WEP Cracking, the FBI Way

WEP cracking usually takes hours. Lots of hours, depending on the amount of traffic on the access point. A few months ago, two FBI agents demonstrated how they were able to crack a WEP enabled access point within a couple of minutes. 3 minutes to be exact. This is unbelievable when compared to, say 3 days of work. Here is how they did it, and how you can do it. You may need to know your way with each and every of these tools to get this done. You can ask Google for that. Anyway, if you are familiar with them, just do as follows :

  1. Run Kismet to find your target network. Get the SSID and the channel.
  2. Run Airodump and start capturing data.
  3. With Aireplay, start replaying a packet on the target network. (You can find a ‘good packet’ by looking at the BSSID MAC on Kismet and comparing it to the captured packet’s BSSID MAC).
  4. Watch as Airodump goes crazy with new IVs. Thanks to Aireplay.
  5. Stop Airodump when you have about 1,000 IVs.
  6. Run Aircrack on the captured file.
  7. You should see the WEP key infront of you now.

The software runs on Linux, they are all available on the Knoppix Linux Live CD. And finally, I think you should always use a combination of 2 or more security features. As for what you need, get Aircrack (Includes Airodump, Aireplay, Aircrack and optional Airdecap for decrypting WEP/WPA capture files) and get Kismet.

Update: Kismet for Windows (Kiswin32) is available now.

Posted June 4th, 2005 in category hardware, internet, linux, software.