
How To Crack WEP - Part 2: Performing the Crack

Packet capture and cracking

At this point Auditor-A is running a replay attack and producing plenty of IVs. Now it’s finally time to do the actual WEP cracking. Stop void11 on AUDITOR-B, if you haven’t done so already. Type in the following commands to set up airodump to capture packets for cracking.

Starting up airodump after stopping void11

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

NOTES:

- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Backtrack CD to simplify commands and reduce typing

- Replace THECHANNELNUM with the channel number of your Target WLAN

- If there are many wireless access points in range, append the MAC address of your target AP to the end of the airodump command, i.e.
  airodump wlan0 cap1 MACADDRESSOFAP

After airodump starts, you should see the IV count rise to about 200 per second, thanks to the aireplay replay attack running on Auditor-A.
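As an added, defender-side example (not from the original article), the script below takes a constructed stream of WEP data frames and flags the two signs of the replay attack described above: a single IV replayed over and over by a client, and the AP emitting fresh IVs at a rate well above normal traffic. The MAC addresses, thresholds and frame stream are all constructed values.

```python
# Added defender-side example, not part of the original tutorial.
# Input: an iterable of (time_seconds, transmitter_mac, iv) tuples for WEP
# data frames on one BSS. Output: per-second new-IV rate from the AP and any
# IVs a non-AP station repeated often enough to look like frame replay.
from collections import Counter, defaultdict

AP_MAC = "00:11:22:33:44:55"      # constructed AP address
CLIENT_MAC = "66:77:88:99:aa:bb"  # constructed client address

def analyze_wep_frames(frames, ap_mac, replay_threshold=50, new_iv_rate_threshold=100):
    """Return peak new-IV/sec from the AP, replayed client IVs, and a verdict."""
    seen_ap_ivs = set()
    new_ivs_per_sec = defaultdict(int)       # second -> count of never-seen AP IVs
    per_station_iv = defaultdict(Counter)    # client mac -> Counter of IVs sent
    for t, src, iv in frames:
        if src == ap_mac:
            if iv not in seen_ap_ivs:        # only fresh IVs count toward the rate
                seen_ap_ivs.add(iv)
                new_ivs_per_sec[int(t)] += 1
        else:
            per_station_iv[src][iv] += 1
    peak_rate = max(new_ivs_per_sec.values(), default=0)
    replayed = {}
    for src, counts in per_station_iv.items():
        ivs = [iv for iv, n in counts.items() if n >= replay_threshold]
        if ivs:                              # same encrypted frame re-sent many times
            replayed[src] = ivs
    suspicious = peak_rate >= new_iv_rate_threshold or bool(replayed)
    return {"peak_new_iv_per_sec": peak_rate, "replayed_ivs": replayed, "suspicious": suspicious}

def build_sample_frames():
    """Constructed capture: 2 s of normal traffic, then 3 s of replay flood."""
    frames, iv = [], 0
    for t in range(2):                       # normal: ~10 new AP IVs per second
        for k in range(10):
            frames.append((t + k / 10, AP_MAC, iv)); iv += 1
    for t in range(2, 5):                    # flood: one client IV replayed, AP answers 200/s
        for k in range(200):
            frames.append((t + k / 200, CLIENT_MAC, 0xABCDEF))
            frames.append((t + k / 200, AP_MAC, iv)); iv += 1
    return frames

if __name__ == "__main__":
    print(analyze_wep_frames(build_sample_frames(), AP_MAC))
```

The same logic can be fed from a real capture by extracting the WEP IV field (first three bytes of the frame body) per transmitter; the thresholds should be tuned to the observed baseline of the network being monitored.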

Figure 14: After ten minutes of aireplay

With airodump writing IVs into a capture file, we can run aircrack at the same time to find the WEP key. Keep airodump running and open another shell window. Type the following commands into the new window to start aircrack:

Starting aircrack

cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap

NOTES:

- FUDGEFACTOR is an integer (default is 2)

- MACADDRESSOFAP is the MAC address of the Target AP

- WEPKEYLENGTH is the length of the WEP key you are trying to crack (64, 128, 256 or 512)

Figure 15 shows an example of a complete command.

Figure 15: aircrack usage

Aircrack will read in unique IVs from all the capture files and then perform a statistical attack on those IVs. A lower "fudge factor" (-f parameter) has less chance of succeeding, but is very fast. A high fudge factor is slower, but has a higher chance of finding the WEP key. A fudge factor of 2 is the default starting point.

You can stop aircrack by typing control-C or just let it run to completion (it will give up after a while if it doesn't find the WEP key, at least for 64-bit WEP keys). If you followed our syntax above, you can restart aircrack by hitting the up arrow and then enter, and aircrack will automatically include the updated contents of the airodump capture file. At some point, you should be rewarded with the screen shown in Figure 16.

Figure 16: Gotcha, Key Found!