
How to Hack WEP Protected Wireless Networks

2010-10-08

We never want to be without the Internet and sometimes there's an open wireless network in range but they're usually quite slow.  However, most of the time there are also networks "secured" with WEP and they're easy to hack.  WEP is pretty much like closing your door but not locking it.

First of all, you'll need aircrack-ng.  Install it now – you'll need it when you can't access the Internet.  aircrack-ng is a set of very useful console programs and in this article I'll assume you're using Linux, but it's pretty much the same for Windows without the sudo.  On Debian-based Linux you can just type:

sudo apt-get install aircrack-ng

You need to get your wireless card and driver into monitoring mode and make it capable of injecting packets on the network.  We'll use airmon-ng to create a new virtual interface called mon0 that can do this.

sudo airmon-ng start wlan0

You can use sudo airmon-ng to find the name of your wireless interface if it's not wlan0.  Next we'll use airodump-ng to see what networks are within range.

sudo airodump-ng mon0

Wait a little, then pick the WEP network with the highest number of data packets sent and note what channel it's on.  Now we want to use the same program again but lock onto that channel and record all the encrypted data that is being sent.

sudo airodump-ng -w wireless_dump -c channel mon0

Hacking WEP works by collecting enough encrypted data packets that a program can run a statistical analysis on them, come up with probable keys and try them until it finds the right one.  If we couldn't narrow it down like this it could take years to try all combinations.

Sometimes 10 000 encrypted data packets are enough, other times you need more than 50 000.  On very busy networks there might be enough traffic to quickly get enough packets but most of the time we have to speed things up by tricking hosts to send more data.  We'll open a new console and use aireplay-ng and the standard ARP-request replay attack for this.

sudo aireplay-ng -3 mon0 -b target

The target is the BSSID of the network we're hacking and looks something like 00:01:38:AE:A2:86.  You can see it on the airodump-ng screen or find it in the wireless_dump.csv file.

As soon as aireplay-ng finds an ARP-packet it will use it to try and have the other hosts send much more data and you can see that it's working on the airodump-ng screen.  Now it's finally time for cracking the password and for this we'll use aircrack-ng.
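From the defending side, the ARP-request replay described above is easy to spot in a capture: a real WEP station changes the 3-byte IV on every frame, while a replayed frame carries the same IV from the same transmitter over and over.  The following is an added example, not part of the original article, that parses constructed 802.11 WEP data frames (standard 24-byte header followed by the 4-byte WEP header) and flags any transmitter that repeats one IV; the station MACs are constructed and the BSSID is the article's example value.

```python
from collections import Counter

DATA_TYPE = 0x08        # Frame Control byte 0: type bits == data
PROTECTED_FLAG = 0x40   # Frame Control flags byte: Protected (WEP) bit

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_wep_frame(bssid, src, dst, seq, iv, body=b"\x00" * 36):
    """Constructed 802.11 data frame (ToDS, Protected) carrying a WEP header."""
    hdr = bytes([DATA_TYPE, 0x01 | PROTECTED_FLAG]) + b"\x00\x00"   # FC + duration
    hdr += bssid + src + dst + (seq << 4).to_bytes(2, "little")     # addr1-3, seq ctrl
    return hdr + iv + b"\x00" + body   # 3-byte IV, key-index byte, encrypted body

def parse_wep_header(frame):
    """Return (transmitter_mac, iv) for a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    if (frame[0] & 0x0C) != DATA_TYPE or not (frame[1] & PROTECTED_FLAG):
        return None
    return frame[10:16], frame[24:27]

def detect_iv_replay(frames, threshold=20):
    """Map (transmitter, iv_hex) -> count for pairs seen at least `threshold` times.
    A station that keeps emitting the same IV is the fingerprint of injected
    replay traffic; genuine WEP stations move the IV every frame."""
    counts = Counter()
    for frame in frames:
        parsed = parse_wep_header(frame)
        if parsed:
            src, iv = parsed
            counts[(mac_str(src), iv.hex())] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed capture: 30 normal frames with incrementing IVs from station A,
# then 25 identical copies of one frame from station B (the replay pattern).
BSSID = bytes.fromhex("000138aea286")   # example BSSID from the article
STA_A = bytes.fromhex("020000000001")   # constructed station addresses
STA_B = bytes.fromhex("020000000002")

def sample_capture():
    frames = [build_wep_frame(BSSID, STA_A, BSSID, i, i.to_bytes(3, "big"))
              for i in range(30)]
    replayed = build_wep_frame(BSSID, STA_B, BSSID, 7, bytes.fromhex("1a2b3c"))
    return frames + [replayed] * 25

if __name__ == "__main__":
    for (mac, iv), n in detect_iv_replay(sample_capture()).items():
        print(f"replay suspected: {mac} repeated IV {iv} {n} times")
```

Some old WEP implementations reset the IV to zero on power-up, so a single burst after reboot is not proof by itself; in a real monitor you would also look at the frame rate and the constant frame size of the replayed packets.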

aircrack-ng wireless_dump*.cap

Select the network, unless it does it automatically, and then aircrack-ng will start working.  It might fail because you don't have enough packets yet, but then you can just leave it and it will automatically try again whenever you've collected another 5 000 packets.

And there you have it, aircrack-ng will print out the password key in HEX when it finds it.  Type it without the colons.  Sometimes it might print it out in ASCII as well and then you can use that as a normal password.  Now save this page so you know what to do when you can't access the Internet.

You might want to check out How to Secure A Wireless Network now.