Crack WEP Encryption

Yes I know, there are already a lot of articles available on the internet which describe how to break WEP encryption. Some of them can be found at the bottom of this page. However, the purpose of this page is to write down how it really worked for me.

Of course I did this experiment in a test environment (on my own Access Point).

If you have suggestions for improvement, don't hesitate to contact me.

used equipment

The most important thing is that your wireless card is compatible with the tools used. The rest of the hardware should be interchangeable.
I cracked WEP several times with different hardware. The only thing that is necessary is a laptop or any other computer with a supported wireless card. A PRISM chipset is often recommended! One Access Point, one authenticated client and one attacking machine were used.

  • Wireless Cards
    - Cisco Aironet 802.11 a/b/g PCI Wireless Client Adapter
    - Belkin Wireless G Network Adapter
    - Intel Pro Wireless 2200 b/g (Mini-PCI)
  • Software
    - Kismet
    - AirSnort
    - AirCrack (airodump, aircrack)
    - Auditor Security Collection (200605-02-no-ipw2100)
    - Backtrack (User Edition beta 05022006)

discover the target network

Kismet is a good choice to discover your target network. You will need the BSSID and the channel of the network later on.

capture traffic

This is the part which takes most of the time. Keep the capturing process running during the next steps.

# airodump ath0 cap 11

ath0 = interface; cap = filename (can be anything); 11 = channel

If you are running a Live CD it is highly recommended to capture the data to another drive. When capturing to a ramdisk your computer will become slower and slower, because the more data you capture, the more RAM you take away from the running machine.

performing the attack

While sniffing traffic we can check whether we have already captured enough data:

# aircrack -b 00:12:A9:02:FD:FD *.cap

-b = BSSID
*.cap = filename of captured traffic

If you do not have success, wait until enough traffic has been captured. This is only a matter of time, depending on the network load.

What others don't tell you

In the test network 1GB of data was transferred, but only 350MB were actually captured by the attacker. After ~250,000-300,000 interesting packets were found the attack was successful.

When enough traffic was captured the attack was done in 0.2 seconds! The capturing process took much longer.

Encryption used: 128bit WEP
Passphrase used: !+S"f*{@[*?#>
Key used (in hex): 21 2B 53 94 66 38 7B 40 5B 2A 3F 23 3E
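The numbers above are easier to understand once you look at the WEP key layout. The hex key shown is 13 bytes, i.e. 104 bits; "128-bit WEP" is that 104-bit secret plus a 24-bit IV that is sent in clear in every frame. Because the IV is only 24 bits, IVs start repeating after surprisingly few frames, and a repeated IV means the same RC4 keystream is reused. The Python below is an added example (not code from this page or from the AirCrack/AirSnort projects): it checks the key size from the page's own hex key, computes the birthday bound for IV repeats at the packet counts mentioned above, and shows the kind of IV-reuse check a wireless monitoring tool could run on the IVs it sees. The birthday formula assumes IVs are drawn uniformly at random, which is an assumption made here; SAMPLE_IVS is a constructed list, not captured data.

```python
import math

IV_BITS = 24                # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 1 << IV_BITS     # 16,777,216 possible IVs

# Hex key from the page (13 bytes = 104 bits, the "128-bit WEP" secret)
PAGE_KEY_HEX = "21 2B 53 94 66 38 7B 40 5B 2A 3F 23 3E"


def key_bits(hex_key: str) -> int:
    """Secret key length in bits for a space-separated hex key."""
    return len(bytes.fromhex(hex_key.replace(" ", ""))) * 8


def wep_nominal_bits(hex_key: str) -> int:
    """Nominal WEP strength: secret key bits plus the 24-bit cleartext IV."""
    return key_bits(hex_key) + IV_BITS


def expected_iv_repeats(n: int, space: int = IV_SPACE) -> float:
    """Expected number of colliding IV pairs among n frames
    (assumes IVs are chosen uniformly at random)."""
    return n * (n - 1) / (2.0 * space)


def iv_collision_probability(n: int, space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least one IV repeats among n frames."""
    return 1.0 - math.exp(-expected_iv_repeats(n, space))


def find_iv_reuse(ivs):
    """Return {iv: count} for every IV seen more than once, which is what a
    monitoring tool would flag as keystream reuse on a WEP network."""
    counts = {}
    for iv in ivs:
        counts[iv] = counts.get(iv, 0) + 1
    return {iv: c for iv, c in counts.items() if c > 1}


# Constructed IV sequence (not captured traffic) with two reused values.
SAMPLE_IVS = [0x000001, 0x000002, 0x000001, 0x0A0B0C, 0x000002, 0x000001]


if __name__ == "__main__":
    print("secret key bits:", key_bits(PAGE_KEY_HEX))
    print("nominal WEP bits:", wep_nominal_bits(PAGE_KEY_HEX))
    for n in (5000, 50000, 300000):
        print(f"{n:>7} frames: P(repeat)={iv_collision_probability(n):.3f}, "
              f"expected colliding pairs={expected_iv_repeats(n):.1f}")
    print("reused IVs in sample:", find_iv_reuse(SAMPLE_IVS))
```

At 5,000 frames the chance of at least one repeated IV is already above 50%, and at the ~300,000 packets this page needed, thousands of IV pairs collide. Cards that pick IVs with a simple counter reset at every reboot do worse than the uniform assumption used here. This is one of the design flaws that make WEP unsafe regardless of the key length, which is why WEP was replaced by WPA/WPA2.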

The easy way

Usually you don't have to mess around with any command line tools: just start AirSnort and select the channel and the network card driver. Now you just have to wait until enough traffic is captured. When the process is finished the key will be presented on the same screen.

additional Links
last updated 02 November 2008