How to Use Fern WiFi Cracker to Crack WEP Encrypted Networks

In my original WEP cracker article, I walked you through a WEP crack using the airodump-ng tool, the aireplay-ng tool, and the aircrack utility. I used aircrack to crack my WEP key.

The other two tools, aireplay and airodump, I used to sniff the wireless traffic and then inject packets into the wireless stream in order to speed up my WEP crack. These three tools provide very deep levels of control.

You can modify the TCP traffic to, for instance, inject a certain number of packets during a specific period of time. You can really fine tune your attack with aireplay. Aircrack also provides a huge list of options when attacking a password.

This level of granularity and control can really help you when you are out on wireless security audits. However, I’m going to discuss the Fern WiFi Cracker with you. It’s a pretty nifty utility, and you can use Fern to automate a WiFi crack with just a few mouse clicks.

Automation Using the Fern WiFi Cracker

Just so you know, I still prefer and recommend you study the other methods to crack WEP as well, using airodump, aireplay, and aircrack.

Why? Because in order to be a good network security professional, you need to KNOW how this stuff works. It’s not enough to be able to click a few buttons. (We call those people keyboard jockeys or tool monkeys.) Understand what’s going on under the surface. WiFi hacking software comes and goes, but aircrack, airodump, and aireplay have been around for a long time. They’re all quality products, and you should know how each of these three tools works and how they can be used in conjunction with one another for a successful WiFi crack. The Fern WiFi Cracker is an example of some fairly new WiFi hacking software that’s worth knowing.

Fern is a great WiFi cracker to use in a pinch and it’s already included in Back Track and Kali Linux. However, you can download Fern’s source code right here. We can use Fern to do a WiFi crack against a WEP encrypted network. Start by launching Fern from the Applications menu button at the top-left corner of the screen.

If you’re running Kali Linux:

Applications > Kali Linux > Wireless Attacks > Wireless Tools

If you’re running Back Track:

Applications > Back Track > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation

Launch the Fern WiFi Cracker and Crack WEP

From the menu, click Fern-wifi-cracker to launch the tool.

You should already have your wireless card in monitor mode. If not, see my previous article first.

Click the drop-down menu at the top of Fern and select your wireless adapter from the list. Click OK to any message boxes you get. After a few moments, the message Monitor Mode Enabled on… should appear in green, as seen in the image.

Then click Scan for Access Points.

Fern will scan for WiFi networks in range, and will begin populating the WEP and WPA boxes.

Once the Fern WiFi Cracker finishes scanning for networks, you can select the network you are targeting by finding it in either the WEP section or the WPA section. In this example, I am targeting a WEP encrypted network with an SSID of Hack-WiFi.

Select your target network from the drop-down box and then click the WiFi Attack button to the right.

The Fern WiFi Cracker will now begin an automated WEP crack against the hack-wifi network. This may take some time, so if you need to get some coffee or take a dump, go for it. You’ll have a Please Wait… screen for a long time, as Fern goes through the process.

Remember, Fern is completely automated WiFi hacking software, so there isn’t anything left to do at this point other than to allow Fern to sniff the WiFi network, authenticate to the device, begin injecting replay traffic, and finally crack WEP.

In my case, the Fern WiFi cracker didn’t succeed until it captured about 25,000 IVs.

But finally, if everything worked as it should, you’ll get the message below:

Basic WiFi Hacking – Cracking WEP Security

The WEP WiFi hack is the oldest one around. It is increasingly unlikely to be an option in your security audits and penetration tests, because most people now use more robust encryption methods like WPA2, and WiFi routers ship with WPA/WPA2 enabled by default.
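The cheapest fix for everything that follows is on the access point itself. The checker below is an added example (not from the article and not part of any vendor's firmware) that reads a hostapd.conf fragment, labels the mode it configures, and lists what a reviewer should flag. The two fragments are constructed: a WEP configuration and the WPA2/CCMP form it should be replaced with. It assumes hostapd's documented keys (wep_key0, wep_default_key, wpa, wpa_key_mgmt, rsn_pairwise); the passphrase value is a placeholder.

```python
import re

# Constructed hostapd.conf fragments for the audit (not from the article).
# Weak: a 40-bit WEP key, the setup this article shows being recovered.
WEAK_CONF = """\
interface=wlan0
ssid=Hack-WiFi
channel=6
wep_default_key=0
wep_key0=0123456789
"""

# Hardened: WPA2-PSK with CCMP only; passphrase is a placeholder.
HARDENED_CONF = """\
interface=wlan0
ssid=Hack-WiFi
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Return {key: value} for a hostapd.conf, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def classify_security(conf):
    """Label the AP as 'WEP', 'OPEN', 'WPA', 'WPA2' or 'WPA/WPA2'."""
    # Any wep_key0..wep_key3 line means WEP regardless of other settings.
    if any(re.fullmatch(r"wep_key[0-3]", k) for k in conf):
        return "WEP"
    wpa = conf.get("wpa", "0")          # hostapd default: no WPA
    return {"1": "WPA", "2": "WPA2", "3": "WPA/WPA2"}.get(wpa, "OPEN")


def audit_findings(conf):
    """Plain-language problems a reviewer should raise; empty list means clean."""
    findings = []
    label = classify_security(conf)
    if label == "WEP":
        findings.append("WEP key configured: RC4 with 24-bit IVs, "
                        "key recoverable from captured traffic")
    elif label == "OPEN":
        findings.append("no encryption configured (wpa unset or 0)")
    elif label in ("WPA", "WPA/WPA2"):
        findings.append("WPA1 still allowed; restrict to WPA2 (wpa=2)")
    ciphers = conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")
    if label.startswith("WPA") and "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled; use CCMP only")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_hostapd(text)
        print(name, classify_security(conf), audit_findings(conf))
```

Run it against a real hostapd.conf by reading the file into `parse_hostapd`; anything other than an empty findings list for an access point you own is a migration ticket, not a pentest finding to wait for.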

However, some IoT (Internet of Things) devices, that is, devices that need the internet or simply a WiFi network to work, like wireless security cameras, wireless printers, ‘smart’ thermostats, and even ‘smart’ refrigerators, still use WEP security.

Numerous security holes exist in WEP, which is why you’re less likely to encounter it on an engagement. WEP, or Wired Equivalent Privacy, was the first serious attempt to secure wireless networks.

WEP sought to give users the same amount of protection and confidentiality as wired networks provided. We can easily perform WEP-based WiFi hacks on those access points still dumb enough to use it. By exploiting a flaw in WEP’s use of the RC4 stream cipher, we can recover the key from traffic we collect from the access point over time.

We’ll need to capture a ton of packets (tens of thousands). The more packets we capture from the wireless access point, the more likely we are to have enough data to perform statistical cryptanalysis and recover the key. (But don’t worry, we’re going to drastically speed up the time it takes to collect enough packets to do this.)
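Why does the packet count matter so much? WEP prepends a 24-bit initialisation vector (IV) in the clear to every frame and mixes it with the shared key to seed RC4, so two frames with the same IV under the same key are encrypted with the same keystream. The added example below (mine, not from the article or the aircrack-ng project) puts numbers on that: the exact birthday-bound probability that some IV repeats among n frames, the expected number of colliding pairs, and a simulation. It models IVs as uniformly random; many real cards instead count IVs sequentially, so in practice repeats come from counter resets and wrap-around, and the tools' statistical attacks also exploit other biases in how RC4 is keyed. The point is only that the 24-bit IV space is exhausted on a human time scale.

```python
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible IVs for one key


def iv_repeat_probability(n):
    """Exact probability that at least two of n uniformly random IVs coincide.

    Birthday bound in product form: P(all distinct) = prod_{i<n} (N - i) / N.
    """
    p_unique = 1.0
    for i in range(n):
        p_unique *= (IV_SPACE - i) / IV_SPACE
        if p_unique == 0.0:        # n > N: a repeat is certain
            break
    return 1.0 - p_unique


def expected_colliding_pairs(n):
    """Expected number of (frame, frame) pairs sharing an IV among n frames."""
    return n * (n - 1) / (2 * IV_SPACE)


def count_reused_ivs(n, seed=1):
    """Simulate n frames with random IVs; count frames whose IV was already seen.

    Each such frame shares a keystream with an earlier one (constructed model,
    fixed seed so the run is reproducible).
    """
    rng = random.Random(seed)
    seen = set()
    reused = 0
    for _ in range(n):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            reused += 1
        else:
            seen.add(iv)
    return reused


if __name__ == "__main__":
    # 25,000 is the IV count the article reports Fern needed in its run.
    for n in (1_000, 5_000, 10_000, 25_000):
        print(f"{n:>6} frames: P(repeat) = {iv_repeat_probability(n):.3f}, "
              f"expected colliding pairs = {expected_colliding_pairs(n):.1f}, "
              f"simulated reuse = {count_reused_ivs(n)}")
```

At 25,000 frames the model already expects around 18 colliding pairs; a busy access point sends that many frames in minutes, which is the practical reason the article's 10,000 to 25,000 figures are reachable without waiting.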

If you haven’t read my original post on the basics of a WiFi hack, you really should, because it gives you a general understanding of WiFi security. There are, of course, videos and hacking tutorials on more advanced wireless attacks. But stay here for right now, because as long as you’ve already read the overview, you can move forward.

The easiest WiFi hack – Cracking WEP Wireless Encryption

Let’s get started. Boot into your Back Track or Kali Linux Live CD. Make sure you are connected to the Internet, then run updates:

apt-get update

Then run:

apt-get upgrade

Connect your wireless network adapter. We need to discover the name Back Track (or Kali) has assigned to the adapter. Run the following command and hit Enter:

Before we can do this WiFi hack, we need to enable packet injection on our wireless adapter.

Now run:

airodump-ng mon0

Airodump will literally dump the WiFi networks it detects in the air, as seen below:

As we can see above, only one network that airodump picks up uses WEP encryption, so we will focus our WiFi hack on this particular network. Once we make note of the BSSID and CH (channel) fields, we are almost ready to perform our WiFi hack. We’ll run airodump again, but instead of a broad sweep of the WiFi spectrum, we will focus only on the access point we picked out above.
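Reading the ENC column off the screen is fine for one network; on a site audit you want the survey parsed so every access point still advertising WEP or no encryption ends up in the report. The parser below is an added example, not code from the article or from the aircrack-ng project. It assumes the column layout airodump-ng writes to its <prefix>-01.csv file when run with -w (an access-point table, a blank line, then a station table); the sample is constructed and every BSSID and ESSID in it is made up.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (assumed header; made-up
# addresses and names). The first blank line ends the access-point table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, , -40,  120,  25000,   0.  0.  0.  0,   9, Hack-WiFi, 
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   80,      0,   0.  0.  0.  0,   7, Office1, 
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN , , , -70,   30,      0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50,  200, 00:11:22:33:44:55, Hack-WiFi
"""


def parse_access_points(text):
    """Yield one dict per access point from the first table of an airodump CSV.

    Stops at the blank line that separates the AP table from the station table;
    airodump pads fields with spaces, so every key and value is stripped.
    """
    lines = []
    for line in text.splitlines():
        if not line.strip():
            break
        lines.append(line)
    reader = csv.DictReader(io.StringIO("\n".join(lines)), skipinitialspace=True)
    for row in reader:
        yield {k.strip(): (v or "").strip() for k, v in row.items() if k}


def weak_access_points(text):
    """Return [(bssid, essid, privacy)] for APs advertising WEP or no encryption."""
    weak = []
    for ap in parse_access_points(text):
        privacy = ap["Privacy"].upper()
        if "WEP" in privacy or privacy == "OPN":
            weak.append((ap["BSSID"], ap["ESSID"], privacy))
    return weak


def privacy_summary(text):
    """Count access points per Privacy label, for the audit report."""
    counts = {}
    for ap in parse_access_points(text):
        counts[ap["Privacy"]] = counts.get(ap["Privacy"], 0) + 1
    return counts


if __name__ == "__main__":
    print(privacy_summary(SAMPLE_CSV))
    for bssid, essid, privacy in weak_access_points(SAMPLE_CSV):
        print(f"{bssid}  {essid!r:14} {privacy}  -> schedule migration to WPA2")
```

Point it at a real survey with `weak_access_points(open("survey-01.csv").read())`; the Privacy column can also hold combined labels such as WPA2WPA, which is why the check looks for the WEP substring rather than an exact match.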

Our command syntax is:

airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)

We just need to plug in the channel, BSSID, our packet-injecting interface, and supply a file name to save the packets to. To see the file (because you will need it soon), browse your Home directory and it should be there.

Hit Enter and let the packet capturing begin.

Now, we could simply wait to capture enough packets, but remember we need tens of thousands, and that could take way too long to reasonably wait. Wireless security consultants don’t have time to wait around. If time is short for a WiFi hack, you can use the aireplay tool to inject packets at the access point. These packets trick the access point into tossing out even more of its own packets. This can happen very fast!

(This particular WiFi hack may only take a matter of seconds, depending on the number of packets you capture and how close you are to the access point.)

Open a new terminal window.

Remember to plug in your target’s BSSID and ESSID into the correct fields, and be sure to specify the name of your monitoring interface. It’s usually mon0, but yours may be different, so check. Also, you need to specify your spoofed MAC address after the -h switch.

aireplay-ng -1 0 -a (bssid) -h (your spoofed MAC address) -e (essid) (interface)


You should get an Association successful message. Now you can begin flooding the access point in order to capture more packets. Plug in the target’s BSSID, your spoofed MAC address, and your interface again. Hit Enter.

aireplay-ng -3 -b (bssid) -h (your spoofed MAC address) (interface)

Plan on hanging around until enough packets are harvested to run your WiFi hack.

Go back to your second airodump window where you are capturing packets to file. Keep an eye on the number in the Data column. It needs to be between 10,000 and 20,000. When you’ve captured 10,000 to 20,000, hit Ctrl+C to stop the capture.

Now you can attempt the actual WiFi hack by running the aircrack tool. Plug in the target’s BSSID and the name of the capture file you started with the airodump command. (The capture file should be located in your Home directory.)

aircrack-ng -b (bssid) (yourcapturefilename)


If you captured enough packets, the WEP key will appear next to the triumphant message Key Found. Use that key without the colons to log into the target’s wireless network.

Read up on Aircrack’s website. You can do much more than crack WEP (as we’ll see later), and any security consultant worth their salt should be familiar with the ins and outs of aircrack. Congratulations on your first successful WiFi hack! Keep going!