WEP offers protection for data being transferred over the air. It works by providing encryption and authentication. WEP is the oldest of the wireless encryption protocols and it is also the easiest to hack. In this how-to we will look into the steps necessary to hack the WEP protocol.
WEP was developed to provide the following:
- Protection from eavesdropping on communications and a reduction in unauthorized disclosure of data
- Encryption of packets prior to transmission with a shared secret key
- Integrity checking of data as it flows across the network
- Confidentiality, access control and integrity in a lightweight, efficient system
WEP has well-known weaknesses, however:
- CRC32 (Cyclic Redundancy Check), used for integrity checking, is flawed: with slight modifications, packets can be altered consistently by attackers to produce their desired result
- WEP is susceptible to DoS attacks through the use of associate and disassociate messages, which are not authenticated by WEP
- Keys may be uncovered through the analysis of packets, allowing for the creation of a decryption table
- WEP is vulnerable to plaintext attacks through the analysis of packets
- Initialization vectors (IVs) are only 24 bits in length, meaning the entire pool can be exhausted by moderate use within 5 hours or so
WEP uses initialization vectors. An IV is a randomized value that is used together with the secret key for data encryption. Flaws in the generation of IVs in WEP make it vulnerable to analysis and cracking.
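To put numbers on the IV weakness described above, here is an added Python example (not part of the original how-to) that computes how quickly a 24-bit IV space runs out, how likely an IV repeat is after a given number of frames, and flags repeated IVs in a constructed list of observed values, the kind of check a wireless monitoring tool can run. The 1000 frames per second rate used in the demo is an assumption, not a figure from the page.

```python
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible WEP IVs


def iv_exhaustion_hours(frames_per_second: float) -> float:
    """Hours until a sender that never repeats an IV has used all of them."""
    return IV_SPACE / frames_per_second / 3600.0


def expected_first_collision_frames(space: int = IV_SPACE) -> float:
    """Birthday-bound estimate of how many randomly chosen IVs are sent
    before the first repeat: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2.0)


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among `frames` random IVs
    (standard birthday approximation 1 - exp(-n(n-1)/(2N)))."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def reused_ivs(observed: list) -> dict:
    """Map each IV that appears more than once to its count. A monitoring
    tool would feed this with the 3-byte IV field of captured WEP frames."""
    counts = Counter(observed)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample: IVs as seen from two stations; 0x0A0B0C is reused.
SAMPLE_IVS = [0x0A0B0C, 0x0A0B0D, 0x112233, 0x0A0B0C, 0xFFFFFE, 0x0A0B0C]

if __name__ == "__main__":
    rate = 1000.0                    # assumed frames per second (not from the page)
    print(f"hours to exhaust IV space at {rate:.0f} frames/s: {iv_exhaustion_hours(rate):.2f}")
    print(f"expected frames before first IV repeat: {expected_first_collision_frames():.0f}")
    print(f"P(repeat) after 15000 frames: {collision_probability(15000):.4f}")
    print("reused IVs:", {hex(k): v for k, v in reused_ivs(SAMPLE_IVS).items()})
```

At the assumed 1000 frames per second the space is exhausted in about 4.7 hours, matching the "5 hours or so" figure above, and a repeat is almost certain long before that.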
First, on our laptop we have to make sure the wireless adapter is up and running. We are using Kali Linux for this, but the commands should be similar on other distributions.
    iw dev
    phy#0
        Interface wlan0
            ifindex 3
            wdev 0x1
            addr .....
            type managed    <--- specifies the operational mode of the wireless device
            channel 2 ....
Let's run airmon-ng. Enter the following command:
    airmon-ng start wlan0

    Found 3 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to run 'airmon-ng check kill'

      PID Name
      492 NetworkManager
      666 wpa_supplicant
      782 dhclient

    PHY     Interface       Driver          Chipset

    phy0    wlan0           iwlwifi         Intel Corporation WiFi Link 5100
                    (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                    (mac80211 station mode vif disabled for [phy0]wlan0)
Now run the iw dev command again to make sure the adapter is in monitor mode:
    iw dev
    phy#0
        Interface wlan0mon
            ifindex 4
            wdev 0x2
            addr 00:22:fb:17:e2:a2
            type monitor
            channel 10 (2457 MHz), width: 20 MHz (no HT), center1: 2457 MHz
Start airodump-ng to begin scanning. You should see a list of access points in your area:
    BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
    84:9x:8C:9D:BC:38  -22      922   3717    0   2  54   WEP   WEP           H1
    08:0x:81:CE:83:FB  -46      203      0    0  11  54e  WPA2  CCMP    PSK
As you can see, the access point with SSID H1 is running WEP.
Enter the following command, specifying -w for the file where we dump the results and -c for the channel number:
We will need to capture close to 15000 packets for this to succeed.
Now let's run this command to crack the key:
Here is one more way to run the data capture: