It’s common knowledge that Wired Equivalent Privacy (WEP) is a completely broken form of WiFi security, but not everyone knows just how trivial it can be to defeat with a properly configured appliance such as the Pwn Plug R3. Not only is the R3 ready to go with the latest versions of all the required software, it’s also equipped with a high performance injection-capable wireless chipset and enough processing power to easily crunch the target network’s key.
Finding a Target
To start, we’ll put the R3’s internal WiFi radio into monitor mode and see what networks are operating in the area. Running the following command will set up the hardware and show a list of networks and their pertinent information:
airmon-ng start wlan0
You’ll be presented with a screen that will look something like this:
Here we can see we have a perfect target, a network named “linksys” on channel 6 which is running WEP encryption and has a nice strong signal.
The next step is to use airodump-ng to capture data from the network, which we’ll eventually use to crack the WEP key. Simply plug the values discovered in the previous step into airodump-ng:
airodump-ng -c <CHANNEL> -w <LOGFILE> --bssid <AP MAC> mon0
So the command to start dumping data from our “linksys” network would be:
airodump-ng -c 6 -w linksys --bssid 00:23:69:48:33:95 mon0
The resulting display will show clients connected to the network, as well as how much data is actually moving through the air:
Not much is happening on this network right now, but using packet injection, we’ll soon change that.
Note: Keep airodump-ng running in the background while performing the next steps.
Circumventing WEP requires a large amount of encrypted data to be captured from the network so there’s enough information to crack the key. Under normal circumstances this would mean an attacker would need to wait around and capture data as it’s sent out by the network in the course of normal operation. The key to cracking WEP quickly is using packet injection to force the network to send more data out than it would normally.
The first step is to associate the R3 with the target network, which can be done with the following command:
aireplay-ng -1 0 -a 00:23:69:48:33:95 mon0
The command prints a few lines of output, but the only one that matters is the last: if you get a little smiley face, the association succeeded and you’re good to go.
Finally, we’ll use another aireplay-ng command to start flooding the network with data, which will be captured by the airodump-ng instance we left running in the background earlier.
aireplay-ng -3 -b 00:23:69:48:33:95 mon0
Keep an eye on the last line of aireplay-ng’s output to see the attack progressing.
Cracking the Key
With data pouring into the Pwn Plug, there’s only one thing left: use aircrack-ng against the growing capture file to crack the WEP key. By running aircrack-ng against the capture file as it’s being filled by airodump-ng, the process will continue until the necessary amount of data is collected (which varies from network to network).
Simply give aircrack-ng the name of the log file you specified when running airodump-ng:
A few seconds later, you should see the cracked WEP key ready for use.
In practice, it will probably take longer to read the steps involved in cracking WEP than it does to actually recover the key. With the processing power and WiFi chipset in the Pwn Plug R3, going from target acquisition to recovered key can be done within a minute.
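The same airodump-ng survey the walkthrough uses to find a target is what a network owner can use to find their own WEP networks before someone else does. As an added example that is not part of the original post, the script below parses the CSV that airodump-ng writes next to its capture file (the column layout is assumed from current aircrack-ng releases, and the sample rows are constructed), flags every WEP network for migration, and flags any WEP network whose data-frame count has grown far beyond what idle traffic produces, which is the footprint the injection step above leaves.

```python
import csv
from typing import Dict, List

# Constructed sample in the layout airodump-ng writes to <LOGFILE>-01.csv.
# Assumption: the header names match current aircrack-ng releases. The rows
# are invented for this example; the "linksys" entry mirrors the post's target.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:48:33:95, 2024-01-01 10:00:00, 2024-01-01 10:01:00,  6,  54, WEP , WEP, , -40, 120, 48213, 0.0.0.0, 7, linksys, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:01:00, 11, 130, WPA2, CCMP, PSK, -55, 118, 0, 0.0.0.0, 6, office, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:01:00,  1,  54, WEP , WEP, , -70, 60, 12, 0.0.0.0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text: str) -> List[Dict[str, str]]:
    """Return the access-point rows of an airodump-ng CSV as dicts.

    The file holds two tables separated by a blank line; the second
    (associated stations) is skipped here.
    """
    ap_lines: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            break  # blank line marks the end of the AP table
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if len(fields) < len(header):
            continue  # truncated line, e.g. airodump-ng still writing
        rows.append({h: v.strip() for h, v in zip(header, fields)})
    return rows


def audit_wep(aps: List[Dict[str, str]], iv_alert: int = 10000) -> List[Dict]:
    """Flag WEP networks; mark those whose captured data-frame count ("# IV")
    already exceeds iv_alert, a volume a quiet network does not reach in a
    short survey and which is consistent with an injection attack in progress.
    The threshold is an assumption for this example, not an aircrack-ng value."""
    findings = []
    for ap in aps:
        if "WEP" not in ap["Privacy"].upper():
            continue
        ivs = int(ap["# IV"] or 0)
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "ivs": ivs,
                         "injection_suspected": ivs >= iv_alert})
    return findings


if __name__ == "__main__":
    for f in audit_wep(parse_access_points(SAMPLE_CSV)):
        print(f)
```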