Problems in WEP cracking and how to fix them
- May 4th, 2009
- Posted in Uncategorized
- By Georgia
Our friend and cyber defense teammate started a blog and posted about WEP cracking: Hack Here. So I decided to answer some common questions that come up in WEP cracking.
Problem #1: I can’t use wireless on a virtual machine. I really want to be able to crack WEP from my Backtrack virtual machine.
Solution: Alfa USB dongle. It’s not the wireless that’s the problem; it’s the interface. Wireless will work fine if VMWare recognizes the card.
Start up your virtual machine and navigate to Removable Devices. This demo is done in VMWare Workstation (thank you JMU). Exact location may vary depending on what virtualization software you use.
Now your card should be recognized, and it should be business as usual from here on out.
I know this works on an AWUS036H. What other USB dongles work? Remember you need a card that can monitor and inject.
Problem #2: There’s no data when I inject.
Solution: Tutorials that I have read generally tell you to ping a nonexistent system on the network to generate an ARP request. Since we are only using this on ourselves, this shouldn’t be a problem. However, a scenario with no traffic at all on the target network arose in the cyber defense class I TA.
For this you need 2 wireless cards, the one you are injecting with and the one you are using to try to connect.
Once we have our WEP cracking set up and are just waiting for data to use for the cracking, we try to connect to the wireless network with our second card. Just give it any value for the WEP key. The failed authentication will generate the ARP traffic you need. Doing this repeatedly, we eventually collect the data we need.
Problem #3: MAC Filtering
When trying to fake authentication with an access point, we might see this:
So we need to find a MAC that the base station will accept before we continue.
Use this command:
airodump-ng -c 6 -w mac wlan1 (where 6 is the channel we want to listen on and wlan1 is the wireless card we want to use)
The output will look something like this:
In the station list at the bottom of the output, we need to find the MAC of the base station with the MAC address of an associated client listed right after it.
Later we can use macchanger to spoof our MAC.
macchanger -m xx:xx:xx:xx:xx:xx wlan1 (where xx:xx:xx:xx:xx:xx is the MAC we are spoofing).
Now we should be able to fake authentication.
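The same airodump-ng capture that shows which clients a MAC filter lets through is what a network owner can use to audit their own airspace: it reveals any access point still running WEP and, since associated client addresses travel in the clear, why a MAC allow-list is not a real access control. The script below is an added example and is not code from the original post; it parses the CSV file that airodump-ng writes alongside the capture (the two-section layout with an access-point table followed by a station table, as I recall it from the tool), flags WEP networks with their associated clients, and lists stations still probing for a given ESSID, which is useful when decommissioning a WEP network because those devices keep a profile for it. The capture text and all addresses are constructed for illustration.

```python
"""Audit an airodump-ng CSV file for access points still using WEP.

Added example, not from the original post. Assumes the CSV layout
airodump-ng writes to <prefix>-01.csv: an access-point table whose
header starts with "BSSID", a blank line, then a station table whose
header starts with "Station MAC". The sample below is constructed.
"""

# Constructed sample in the airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-05-04 10:00:00, 2009-05-04 10:05:00,  6,  54, WEP , WEP, OPN, -40,  100,  2345,   0.  0.  0.  0,   6, LabWEP, 
00:11:22:33:44:66, 2009-05-04 10:00:00, 2009-05-04 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   80,     0,   0.  0.  0.  0,   6, LabWPA, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2009-05-04 10:01:00, 2009-05-04 10:04:00, -50,  120, 00:11:22:33:44:55, LabWEP
AA:BB:CC:DD:EE:02, 2009-05-04 10:02:00, 2009-05-04 10:04:00, -60,   15, (not associated), LabWEP,Coffee
AA:BB:CC:DD:EE:03, 2009-05-04 10:02:00, 2009-05-04 10:04:00, -45,  300, 00:11:22:33:44:66, 
"""


def parse_airodump_csv(text):
    """Return (aps, stations) parsed from airodump-ng CSV text.

    Fields are positional; the ESSID may itself contain commas, so only the
    leading columns are trusted, and probed ESSIDs are taken as everything
    after the station's BSSID column.
    """
    aps, stations = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "BSSID":
            section = "ap"
            continue
        if fields[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(fields) >= 14:
            aps.append({
                "bssid": fields[0],
                "channel": int(fields[3]),
                "privacy": fields[5],
                "cipher": fields[6],
                "auth": fields[7],
                "essid": fields[13],
            })
        elif section == "station" and len(fields) >= 6:
            stations.append({
                "mac": fields[0],
                "power": int(fields[3]),
                "packets": int(fields[4]),
                "bssid": fields[5],
                "probed": [p for p in fields[6:] if p],
            })
    return aps, stations


def find_wep_networks(aps, stations):
    """List WEP access points together with the clients associated to each.

    The client list is the point for defenders: these addresses are visible
    to anyone capturing on the channel, so a MAC allow-list on the AP keeps
    nobody out who can see this table.
    """
    report = []
    for ap in aps:
        if "WEP" not in ap["privacy"].upper():
            continue
        clients = sorted(s["mac"] for s in stations if s["bssid"] == ap["bssid"])
        report.append({
            "bssid": ap["bssid"],
            "essid": ap["essid"],
            "channel": ap["channel"],
            "clients": clients,
        })
    return report


def stations_probing_for(stations, essid):
    """Return the sorted MACs of stations that probe for the given ESSID.

    After a WEP network is retired, devices that still probe for its name
    have a stored profile that should be removed from the client.
    """
    return sorted(s["mac"] for s in stations if essid in s["probed"])


if __name__ == "__main__":
    access_points, client_stations = parse_airodump_csv(SAMPLE_CSV)
    for entry in find_wep_networks(access_points, client_stations):
        print(f"WEP network {entry['essid']} ({entry['bssid']}) on channel "
              f"{entry['channel']}: clients {', '.join(entry['clients']) or 'none'}")
    print("Still probing for LabWEP:", stations_probing_for(client_stations, "LabWEP"))
```

Run it against a real file with `parse_airodump_csv(open("mac-01.csv").read())`, where `mac` is the prefix given to `-w` in the airodump-ng command above; the interesting output is the client list under each WEP entry, which is exactly what a MAC filter is supposed to hide and cannot.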
Have fun, and of course the usual disclaimer applies.
Georgia