Cracking 128 bit WEP

(…in Linux)

Setting up the packet capture

Here we are going to place the wireless card (ath0 on my system) in monitor mode, create a directory to save the packet capture in, and then start a wireless packet capture of all traffic in the air.

ifconfig ath0 up
iwconfig ath0 mode monitor
cd /home/name/
mkdir wepcrack
cd wepcrack
airodump ath0 tocrack

Injecting IV packets back into the stream

Look at the airodump screen and find the BSSID of the target system. We are going to use aireplay to pick a specific packet from that BSSID and reinject it back into the air, forcing the AP to broadcast a fresh IV packet in reply.

aireplay -i ath0
  • look at the BSSID and see if it is the target's BSSID… if not, do not use the packet
  • also reject any packets with a destination MAC of FF:FF:FF:FF:FF:FF (broadcast)
  • once a packet has been chosen, select “y” and then, in the airodump window, look for packets AND IV packets increasing… if the IVs do not increase rapidly, it is not a good packet. Stop aireplay and try another packet.
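
What the replay step looks like from the other side of the air is worth seeing too. The following script is an added example (not part of the original write-up) that runs simple detection logic over a constructed capture summary: it flags a station that repeats one identical WEP frame (same transmitter, BSSID and IV) many times in a short window, and measures how quickly a transmitter emits fresh IVs, which is exactly the "IVs increasing rapidly" signal described above, seen from a wireless IDS. The MAC addresses, the frame records and the thresholds are all assumed values made up for the example.

```python
from collections import defaultdict

# Constructed sample capture summary (not from a real network): each entry is
# (timestamp_seconds, transmitter_mac, bssid, wep_iv_hex).  A legitimate client
# sends a trickle of frames with fresh IVs; then one station repeats a single
# captured frame (identical IV) hundreds of times, and the AP answers each
# copy with a newly encrypted frame, so its fresh-IV rate climbs just as fast.
BSSID = "00:11:22:33:44:55"      # assumed AP address
CLIENT = "aa:bb:cc:00:00:01"     # assumed legitimate client
REPLAYER = "aa:bb:cc:00:00:99"   # assumed station repeating one frame


def build_sample():
    frames = []
    for i in range(30):                              # 1 frame/s of normal traffic
        frames.append((float(i), CLIENT, BSSID, f"{0x100000 + i:06x}"))
    for i in range(200):                             # 50 frames/s, same IV every time
        t = 40.0 + i * 0.02
        frames.append((t, REPLAYER, BSSID, "a1b2c3"))
        # AP reply to each copy, carrying a fresh IV
        frames.append((t + 0.005, BSSID, BSSID, f"{0x200000 + i:06x}"))
    return sorted(frames)


def repeated_iv_bursts(frames, window=5.0, threshold=20):
    """Return {(transmitter, bssid, iv): peak_count} for every identical frame
    seen more than `threshold` times inside some `window`-second span.
    A WEP transmitter should never re-send the same IV this often; a burst
    of identical frames is the signature of a replayed packet."""
    times = defaultdict(list)
    for t, src, bssid, iv in frames:
        times[(src, bssid, iv)].append(t)
    hits = {}
    for key, ts in times.items():
        ts.sort()
        lo, best = 0, 0
        for hi, t in enumerate(ts):          # sliding window over timestamps
            while t - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            hits[key] = best
    return hits


def fresh_iv_rate(frames, transmitter, window=5.0):
    """Peak number of distinct IVs per second emitted by `transmitter`
    within any `window`-second span.  A sudden jump for the AP means
    something is making it encrypt far more frames than its clients need."""
    seen = sorted((t, iv) for t, src, _, iv in frames if src == transmitter)
    best, lo = 0, 0
    for hi in range(len(seen)):
        while seen[hi][0] - seen[lo][0] > window:
            lo += 1
        distinct = len({iv for _, iv in seen[lo:hi + 1]})
        best = max(best, distinct)
    return best / window


if __name__ == "__main__":
    sample = build_sample()
    for key, count in repeated_iv_bursts(sample).items():
        print(f"replayed frame from {key[0]} (IV {key[2]}): {count} copies")
    print(f"AP fresh-IV rate: {fresh_iv_rate(sample, BSSID):.1f}/s, "
          f"client: {fresh_iv_rate(sample, CLIENT):.1f}/s")
```

On the constructed sample the replaying station is the only key reported (200 copies of IV a1b2c3 inside five seconds), and the AP's fresh-IV rate jumps to 40 per second against the client's 1.2. Real deployments would feed the same two checks from a monitor-mode capture tool and tune the window and threshold to the network's normal traffic.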

Wait, and then crack

Once you have about 500k IVs, start aircrack in the background so the WEP cracking runs in parallel with the capture.

cd /home/name/wepcrack/
aircrack -q 3 -f 2 tocrack.cap

(-q 3 is used to display crack progress, -f 2 sets the fudge factor)

You should see aircrack display the 128 bit key in about 5 seconds for about 500k IV packets in the capture file. Cracking 128 bit in 5 seconds? Yeah, it's that good. Kinda makes you want to use WPA, doesn't it? Don't worry, I'll tell you how to crack that too later.
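
The write-up counts IVs without saying why the count is what matters, so here is an added example (mine, not from the original page) that puts numbers on it. WEP prepends a 24-bit initialisation vector to the RC4 key, so every transmitter on the network draws from only 2^24 = 16,777,216 IVs, and an IV that repeats under the same key reuses the same keystream. The functions below apply the standard birthday bound to that IV space and show how quickly a busy transmitter wraps around; the frame rate is an assumed figure for illustration.

```python
import math

IV_BITS = 24                 # WEP's IV is 24 bits wide
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IVs per key


def iv_collision_probability(n_frames, iv_bits=IV_BITS):
    """Probability that at least two of n_frames randomly chosen IVs coincide,
    using the birthday approximation 1 - exp(-n(n-1) / (2N))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def frames_for_probability(p, iv_bits=IV_BITS):
    """Smallest number of frames at which the collision probability reaches p.
    Solves n(n-1) = -2N ln(1-p) for n and rounds up."""
    k = -2.0 * (2 ** iv_bits) * math.log(1.0 - p)
    return math.ceil((1.0 + math.sqrt(1.0 + 4.0 * k)) / 2.0)


def seconds_until_wraparound(frames_per_second, iv_bits=IV_BITS):
    """Time for a transmitter that simply counts through the IV space to
    reuse its first IV (sequential IVs collide deterministically, not by chance)."""
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    for n in (100, 5000, 500_000):
        print(f"{n:>7} frames: P(IV reuse) = {iv_collision_probability(n):.4f}")
    print(f"50% chance of a repeated IV after {frames_for_probability(0.5)} frames")
    rate = 500  # assumed frames per second on a busy link
    hours = seconds_until_wraparound(rate) / 3600
    print(f"at {rate} frames/s a counting transmitter wraps its IVs in {hours:.1f} h")
```

Read the output against the "500k IVs" figure in the section above: with random IVs a repeat is already more likely than not after roughly 4,800 frames, and at half a million frames the probability is indistinguishable from 1, which is why a capture of that size gives a cracker so much to work with. Nothing about the key length helps here; the IV is the same 24 bits for 64-bit and 128-bit WEP alike.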