Cracking WEP using Aircrack-ng

From nUbuntu Wiki


This page explains how WEP protection is cracked using Aircrack-ng. WEP was deprecated in 2004 in favour of WPA/WPA2 precisely because of the statistical weaknesses this procedure exploits; the step-by-step walk-through below shows why a network still running WEP should be considered unprotected.


Requirements

  • Aircrack-ng
  • Supported Wireless Network Card. Check this list if you are unsure.


Before we begin

  • We assume the target WLAN has at least one client connected to the AP/Router. This will not work otherwise!
  • Accessing anyone else's network without permission is at worst illegal in some U.S. jurisdictions and at best, not really a friendly thing to do. Keep it legal!

Getting started

First open up a terminal. We will do everything from here, since there is no graphical interface for Aircrack-ng.

Monitor mode

  • We need to know what your WLAN card is called. Run iwconfig and write down (or remember) your WLAN card's name (wlan1, eth0, wi0, etc.).


Now that we know the card's name we can put it into monitor mode. Replace wlan1 with the name of your card.

  • Run airmon-ng to check the card's status.
  • Run airmon-ng stop wlan1 to stop the card, then airmon-ng start wlan1 to restart it in monitor mode. airmon-ng prints the name of the monitor-mode interface it set up; if that name differs from wlan1 (some versions create a separate interface such as mon0 or wlan1mon), use it in place of wlan1 in every command below.

Find the target

First, we need three pieces of information:

  • MAC address / BSSID of the target AP
  • MAC address of a client associated to the target AP (the STATION column in airodump-ng)
  • The channel in use by the target AP and client

To gather them:

  • Run airodump-ng --ivs --write capturefile wlan1. Your card now scans for networks on all channels.
  • Note down the results. We will need them later! Pay special attention to the MAC addresses of the client and AP as well as the channel they use.

Generate traffic

You may have noticed the '#Data' column in airodump-ng's output. For a WEP network it counts the data frames captured with a unique IV, and we need that number to reach at least 300,000 for WEP 64 and at least 1,500,000 for WEP 128. To get there within a reasonable time we need to create some traffic on the network. Replace [AP channel] and [AP BSSID] with the information you noted down.

  • Run airodump-ng --ivs --channel [AP channel] --bssid [AP BSSID] --write capturefile wlan1. Locking the capture to one channel and one BSSID means every frame counted belongs to the target.
  • Now to create some traffic and drive up the '#Data' count (and the '#/s' rate). Open a second terminal window and run aireplay-ng --arpreplay -b [AP BSSID] -h [client MAC from airodump] wlan1.

Wait until #Data reaches 300,000 if you know the network uses 64-bit encryption. Wait until it reaches 1,500,000 if you are unsure. To be on the safe side you should overshoot those numbers by a good deal: 500,000 (64-bit) or 2,200,000 (128-bit) will not hurt.
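The traffic pattern this step produces is also what makes it easy to spot from the network owner's side: one client MAC repeating a single short frame hundreds of times per second, against an AP whose beacons still advertise WEP. The script below is an added example (not from the nUbuntu wiki or the Aircrack-ng project) that runs those two checks over constructed frame and beacon summaries; the tuple layouts, the sample MAC addresses other than the wiki's 00:02:15:E2:D2:11, the 68-byte frame size and the 200-frames-per-second threshold are all assumptions chosen for illustration, not the output format of any real sensor.

```python
"""Flag the two symptoms of a WEP key-recovery attempt on your own WLAN:
an AP still advertising WEP, and a client replaying one frame at high rate.

Added example with constructed data; nothing here is Aircrack-ng code.
"""
from collections import defaultdict
from math import floor

# Constructed beacon summaries: (bssid, essid, privacy_bit, has_rsn_or_wpa_ie).
# A beacon with the Privacy bit set but no RSN/WPA information element is
# a WEP network (this is also how airodump-ng labels the ENC column).
BEACONS = [
    ("00:02:15:E2:D2:11", "lab-wep", True, False),      # WEP
    ("00:11:22:33:44:55", "office", True, True),        # WPA/WPA2
    ("00:11:22:33:44:66", "guest-open", False, False),  # open, no encryption
]


def wep_networks(beacons):
    """Return the BSSIDs whose beacons indicate WEP (Privacy set, no RSN/WPA IE)."""
    return [bssid for bssid, _essid, privacy, rsn in beacons if privacy and not rsn]


def make_frames():
    """Constructed data-frame summaries: (timestamp_s, bssid, src_mac, frame_len).

    One ordinary client sends mixed-size frames five times a second; a second
    client repeats the same 68-byte frame (an ARP request replayed over WEP is
    a constant-size frame) 400 times a second, for ten seconds each.
    """
    frames = []
    bssid = "00:02:15:E2:D2:11"
    sizes = [98, 1540, 342, 76, 512]
    for i in range(50):                       # normal client
        frames.append((i * 0.2, bssid, "AA:BB:CC:00:00:01", sizes[i % len(sizes)]))
    for i in range(4000):                     # replaying client
        frames.append((i / 400.0, bssid, "AA:BB:CC:00:00:02", 68))
    return frames


def find_replay_bursts(frames, window_s=1.0, threshold=200):
    """Count same-length frames per (bssid, src_mac, frame_len) per time window.

    Returns a sorted list of (bssid, src_mac, frame_len, window_index, count)
    for every window in which one client sent more than `threshold` frames of
    one size. Real clients rarely repeat a fixed-size frame that fast; a replay
    tool does nothing else.
    """
    counts = defaultdict(int)
    for ts, bssid, src, length in frames:
        counts[(bssid, src, length, floor(ts / window_s))] += 1
    hits = [(b, s, l, w, c) for (b, s, l, w), c in counts.items() if c > threshold]
    return sorted(hits, key=lambda h: (h[3], h[0], h[1]))


def suspect_clients(frames, window_s=1.0, threshold=200):
    """Distinct (bssid, src_mac) pairs that produced at least one burst."""
    bursts = find_replay_bursts(frames, window_s, threshold)
    return sorted({(b, s) for b, s, _l, _w, _c in bursts})


if __name__ == "__main__":
    print("Networks still using WEP:", wep_networks(BEACONS))
    for bssid, src in suspect_clients(make_frames()):
        print(f"possible ARP replay: client {src} against AP {bssid}")
```

The burst check deliberately keys on frame length as well as source MAC: a busy but legitimate station also sends many frames per second, but of varying sizes, whereas replayed ARP requests are all identical. Tune the threshold against a baseline of your own traffic before alerting on it.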


Cracking

Now you have one or several .ivs-files on your computer. We need to do something with those!

  • Open a third terminal window and run aircrack-ng -b [AP BSSID] [capture file(s) name]. The command accepts wildcards if you have several files (from several sessions). It may look something like this: aircrack-ng -b 00:02:15:E2:D2:11 capturefile*.ivs.

When the key has been found it can be entered as a hexadecimal key (omit the colons). You should hopefully be on the network soon.

