
How To Crack WEP - Part 2: Performing the Crack

Deauthentication via void11

You probably noticed that the IV count doesn't rise very quickly under normal traffic conditions. In fact, it could take several hours or even days to capture enough data from most wireless LANs for a successful WEP key crack under normal conditions. But fortunately, there are a few tools at our disposal to speed things along.

The easiest way to speed up packet generation is for the Target WLAN to be a busy one. We can simulate this by running a continuous ping or starting a large file download on the Target. Keep airodump running on Auditor-A and notice the rate that the IV count is rising. Then start your file download via bittorrent or just download an .ISO file of your favorite Linux distribution or movie trailer.

Alternatively, a continuous ping can be done in Windows by entering the following into a command window:

ping -t -l 50000 ADDRESS_OF_ANOTHER_LAN_CLIENT

where ADDRESS_OF_ANOTHER_LAN_CLIENT is replaced by the IP address of the AP, router or any other pingable client on the LAN.

Either of these methods will cause the IV count to rise a bit faster. But since they require access to the very WLAN that you are trying to obtain the WEP key for, they’re useful only to illustrate that more traffic = more IVs. What is needed is a traffic-generation method that requires only the information that we’ve obtained via Kismet.

This is where void11 comes in. Void11 is used to force a de-authentication of wireless clients from their associated AP, i.e. the clients are "kicked off" the AP. After being kicked off the wireless network, a wireless client will automatically try to reassociate with the AP. In the process of re-association, data traffic will be generated. This process is commonly referred to as a de-authentication or deauth attack. Here's how it's done.

Figure 6: void11 usage

Start Auditor-B with its Wi-Fi card and Backtrack CD inserted. Once Backtrack is up, open a shell and type in the following commands:

Commands for setting up a void11 deauth attack:

switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

NOTE: Replace THECHANNELNUM with the channel number of your Target WLAN, and MACOFSTATION and MACOFAP with the MAC addresses of the Target WLAN client and AP respectively, i.e.

void11_penetration -D -s 00:90:4b:c0:c4:7f -B 00:c0:49:bf:14:29 wlan0

Tip: You may see an invalid argument error while running void11 on the Backtrack CD. Don’t worry about this error, as void11 is working, which we’ll verify next.
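As an added example that is not part of the original article, here is the defender's counterpart to the procedure above: a small Python detector that flags the deauth-then-reassociate pattern void11 produces, run over a constructed list of management-frame records. The AP and station MACs are the ones from the example command above; the second AP and its client are made-up placeholders.

```python
from collections import defaultdict

# Management-frame subtypes, named here for readability; in a real capture
# deauthentication is subtype 0x0C and association request is 0x00.
DEAUTH = "deauth"
ASSOC_REQ = "assoc_req"

def build_sample_capture():
    """Constructed frame records: a void11-style flood against one station
    (30 deauths in 3 seconds, each followed by an association request from
    the victim), plus one benign deauth on an unrelated AP."""
    ap, sta = "00:c0:49:bf:14:29", "00:90:4b:c0:c4:7f"  # from the article's example
    other_ap, other_sta = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"  # placeholders
    frames = []
    for i in range(30):
        t = i * 0.1
        frames.append({"ts": t, "subtype": DEAUTH, "src": ap, "dst": sta, "bssid": ap})
        frames.append({"ts": t + 0.05, "subtype": ASSOC_REQ, "src": sta, "dst": ap, "bssid": ap})
    frames.append({"ts": 7.0, "subtype": DEAUTH, "src": other_ap, "dst": other_sta, "bssid": other_ap})
    return frames

def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Group deauth frames by (bssid, victim) and report every pair that sees
    more than `threshold` of them inside a sliding `window_s`-second window,
    together with how many association requests that victim sent. Repeated
    deauth followed by re-association is the signature of this attack."""
    deauth_times = defaultdict(list)
    assoc_count = defaultdict(int)
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] == DEAUTH:
            deauth_times[(f["bssid"], f["dst"])].append(f["ts"])
        elif f["subtype"] == ASSOC_REQ:
            assoc_count[(f["bssid"], f["src"])] += 1
    alerts = []
    for pair, times in deauth_times.items():
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({"bssid": pair[0], "station": pair[1],
                           "deauths_in_window": peak,
                           "reassoc_attempts": assoc_count[pair]})
    return alerts

if __name__ == "__main__":
    for a in detect_deauth_flood(build_sample_capture()):
        print(a)
```

A single legitimate disconnect never trips the threshold; the flood does because the victim is repeatedly kicked off and re-associates each time.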