Cracking WEP Encryption

Cracking a WEP encryption key is not only easy, it's extremely useful for both personal network pentesting and those rare instances when your Internet is down. This article will guide you through getting your WIFI adapter into monitor mode, gathering the necessary IV packets, and cracking a WEP key.

Keep in mind this article is written strictly for educational purposes and I can not be held accountable for your actions.

To start off you're going to need access to the Aircrack-ng Network Software Suite. This is available both on Windows and Linux. If you are new to the Pentesting world I'd highly recommend using BackTrack 4. It's the Linux security distribution I used in my screenshots and is a great Swiss army knife for new and experienced pentesters alike.

Now lets get started:

1. airmon-ng start wlan0 - This command puts your WIFI adapter into monitor mode with Packet Injection enabled. In other words you can listen to any network without actually associating with it and send packets. wlan0 is my WIFI adapter, use the ifconfig command to see a list of your adapters. If airmon-ng is successful it will create a mon0 interface.
   
2. airodump-ng mon0 - This command shows us a list of all surrounding networks as well as the clients connecting to them. This command is used for both a preliminary scan of nearby networks as well as dumping packet data from a specific channel.
   
3. airodump-ng mon0 --channel 3 --ivs -w UNTOUCHABLE - Once we've found a suitable network, UNTOUCHABLE in my case, we close and relaunch airodump-ng and focus on its specific channel. Be sure to keep airodump-ng running.
4. aireplay-ng mon0 -1 100 -b 00:1C:10:3B:69:EB - Aireplay-ng is used to speed up packet gathering using packet injection. The first step is to associate with the access point. In my case there is no client filtering so my MAC address is fine, but you can spoof the address of a trusted client to gain access and hide your identity if you wanted.
   
5. aireplay-ng mon0 -3 -b 00:1C:10:3B:69:EB - Now that we've successfully associated with the Access Point we'll perform whats known as an ARP Replay Attack to speed up what used to take weeks into a matter of minutes.
   
6. If everything goes as planned you should be able to switch back to airodump-ng and watch in awe as the router ignorantly sends you thousands of packets.
   
7. aircrack-ng UNTOUCHABLE.ivs - Now that we've started collecting massive amounts of data we start cracking the WEP key. Point aircrack-ng to the file that airodump created that ends in ".ivs". Type the number of the access point. Now go get yourself a cup of coffee. By the time you should see the WEP key near the bottom of the screen.

    

   

That about wraps up this tutorial. If you have any questions or comments please reply below and I'll try to get back to you.