Skip to main content

5. Gaining Access - WEP Cracking

Basics

  • WEP means: Wired Equvalent Privacy
  • It's an old encryption
  • Uses an algorythm called RC4
  • Still used in some networks
  • Can be cracked easily

How Encryption works

  • Each Package is encrypted via a unique Keystream
  • Random Initialization Vector (IV) is used to generate the Keystreams
  • The IV is only 24 bits
  • IV + (password) Key = keystream

WEP Cracking

  • IV is too small (24bits)
  • IV is sent in plain text

Weakness

  • IV's will repeat on busy networks
  • This will make WEP vulnerable to statistical attacks
  • Repeated IV's can be used to determine the Keystream
  • And break the encryption

We can use the tool aircrack-ng to determine the keystream

To crack WEP we need to

I am assuming, you already have done Part 1 and 2 of this tutorial

1. Capture a large amount of Packages/IVs (airodump-ng)

airodump-ng --bssid 11:22:33:44:55:66 --channel 12 --write ~/wep-cap wlan0

2. Analyse the captured IVs and crack the key (aircrack-ng)

aircrack-ng wep-cap.cap

It should look something like this:

Bildschirmfoto vom 2023-02-10 20-15-05.png

If the ASCII Code isn't displayed, which will be sometimes the cast, just use the key between the brackets, while removing the colons like this: 41:73:32:33:70 -> 4173323370

Which means, the target router will accept both: As23p or 4173323370 as password

Back to top