IT and hardware hacking
Guillaume's blog

Find the key to a WEP-secured WiFi hotspot

This is a pretty old technique, often cited to demonstrate flaws in once-commonly-used security schemes.

In this article you will learn how to attack a WEP access point (AP).

You will need:

  • Any recent version of BackTrack
  • An in-range WEP-secured access point that you own or have permission to attack
  • The attack will be much easier if a legitimate client is connected to the AP

I assume you are already familiar with Linux and the general operation of wireless networks.


Step 1

Start your wireless card in monitor mode and change your MAC address to protect yourself:

airmon-ng start wlan0
macchanger -A mon0

Look for WEP networks:

airodump-ng -t "WEP" mon0

Write down the BSSID of your target AP (the physical address of the AP's wireless card, such as AA:BB:CC:DD:EE) and the channel it is using (1 to 13).

The second list in the output of airodump is the list of clients. You can see the clients' MAC addresses and the BSSID of the AP they are connected to.
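As an added example (not part of the original post), here is a small Python audit script that reads the two tables airodump-ng writes to its `-w` CSV file and lists every WEP access point together with the stations still joined to it, so a network owner can see which legacy networks, and which devices depending on them, need to be moved to WPA2/WPA3. The column layout is assumed from airodump-ng's CSV output and the sample capture is constructed, not taken from a real scan.

```python
"""Audit an airodump-ng style CSV (the <prefix>-01.csv that -w writes) for WEP APs.

Assumed layout: an AP table, a blank line, then a station table. Sample is constructed.
"""
import csv
import io

# Constructed sample capture; MAC addresses and network names are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  3500,   0.  0.  0.  0,   9, LegacyNet,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   98,     0,   0.  0.  0.  0,   7, HomeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50,  200, AA:BB:CC:DD:EE:01, LegacyNet
77:88:99:AA:BB:CC, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -60,   20, (not associated), HomeNet
"""


def parse_airodump_csv(text):
    """Split the file into (aps, stations); each row becomes a dict keyed by header name."""
    aps, stations, headers, rows = [], [], None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not any(row):           # a blank line ends the current table
            headers = None
            continue
        if headers is None:        # the first line of a table is its header
            headers = row
            rows = aps if headers[0] == "BSSID" else stations
            continue
        rows.append(dict(zip(headers, row)))
    return aps, stations


def wep_audit(text):
    """List every WEP AP with its channel, IV count and the stations still joined to it."""
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        if not ap["Privacy"].startswith("WEP"):
            continue
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "ivs": int(ap["# IV"]),
                         "clients": clients})
    return findings
```

Point `wep_audit` at the contents of your own dump-01.csv to get the same report for a real scan of networks you own.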


Start by collecting the IV packets that will allow us to crack the key, using airodump-ng:

airodump-ng -t WEP -c [channel] -w dump -d [BSSID] mon0

I chose to write the data to a file named "dump", but you can use any name.

Airodump will start collecting IV packets (you can see the number of IVs in the "#Data" column). We can get the key when this number reaches 10000-40000. Up to this point we are totally undetectable, since our wireless card is only collecting information passively. To speed up the packet collection (which could otherwise take years), we will become active and emit forged packets to stimulate the network. Open up a new terminal tab and follow these instructions:

Let's first use aireplay-ng to gain fake, limited access to the access point (a fake association), which will then allow us to inject packets.

aireplay-ng -1 0 -a [BSSID] mon0

If this step does not work, do not hesitate to fiddle with the parameters. I sometimes use the following options when my attacks fail:

aireplay-ng -1 6000 -o 1 -q 10 -a [BSSID] -h [My faked MAC] mon0

If this doesn't work, these are potential problems:

  • MAC filtering is enabled: wait for the client to disconnect, take over its MAC address by changing the options of macchanger in step 1, and try again
  • The access point is too far away

Aireplay-ng should output "Association successful :)".


Step 2

If a client is connected to the AP

We will use the packet replay method.

We are now ready to start injecting:

aireplay-ng -3 -b [BSSID] mon0

After a few minutes, the "injected" count should start increasing, and if you switch back to airodump, the "#Data" count should be increasing as well.

If this doesn't work, these are potential problems:

  • MAC filtering is enabled: wait for the client to disconnect, take over its MAC address by changing the options of macchanger in step 1, and try again
  • The access point is too far away

If no clients are present

The attack will be a bit trickier, and might not always work. We will use the packet fragmentation method: we collect a packet fragment, turn it into a broadcast packet, and then inject it.

aireplay-ng -5 -b [BSSID] mon0
packetforge-ng -0 -a [BSSID] -k 255.255.255.255 -l 255.255.255.255 -y fragment*.xor -w f.arp
aireplay-ng -2 -r f.arp mon0

Alternate method

When all else fails, you can still try the rebroadcast method:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [BSSID] mon0


Step 3

When you have enough IVs (you can make a first try at 10000, and then try again every 5000, for instance), open up a third tab and use aircrack-ng to crack the WEP key:

aircrack-ng -x -0 *.cap


The key should appear in plaintext if you have enough IVs.