Skip to main content

How To Crack WEP - Part 2: Performing the Crack

Packet replay via Aireplay

While a deauth attack generates traffic, it generally doesn’t generate enough to effectively speed up our IV gathering process. It’s also a pretty blunt instrument and severly interferes with normal WLAN operations. For more efficient traffic generation, we’ll need to employ a different technique called a replay attack.

A replay attack simply captures a valid packet generated by a Target client, then spoofs the client that it captured the packet from and replays the packet over and over again more frequently than normal. Since the traffic looks like it is coming from a valid client, it doesn’t interfere with normal network operations and goes about its IV-generating duties quietly.

So what we need is to capture a packet that is sure to be generated by the void11 deauth attack, stop the deauth attack, then start a replay attack using the captured packet. A perfect candidate for capture are Address Resolution Protocol (ARP) packets since they’re small (68 Bytes long), have a fixed and easily recongnizable format, and are part of every reassociation attempt.

Figure 11: aireplay setup
(click image to enlarge)

Let’s start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack (via void11) or capturing traffic (via airodump) and running the actual crack against the captured data via aircrack which we’ll get to shortly.

Figure 12: The full WEP-cracking monty

We’ll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet switch-to-wlanng cardctl eject cardctl insert monitor.wlan wlan0 THECHANNELNUM cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff


- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Backtrack CD to simplify commands and reduce typing

- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a certain number of packets, but little else since the packets haven’t matched the filter we’ve set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF).