5 Comments

WIFI WEP Cracking Tutorial Using Aircrack-ng

Adapted by:  • Edited by: Bill Bunter
Updated May 22, 2011 • Related Guides: Wireless Access Point | Linux

Forgotten your WEP key? Never wrote it down in the first place? With little help from Aircrack-ng, you can easily recover your lost WEP key. This tutorial is only meant to crack networks that you own & must not be used to hack other networks. Read more to find out, what Aircrack-ng has in for you.

Preparation

Slide 1 of 3

Forgotten your WEP key? Never wrote it down in the first place? Well it’s time to get it back. Disclaimer: Connecting to any network without the consent of its owner is illegal in many countries (including the US). This tutorial is only meant for use with networks you own. The writer of this post as well as its hoster do not condone or support the illegal use of this tutorial.

wepsuccess
click to enlarge
What You’ll Need

  • A BackTrack 2 disk (you could use the beta of 3, but we use BackTrack 2 stable)
  • A supported wireless card (you need a card that supports monitor mode amongst other things), if you don’t know if your card is compatible check the aircrack-ng team’s card compatibility page

Backtrack 2 is a penetration testing linux live-cd that contains all of the aircrack-ng tools we are going to use. Alternatively you could install these tools yourself (if you’re running linux).

As for hardware, I first tried to use my Macbook’s built in Airport Extreme card, but found that it was not compatible. Instead I went out and bought a WUSB54GC Linksys USB Wifi Adapter.

Configuring Aircrack

Slide 2 of 3

So you’ve got your compatible card and you’ve burned your BackTrack 2 ISO to disk. Now boot Backtrack 2 (alternatively you could install BackTrack 2 in VMWare fusion; use the VMWare image here). You should be prompted with ‘boot:’, hit enter. Once BackTrack has booted you should login with username: root and password: toor. Now enter ’startx’ and hit enter to start the KDE GUI.

The first thing we need to do is upgrade aircrack-ng to the latest version. This adds some new options to aircrack that will speed things up considerably later on. Open a konsole and run:

wget http://aircrack-ng.org/doku.php?id=install_aircrack

tar -zxvf aircrack-ng-0.9.tar.gz

cd aircrack-ng-0.9

make

make install

Now we need to check if our wireless card is working. Open a terminal and run ‘iwconfig‘. You should get something like this:

iwconfig
click to enlarge

In my case the feedback was for rausb0 as I was using my WUSB54GC adapter. Your output will likely be on eth0. Write down the name of your wireless device (the entry in the left column with the feedback beside it), you will be needing this later. Whenever I use ‘rausb0′ you should substitute in the name of your wireless device. If your output looks nothing like the above, try ‘ifconfig rausb0 up‘ (don’t forget to replace rausb0, with your own device name) and run ‘iwconfig‘ again to see if your card is working. The mode of your wireless card is now ‘managed’. We need to the mode to ‘monitor’. While in monitor mode, the card will passively monitor network traffic.

iwconfig rausb0 mode monitor

airmon-ng start rausb0

At first, I was unable to set my card into monitor mode. Instead of ‘monitor mode enabled’, airmon-ng returned ‘monitor mode disabled by driver’. If this is the case for you, you need to install a new driver for your card. In my case the rt73 driver. Your specific card might work best with a different driver. One word: Google.

Get Cracking

Slide 3 of 3

Next we need to scout out our target using ‘airodump-ng rausb0‘. After a few seconds airodump should display all of the wireless access points in range.

At the top, all of the access points are listed. Write down the bssid (MAC address) of the AP you want to attack and the channel (listed under CH) that the access point is broadcasting on. The access point I want to attack has the essid ‘g47m60′, the bssid 00:11:F5:0F:7B:43 and is broadcasting on channel 11. At the bottom, are all the ’stations’. Stations are clients connected to the access points. Listed under bssid is the bssid of the access point the client is connected to, and listed under station is the MAC address of the client. You can tell what access point the client is trying to connect to by correlating the bssids at the bottom with the bssids at the top. I see that one client is connecting to the access point I want to attack. Write down the MAC address of a client that is connected to your device (if none are connected, wait until one is). My client’s MAC address is 00:1C:B3:BC:E9:2B.

Next we want to make a more specific call of airodump-ng so that it monitors only traffic from and to our chosen access point. We want to capture this traffic in a file that aircrack-ng will later use to crack the WEP key.

airodump-ng --channel <channel> --bssid <bssid of accesspoint> -w dumpfile rausb0

Be sure to replace rausb0 with the name of your wireless device. You should notice that the #data column has started to increase. We need to get this number to about 20 000. To speed up this process we are going to stage an ARP replay attack. Open a new Konsole window and run

aireplay-ng --arpreplay -b <bssid of accesspoint> -h <MAC address of client> rausb0

In my case the command would be: 'aireplay-ng –arpreplay -b 00:11:F5:0F:7B:43 -h 00:1C:B3:BC:E9:2B rausb0'

First aireplay-ng will capture ARP requests.

Then, once it has captured some ARP requests it will start sending packets to generate traffic. Switch back to your konsole window running airodump-ng. You should see that the #Data column is raising more quickly now and that the #/s number has increased to about 200 or more. Now wait until the #Data column reaches 20 000.

Now open a new konsole, we will now use the captured data to find the key. It’s finally time to run aircrack-ng.

aircrack-ng -z -b <bssid of the accesspoint> dumpfile*.cap

wepsuccess
click to enlarge
We got it! For me it failed 5 times until I got 50 000 IVs, so if it fails the first time just wait a few minutes for more IVs.

This is only a very basic guide, and this was my first time using the program so my knowledge is somewhat limited. The aircrack-ng website has some great information if you want to know more. A page containing a basic description of how aircrack-ng works is of specific interest.

Happy Cracking! If you enjoyed this article, be sure to check out Bright Hub's Wireshark Sniffing, Ettercap DNS Redirection and Ettercap Wifi Sniffing tutorials!

  
Next Article »
We Also Recommend...

Comments

Showing all 5 comments
 
Yogesh Lohar Nov 16, 2011 12:32 PM
RE: WIFI WEP Cracking Tutorial Using Aircrack-ng
i used another wifi network....some circumtance i foret security key thenn now....how to crack security key....???
Devin-J Sep 15, 2011 7:02 AM
works BABY!
i could crack and evrything, but i am a programmer and used my own customized aircrack /ng. not the commercial one.
MaleXachi Jun 29, 2010 3:28 PM
WEP KEY 64 BIT
I have aircrack attackk successfully implemented, but only I do not know how I can get key, even though he found key. I read something into ASCI or whatever. How can I decrypt key?
Randy May 25, 2010 7:31 PM
RE: WIFI WEP Cracking Tutorial Using Aircrack-ng
Worked like a charm. Thank you.
Brandon Mar 22, 2010 10:49 AM
RE: WIFI WEP Cracking Tutorial Using Aircrack-ng
may i know you use windows or linux ?
 
blog comments powered by Disqus
Computer Security
FEATURED AUTHORS
Divya Mohan Amy Carson S. R. Obbayi Bill Fulks
Linda Richter Meryl K Evans kb3cpq Michael Guerrero
Most Popular Articles
Email to a friend