How to Crack a WEP Encrypted Wireless Network

My wireless LAN has been encrypted using WEP for a few years. After hearing that WEP was insecure I decided to try and crack it. It was surprisingly easy and this is how I did it.

  1. Install Kismet and Aircrack
  2. Use Kismet to find available wireless networks
  3. Use airodump to collect initialization vectors
  4. Use aircrack to find the WEP key

1. Install Kismet and Aircrack

This will depend on your particular distribution. I am using Gentoo and therefore this is as easy as

emerge kismet aircrack

Note: Getting your wireless card and drivers to work with Kismet can be tricky. It works fine on my desktop with a wg311v2 card from netgear and using the acx111 drivers. It doesn’t work on my older laptop since my card does not support raw monitoring.

2. Use Kismet to find available wireless networks

Launch Kismet

kismet

Kismet will now start sniffing for wireless packets. A couple of wireless networks will probably show up. I like to order them by signal strength: type “s” followed by “Q”. Kismet will show lots of useful information about each network such as SSID, MAC address and type of encryption. To get more detailed information on a network, scroll down to it and press “i”. At this stage you need to note down the SSID, channel and MAC address of the network you are interested in.

Note: Kismet would not work unless I was already connected to another wireless access point.

3. Use airodump to collect initialization vectors

It’s time to use airodump. Airodump will monitor a network and collect specific encrypted packets. These packets carry initialization vectors (IVs), which are the Achilles heel of WEP encryption. Once you have collected enough IVs you can get the key. How many is enough? Well, it depends on a number of factors such as key size (64 or 128 bit) and luck as well. You are generally looking at collecting between 200,000 and 2,000,000 IVs. Depending on the traffic on this network it may take some time, days or even weeks. There are tools which can speed up this process such as void11 and aireplay; these are not covered here.
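Why the IV pool is the weak point, as an added example that is not part of this post: the birthday bound on WEP's 24-bit IV space, the time until a sequential IV counter wraps, and a small checker that flags IVs reused by one access point (the capture records and the 500 packets/s rate are constructed for illustration; the BSSID is the placeholder address used in the post).

```python
import math
from collections import Counter

IV_BITS = 24  # WEP prepends a 24-bit IV to the RC4 key: only 2**24 distinct IVs exist

def packets_for_collision_probability(p, iv_bits=IV_BITS):
    """Birthday-bound estimate of how many packets are sent before some IV repeats
    with probability p (assumes uniformly random IVs, the best case for WEP)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))

def seconds_to_exhaust_ivs(packets_per_second, iv_bits=IV_BITS):
    """Seconds until a sequential IV counter wraps and must reuse values."""
    return (2 ** iv_bits) / packets_per_second

def find_reused_ivs(records, bssid):
    """Return {iv: count} for IVs seen more than once from one access point.
    records: iterable of (bssid, iv) pairs, as a wireless IDS might parse from a capture.
    A repeated IV under the same key means the same RC4 keystream was used twice."""
    counts = Counter(iv for b, iv in records if b == bssid)
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed sample "capture": (BSSID, IV) pairs, not real traffic.
SAMPLE_RECORDS = [
    ("00:11:22:33:44:55", 0x0A1B2C),
    ("00:11:22:33:44:55", 0x0A1B2D),
    ("00:11:22:33:44:55", 0x0A1B2C),  # repeat: keystream reuse on this network
    ("66:77:88:99:AA:BB", 0x0A1B2C),  # same IV, different network: not counted
    ("00:11:22:33:44:55", 0x0A1B2E),
]

if __name__ == "__main__":
    print("packets until an IV repeats with 50% probability:",
          packets_for_collision_probability(0.5))
    print("hours until a sequential counter wraps at 500 pkt/s:",
          seconds_to_exhaust_ivs(500) / 3600)
    print("reused IVs for 00:11:22:33:44:55:",
          find_reused_ivs(SAMPLE_RECORDS, "00:11:22:33:44:55"))
```

Roughly 4,800 packets are enough for a 50% chance of a repeated IV, which is why a busy WEP network hands out duplicate keystreams within minutes regardless of key size.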

Using the information we collected in part 2, we can start to collect IVs using airodump.

airodump wlan0 cap 6 00:11:22:33:44:55

This will monitor on the wlan0 network interface, on channel 6, for packets transmitted from the access point with the MAC address 00:11:22:33:44:55. It will output files with the suffix “.cap”. Insert the information you collected from Kismet into this command and watch airodump collect IVs. You can leave this running while starting up aircrack.

Note: For some reason airodump did not work for me until I had first used kismet.

4. Use aircrack to find the WEP key

Aircrack uses the IVs collected previously to find the key. We can start aircrack and it will automatically take in new IVs as airodump collects them.

aircrack -f 2 -m 00:11:22:33:44:55 /tmp/cap*.cap

The -f stands for fudge factor. Increasing this value will make the search slower but will increase your chances of getting the key. Start off with a factor of 2 and then try doubling the value. I tend to find that values above 16 are simply a waste of time; you probably just need to collect more packets. Eventually, aircrack will probably find the key. I say probably because there is no guarantee that you will find the key, although in my experience it is very likely.
