This article has been superceeded by How to Crack WEP...Reloaded.
In Part 1 of How to Crack WEP, we showed the basic approach to WEP cracking, configured a practice target WLAN and configured both sniffing and attack computers. We also introduced the Auditor Security Collection and used Kismet to find in-range wireless LANs.
In this article, we will describe how to use additional tools found on the Auditor CD to capture traffic and use it to crack a WEP key. We'll also describe how to use deauthentication and packet replay attacks to stimulate the generation of wireless traffic that is a key element of reducing the time it takes to perform a WEP key crack.
Before we get started, however, let us make a few points that may save some readers the time and effort of trying these techniques:
To successfully follow this How To, you need basic familiarity with networking terminology and principles. You should know how to ping, open a Windows Command Prompt, enter command lines and know your way around the Windows networking properties screens. Basic familiarity with Linux will be helpful too.
These procedures assume the use of specific wireless hardware described in Part 1. They will not work with other hardware types without modification.
These procedures assume that the target WLAN has at least one client associated with an AP or wireless router. They will not work with an AP that has no associated clients.
This tutorial is based on the Auditor version released April 2005. Future versions could make this attack easier or harder. In addition, some of the commands shown are Auditor-specific scripts that don't exist (but can easily be made) in other Linux distributions.
Accessing anyone else's network other than your own without the network owner's consent is illegal. SmallNetBuilder, Pudai, LLC and the author do not condone or approve of illegal use of this tutorial in any way
Also note that it is possible to perform WEP cracking using only one computer. But we have chosen to use two to more clearly illustrate the process and avoid some of the complications caused by using a single computer.
The four main tools used in this article are airodump, void11, aireplay and aircrack, which are included on the Auditor Security Collection CD:
- Airodump scans the wireless network for packets and captures these packets into files
- Void11 will deauthenticate computers from a wireless access point, which will force them to reassociate to the AP, creating an ARP request
- Aireplay takes this ARP request and resends it to the AP, spoofing the ARP request from the valid wireless client
- Finally, aircrack will take the capture files generated by airodump and extract the WEP key
From your scanning with Kismet as described in Part 1, you should have written down the following four pieces of information:
- MAC Address of the wireless Access Point (AP)
- MAC Address of the "Target" computer
- WEP key used
- Wi-Fi channel used
In the following procedures, we will call our laptops, Auditor-A and Auditor-B and call the target computer Target. Let's get started.