Skip to content

Cracking WEP

These are my experiences in attempting to crack WEP over 802.11b. Keep in mind it is unethical and most likely illegal to do this to any network that you do not own or have express written permission to attack.

I started out using ubuntu and installing some security tools from the repositories. I imediately learned that I needed to patch the orinoco drivers to enable the monitoring mode for my wireless card. You can find instructions on how to do that at the kismet website: http://www.kismetwireless.net/HOWTO-orinoco-drivers.txt.

After doing that I was able to capture capture packets using kimet and airodump. However, I was not able to inject packets using aireplay. So, since I owned the network I was attempting to crack, I generated a bunch of traffic so that I could capture enough IVs to crack the key. I set this up and let it run over a couple of days by downloading iso images and playing online games.

I ended up with 3.9 million IVs. While this was running I attempted to to crack it in real time. I never got it. It was pretty frustrating since I had so much traffic. I decided that I really needed to get packet injecting working. Fortuantely, I had a couple of DLink DWL-650 r1 cards laying around. These are Prism 2.5 based cards which are suppossed to be perfect for packet injection.

So, I banged away at my ubuntu install by installing from source the hostap drivers and the wlan-ng drivers. I still could not get the card to inject packets. I even attempted to upgrade the firmware. No go.

So, I finally decided to use a distribution that was built for this type of activity, back|track. With this, I finally had some success. I used back|track version beta-05022006.

Unfortunately, I have an old junky PII notebook with very little ram. So, even though back|track is designed to run as a live distribution, I really needed it installed to the hard drive. Unfortunately, X does not run well on this box so I followed the instructions to to manually install to the hard drive, located here.

The only problem I found is that loaded up my root partition as a tmpfs filesystem. I tried editing the /etc/fstab to correct the problem, but it did not make any difference. The first time I built the system, I was having problems with aircrack. I thought that this was the problem. So, I rebuilt the system. There was no difference, except aircrack worked.

So here is what I did to crack my WAP:
The wlan-ng drivers did not seem to work too well, so I switched over to the hostap drivers. Back|track has kindly provided a script to easily switch between the two drivers. So, I ran the switch-to-hostap script to switch to hostap (switch-to-wlan will switch back).

Then I put the card into monitor mode using the airmon.sh script. This is airmon.sh wlan0 on. airmon.sh takes two arguments, the first is your interface name, the second is on|off. On puts the interface into monitor mode, off takes it out.

Now that that is done, we can monitor traffic. For doing this you can either use kismet or use airodump. For simplicity sake we are just going to use airodump.

airodump takes several options. The first is the interface name. The second is the prefix of the dump file. The third is what channel to monitor. The fourth tells airodump to save the entire packet or just the initialization vector.

So, to get started we are going to type airodump wlan0 dump 0. 0 tells airodump to hop between the channels to montior everything. Once you do this airodump will begin saving packets to the out.cap file. It will also display any waps, their ssids, their channels, packets captured, and any clients connected to those waps.

Once you find which wap you want to attack, make a note of its channel and hit cntl-c to cancel out. Now we are going to tell airodump to dump just the packets for the wap that we want to attack. Also, because we are not really interested in the traffic, we are going to tell it just to capture the IVs. The command for this is airodump wlan0 crackme 10 1. This assumes that the wap we are attacking is on channel 10.

Now we are saving all IVs for any waps on channel 10. Exciting huh? The problem is that there is probably very little traffic and we need quite a bit to crack the key. So now we must generate some traffic. We can do this by doing an active attack against the wap. That will be in the second part of this tutorial.

Post a Comment

You must be logged in to post a comment.