How to Hack WEP encryption?
Note: ITS FOR EDUCATION PURPOSE ONLY! I AM NOT RESPONSIBLE FOR YOUR ILLEGAL USEAGE.
In the previous blog i explained about Pre-connection attack before starting this section.
The first encryption that we’ll learn how to break is called the WEP, or wired equivalent privacy. This is an old encryption and it can be broke easily, now days its very rare to find a network with a WEP encryption. But still some networks use this encryption so, i am covering it so when you see this encryption you don’t get stuck and don’t know what to do and how to crack it.
To cr4ck WEP we need to:
1) Capture a large number of packets/IVS by using airodump-ng
2) Analyze the captured IVs and cr4ck the key by using aircrack-ng
EXAMPLE: airodump-ng — bssid 00:00:00:00:00:00 — channel 4 — write testfile wlan0
In this step here we are going to capture a large number of packets and store it in a file called testfile.
First, We are going to run airodump-ng and store it in a file as shown in the picture: airodump-ng — bssid <bssid> — channel <number of channel> — write <specify a file name> followed by the interface wlan0 or mon0 or what ever is the name of your interface.
NOTE: That the packets will keep capturing until you quit the program by typing CTRL + C
Second step we will use aircrack-ng program to cr4ck the key.
Now we are going to use this program on the capture file that we called filename, and make sure that you are cr4cking filename.cap. “”.cap file is the important file that we need””.
now we have the filename.cap we will use aircrack-ng on it by simply running:
aircrack-ng filename.cap
Once cr4cked you will see a KEY FOUND! : 00:00:00:00:00:00
remove the (:) double quotes and you will be able to connect to the network.
Getting associated with the target network using Fake Authentication attack
In this section we will talk about fake De-authentication att4ck to associate with the target network incase we dont have clients connected to the network.
What will happen in this att4ck that we will pretend that we are a client in the router and we are going to tell the router that i want to connect to you.
i have explained to you how to use airodump-ng in the last blog and here, so now you are familiar with it and probably you will be able to run, in case you forgot take a recap here.
lest go step by step to make it simple on how to use this att4ck:
EXAMPLE: airodump-ng — bssid 00:00:00:00:00:00 — channel 4 wlan0
First we are going to run airodump-ng and make sure its running.
Secondly, we are going to run the fake authentication att4ck by typing:
aireplay-ng — fakeauth 0 -a <bssid> -h <wireless adapter MAC>
aireplay-ng : the program name
0 : tells that we want to run De-authentication
-a: specifies the MAC Address of the router
-h: specifies the MAC Address of the wireless adapter, And the MAC address is located after unspec (12digits) make sure you remove the (-) minus.
Hint: you can run ifconfig command to check your MAC address
Once you run the att4ck you will see that the target network AUTH changed and you will have a new client under the BSSID which is us.
Note: That we are associated with the network and we are able to communicate with it if we send something to it, but we are not fully using the wifi just associated.
Packet Injection attack (ARP REQUEST REPLY)
Now, we are already associated with the network and we can communicate with it and it wont refuse us.
So now we are going to send packet injections into the traffic and force the Access Point to generate new IVs. This will increase the number of the DATA really quick and that will allow us to crack the network in minutes or seconds.
I am going to explain to you the best or most reliable method which is AARP Request to att4ck and this method should work against most networks if you have a good signal and a good wireless adapter. I have recommended 2 best alfa adapters Alfa AWUS036NHA , Alfa Long-Range Dual-Band .
The Idea behind air pocket method, its like a type of packet that we are going to wait for. Once this packet is sent in the network, we’re going to capture it and retransmitted.
Once we do this, the router is forced to generate new packets with a new IVs.
So by repeating this process, we will be forcing the writer to continuously generate new packets with new IVs.
Then once we have enough data and IVs, we can run aircraft and exactly as we’ve seen
before, and crack the key.
Now lets do that step by step:
First, We are going to run airodump-ng
step 2: We are going to run aireplay-ng aireplay-ng — fakeauth 0 -a <bssid> -h <wireless adapter MAC>
3rd step: We are going to run the AARP att4ck to inject packets.
So we are going to use similar command as the previous one aireplay-ng.
aireplay-ng — aireplay -b <bssid> -h <wireless adapter MAC> <interface>
What’s happening right now the wireless adapter is waiting for air pocket.
Once there is an air pocket transmitted in this network, it’s going to capture it and it’s going to retransmit it.
Once retransmitted, The access point will be forced to generate a new IV packets. It will keep forcing to generate new packets as you can see in the last line after READ (203), so what you should do is just wait for it.
Once you have seen the packets are moving very fast, Then we are going to use air crack-ng.
## You better run step 2 before cracking.
So now we are going to use aircrack-ng by typing:
aircrack-ng <filename.cap>
##The — write file name that you named when you run airodump-ng
Packet Injection attack (korek ChopChop attack)
Another way of cr4cking WEP , That works with weak signals but more complex than ARP request reply.
So first we are going to run airodump-ng as before
secondly, We are going to run the fake authentication att4ck so the target network dont ignore us and associate and communicate with us.
aireplay-ng — fakeauth 0 -a <bssid> -h <wireless adapter MAC>
Then we are going to run the ChopChop attack
aireplay-ng — chopchop -b <bssid> -h <wireless adapter MAC>
It might take some time so please wait…
Once done check the keystream replay-dc-6999–1696.xor , note that its not identical like this but it ends with .xor
Now next step what we will do is to force fake packets
EXAMPLE: packetforge-ng -0 -a 00:11:22:33:B4:EA -h 00:cd:c3:c9:c3:10 -k 255.255.255.255 -l 255.255.255.255 -y replay-dc-6999–1696.xor -w chopchop
Now we are going to use aireplay-ng to inject our fake packet into the target network:
*Run fake authentication att4ck to get associated before running this attack…
aireplay-ng -2 -r <fake packet> <wifi card>
Now we are going to run aircr4ck-ng on the chopchop.cap file for example. (names differ)
aircrack-ng <filename>.cap <interface>
example: aircrack-ng chopchop-01.cap wlan0
Once cr4cked you can connect to the network with that key! just remove (:).
Packet Injection — PRGA (Fragmentation Attack)
This fragmentation attack is similar but faster than the previous one. In this att4ck we will have to obtain 1500bytes of the PRGA which stands for pseudo random generation algorithm. So we need to get closer to the target network in order to get 1500 bytes.
* Forging new packets and inject them and forge packet into the traffic to instantly increase the number of IVs.
So first step we are going to run airodump-ng and name a file something related to Fragmentation att4ck for example:
airodump-ng -bssid <bssid> — channel <number of the channel #CH> — write fragment-T wlan0
Second step as we do always running fake authentication att4ck so the target network communicate with us and dont ignore us.
aireplay-ng — fakeauth 0 -a <bssid> -h <wireless adapter MAC>
Third step which is the fragmentation att4ck step which is identical to chopchop att4ck but the difference is just the name, instead of chopchop we will type fragment.
- Run fake authentication once more before running this att4ck.
aireplay-ng — fragment -b <bssid> -h <wireless adapter MAC>
when its says USE THIS PACKET? just type y and hit enter.
Once the packet is useful we are going to get the keystream in fragment..etc.xor
So as we did before in chopchop we forced packet using packetforge-ng
packetforge-ng -0 -a <BSSID> -h <adapter MAC> -k <source IP address> -l <destination IP address> -y <keystream file .xor> -w <filename>
Example:
packetforge-ng -0 -a 00:11:22:33:B4:EA -h 00:cd:c3:c9:c3:10 -k 255.255.255.255 -l 255.255.255.255 -y fragment..etc.xor -w fragment_forged_packets
Now we are going to inject the packet into the air using aireplay-ng.
Example:
aireplay-ng -2 -r fragment_forged_packets wlan0
once done you will see the packets are in the air moving fast so now we are going to use aircrack-ng to cr4ck the key.
aircrack-ng <filename>.cap <interface>
example: aircrack-ng fragment_T-01.cap wlan0
and here we go we got the WEP Key!.
So here is the end of the blog of how to cr4ck WEP and i should you the best 3 methods to inject packets to increase the number of data into idol networks.
I hope you enjoyed and found this blog informative , Dont forget me with a like and share :) . Thank you ❤.