce attacks (-x / -y).