Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks in 1999. Recognizable by the key of 10 or 26 hexadecimal digits (or what is thesame 5 or 13 characters, 2 hex -> 1 byte each).
Two important elements to know are: IVs (initialization vectors), and Data packets.
Obtaining the password is relatively easy (if it is short enough) because the more data packets we have the easier is for algorithms using some heuristics to guess he password
and finally find it.
Normally having 120,000 data packets is enough to crack the password of WEP protected wifi networks. To accelerate the hacking process it is useful to join the network,
capture some packets and generate traffic artificially.
First check if the MAC filtering is enabled (authenticate and associate to the network):
sudo aireplay-ng -1 0 -e target_essid -a target_bssid -h my_MAC the_interface
You can also do that with “keep-alive”: -1 6000 -o 1 -q 10 (re-authenticate every 6000 secs, and send keep-alive every 10s)
If you obtain “authentication and association successful” then there is no MAC filtering.
If there is MAC filering you have to deauthenticate a client to inject packets with the client MAC:
deauthentication of a client (00…)
sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>
packet injection with (00…)
sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>
If there is no MAC filtering you can directly inject packets with your MAC
sudo aireplay-ng -3 -b bssid -h my_MAC <interface>
This attack is ARP capture and re-inject responses to generate and capture faked traffic (ARP replays). It can take a bit (5 min) to generate ARP replays since you start
capturing them.
If there are no clients… you cannot get ARPs by deauthenticating a client from the network. But you can use the chop-chop attack (short packet spoofing). To generate and
capture faked traffic. This consists of creating a faked ARP from a beacon packet (packets that contain information about the network, Beacon frames are transmitted
periodically to announce the presence of a Wireless LAN network) (not ARP but small enough to be guessed knowing IPs and CRC, also known as CRC based attack). First
you capture a packet in the keystream (.xor) packet using aireplay -4. Then you generate the ARP using packetforge-ng. And finally you send it using aireplay-ng -2 …
- Wait until you have at least 20,000 data packets to try to decode he WEP password. The more packets you have the easier is to find the password.
To get the password using the statistical methods you use:
aircrack-ng captured_packets_filename (there is an improved version, theoretically faster: aircrack-ptw)
NOTE: You can keep capturing packets since this method is statistical and the more packets you have the better.
If you don’t have Linux or you prefer to have a all-built in distro with a fancy all-in-one script I recommend the following. A software that I found specially useful for this kind of
auction is WifiWay in its version 0.8. The only problem with that version is that if you don’t have a wifi chipset that permits monitoring and injection you can not use it. This has
been corrected in later versions.
