TheoryA little theory first. WEP is a really crappy and old encryption techinque to secure a wireless connection.
A 3-byte vector, called an Initalization Vector or IV, is prepended onto packets and its based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate.
Well if its on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition.
A couple of things will cause us some problems.
- If the key is not static, then you'll mix up all your IVs and it'll take forever to decrypt the key.
- Theres no traffic, therefore no packets - we can fix this.
- MAC Address Filtering - we can fix this too.
Setting up your toolsWe're gonna need 3 or 4 shells open, we have 5 tools:
- airodump - Grabbing IVs
- aircrack - Cracking the IVs
- airdecap - Decoding captured packets
- airreplay - (My Favourite) Packet injector to attack APs.
- kismet - Network Sniffer, can grab IVs as well.
I'll leave you to config all these tools up, for the most part they should just be defaults with the exception of kismet.
Finding the NetworkFirst step is we need to find a netork to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:
- Encryption type: Is it WEP 64-bit? 128-bit?
- What channel is it on? Can greatly speed up IV collection.
- AP's IP Address
Capturing IVsAlright, we know what we wanna crack, so lets start capturing packets. You can use kismet to capture files but I prefer airodump because it keeps a running count of all the IVs I've captured and I can crack and airodump will automatically update aircrack with new IVs as it finds them.
Note: kimset can interfere with airodump so make sure you close it down before starting airodump.
Airodump is pretty straight forward with its command line looking something like this:
- interface is your wireless interface to use - required.
- output prefix is just the filname it'll prepend, - required.
- channel is the specific channel we'll scan, leave blank or use 0 to channel hop.
- IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.
./airodump ath0 lucid 6 1Airodump will come up with a graph showing us all the APs and their relevant info, as well as client stations connected to any of the APs.
BSSID PWR Beacons # Data CH MB ENC ESSID 00:23:1F:55:04:BC 76 21995 213416 6 54. WEP hackme BSSID STATION PWR Packets Probes 00:23:1F:55:04:BC 00:12:5B:4C:23:27 112 8202 hackme 00:23:1F:55:04:BC 00:12:5B:DA:2F:6A 21 1721 hackmeThe second line shows us some info about the AP as well as the number of beacons and data packets we've collected from the AP. The two last lines show us two authenticated clients. Where they are connected to and the packets they are sending. We won't use this client info in a straight theory hack but in practice we'll need this info to actively attack the AP.
This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file "lucid.ivs" with all the IV important packet info. Next, we'll feed this to aircrack. To move onto the next step, we'll want at least 100,000 packets (under # Data in airodump) but probably more.
Using IVs to Decrypt the KeyOk, pretend you have enough IVs now to attempt a crack. Goto a new terminal (without stopping airodump - remember it'll autoupdate as new IVs are found) and we'll start aircrack. It looks something like this:
./aircrack [options]There are a lot of options so you can look them up yourself, i'll be using common ones here that should get you a crack. Our input file is "lucid.ivs", the options we will use are:
- -a 1 : forces a WEP attack mode (2 forces WPA)
- either -b for the bssid or -e for the essid : whichever is easier to type but I like using a BSSID because its more unique.
- -n 64 or -n 128 : WEP key length, omit if not known by now.
./aircrack -a 1 -b 00:23:1F:55:04:BC -n 128 lucid.ivsand off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That'll pop open most old wireless routers with some traffic on them.
Anticipated ProblemsThere are lots of problems that can come up that will make the above fail, or work very slowly.
- No traffic
- No traffic is being passed, therefore you can't capture any IVs.
- What we need to do is inject some special packets to trick the AP into broadcasting.
- Covered below in WEP Attacks
- MAC Address filtering
- AP is only responding to connected clients. Probably because MAC address filtering is on.
- Using airodumps screen you can find the MAC address of authenticated users so just change your MAC to theirs and continue on.
- Using the -m option you can specify aircrack to filter packets by MAC Address, ex. -m 00:12:5B:4C:23:27
- Can't Crack even with tons of IVs
- Some of the statistical attacks can create false positives and lead you in the wrong direction.
- Try using -k N (where N=1..17) or -y to vary your attack method.
- Increase the fudge factor. By default it is at 2, by specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.
- Still Nothing
- Find the AP by following the signal strength and ask the admin what the WEP key is.