Follow the given instructions to get started:

Configure the lab access point for WEP and use

abcdefabcdefabcdefabcdef12

as the 128-bit WEP key. You can set this to whatever you choose, as long as it is 26 hex digits: that is 104 secret key bits, which WEP calls "128-bit" by counting the 24-bit IV that is sent in the clear with every frame.

Bring up wlan0 by issuing the following command:

ifconfig wlan0 up

Put the card into monitor mode with airmon-ng:

airmon-ng start wlan0

This creates mon0, the monitor mode interface, as shown in the following screenshot. Verify that the mon0 interface has been created using the iwconfig command.

Use airodump-ng to locate our lab access point using the following command:

airodump-ng mon0

Note the BSSID and channel it reports for the lab access point, then restart airodump-ng locked to that BSSID and channel:

airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WEPCrackingDemo mon0
The preceding command line is shown in the following screenshot. Besides locking on to the access point, it tells airodump-ng to save the packets into a pcap file using the --write directive.

Now connect a wireless client to the access point with the WEP key abcdefabcdefabcdefabcdef12. Once the client has successfully connected, airodump-ng should report it on the screen.

If you run ls in the same directory, you will be able to see files prefixed with WEPCrackingDemo-*, as shown in the following screenshot. These are the traffic dump files created by airodump-ng.

On the airodump-ng screen, the number of data packets listed under the #Data column is very low (only 68). For WEP, this column counts data frames with distinct initialization vectors (IVs), and IVs are what the attack consumes: every WEP frame is RC4-encrypted under the same secret key concatenated with a 24-bit IV that is transmitted unencrypted, and given enough frames with different IVs the key bytes can be recovered statistically. An idle client will not produce that many frames on its own, so we will have to force the network to produce more data packets. To do this, we will use the aireplay-ng tool.

Aireplay-ng captures ARP packets and injects them back into the network. Because the injected frame is a valid ARP request, every copy the access point relays provokes a fresh ARP reply, so replaying a captured request a few thousand times generates a lot of data traffic, each new frame carrying a new IV. We will be starting aireplay-ng in a separate window, as shown in the next screenshot. Even though aireplay-ng does not know the WEP key, it is able to identify the ARP packets by looking at the size of the packets. ARP is a fixed-header protocol (28 bytes for IPv4 over Ethernet), and WEP encrypts only the frame body while leaving the 802.11 header and the frame length visible, so an encrypted ARP request stands out: it has a predictable size and is addressed to the broadcast MAC.

We will run aireplay-ng with the options that are discussed next. The -3 option selects the ARP request replay attack, -b specifies the BSSID of our network, and -h specifies the client MAC address that we are spoofing. We need to do this, as replay attacks will only work for authenticated and associated client MAC addresses; the access point drops data frames from any other source address.

As the following screenshot shows, aireplay-ng was able to sniff ARP packets and started replaying them into the network. If you encounter channel-related errors as I did (the tool complains that it cannot determine the channel of mon0 and reports it as -1), append --ignore-negative-one to your command, as shown in the following screenshot.

Once injection is running, airodump-ng will also start registering a lot of data packets, and the #Data count climbs quickly. All these sniffed packets are being stored in the WEPCrackingDemo-* files that we saw previously. Now start aircrack-ng
with WEPCrackingDemo-0*.cap as its input, in a new window. This starts the aircrack-ng software, which will begin working on cracking the WEP key using the data packets in the file. Note that it is a good idea to have airodump-ng collect the WEP packets, aireplay-ng do the replay attack, and aircrack-ng attempt to crack the WEP key based on the captured packets, all at the same time; aircrack-ng re-reads the capture files as they grow, so there is no need to stop the capture first. In this experiment, all of them are open in separate windows.

The following screenshot shows aircrack-ng working on the packets to crack the WEP key. With aireplay-ng injecting at a healthy rate, this should take 5-10 minutes at most. If the number of data packets currently in the file is not sufficient, then aircrack-ng will pause, as shown in the following screenshot, and wait for more packets to be captured; it will then restart the cracking process. With the default PTW attack, expect it to need on the order of tens of thousands of unique IVs for a 104-bit key, so if the #Data count stops rising, check that aireplay-ng is still injecting and that the client is still associated.

After enough packets have arrived, aircrack-ng should be able to break the key. Once it does, it proudly displays it in the terminal (the KEY FOUND! line) and exits, as shown in the following screenshot. The attack does not depend on the key being weak or guessable: the only requirement is that a large enough number of data packets, encrypted with this key, are made available to aircrack-ng.

We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we first waited for a legitimate client of the network to connect to the access point. After this, we used the aireplay-ng tool to replay ARP packets into the network. This caused the network to send ARP reply packets, thus greatly increasing the number of data packets sent over the air. We then used the aircrack-ng tool to crack the WEP key by exploiting cryptographic weaknesses in how WEP applies RC4 to these data packets.
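The two mechanisms the walkthrough relies on, aireplay-ng picking ARP requests out of traffic it cannot decrypt and the #Data/IV count growing only once replies start flowing, are easy to see on constructed frames. The Python below is an added example written for this page; it is not code from the chapter or from the aircrack-ng project. It assumes non-QoS 802.11 data frames with a 24-byte header, uses the chapter's BSSID but a made-up client MAC, fills frame bodies with random bytes standing in for RC4 ciphertext, and models the lab access point as the host that answers the replayed ARP request.

```python
"""
Added example (not part of the chapter, not aircrack-ng code).

 1. Size-based ARP detection.  WEP encrypts only the frame body; the 802.11
    header, the 4-byte IV field and the frame length are visible.  An IPv4 ARP
    message is a fixed 28 bytes, so a WEP-encrypted ARP request is
    24 (header) + 4 (IV/key index) + 8 (LLC/SNAP) + 28 + 4 (ICV) = 68 bytes,
    or 86 if the sender padded the ARP to the 46-byte Ethernet minimum.  A
    request is also addressed to the broadcast MAC, visible in the header.
 2. Replaying a captured frame re-sends the same ciphertext with the same IV.
    The new IVs aircrack-ng needs come from the responses each replay
    provokes, which is why #Data climbs only once replies start flowing.

Assumptions: non-QoS frames only; client MAC is made up; bodies are random
bytes standing in for ciphertext; the AP answers the ARP request itself.
"""
import os

BROADCAST = b"\xff" * 6
AP_BSSID = bytes.fromhex("002191d28e25")    # BSSID used in the chapter
CLIENT_MAC = bytes.fromhex("001122334455")  # hypothetical associated client

HDR_LEN, IV_LEN, LLC_SNAP_LEN, ICV_LEN = 24, 4, 8, 4
ARP_LEN, ARP_PADDED_LEN = 28, 46
ARP_FRAME_LENS = {HDR_LEN + IV_LEN + LLC_SNAP_LEN + n + ICV_LEN
                  for n in (ARP_LEN, ARP_PADDED_LEN)}   # {68, 86}


def wep_frame(src, dst, iv, body_len, to_ds):
    """Build a WEP data frame.  to_ds=True is station->AP (what -3 replays),
    to_ds=False is AP->station.  Only the IV is meaningful; the body is dummy
    ciphertext of the right length."""
    fc = bytes([0x08, 0x40 | (0x01 if to_ds else 0x02)])  # data, Protected, ToDS/FromDS
    if to_ds:
        addr1, addr2, addr3 = AP_BSSID, src, dst   # RA=BSSID, SA, DA
    else:
        addr1, addr2, addr3 = dst, AP_BSSID, src   # DA, TA=BSSID, SA
    header = fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    iv_field = iv.to_bytes(3, "big") + b"\x00"       # 24-bit IV + key index, unencrypted
    body = os.urandom(LLC_SNAP_LEN + body_len + ICV_LEN)
    return header + iv_field + body


def is_wep_data(frame):
    return (len(frame) > HDR_LEN + IV_LEN + ICV_LEN
            and frame[0] & 0x0C == 0x08          # type = data
            and frame[0] & 0x80 == 0             # not QoS (header would be 26 bytes)
            and frame[1] & 0x40 != 0)            # Protected Frame bit set


def is_arp_request_candidate(frame):
    """The size-based test: station->AP, broadcast destination, ARP-sized."""
    if not is_wep_data(frame) or frame[1] & 0x03 != 0x01:
        return False
    return frame[16:22] == BROADCAST and len(frame) in ARP_FRAME_LENS


def iv_of(frame):
    return int.from_bytes(frame[HDR_LEN:HDR_LEN + 3], "big")


def unique_ivs(frames):
    """What aircrack-ng actually consumes (and what #Data shows for WEP)."""
    return len({iv_of(f) for f in frames if is_wep_data(f)})


def replay_rounds(arp_req, rounds, first_ap_iv):
    """Model one -3 replay loop.  Each round re-injects the captured request
    unchanged; the AP relays it to the air (FromDS, new IV) and, being the
    host the request asks about in this lab, answers it (FromDS, new IV)."""
    injected, responses = [], []
    iv = first_ap_iv
    for _ in range(rounds):
        injected.append(arp_req)                                               # same bytes, same IV
        responses.append(wep_frame(CLIENT_MAC, BROADCAST, iv, ARP_LEN, False))   # relayed request
        responses.append(wep_frame(AP_BSSID, CLIENT_MAC, iv + 1, ARP_LEN, False))  # ARP reply
        iv += 2
    return injected, responses


def demo():
    """Constructed idle-client capture: one ARP request plus decoys."""
    capture = [
        wep_frame(CLIENT_MAC, BROADCAST, 0x000001, ARP_LEN, True),   # the ARP request
        wep_frame(CLIENT_MAC, AP_BSSID, 0x000002, 300, True),        # some IP packet
        wep_frame(CLIENT_MAC, BROADCAST, 0x000003, ARP_LEN, False),  # AP relaying it: wrong direction
        wep_frame(CLIENT_MAC, BROADCAST, 0x000004, 64, True),        # broadcast but not ARP-sized
    ]
    candidates = [i for i, f in enumerate(capture) if is_arp_request_candidate(f)]
    injected, responses = replay_rounds(capture[candidates[0]], 1000, 0x100000)
    return {
        "candidates": candidates,
        "ivs_before": unique_ivs(capture),
        "ivs_from_injection": unique_ivs(capture + injected) - unique_ivs(capture),
        "ivs_after": unique_ivs(capture + injected + responses),
    }


if __name__ == "__main__":
    print(demo())
```

The result makes the point the text states in words: the thousand injected copies add no IVs at all, while the two thousand responses they trigger do. It also shows why -h must name an associated client: the frame that gets replayed is the station-to-AP request, and the access point only relays it when the source address is one it has associated.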
Note that we can also fake an authentication to the access point using the Shared Key Authentication bypass technique we learnt in the last chapter. This can come in handy if the legitimate client leaves the network. This will ensure that we can spoof an authentication and association and continue to send our replayed packets into the network.
In the previous exercise, if the legitimate client had suddenly logged off the network, we would not have been able to replay the packets, as the access point refuses to accept packets from un-associated clients.
Your challenge will be to fake an authentication and association using the Shared Key Authentication bypass we learnt in the last chapter, while WEP cracking is going on. Log off the legitimate client from the network and verify that you are still able to inject packets into the network and whether the access point accepts and responds to them.