Project 20: Cracking WEP with Kali on an Eee PC (20 pts.)

What You Need for This Project

Set up a WEP-Protected Wireless LAN

Router: Use any wireless router that is available.

Wired Client: Connect a cable from any numbered port on the router to the PC, and disable all other network adapters on the PC. Use IPCONFIG to find the Default Gateway on the PC and open that address in a Web browser. Configure the network to use WEP, and make a note of the key, which is ten hexadecimal characters.

Wireless Client: Use any computer with a wireless card. Connect to the wireless router, typing in the ten-character key when you are prompted to. Disable all other network adapters on the wireless client computer. On the wireless client, enter this command to send a constant series of pings to the router, using your router's IP address instead of the example address below:

PING -T 192.168.10.1

Booting the Eee PC to Kali Linux

Start the Eee PC. Select "Kali Linux". Log in as directed on the label on top of the computer.

Removing Old Files

In the Terminal window, execute this command to clean off old files left by previous students:
rm output*.cap

Observing the wlan0 Device

In the Terminal window, type in this command, and then press the Enter key:

iwconfig

You should see the wlan0 device, as shown below on this page. It is in Mode:Managed, which is the normal mode for wireless networking. We need to get the card out of that mode, so we will first disable it.

In the Terminal window, type in this command, and then press the Enter key:

ifconfig wlan0 down

Starting the wifi0 Device in Monitor Mode

In the Terminal window, type in this command, and then press the Enter key:

airmon-ng start wifi0

You have now stopped the wireless card and restarted it with the special MadWiFi drivers, which are necessary for cracking WEP. Now the card is monitoring on all channels.

Capturing Packets to View the Available Networks

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 2" at the bottom of the window.

In the "Shell No.2" window, type in this command, and then press the Enter key:

airodump-ng -w test wlan0

This command opens a window showing all local networks, as shown below on this page. The captured packets are going to a file named "test", which isn't important.

The columns in the output are explained below:

Write down these three values for the network you want to crack:

In the lower section of your screen, try to find the STATION Mac address that is associated with the access point you want to crack.

If it has scrolled off the screen, stop the capturing with Ctrl+C, start it again with the airodump-ng -w test wlan0 command, and stop it with Ctrl+C as soon as the lower portion of the chart shows your target network.

Write down the STATION address for your target network. This is the MAC address of the client.

Press Ctrl+C to stop the Airodump capture.

Restarting Monitoring on the Correct Channel

Click the "Shell" tab at the lower left of your screen to make it active—this is the window you used for the airmon-ng commands.

In the Terminal window, type in this command, and then press the Enter key:

airmon-ng stop wifi0

In the Terminal window, type in this command, and then press the Enter key:

airmon-ng start wifi0 11

Replace 11 with the CH number you wrote down in a previous step. Now the card is monitoring only the channel we are interested in.

Resuming Packet Capture

Click the "Shell No. 2" tab to make it active—this is the Konsole window you used for the airodump-ng command.

In the "Shell No. 2" window, type in this command, and then press the Enter key:

airodump-ng -c 11 -w output wlan0

Replace 11 with the CH number you wrote in the box above on this page. This captures packets only on the desired channel and dumps them into a capture file with the prefix output (airodump-ng appends a sequence number, so the file is named output-01.cap, which the output*.cap pattern used later matches). Notice that the #Data count is not rising quickly; you may not see any data being captured at all. Leave this capture running.

Performing an ARP Replay Attack

Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs.

In the "Shell" window, type in this command, and then press the Enter key:

aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 wlan0

Replace 00:11:50:1E:43:87 with the BSSID you wrote down in a previous step (the access point's MAC address).

Replace 00:16:B6:5B:A3:D6 with the STATION address you wrote down in a previous step (the wireless client's MAC address).

The last line in your Terminal window should show the number of packets read, the number of ARP requests captured, and the number of packets sent, as shown below on this page. Within a few seconds, all three of these numbers should start rising rapidly. That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.

(The image below was taken with a different network adapter named rausb0, but now we are using the wlan0 adapter.)

If the number of ARP requests stalls at zero, disconnect the wireless client and reconnect it.

Look at the "Shell - Konsole <2>" window. The # Data value should be rising very rapidly, as shown below on this page.
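What the replay looks like from the network's side is worth seeing as well. The following is an added example for this lab, not part of the original handout or of the aircrack-ng suite: a small detector that runs over a constructed list of frame records (timestamp, BSSID, station, frame length, IV), the same facts airodump-ng summarises in its #Data column, and flags two symptoms of the attack above. The first is a burst of identical-length data frames from one station far above a normal rate (the replayed ARP request); the second is reuse of IV values under one BSSID, which WEP's 24-bit IV makes inevitable once traffic is forced. The addresses, lengths and rates are placeholders chosen for the example; a wireless IDS would take the same fields from real captures.

```python
"""Detect WEP ARP-replay storms and IV reuse in a stream of frame records.

Added example for the WEP lab; not part of the original handout or of
aircrack-ng. Works on constructed (time_s, bssid, station, frame_len, iv)
tuples rather than reading a .cap file.
"""
from collections import Counter, defaultdict, deque

# Placeholder addresses for the example (not real hardware addresses).
AP = "00:00:00:00:00:AA"
CLIENT = "00:00:00:00:00:BB"


def normal_traffic():
    """Constructed baseline: 20 frames over 10 s, varied lengths, fresh IVs."""
    return [(i * 0.5, AP, CLIENT, 100 + (i * 37) % 400, 0x100000 + i)
            for i in range(20)]


def replay_storm(start=10.0):
    """Constructed attack: 400 frames of one fixed length in 2 s.

    The fixed length (68 here, chosen for the example) mimics a single
    encapsulated ARP request being replayed; the IVs are drawn from a
    deliberately small range so that reuse shows up in the sample.
    """
    return [(start + i * 0.005, AP, CLIENT, 68, 0x200000 + (i % 150))
            for i in range(400)]


SAMPLE = normal_traffic() + replay_storm()


def detect_replay_bursts(frames, window_s=1.0, threshold=100):
    """Flag (bssid, station, length) triples that exceed `threshold` frames
    inside any sliding window of `window_s` seconds.

    Returns a list of (station, frame_len, count_in_window, time) alerts,
    one per offending triple, raised the first time the threshold is hit.
    """
    alerts = []
    recent = defaultdict(deque)   # triple -> timestamps inside the window
    fired = set()
    for t, bssid, station, length, _iv in sorted(frames):
        key = (bssid, station, length)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window_s:      # drop frames older than window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((station, length, len(q), t))
    return alerts


def iv_reuse(frames):
    """Return {(bssid, iv): count} for every IV seen more than once per BSSID.

    Every frame under one BSSID is encrypted with the same fixed WEP key, so
    a repeated IV means a repeated RC4 keystream.
    """
    counts = Counter((bssid, iv) for _, bssid, _, _, iv in frames)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for station, length, count, t in detect_replay_bursts(SAMPLE):
        print(f"replay burst: {count} frames of {length} bytes from "
              f"{station} within 1 s at t={t:.3f}")
    reused = iv_reuse(SAMPLE)
    print(f"{len(reused)} IV values reused under {AP}; "
          f"worst case {max(reused.values())} uses of one IV")
```

On the constructed sample the baseline produces no alert, while the storm trips the burst rule after its first 100 frames and shows 150 distinct IVs repeated. The threshold and window are tuning knobs: a busy production WLAN may legitimately exceed 100 frames per second per client, but it will not do so with every frame the same length, which is why the rule keys on the (station, length) pair rather than on rate alone.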

Troubleshooting

If the ARP replay fails, you can just make the network busier. One simple way to do that is to open 30 Command Prompt windows on the client, each running this command, using your router's IP address instead of the example address below:

PING -T -L 65000 192.168.10.1

They won't get replies, but they should send a lot of packets to the router and make the #Data count increase rapidly.

Cracking the Key

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 3" at the bottom of the window. In the "Shell No. 3" window, type in this command, and then press the Enter key:

aircrack-ng -a 1 -n 64 output*.cap

It should find the key within a few minutes, as shown below on this page.
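Why a few minutes is enough, as an added note that is not part of the original handout: the ten-hexadecimal-character key from the setup step is 40 bits, and the -n 64 option names that 40-bit key plus the 24-bit initialization vector (IV) that WEP prepends, unencrypted, to every frame. The number of distinct IVs is therefore

$$N = 2^{24} = 16{,}777{,}216 .$$

By the birthday bound, the probability that at least one IV value repeats among $n$ captured frames is

$$P(n) \approx 1 - e^{-\,n(n-1)/(2N)},$$

which passes one half at

$$n \approx \sqrt{2N \ln 2} \approx 4{,}823 \text{ frames}.$$

Every frame the ARP replay draws out of the access point is a fresh IV used with the same fixed key; that is what the #Data counter is counting and what the statistical attack behind -a 1 consumes. The fault is the design (a fixed key behind a 24-bit IV), not the key length, which is why the remedy on a real network is to move to WPA2 or later rather than to a longer WEP key.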

Sending in the Image

The easiest way to capture this image is to take a photo of it with your cell phone.

Send the message to cnit.123@gmail.com with a subject line of Proj 20 From Your Name(s). If you are working in a group, list all the names in the subject line. Send a Cc to yourself.

If you don't have a cell phone that can take a photo, connect the Eee to the Internet using an Ethernet cable, execute the dhclient command, and capture a snapshot with Start, KSnapshot.

Then send the email from the Eee using Firefox.

Credits

I got a lot of this from "Wireless Vulnerabilities and Cracking with the Aircrack Suite", by Stephen Argent, in the magazine hakin9, Issue 1/2008. There is a lot more information about cracking WEP and WPA in that article; it's great!

Last modified 4-23-13 by Sam Bowne