Follow the given instructions to get started:

1. Configure the access point to use WEP with abcdefabcdefabcdefabcdef12 as the 128-bit WEP key. You can set this to whatever you choose.

2. Bring up the wlan0 interface by issuing the following command:

   ifconfig wlan0 up

3. Run airmon-ng start wlan0 to create wlan0mon, a monitor mode interface, as shown in the following screenshot. Verify that the wlan0mon interface has been created using the ifconfig command.

4. Run airodump-ng to locate our lab access point using the following command:

   airodump-ng wlan0mon

5. The Wireless Lab access point should appear in the output, running WEP.

6. We are only interested in the Wireless Lab network, so we can fine-tune our command to only see packets for this network:

   airodump-ng --bssid <Your AP MAC> --channel <whatever channel it's on> --write WEPCrackingDemo wlan0mon

   An example command line is shown in the following screenshot. The --write flag tells airodump-ng to save the packets into a pcap file.

7. Connect a wireless client to the access point using the WEP key abcdefabcdefabcdefabcdef12. Once the client has successfully connected, airodump-ng should report it on the screen.

8. If you run ls in the same directory, you will see files prefixed with WEPCrackingDemo-*, as shown in the following screenshot. These are the traffic dump files created by airodump-ng.

9. On the airodump-ng screen, there are very few data packets listed under #Data (only 35). WEP cracking needs a large number of data packets, so we will use the aireplay-ng tool to generate them.

10. We will capture ARP packets with aireplay-ng and inject them back into the network to simulate ARP responses. We will be starting aireplay-ng in a separate window, as shown in the next screenshot. Replaying these packets a few thousand times, we will generate a lot of data traffic on the network. Even though aireplay-ng does not know the WEP key, it is able to identify the ARP packets by looking at the size of the packets. ARP is a fixed header protocol; thus, the size of the ARP packets can be easily determined and can be used to identify them even within encrypted traffic.

11. We will run aireplay-ng with the options that are discussed next. The -3 option is for ARP replay, -b specifies the BSSID of our network, and -h specifies the client MAC address that we are spoofing. Don't forget to add the adapter to use. We need to do this, as replay attacks will only work for authenticated and associated client MAC addresses.

12. You should see that aireplay-ng was able to sniff ARP packets and started replaying them into the network. If you encounter channel-related errors as I did, append --ignore-negative-one to your command, as shown in the following screenshot.

13. At this point, airodump-ng will also start registering a lot of data packets. All these sniffed packets are being stored in the WEPCrackingDemo-* files that we saw previously.

14. Now start aircrack-ng with the option WEPCrackingDemo-0*.cap in a new window. This will start the aircrack-ng software and it will begin working on cracking the WEP key using the data packets in the file. Note that it is a good idea to have airodump-ng collect the WEP packets, aireplay-ng do the replay attack, and aircrack-ng attempt to crack the WEP key based on the captured packets, all at the same time. In this experiment, all of them are open in separate windows.

15. With aireplay-ng generating traffic, this should take 5-10 minutes at most. You may need to restart this process several times.

16. Once enough data packets have been captured, aircrack-ng should be able to break the key. Once it does, it proudly displays it in the terminal and exits, as shown in the following screenshot.

17. Note that the complexity of the key does not matter here. The only requirement is that a large enough number of data packets, encrypted with this key, are made available to aircrack-ng.

We set up WEP in our lab and successfully cracked the WEP key. In order to do this, we first waited for a legitimate client of the network to connect to the access point. After this, we used the aireplay-ng tool to replay ARP packets into the network. This caused the network to send ARP reply packets, thus greatly increasing the number of data packets sent over the air. We then used the aircrack-ng tool to crack the WEP key by analyzing cryptographic weaknesses in these data packets.
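The same two properties the text relies on for the attack, that ARP frames have a fixed size and that the injector re-sends captured frames verbatim, are what a wireless IDS can use to spot this replay from the defender's side. The following is an added example, not code from the book or from the aircrack-ng project: it takes 802.11 data-frame metadata (timestamp, transmitter address, length, WEP IV) such as a monitor-mode sensor or a parsed airodump-ng capture would yield, and flags senders that transmit bursts of ARP-sized frames and, more tellingly, keep reusing the same IV. The record format, the MAC addresses, the traffic in build_sample() and the thresholds are all constructed assumptions.

```python
"""Detect WEP ARP-replay injection from 802.11 data-frame metadata.

Two indicators, neither of which needs the WEP key:
  1. IV reuse: a replayed frame is a byte-for-byte copy of the captured one,
     so the same 24-bit IV is transmitted over and over from one sender,
     whereas a sender that genuinely encrypts picks a fresh IV per frame.
  2. ARP-sized bursts: thousands of frames of the fixed ARP size per window.
"""
from collections import defaultdict
from dataclasses import dataclass

# Air-side size of a WEP-encrypted ARP request or reply (the size heuristic
# the text describes): 24 B 802.11 header + 4 B IV/key-id + 8 B LLC/SNAP
# + 28 B ARP + 4 B ICV, FCS not counted.
WEP_ARP_FRAME_LEN = 24 + 4 + 8 + 28 + 4  # 68

# Constructed sample addresses (assumptions, not from the original text).
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:00:00:01"   # associated client whose MAC the injector spoofs
QUIET = "aa:bb:cc:00:00:02"    # a second, idle client


@dataclass(frozen=True)
class Frame:
    ts_ms: int    # capture time in milliseconds
    src: str      # transmitter address
    length: int   # frame length in bytes, FCS excluded
    iv: int       # 24-bit WEP initialisation vector


@dataclass(frozen=True)
class Alert:
    src: str
    window_start: int
    frames: int
    distinct_ivs: int
    arp_sized: int
    reason: str


def detect_replay(frames, window_ms=10_000, min_frames=100,
                  max_iv_ratio=0.1, arp_ratio=0.9):
    """Bucket frames per (sender, tumbling window) and flag replay symptoms.

    A bucket holding at least `min_frames` frames is flagged when its count of
    distinct IVs is at most `max_iv_ratio` of the frame count (IV reuse) and/or
    when at least `arp_ratio` of its frames are ARP-sized. Returns Alerts
    sorted by window start, then sender.
    """
    buckets = defaultdict(list)
    for f in frames:
        buckets[(f.src, f.ts_ms // window_ms)].append(f)
    alerts = []
    for (src, idx), fl in buckets.items():
        n = len(fl)
        if n < min_frames:
            continue
        ivs = len({f.iv for f in fl})
        arp = sum(f.length == WEP_ARP_FRAME_LEN for f in fl)
        reasons = []
        if ivs <= max_iv_ratio * n:
            reasons.append(f"IV reuse: {ivs} distinct IVs in {n} frames")
        if arp >= arp_ratio * n:
            reasons.append(f"{arp}/{n} frames are ARP-sized ({WEP_ARP_FRAME_LEN} B)")
        if reasons:
            alerts.append(Alert(src, idx * window_ms, n, ivs, arp, "; ".join(reasons)))
    alerts.sort(key=lambda a: (a.window_start, a.src))
    return alerts


def build_sample():
    """Constructed 20 s of traffic: normal use, then an ARP replay flood."""
    frames = []
    sizes = [WEP_ARP_FRAME_LEN, 126, 1500, 300]
    # Legitimate client: 2 frames/s, mixed sizes, fresh IV every frame.
    for i in range(40):
        frames.append(Frame(i * 500, CLIENT, sizes[i % 4], 0x100000 + i))
    # Idle second client: 1 frame/s, never reaches min_frames.
    for i in range(20):
        frames.append(Frame(i * 1000 + 250, QUIET, 126, 0x300000 + i))
    # Injector: from t=5 s it re-sends the client's ARP request (frame i=4,
    # IV 0x100004) verbatim, spoofing CLIENT, at 50 frames/s for 10 s.
    for i in range(500):
        frames.append(Frame(5000 + i * 20, CLIENT, WEP_ARP_FRAME_LEN, 0x100004))
    # The access point answers every replay with a real ARP reply: same size,
    # but a fresh IV each time because it genuinely re-encrypts.
    for i in range(500):
        frames.append(Frame(5005 + i * 20, AP, WEP_ARP_FRAME_LEN, 0x200000 + i))
    return frames


if __name__ == "__main__":
    for a in detect_replay(build_sample()):
        print(f"t={a.window_start / 1000:>5.1f}s  {a.src}  {a.reason}")
```

Because the injector spoofs an associated client's address (the -h option above), the alert lands on the legitimate client's MAC, and a rate threshold alone could not separate it from a merely busy station; the IV-reuse indicator makes that separation, and it also distinguishes the injecting station from the access point, whose ARP replies are just as numerous and just as large but carry fresh IVs. Detection of this kind only shortens the time an injector can run unnoticed; the durable mitigation is to retire WEP in favour of WPA2 or WPA3.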
Note that we can also fake an authentication to the access point using the Shared Key Authentication (SKA) bypass technique we learned in the last chapter. This can come in handy if the legitimate client leaves the network. This will ensure that we can spoof an authentication and association and continue to send our replayed packets into the network.
In the previous exercise, if the legitimate client had suddenly logged off the network, we would not have been able to replay the packets as the access point will refuse to accept packets from unassociated clients.
Your challenge will be to fake an authentication and association using the SKA bypass we learned in the last chapter, while WEP cracking is going on. Log off the legitimate client from the network and verify that you are still able to inject packets into the network and whether the access point accepts and responds to them.