Main Broadband Reviews Articles Forums Information

Search site

Main
Home » Articles » Security
Broadband
Reviews
Articles
Articles
Forums
Information How To Crack WEP and WPA Wireless Networks
Cracking WEP, WPA-PSK and WPA2-PSK wireless security using aircrack-ng
2008.11.21 10:53 by Philip
Keywords: aircrack, Wireless, Wi-Fi, WPA, WEP, WPA2, NIC, hash, wordlist, security, SSID, channel

Login
Username: Introduction
Username
With the popularity of wireless
Password:
networks and mobile computing, an
•••••••••
overall understanding of common
security issues has become not only
relevant, but very necessary for both
forgot your password?
home/SOHO users and IT
professionals alike. This article is
Shortcuts aimed at illustrating current security
flaws in WEP/WPA/WPA2.
Broadband Hardware
Successfully cracking a wireless
FAQs
network assumes some basic
Glossary familiarity with networking principles
SG Broadband Tools and terminology, as well as working
with command-line tools. A basic
SG Network Tools
familiarity with Linux can be helpful
SG Ports Database as well.
SG Security Scan
Disclaimer: Attempting to access a network other than your own, or one you have
SG Speed Test permission to use is illegal insome U.S. jurisdictions. Speed Guide, Inc. are not to be held
TCP/IP Analyzer liable for any damages resulting from the use or misuse of the information in this article.
TCP/IP Optimizer
To successfully crack WEP/WPA, you first need to be able to set your wireless network
card in "monitor" mode to passively capture packets without being associated with a
network. This NIC mode is driver-dependent, and only a relatively small number of
network cards support this mode under Windows.

One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK
keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux
and Windows versions (provided your network card is supported under Windows). The
aircrack-ng site has a comprehensive list of supported network cards available here: NIC
chipset compatability list.

If your network card is not supported under Windows, one can use a free Linux Live CD to
boot the system. BackTrack 3 is probably the most commonly used distribution, since it
runs from a Live CD, and has aircrack-ng and a number of related tools already installed.

For this article, I am using aircrack-ng version 1.0 on a Linux partition (Fedora Core
10, 2.6 32-bit kernel) on my Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn
network card. If you're using the BackTrack 3 CD aircrack-ng is already installed, with my
version of linux it was as simple as finding it with:

yum search aircrack-ng

yum install aircrack-ng
The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-
PSK key cracking. The ones we will be using are:

airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-
PSK using the captured data.

1. Setup (airmon-ng)
As mentioned above, to capture network traffic wihtout being associated with an access
point, we need to set the wireless network card in monitor mode. To do that under linux,
in a terminal window (logged in as root), type:

iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode, you may have to substitute
wlan0 for your own interface name)

Note: You can use the su command to switch to a root account.

Other related Linux commands:

ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC -
can even simulate the MAC of an associated client. NIC should be stopped before
chaning MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.

2. Recon Stage (airodump-ng)

This step assumes you've already set your wireless network interface in monitor mode. It
can be checked by executing the iwconfig command. Next step is finding available wireless
networks, and choosing your target:

airodump-ng mon0 - monitors all channels, listing available access points and
associated clients within range. It is best to select a target network with strong
signal (PWR column), more traffic (Beacons/Data columns) and associated clients
(listed below all access points). Once you've selected a target, note its Channel and
BSSID (MAC address). Also note any STATION associated with the same BSSID
(client MAC addresses).

running airodump-ng displays all wireless access points and associated

clients in range, as well as MAC addresses, SSIDs, signal levels and
other information about them.

WEP is much easier to crack than WPA-PSK, as it only requires data capturing (between
20k and 40k packets), while WPA-PSK needs a dictionary attack on a captured handshake
between the access point and an associated client which may or may not work.

3. Capture Data (airodump-ng)

To capture data into a file, we use the airodump-ng tool again, with some additional
switches to target a specific AP and channel. Most importantly, you should restrict
monitoring to a single channel to speed up data collection, otherwise the wireless card has
to alternate between all channels. Assuming our wireless card is mon0, and we want to
capture packets on channel 6 into a text file called data:

airodump-ng -c 6 bssid 00:0F:CC:7D:5A:74 -w data mon0 (-c6 switch

would capture data on channel 6, bssid 00:0F:CC:7D:5A:74 is the MAC address of
our target access point, -w data specifies that we want to save captured packets
 into a file called "data" in the current directory, mon0 is our wireless network
adapter)

Running airodump-ng on a single channel targeting a specific access point

Notes:
You typically need between 20,000 and 40,000 data packets to successfully recover a
WEP key.
One can also use the "--ivs" switch with the airodump-ng command to capture only IVs,
instead of whole packets, reducing the required disk space. However, this switch can only
be used if targeting a WEP network, and renders some types of attacks useless.

4. Increase Traffic (aireplay-ng) - optional step for

WEP cracking
An active network can usually be penetrated within a few minutes. However, slow
networks can take hours, even days to collect enough data for recovering the WEP key.

This optional step allows a compatible network interface to inject/generate packets to

increase traffic on the wireless network, therefore greatly reducing the time required for
capturing data. The aireplay-ng command should be executed in a separate terminal
window, concurrent to airodump-ng. It requires a compatible network card and driver that
allows for injection mode.

Assuming your network card is capable of injecting packets, in a separate terminal window
try:

aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0

-3 --> this specifies the type of attack, in our case ARP-request replay
-b ..... --> MAC address of access point
-h ..... --> MAC address of associated client from airodump
-x 50 --> limit to sending 50 packets per second
wlan0 --> our wireless network interface

aireplay-ng allows for injecting packets to greatly reduce the time required
to recover a WEP key

Notes:
To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9
wlan0. You may also want to read the information available -here-.
To see all available replay attacks, type just: aireplay-ng

5. Crack WEP (aircrack-ng)

WEP cracking is a simple process, only requiring collection of enough data to then extract
the key and connect to the network. You can crack the WEP key while capturing data. In
fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.

To attempt recovering the WEP key, in a new terminal window, type:

aircrack-ng data*.cap (assuming your capture file is called data...cap, and is

located in the same directory)

aircrack-ng can successfully recover a WEP key with 10-40k captured

packets. The retreived key is in hexadecimal, and can be entered directly
into a wireless client omitting the ":" separators

Notes:
If your data file contains ivs/packets from different access points, you may be presented
with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It
may sometimes work with as few as 10,000 packets with short keys.

6. Crack WPA or WPA2 PSK (aircrack-ng)

WPA, unlike WEP rotates the network key on a per-packet basis, rendering the WEP
method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary
attack on a handshake between an access point and a client. What this means is, you
need to wait until a wireless client associates with the network (or deassociate an
already connected client so they automatically reconnect). All that needs to be captured is
the initial "four-way-handshake" association between the access point and a client.
Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak
passphrase makes it vulnerable to dictionary attacks.

To successfully crack a WPA-PSK network, you first need a capture file containing
handshake data. This can be obtained using the same technique as with WEP in step 3
above, using airodump-ng.

You may also try to deauthenticate an associated client to speed up this process of
capturing a handshake, using:

aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_IP is

the MAC address of the access point, MAC_Client is the MAC address of an
associated client, mon0 is your wireless NIC).

Once you have captured a four-way handshake, you also need a large/relevant dictinary
file (commonly known as wordlists) with common passphrases. See related links below for
some wordlist links.

You can, then execute the following command in a linux terminal window (assuming both
the dictionary file and captured data file are in the same directory):

aircrack-ng -w wordlist capture_file (where wordlist is your dictionary file, and

capture_file is a .cap file with a valid WPA handshake)

Additional Notes:
Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a
handshake). After that, an offline dictionary attack on that handshake takes much longer,
and will only succeed with weak passphrases and good dictionary files. A good size wordlist
should be 20+ Megabytes in size, cracking a strong passphrase will take hours and is CPU
intensive.

Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for
the chance to stumble on a combination of common numerals or dictionary words. Still, a
weak/short/common/human-readable passphrase can be broken within a few minutes
using an offline dictionary attack. My record time was less than a minute on an all-caps
10-character passphrase using common words with less than 11,000 tested keys! A
modern laptop can process over 10 Million possible keys in less than 3 hours.

WPA hashes the network key using the wireless access point's SSID as salt. This prevents
the statistical key-grabbing techniques that broke WEP, and makes hash precomputation
more dificult because the specific SSID needs to be added as salt for the hash. There are
some tools like coWPAtty that can use precomputed hash files to speed up dictionary
attacks. Those hash files can be very effective (sicne they're much less CPU intensive and
therefore faster), but quite big in size. The Church of WiFi has computed hash tables for
the 1000 most common SSIDs against a million common passphrases that are 7Gb and
33Gb in size...

Conclusion
As demonstrated above, WEP cracking has become increasingly easier over the years, and
what used to take hundreds of thousands packets and days of capturing data can be
accomplished today within 15 minutes with a mere 20k data frames.

WPA/WPA2-PSK encryption is holding its ground if using a strong, long key. However,
weak passphrases are vulnerable to dictionary attacks. WPA/WPA2 may be on borrowed
time as well, according to some recent news.

Related Links
aircrack-ng
Openwall wordlist collection
Wordlists mirror
wordlists - torrent search
the A.R.G.O.N. - wordlists
Church of WiFi hash tables

Network Protection
Broadcast on secured borderless networks with industry experts!
www.cisco.com/SBN

User Reviews/Comments: rate: -- rating -- avg:

by demola - 2009.02.07 08:02

can it be used with vista?

by Philip - 2009.02.07 10:40

Yes, the aircrack suite will work under Vista as well. All commands need to be ran under
"elevated command prompt" (admininstrator priviledges), or you need to have UAC
(User Account Control) turned off.

The only potential problem under Windows is that fewer network adapters have
compatible drivers that support monitor mode.

by Timothy - 2009.02.17 16:57

Hello,

finnaly I got Back Track work (this allready took me a few time =) ) But now I typed in
"ifconfig" at the console but it doesn't show me a wirless interface. Do I need to install
any drivers ? Or does it simply not work with my Laptop's Wirless Card. It's a Intel
Wireless WiFi Link 5100. When I look at the compatibility list it should work I think :

Centrino a/g/n (5xxx) NO YES YES

Pls Help me.

Greetings Timothy

by anonymous - 2009.03.03 09:03

Intel wireless cards don't play well with Linux. Consider getting a D-Link card that uses
an Atheros chipset or get any other Atheros based card.

by Philip - 2009.03.03 09:51

While it is true that Atheros-based NICs have the widest support, latest linux kernels
have improved Intel-based support.

I have had no problem running aircrack with my Intel 4965agn wireless NIC as
mentioned in the article.

by arrowunderworld - 2009.03.04 01:50

To show me a wirless interface attached to your computer, you need to type: iwconfig.

Good luck

by dominique - 2009.03.05 07:51

hey Phil,

so im wondering.. after this process, do i have to put my wireless card back in normal or
"managed" mode as i think its called? and if so how do i do so? thx a bunch in advance. i
havent done this crack process yet cuz i want all the intangibles covered as much as i
can but as soon as u reply, i will. cuz ur guide look legit and fool proof. thx again.

by anonymous - 2009.03.06 21:13

When using backtrack 3 on my sony VGN-TZ160C which has the same network card
chipset I got the

"ERROR: Neither the sysfs interface links nor the iw command is available"

when running airmon-ng start wlan0

it tells me to install iw but I found no easy way to install it.

Then again i'm running backtrack 3 from my usb dongle, I did not nor know how to
install the image to the USB so I beleive the installation is readonly. Is it possible to
install IW or how do I install backtrack to the USB dongle ?

Thanks for pointing me in the right direction

by triniwasp - 2009.03.07 02:15

Thanks for the article Phillip, I was wondering does one need to install a Linux OS on the
machine or can it be done from Virtual Box or similar software?

by Philip - 2009.03.07 09:47

triniwasp, theoretically it's possible to run aircrack-ng under Windows if you have the
right driver for your network card.

Alternatively, you can run Backtrack 3 from a live CD, or you can install some other
version of Linux on a USB drive (or a second partition on your HDD).

Ultimately, it depends which OS supports the monitor/inject mode for your network
card.

by triniwasp - 2009.03.10 13:16

Phillip,

When I attempt to capture after entering the commands I get the following message:
"airodump-ng --help" for help

Nor is there a data file in my home folder, do you have any idea what I'm doing wrong?

Thanks.

by anonymous - 2009.04.20 15:23

i have a ap in client mode because i dont have a wireless card. Its possible crack the
wires founded by my ap?

by anonymous - 2009.05.15 10:41

I was getting the same error but made it work by typing

airodump-ng --channel 6 --bssid 00:0F:CC:7D:5A:74 -w data mon0

This should work

by Jingfeng - 2009.08.23 07:04

Very clear instructions.

Does it work with Mac OS X?

by teknogeekz.com - 2009.09.20 23:12

For Mac OS X try Kismac

 by anonymous - 2009.10.03 18:09

Greetings from London. When I do the aireplay --deauth command, is there any
indication that would tell me if it worked or not?

by Kojak1958 - 2009.10.27 11:29

Hello ? Speed guide ? The lights are on. Is anybody really home ?

You can hide, and have hidden, behind the letter of the law.
Publishing this information is ethically criminal. Your disclaimer
clearly indicates you understand people will use this information
to do what ought not to be done. Namely hacking into networks
not their own. Shame on you speed guide !

by Philip - 2009.10.27 12:48

Security by obscurity is not a sound principle in our book. In other words, the notion
that unknown security flaws are unlikely to be found by attackers is false.

WEP, for example, has very well known exploits, and anyone serious about securing
their network should be aware of the extent of such flaws.

The article above merely informs readers how this is accomplished, therefore allowing
them to make more educated choices when choosing encryption methods.

by Kojak1958 - 2009.10.28 13:58

Phillip,

You have only to look at all the other posts here, in order to clearly understand what is
happening. Others posting here are helping each other hack private networks (not
protect themselves), whether you do or do not acknowledge this it doesn't change the
truth of the matter. Period.

by Philip - 2009.11.08 12:54

Inormation can be used in different ways. The fact that there exists the possibility of it
being used unethically does not justify hiding it, and does not make it "shameful".

by zoltan - 2009.11.17 10:28

BFD

and that does jack what to my RADIUS setup?

by anonymous - 2009.11.17 13:09

The best article I have read on using the aircrack suite. Thanks for posting, this
information needs to be known.

by Wdb8 - 2009.11.27 18:34

Dear Writer,

I am extremely thankful to you for this informative, clean, pin pointed and easy to
understand tutorial. It worked for me as piece of cake.

Before, I could reach at your article, I tried almost 50 Tutorials and 10 different Linux
Distros.. but my wireless RT2870 Chipset was not compatible for the said purpose.

Regards
Thank you again

by MD - 2009.12.04 22:27
 Well, your tutorial was really easy to follow. Other ones at the default website and some
forums were really long and confusing for me, even I am using Linux for over 5 years. I
don't get why those people have written more commands and other shit.

Good work. Keep it up!

by asd123mnm - 2009.12.12 02:16

HI,
I have same intel 4965 agn with hp dv6985 se,Operating system Vista.I em using
Vmware and running backtrack 3.I still cannot see my card.Please help me
Thanks

1 |2|3

Related Articles:

The TCP Window, Latency, and the Bandwidth Delay product

Windows Vista tcpip.sys connection limit patch for Event ID 4226
Windows 7, Vista, 2008 Tweaks
ADSL VPI, VCI and Encapsulation settings
Linux TCP/IP parameters reference

Copyright © 1998-2010 Speed Guide, Inc. All rights reserved.

exec. time: 0.15907 s Terms of Use | Privacy Policy