How To Crack Wep Wifi
Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat.
- How To Crack Wifi Passwords
- How To Crack Wep Wifi Security
- How To Crack Wep On Mac
- How To Crack Wep Wifi Password
This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.
If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. For a variety of suggestions and alternative methods, see the appendix. neal1991 and tiiime have also graciously provided translations to this document and the appendix in Chinese if you prefer those versions.
- How to Crack Wireless Networks. WEP cracking. Cracking is the process of exploiting security weaknesses in wireless networks and gaining unauthorized access. WEP cracking refers to exploits on networks that use WEP to implement security controls. There are basically two types of cracks namely.
- Steps to crack WPA/WPA2 WiFi Password using Fluxion Scan the networks. Capture a handshake (can’t be used without a valid handshake, it’s necessary to verify the password). Use WEB Interface. Launch a FakeAP instance to imitate the original access point. Spawns a MDK3 process, which.
WEP Vulnerabilities vs WPA Vulnerabilities. Before we begin the WEP cracking demonstration, you should have a general understanding of the protocol, its vulnerabilities, and how they differ from WPA and WPA2. First off, you should understand that WEP is a security protocol that uses RC4 security which is a type of stream cipher. The cipher uses. Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys. Crack WPA or WPA2 PSK (aircrack-ng) WPA, unlike WEP rotates the network key on a per-packet basis, rendering the WEP method of penetration useless.
How To Crack Wifi Passwords
DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.
Android platform. The latest version of the platform is now Android 10. Android 8 introduced an Android flavor for low-end devices the Go Edition.It aims devices with low RAM (1GB or less), slow internet connections and lower-end CPU. When a device goes from just working to actually making life easier, Android is behind it. It’s the reason your GPS avoids traffic, your watch can text and your Assistant can answer questions. It’s the operating system inside 2.5 billion active devices. Everything from 5G phones to. Android os versions.
Getting Started
This tutorial assumes that you:
- Have a general comfortability using the command-line
- Are running a debian-based linux distro, preferably Kali linux (OSX users see the appendix)
- Have Aircrack-ng installed
sudo apt-get install aircrack-ng
- Have a wireless card that supports monitor mode (see here for a list of supported devices)
Cracking a Wi-Fi Network
Monitor Mode
Begin by listing wireless interfaces that support monitor mode with:
If you do not see an interface listed then your wireless card does not support monitor mode
We will assume your wireless interface name is wlan0
but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:
Run iwconfig
. You should now see a new monitor mode interface listed (likely mon0
or wlan0mon
).
Find Your Target
Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:
You should see output similar to what is below.
For the purposes of this demo, we will choose to crack the password of my network, 'hackme'. Remember the BSSID MAC address and channel (CH
) number as displayed by airodump-ng
, as we will need them both for the next step.
Capture a 4-way Handshake
WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng
to monitor traffic on the target network using the channel and bssid values discovered from the previous command.
Now we wait.. Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67
at the top right of the screen, just right of the current time.
If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.
Once you've captured a handshake, press ctrl-c
to quit airodump-ng
. You should see a .cap
file wherever you told airodump-ng
to save the capture (likely called -01.cap
). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:
Crack the Network Password
The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat
for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat
. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.
Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.
Cracking With naive-hashcat
(recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap
file to the equivalent hashcat file format .hccapx
. You can do this easily by either uploading the .cap
file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx
tool directly.
Next, download and run naive-hashcat
:
Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE
:
Where the last two fields separated by :
are the network name and password respectively.
If you would like to use hashcat
without naive-hashcat
see this page for info.
Cracking With Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
Note, that if the network password is not in the wordfile you will not crack the password.
If the password is cracked you will see a KEY FOUND!
message in the terminal followed by the plain text version of the network password.
Deauth Attack
A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake 'sender' addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng
.
Use airodump-ng
to monitor a specific access point (using -c channel --bssid MAC
) until you see a client (STATION
) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7
the client MAC.
Now, leave airodump-ng
running and open a new terminal. We will use the aireplay-ng
command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.
You can optionally broadcast deauth packets to all connected clients with:
Once you've sent the deauth packets, head back over to your airodump-ng
process, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0
. Now that you've captured a handshake you should be ready to crack the network password.
List of Commands
Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.
Appendix
The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:
- Capture handshakes and crack WPA passwords on MacOS/OSX
- Capture handshakes from every network around you with
wlandump-ng
- Use
crunch
to generate 100+GB wordlists on-the-fly - Spoof your MAC address with
macchanger
A Chinese version of the appendix is also available.
Attribution
Much of the information presented here was gleaned from Lewis Encarnacion's awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.
Overwhelming thanks to neal1991 and tiiime for translating this tutorial into Chinese. Further shout outs to yizhiheng, hiteshnayak305, enilfodne, DrinkMoreCodeMore, hivie7510, cprogrammer1994, 0XE4, hartzell, zeeshanu, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Reddit and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.
You already know that if you want to lock down your Wi-Fi network, you should opt for WPA encryption because WEP is easy to crack. But did you know how easy? Take a look.
Secure Your Home Wi-Fi Network
Tech site Ars Technica runs down the basics of securing your home wireless network with the most…
Read more ReadAdvertisement
Note: This post demonstrates how to crack WEP passwords, an older and less often used network security protocol. If the network you want to crack is using the more popular WPA encryption, see our guide to cracking a Wi-Fi network's WPA password with Reaver instead.
How to Crack a Wi-Fi Network's WPA Password with Reaver
Your Wi-Fi network is your conveniently wireless gateway to the internet, and since you're not …
Read more ReadToday we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: Knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise.
How to Pick a Lock with a Bump Key
From the 'use this for good, not evil' files comes a fascinating instructional video on…
Read more ReadAdvertisement
Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously—Google it. This ain't what you'd call 'news.' But what is surprising is that someone like me, with minimal networking experience, can get this done with free software and a cheap Wi-Fi adapter. Here's how it goes.
What You'll Need
Unless you're a computer security and networking ninja, chances are you don't have all the tools on hand to get this job done. Here's what you'll need:
- A compatible wireless adapter—This is the biggest requirement. You'll need a wireless adapter that's capable of packet injection, and chances are the one in your computer is not. After consulting with my friendly neighborhood security expert, I purchased an Alfa AWUS050NH USB adapter, pictured here, and it set me back about $50 on Amazon. Update: Don't do what I did. Get the Alfa AWUS036H, not the US050NH, instead.The guy in this video below is using a $12 model he bought on Ebay (and is even selling his router of choice). There are plenty of resources on getting aircrack-compatible adapters out there.
- A BackTrack Live CD. We already took you on a full screenshot tour of how to install and use BackTrack 3, the Linux Live CD that lets you do all sorts of security testing and tasks. Download yourself a copy of the CD and burn it, or load it up in VMware to get started.
- A nearby WEP-enabled Wi-Fi network. The signal should be strong and ideally people are using it, connecting and disconnecting their devices from it. The more use it gets while you collect the data you need to run your crack, the better your chances of success.
- Patience with the command line. This is an ten-step process that requires typing in long, arcane commands and waiting around for your Wi-Fi card to collect data in order to crack the password. Like the doctor said to the short person, be a little patient.
Advertisement
Crack That WEP
To crack WEP, you'll need to launch Konsole, BackTrack's built-in command line. It's right there on the taskbar in the lower left corner, second button to the right. Now, the commands.
Advertisement
First run the following to get a list of your network interfaces:
The only one I've got there is labeled ra0
. Yours may be different; take note of the label and write it down. From here on in, substitute it in everywhere a command includes (interface).
Advertisement
Now, run the following four commands. See the output that I got for them in the screenshot below.
Advertisement
If you don't get the same results from these commands as pictured here, most likely your network adapter won't work with this particular crack. If you do, you've successfully 'faked' a new MAC address on your network interface, 00:11:22:33:44:55.
Advertisement
Now it's time to pick your network. Run:
To see a list of wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the column labeled CH), as pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC) column, not WPA or anything else.
Advertisement
Like I said, hit Ctrl+C to stop this listing. (I had to do this once or twice to find the network I was looking for.) Once you've got it, highlight the BSSID and copy it to your clipboard for reuse in the upcoming commands.
Advertisement
Now we're going to watch what's going on with that network you chose and capture that information to a file. Run:
Where (channel) is your network's channel, and (bssid) is the BSSID you just copied to clipboard. You can use the Shift+Insert key combination to paste it into the command. Enter anything descriptive for (file name). I chose 'yoyo,' which is the network's name I'm cracking.
Advertisement
You'll get output like what's in the window in the background pictured below. Leave that one be. Open a new Konsole window in the foreground, and enter this command:
Here the ESSID is the access point's SSID name, which in my case is yoyo
. What you want to get after this command is the reassuring 'Association successful' message with that smiley face.
Advertisement
You're almost there. Now it's time for:
Here we're creating router traffic to capture more throughput faster to speed up our crack. After a few minutes, that front window will start going crazy with read/write packets. (Also, I was unable to surf the web with the yoyo
network on a separate computer while this was going on.) Here's the part where you might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to run your crack. Watch the number in the '#Data' column—you want it to go above 10,000. (Pictured below it's only at 854.)
Glock serial numbers list 1. Advertisement
Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo
AP was in the same room as my adapter), this process could take some time. Wait until that #Data goes over 10k, though—because the crack won't work if it doesn't. In fact, you may need more than 10k, though that seems to be a working threshold for many.
Advertisement
Once you've collected enough data, it's the moment of truth. Launch a third Konsole window and run the following to crack that data you've collected:
Here the filename should be whatever you entered above for (file name). You can browse to your Home directory to see it; it's the one with .cap as the extension.
Advertisement
If you didn't get enough data, aircrack will fail and tell you to try again with more. If it succeeds, it will look like this:
How To Crack Wep Wifi Security
Advertisement
The WEP key appears next to 'KEY FOUND.' Drop the colons and enter it to log onto the network.
Problems Along the Way
With this article I set out to prove that cracking WEP is a relatively 'easy' process for someone determined and willing to get the hardware and software going. I still think that's true, but unlike the guy in the video below, I had several difficulties along the way. In fact, you'll notice that the last screenshot up there doesn't look like the others—it's because it's not mine. Even though the AP which I was cracking was my own and in the same room as my Alfa, the power reading on the signal was always around -30, and so the data collection was very slow, and BackTrack would consistently crash before it was complete. After about half a dozen attempts (and trying BackTrack on both my Mac and PC, as a live CD and a virtual machine), I still haven't captured enough data for aircrack to decrypt the key.
Advertisement
So while this process is easy in theory, your mileage may vary depending on your hardware, proximity to the AP point, and the way the planets are aligned. Oh yeah, and if you're on deadline—Murphy's Law almost guarantees it won't work if you're on deadline.
How To Crack Wep On Mac
Got any experience with the WEP cracking courtesy of BackTrack? What do you have to say about it? Give it up in the comments.
How To Crack Wep Wifi Password
Advertisement