CHAPTER 9 : WEP CRACKING

THEORY BEHIND WEP CRACKING 

to watch WEP cracking video click on the link: https://youtu.be/moMi9AzxnSI

 

WEP is an old encryption standard, but it is still used in some networks, so we will explain how to break it.
WEP uses the RC4 stream cipher: each packet is encrypted at the AP and then decrypted at the client. To give every packet a unique key stream, WEP combines the key with a random 24-bit Initialization Vector (IV), and this IV is sent inside the packet in plain text. Because the IV is so short, on a busy network we can collect two or more packets with the same IV; once enough IVs have been captured, aircrack-ng can use statistical attacks to determine the key stream and recover the WEP key.
Conclusion: the more IVs we collect, the more likely we are to crack the key.
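Added example (my own Python, not code from the course or from the aircrack-ng suite): it puts numbers on the 24-bit IV argument above by applying the birthday bound, showing how few packets a busy network needs before an IV repeats. The only assumption is the IV space size, which follows from the 24-bit IV stated above; the simulated traffic is constructed, not captured.

```python
import math
import random

IV_BITS = 24                 # WEP prepends a 24-bit IV to every packet
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IV values (assumption: uniform IVs)


def collision_probability(n: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of n uniformly random IVs are equal.

    Computed in log space from the exact product P(no repeat) =
    prod_{i=0}^{n-1} (1 - i/space), so it does not underflow for large n.
    """
    if n > space:            # pigeonhole principle: a repeat is certain
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_repeat)


def expected_repeated_pairs(n: int, space: int = IV_SPACE) -> float:
    """Expected number of packet pairs that share an IV after n packets."""
    return n * (n - 1) / (2 * space)


def packets_until_first_repeat(space: int = IV_SPACE) -> float:
    """Birthday-bound estimate of how many packets precede the first IV reuse."""
    return math.sqrt(math.pi * space / 2)


def simulate_repeats(n: int, space: int = IV_SPACE, seed: int = 0) -> int:
    """Draw n random IVs (constructed sample traffic) and count how many
    packets reuse an IV that was already seen in the capture."""
    rng = random.Random(seed)
    seen = set()
    repeats = 0
    for _ in range(n):
        iv = rng.randrange(space)
        if iv in seen:
            repeats += 1
        seen.add(iv)
    return repeats


if __name__ == "__main__":
    print(f"packets before first IV repeat (estimate): {packets_until_first_repeat():.0f}")
    for n in (1_000, 5_000, 20_000, 100_000):
        print(f"{n:>7} packets: P(repeat)={collision_probability(n):.3f}, "
              f"expected repeated pairs={expected_repeated_pairs(n):.1f}")
```

The estimate of roughly 5,000 packets before the first repeat is why a 24-bit IV is far too small for a network that moves thousands of frames per minute.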

WEP Cracking: Basic Case

So all we need to do is run airodump-ng to log all traffic from the target network:
> airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]
Ex: airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write name wlan0mon
At the same time, we run aircrack-ng against the capture file created by the above command and let it try to crack the key:
> aircrack-ng [file-name]
Ex: aircrack-ng name-01.cap
Keep both programs running at the same time; aircrack-ng will be able to determine the key once the number of IVs in the capture file (name-01.cap in the example) is enough.

wlan0mon is my interface name in monitor mode; check yours using <iwconfig>.

WEP Cracking: Packet Injection

What if the AP is idle, or has no clients associated with it?
In this case we have to inject packets into the traffic in order to force the router to create new packets with new IVs.
We will explain 3 methods to increase the number of IVs rapidly on clientless APs, so that if one method does not work we can try another; knowing all 3 methods guarantees that we can crack any WEP-encrypted network.

Fake Authentication

Before we can start injecting packets into the traffic, we have to authenticate our wifi card with the AP, because APs ignore any requests that come from devices not associated with them. This is done with aireplay-ng like so:
> aireplay-ng --fakeauth 0 -a [target MAC] -h [your MAC] [interface]
ex: aireplay-ng --fakeauth 0 -a A0:79:85:C8:7F:90 -h 99:v0:c7:9c:8a:12 wlan0mon

If the fake authentication was successful, the value under the "AUTH" column in airodump-ng will change to "OPN".

Packet Injection: 1. ARP Request Replay

In this method, after successfully associating with the target AP, we wait for an ARP packet, capture it, and inject it back into the traffic. This forces the AP to generate a new ARP packet with a new IV; we capture this new packet and inject it again, and the process repeats until the number of IVs captured is enough to crack the key.
> aireplay-ng --arpreplay -b [target MAC] -h [your MAC] [interface]
ex: aireplay-ng --arpreplay -b E0:69:95:B8:BF:77 -h 00:c0:ca:6c:ca:12 wlan0mon

This is one of the most effective ways to inject packets into a wireless network.

The other two ways to inject packets into the network are:

* KoreK chop-chop method

* Fragmentation method
