How to crack WEP wireless networks

Posted April 3rd, 2008 at 9:00am
Filed under Mods, Networking, Programming

[Image: broken_lock.jpg]

A little theory first. WEP is a really crappy and old encryption technique for securing a wireless connection. A 3-byte value, called an Initialization Vector or IV, is prepended to each packet and combined with a pre-shared key that all the authenticated clients know… think of it as the network key you need to authenticate.

Well, if it’s on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check, and brute force becomes a realistic proposition.
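To put the 3-byte IV in perspective, here is an added illustration in Python (not part of the original post, and not a description of how aircrack itself works) of how small a 24-bit IV space is. With randomly chosen IVs the birthday bound puts the first repeat within a few thousand frames, and a client that simply increments its IV wraps the counter in hours. The 500 frames/second rate is an assumed figure for illustration; everything else follows from the 24-bit field size stated above.

```python
import math

IV_BITS = 24                 # WEP prepends a 3-byte (24-bit) IV to every encrypted frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IV values


def iv_space() -> int:
    """Number of distinct values a 24-bit IV field can take."""
    return IV_SPACE


def repeat_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that some IV has already been used twice after `packets` frames,
    assuming each frame picks its IV uniformly at random.
    Birthday-problem approximation: 1 - exp(-n(n-1) / (2N))."""
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def expected_packets_to_first_repeat(space: int = IV_SPACE) -> float:
    """Expected number of random-IV frames before the first repeat: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2.0)


def packets_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count at which repeat_probability reaches p.
    repeat_probability is monotonic in the frame count, so bisection works."""
    lo, hi = 1, space
    while lo < hi:
        mid = (lo + hi) // 2
        if repeat_probability(mid, space) >= p:
            hi = mid
        else:
            lo = mid + 1
    return lo


def seconds_to_wrap(packets_per_second: float, space: int = IV_SPACE) -> float:
    """If a client instead uses a simple incrementing IV counter: seconds until the
    counter wraps and every IV starts repeating. The packet rate is an assumed figure."""
    return space / packets_per_second


if __name__ == "__main__":
    print(f"IV space: {iv_space():,} values")
    print(f"expected frames to first random repeat: {expected_packets_to_first_repeat():.0f}")
    print(f"frames for a 50% repeat chance: {packets_for_probability(0.5):,}")
    print(f"repeat probability after 100,000 frames: {repeat_probability(100_000):.6f}")
    hours = seconds_to_wrap(500.0) / 3600      # assumed 500 frames/s for a busy client
    print(f"a 500 frame/s counter wraps after {hours:.1f} hours")
```

Either way the IV field is exhausted or repeating long before a network has been up for a day, which is the sizing argument behind the "few hundred thousand packets" figure and the reason WEP should not be deployed at all.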

A couple of things will cause us some problems.

* If the key is not static, then you’ll mix up all your IVs and it’ll take forever to recover the key.
* There’s no traffic, therefore no packets – we can fix this.
* MAC address filtering – we can fix this too.

Setting up your tools

We’re gonna need 3 or 4 shells open, and we have 5 tools:

* airodump – Grabbing IVs
* aircrack – Cracking the IVs
* airdecap – Decoding captured packets
* aireplay – (My Favourite) Packet injector to attack APs.
* kismet – Network Sniffer, can grab IVs as well.

For a standard WEP hack we’ll usually only need airodump, aircrack, and kismet (server and client). If we run into some problems we might have to use aireplay to fiddle about.

I’ll leave you to configure all these tools; for the most part the defaults should do, with the exception of kismet.

Finding the Network

First step is we need to find a network to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:

* Encryption type: Is it WEP 64-bit? 128-bit?
* What channel is it on? Knowing this can greatly speed up IV collection.
* AP’s IP Address
* BSSID
* ESSID

All this info isn’t required but the more you have, the more options you have later to crack and sniff. We can get a lot of this from airodump as well but I find the channel is important.

Capturing IVs

Alright, we know what we wanna crack, so let’s start capturing packets. You can use kismet to capture files but I prefer airodump because it keeps a running count of all the IVs I’ve captured, and I can crack at the same time: airodump will automatically update aircrack with new IVs as it finds them.

Note: kismet can interfere with airodump, so make sure you close it down before starting airodump.

Airodump is pretty straightforward, with its command line looking something like this:

./airodump <interface> <output prefix> [channel] [IVs flag]

* interface is your wireless interface to use – required.
* output prefix is just the filename it’ll prepend to the output files – required.
* channel is the specific channel we’ll scan, leave blank or use 0 to channel hop.
* IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.

My wireless card is ath0, the output prefix I’ll use is “lucid”, the channel we sniffed from kismet is 6, and the IVs flag is 1 because we just want IVs. So we run:

./airodump ath0 lucid 6 1

Airodump will come up with a screen showing us all the APs and their relevant info, as well as client stations connected to any of the APs.


BSSID              PWR  Beacons  # Data  CH  MB   ENC  ESSID
00:23:1F:55:04:BC   76    21995  213416   6  54.  WEP  hackme

BSSID              STATION            PWR  Packets  Probes
00:23:1F:55:04:BC  00:12:5B:4C:23:27  112     8202  hackme
00:23:1F:55:04:BC  00:12:5B:DA:2F:6A   21     1721  hackme

The line under the first header shows us some info about the AP, as well as the number of beacons and data packets we’ve collected from it. The two lines under the second header show us two authenticated clients: which AP they are connected to and the packets they are sending. We won’t use this client info in a straight theory hack, but in practice we’ll need it to actively attack the AP.

This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file “lucid.ivs” with the IV info from every packet that carries one. Next, we’ll feed this to aircrack. To move onto the next step we’ll want at least 100,000 packets (under # Data in airodump), but probably more.
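As an added example (not from the original post), here is a small Python parser for the airodump screen shown above. It uses the post’s own sample rows as constructed input, pulls out the AP and station records, and applies the 100,000 # Data rule of thumb. The whitespace-separated column layout and the regular expressions are an assumption about this screen format; other airodump versions print different columns. The same parser serves a defender doing a site survey of their own estate: wep_networks() lists every AP still advertising WEP, which should be an empty list.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input, transcribed from the airodump screen shown in the post.
SAMPLE_SCREEN = """\
BSSID              PWR  Beacons  # Data  CH  MB   ENC  ESSID
00:23:1F:55:04:BC   76    21995  213416   6  54.  WEP  hackme

BSSID              STATION            PWR  Packets  Probes
00:23:1F:55:04:BC  00:12:5B:4C:23:27  112     8202  hackme
00:23:1F:55:04:BC  00:12:5B:DA:2F:6A   21     1721  hackme
"""

MIN_DATA_PACKETS = 100_000  # the post's rule of thumb before feeding the IVs to aircrack

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Assumed column layout: BSSID PWR Beacons #Data CH MB ENC ESSID (whitespace-separated).
AP_LINE = re.compile(
    rf"^\s*({MAC})\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$"
)
# Assumed column layout: BSSID STATION PWR Packets Probes.
STATION_LINE = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(-?\d+)\s+(\d+)\s*(.*?)\s*$")


@dataclass
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int
    channel: int
    rate: str
    enc: str
    essid: str


@dataclass
class Station:
    bssid: str
    station: str
    power: int
    packets: int
    probes: str


def parse_airodump(text: str) -> Tuple[List[AccessPoint], List[Station]]:
    """Split an airodump screen into AP rows and station rows; header and blank lines are skipped."""
    aps: List[AccessPoint] = []
    stations: List[Station] = []
    for line in text.splitlines():
        m = STATION_LINE.match(line)   # two MACs in a row: a station entry
        if m:
            bssid, sta, pwr, pkts, probes = m.groups()
            stations.append(Station(bssid.upper(), sta.upper(), int(pwr), int(pkts), probes))
            continue
        m = AP_LINE.match(line)        # one MAC followed by counters: an AP entry
        if m:
            bssid, pwr, beacons, data, ch, rate, enc, essid = m.groups()
            aps.append(AccessPoint(bssid.upper(), int(pwr), int(beacons), int(data),
                                   int(ch), rate.rstrip("."), enc, essid))
    return aps, stations


def wep_networks(aps: List[AccessPoint]) -> List[AccessPoint]:
    """Every AP still advertising WEP; a survey of your own estate should return none."""
    return [ap for ap in aps if ap.enc.upper() == "WEP"]


def meets_iv_threshold(ap: AccessPoint, minimum: int = MIN_DATA_PACKETS) -> bool:
    """True when the captured # Data count has reached the post's 100,000-packet rule of thumb."""
    return ap.data >= minimum


def clients_of(ap: AccessPoint, stations: List[Station]) -> List[Station]:
    """Stations associated with the given AP (the rows that share its BSSID)."""
    return [s for s in stations if s.bssid == ap.bssid]


if __name__ == "__main__":
    aps, stations = parse_airodump(SAMPLE_SCREEN)
    for ap in wep_networks(aps):
        print(f"{ap.essid} ({ap.bssid}) ch {ap.channel}: {ap.data} data packets, "
              f"threshold met: {meets_iv_threshold(ap)}, clients: {len(clients_of(ap, stations))}")
```

Station rows are tried first because they contain two MAC addresses, so the two patterns cannot both match the same line; the rate column keeps the trailing dot out of the stored value.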

Using IVs to Decrypt the Key

Ok, pretend you have enough IVs now to attempt a crack. Go to a new terminal (without stopping airodump – remember it’ll auto-update as new IVs are found) and we’ll start aircrack. It looks something like this:


./aircrack [options]

There are a lot of options so you can look them up yourself; I’ll be using common ones here that should get you a crack. Our input file is “lucid.ivs”, and the options we will use are:

* -a 1 : forces a WEP attack mode (2 forces WPA)
* either -b for the BSSID or -e for the ESSID : whichever is easier to type, but I like using a BSSID because it’s more unique.
* -n 64 or -n 128 : WEP key length, omit if not known by now.

So our command will look like:


./aircrack -a 1 -b 00:23:1F:55:04:BC -n 128 lucid.ivs

and off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That’ll pop open most old wireless routers with some traffic on them.

Anticipated Problems

There are lots of problems that can come up that will make the above fail, or work very slowly.

* No traffic
  - No traffic is being passed, therefore you can’t capture any IVs.
  - What we need to do is inject some special packets to trick the AP into broadcasting.
  - Covered below in WEP Attacks.

* MAC address filtering
  - The AP is only responding to connected clients, probably because MAC address filtering is on.
  - Using airodump’s screen you can find the MAC address of authenticated users, so just change your MAC to theirs and continue on.
  - Using the -m option you can tell aircrack to filter packets by MAC address, e.g. -m 00:12:5B:4C:23:27

* Can’t crack even with tons of IVs
  - Some of the statistical attacks can create false positives and lead you in the wrong direction.
  - Try using -k N (where N=1..17) or -y to vary your attack method.
  - Increase the fudge factor. By default it is 2; specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.

* Still nothing
  - Find the AP by following the signal strength and ask the admin what the WEP key is.




23 Responses to “How to crack WEP wireless networks”

  • Comment from jorel314

    Here’s how to crack WEP on a Mac without using the command line.

    http://bit.ly/aiSw

  • Comment from alleena

    THIS SEEMS SO DIFFICULT!!!! >_<

  • Comment from josue ponce

    Hey, will the FBI find out about this? I don’t know how to hack WEP but I really want to hack my neighbor so I can play Xbox Live. Is this hard, and will my neighbor find out that I hacked him?

  • Comment from Dr.oska mena

    I need to know how to hack the WEP. Please teach me, thanks.

  • Comment from Miguel huertas

    How do I do this for my PS3?

  • Comment from tom

    Just wondering, where can I download all this software?
    – airodump – Grabbing IVs
    – aircrack – Cracking the IVs
    – airdecap – Decoding captured packets
    – aireplay – (My Favourite) Packet injector to attack APs.
    – kismet – Network Sniffer, can grab IVs as well.

    please contact me !!!!

    • Comment from omikey

      Hi,
      let me know how to go about downloading
      the software

  • Comment from rahul

    i want to learn hacking pls help ,i out

  • Comment from Muhammad Jamshed

    Hello Dears,

    I need a WEP cracker but I don’t know where to find it. If anybody has any type of WEP cracker software, please send it to me by email.

    Thanks,
    Muhammad Jamshed

  • Comment from Nathan

    Can someone please teach me how to hack a WEP?

  • Comment from Viper

    Okay, I’m doing a project in lab. Problem is, I really need to know how to hack WEP, WPA, and WPA2 before tomorrow. If someone could e-mail me a link or a tutorial, or anything, it would greatly help me out.

    Thanks,
    Viper.
    My e-mail address is bdviper13@gmail.com

    (just in case it doesn’t show up)

  • Comment from Moon Khan

    Hi dear all
    Please, someone help me. How can I get a WEP key? I have many wireless connections in my area but all are locked & need a key.
    How can I crack a network? Please help me, someone. Here is my chat ID
    dubai_khan143@yahoo.com
    waiting for someone i hope there is someone who can help me
    waiting for you!!

    have a great day!

  • Comment from Jdawg55/ tristaninthehood-psn accounts

    You got that pic at the top from Google… anyway

    I’m trying to connect my Marvell Yukon Fast Ethernet controller cord from my PS3 to my laptop,
    but on my laptop I am using a wireless network (on Windows Vista).
    When I plug in my cord… when connected to the wireless network all it does is just show up in the NETWORK AND SHARING center.
    I am asking how I would transfer that wireless network to my PS3,
    and I can’t connect through wireless on my PS3 because where the PS3 is it doesn’t pick up that wireless signal.
    PLZZZ HELP ME CONFIGURE THIS… I’VE BEEN LOOKING ALL OVER THE INTERNET TO FIND THIS OUT BUT EVERYONE ELSE SAYS THEY’RE USING A ROUTER OR BROADBAND TO CONNECT, BUT NOTHING SAYS HOW I CAN CONNECT MY PS3 TO THE INTERNET USING MY WIRELESS NETWORK COMPUTER
    PLLLEEEZZEE HELP ME
    THNX…
    BY THE WAY… IF Y’ALL HELP ME WITH THIS AND I GET IT UP RIGHT, GIVE ME YOUR PSN NAME AND I WILL ADD U
    THNX AGAIN..

  • Comment from michael

    I need to crack the WEP code on prettyboyfloyd

  • Comment from dike afam azogi

    I want to connect my PSP Slim to the internet, please help me.

  • Comment from Confused???

    I’m very confused…
    Could someone just tell me where to download that software, how to install it and how to work it… please…

  • Comment from michael

    Hi, I already tried cracking WEP using a USB wifi in Windows under VMware, just following this site http://wireless-security-system.blogspot.com
    But I don’t know how to put my USB wifi into monitor mode.
    Hope you can guide me clearly.

    thanks.regard.

  • Comment from john YoUng

    How do I do this for PS3?

  • Comment from ledge paranchich

    MockUpScreens creates native app for Mac
    MacNN
    … Windows skin to show the same information as it would appear in Windows, useful for guaranteeing a consistent interface on cross-platform applications. …
    and more »

  • Comment from bouvill

    In Mr. Alfredo Ramirez’s accessories sales business on Av. Fundadores, opposite the Centro Clinico los (cont)

  • Comment from Anonymous

    How to get the key

    • Comment from atrquimides

      How can I get free wireless?

