Cracking WEP Encryption With Kali Linux

In this tutorial we will see how easy it is to crack WEP encryption on a wireless access point. WEP is now very outdated, since its vulnerability was exposed. However, you will still find some access points using WEP, and for educational purposes I wish to demonstrate how easy it is to break, which should encourage you to switch to WPA if you haven’t done so already.

It is also a good starting point for you to learn the basics of how to use airodump-ng and aircrack-ng tools within the terminal window.

I’m using the Kali Linux distribution, which comes with these tools already installed. If you haven’t done so already, I advise you to download and set up a USB live drive running Kali Linux. If you’re a Mac user you will find this tutorial useful, as I also address the wireless driver issues that frequently plague Mac users trying to run aircrack.

STEP 1
First we will run airodump-ng to scan for available wireless networks and identify one running WEP that we wish to connect to.

As you can see, there are several networks with WEP available; we will target the last in the list. Press Ctrl+C to stop airodump and run the following command:
airodump-ng -w <directory to write the file to> -c <channel number> --bssid <MAC of target access point> <wireless interface>

As you can see, I am saving the captured packets to a local directory on my system, and I set the channel and BSSID to the channel and BSSID indicated in our initial scan. Finally, as I am using a Mac, I have the prism0 wireless interface, which is being used for wireless monitoring. If you’re on another machine I assume you have already enabled monitor mode with the airmon-ng command.

When you hit enter, airodump will begin gathering packets and writing them to the capture file. You will need to capture around 10,000 IVs before it will be possible to start cracking the WEP encryption; typically I have found I need around 2,000 IVs to be successful.

STEP 2
Leave the terminal window open with airodump capturing packets, and start a new terminal window. Here we will run aircrack-ng with the following command:
aircrack-ng <directory to the capture file>

When you hit enter, aircrack-ng will open the capture file and begin to try to crack the WEP encryption. If successful, it will display the result in hexadecimal. If it’s not successful, it will indicate that not enough IVs have been captured. Simply leave the window open; it will automatically retry when the next 5k IVs have been captured.

When you have finally captured enough IVs, it will display the successfully cracked password in hexadecimal format. You can use an online converter tool to convert this to ASCII characters if you wish, or enter the hex without the : separators.

Cracking WPA PSK With Kali Linux On Macbook

If you are running this on a MacBook and are having trouble putting the wireless device into monitor mode, then you need to follow my previous tutorials regarding this. If you’re running this on another machine, chances are you can use the airmon-ng start wlan0 command to switch to monitoring mode.

For the rest of this tutorial I will assume we are working on a MacBook Pro and that the wireless monitoring device is called prism0.

STEP 1

  • Check that you have monitoring mode enabled. Run ifconfig or iwconfig to check on this.
    iwconfig
  • In the above screenshot you can see that we have the prism0 wireless device. This is our monitoring mode device on the MacBook.

STEP 2

  • Run airodump-ng with options to write to a capture file. We will name this capture file “capture”.
    airodump-ng
  • Once airodump is running, we need to identify which wireless network we wish to crack. For this tutorial we are looking for a WPA type with a PSK. I’ve set up a wireless network for us to crack with these requirements; you can see two in the below screenshot. We need to run airodump until we have captured a WPA handshake. Once a handshake has been captured it will show in the top row, as illustrated below. (This means waiting for someone to connect to the access point. If you don’t want to wait, you can force a de-authentication of a device connected to the network and hope they reconnect.)
  • If you wish to make a forced disconnection in order to capture the handshake you can execute the following:
     aireplay-ng -0 1 -a 3C:DF:A9:68:E6:56 -c 60:03:08:64:D5:C3 prism0
    
    where -a is the MAC ID of the base station and -c is the MAC ID of the device you wish to de-authenticate.
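
A forced de-authentication followed seconds later by a fresh handshake is also the pattern a network owner can watch for. The following is an added example, not part of the original tutorial: it flags that sequence in frame records, where the one-line record format, the 10-second window and the sample data are assumptions constructed for illustration.

```python
# Constructed sample records, not real capture data. Assumed format:
# "<epoch seconds> <frame kind> <BSSID> <station MAC>"
SAMPLE_LOG = """\
1000.0 data 3C:DF:A9:68:E6:56 60:03:08:64:D5:C3
1012.4 deauth 3C:DF:A9:68:E6:56 60:03:08:64:D5:C3
1012.5 deauth 3C:DF:A9:68:E6:56 60:03:08:64:D5:C3
1014.9 eapol 3C:DF:A9:68:E6:56 60:03:08:64:D5:C3
1015.0 eapol 3C:DF:A9:68:E6:56 60:03:08:64:D5:C3
1300.0 deauth 3C:DF:A9:68:E6:56 AA:BB:CC:00:11:22
2500.0 eapol 3C:DF:A9:68:E6:56 AA:BB:CC:00:11:22
garbage line
"""


def parse_line(line):
    """Return (time, kind, bssid, station), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ts, parts[1].lower(), parts[2].lower(), parts[3].lower()


def find_forced_rehandshakes(lines, window=10.0):
    """Flag stations that start a handshake within `window` seconds of a deauth."""
    pending = {}  # (bssid, station) -> (time of last deauth, frames in burst)
    alerts = []
    for ts, kind, bssid, station in sorted(filter(None, map(parse_line, lines))):
        key = (bssid, station)
        last = pending.get(key)
        if kind == "deauth":
            in_burst = last is not None and ts - last[0] <= window
            pending[key] = (ts, last[1] + 1 if in_burst else 1)
        elif kind == "eapol" and last is not None:
            del pending[key]  # one alert per burst; later EAPOL frames are normal
            if ts - last[0] <= window:
                alerts.append({"bssid": bssid, "station": station,
                               "deauth_frames": last[1],
                               "gap_seconds": round(ts - last[0], 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_forced_rehandshakes(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the first station is reported: its handshake follows two de-authentication frames by 2.4 seconds, while the second station reconnects long after the window has passed.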

STEP 3

  • Once you have captured a handshake packet on the access point we wish to hack, you can proceed to the next step, which is cracking the password. We are using a brute force method, which can take some time, but basically means running through a dictionary of words and finding which one works. This can take hours, and there’s no guarantee that the password is in your dictionary. There are many free online dictionaries in .txt format you can use. For the purposes of testing, however, you can use a password that you know is in your dictionary, as we are just doing this for a learning experience.
  • Run aircrack-ng and you will see a list of options. We need to input two options: the first is the BSSID of the network you wish to crack, the other is the path to the dictionary you will be using.
  • Finally input the path to the capture file.
    aircrack-ng -b 3C:Df:A9:66:E6:56 -w /root/Documents/Dictionarys/passwords.txt /root/Documents/CapturedPackets/capture-01.cap
  • After hitting enter, if everything is done correctly, aircrack will begin running through the dictionary. Now it’s just a matter of waiting until it finds the correct password.
  • Here’s the final cracked password
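
The defender's side of the dictionary attack described in STEP 3 is making sure the network's own passphrase would not be found this way. The following is an added example, not part of the original tutorial: it checks a candidate passphrase against the WPA length and character rules and against a wordlist; the function name and the four-word sample list are constructed for illustration.

```python
import io
import string

# WPA/WPA2 passphrases are 8-63 printable ASCII characters (codes 32-126).
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Constructed stand-in for a dictionary file such as passwords.txt.
SAMPLE_WORDLIST = "123456\npassword\nSunshine2020\nletmein1\n"


def audit_psk(passphrase, wordlist):
    """Return findings for a candidate passphrase; an empty list means none.

    `wordlist` is any iterable of lines (an open file works), so a large
    dictionary is streamed instead of being loaded into memory.
    """
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length is outside the 8-63 character range")
    if any(ch not in ALLOWED for ch in passphrase):
        findings.append("contains characters outside printable ASCII")
    folded = passphrase.casefold()
    near_miss = None
    for lineno, line in enumerate(wordlist, start=1):
        word = line.rstrip("\r\n")
        if word == passphrase:
            findings.append(f"exact match at wordlist line {lineno}")
            return findings
        if near_miss is None and word.casefold() == folded:
            near_miss = lineno
    if near_miss is not None:
        findings.append(f"differs only by letter case from wordlist line {near_miss}")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "sunshine2020", "short", "vQ7#tin-walrus-Epoch41"):
        print(candidate, "->", audit_psk(candidate, io.StringIO(SAMPLE_WORDLIST)))
```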