Cracking WEP Encryption


Recently I was tasked with cracking the WEP encryption of a sample capture generated using Wireshark. With a sample capture already provided this didn’t take long, and I thought I’d write a quick tutorial on how I did it.

NOTE:

A warning is usually appended to any article concerning the capture of packets on a network and this one is no different. Never connect to a network (such as public Wi-Fi) and capture packets from users who are unaware their data is being captured. Not only is this unethical, but it is likely a criminal offence.

Tools You Will Need

If you already have a sample capture (in a Wireshark-readable format) the only things you’ll need to install are Wireshark and Aircrack-ng. Again, I’m on macOS and have Homebrew installed, so I installed Wireshark from the terminal using the command

$ brew install wireshark

and for Aircrack-ng I ran the command

$ brew install aircrack-ng

Cracking the Capture

Initially my capture was in Wireshark’s newer .pcapng format whereas Aircrack-ng will only accept the older .pcap format. If this is the case for you, import your capture into Wireshark and save a copy as the older format to be used with Aircrack-ng.

Typing aircrack-ng in the terminal with no arguments will show you that it expects a command structure of $ aircrack-ng [options] <.cap / .ivs file>, so I entered the command:

$ aircrack-ng -a 1 /myfilepath/mycapture.pcap

The key part of that command is the “-a 1” section. -a tells Aircrack-ng to force a particular attack mode, and the “1” tells it what type of encryption the network used (1 being WEP, 2 being WPA-PSK).

With the command entered, Aircrack-ng made light work of the data and provided me with the WEP encryption key within 10 seconds. With your encryption key in hand, move over to Wireshark and open your captured data.

Wireshark can use your cracked key to decrypt the data and allow you to view and manipulate the captured traffic. Go to Wireshark > Preferences and expand the “Protocols” section. Navigate to IEEE 802.11, tick “Enable decryption”, then click “Edit” and add your WEP key to the list. Once this is done you’ll be able to see all of the data in the clear. As part of my task I was also asked to see if any sensitive data was being broadcast, which I did by clicking on a TCP entry, right-clicking and choosing Follow > TCP Stream.
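To show what Wireshark is doing once it has the key, here is an added Python example (not from the original post) that decrypts a WEP frame body the same way: RC4 keyed with IV || WEP key, then a CRC-32 ICV check. It also counts repeated 24-bit IVs across a set of frames, which is the weakness that lets Aircrack-ng recover the key so quickly. The key, IV and frame contents are constructed sample values, not taken from any real capture.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_decrypt(wep_key: bytes, body: bytes):
    """Decrypt a WEP frame body laid out as IV(3) | KeyID/pad(1) | ciphertext | ICV(4).
    Returns (plaintext, key_id, icv_ok). The per-packet RC4 key is IV || WEP key,
    so a 24-bit IV yields at most ~16.7M distinct keystreams per WEP key."""
    iv, key_id = body[:3], body[3] >> 6          # key index lives in the top 2 bits
    plain_with_icv = rc4(iv + wep_key, body[4:])
    plaintext, icv = plain_with_icv[:-4], plain_with_icv[-4:]
    icv_ok = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) == icv
    return plaintext, key_id, icv_ok

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a WEP frame body; used here only to construct sample frames."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, plaintext + icv)

def count_iv_reuse(bodies) -> int:
    """Count frames whose IV was already seen: every repeat reuses an RC4 keystream."""
    seen, reused = set(), 0
    for body in bodies:
        iv = body[:3]
        if iv in seen:
            reused += 1
        seen.add(iv)
    return reused

# Constructed sample: a 40-bit (WEP-64) key and two frames that share an IV.
SAMPLE_KEY = bytes.fromhex("1234567890")
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # typical start of a data frame body
FRAMES = [wep_encrypt(SAMPLE_KEY, b"\x01\x02\x03", LLC_SNAP_IP + b"hello"),
          wep_encrypt(SAMPLE_KEY, b"\x01\x02\x03", LLC_SNAP_IP + b"world")]
```

With the right key the ICV verifies and the LLC/SNAP header and payload appear in the clear; with a wrong key the ICV check fails, which is how Wireshark knows the key you entered does not match.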

Conclusions

While it has been common knowledge for a number of years that WEP no longer provides good enough security for a wireless network, the fact that I managed to obtain the encryption key from a sample capture within ten seconds serves to underline that point.

WPA2 is widely accepted as the bare minimum for securing a Wi-Fi network but, as should be the case, even stronger security types are currently in development for Wi-Fi, hopefully ensuring that wireless networking remains an option for organisations.