
Cracking WEP Part II

So, by now we are hopefully capturing traffic and saving IVs to crackme.ivs for channel 10. Next we must generate traffic ourselves with an active attack (otherwise we could be sniffing a low-use WAP for weeks before collecting enough IVs). To do this we are going to use aireplay.

So, the first thing we need to do is open another terminal (keep airodump running). You can try associating with a made-up MAC address by using:

aireplay -1 0 -e <essid> -a <AP MAC> -h <your MAC> wlan0

so for example:

aireplay -1 0 -e attackme -a 00:12:34:56:78:90 -h 0:1:2:3:4:5 wlan0

However, that did not work for me. I had to use the MAC address of a client that was already authenticated to the WAP. You can find this by watching the console of airodump.

aireplay -1 0 -e attackme -a 00:12:34:56:78:90 -h 00:45:93:84:85:93 wlan0

Either way, you know that the attack worked if you get an “Association Successful ;)” message at the end of the output. We may have to run this command a couple of times, so we are going to leave this terminal open to keep the command easily accessible. Now we are going to use aireplay to “replay” captured ARP packets at the WAP, so that it answers each one with a freshly encrypted frame and therefore a new IV.

aireplay -3 -b 00:12:34:56:78:90 -h 00:45:93:84:85:93 -x 600 wlan0

You will now see a line that says it is reading packets and sending packets. I had to wait quite a while to see any results from sending packets. So after 5–10 minutes you should start to see your ARP packet and sent packet counts going up. You may have to reassociate with the WAP, so feel free to go back to the previous terminal and rerun the previous command a couple of times.

After this we need to open another terminal. Now we are going to run aircrack on the captured IVs and hopefully get the key. Aircrack has quite a few options as well: -a 1 tells it the key is WEP instead of WPA; -n 64 tells it to look for a 64-bit key and -n 128 for a 128-bit key; -x tells it to brute-force the last two key bytes. Then you also supply the dump file from the airodump program. So, to crack a 128-bit key we will type:

aircrack -x -a 1 -n 128 crackme.ivs

Now, depending on how many packets you have captured, this can take a varying amount of time. For cracking 128 bits, I ran airodump overnight. Doing an active attack, I probably did not have to wait that long. However, I started it at night and didn’t feel like watching it. I did not run aircrack until the morning. When I started aircrack, it found the key in about 10 seconds. When I cracked 64-bit, the whole process took about 5 minutes! Scary stuff!!

While aircrack is running, it will be constantly updating the screen. Once it finds the key, it will stop and display the key. And we are done!!
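The flip side of the procedure above is how it looks on the air to whoever runs the WAP: the replay step re-injects one captured ARP frame hundreds of times per second, and since the injected frame is sent unchanged, every copy carries the same IV, while a real client sends a few frames per second with fresh IVs. The following detector is an added example written for this page, not part of the original post or of the aircrack tools; it works on a constructed list of (timestamp, source MAC, BSSID, IV) records standing in for decoded WEP data frames, reusing the MAC addresses from the commands above purely as sample values. The thresholds (100 frames per second, 50 repeats of one IV) are assumptions to tune for a real network.

```python
from collections import Counter, defaultdict

# Constructed sample values (taken from the example commands on this page, not a real capture).
BSSID = "00:12:34:56:78:90"       # the access point
LEGIT = "00:45:93:84:85:93"       # a normally behaving client
INJECTOR = "00:01:02:03:04:05"    # a station replaying one captured ARP frame


def build_sample():
    """Build a constructed list of WEP data-frame records: (time_s, src_mac, bssid, iv_hex).

    The legitimate client sends two frames per second, each with a fresh IV.
    The injector sends 600 copies of the same frame (same IV) inside one second,
    which is what an ARP replay at -x 600 looks like to a passive monitor.
    """
    frames = []
    for i in range(20):
        frames.append((100.0 + i * 0.5, LEGIT, BSSID, f"{0x1000 + i:06x}"))
    for i in range(600):
        frames.append((105.0 + i / 600.0, INJECTOR, BSSID, "3f9a2c"))
    return frames


def per_second_counts(frames):
    """Count data frames per (source MAC, whole-second bucket)."""
    counts = Counter()
    for t, src, _bssid, _iv in frames:
        counts[(src, int(t))] += 1
    return counts


def rate_alerts(frames, threshold=100):
    """Return sources that transmit more than `threshold` frames in any single second.

    A client bursting hundreds of frames per second at a WAP is the
    signature of packet injection rather than ordinary traffic.
    """
    hot = {src for (src, _sec), n in per_second_counts(frames).items() if n > threshold}
    return sorted(hot)


def iv_reuse_alerts(frames, min_repeats=50):
    """Return sources that reuse one IV at least `min_repeats` times.

    Replayed frames are byte-for-byte copies of the captured one, so the
    IV never changes; a real WEP client picks a new IV for every frame.
    """
    ivs_by_src = defaultdict(Counter)
    for _t, src, _bssid, iv in frames:
        ivs_by_src[src][iv] += 1
    return sorted(src for src, ivs in ivs_by_src.items() if max(ivs.values()) >= min_repeats)


if __name__ == "__main__":
    sample = build_sample()
    print("high-rate sources:", rate_alerts(sample))
    print("IV-reusing sources:", iv_reuse_alerts(sample))
```

Either detector alone flags the injecting station in the sample and leaves the normal client alone; in practice the IV-reuse check is the more robust of the two, because an injector can slow down to evade a rate threshold but cannot vary the IV without re-encrypting the frame, which it cannot do without the key.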

Some other helpful websites:

http://www.wirelessdefence.org/Contents/AircrackORIGINAL.html

http://www.grape-info.com/doc/linux/config/aircrack-2.3.html

http://www.netstumbler.org/showthread.php?t=15497
