Cracking WEP WiFi using the Raspberry Pi
About: WEP WiFi security has been broken for years, but thankfully for us there are still people who have never switched to the more secure WPA2 protocol. These are either older businesses that never invested in updating their security or have older equipment that is not compatible with the WPA2 security protocol. You will see how insecure the WEP protocol is and how quickly it can be cracked. The Raspberry Pi I will be using is overclocked to 900 MHz, so it will speed up the cracking process a little bit. I plan on writing a separate article on the different overclock settings and how they compare.
Objective: To demonstrate how insecure the WEP security protocol is and how easily it can be cracked.
Material: You will need the following:
- Raspberry Pi (I have PwnPi 3.0 running on mine, but this can be done using Raspbian)
- USB WiFi Adapter – I use the Panda USB WiFi adapter
- aircrack-ng suite
Instructions: In this tutorial I will be cracking my own WiFi router. I have set it to the WEP protocol and have a few phones connected to my network. If you will be doing this you will need to make sure that there is something connected to your network so that there is traffic being passed back and forth. We will be monitoring all the data and storing it to a file which we will crack afterwards. The more data we collect, the better our success rate will be. I will also show you how to speed this process up by requesting data from the WiFi router without connecting to it.
Let's start by finding our WiFi adapter. Type ‘airmon-ng’ in the terminal. This will print some information about our WiFi adapter. Be sure to write down the Interface. Mine is wlan0 in this tutorial.
Write down your interface and type the following command to put that interface into monitor mode: ‘airmon-ng start <interface>’
airmon-ng start wlan0
If you see a warning like I have in the above image, you can use airmon-ng to check for and kill the interfering processes using the following command
airmon-ng check kill
Now we are ready to look for routers running the WEP security protocol. You can see what is going on in your area using the following command: ‘airodump-ng <monitor interface you created above>’
You can see all the routers available in the image above. The top half is all the Access Points available. The bottom half is devices looking for Access Points to connect to, or that are already connected to an Access Point. This screen tells us a lot of information. You can see the BSSID (MAC address) of the Access Point as well as the channel it is broadcasting on and its current security protocol. I have highlighted my router, which I have set to the WEP protocol, and we will need to make note of its channel and BSSID. airodump-ng refreshes every second; we stop it by pressing CTRL + C.
Now we are ready to start monitoring our Access Point, filtering out all the unnecessary data, and writing the captured data to a file so that we can crack the WEP key. This will capture the packets being transmitted on that Access Point. Ideally we want someone to be already connected to the Access Point so that there is data being transmitted; if not, I will show you how we can generate our own data in a minute. First let's start capturing using airodump-ng again.
Type the following command: airodump-ng -w <file to write to> -c <channel> --bssid <BSSID of Access Point> <monitor interface>. The file-to-write-to parameter can be anything and will be the prefix of the files that airodump-ng creates and writes captured packets to. The channel and BSSID come from the information above. To hack my router I will be using the following command
airodump-ng -w dayzhack -c 1 --bssid 9C:D3:6D:02:3A:E0 mon0
We will need to monitor this screen and watch the data count rise. We need at least 100,000 data packets in the counter if we want a chance of cracking the WEP key quickly and successfully. How fast the data counter rises depends on how much the Access Point is being used. If you are doing this in the middle of the day and no one is home and connected to the Access Point, the data will go up very slowly. If it is the evening and people are watching YouTube videos, the data counter will go up very fast.
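Besides the .cap file, airodump-ng's -w prefix also writes a <prefix>-01.csv summary of every Access Point and station it saw, which is the handy artifact if your goal is the opposite of this tutorial: finding the WEP networks in your own environment so they can be moved to WPA2. The script below is an added example and is not part of the original tutorial or of aircrack-ng; the CSV layout follows airodump-ng's two-table format as I know it (access-point table, blank line, station table, fields separated by ", "), and every row in SAMPLE_CSV is constructed sample data rather than a real capture.

```python
import csv
import io

# Constructed sample in the layout of an airodump-ng <prefix>-01.csv file.
# The BSSID on the first row is the one from the tutorial; every other
# value (timestamps, other BSSIDs, counts) is invented for this example.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
9C:D3:6D:02:3A:E0, 2014-03-01 18:02:11, 2014-03-01 18:33:40, 1, 54, WEP, WEP, , -41, 1884, 171203, 0.0.0.0, 8, dayzhack, 
00:11:22:33:44:55, 2014-03-01 18:02:12, 2014-03-01 18:33:40, 6, 54e, WPA2, CCMP, PSK, -67, 1790, 0, 0.0.0.0, 9, HomeWiFi2, 
AA:BB:CC:DD:EE:FF, 2014-03-01 18:05:02, 2014-03-01 18:30:19, 11, 54, OPN, , , -80, 311, 0, 0.0.0.0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2014-03-01 18:02:20, 2014-03-01 18:33:40, -50, 43012, 9C:D3:6D:02:3A:E0, dayzhack
"""


def parse_access_points(text):
    """Return the access-point rows of an airodump-ng CSV as dicts.

    The file holds two tables separated by a blank line; only the first
    (Access Points) is returned. Keys and values are stripped because
    airodump-ng uses ", " as its separator.
    """
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("BSSID"))
    block = []
    for line in lines[start:]:
        if not line.strip():          # blank line ends the AP table
            break
        block.append(line)
    reader = csv.DictReader(io.StringIO("\n".join(block)), skipinitialspace=True)
    rows = []
    for row in reader:
        rows.append({k.strip(): (v or "").strip()
                     for k, v in row.items() if k is not None})
    return rows


def find_wep_networks(text):
    """List the Access Points whose Privacy column says WEP.

    These are the networks to migrate to WPA2; '# IV' is the unique-IV
    counter that the tutorial watches while capturing.
    """
    weak = []
    for ap in parse_access_points(text):
        privacy = ap.get("Privacy", "").upper()
        if "WEP" in privacy:
            weak.append({
                "bssid": ap["BSSID"],
                "essid": ap["ESSID"],
                "channel": int(ap["channel"]),
                "ivs": int(ap["# IV"] or 0),
            })
    return weak


if __name__ == "__main__":
    for ap in find_wep_networks(SAMPLE_CSV):
        print("WEP network still in use: {essid} ({bssid}) on channel {channel}, "
              "{ivs} IVs captured".format(**ap))
```

To run it against a real capture, replace SAMPLE_CSV with the contents of dayzhack-01.csv (or whatever prefix you gave -w).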
We can speed things up if there is not much going on by using the aireplay-ng command. What we will be doing is sending ARP and ACK requests to the Access Point and monitoring the data packets that come across. If your Raspberry Pi is headless like mine is, you will need to connect to it again using SSH; if your Raspberry Pi is not headless you will need to open a new terminal. Either way, you need to keep the airodump-ng command running so it keeps capturing and writing the data to your SD card.
aireplay-ng will be used in a 2-step process. We will first need to associate with the Access Point using the following command: aireplay-ng -1 0 -a <BSSID> <monitor interface>
aireplay-ng -1 0 -a 9C:D3:6D:02:3A:E0 mon0
Now type the following command to begin sending ARP requests: aireplay-ng -3 -b <BSSID> <monitor interface>
aireplay-ng -3 -b 9C:D3:6D:02:3A:E0 mon0
Just as a side note: the Raspberry Pi is not fast enough to send out ARP requests at a rate that really speeds up the data count much. It will work, but with the Pi running airodump-ng and writing to the SD card as well as sending ARP requests, it will not be as effective as doing this on a laptop.
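Seen from the network owner's side, this ARP replay step is the loudest part of the whole procedure: the same captured frame is re-injected many times per second, while genuine ARP traffic from a client is sparse. A wireless IDS flags exactly that pattern. The script below is an added example (not from the tutorial, and not aircrack-ng code): it runs a sliding-window count over a list of frame records and reports any (source, BSSID, frame length) triple that repeats at least `threshold` times within `window` seconds. The frame records are constructed, the BSSID is the tutorial's, and the window and threshold values are assumptions you would tune to your own environment.

```python
from collections import defaultdict

# Constructed frame records: (time in seconds, source MAC, BSSID, frame length).
# NORMAL mimics a client sending a trickle of varied-size frames; BURST mimics
# the same-length frame being re-injected 400 times in under a second.
# All MACs except the tutorial's BSSID are invented for this example.
BSSID = "9C:D3:6D:02:3A:E0"
NORMAL = [(t * 0.5, "DE:AD:BE:EF:00:01", BSSID, 200 + (t * 37) % 900)
          for t in range(20)]
BURST = [(5.0 + i * 0.002, "00:C0:CA:11:22:33", BSSID, 68)
         for i in range(400)]
FRAMES = sorted(NORMAL + BURST)


def detect_replay_bursts(frames, window=1.0, threshold=200):
    """Flag (source, bssid, length) triples repeated >= threshold times
    inside any window-second span.

    Each triple's timestamps are scanned with two pointers so the check is
    linear in the number of frames. One alert per triple is enough: the
    first window that crosses the threshold is reported, then we move on.
    """
    by_key = defaultdict(list)
    for t, src, bssid, length in frames:
        by_key[(src, bssid, length)].append(t)

    alerts = []
    for (src, bssid, length), times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1                      # slide the window forward
            if hi - lo + 1 >= threshold:
                alerts.append({
                    "source": src,
                    "bssid": bssid,
                    "frame_len": length,
                    "count": hi - lo + 1,
                    "start": times[lo],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_replay_bursts(FRAMES):
        print("possible replay injection: {count} identical {frame_len}-byte frames "
              "from {source} to {bssid} starting at t={start:.3f}s".format(**a))
```

The same detector can be fed from a monitor-mode capture by extracting (timestamp, source address, BSSID, length) per frame; a legitimate client almost never produces hundreds of identically sized frames per second, so false positives are rare at these settings.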
We should see our data counter going up. I left mine running for about 30 minutes and came back to find I have over 170,000 data packets collected.
We should now have enough data to crack the WEP key quickly. We can stop aireplay-ng by closing its terminal and stop airodump-ng by pressing CTRL + C on its screen. You can now type ‘ls’ to see all the files in your current location. You should see a few files whose names start with the prefix airodump-ng was writing to. In my case I used dayzhack as the prefix.
Notice the file called dayzhack-01.cap; that's the file we'll need. Make note of which file has the .cap extension, since that is the file containing all the data we need to crack the key. We will now begin cracking the WEP key using aircrack-ng. Simply type aircrack-ng <file>
It took the Raspberry Pi under 2 minutes to find the WEP key. We can now use the cracked key to log in to the Access Point. Congratulations!
This shows you how easy and quick it is to crack the WEP protocol using the Raspberry Pi. I initially thought the Raspberry Pi would take over 10 minutes to crack the file but I was surprised how quickly it was able to find the password.
For any questions or if you need help comment and I will try to help you out as best as I can.