26-10-2010 How to Crack a Wi-Fi Network's WEP Pa…

Lifehacker
How to Crack a Wi-Fi Network's WEP Password with BackTrack
You already know that if you
want to lock down your Wi-Fi
network, you should opt for
WPA encryption because
WEP is easy to crack. But did
you know how easy? Take a
look.

Originally published last

year, we wanted to revisit
Gina's awesome guide to
cracking Wi-Fi WEP
pass words for Evil Week. Alternatively, if you're not in a reading mood, check out the video version.

Today we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP s ecurity turned on. But firs t, a word:
Knowledge is power, but power doesn't m ean you should be a jerk, or do anything illegal. Knowing how to pick a lock
doesn't m ake you a thief. Cons ider this post educational, or a proof-of-concept intellectual exercise.

Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously—Google it. This ain't
what you'd call "news." But what is surprising is that som eone like m e, with m inimal networking experience, can get this
done with free software and a cheap Wi-Fi adapter. Here's how it goes.

What You'll Need

Unless you're a computer security and networking ninja, chances are you don't have all the
tools on hand to get this job done. Here's what you'll need:

A compatible wireless adapter—This is the biggest requirem ent. You'll need a wireless
adapter that's capable of packet injection, and chances are the one in your com puter is not.
After consulting with m y friendly neighborhood security expert, I purchased an Alfa
AWUS050NH USB adapter, pictured here, and it set me back about $50 on Am azon. Update:
Don't do what I did. Get the Alfa AWUS036H, not the US050NH, instead. The guy in this video
below is using a $12 model he bought on Ebay (and is even s elling his router of choice).
There are plenty of resources on getting aircrack-compatible adapters out there.
A BackTrack 3 Live CD. We already took you on a full screenshot tour of how to install and
use BackTrack 3, the Linux Live CD that lets you do all sorts of s ecurity testing and tasks. Download yourself a copy
of the CD and burn it, or load it up in VMware to get started. (I tried the BackTrack 4 pre-release, and it didn't work as
well as BT3. Do yourself a favor and stick with BackTrack 3 for now.)
A nearby WEP-enabled Wi-Fi network. The s ignal should be strong and ideally people are using it, connecting
and disconnecting their devices from it. The m ore use it gets while you collect the data you need to run your crack,
the better your chances of success.
Patience with the command line. This is an ten-step proces s that requires typing in long, arcane com mands and
waiting around for your Wi-Fi card to collect data in order to crack the password. Like the doctor said to the s hort
person, be a little patient.

Crack That WEP

To crack WEP, you'll need to launch Konsole, BackTrack's built-in comm and line. It's right there on the taskbar in the lower
left corner, second button to the right. Now, the comm ands.

Firs t run the following to get a list of your network interfaces:

airmon-ng

The only one I've got there is labeled ra0. Yours m ay be different; take note of the label and write it down. From here on in,
substitute it in everywhere a com mand includes (interface).

Now, run the following four com mands. See the output that I got for them in the screenshot below.

airmon-ng stop (interface)

lifehacker.com/…/how-to-crack-a-wi+fi-… 1/5
26-10-2010 How to Crack a Wi-Fi Network's WEP Pa…
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)

If you don't get the same

res ults from these com mands
as pictured here, most likely
your network adapter won't
work with this particular crack.
If you do, you've succes sfully
"faked" a new MAC address on
your network interface,
00:11:22:33:44:55.

Now it's tim e to pick your network. Run:

airodump-ng (interface)

To s ee a list of wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row
pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the colum n labeled CH), as
pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC) column, not WPA or
anything els e.

Like I said, hit Ctrl+C to stop

this listing. (I had to do this
once or twice to find the
network I was looking for.)
Once you've got it, highlight the
BSSID and copy it to your
clipboard for reuse in the
upcom ing com mands.

Now we're going to watch what's going on with that network you chose and capture that information to a file. Run:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

Where (channel) is your network's channel, and (bs sid) is the BSSID you just copied to clipboard. You can use the
Shift+Insert key combination to paste it into the com mand. Enter anything descriptive for (file name). I chose "yoyo," which is
the network's name I'm cracking.

lifehacker.com/…/how-to-crack-a-wi+fi-… 2/5
26-10-2010 How to Crack a Wi-Fi Network's WEP Pa…

You'll get output like what's in the window in the background pictured below. Leave that one be. Open a new Konsole
window in the foreground, and enter this com mand:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

Here the ESSID is the access point's SSID name, which in m y cas e is yoyo. What you want to get after this comm and is
the reassuring "As sociation succes sful" m essage with that smiley face.

You're almost there. Now it's

time for:

aireplay-ng -3 -b
(bssid) -h
00:11:22:33:44:55
(interface)

Here we're creating router

traffic to capture more
throughput fas ter to speed up
our crack. After a few minutes,
that front window will start
going crazy with read/write
packets. (Also, I was unable to
surf the web with the yoyo
network on a separate
computer while this was going
on.) Here's the part where you
might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to
run your crack. Watch the number in the "#Data" colum n—you want it to go above 10,000. (Pictured below it's only at 854.)

Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo AP was
in the s ame room as my adapter), this process could take s ome tim e. Wait until that #Data goes over 10k, though—
because the crack won't work if it doesn't. In fact, you may need more than 10k, though that seems to be a working
threshold for many.

lifehacker.com/…/how-to-crack-a-wi+fi-… 3/5
26-10-2010 How to Crack a Wi-Fi Network's WEP Pa…

Once you've collected enough data, it's the mom ent of truth. Launch a third Konsole window and run the following to crack
that data you've collected:

aircrack-ng -b (bssid) (file name-01.cap)

Here the filename should be whatever you entered above for (file name). You can browse to your Hom e directory to s ee it;
it's the one with .cap as the extension.

If you didn't get enough data, aircrack will fail and tell you to try again with more. If it s ucceeds, it will look like this:

The WEP key appears next to

"KEY FOUND." Drop the
colons and enter it to log onto
the network.

Problems Along the Way

With this article I set out to prove that cracking WEP is a relatively "easy" process for someone determ ined and willing to get
the hardware and software going. I still think that's true, but unlike the guy in the video below, I had several difficulties along
the way. In fact, you'll notice that the last screenshot up there doesn't look like the others—it's because it's not mine. Even
though the AP which I was cracking was m y own and in the sam e room as m y Alfa, the power reading on the signal was
always around -30, and so the data collection was very slow, and BackTrack would consistently crash before it was
com plete. After about half a dozen attempts (and trying BackTrack on both my Mac and PC, as a live CD and a virtual
machine), I still haven't captured enough data for aircrack to decrypt the key.

So while this process is easy in theory, your m ileage m ay vary depending on your hardware, proximity to the AP point, and
the way the planets are aligned. Oh yeah, and if you're on deadline—Murphy's Law alm ost guarantees it won't work if you're
on deadline.

To s ee the video version of these exact instructions, check out this dude's YouTube video.

lifehacker.com/…/how-to-crack-a-wi+fi-… 4/5
26-10-2010 How to Crack a Wi-Fi Network's WEP Pa…

Got any experience with the WEP cracking courtesy of BackTrack? What do you have to say about it? Give it up in the
com ments.

Gina Trapani, Lifehacker's founding editor, is tired of typing comm ands that start with "air." Her weekly feature, Sm arterware,
appears every Wednesday on Lifehack er. Subscrib e to the Sm arterware tag feed to get new installments in your
newsreader.

Contact information for this author is not available.

By Gina Trapani

Me gusta A 353 personas les gusta esto. Sé el primero de tus amigos.

270

Oct 25, 2010 01:00 PM 1,427,475 285

more about wep

Crack a Wi-Fi
Network's WEP
Password with
BackTrack, the Fancy
Video Version

The Definitive Guide

to Finding Free Wi-Fi

read more: wifi, wep, stepbys tep, s ecurity,

homenetwork, linux, linuxlivecd, livecd,
vmware, clips, howto, s creenshottour,
feature, top, sm arterware, downloads ,
com mandline, evilweek

Archives Advertising Legal Report a Bug FAQ

Original material is licensed under a Creative Commons License permitting non-commercial sharing w ith attribution.

lifehacker.com/…/how-to-crack-a-wi+fi-… 5/5