Wired Equivalent Privacy (WEP) was introduced in 1999 as a part of 802.11 standard. It's puprose was to assure the privacy of the wireless network in a way near to wired networks. It's using RC4 cipher (with different key size: 64 and 128 bits) and CRC-32 checksum to mantain integrity. In addition WEP is using a short, 24 bit initialization vector (IV), which is added to the key provided by user, creating 'unique' for each packet RC4 key. But because the IV is so short, and it's used with the same key, WEP is now considered outdated, easy to crack and insecure.
Step by step attack
Firstly we need to setup an old router, with WEP security option enabled, which will be our practice target. Also remember to have some other device connected to it wirelessly since we'll need to capture encrypted data between them. After that check whether or not your wireless card supports packet injection - if not, you have to get another one. I'm using TL-WN722N which is great and cheap option. Now, if you have everything up and running - let's move to Kali.
Firstly let's check if your adapter is seen by Kali - you can do this by typing airmon-ng command.
For me it shows two cards - built in and USB one which is wlan1
Now type airmon-ng start [interface] to set your USB adapter into monitor mode. If you encounter any problem try using airmon-ng check kill which will kill any processes using this adapter. After that I checked what name was assigned to the adapter - for me it was wlan1mon but yours can be different.
Next step is to find the router - and get it's BSSID, channel (CH) and ESSID. You can do this by running command airodump-ng [interface]. This will show list of routers in range, information we need and some additional data.
Here it is, we've got all information to start the attack. My target is pentest_wep with BSSID:54:B8:0A:10:DF:0E on channel 1. Copy the essential information and open another terminal window (CTR + ALT + T). Now we're going to capture encrypted packets sent between the router and client device. We can do this with airodump-ng command.
Explanation: -w will save the packets to the file called pentest_wep, -c is a channel that the target is using, and --bssid is to specify which router we're going to attack. Last thing is to choose the USB adapter running monitor mode.
That's what we're going to be shown after running this command.
As you can see we've got a few more information - number of beacons, data sent, packets, and data per second. These numbers will start at 0 and grow as the traffic is passed between the router and client device. Then this traffic is saved into the file, specified in the command argument, which we're going to use later in order to crack the password. But to make it work you will need at least 20,000 IV's, sometimes even more. I recommend you to 'harvest' around 100,000 as it will undoubtedly work. At this point you can wait until you get desired number of IV's. But what if the target isn't using internet at the time? What if he/she's sleeping? Yup, there's solution to this ;)
Open up another terminal window (remember not to close the one running airodump-ng) and type in this command aireplay-ng -1 0 -a [BSSID] [interface]
After that run another command aireplay-ng -1 0 -a [BSSID] [interface]
Aireplay-ng works by sending ARP request packets so that data and beacons should start growing quickly. This works even if no one is connected to the internet.
Now after we've already captured huge amount of packets close all the processes that were running, then type ls to see if the .cap file was saved. Then we can type aircrack-ng [filename.cap]. This will start the process of cracking the password. Attack will be restarted between every 5000 IV's.
And we've got the key! Some versions of aircrack may show you also ASCII version of the key but both can be used to login into the wireless network. Notice that you can run aircrack at the same time as running airodump - that way it tries to crack the key every time you gather new 5000 IV's.
Notice how easy it was to gain access to the network protected with WEP? That's why you should never protect your network with this standard.
As always thanks for reading, keep tuned for the next part about more advanced algorithms like WPA or WPA2. I also really recommend trying it out by yourself as it's the best way to understand how it works and learning by practicing is the best way to gain knowledge.