WEP Cracking (Automated)


Now that we know the basic steps for cracking WEP from our last post, let's try a pointy-clicky GUI that's included in the BackTrack distribution, Gerix Wifi Cracker. With our hacking environment set up the same as before, we set up our access point, attach a client to it, and start a continuous ping to a non-existent address to generate a steady stream of ARP requests. If you're using a VM like me, you can attach the host system to the access point as your pinging client and use a wireless USB NIC connected to the guest VM for the attack.

As a summary from last time, here are the steps we are going to complete:

  1. Enable monitor mode on the NIC
  2. Scan for nearby wireless networks
  3. Start capturing packets
  4. Test injection
  5. Authenticate with the access point
  6. Replay the captured ARP requests
  7. Crack the WEP password

You can find Gerix under Applications – Exploitation Tools – Wireless Exploitation Tools – WLAN Exploitation – gerix-wifi-cracker-ng.

Go to the Configuration tab, click “Reload wireless interfaces”, select your interface, then click “Enable/Disable Monitor Mode”. Then, click “Rescan networks” to display all nearby wireless networks.

Now, select the "donthackme" ESSID and go to the WEP tab.

Under the “General functionalities” section, click “Start Sniffing and Logging” to start capturing packets. A new terminal session will open showing a summary of the capture interface.

Next, click "Performs a test of injection AP" to verify that we are close enough to the access point for injection to work.

Then, select the “WEP Attacks (with clients)” section.

Select "Associate with AP using fake auth" and you should see the client count in your capture session jump.

Next, click "ARP request replay" to inject the captured ARP requests back to the access point and generate enough IVs for cracking. Another terminal session will open, displaying the progress.

As we did in the previous post, we keep the ARP replay injection session running until the “Data” column of the capture session reaches at least 10,000.

Once we hit at least 10,000, we can go to the Cracking tab.

Then, under the WEP cracking tab, simply click “Aircrack-ng – Decrypt WEP password”.
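What the two noisy steps of this walkthrough look like from the other side is worth seeing too. The fake authentication storm and the ARP replay flood that drive the "Data" counter up are both easy to spot in a capture taken at the access point, which is how wireless IDS tools flag them. The script below is an added example written for this post; it is not part of Gerix or aircrack-ng. The frame records, MAC addresses and both thresholds are constructed for illustration.

```python
"""Added example (not from the original post or from Gerix): a small
wireless-IDS style heuristic, seen from the access point's side.

Assumptions (all constructed for this example):
  * frames are plain (timestamp_s, src_mac, kind, length) tuples, as a
    capture tool might export them; kind is "auth" for an 802.11
    authentication frame and "data" for a data frame.
  * the thresholds below are illustrative, not tuned for any product.
"""
from collections import defaultdict

AUTH_BURST = 5            # auth frames from one MAC inside AUTH_WINDOW_S
AUTH_WINDOW_S = 10.0
REPLAY_MIN_FRAMES = 50    # identical-length data frames from one MAC
REPLAY_WINDOW_S = 5.0


def _bursts(timestamps, window_s, threshold):
    """True if at least `threshold` timestamps fall inside one sliding window."""
    timestamps = sorted(timestamps)
    lo = 0
    for hi, t in enumerate(timestamps):
        while t - timestamps[lo] > window_s:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_fake_auth(frames):
    """Flag MACs that authenticate repeatedly in a short window.

    A real client authenticates once and then sends traffic; a fake-auth
    tool re-authenticates over and over to keep its association alive."""
    auth_by_mac = defaultdict(list)
    for ts, src, kind, _length in frames:
        if kind == "auth":
            auth_by_mac[src].append(ts)
    return sorted(mac for mac, ts in auth_by_mac.items()
                  if _bursts(ts, AUTH_WINDOW_S, AUTH_BURST))


def detect_arp_replay(frames):
    """Flag MACs that send many same-length data frames in a short window.

    A replayed ARP request is re-sent unchanged, so every copy has the
    same size; normal client traffic varies in size."""
    by_mac_len = defaultdict(list)
    for ts, src, kind, length in frames:
        if kind == "data":
            by_mac_len[(src, length)].append(ts)
    return sorted({mac for (mac, _l), ts in by_mac_len.items()
                   if _bursts(ts, REPLAY_WINDOW_S, REPLAY_MIN_FRAMES)})


def build_sample_capture():
    """Constructed frames: one legitimate client and one injecting station."""
    legit, injector = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    frames = [(0.0, legit, "auth", 30)]
    # legitimate client: varied frame sizes at a modest rate
    for i in range(60):
        frames.append((0.5 + i * 0.5, legit, "data", 100 + (i * 37) % 900))
    # injecting station: repeated auth frames, then a flood of identical frames
    for i in range(8):
        frames.append((1.0 + i * 0.2, injector, "auth", 30))
    for i in range(300):
        frames.append((3.0 + i * 0.01, injector, "data", 68))
    return frames


if __name__ == "__main__":
    cap = build_sample_capture()
    print("fake-auth suspects:", detect_fake_auth(cap))
    print("replay suspects:", detect_arp_replay(cap))
```

Both heuristics key on rate and repetition rather than on packet contents, so they work on encrypted frames. The thresholds need tuning per environment, and a detection only tells you the attack is happening; the fix is to retire WEP in favour of WPA2 or WPA3, since nothing in this walkthrough relies on a weak passphrase.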

Now that was even easier than last time ;-)
