This document discusses cracking WEP encrypted WiFi networks. It begins with introductions to WiFi technology and encryption methods like WEP, WPA, and WPA2. It then provides steps to crack WEP networks using tools like Aircrack-NG on Windows and Kali Linux. For Windows, it describes using CommView to capture packets and Aircrack-NG GUI to crack passwords. For Kali, it outlines passive and active cracking techniques, including using airodump-ng to capture packets and aireplay-ng to generate more packets through ARP request replays and fake authentication attacks before cracking passwords with Aircrack-NG. The goal is to capture enough initialization vectors to crack weak WEP encryption keys.
Wifi cracking Step by Step Using CMD and Kali Linux 2018
1. * Contents
*Introduction.
*HISTORY AND TYPES OF WiFi.
*WHAT ARE WIFI NETWORKS
*IMPORTANT TERMINOLOGY
*Wi-Fi SECURITY: METHODS OF WiFi
*WEP ENCRYPTION
*WEP CRACKING USING WINDOWS
*WEP CRACKING USING KALI
*RESEARCH PAPERS
*REFERENCES
Project Name: Wifi Cracking
Student Name: Mohammad Fareed
University: MMMUT Gorakhpur
E-mail ID: mohd.fareed1122@gmail.com
2. * INTRODUCTION
* Wi-Fi has emerged as the single most popular wireless network protocol of the 21st century. While other wireless protocols
work better in certain situations, Wi-Fi technology powers most home networks, many business local area networks and
public hotspot networks.
* Some people erroneously label all kinds of wireless networking as “Wi-Fi” when in reality Wi-Fi is just one of many wireless
technologies.
* Research Paper: The security of wifi connections has been in and out of the news over the past few years as the integrity
of the wifi encryption process has been progressively eroded. Wifi encryption is normally driven by the use of three flavours
of passwords/passphrases – Wired Equivalent Privacy (WEP), Wifi Protected Access (WPA) and WPA2 – which use different
methodologies to ensure (to differing degrees) the integrity of the wifi IP-based communications path. But all have come
under attack, with tools available to intercept and crack authentication. Does this mean that wifi should now be considered
insecure?
3. * HISTORY AND TYPES OF WiFi
* In the 1980s, a technology designed for wireless cash registers called WaveLAN was developed and shared with the
Institute of Electrical and Electronics Engineers (IEEE) group responsible for networking standards, known as committee
802. This technology was further developed during the 1990s until the committee published standard 802.11 in 1997.
* The initial form of Wi-Fi from that 1997 standard supported only 2 Mbps connections. This technology was not officially
known as “Wi-Fi” from the beginning either; that term was coined only a few years later as its popularity increased. An industry
standards group has continued to evolve the standard ever since, generating a family of new versions of Wi-Fi called
successively 802.11b, 802.11g, 802.11n, 802.11ac, and so on. Each of these related standards can communicate with
each other, although newer versions offer better performance and more features.
* Research Paper: Integrity in question
* In 2004, the integrity of the WEP password system was called into question after the Aircrack wifi password-cracking suite
was released. The open source suite – now known as Aircrack-ng and updated to perform attacks on the WPA/WPA2 wifi
password systems – consisted of a number of wireless auditing utilities:
* • Airodump – an 802.11 packet capture program.
* • Aireplay – an 802.11 packet injection program.
* • Aircrack – a static WEP and WPA-PSK key cracker.
* • Airdecap – which decrypts WEP/WPA capture files.
Because the amount of time it takes to hack an encrypted wireless network is dependent on the amount of traffic that the
cracking software has access to, the second module of Aircrack – Aireplay – is viewed as the most useful program of the four,
as it allows the wireless hacker to increase the network traffic and so speed up the hacking process. The third and fourth
elements of the suite – Aircrack and Airdecap – were (and still are) useful to crackers because they work for both WEP and
WPA encryption, although back in 2004 the processing power available at that time made the cracking of a WPA password a
lengthy process – normally taking several weeks, even where multi-core processing power was used. This contrasted with a
typical cracking time for WEP (in 2004) of 20 minutes or so – a time-frame that has been reduced to around 30 seconds using
commercial software from Elcomsoft and others, as well as open source/freeware apps/suites such as Aircrack.
4. * WHAT ARE WIFI NETWORKS?
Most of you will have used a wireless network in your college, office, hotel or airport.
Wireless networks have become very common everywhere because of their convenience and the growing
popularity of laptops. An area that offers wireless internet access is typically known as a hotspot.
Wi-Fi can be configured in one of two modes, called infrastructure mode and ad-hoc mode. Nearly all Wi-Fi
setups use infrastructure mode, where client devices within range all connect to and communicate through a
central wireless access point.
Ad-hoc Wi-Fi allows clients to connect directly to each other without the use of an access point.
* IMPORTANT TERMINOLOGY
SSID:
is short for service set identifier. It is the public name of a wireless network, used to identify a particular
network. SSIDs are case sensitive and are a sequence of alphanumeric characters (letters or numbers).
BSSID:
stands for basic service set identifier and is the 48-bit MAC address of the access point of a wireless network.
WIRELESS ACCESS POINT:
is a device that allows devices (such as laptops and mobile devices) to connect to a wireless
network using Wi-Fi and other wireless standards.
5. PSK: stands for pre-shared key and is commonly used in encryption systems. It is a password or secret key that is shared
among all the users of that particular encryption system.
RSSI: is short for received signal strength indication and represents the signal strength of a wireless network. RSSI
values range from 1 to 100.
*Wi-Fi SECURITY: METHODS OF WiFi
* Before cracking a Wi-Fi network, you must be aware of the basic encryption techniques that protect a Wi-Fi network.
These three methods of encryption are the major sources of vulnerability associated with wireless networks. The
different types of wireless encryption security techniques include the following:
* WEP: WEP is Wired Equivalent Privacy, which can be cracked easily even when it is configured appropriately. This method of
encryption can be cracked within a few minutes.
* WPA: WPA is Wi-Fi Protected Access, which provides strong security. Even so, it is possible to crack it if the Wi-Fi
password is short. However, wireless networks can be hacked easily using various tools.
* WPA2: WPA2 is Wi-Fi Protected Access 2, which also provides high security. This method of
Wi-Fi encryption can be attacked at the time of packet generation from Wi-Fi access points.
MAC ADDRESS: stands for media access control address and is a 48-bit unique address that identifies every node
in a network. MAC addresses are usually assigned at the time of manufacture.
For example, 00:02:2D:17:B9:E8 is a typical MAC address.
6. * WEP ENCRYPTION
WEP stands for Wired Equivalent Privacy and is a security protocol that encrypts data transmitted over a wireless
network using a secret WEP key. There are typically three settings for the WEP key:
1) OFF.
2) 64-bit.
3) 128-bit.
WEAKNESS IN WEP ENCRYPTION:
In the WEP protocol the AP and all the clients (users) connected to a wireless network
must know the same security key or password.
If a user does not know the WEP shared key or password, that user is not allowed to
connect to the network. This gives an attacker plenty of time to find out the encryption key of the network.
Depending on the network, the user's password is usually 40 bits or 104 bits. This is
concatenated with the 24-bit IV (initialization vector) to get a 64-bit or 128-bit WEP key, which is used for encrypting all data packets.
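The key construction above, and why the 24-bit IV is the weak point, worked through in an added Python example (not part of the original slides): `per_packet_key` builds the IV || secret seed exactly as described, `iv_repeat_probability` and `frames_until_iv_repeat` apply the birthday bound to the 2^24 IV space, and `find_iv_reuse` is the check a defender would run over the IVs of their own capture. The IV list `SAMPLE_IVS` is constructed for the demonstration.

```python
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs, each sent in the clear


def per_packet_key(iv: bytes, secret: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret for every frame.
    3-byte IV + 5-byte (40-bit) secret  = 8 bytes, the so-called 64-bit key;
    3-byte IV + 13-byte (104-bit) secret = 16 bytes, the so-called 128-bit key."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    if len(secret) not in (5, 13):
        raise ValueError("WEP secret must be 40 or 104 bits")
    return iv + secret


def iv_repeat_probability(frames: int) -> float:
    """P(at least one IV repeats) after `frames` frames with uniformly random IVs:
    1 - exp(-n(n-1) / (2N)), the standard birthday approximation."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_until_iv_repeat(probability: float = 0.5) -> int:
    """Frames after which an IV repeat is at least `probability` likely:
    n ~ sqrt(2 N ln(1/(1-p))). For p = 0.5 this is only a few thousand frames."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))


def find_iv_reuse(ivs) -> dict:
    """Audit helper: IVs seen more than once in a capture, with their counts.
    A repeated IV under the same secret repeats the whole RC4 keystream, which is
    the condition the cracking tools on this page exploit."""
    counts = Counter(ivs)
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample: a card whose IV counter restarts at 0 after a reset,
# so the first IVs are reused. (Many early WEP cards behaved exactly like this.)
SAMPLE_IVS = [bytes([0, 0, i]) for i in range(1, 6)] + [bytes([0, 0, i]) for i in range(1, 3)]

if __name__ == "__main__":
    print("64-bit key bytes :", per_packet_key(b"\x01\x02\x03", b"A" * 5).hex())
    print("frames to 50% IV repeat:", frames_until_iv_repeat())
    print("P(repeat) after 10,000 frames: %.3f" % iv_repeat_probability(10_000))
    print("reused IVs in sample:", find_iv_reuse(SAMPLE_IVS))
```

With random IVs, the roughly 10,000 data packets that the Windows walkthrough later captures are already enough for an IV repeat with about 95% probability; a counter that restarts at zero does far worse.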
It took until December 2009 before leading security researcher Moxie Marlinspike – who has since gone on to develop a
number of smartphone and tablet computing crypto applications for the Android platform – launched the
WPAcracker.com website. Using a parallel processing set of servers, Marlinspike claimed that his systems could crack
vulnerable WPA passwords in around 20 minutes, a process that would have taken a dual-core PC around 120 hours
using suitable software at the time. The cloud-based service – which costs $17.00 a time – reportedly uses a 400-node
cluster of computers to run through around 130 million WPA password combinations in 20 minutes. To use the service,
Internet users upload a copy of the handshake file that occurs when a wifi device starts negotiating a link with a wifi
access point – downloaded off-air using AirCrack’s Airodump module or an open source utility such as Wireshark.
Although Wireshark is generally best known as a packet sniffer and analyser, widely used for network troubleshooting,
analysis, software and communications protocol development – its considerable evolution, since it was first launched as
Ethereal, makes it a popular wifi analysis tool. The evolution of WPAcracker.com was notable in wireless cracking terms
as – according to Marlinspike – although rainbow tables can be used to brute-force crack a WPA password, the process
is truly brute force in nature because each cracking project is unique. As Marlinspike observes: “You have to build a
unique set of rainbow tables for each network that you would potentially like to audit.” A rainbow table is essentially a
precomputed table for reversing cryptographic hash functions, typically used for cracking password hashes.
7. * WEP CRACKING USING WINDOWS
• You require the following tools to crack a WEP network using Windows:
• CommView for WiFi.
• Aircrack-ng GUI for Windows.
• A compatible wifi card that supports monitor mode.
Step1: Start the CommView app. It will put your network adapter into monitor mode and allow you to record
data packets being transmitted across all the wifi networks within range. Select any WEP network that you want to
crack; choose a network that has a good signal strength.
Step2: Right click on the WEP network and select the Copy MAC Address option.
Step3: Select the Rules tab in the menu at the top. Select MAC Address in the left column, enable MAC
address rules in the centre, select Capture under Action and select Both under Add Record, paste the copied MAC
address and press Add MAC Address.
Step4: Click on the Logging tab, enable auto saving and increase the maximum directory size and average log file size
options.
Step5: Now wait until CommView has recorded around 10,000 data packets. Monitor the number of data packets by clicking on
the Packets tab.
Step6: When you have around 10,000 data packets, go to the Logging tab and click the CONCATENATE LOGS
button, select all the capture files and save the combined log file anywhere on your computer.
8. Step7: Double click on the log file; in this case, 9247 data packets have been recorded in this log file.
Step8: Click File > Export Logs > Wireshark/TCPdump format and save the log file in the selected format anywhere on your computer.
Step9: Unzip the downloaded file of Aircrack-ng GUI and launch the Aircrack GUI application from the BIN folder.
Step10: Aircrack-ng will launch and will automatically try to crack the password. In this case, it failed and told me to try
recording more data packets/IVs.
Step11: Let's wait till I have recorded 21628 data packets/IVs.
Step12: Input the log files into Aircrack-ng and let's try again!
Step13: And now when I run Aircrack-ng again, it cracks the password and displays it on the screen! As simple as that.
10. * WEP CRACKING USING KALI
You require the following to crack a WEP network using Kali:
Kali Linux VMware image or ISO.
Aircrack-ng.
A compatible wifi network card.
The Aircrack-ng suite comes with the following set of tools:
1) Airmon-ng
2) Airodump-ng
3) Aireplay-ng
4) Aircrack-ng
WEP cracking using Kali is of two types:
1) PASSIVE technique
2) ACTIVE technique
PASSIVE WEP CRACKING TECHNIQUE
Passive WEP cracking is a technique where the attacker tries to crack the password by passively sniffing IVs of the target
network without sending/injecting any traffic to it.
Step1: Put your WiFi card into monitor mode:
Put your wifi card in monitor mode so that it can listen to all packets being transmitted and not just packets sent to your
system.
airmon-ng start wifi_interface_name
For example,
airmon-ng start wlan0
11. a) Check the status of the network interfaces:
ifconfig
b) Put the wifi interface into monitor mode:
airmon-ng start wlan0
c) Ensure the wifi interface is in monitor mode:
ifconfig
(NOTE: a secondary interface called mon0 is created when your wifi interface is put into monitor mode)
d) Let's see what wifi networks we are able to catch:
airodump-ng wlan0
Step2: START DATA SNIFFER TO RECORD IVs:
Capture IVs of data packets being transmitted on only the target
wifi network and ignore all other data packets:
airodump-ng -c channel --bssid AP_MAC -w outputfile interface
airodump-ng -c 1 --bssid 48:28:2F:DC:F5:D8 -w dump wlan0
This captures IVs of data packets being transmitted only on the target WEP network and ignores the rest.
Step3: CRACK THE WEP PASSWORD FROM THE CAPTURED IVs:
Once you have captured a large enough number of IVs (20,000-40,000) you can crack the WEP password using the
aircrack tool:
aircrack-ng -b AP_MAC outputfile*.cap
An alternative technique is to use the FMS/KoreK attacks:
aircrack-ng -K -b AP_MAC outputfile*.cap
For example, in today's example I will type:
aircrack-ng -b 48:28:2F:DC:F5:D8 dump*.cap
12. Step4: LET'S SEE WHAT WiFi NETWORKS WE ARE ABLE TO CATCH:
airodump-ng wlan0
Important: Identify the BSSID (48:28:2F:DC:F5:D8) and channel (1) of the wifi network you wish to crack and write them down
somewhere; you will need them in the next step.
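The same airodump-ng listing is, from the defender's side, the quickest way to find out whether any WEP or open access point is still on your own premises. The following is an added Python example, not part of the original slides: it reads the CSV that `airodump-ng -w <prefix>` writes beside the capture file and flags WEP and open networks. The header layout is assumed to match the tool's CSV output, and the rows are constructed (the first BSSID and the station MAC are the ones used in the slides; the other addresses and all ESSIDs are invented).

```python
import csv

# Constructed sample in the shape of the "<prefix>-01.csv" written by airodump-ng -w.
# Column names assumed from the tool's CSV format; values are invented.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
48:28:2F:DC:F5:D8, 2018-03-01 10:00:00, 2018-03-01 10:12:31,  1,  54, WEP , WEP, OPN, -41,  300,  9247,   0.  0.  0.  0,   7, LabWEP,
AA:BB:CC:00:11:22, 2018-03-01 10:00:02, 2018-03-01 10:12:30,  6,  54, WPA2, CCMP, PSK, -55,  290,     0,   0.  0.  0.  0,   9, Corp-WiFi,
DE:AD:BE:EF:00:01, 2018-03-01 10:00:05, 2018-03-01 10:12:29, 11,  54, OPN , , , -70,  100,     0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
1C:65:9D:C6:47:29, 2018-03-01 10:01:00, 2018-03-01 10:12:00, -50, 812, 48:28:2F:DC:F5:D8,
"""


def parse_access_points(text: str) -> list:
    """Read the access-point table: from the line starting with BSSID up to the
    first blank line (the station table that follows is not needed here)."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("BSSID")), None)
    if start is None:
        return []
    block = []
    for line in lines[start:]:
        if not line.strip():
            break
        block.append(line)
    reader = csv.DictReader(block, skipinitialspace=True)
    # Drop the None key that csv uses for surplus fields and trim padding.
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]


def audit_encryption(aps: list) -> list:
    """Flag WEP and open networks; returns (bssid, essid, finding) tuples."""
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].upper()
        if "WEP" in privacy:
            findings.append((ap["BSSID"], ap["ESSID"],
                             f"WEP in use ({ap['# IV']} IVs already seen): migrate to WPA2/WPA3"))
        elif privacy == "OPN":
            findings.append((ap["BSSID"], ap["ESSID"], "open network: no encryption"))
    return findings


if __name__ == "__main__":
    for bssid, essid, note in audit_encryption(parse_access_points(SAMPLE_CSV)):
        print(f"{bssid}  {essid:<10} {note}")
```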
* ACTIVE CRACKING WEP PASSWORD USING KALI
The problem with passive WEP cracking is that it can take a very long time, since you have to wait for an adequate number of IVs
to be captured, which can take 3-4 hours if there is not enough traffic/active clients on the target wifi.
In active WEP cracking, the attacker actively injects data packets into the target wifi network to generate
additional IVs and reduce the amount of time it takes to crack the password.
Step1: PUT YOUR WiFi CARD INTO MONITOR MODE:
Put the wireless interface in monitor mode on the AP channel so
that it can listen to all packets being transmitted and not just packets sent to your system.
For example, airmon-ng start wlan0
Step2: TEST WHETHER INJECTION IS POSSIBLE OR NOT:
Test whether your wifi card and the target wifi router are
within close enough range for your computer to be able to inject data packets into it. Not all wifi cards support data
injection.
aireplay-ng -9 interfacename
For example, aireplay-ng -9 mon0
13. Step3: START DATA SNIFFER TO RECORD IVs:
Capture IVs of the data packets being transmitted on only the target wifi network and ignore all other data packets.
airodump-ng -c channel --bssid AP_MAC -w output interface
airodump-ng -c 1 --bssid 48:28:2F:DC:F5:D8 -w dump mon0
Step4: ARP REQUEST REPLAY ATTACK:
In order to crack WEP keys it is important for an attacker to be able to record a large number of IVs from data packets
being sent across the target network.
An ARP request replay attack can easily be executed using the aireplay-ng tool:
aireplay-ng --arpreplay -b AP_MAC -h FAKE_AUTH_MAC interfacename
For example, aireplay-ng --arpreplay -b 48:28:2F:DC:F5:D8 mon0
Step5: FAKE AUTHENTICATION ATTACK:
In the ARP request replay attack, the attacker sends an ARP packet to the router (AP) of the target wifi network so that
it will generate more IVs.
A fake authentication attack allows an attacker to associate its MAC address with the AP, so that the AP
will not reject the ARP packets sent to it in the ARP request replay attack. This ensures that the target AP will generate new
IVs that can then be sniffed by the attacker to crack the WEP key.
aireplay-ng -1 0 -e ESSID -a AP_MAC interfacename
Step6: ARP REQUEST REPLAY ATTACK (ALTERNATE TECHNIQUE):
In case airodump-ng shows you some other device that is already associated with the target wifi AP, then you
can skip fake authentication and directly perform the ARP request replay attack using the MAC address of the associated
device.
For example, aireplay-ng --arpreplay -b 48:28:2F:DC:F5:D8 -h 1C:65:9D:C6:47:29 mon0
(where -h is used to specify the MAC address of the associated device).
14. Step7: CRACK THE WEP PASSWORD FROM THE CAPTURED IVs:
Once you have captured a large enough number of IVs, you can try to crack the WEP password using the aircrack tool:
aircrack-ng -b AP_MAC output*.cap
An alternative technique is to use the FMS/KoreK attacks:
aircrack-ng -K -b AP_MAC output*.cap
Crack the WEP password from the captured IVs:
aircrack-ng -b 48:28:2F:DC:F5:D8 dump*.cap
After 15,000 IVs the WEP password has now been cracked.