Crack a WEP Key from a Capture File with aircrack-ng


Introduction

Welcome to this lab on cracking WEP keys with aircrack-ng. WEP (Wired Equivalent Privacy) is an outdated and insecure Wi-Fi security protocol. Its cryptographic weaknesses allow attackers to recover the secret key by analyzing a relatively small amount of network traffic.

In this lab, you will use aircrack-ng, a popular suite of tools for auditing wireless networks. Specifically, you will use the aircrack-ng tool to analyze a pre-existing capture file (.cap) that contains captured network packets, including the Initialization Vectors (IVs) necessary to crack the WEP key. This hands-on exercise will demonstrate how straightforward it is to break WEP encryption, highlighting the importance of using modern security protocols like WPA3.

All operations will be performed in the terminal within your ~/project directory.

Select the .cap File with Captured WEP IVs

In this step, you will begin by examining the contents of your working directory to locate the capture file. The lab environment has been pre-configured with a capture file named wep.cap in your ~/project directory. This file contains the necessary network traffic for the attack.

First, let's list the files in the current directory to confirm that wep.cap is present. Use the ls -l command, which provides a detailed listing.

ls -l

You should see the wep.cap file in the output, similar to this:

total 68
-rw-r--r-- 1 labex labex 68884 Dec 12 12:00 wep.cap

This confirms the file is ready for the next step.

Run aircrack-ng Directly on the Capture File

In this step, you will run the aircrack-ng command on the capture file to initiate the cracking process. The basic syntax for this operation is aircrack-ng <capture_file>.

Execute the following command in your terminal:

aircrack-ng wep.cap

After running the command, aircrack-ng will read the file and display a list of the wireless networks it found within the capture. If the capture contains more than one network, it will prompt you to choose which one to attack; when there is only one, it selects that network automatically.

The output will look something like this:

Opening wep.cap
Read 11117 packets.

   ##  BSSID              ESSID                 Encryption

   1  00:14:6C:7E:40:80  <length: 6>          WEP (10408 IVs)

Choosing first network as target.

Because this capture contains a single network, aircrack-ng selects it as the target without prompting. The attack starts immediately after this message.

Analyze the Attack Progress and the PTW Method

In this step, you will observe the output of aircrack-ng as it begins the attack. Once the target network is selected, aircrack-ng immediately starts the cracking process using the collected IVs.

The tool will display real-time progress information. Pay attention to the following details:

  • IVs read: the number of packets read from the file and, in parentheses next to the network, the number of IVs available for the target network.
  • Attack Method: The primary attack used is the PTW (Pyshkin, Tews, Weinmann) attack. This is a highly efficient statistical attack that can crack WEP keys with a relatively small number of IVs.

The screen will update as the attack progresses, showing the number of IVs tested:

Opening wep.cap
Read 11117 packets.

   ##  BSSID              ESSID                 Encryption

   1  00:14:6C:7E:40:80  <length: 6>          WEP (10408 IVs)

Choosing first network as target.
Attack will be restarted every 5000 IVs.
Starting PTW attack with 10408 IVs.

This output confirms that the PTW attack has started. You just need to wait for it to complete.

Wait for the 'KEY FOUND' Message to Appear

In this step, you will wait for aircrack-ng to complete its process and find the WEP key. The PTW attack is very fast when a sufficient number of IVs are available. The wep.cap file provided in this lab contains more than enough IVs, so the cracking process should only take a few seconds.

Once aircrack-ng successfully determines the key, it will stop the attack and display a clear success message.

Look for the following output in your terminal:

                                 Aircrack-ng 1.6

      [00:00:00] Tested 1 keys (got 10408 IVs)

      KB    PTW   Key
       1   1036  00:14:6C:7E:40:80         KEY FOUND! [ 1F:1F:1F:1F:1F ]
       Decrypted correctly: 100%

The KEY FOUND! message indicates that the attack was successful. The Decrypted correctly: 100% line further confirms that the found key is correct.

Interpret the Found WEP Key in Hexadecimal Format

In this step, you will interpret the final result from aircrack-ng and record the key. The most important piece of information from the previous step is the key itself.

From the output KEY FOUND! [ 1F:1F:1F:1F:1F ], the value inside the square brackets is the WEP key, shown as hexadecimal bytes. The colons (:) separate the bytes for readability and are not part of the key itself. The key is 1F1F1F1F1F.

To complete this lab, let's save the recovered key to a file named wep_key.txt. This simulates recording the key for future use.

Execute the following command to write the key (without colons) into the file:

echo "1F1F1F1F1F" > wep_key.txt

You can verify the content of the file with the cat command:

cat wep_key.txt

The output should be:

1F1F1F1F1F
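The steps above read three things off aircrack-ng's screen by eye: the network table with its encryption type and IV count, the "Starting PTW attack with N IVs" line, and the KEY FOUND! line whose colons must be stripped before the key is saved. The following script does the same parsing programmatically and adds the check a practitioner would want: that the recovered key has a valid WEP length (40-bit or 104-bit). It is an added example, not part of the lab or of the aircrack-ng project; SAMPLE_OUTPUT is a constructed transcript assembled from the fragments shown in this lab, and the function names and the output format assumptions are mine.

```python
import re

# Constructed sample of aircrack-ng output, assembled from the fragments the
# lab shows (network table, PTW start, KEY FOUND line). Not a real capture.
SAMPLE_OUTPUT = """\
Opening wep.cap
Read 11117 packets.

   ##  BSSID              ESSID                 Encryption

   1  00:14:6C:7E:40:80  <length: 6>          WEP (10408 IVs)

Choosing first network as target.
Attack will be restarted every 5000 IVs.
Starting PTW attack with 10408 IVs.

                                 Aircrack-ng 1.6

      [00:00:00] Tested 1 keys (got 10408 IVs)

      KB    PTW   Key
       1   1036  00:14:6C:7E:40:80         KEY FOUND! [ 1F:1F:1F:1F:1F ]
       Decrypted correctly: 100%
"""

# One row of the network table: index, BSSID, ESSID, encryption, optional IV count.
NETWORK_RE = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(.+?)\s+"
    r"(WEP|WPA2|WPA|OPN|None)\b(?:\s*\((\d+) IVs\))?",
    re.MULTILINE,
)
PTW_START_RE = re.compile(r"Starting PTW attack with (\d+) IVs")
KEY_RE = re.compile(r"KEY FOUND!\s*\[\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*\]")
DECRYPT_RE = re.compile(r"Decrypted correctly:\s*(\d+)%")

# WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes); anything else is a parse error.
VALID_KEY_HEX_LENGTHS = {10, 26}


def list_networks(output):
    """Return the networks aircrack-ng listed, one dict per table row."""
    networks = []
    for m in NETWORK_RE.finditer(output):
        networks.append({
            "index": int(m.group(1)),
            "bssid": m.group(2).upper(),
            "essid": m.group(3).strip(),
            "encryption": m.group(4).upper(),
            "ivs": int(m.group(5)) if m.group(5) else None,
        })
    return networks


def wep_networks(output):
    """Networks still on WEP: the ones a site survey should flag for migration."""
    return [n for n in list_networks(output) if n["encryption"] == "WEP"]


def ptw_iv_count(output):
    """IVs the PTW attack started with, or None if the attack never started."""
    m = PTW_START_RE.search(output)
    return int(m.group(1)) if m else None


def extract_wep_key(output):
    """Return the recovered key as colon-free uppercase hex, as the lab writes it."""
    m = KEY_RE.search(output)
    if not m:
        raise ValueError("no KEY FOUND! line in output")
    key_hex = m.group(1).replace(":", "").upper()
    if len(key_hex) not in VALID_KEY_HEX_LENGTHS:
        raise ValueError(f"unexpected WEP key length: {len(key_hex) * 4} bits")
    return key_hex


def key_bits(key_hex):
    """Key size in bits for a colon-free hex key (40 or 104 for WEP)."""
    return len(key_hex) * 4


def decrypt_confidence(output):
    """Percentage from the 'Decrypted correctly' line, or None if absent."""
    m = DECRYPT_RE.search(output)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for net in wep_networks(SAMPLE_OUTPUT):
        print(f"WEP network {net['bssid']} ({net['ivs']} IVs): migrate to WPA2/WPA3")
    print("PTW started with", ptw_iv_count(SAMPLE_OUTPUT), "IVs")
    key = extract_wep_key(SAMPLE_OUTPUT)
    print(f"key {key} ({key_bits(key)}-bit), decrypted correctly: "
          f"{decrypt_confidence(SAMPLE_OUTPUT)}%")
    with open("wep_key.txt", "w") as fh:   # same file the lab creates with echo
        fh.write(key + "\n")
```

Run it in ~/project and it writes the same wep_key.txt the echo command produced. In a real audit you would feed it aircrack-ng's actual output (for example, aircrack-ng wep.cap | python3 parse_aircrack.py after replacing SAMPLE_OUTPUT with sys.stdin.read()); the wep_networks() listing is the part worth keeping, since any BSSID it returns is a network that still needs to be moved off WEP.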

You have now successfully cracked the WEP key and saved it.

Summary

Congratulations! You have successfully completed this lab.

In this lab, you learned how to use aircrack-ng, a powerful tool for wireless network auditing. You started by identifying a capture file, then launched aircrack-ng to analyze it. You observed the PTW attack in action and successfully recovered a WEP key from the captured data.

This exercise demonstrates the fundamental weakness of the WEP protocol and underscores the critical importance of using stronger, modern encryption standards like WPA2 or WPA3 to secure wireless networks.