Thoughts on Storage, Virtualisation, Windows, Linux and IT strategy from a curious Brit
How to Crack WEP in Windows with Aircrack-ng and AirPcap
This guide demonstrates how to crack WEP in Windows using the AirPcap Wireless Capture Adapter.
To do this, you'll need the useful AirPcap USB Wireless Capture Adapter from CACE Technologies. It's pretty cheap when compared to some of the other Windows hardware solutions, and you'll be supporting the makers of Wireshark!
I adore Linux and the entire Open Source movement, but it's important to recognise that many people out there are locked into Windows, and learning an entirely new OS to perform security testing isn't cost-effective for their company.
How is WEP cracked?
To crack WEP, you need to exploit a weakness in the way it uses RC4: every frame's 24-bit Initialisation Vector (IV) is sent in the clear, and once enough IVs have been collected the key can be recovered statistically. In normal WLAN traffic it would take quite a while to pick up enough IVs - approximately 1 million - so we need to generate our own traffic. There are two ways we could do this:
Generate your own traffic using iperf.
Use packet injection with aireplay-ng.
At present, the AirPcap drivers do not support packet injection in Windows. Fortunately, the makers of AirPcap, CACE Technologies, have said packet injection will be included soon. :D
Update 2007-06-11: Packet injection is now possible in Windows with the AirPcap. Please see my posts Cracking WEP with Cain and Cracking WEP with aircrack-ptw for more information.
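To make the IV weakness concrete, here is an added example (not part of the original post or the aircrack-ng project) that parses WEP-protected 802.11 data frames, pulls out each 24-bit IV, and reports how many distinct IVs a capture contains and how often one has already been reused. The frames are constructed inline for the demo; the header layout and the Protected/Extended-IV bits follow the 802.11 standard.

```python
from collections import Counter

IV_SPACE = 1 << 24  # a WEP IV is only 24 bits, so at most 16,777,216 distinct values exist

def wep_iv(frame: bytes):
    """Return the 24-bit IV of a WEP-protected 802.11 data frame, else None."""
    if len(frame) < 32:                   # shortest possible WEP data frame
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:             # frame type 2 = data
        return None
    if not fc1 & 0x40:                    # Protected Frame bit clear: plaintext
        return None
    hdr = 24                              # FC, duration, 3 addresses, sequence control
    if fc1 & 0x03 == 0x03:                # ToDS and FromDS: a fourth address follows
        hdr += 6
    if fc0 & 0x80:                        # QoS Data subtype: 2-byte QoS control field
        hdr += 2
    if len(frame) < hdr + 4 + 4:          # IV(3) + key-ID byte + at least the 4-byte ICV
        return None
    if frame[hdr + 3] & 0x20:             # Extended IV bit set: TKIP/CCMP, not WEP
        return None
    return int.from_bytes(frame[hdr:hdr + 3], "big")

def iv_audit(frames):
    """Count WEP frames, distinct IVs and IV reuse across a list of raw frames."""
    seen = Counter(iv for iv in map(wep_iv, frames) if iv is not None)
    return {
        "wep_frames": sum(seen.values()),
        "unique_ivs": len(seen),
        "reused_ivs": sum(1 for n in seen.values() if n > 1),
        "iv_space_used": len(seen) / IV_SPACE,
    }

def make_wep_frame(iv: int, qos: bool = False) -> bytes:
    """Build a minimal WEP data frame (constructed sample, not a real capture)."""
    fc0 = 0x08 | (0x80 if qos else 0)     # type data; subtype data or QoS data
    fc1 = 0x41                            # Protected Frame + ToDS
    hdr = bytes([fc0, fc1, 0, 0]) + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv.to_bytes(3, "big") + b"\x00" + b"\xde\xad\xbe\xef" + b"\x00" * 4

SAMPLE_FRAMES = [make_wep_frame(iv) for iv in (0x000001, 0x000002, 0x000001, 0xABCDEF)]
SAMPLE_FRAMES.append(make_wep_frame(0x000002, qos=True))        # same IV again, QoS header
SAMPLE_FRAMES.append(bytes([0x80, 0x00]) + b"\x00" * 30)        # a beacon: ignored
SAMPLE_FRAMES.append(bytes([0x08, 0x01]) + b"\x00" * 30)        # unencrypted data: ignored

if __name__ == "__main__":
    print(iv_audit(SAMPLE_FRAMES))  # 5 WEP frames, 3 unique IVs, 2 already reused
```

Run against a real capture, the audit shows how quickly a busy WEP network cycles through its tiny IV space, which is the reason the key eventually falls out of the statistics.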
For this demonstration you'll need:
Your own Wireless Access Point, configured with WEP.
3 computers, at least 1 of which should have a Wireless LAN Adapter.
Enough traffic to generate over 1 million IVs. We'll use a Windows release of iperf, called K-perf, to generate lots of traffic.
Let's get cracking
This guide assumes that you are performing this on a WLAN you have permission to use.
OK, let's do it...
Set up Aircrack
Plug in your AirPcap.
Extract the contents of the aircrack-ng release to C:\aircrack (or wherever, I'm just doing this for tidiness).
Open up the c:\aircrack\bin\ directory and double-click the airodump-ng.exe (this is a specially built release tailored for AirPcap).
Configure it for your adapter and your WEP-enabled WLAN. [Screenshot: Configuring Airodump-ng]
With K-perf generating traffic between your other machines, go back to your AirPcap machine and watch the IV frames come in. [Screenshot: Airodump-ng capturing WEP IVs]
When you've hit over 1,000,000 frames, open up aircrack-ng_GUI.exe in the c:\aircrack\bin\ directory.
Click the Aircrack-ng tab, and locate your crackme.iv file.
Click Launch and wait for the cracker to find your WEP key. [Screenshot: Aircrack-ng cracking WEP]
If aircrack-ng cannot find your WEP key, you may not have enough IVs. To get more, start airodump-ng.exe again and, when asked for the Output filename prefix, give the same name as you did previously. Airodump-ng will then append packets to the original dump.
As this is a simulation on your own WLAN, now that you have the WEP key you can continue your penetration testing by using AirPcap with Wireshark to capture and decrypt the traffic flowing over your WEP-enabled WLAN.
As one of the aims of my blog is to help people, if you have friends/neighbours/co-workers whose WLANs are WEP enabled, you could demonstrate how easy it is to crack WEP, and then help them set up a properly-implemented WPA/WPA2 WLAN :)
Did this help you at all? Any questions? Feel free to leave me a comment below!