How To: Crack a WEP Key

This is the first post of a two-part feature on how to obtain information on a WEP enabled wireless network. This post shows how to crack a WEP key and the second post shows how to gather information using a Firefox Add-on called Firesheep.

Disclaimer: I do not care what you do with this information. Who am I to tell you what to do with something you’ve learned? It is your decision to use this information ethically or unethically. Just know that hacking into a wireless network that is not your own is most likely illegal.

Overview
In this How To I will show you how easy it is to crack a WEP key. We will be using a Linux distro called BackTrack. Don’t worry. You won’t have to install it to your hard drive. We’ll be booting BackTrack off a USB flash drive. This How To assumes that you are using a Windows based PC to set up the USB flash drive and that you also have a compatible wireless network adapter that supports injection. But first, we’ll start with a little background of WEP.

The History of WEP
Wireless Equivalent Privacy (or WEP) keys are used to secure a wireless network. It’s a fairly old (read: insecure) way to protect a wireless network. Introduced in 1997, WEP uses a single shared key across a network. This allows WEP to be easily cracked within an hour and even sometimes within minutes depending on the method you use. It’s successor, Wi-Fi Protected Access (WPA), changes the encryption key each time data is transmitted making the network much more secure.

The Method to Crack WEP
There are many methods to cracking a WEP key. I’m going to discuss one method I found to be very easy to use and well supported. BackTrack is a Linux based OS that contains many security tools for auditing and penetration. In this guide we will be using a terminal to run programs such as Airmon and Aircrack.

One: Download BackTrack

Head over to BackTrack’s download page and download BackTrack 4 R1 Release ISO (1.87 GB). I suggest downloading it via Torrent because I’ve noticed that downloading it directly from HTTP is a little slow. Once BackTrack is done downloading we’re going to put it on a USB flash drive so we can boot off of it. UNetbootin is a program that creates bootable live USB flash drives of various operating systems.

Two: Download/Setup UNetbootin

Head over to the UNetbootin page and download the Windows version. Open up UNetbootin. Click the Diskimage radio button and make sure ISO is selected in the drop down menu. Browse for the ISO of BackTrack. Then select your USB flash drive’s assigned letter in the Drive dropdown menu. Don’t worry about selecting the Linux distribution at the top. That option downloads the ISO for you and installs it on your USB flash drive. But since we already downloaded our copy of BackTrack we don’t have to worry about this option. Your UNetbootin should look like this:Press OK and let UNetbootin do its thing. It should take 10-15 minutes depending how fast your computer is. When it’s done restart your computer. Keep your USB flash drive plugged in after it reboots. You may have to configure your BIOS to allow booting from USB devices.

Three: Boot BackTrack

When you first boot from your USB flash drive, you’ll see a blue screen with different boot options. Just keep the default option. BackTrack will now boot. When it’s done, you’ll be at a command line that says “root@bt:~#” with a blinking cursor. To load the BackTrack GUI just type “startx” without the quotes.

Four: The 11 Commandments

Now the fun part. First thing you want to do is open up Konsole. It’s that black square to the right of Firefox on the taskbar. We want to start networking with this command:

/etc/init.d/networking start

Let that run for about a minute. If you get any errors don’t worry about it. You should see “DHCPDISCOVER on [your interface name]“. For example, my interface name is wlan0. Yours may be different.

The next command lists the network interfaces on your computer:

airmon-ng

Keep note of what your wireless interface’s name is. Next, we’re just going to make sure that we have a monitor interface. Run these commands one at a time. Add your interface’s name at the end of the first two:

airmon-ng stop [your interface name]
airmon-ng start [your interface name]
airmon-ng

You should see that there is a new interface now called “mon0″. Still with me? Okay, next command:

airodump-ng [your interface name]

If you’re around a lot of wireless access points you’ll start to see a list of SSIDs flood your Konsole. You want to find one that has WEP under the Encryption (ENC) column. You’ll also want to look for one that has good signal strength. Look at the Power column. Whichever has a highest (closest to zero) power has the better signal strength. For example, -35 is a better signal than -75. Once you’ve found the wireless network you want to hack, press Ctrl+C to end airodump. Copy down the channel number (CH) and the BSSID. Then run this command:

airodump-ng -w wep -c [channel number] –bssid [bssid] [your interface name]

Your computer is now sending data packets to the selected wireless network. Let this run until the #Data column reaches at least 10,000. The more data sent the better your chances are of cracking the key. Now open up another Konsole window and run this command:

aireplay-ng -1 0 -a [bssid] [your interface name]

This command sends an authentication request to the wireless network. It attempts to penetrate the network. If successful it will output “Association successful”. If it keeps saying “Sending Authentication Request (Open System)” you may be too far from the access point. Open up yet another window (last one, I swear) and type this in:

aireplay-ng -3 -b [bssid] [your interface name]

What your computer is doing now is sending and receiving more data in an attempt to “speed things up” a bit. Once your data has reached at least 10,000 in the first Konsole window run the following two commands below. The last command will attempt to crack the WEP key based on the amount of data you’ve received back from the access point.

dir
aircrack-ng [filename.cap]

When you enter the dir command it will list contents of your root. Look for a file that has a .cap extension. For example, my .cap file was called “-wep-01.cap”. Yours might be different. If you’re lucky you will be able to crack the WEP key and the command will output KEY FOUND! [key]. Copy this key down. You can now use this key to connect to a WEP enabled wireless network.

Five: Celebrate

Glad to see you made it to the end. Good job! Go grab yourself a celebratory beer. If you found this interesting I suggest digging deeper into BackTrack. There are some pretty useful tools (such as Gerix Wifi Cracker) that can speed this process up. Once you’re on the WEP network, it’s time to use Firesheep to gather data. Stay tuned for my next post on how to use Firesheep.

Have any issues with BackTrack? Have a success story? Let us know how everything went in the comments.

Patrick is the founder and editor-in-chief of pinglio. He works as a system administrator and studied at the University of Illinois at Chicago. He currently lives in Chicago with his girlfriend and two dogs.