Introduction
With the popularity of wireless networks and mobile computing, an overall understanding of common
security issues has become not only relevant, but very necessary for both home/SOHO users and IT
professionals alike. This article is aimed at illustrating current security flaws in WEP/WPA/WPA2.
Successfully cracking a wireless network assumes some basic familiarity with networking principles and
terminology, as well as working with command-line tools. A basic familiarity with Linux can be helpful as
well.
Disclaimer: Attempting to access a network other than your own, or one you have permission to use, is
illegal in some U.S. jurisdictions. Speed Guide, Inc. is not to be held liable for any damages resulting
from the use or misuse of the information in this article.
To successfully crack WEP/WPA, you first need to be able to set your wireless network card in "monitor"
mode to passively capture packets without being associated with a network. This NIC mode is driver-
dependent, and only a relatively small number of network cards support this mode under Windows.
One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the
aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions
(provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of
supported network cards available here: NIC chipset compatibility list.
If your network card is not supported under Windows, one can use a free Linux Live CD to boot the
system. BackTrack 3 is probably the most commonly used distribution, since it runs from a Live CD, and
has aircrack-ng and a number of related tools already installed.
For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core 10, 2.6 32-bit
kernel) on my Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you're using the
BackTrack 3 CD, aircrack-ng is already installed; with my version of Linux it was as simple as finding it
with:
The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key
cracking. The ones we will be using are:
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured
data.
1. Setup (airmon-ng)
As mentioned above, to capture network traffic without being associated with an access point, we need to
set the wireless network card in monitor mode. To do that under Linux, in a terminal window (logged in as
root), type:
iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode; you may have to substitute your own interface name for
wlan0)
ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the
MAC of an associated client. NIC should be stopped before changing MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.
This step assumes you've already set your wireless network interface in monitor mode. It can be checked by
executing the iwconfig command. Next step is finding available wireless networks, and choosing your
target:
airodump-ng mon0 - monitors all channels, listing available access points and associated clients within
range. It is best to select a target network with strong signal (PWR column), more traffic (Beacons/Data
columns) and associated clients (listed below all access points). Once you've selected a target, note its
Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client
MAC addresses).
Running airodump-ng displays all wireless access points and associated clients in range, as
well as MAC addresses, SSIDs, signal levels and other information about them.
WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between 20k and 40k
packets), while WPA-PSK needs a dictionary attack on a captured handshake between the access point and
an associated client which may or may not work.
3. Capture Data (airodump-ng)
To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a
specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up
data collection, otherwise the wireless card has to alternate between all channels. Assuming our wireless
card is mon0, and we want to capture packets on channel 6 into a text file called data:
airodump-ng -c 6 --bssid 00:0F:CC:7D:5A:74 -w data mon0 (the -c 6 switch captures data on channel
6, --bssid 00:0F:CC:7D:5A:74 is the MAC address of our target access point, -w data specifies that we want
to save captured packets into a file called "data" in the current directory, mon0 is our wireless network
adapter)
Notes:
You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key.
One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole
packets, reducing the required disk space. However, this switch can only be used if targeting a WEP
network, and renders some types of attacks useless.
An active network can usually be penetrated within a few minutes. However, slow networks can take hours,
even days to collect enough data for recovering the WEP key.
This optional step allows a compatible network interface to inject/generate packets to increase traffic on the
wireless network, therefore greatly reducing the time required for capturing data. The aireplay-ng
command should be executed in a separate terminal window, concurrent to airodump-ng. It requires a
compatible network card and driver that allows for injection mode.
Assuming your network card is capable of injecting packets, in a separate terminal window try:
aireplay-ng allows for injecting packets to greatly reduce the time required to recover a
WEP key
Notes:
To test whether your NIC is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also
want to read the information available -here-.
To see all available replay attacks, type just: aireplay-ng
WEP cracking is a simple process, only requiring collection of enough data to then extract the key and
connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-
attempt cracking the key after every 5000 packets.
aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same
directory)
aircrack-ng can successfully recover a WEP key with 10-40k captured packets. The
retrieved key is in hexadecimal, and can be entered directly into a wireless client omitting
the ":" separators.
Notes:
If your data file contains ivs/packets from different access points, you may be presented with a list to
choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes
work with as few as 10,000 packets.
WPA, unlike WEP, rotates the network key on a per-packet basis, rendering the WEP method of penetration
useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an
access point and a client. What this means is, you need to wait until a wireless client associates with the
network (or disassociate an already connected client so they automatically reconnect). All that needs to be
captured is the initial "four-way-handshake" association between the access point and a client. WPA hashes
the network key using the wireless access point's SSID as salt. This prevents the statistical key-grabbing
techniques that broke WEP, and makes hash precomputation more difficult because the specific SSID needs
to be added as salt for the hash.
With all that said, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase
makes it vulnerable to dictionary attacks.
To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This
can be obtained using the same technique as with WEP in step 3 above, using airodump-ng.
You may also try to deauthenticate an associated client to speed up this process of capturing a handshake,
using:
aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client (where MAC_AP is the MAC address of the access
point, and MAC_Client is the MAC address of an associated client).
Once you have captured a four-way handshake, you also need a large/relevant dictionary file with common
passphrases. See related links below for some wordlist links.
You can then execute the following command in a Linux terminal window (assuming both the dictionary
file and captured data file are in the same directory):
Notes:
Cracking WPA-PSK and WPA2-PSK may take much longer, and will only succeed with weak passphrases
and good dictionary files.
Alternatively, there are tools like coWPAtty that can use precomputed hash files to speed up dictionary
attacks. Those hash files can be very effective, but quite big in size. The Church of WiFi has computed
hash tables for the 1000 most common SSIDs against a million common passphrases that are 7Gb and
33Gb in size...
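The SSID salting and the precomputed-table point above, seen from the side of whoever configures the access point. This is an added example, not code from the article or from aircrack-ng: it derives the WPA/WPA2-PSK master key with the standard PBKDF2-HMAC-SHA1 construction (SSID as salt, 4096 iterations, 256-bit output) and flags the two choices that make a network a dictionary target. The SSID and word lists and the 60-bit threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import string

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace_bits(passphrase: str) -> float:
    """Upper bound on guessing work, assuming every character is picked at random
    from the character classes present. Dictionary words fall far below it."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet)

def audit(passphrase: str, ssid: str, common_ssids, common_words) -> list:
    """Return the findings that make this network a dictionary-attack candidate."""
    findings = []
    if ssid in common_ssids:
        findings.append("SSID is a common default: precomputed tables may cover it")
    if passphrase.lower() in common_words:
        findings.append("passphrase appears in a wordlist")
    if keyspace_bits(passphrase) < 60:   # assumed threshold, tune to your policy
        findings.append("passphrase keyspace is under 60 bits")
    return findings

# Constructed sample data, for illustration only.
COMMON_SSIDS = {"linksys", "default", "NETGEAR"}
COMMON_WORDS = {"password", "letmein1", "qwertyuiop"}

if __name__ == "__main__":
    # Same passphrase under two SSIDs gives unrelated keys, so a table
    # computed for one SSID says nothing about the other.
    print(wpa_pmk("password", "linksys").hex())
    print(wpa_pmk("password", "home-7f3a").hex())
    print(audit("password", "linksys", COMMON_SSIDS, COMMON_WORDS))
    print(audit("v9!Qz2#mLr8@tX4&kP6w", "home-7f3a", COMMON_SSIDS, COMMON_WORDS))
```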
Conclusion
As demonstrated above, WEP cracking has become increasingly easy over the years, and what used to
take hundreds of thousands of packets and days of capturing data can be accomplished today within 15
minutes with a mere 20k data frames.
WPA/WPA2-PSK encryption is holding its ground if using a strong, long key. However, weak passphrases
are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed time as well, according to some
recent news.
Related Links
aircrack-ng
Openwall wordlist collection
wordlists - torrent search
the A.R.G.O.N. - wordlists
Church of WiFi hash tables
Introduction
This tutorial walks you through a very simple case to crack a WEP key.
It is intended to build your basic skills and get you familiar with the
concepts. It assumes you have a working wireless card with drivers
already patched for injection.
For a start to finish newbie guide, see the Linux Newbie Guide.
Although this tutorial does not cover all the steps, it does attempt to
provide much more detailed examples of the steps to actually crack a
WEP key plus explain the reason and background of each step. For
more information on installing aircrack-ng, see Installing Aircrack-ng and
for installing drivers see Installing Drivers.
Assumptions
• You are using drivers patched for injection. Use the injection test
to confirm your card can inject prior to proceeding.
• You are physically close enough to send and receive access point
packets. Remember that just because you can receive packets
from the access point does not mean you will be able to
transmit packets to the AP. The wireless card strength is typically
less than the AP strength. So you have to be physically close
enough for your transmitted packets to reach and be received by
the AP. You should confirm that you can communicate with the
specific AP by following these instructions.
• There is at least one wired or wireless client connected to the
network and they are active. The reason is that this tutorial
depends on receiving at least one ARP request packet and if
there are no active clients then there will never be any ARP
request packets.
• You are using v0.9 of aircrack-ng. If you use a different version
then some of the common options may have to be changed.
Ensure all of the above assumptions are true, otherwise the advice that
follows will not work. In the examples below, you will need to change
“ath0” to the interface name which is specific to your wireless card.
Equipment used
You should gather the equivalent information for the network you will
be working on. Then just change the values in the examples below to
the specific network.
Solution
Solution Overview
To crack the WEP key for an access point, we need to gather lots of
initialization vectors (IVs). Normal network traffic does not typically
generate these IVs very quickly. Theoretically, if you are patient, you
can gather sufficient IVs to crack the WEP key by simply listening to
the network traffic and saving them. Since none of us are patient, we
use a technique called injection to speed up the process. Injection
involves having the access point (AP) resend selected packets over and
over very rapidly. This allows us to capture a large number of IVs in a
short period of time.
The purpose of this step is to put your card into what is called monitor
mode. Monitor mode is a mode whereby your card can listen to every
packet in the air. Normally your card will only “hear” packets
addressed to you. By hearing every packet, we can later select some
for injection. As well, only (there are some rare exceptions) monitor
mode allows you to inject packets. (Note: this procedure is different for
non-Atheros cards.)
lo no wireless extensions.
If there are any remaining athX interfaces, then stop each one. When
you are finished, run “iwconfig” to ensure there are none left.
You will notice that “ath0” is reported above as being put into monitor
mode.
lo no wireless extensions.
In the response above, you can see that ath0 is in monitor mode, on
the 2.452GHz frequency which is channel 9 and the Access Point shows
the MAC address of your wireless card. Please note that only the
madwifi-ng drivers show the MAC address of your wireless card, the
other drivers do not do this. So everything is good. It is important to
confirm all this information prior to proceeding, otherwise the following
steps will not work properly.
The purpose of this step is to ensure that your card is within distance of
your AP and can inject packets to it.
Enter:
Where:
The last line is important. Ideally it should say 100% or a very high
percentage. If it is low then you are too far away from the AP or too
close. If it is zero then injection is not working and you need to patch
your drivers or use different drivers.
The purpose of this step is to capture the IVs generated. This step
starts airodump-ng to capture the IVs from the specific access point.
Where:
While the injection is taking place (later), the screen will look similar to
this:
The lack of association with the access point is the single biggest
reason why injection fails. Remember the golden rule: The MAC you
use for injection must be associated with the AP by either using fake
authentication or using a MAC from an already-associated client.
Where:
Where:
Troubleshooting Tips
If you want to select only the DeAuth packets with tcpdump then you
can use: “tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth”. You may
need to tweak the phrase “DeAuth” to pick out the exact packets you
want.
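The same tcpdump filter is useful for monitoring your own network: a burst of deauthentication frames aimed at one BSSID is what forced-reconnect activity looks like on the air. The sketch below is an added example, not part of the original tutorial; it reads lines shaped like the tcpdump output above and reports any BSSID that receives many deauths in a short window. The line layout, MAC addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Timestamp, BSSID and the word "deauth" (case-insensitive, like `grep -i DeAuth`).
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) .*?BSSID:([0-9a-f:]{17}) .*deauth", re.I)

def deauth_bursts(lines, window=10.0, threshold=5):
    """Map each BSSID to its peak deauth count, for BSSIDs that saw at least
    `threshold` deauthentication frames within any `window` seconds."""
    recent = defaultdict(deque)   # BSSID -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue              # beacons, data frames, unparseable lines
        hh, mm, ss, bssid = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)
        bssid = bssid.lower()
        seen = recent[bssid]
        seen.append(now)
        while now - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(seen))
    return peaks

# Constructed capture lines (locally administered MACs), not real traffic.
AP, STA, OTHER = "02:00:00:aa:00:01", "02:00:00:aa:00:02", "02:00:00:bb:00:01"
SAMPLE = [
    f"12:00:00.000000 BSSID:{AP} DA:ff:ff:ff:ff:ff:ff SA:{AP} Beacon (lab) ESS CH: 9",
    f"12:00:03.500000 BSSID:{OTHER} DA:{OTHER} SA:{STA} DeAuthentication: "
    "Deauthenticated because sending station is leaving",
] + [
    f"12:00:05.{i}00000 BSSID:{AP} DA:{STA} SA:{AP} DeAuthentication: "
    "Class 3 frame received from nonassociated station"
    for i in range(6)
]

if __name__ == "__main__":
    for bssid, count in deauth_bursts(SAMPLE).items():
        print(f"possible deauth flood against {bssid}: {count} frames in 10 s")
```

A single deauth when a client leaves is normal; it is the rate per BSSID that separates routine roaming from a flood.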
It will start listening for ARP requests and when it hears one, aireplay-
ng will immediately start to inject it. On your home network, here is an
easy way to generate an ARP request: On a wired PC, ping a non-
existent IP on your home LAN.
Here is what the screen looks like when ARP requests are being
injected:
You can confirm that you are injecting by checking your airodump-ng
screen. The data packets should be increasing rapidly. The “#/s”
should be a decent number. However, decent depends on a large
variety of factors. A typical range is 300 to 400 data packets per
second. It can be as low as 100/second and as high as 500/second.
Troubleshooting Tips
The purpose of this step is to obtain the WEP key from the IVs gathered
in the previous steps.
Note: For learning purposes, you should use a 64 bit WEP key on your
AP to speed up the cracking process. If this is the case, then you can
include “-n 64” to limit the checking of keys to 64 bits.
Where:
To also use the FMS/KoreK method, start another console session and
enter:
Where:
You can run this while generating packets. In a short time, the WEP key
will be calculated and presented. You will need approximately 250,000
IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the
PTW attack, then you will need about 20,000 packets for 64-bit and
40,000 to 85,000 packets for 128 bit. These are very approximate and
there are many variables as to how many IVs you actually need to
crack the WEP key.
Aircrack-ng 0.9
KB  depth  byte(vote)
 0  0/ 9   12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B(  5) 77(  5) A5(  3) F6(  3) 03(  0)
 1  0/ 8   34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
 2  0/ 2   56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
 3  1/ 5   78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)