
    WEP Introduction

    easily broken. WEP uses an encryption algorithm called RC4. In this algorithm, each packet is encrypted at the router or access point and then sent out into the air. Once the client receives the packet, it can transform it back to its original form because it has the key. In other words, the router encrypts the packet and sends it, and the client receives and decrypts it. The same happens when the client sends something to the router: it first encrypts the packet using the key and sends it to the router, and the router can decrypt it because it has the key. In this process, if a hacker captures the packet in the middle, they get the packet but cannot see its contents, because they do not have the key.

    Each packet that is sent into the air has a unique keystream. The unique keystream is generated using a 24-bit IV (Initialization Vector). An initialization vector is a random number that is sent with each packet in plain text form, that is, not encrypted. If someone captures the packet, they will not be able to read the packet content because it is encrypted, but they can read the IV in plain text.

    The weakness with the IV is that it is sent in plain text and it is very short (only 24 bits). In a busy network, a large number of packets are sent in the air, and a 24-bit number is not big enough: the IV will start repeating. The repeated IVs can be used to determine the keystream. This makes WEP vulnerable to statistical attacks.
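    The following Python is an added example, not code from the original article, that makes the two claims above concrete. First, the WEP per-packet keystream is RC4(IV || key), so any two frames sent under the same key with the same IV share one keystream, and XORing their encrypted bodies cancels the keystream and leaves the XOR of the two plaintexts for anyone who only captured the traffic. Second, because the IV is only 24 bits, the birthday bound puts the first repeat at roughly 5,000 randomly chosen IVs with 50% probability, which a busy network reaches in minutes. The RC4 implementation, the simplified frame layout (the CRC-32 ICV is left out), the sample IV and plaintexts are constructed here; the key 12345 (hex 31:32:33:34:35) is the one the article recovers later.

```python
import math
import random

# Constructed values for this example: the 40-bit WEP key the article recovers,
# in both forms it is shown (hex 31:32:33:34:35 is just the ASCII bytes of "12345").
WEP_KEY = bytes.fromhex("31:32:33:34:35".replace(":", ""))   # == b"12345"
IV_BITS = 24
IV_SPACE = 1 << IV_BITS                                       # 16,777,216 IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet encryption: keystream = RC4(IV || key), and the
    3-byte IV is prepended in the clear. The CRC-32 ICV of a real frame is
    omitted; it does not change the keystream-reuse argument."""
    assert len(iv) == IV_BITS // 8
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    """The receiver rebuilds the same keystream from the clear IV and the key."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leaked_xor_on_iv_reuse(iv: bytes, key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same key with the same IV share one keystream, so
    XORing their encrypted bodies cancels the keystream and leaves p1 XOR p2."""
    c1 = wep_encrypt(iv, key, p1)[3:]
    c2 = wep_encrypt(iv, key, p2)[3:]
    return xor_bytes(c1, c2)


def iv_collision_probability(n_packets: int, bits: int = IV_BITS) -> float:
    """Exact birthday probability that at least one IV value repeats among
    n_packets IVs chosen uniformly at random from 2**bits values."""
    space = 1 << bits
    if n_packets > space:
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n_packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_collision_probability(p: float, bits: int = IV_BITS) -> int:
    """Birthday-bound approximation: packets needed before P(repeat) >= p.
    For 24 bits and p = 0.5 this is about 4,800 packets."""
    space = 1 << bits
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))


def first_repeat_index(seed: int, bits: int = IV_BITS) -> int:
    """Simulate a station picking random IVs; return the packet number at
    which the first repeated IV is transmitted."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(bits)
        if iv in seen:
            return n
        seen.add(iv)


if __name__ == "__main__":
    iv = b"\x00\x00\x01"                     # constructed IV
    p1, p2 = b"hello world", b"HELLO WORLD"  # constructed plaintexts
    print("key bytes:", WEP_KEY, "hex:", WEP_KEY.hex(":"))
    print("leaked p1 XOR p2:", leaked_xor_on_iv_reuse(iv, WEP_KEY, p1, p2).hex())
    print("P(IV repeat) after 4823 packets: %.3f" % iv_collision_probability(4823))
    print("packets for 50% repeat chance:", packets_for_collision_probability(0.5))
    print("first repeat in simulation:", first_repeat_index(seed=1))
```

    The simulation assumes IVs are chosen uniformly at random, which is the best case for WEP; implementations that used a counter reset to zero at start-up repeat IVs deterministically and even sooner. Either way the root cause is a per-packet key that is too small to stay unique, which is why WPA2/WPA3 replaced the scheme rather than patching it.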

    To determine the keystream we can use a tool called aircrack-ng. Once we have enough repeated IVs, it will also be able to crack WEP and give us the key to the network.

    WEP Cracking

    In order to crack WEP, we first need to capture a large number of packets, which means we capture a large number of IVs. Once we have done that, we will use a tool called aircrack-ng. This tool is able to use statistical attacks to determine the keystream and the WEP key for the target network. This method works better when we have more than two packets: the more we have, the higher our chances of breaking the key.

    Let’s look at the most basic case of cracking a WEP key. To do this, we set the Wi-Fi card to monitor mode. After that, we run the command airodump-ng wlan0, where wlan0 is the interface, to see all of the networks within our Wi-Fi range, and then we target one of those networks. The following output is displayed after executing this command:

    In this figure, the fourth network that has come up is Ducat. This is the network on which we are going to perform our attacks. We run airodump against the Ducat network using the following command:

    Here, we run airodump against the Ducat network with --bssid set to 74:DA:DA:DB:F7:67. We include --channel 11, and we add --write to store all of the packets that we capture into a file named wep. After running the above command, the following output is displayed:

    This is a busy network. #Data shows the number of useful packets, that is, packets that contain a different IV, which we can use to crack the key. The higher this number, the more likely we are to crack the key. In the following section, we can see the clients:

    Now we use the ls command to list the files.

    We can see that we have the capture file that was specified in the write argument. Now we launch aircrack-ng against the file that airodump has created for us. We can launch aircrack against it even if we have not stopped airodump; it will keep reading the new packets that airodump is capturing. Use the following command in a new terminal to run aircrack:

    When we use aircrack-ng, we pass in the filename wep.cap. If aircrack fails to determine the key, it waits until it reaches 5,000 IVs and then tries again.

    Now we have to wait until aircrack successfully cracks the WEP key. Once it has recovered the key, we can press Ctrl + C. In the following screenshot, aircrack has successfully managed to get the key from the data packets:

    We can see that the key is found, so we can connect to the target network, Ducat, using the ASCII password, which is 12345. We just need to copy 12345 and paste it while connecting to Ducat. You can also connect using the KEY, which is 31:32:33:34:35. In some cases we are not able to see the ASCII password; then we can use the KEY to connect to the network. To do this, just copy 31:32:33:34:35 and remove the colons between the numbers.

    Copyright 1999- Ducat Creative, All rights reserved.