cracking wep really is that easy
Written by jlgaddis on May 28, 2006 – 10:51 am

so cracking wep really is as easy as they say…
i was sure of this since i don’t really have a reason to not believe anyone who says it, but i’m one of those people who like to see things before i believe them. i also use the metasploit framework to run exploits against my own networks, just to verify that they are real.
anyways, i wanted to crack wep. my laptop has the intel pro/2200 wireless (centrino) built-in but apparently it can’t do packet injection, which is kinda a must. reports that i read indicated that most of the atheros-based cards worked wonderfully, so i set out to find one (the netgear wg511t was specifically mentioned). i ran to office depot and managed to find one, and it’s even on sale for $20 off (instant rebate, not a stupid mail-in rebate). anyways, i bought it and came home.
after downloading the madwifi code/modules from livna for fedora core 5 on the laptop, it just worked(TM). i got to work with aircrack and started looking to see what kinda activity was going on. anyways, there was no traffic on the network i wanted to crack. aireplay-ng worked perfectly, associating to the access point so that i could capture the association traffic and replay it. it started injecting/replaying almost immediately and i watched the initialization vector (IV) packet count start increasing pretty quickly. i left it running and went to bed.
when i woke up this morning, there were 1,020,384 IVs that had been captured. since most docs i’ve read say that 128-bit wep can be cracked with around 200,000, i was sure this was plenty. i was right.
i fired up aircrack-ng, pointed it at the file containing the captured IVs and let it go to work. i didn’t have to wait long… four seconds later, it informed me that the key had been found. it was done. i was then able to use the encryption key to then connect to the network (using “iwconfig”) and post this blog entry. =)
Tags: linux, networking, open-source, security



