WEP cracking 101

8 03 2008

Hi everyone. Yet another post today. Being a sys0p for an internet-related company, it is important to understand the various weaknesses which are inherent in the systems we use. One of these systems is Wi-Fi connectivity. This all being the case, I thought I’d look into Wi-Fi vulnerabilities. This is what I found:


It really is no feat of genius cracking WEP. It took me, having never used the programs involved and understanding very little about what I was doing, about ten minutes. No more. Over this post I’ll write a transcript of the video which I’m going to make and embed tomorrow.

The program I am going to use is the SVN release of the Aircrack-ng suite on Back|Track 2 on a laptop with an Atheros internal wireless NIC and the SVN release of the Madwifi-ng drivers to allow packet injection.


Next I switch off my Managed mode interface ath0 by using the following command:

wlanconfig ath0 destroy

Now I bring up the Monitor mode interface (replaces ath0) with airmon-ng. You will need to know the channel which the AP runs on to allow this to work.

airmon-ng start wifi0 6

Replace the ‘6’ with the channel of your AP. It locks the channel of the interface to that and stops you ‘channel hopping’, which can screw things right up.

The next step is to start airodump-ng to find any clients which are connected:

airodump-ng -c 6 --bssid 00:11:22:33:44:55 ath0

This will start up the airodump-ng console app which will show the BSSID, ESSID, channel, any associated clients and all sorts of other info which we’ll get into later.

RIght. Now you can ^ C out of that window and start it again with a couple more options.

airodump-ng -w outputfile --ivs --bssid 00:11:22:33:44:55 ath0

This will start airodump capturing all Initialisation Vectors transmitted by the AP or the

I left that running and opened a new terminal. There, I ran a deuthentication attack on the wireless client with this command:

aireplay-ng -0 10 -a 00:11:22:33:44:55 -c 55:44:33:22:11 ath0

You should see the repercussions of this on the airodump terminal. Now you need to get aireplay to find an ARP packet which has caused the sending of lots of IVs. This is done in a few different ways. The method I used was just the ARP packet replay mode. It’s slower than some of the others, but almost always works.

aireplay-ng -3 -a 00:11:22:33:44:55 ath0

When it finds a packet which can be used it will come up and ask you if you want to use it.Say yes. It will then replay this packet to generate loads of IVs. You will see this in the airmon window. The data packets will go through the roof.

Now you need to start aircrack-ng working on the captured IVs.

aircrack-ng -z -b 00:11:22:33:44:55 outputfile*.ivs

Done. If aircrack acts up then just try again when you have more IVs.

If this ain’t enough to switch you over to WPA, then you’re a lost cause.