Cracking WEP with AirPcap and Cain and Abel
This video tutorial demonstrates how to crack WEP in Windows using AirPcap and Cain and Abel.
Preparation
You’ll need:
Note: It is possible to get this working by using the cheaper “Classic” AirPcap, in conjunction with the old 2.0 Beta Tx Drivers for AirPcap, to enable packet injection capability, but this is entirely unsupported, and is not guaranteed to work. YMMV.
Notes
- To begin ARP injections, AirPcap must capture at least 1 ARP request from a system on the target AP. You can usually force this by sending a Deauth to a connected client.
- Make sure you have over 250,000 IVs before attempting to crack the WEP key.
- In my tests, the old AirPcap (silver-grey) appears to perform significantly faster than the new AirPcap (dark-grey). I think it’s about 10x faster.
The Video
Get the Flash Player to see the wordTube Media Player.
Click Play to get things started.
Additional
Download the full resolution video (Thanks to TAz00 from the Oxid.it forums for the hosting!)
How to Crack WEP in Windows with Aircrack-ng and AirPcap · Mind Circus said,
11 June, 2007 at 2:45 pm
[...] 2007-06-11: Packet Injection is now possible in Windows with the AirPcap. Please see my posts: Cracking WEP with Cain and Cracking WEP with aircrack-ptw for more [...]
jimbo said,
23 July, 2007 at 8:40 pm
Any chance the new version of the AirPcap is one-tenth as fast because one-tenth of the IVs are occurring in response to something other than arp request injection? (ie. the attempted injection with the new AirPcap just isn’t resulting in any additional IVs?)
Frite said,
10 August, 2007 at 12:59 pm
Hello Phil, i have been watching your work, very impressive stuff. i am in scotland. i am just finishing up my networking degree and am going onto my masters in “Ethical hacking and penetration testing”. Have bin mucking about with the aircrack stuff, very fun and enjoyable. Have to admit i dont have an airpcap adapter which is a bit of a bum, is there any way to set up a cisco aironet a/b/g to do the same thing do you think?
I suppose its all about the arps, and requests…hmm, wonder if i could generate the traffic needed for dump another way apart from airpcap….
anyway, would love any thoughts or insights, and chat in general is muchly welcomed, we network security guys need to hang together, lol
Regards
Frite
kurt Allen said,
3 September, 2007 at 1:15 am
I was wondering would you please let me know how do I get free AirPcap driver?
Phil Wiffen said,
4 September, 2007 at 9:25 am
Kurt,
AirPcap is a USB adapter that you must pay for (see Wireless Analysis). The driver is free, but requires the USB adapter to work.
Ruslan said,
16 September, 2007 at 5:21 am
Hey phil i have a quik question for u, when i start up my program caine i noticed in ur video demo Cracking WEP with AirPcap and Cain and Abel that the caine program has a AirPcap driver info on the left hand side of the screen now is that supposed to be there when u start up the program, or do u have to buy the adapter and then u will get the screen to pop up, any help at all would be greatly appreciated.
Thanks.
Phil Wiffen said,
16 September, 2007 at 12:46 pm
Ruslan, you need the adapter.
Esau Munoz said,
16 October, 2007 at 3:53 am
phil,
there is two different versions of getting a wep key , in one u say that one needs over 250,000 IVs if someone just uses cain and able alone. to me this way is less confusing but then i guess the othe way were you use aircrack, is faster. how long does it take to get the requred packets. both in the easyer way and in the more complicated version.
the other question relates to the type of adapter, i believe u talk about some different versions the adapter came in. i believe one is (silver-grey), a (dark-grey), but i also believe there is one which is (black-orange) do you know anything about these. i think it came out pretty recently, but how faster or slower is it compared to there other ones.
THANKS.
esau munoz
Phil Wiffen said,
29 October, 2007 at 9:09 pm
Esau: Usually between 5 and 10 minutes, but sometimes longer. It can take me that long to explain to my clients what I’m performing!
There are 3 adapter “releases” so far. In my experience (I tested all three thoroughly whilst at Crownhill), the latest Black-Orange adapter was faster than the previous two.
Spanky said,
2 November, 2007 at 3:32 pm
so there’s definitely no free way of getting the wep key?
Phil Wiffen said,
2 November, 2007 at 3:39 pm
Spanky,
You can use a Linux Live CD like Backtrack to do a WEP Audit. Provided your existing laptop has a supported WLAN card, it’ll end up being “free”.
Dominik said,
3 November, 2007 at 6:10 pm
Phil,
I bought an aircap adapter but I made a mistake and I choose the simple one instead of the aircap tx.
Can I still use it to do what you did in the video or I need to buy the Tx version?
Thanks for you help!
Dominik
Phil Wiffen said,
5 November, 2007 at 2:05 pm
Dominik: I just replied to you without realising you’d also sent this comment! You can try using the Beta 2.0 drivers and see if it works, but you’re probably better off exchanging your Classic for a Tx.
patricio said,
13 November, 2007 at 4:48 pm
hi man,well a have a laptap, easy note mz350, whit windows xp and i need know if a can use the cain and abel to crack de wep password, to this program i need a special adaptor ????????????????????????
Phil Wiffen said,
13 November, 2007 at 6:06 pm
patricio: If you actually read the article above, you would not need to ask this question. I quite clearly state at the top of this article that you need the AirPcap Tx adapter.
sunda said,
15 November, 2007 at 7:27 am
Anyone can tell me how to modify/convert packets captured by Wireshark possibly could be cracked using aircrack-ng? I’m using Windows XP as platform. Thanks in advance.
Phil Wiffen said,
22 November, 2007 at 5:24 pm
Sunda, I’m pretty certain that Wireshark and aircrack-ng packet capture formats are inter-operable. You just need to point aircrack-ng at the Wireshark capture file. Have you tried it?
Alex said,
25 November, 2007 at 8:28 am
Hey Phil, awesome site. My question is about Monitor Mode. Is there any way to bypass the SSID filter and passively scan an entire channel that’s in range on the Windows platform? I’ve read that WinPcap doesn’t support it, but I wasn’t sure that if that was the end. This question partially arises from my decision on whether to buy an AirPcap and run Windows, or get a Atheros chipset and run Linux.
Thanks
Anthony said,
28 November, 2007 at 3:20 am
Will the USB key and software work with Vista??
lee said,
10 December, 2007 at 6:22 pm
are there any drivers for the airpcaptx to make it usable in backtrack linux
or do you know of anyway i could write my own
Phil Wiffen said,
17 December, 2007 at 8:24 pm
Alex: AirPcap allows you to passively scan the Wi-Fi channels. To do so you’ll need the Kismet release for AirPcap, or Cain (I prefer Kismet).
Anthony: Yes, AirPcap works in Vista. I’ve not yet tested Cain in Vista, but I’m sure if you asked at Cain’s forums they’d be able to tell you.
Lee: Not that I know of no, but seeing as most Linux-compatible Wi-Fi cards are cheaper than AirPcap, I’m not sure why you’d want to buy it for Linux (besides for the hell of it!). Might be worth contacting CACE to discuss a Linux driver
notharry said,
12 January, 2008 at 2:51 pm
When I try to run 2.0 Beta Tx Drivers for AirPcap, I am informed that no AirPcap Adapters found in the system. Yet I have an AirPcap-Ex plugged in.
Max said,
13 January, 2008 at 11:54 pm
hello im max , my problem is i nead to get a wep code . i just downloaded cain ; what els do i nead to hack a wep and how becous i dont now how to use this program atol
Jon said,
16 January, 2008 at 2:06 pm
Phil, you are doing some realy good work here. It’s nice to see someone dedicating some to time and effort to helping others understand a subject. Also the way you answer questions, to some the answer may seem simple, but you still answer in a very unpatronising way.
Thanks for support and advice.
Jon
Jon said,
16 January, 2008 at 3:38 pm
After putting a comment in i realised that i do actualy have a question.
I was looking at the Airpcap Classic and TX, from what i have read i understand that you can only realy crack WEP and WPA through the ‘TX’ adapter.
What are the main differences between the TX and Classic?
I’ve also been struggling a little from reading various bits on the net. Can you crack WPA aswell as WEP with one TX adapter. From what i can gather cain will reveal the WEP code but you have to brute force for the WPA – is this correct?
Thanks
Kyle said,
17 January, 2008 at 8:50 pm
hey phil, i’ve been using the AirPcap Tx USB(black and orange) for a while now with cain, but injecting packets doesnt work for me like it does for you in your video: that is, even when injecting, i dont get nearly as much traffic. this happens even when ARP requests have been sniffed on the target(if they havent, deauth doesnt usually do the trick for me either). any ideas?
Kyle said,
17 January, 2008 at 9:07 pm
Sorry for the above comment, after a search on the oxid.it forums it appears that this is a bug, possibly(but hopefully not) with the black/oj Tx adapter. hopefully its just the software and i didnt waste my $300.
Phil Wiffen said,
21 January, 2008 at 10:49 pm
notharry: As you have an AirPcap-Ex, you should be able to use the latest (non-beta) driver to use the transmit capabilities. I just checked, and the support matrix confirms this. FYI: the Beta driver was only intended for use with the USB AirPcap Classic.
Max: You need everything I listed in this post, particularly the AirPcap Tx adapter!
Phil Wiffen said,
21 January, 2008 at 10:55 pm
Hey Jon,
Thanks for your kind words!
Yeah, CACE neutered the original AirPcap by renaming it the Classic, and launching the Tx separately (…which is exactly the same, apart from a small change in firmware which enables injection!).
Regarding cracking… Both Cain and aircrack-ng will passively sniff WEP traffic and crack any WEP key after collecting x number of packets. They will both also passively sniff WPA EAPOL handshakes which can then be cracked, via brute force, “offline” – away from the Audit site. This takes way longer than the offset methods used in WEP cracking, and becomes pretty much unfeasible if the password isn’t in a dictionary, or is longer than 8 characters. I always recommend that WPA-PSK is deployed with at least a 20-character passphrase, and includes things like spaces and other non-alphanumeric characters.
Phil Wiffen said,
21 January, 2008 at 11:07 pm
Hey Kyle. Indeed, Cain can be very flakey with the AirPCap. From what I know, and have experienced, it’s not CACE’s fault.
If you’re not scared of a command line, you should try out my notes on using Aircrack-ng on the Windows command line. It usually works when Cain doesn’t!
Micro said,
26 January, 2008 at 1:17 am
Hi Phil,
1st, thanx for your great site and videos… it’s nice for tutorials and learning..
.
I have buy a AirPcapTX recently and try it with last drivers from Cace.
Packet Injection is really slow, with Cain but with aircrack-ng 0.9.2 for TX too…
from both method, i only Inject around 10 packets by seconds and capture only 1 IVs every 2 seconds…
So it seems the problem don’t come only from Cain but from the TX (or the driver) too…
I will try Kismet for Windows later see it’s working better…
Phil Wiffen said,
13 February, 2008 at 11:37 pm
Micro: Try CACE’s injection tool, which was bundled with the latest version of their drivers. It might solve your problem.
matt said,
5 March, 2008 at 12:41 am
hi phil i was wondering if there was any other program that will allow me to do this without the airpcap adapter and i was wondering also if there was any special place i have to go to get this adapter
Phil Wiffen said,
10 March, 2008 at 6:04 pm
Matt: AFAIK, it can’t be done any other way in Windows – you need the AirPcap. For a free alternative, see my response to Spanky further up the page.
jomar said,
16 March, 2008 at 10:33 pm
hi Phil,
i can not run the cain & abel properly, i installed the airpcap, but if i scan for the “wireless”. The AirPcap column, staing that driver version: not installed. and the lock on channel is inactive, as so as the other like the “analyze” button, it is not scanning for any WEP IV’s. i’m running under vista home premium. pls help me make the program works. thanks a lot.
Phil Wiffen said,
17 March, 2008 at 8:31 pm
jomar: The AirPcap Software will not work without an AirPcap Adapter. Have you bought one?
shane said,
12 April, 2008 at 9:42 pm
hey phil whats up?? i have air p cap ex the one with the attachable external antenna i was wondering if i can also use it as a wireless network card???? because it has lots of range…. is there any way to make it a wireless network card??? thanks
slayer said,
16 April, 2008 at 9:31 pm
airpcap tx and packet injection
i have used airpcap and cain to successfully crack my network in wep and wpa modes
what baffles me is how to generate traffic on the network to produce more wep ivs faster
i assume that packet injection is just the feature ive been looking for but im not sure how it works… i can deauth a client on a wpa network and collect wpa 4 way handshake but if its a wep clientless network then i cant generate traffic
with linux and aireplay you simply use packetforge to increase the traffic rate but packet injection in cain with airpcap doesnt seem to work..
what am i not doing or what am i doing wrong????
Phil Wiffen said,
18 April, 2008 at 8:44 pm
“but if its a wep clientless network then i cant generate traffic”
Hey Slayer, unless Cain has changed in the last few months (possible), you can’t generate traffic against a clientless AP.
Phil Wiffen said,
18 April, 2008 at 11:40 pm
Shane, in a nutshell: No you can’t use it as a wifi card. Its firmware prevents it from doing so.
Download Aircrack - Hacking WEP + WPA Keys, Windows - Page 2 - CashLoopholes said,
8 July, 2008 at 6:54 pm
[...] – Hacking WEP + WPA Keys, Windows np…here’s a useful video if you can’t figure it out Cracking WEP with AirPcap and Cain and Abel Mind Circus [...]
How to Crack Wifi in Windows using AirPcap, Cain amd Abel said,
16 July, 2009 at 12:13 am
[...] Thanks to Phil Wiffen [...]