How to crack WEP password? (step by step guide)

WEP theory

The first encryption that we will discuss is Wired Equivalent Privacy (WEP) encryption, because it's the oldest one, and also the easiest one to break. WEP encryption uses an algorithm called RC4; each packet is encrypted at the Access Point (AP), and then sent out into the air. Once the client receives it, the client will be able to decrypt the packet and read the information inside of it, since the client has the key. In short, the AP encrypts the packet and sends it, and the client receives and decrypts it. In the same way, when the client itself sends the packet, the client encrypts it and then sends it out, and the AP receives and decrypts it with a key.

Each packet that is sent out has a unique key stream. WEP ensures that the key stream is unique by using a 24-bit Initialization Vector (IV). The IV is a random number that is sent into each packet in plain text, which is not encrypted. If we read the packet, we will be able to read a part of it in plain text.

The problem with the IV is that it's very short (24-bits, which is not that long). In a busy network, there will be a very large number of packets sent, the possibilities of random IVs will be exhausted, and we will end up with two packets that have the same IV. If this happens, we can employ aircrack-ng, which uses statistical attacks to determine key streams; it will be able to determine the WEP key.

From the preceding information, we know that the more IVs we collect, the more likely we'll be to successfully crack the WEP key. Our main goal, when we try to crack WEP, is to collect as many IVs as we can—because when we have a large number of IVs, we will end up with two packets that use the same IV, and aircrack-ng will be likely to determine the key stream and the WEP key for the target network. In the next part of this chapter, we will see how this actually works, and it should be easier to understand.

Basic web cracking

Through the previous section, we know that to crack a WEP key, all we have to do is sniff packets from the target network and gather as many IVs as possible. Once we have done that, aircrack-ng will be able to use statistical attacks to determine the key stream and the WEP key for the target network. Obviously, when we have more than two packets, the method is going to work better, and our chances of breaking the key will be higher—we're going to try to gather as many IVs as possible.

Let's look at the most basic case of cracking a WEP key. Wi-Fi card must be in monitor mode, and the first thing we're going to try to do is see all of the networks that are within our Wi-Fi range; then, we're going to target one of those networks. We're going to run airodump-ng wlan0, very basic command, where wlan0 stands for the interface. Following will be displayed as a output:

The first network that has come up is Test; this is the network that we're going to perform our attacks on. We're going to launch airodump against Test network by using the following command:

airodump-ng --bssid 54:B8:0A:9E:54:2D --channel 11 --write basic-test-ap wlan0

Here, we enter the --bssid and launch an airodump against Test AP. We include the -channel, number 11, and we add --write to store all of the packets that we capture into a file, which is basic-test-ap. As we run the preceding command, we will be able to see the output in the following screenshot, the target network that we have as the data we gathered it is quite a busy one, also the data and the frames are going:

It is a busy network; the following is the section where we can see the clients:

All we have to do now is launch aircrack-ng, which is part of the aircrack suite, against the file that airodump has created for us. We can launch aircrack against it even if we didn't stop airodump; it will keep reading the file, and it will read the new packets that airodump is capturing. The command to use is as follows: aircrack-ng basic-test-ap-01.cap

When we use aircrack-ng, we will put in the filename basic-test-ap-01.cap. While the file is still being created, getting larger and larger with the inclusion of new packets, we can run aircrack-ng, and it will keep getting updated, eventually giving us the password we need for cracking. If aircrack fails to determine the key, aircrack waits until it reaches 5,000 IVs, and then tries again.

The number of IVs actually depends on the type of WEP encryption. There are two types of

WEP encryption: 128-bit and 64-bit. The only difference is the length of the key; obviously,

64-bit requires a lower number of IVs than 128-bit. Remember that when we discussed aircrack, we indicated that the more packets we get without unique IVs, the higher our chances of cracking the WEP key are.

Now, we basically wait until aircrack can successfully crack the WEP key. Once it decrypts the key, we can press Ctrl + C. As we can see in the following screenshot, aircrack has successfully managed to get the key within data packets; this is because the target AP uses a 64-bit key:

Let's look at how we can use this key to connect to the network. We are going to copy the key and use the key too connect. We can then connect to the target network:

As you can see, our connection has been established; we successfully recovered the WEP key from the target network. We can go ahead and confirm by pinging Google: