(Fast) WEP Cracking on the Pwn Plug R3

It’s common knowledge that Wired Equivalent Privacy (WEP) is a completely broken form of WiFi security, but not everyone knows just how trivial it can be to defeat with a properly configured appliance such as the Pwn Plug R3. Not only is the R3 ready to go with the latest versions of all the required software, it’s also equipped with a high performance injection-capable wireless chipset and enough processing power to easily crunch the target network’s key.

Finding a Target

To start, we’ll put the R3’s internal WiFi radio into monitor mode and see what networks are operating in the area. Running the following commands will set up the hardware (creating the monitor interface mon0) and then show a list of networks and their pertinent information:

airmon-ng start wlan0

airodump-ng mon0

You’ll be presented with a screen that will look something like this:

[Screenshot: WEP Cracking]

Here we can see we have a perfect target, a network named “linksys” on channel 6 which is running WEP encryption and has a nice strong signal.

Capturing Data

The next step is to use airodump-ng to capture data from the network, which we’ll eventually use to crack the WEP key. Simply plug the values discovered in the previous airodump-ng scan into a new airodump-ng capture:

airodump-ng -c <CHANNEL> -w <LOGFILE> --bssid <AP MAC> mon0

So the command to start dumping data from our “linksys” network would be:

airodump-ng -c 6 -w linksys --bssid 00:23:69:48:33:95 mon0

The resulting display will show clients connected to the network, as well as how much data is actually moving through the air:

[Screenshot: WEP 2]

Not much is happening on this network right now, but using packet injection, we’ll soon change that.

Note: Keep airodump-ng running in the background while performing the next steps.

Packet Injection

Circumventing WEP requires a large amount of encrypted data to be captured from the network so there’s enough information to crack the key. Under normal circumstances this would mean an attacker would need to wait around and capture data as it’s sent out by the network in the course of normal operation. The key to cracking WEP quickly is using packet injection to force the network to send more data out than it would normally.

The first step is to associate the R3 with the target network, which can be done with the following command:

aireplay-ng -1 0 -a 00:23:69:48:33:95 mon0

Which will give you the following output:

[Screenshot: WEP 3]

This command will throw up a few lines, but the only important one you need to look for is the final one. If you get a little smiley face, you’re good to go.

Finally, we’ll use another aireplay-ng command to start flooding the network with data, which will be captured by the airodump-ng instance we left running in the background earlier.

aireplay-ng -3 -b 00:23:69:48:33:95 mon0

Keep an eye on the last line of aireplay-ng’s output to see the attack progressing.

[Screenshot: WEP 4]
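Seen from the defender's side, the replay step is the noisy part of this whole procedure: one station re-sends the same captured data frame hundreds of times per second, which no ordinary client does. The script below is an added example written for this article, not code from the original post or from the Pwn Plug; it runs a sliding-window rate check over constructed per-frame summaries (timestamp, source MAC, frame length; a format assumed here, which a wireless IDS would derive from its own monitor-mode capture) and flags any source whose rate of identical-length frames within one second exceeds a threshold, where the 200-frames-per-second value is an assumption to be tuned per site.

```python
"""Flag stations that replay identical-length frames at rates no normal client produces."""
from collections import Counter, defaultdict


def make_sample_frames():
    """Constructed sample: (timestamp_s, source MAC, frame length). The format and the
    locally administered MAC addresses are assumptions for this example."""
    frames = []
    for i in range(50):                        # ordinary client: a few varied frames per second
        frames.append((i * 0.2, "02:00:00:00:00:bb", 90 + (i % 7) * 10))
    for i in range(1500):                      # replaying station: one 68-byte frame, ~500/s for 3 s
        frames.append((2.0 + i * 0.002, "02:00:00:00:00:aa", 68))
    return sorted(frames)


def detect_replay_bursts(frames, window_s=1.0, min_frames=200):
    """Return {source MAC: peak count} for every source that sent at least `min_frames`
    frames of one identical length inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for t, src, length in frames:
        by_src[src].append((t, length))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        counts = Counter()      # frames currently inside the window, keyed by length
        start = 0
        peak = 0
        for t, length in recs:
            counts[length] += 1
            while recs[start][0] < t - window_s:    # slide the window: drop frames that aged out
                counts[recs[start][1]] -= 1
                start += 1
            peak = max(peak, max(counts.values()))
        if peak >= min_frames:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for mac, peak in detect_replay_bursts(make_sample_frames()).items():
        print(f"replay burst from {mac}: {peak} identical-length frames in one second")
```

Constant-bitrate traffic such as a voice or video stream also produces runs of equal-size frames, so in practice this check is one signal to combine with others (for example the burst coming from a station that never completed a real data exchange with the access point) rather than an alert on its own.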

Cracking the Key

With data pouring into the Pwn Plug, there’s only one thing left: use aircrack-ng against the growing capture file to crack the WEP key. By running aircrack-ng against the capture file as it’s being filled by airodump-ng, the process will continue until the necessary amount of data is collected (which varies from network to network).

Simply give aircrack-ng the name of the capture file, which airodump-ng derives from the log prefix you specified earlier (here linksys-01.cap):

aircrack-ng linksys-01.cap

A few seconds later, you should see the cracked WEP key ready for use.

[Screenshot: WEP 5]

In practice, it will probably take longer to read the steps involved in cracking WEP than it does to actually recover the key. With the processing power and WiFi chipset in the Pwn Plug R3, going from target acquisition to recovered key can be done within a minute.


1 reply
    Neo Injector says:

    Sometimes it is difficult to manage airodump-ng output files. I mean, once I generate those CSV and XML files and then start looking into them, for a large amount of data I can’t figure it out. So are there any tools or services available for analysis and visualization? I have used this website and it is quite good; here I have shared my sample data, have a look, and also share any other sources if anyone knows. – http://wifiscanvisualizer.appspot.com/

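Both the target-selection step in the article (reading the airodump-ng network list) and this comment's question about working through airodump-ng's output files come down to parsing the CSV that airodump-ng writes beside its .cap file. The following script is an added example written for this article; it is not part of the original post, the aircrack-ng project, or the commenter's data. It parses a constructed capture summary in the airodump-ng CSV layout as I recall it (an access-point table, a blank line, then a station table, with padded fields and extra probed ESSIDs appended as further columns; that layout is an assumption here) and reports every WEP network together with the clients associated to it and the clients probing for its name, which is what a site survey for legacy WEP equipment needs. Only the first BSSID comes from the article; the other addresses are made-up locally administered placeholders.

```python
"""Audit airodump-ng CSV output for legacy WEP networks and the clients using them."""
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed airodump-ng CSV layout. Only 00:23:69:48:33:95 is from
# the article; every other MAC address is a placeholder.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:48:33:95, 2014-06-01 10:00:00, 2014-06-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  5000,   0.  0.  0.  0,   7, linksys,
02:00:00:00:00:01, 2014-06-01 10:00:01, 2014-06-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  110,     0,   0.  0.  0.  0,   9, corp-wifi,
02:00:00:00:00:02, 2014-06-01 10:00:02, 2014-06-01 10:05:00,  1,  54, OPN , , , -70,   90,     0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:aa, 2014-06-01 10:01:00, 2014-06-01 10:05:00, -50,  300, 00:23:69:48:33:95, linksys
02:00:00:00:00:bb, 2014-06-01 10:01:30, 2014-06-01 10:05:00, -60,   20, 02:00:00:00:00:01, corp-wifi
02:00:00:00:00:cc, 2014-06-01 10:02:00, 2014-06-01 10:05:00, -65,    5, (not associated), linksys, guest
"""


def _parse_section(block):
    """Parse one padded, comma-separated table into dicts with trimmed keys and values."""
    reader = csv.DictReader(io.StringIO(block), skipinitialspace=True, restkey="_extra")
    rows = []
    for row in reader:
        extra = [e.strip() for e in (row.pop("_extra", None) or []) if e.strip()]
        clean = {k.strip(): (v or "").strip() for k, v in row.items()}
        if extra:  # surplus columns belong to the last field (additional probed ESSIDs)
            last = reader.fieldnames[-1].strip()
            clean[last] = ", ".join([clean[last]] + extra)
        rows.append(clean)
    return rows


def parse_airodump_csv(text):
    """Split the access-point and station tables (separated by a blank line) and parse each."""
    ap_block, _, station_block = text.strip().partition("\n\n")
    return _parse_section(ap_block), _parse_section(station_block)


def audit_wep(text):
    """One finding per WEP network: where it is, how much traffic it has produced,
    which clients are on it and which clients are still probing for its name."""
    aps, stations = parse_airodump_csv(text)
    associated = defaultdict(list)
    probing = defaultdict(list)
    for st in stations:
        associated[st["BSSID"]].append(st["Station MAC"])
        for essid in st["Probed ESSIDs"].split(","):
            if essid.strip():
                probing[essid.strip()].append(st["Station MAC"])

    findings = []
    for ap in aps:
        if not ap["Privacy"].upper().startswith("WEP"):
            continue
        on_network = associated.get(ap["BSSID"], [])
        findings.append({
            "essid": ap["ESSID"],
            "bssid": ap["BSSID"],
            "channel": int(ap["channel"]),
            "ivs_seen": int(ap["# IV"]),
            "clients": on_network,
            "probing_clients": [m for m in probing.get(ap["ESSID"], []) if m not in on_network],
        })
    return findings


if __name__ == "__main__":
    for f in audit_wep(SAMPLE_CSV):
        print(f"WEP network {f['essid']!r} ({f['bssid']}, ch {f['channel']}): "
              f"{len(f['clients'])} client(s), {len(f['probing_clients'])} probing, "
              f"{f['ivs_seen']} IVs captured")
```

To run it on a real survey, replace SAMPLE_CSV with the contents of the <LOGFILE>-01.csv that airodump-ng writes next to the .cap file; the probing-clients list is worth attention because a laptop that still probes for a retired WEP network name will join any access point that answers to it.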
