WEP cracking

By using wireless networking, users with an IEEE 802.11-compatible device such as a laptop are able to connect to a wireless access point. This will let them access the resources on the local network, just like they would when connected physically using a wire. Wireless networking provides a lot of convenience to a user, whether at home or in a corporate environment.

By default, a wireless network is open, thus allowing anyone with a laptop or smartphone to establish a connection. This creates a concern about user privacy and security. The WEP encryption standard was used in the early generations of wireless networking and is still implemented by users at home and by IT administrators.

The WEP encryption standard uses the Rivest Cipher 4 (RC4) cipher with a 40-bit key for data encryption. When it was developed, this was considered very secure, but, by 2002, multiple security weaknesses had been found in the standard. An attacker would be able to obtain the encryption key within a few hours. With only a 40-bit key, an attacker could capture and decrypt traffic very quickly, which compromised the confidentiality of traffic protected by the WEP encryption standard. In modern cryptographic standards, a larger encryption key is used to prevent such attacks on data encryption.

As a cybersecurity professional in the field of offensive security, it's important to understand the techniques you should apply when performing WEP cracking using Kali Linux.

Perform the following steps to accomplish this:

  1. Enable monitoring mode on your wireless adapter with the following commands:
airmon-ng check kill
airmon-ng start wlan0
  2. Perform wireless sniffing on nearby access points until you have discovered your target:
airodump-ng wlan0mon

Once you've found your target, make a note of its BSSID, channel, and ESSID values.

  3. Stop airodump-ng using Ctrl + C on your keyboard after obtaining the details, and then proceed to the next step.
  4. Attempt a packet capture for the target wireless network:
airodump-ng --bssid <target BSSID value> -c <channel #> wlan0mon -w <output file>

Let's look at what the options in this command do:

    • --bssid: Allows you to specify a particular access point by using its BSSID value (media access control address of the access point)
    • -c: Allows you to set the wireless radios so that they listen on a specific channel
    • -w: Specifies the output location and filename
  5. Perform a deauthentication attack on the target.

Performing a deauthentication attack on the target access point will force any connected clients to disassociate. Once the clients are disconnected, they will automatically attempt to reconnect to the access point. In doing so, you are attempting to capture the WEP key during the clients' attempt to reauthenticate:

aireplay-ng -0 0 -a <target's bssid> wlan0mon

When you have captured the WEP key (you'll see the notification on the window running airodump-ng), you can stop the deauthentication attack.

  6. Next, let's attempt to crack WEP and retrieve the secret key.

Once you've captured sufficient data on the target wireless network, stop airodump-ng. Using the ls -l command on the Terminal, you'll see a .cap file. In a new Terminal window, execute the following command:

aircrack-ng -b <bssid of the access point> output_file.cap

Additionally, you can use the following simple command to achieve the same task:

aircrack-ng output_file.cap

The following screenshot is an example of the expected output:

However, your WEP key will be different based on the value that was set by the administrator of the wireless access point. The output key is given in hexadecimal format, so you can now take this hex-based key and use it to access the target access point.
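
From the defender's side, the CSV file that airodump-ng writes next to the .cap capture can be used to inventory access points in your own environment that still advertise WEP or no encryption. The following is an added example, not code from the original text; the column layout, the sample rows (BSSIDs, ESSIDs, counters) and the helper name find_weak_networks are constructed assumptions.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to its .csv output
# (assumed column order; every BSSID, ESSID and counter below is made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-10 09:00:01, 2024-01-10 09:05:12,  6,  54, WEP , WEP,    , -48, 120, 3400,   0.  0.  0.  0,  10, lab-legacy, 
66:77:88:99:AA:BB, 2024-01-10 09:00:03, 2024-01-10 09:05:10, 11, 130, WPA2, CCMP, PSK, -60,  98,    0,   0.  0.  0.  0,   8, office-1, 
CC:DD:EE:FF:00:11, 2024-01-10 09:00:05, 2024-01-10 09:05:11,  1,  54, OPN ,    ,    , -71,  75,    0,   0.  0.  0.  0,   5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
12:34:56:78:9A:BC, 2024-01-10 09:01:00, 2024-01-10 09:05:00, -50, 210, 00:11:22:33:44:55, lab-legacy
"""

# Privacy values treated as findings, with the remediation to report.
WEAK = {"WEP": "migrate to WPA2 or WPA3", "OPN": "enable encryption"}


def find_weak_networks(csv_text):
    """Return one finding per access point advertising WEP or no encryption."""
    findings, header = [], None
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                      # blank separator lines
        if cells[0] == "BSSID":
            header = cells                # start of the access point table
            continue
        if cells[0] == "Station MAC":
            break                         # client table follows; not needed here
        if header is None or len(cells) < len(header):
            continue                      # skip truncated or unexpected rows
        ap = dict(zip(header, cells))
        for tag in ap["Privacy"].split():  # field may list several modes
            if tag in WEAK:
                findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                                 "channel": ap["channel"], "privacy": tag,
                                 "action": WEAK[tag]})
    return findings


if __name__ == "__main__":
    for f in find_weak_networks(SAMPLE_CSV):
        print(f"{f['bssid']} ch{f['channel']} {f['essid']!r}: "
              f"{f['privacy']} -> {f['action']}")
```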

Having completed this section, you are now able to perform WEP cracking on wireless networks. In the next section, we will take a deep dive into how to perform WPA cracking techniques.
