Hello aspiring Ethical Hackers. In this post, we will see how to crack WEP passwords with aircrack. I bought a new Alfa Wireless Adapter and I want to get straight away into cracking a WEP password. My Attacker machine is Kali Linux which is installed on VMware. So I first connected the GOD given ALFA Wireless adapter to my laptop, make sure it is connected to the virtual machine, open a terminal in Kali Linux and type command “iwconfig” to make sure my wireless adapter is connected.
Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.
I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.
As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.
As you can see, this shows all the wireless traffic. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.
In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point hack me if you can will be saved in the file wep_hc_crack.cap. What I am looking for is the initialization vectors that are used in cracking WEP. This initialization vectors play a key role in cracking the password of this Wi-Fi access point.
How? As I already told you, I will not tell you the technical jargon of this article for now. Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some Jugaad to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack. According to the website of aircrack,
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.
where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.
As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.
If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.
You can see the traffic increasing. All have to do is play the game of patience now .
After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.