Cracking 802.11, WEP

11 minutes
Share the link to this page
You need to purchase the class to view this lesson.
One-time Purchase
List Price:  $139.99
You save:  $40
List Price:  د.إ514.18
You save:  د.إ146.92
List Price:  A$182.11
You save:  A$52.03
List Price:  ৳11,901.15
You save:  ৳3,400.57
List Price:  CA$177.84
You save:  CA$50.81
CHF 89.14
List Price:  CHF 124.80
You save:  CHF 35.66
List Price:  kr862.01
You save:  kr246.30
List Price:  €115.89
You save:  €33.11
List Price:  £103.02
You save:  £29.43
List Price:  HK$1,085.42
You save:  HK$310.14
List Price:  ₹10,242.01
You save:  ₹2,926.50
List Price:  RM565.06
You save:  RM161.46
List Price:  ₦55,462.88
You save:  ₦15,847.67
List Price:  kr1,199.74
You save:  kr342.80
List Price:  NZ$195.88
You save:  NZ$55.97
List Price:  ₱6,726.63
You save:  ₱1,922.03
List Price:  ₨22,557.45
You save:  ₨6,445.44
List Price:  S$186.18
You save:  S$53.20
List Price:  ฿4,211.81
You save:  ฿1,203.46
List Price:  ₺1,046.46
You save:  ₺299.01
List Price:  B$741.01
You save:  B$211.73
List Price:  R2,131.70
You save:  R609.10
List Price:  Лв226.90
You save:  Лв64.83
List Price:  ₩154,585.35
You save:  ₩44,170.40
List Price:  ₪460.36
You save:  ₪131.54
Already have an account? Log In


Probably one of the biggest classic threats to any wireless network. Is it susceptibility to being cracked. So what we're going to be doing in this episode is we're going to be grabbing WP WPA, WPA two and WPS passwords using standard hacking tools. Now, there's a lot of details that go into all of this. So we're going to separate these. So first, let's go ahead and let's go through an old school web crack.

Now, the ability to crack WEP has been around for Well, a long, long time, close to 20 years now, with that, you would think that most wireless networks would be off of wi EP Well, they're not. We can find up to 15% of all wireless networks are still running WEP encryption so even though weapons old fashioned even though WEP is well established, its ability to crack well We're going to go through it. The downside to web is that the initialization vector, the way it was being generated, made it susceptible to mathematical rigor. And as a result, we call this a IV attack. It's been around for a long time, and it's actually kind of fun to do. So, let me give you our setup so you know what's going on.

Now, first of all, I just got a regular wireless access point here. I have hot rotted a little bit, it's running DD WRT firmware instead of the regular lynxes firmware. Now, I've got a machine over here. Now this machine, the only reason he's here is so I can show you what's happening on the wireless settings on this wireless access point. And over here, I've got my good old Kali Linux box with my good superduper network card on here. And we're going to be using a tool called aircrack to go through the process of grabbing the WEP keys off of this system.

So what you're looking at here, I'm over on my good computer right now. And I'm physically plugged into the back of this little router. So you can see the router itself is set up as 192 168 one dot one, it's going to be a DHCP server passing out 192 168 dot one addresses. And what I'd like to do now is let's go over to the wireless side. And you can see right now it's set up as an access point. And I've given it the SSID of not secure Wi Fi, you need to remember that.

The next thing I want to do is head over to wireless security. Now if you look here, we've got it set to WEP. If I wanted to, I could do a lot of other ones. But right now I just because I want to show you how web works. Now web remember has two different size keys 64 bit or 128 bit now I'm going to use 64 bit just because it cracks a little faster, but it can crack 128 just as easily. Now what we do is we usually type in some word and that generates these 64 bit key So you can see the 64 bit keys are generated by this.

So it's 10 hexadecimal digits 1-234-567-8910. I want to use the passphrase total. let's generate on that. And you can see I have four different keys. Now normally, we're just going to use the first key, you can see the default transmit key is number one, the other three keys are there in case somebody wanted to come visit, you want to give him a temporary key or something like that, where you can generate that stuff. Let me go ahead and save all this.

So we've got a little web enabled wireless access point that's running an SSID of not secure web. And we've gone ahead and we know what that key is. So let's go ahead and put the key down one more time, so we got it. Alright, so remember that key because we're going to use this guy and we're going to take advantage of the power of the aircrack tool to actually make that crack. So what we're going to do is we're going to go through the steps To do this, keep in mind that a lot of the steps that you're going to be looking at at the beginning are going to be things for just like finding the network card, getting the network card turned on to start grabbing data, sending it through a particular port, then we're going to take that data and we're going to look at it for a while.

And then literally, there's only one line that we're going to do that says, Okay, go ahead and crack it. Go. Let's go ahead and get started. Alright, so here I am at a terminal within my Kali Linux, and we're going to start running aircrack. So aircrack is actually a suite of different utilities. aircrack ng is actually the only tool that does the cracking.

We use other tools as well. Like for example, what I want to do is I want to see what kind of network cards I have. So I'm going to use the command airman dash and G. And you can see it has a W land zero and that is my superduper network card. So that's the one I want to use. So I'm going to tell the airman tool to start Monitoring on that wireless device. So I'm just saying go ahead and get started on Ws zero.

So it's a little unhappy so I'm gonna have to turn something off here. Let's try again. There we go. Okay, so now it's up and running. Now what I want you to notice is right here, you'll see where it says w LAN zero mon. That is, in essence, all of the monitoring that it's doing is going through this interface.

And it's, it's an interface, we can talk to it, we can write from it, we can do whatever we want. So now what I want to do is go out into the world and see what's out there for me to have some fun hacking on so I'm going to use Arrow dump. And I'm going to say, hey, go look out on w LAN mon, and tell me what you see. And here are all the wireless networks in the area around here. Let me open this up a little bit so we can see it better. Ah, that's better.

Okay, now, now we've got the spread out a little bit, you can see that we have all of our SS IDs here. Nice. No, it says SSID. These are SS IDs. So if you take a look here, it's going to say not secure web. So that is our target, wireless access point.

Now the other thing that's important here is we see the MAC address for that wireless access point. So we're going to need that information to go ahead and start grabbing data. So what I'm going to do now is I'm going to use a tool called arrow dump, and I'm going to say just grab it data but just from this one wireless access point. So here's the MAC address. Here's the channel that is currently on this is 2.4 gigahertz. And here's the SSID.

So to do all this, let me just let that keep running for all I care. Bring up a new window. Yes, I'm running in route. Don't give me any trouble about that. All right, so I'm gonna have to type in this fairly long command, I'm going to use arrow dump. And w means I'm going to have to write all the data that it's starting to grab.

So I'm going to give it a name. Something really clever like dump file. I'm going to tell them what channel to monitor. That's channel six for this guy. And now I have to type in the MAC address. I know it says BSS ID, but it's actually the MAC address.

And then I'm going to tell it which monitor do we want to use and it's good old w land zero, mon. So let's go ahead and get that guy started. And he's up and cooking. Alright, so what's happening now is air dump is grabbing all the very specific packets that I've asked for, and he's dumping it into this one file called dump file. Now in order to Use an IV attack on web, we have to have quite a few frames, then people will argue about the amount, my general rule of thumb is, go outside, go have a coke come back, and it usually has enough. So I'm gonna let this run for about 510 minutes, probably about all I need.

And we'll come back in just a minute, and we'll see aircrack ng action. Okay, so we've learned a little bit of time pass here. So let's take a look on the screen. Now, if you take a look, as we've been running here, this arrow dump has been tracking this one particular wireless access point. And you can see down here, these are actually systems that are connecting to it. So we're actually getting information on systems that are making connections and we've got tons of frames here probably way too many.

A lot of times they'll say as few as 5000 frames is all you need, but I believe in a little bit of overkill here. So what I'd like to do is go ahead and Let's crack this guy. So I'm going to stop that. And we're going to actually run aircrack. Now before I do, let me backspace that out. Before I do I want to show you something.

Now if you remember I said we're going to put them into a file called dump file. Now you'll see that arrow dump actually makes four different types of capture files. And the one I want is the dump file dash 01 dot ca P. So let's go ahead and run aircrack. Watch it for a second. Tena, there it is. So take a look right here.

There's the key that it's derived. Now let's put that key we brought up earlier Back on screen and compare them. It's the exact same key, we are officially cracked. All I need to do now to get onto this wireless access point is on any client that I want. Simply go in, find that particular SSID and type in that little bit of passcode and WEP is all over with now. Granted WEP is a little old fashioned, although it is still out there, however, that which replaced it WPA a WPA two also have some type of limitation.

So let's do a little more cracking but let's shift into the WPA two world

Sign Up


Share with friends, get 20% off
Invite your friends to TabletWise learning marketplace. For each purchase they make, you get 20% off (upto $10) on your next purchase.