Introduction to WEP cracking
Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets. It is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. With 40 bit keys the probability of success is even higher.
Basic example, using the Aircrack-ng suite
For more information about the aircrack-ng suite, take a look at this page: Aircrack
- Start your wireless card in monitor mode, airmon-ng can be used for this.
- Start capturing packets with airodump-ng. Note that distance plays an important role here.
- Start active attacks, like deauth and injection with aireplay-ng.
- Crack the key, as soon as you've got enough packets. Aircrack-ng will do the job. The longer the key, the more packets needed. The more packets you have, the faster the key can be found.
Note: you need to perform a fake authentication to be able to inject packets into the network, you can use aireplay-ng for this. If it doesn't work, then you could try changing your MAC address to a 'legitimate' one, use one of a computer that is on the network.
As you can see, the process is quite easy and can be done in very little time. A lot of people still have WEP protection on their wireless network, so most networks can be cracked this way. If you're dealing with a WPA protected network, take a look at this page WPA Cracking.