If you want to read this in Italian, please click here.
This is the WINDOWS procedure.
This procedure shows how EASY it is to crack the WEP key of your own wireless network; the point is to show how important it is to use strong encryption on your wireless network.
You may test this procedure ONLY on your own wireless network protected with a WEP key, because cracking somebody else's WEP key is ILLEGAL.
- START
1. Capture the packets using CommView for WiFi:
This document is intended for study only, not for any illegal purpose such as cracking somebody else's WEP key.
This material is given to you to show how you can test the security of your own wireless network when it is protected with the weak WEP encryption.
To recover your own WEP key you mainly need two tools: one to gather the packets from the air and one to analyse them.
This step-by-step guide explains one way to recover your WEP key using CommView for WiFi and Aircrack.
a. Install CommView for Wifi
b. Install the modified drivers for your card; these drivers enable the monitoring (monitor mode) features of your wireless adapter. Follow the instructions provided here:
c. Search for the WiFi networks
2. Enable the advanced rules:
I have been asked for a very simple explanation of how it works; here it is.
If you start capturing all the packets you will see a lot of them, but what the WEP attack actually needs is a large number of encrypted data packets, each with a different IV. The easiest way to make the AP produce them is to replay an ARP request: every time the AP relays it (and the client answers it) the packets are encrypted again with new IVs.
To obtain such an ARP request we have to wait for a "legitimate" client to connect to the Access Point (AP): on connecting, a client normally sends an ARP request through the AP, and the AP relays and answers it.
Such connections are not frequent, so we have to (somehow) disconnect a client so that it reconnects to the AP and sends its ARP request.
WLAN traffic is encrypted, so we cannot look inside the packets to tell which one is an ARP; we can only recognise it from the unencrypted header fields.
We know that an encrypted ARP packet is 68 or 70 bytes long, is sent to the broadcast MAC address (FF:FF:FF:FF:FF:FF, that is, to all the stations in the LAN) and, because it goes from the client to the AP, has the "To Distribution System" (ToDS) bit set to 1.
So let's set a rule that captures only those packets, as follows:
go to the Rules tab and enable Advanced Rules as in the following picture:
3. Start capture
4. Gather ARP request packets:
You can do it in 2 ways:
a. Wait for a client to send it
b. Force a client to send it
Forcing a client to send an ARP request means disconnecting it so that it reconnects; CommView for WiFi can do this: go to Tools -> Node Reassociation
- Choose how many packets to send and the interval; the defaults should be fine (you can try fewer or more, as you wish).
- Choose the AP (YOUR access point, the one whose key you want to recover).
- Choose whether to disconnect one client or all the clients.
- When you are ready, click Send Now.
Normally the clients then reassociate with the AP and send an ARP request packet.
5. Send the ARP requests to the Access Point:
Thanks to the rule enabled before, in the Packets tab you should now see only the ARP requests. If you cannot see any, go back to step 4 and keep disconnecting the client, or wait for the client to reassociate on its own.
Once you have one or more ARP request packets logged (ENCR.DATA) sent to Broadcast, do the following:
a. Select one or more of those packets
b. Right-click on them, Send Packet(s) -> All
At this point the Send Packets window should appear.
6. Disable the rule:
Now you have to disable the rule, because from now on we have to gather all the packets. We need as many encrypted data packets as possible, each carrying a different IV (Initialization Vector); since every encrypted data packet is useful, there is no rule to write for them.
7. Send the packets:
Here you can choose to send many packets, and very fast. Try it: every network is different, but after sending some packets you should see the captured-packet counter increasing very quickly.
8. Number of Packets:
There is no exact rule about how many packets you need to gather in order to recover a WEP key. It depends mostly on the key size: 64, 128 or 256 bit.
Usually, for a 64-bit key, with about 1,000,000 packets the cracking takes about one second, but it depends. What is certain is that the more packets (that is, the more distinct IVs) you have, the better and the faster your chances of cracking it.
9. Export the packets captured:
From CommView go to File -> Save Packet Log As and choose the tcpdump .cap format.
10. Download Aircrack for Windows:
You can download it from here: http://www.aircrack-ng.org/doku.php?id=downloads
Run the GUI in the bin folder, choose the .cap file exported from CommView, choose WEP encryption and choose a key size (start from 64; you should know the size of the key you are using!).
Then click Launch.
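The two header checks the procedure above relies on (the advanced rule of step 2, and the count of distinct IVs per access point of steps 6 to 8) can be reproduced offline on a tcpdump capture. The following is an added example written for this page, not code from the tutorial, from CommView or from Aircrack; it parses raw 802.11 data frames with the Python standard library only. The MAC addresses, IVs and frames are constructed for the example (the "ciphertext" is zero padding), and the 68/70-byte sizes are simply the ones the tutorial lists. It also splits the IV count by BSSID, which is what Aircrack's "WEP (N IVs)" list per network is showing when several networks share a channel.

```python
"""ARP-replay candidate selection and unique-IV counting on raw 802.11 frames."""
from collections import defaultdict
from typing import Optional

BROADCAST = b"\xff" * 6
# Sizes the tutorial's rule matches for an encrypted ARP frame:
# 24 (802.11 header) + 4 (IV + key index) + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV) = 68 bytes.
ARP_FRAME_SIZES = (68, 70)

# Constructed addresses for the example (not real devices).
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
OTHER_AP = bytes.fromhex("0a0b0c0d0e0f")


def parse_data_frame(frame: bytes) -> Optional[dict]:
    """Header fields of an 802.11 data frame, or None for management/control frames."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:            # frame type 2 = data
        return None
    hdr_len = 26 if (fc0 >> 4) & 0x8 else 24   # QoS data subtypes carry 2 extra header bytes
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)         # the "WEP"/Protected Frame bit
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address is the BSSID and which the destination depends on the DS bits:
    #   ToDS=1, FromDS=0 : addr1 = BSSID, addr2 = source, addr3 = destination
    #   ToDS=0, FromDS=1 : addr1 = destination, addr2 = BSSID, addr3 = source
    #   ToDS=0, FromDS=0 : addr1 = destination, addr2 = source, addr3 = BSSID
    if to_ds and not from_ds:
        bssid, dst = addr1, addr3
    elif from_ds and not to_ds:
        bssid, dst = addr2, addr1
    elif not to_ds and not from_ds:
        bssid, dst = addr3, addr1
    else:
        return None                      # 4-address WDS frames are out of scope here
    body = frame[hdr_len:]
    iv = body[:3] if protected and len(body) >= 4 else None
    return {"to_ds": to_ds, "from_ds": from_ds, "protected": protected,
            "bssid": bssid, "dst": dst, "iv": iv, "length": len(frame)}


def is_arp_replay_candidate(frame: bytes) -> bool:
    """The tutorial's rule: encrypted, client->AP (ToDS=1), broadcast destination, 68/70 bytes."""
    h = parse_data_frame(frame)
    return bool(h and h["protected"] and h["to_ds"] and not h["from_ds"]
                and h["dst"] == BROADCAST and h["length"] in ARP_FRAME_SIZES)


def arp_replay_candidates(frames) -> list:
    """Indexes of the frames worth selecting in 'Send Packet(s)'."""
    return [i for i, f in enumerate(frames) if is_arp_replay_candidate(f)]


def count_unique_ivs(frames) -> dict:
    """Distinct IVs per BSSID; replayed copies with the same IV add nothing."""
    seen = defaultdict(set)
    for f in frames:
        h = parse_data_frame(f)
        if h and h["protected"] and h["iv"] is not None:
            seen[h["bssid"]].add(h["iv"])
    return {bssid: len(ivs) for bssid, ivs in seen.items()}


def frames_for_bssid(frames, bssid: bytes) -> list:
    """Keep only the data frames of one network on a shared channel."""
    return [f for f in frames if (parse_data_frame(f) or {}).get("bssid") == bssid]


def build_frame(to_ds, from_ds, addr1, addr2, addr3, iv, payload_len) -> bytes:
    """Constructed protected data frame: FC, duration, 3 addresses, seq, IV, key index, padding."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | 0x40
    header = bytes([0x08, flags]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return header + iv + b"\x00" + bytes(payload_len)


# Constructed sample capture: the only real-looking ARP request is frame 0 (68 bytes,
# client -> AP, broadcast); frame 3 is its replayed copy with the same IV.
SAMPLE_FRAMES = [
    build_frame(True, False, AP, CLIENT, BROADCAST, b"\x01\x02\x03", 40),
    build_frame(False, True, CLIENT, AP, AP, b"\x0a\x0b\x0c", 72),       # 100-byte AP -> client
    build_frame(True, False, AP, CLIENT, AP, b"\x0d\x0e\x0f", 40),       # 68 bytes but unicast
    build_frame(True, False, AP, CLIENT, BROADCAST, b"\x01\x02\x03", 40),
    build_frame(False, True, CLIENT, OTHER_AP, OTHER_AP, b"\x11\x11\x11", 40),  # another network
    bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + AP + AP + b"\x00\x00" + bytes(12),  # beacon
]

if __name__ == "__main__":
    print("replay candidates:", arp_replay_candidates(SAMPLE_FRAMES))
    for bssid, n in count_unique_ivs(SAMPLE_FRAMES).items():
        print(bssid.hex(":"), "WEP (%d IVs)" % n)
```

Note that for a ToDS frame the broadcast address sits in addr3, not addr1 (addr1 is the BSSID); a rule that looks at the first address field will never match the ARP request, which is one reason filters on "destination MAC" often appear not to work.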
Good luck
If you liked this guide and it was useful to you, please consider a donation; even one dollar helps me a lot.
If you have questions about this procedure, you can write in the forum community.
10:07 pm on February 18th, 2009
What do you do after you find the key? Because you can't just enter the key you got and put it in as their password.
11:49 pm on February 18th, 2009
Yes, I confirm that the key you find is the password.
1:41 am on February 20th, 2009
I was working with CommView. I have more than one network on the same channel. How do I choose to collect packets from only one network and not the other 7 networks on the same channel?
10:55 am on February 20th, 2009
You have to click on the "Play" button at the top left of the screen; there you will see all the networks. You can select your network and start the capture. From this moment only your channel will be collected.
7:10 am on February 21st, 2009
Excellent guide. After reading this document and a few others, I was able to crack WEP-encrypted networks.
Although, I do have a question.
You see, I kind of cheated by generating traffic on the wireless network I was trying to crack: I hooked up a wireless laptop and transferred large data files while I was using my desktop's wireless NIC card to pick up the packets to decrypt. I was able to collect 500,000 packets in just a couple of minutes this way.
I was having trouble collecting as many packets with the ARP packet sending. It seems like sending ARP packets only generated about 10 packets per second. While it did work, it was going to take 8-10 hours of packet collecting before being able to crack the WEP password.
So my question is, how long is it supposed to take to collect packets using ARP injection? Am I doing something wrong or is that normal?
Thanks,
Drue.
8:53 am on February 21st, 2009
Thanks for the prompt response. I already know how to capture a CHANNEL. My question was whether there is any way to capture only one NETWORK on that CHANNEL, because the network I want to crack is on channel 6 along with 7 other networks, and I don't want to collect packets from those 7 networks.
10:55 am on February 21st, 2009
Javed, I believe you can filter out packets based on MAC Address
8:58 pm on February 21st, 2009
Drue:
ARP injection should increase the packet generation and you should receive "good packets" much faster. You can filter your network just for data exchange; if they are exchanging a lot of data you can get many good packets for the decryption.
Javed: yes, as Drue said, you can filter packets in the advanced rules.
10:42 pm on February 21st, 2009
Guys, I have a question for you: where did you find my blog?
If you have questions about other topics you can write in my forum http://www.security-exchange.net
I have posted the WEP procedure at:
http://www.security-exchange.net/forums/showthread.php?t=24
Regards…
6:24 am on February 22nd, 2009
I found your blog just by googling "Commview Packets". It wasn't the first result, but most of the other stuff was totally useless and irrelevant. It's great that you reply in such a short time. Thanks for the help and nice tutorial.
9:36 am on February 22nd, 2009
If you want, you can share this tutorial and your IT experience in the forum.
11:39 am on February 22nd, 2009
I googled "Cracking WEP AND Commview" or something similar. As Javed said, this wasn't one of the first listings, but it was the best one I found. For some reason most of the tutorials offer either too much information or too little. I found this guide to be the most helpful. In fact, I might pop in my wireless NIC card again and test out some more packet collecting. I had to attempt to crack WEP for my wireless networking class and was successful.
I've never worked in IT, but it's something I want to make a career out of. I'm getting a degree in computer forensics, and after that I may attend a cyber security program. Although my forensics degree is two years away, I find it more interesting the deeper the courses go.
12:09 pm on February 22nd, 2009
I started sniffing my LAN with a little hub; I wanted to see my own passwords on the LAN. Interpreting the packets without experience, I saw that it's not so difficult and I thought I knew a lot.
I was still a child. Now that I have more experience, I am CCNA and N+ certified and I am going to be CCNP soon, and I understand that I know nothing if I think of how much there still is to learn in front of me.
Guys, I love IT, in particular networking, and I can suggest something if you like it too: study, study and study. You will be satisfied when you learn new things, and you will learn the next things much faster.
If you have any technical questions, or about Cisco, I think I can help you.
3:32 pm on February 22nd, 2009
I’m taking a CCNA class and hope to have my cert shortly after.
I’m glad I found this site. Thanks for offering help, I may have a few questions down the road.
3:57 pm on February 22nd, 2009
Drue, great!!
One very important thing: there are many sources of information, but I suggest the Cisco Press books for your CCENT/CCNA. Everything is there and you can be sure that it is all correct. Other sources of information are also good, like the Exam Cram books, but read those later; first the newest Cisco Press books.
After this you will even notice errors in the other books.
7:31 pm on February 22nd, 2009
Awesome. I am using a Ciscopress book
1:09 pm on February 24th, 2009
Hello Sergio,
I'm Italian, are you too? If you are, it's better to talk in Italian so I can understand the steps.
Anyway, I have a problem with the 4th step:
- what do you mean when you say "Wait for a client to send it"? How can I wait?
1:22 pm on February 24th, 2009
Hi Carbonkio, you can write on the forum http://www.security-exchange.net/forums/forumdisplay.php?f=35; right in that section you can create a new thread and call it, in Italian, "Hack WEP key – WEP recovery – using CommView and Aircrack – Italian".
I will be happy to answer you.
Bye
5:27 am on February 25th, 2009
I was showing CommView to a friend of mine. He has a Linksys network adapter and CommView was not working on his PC. Any idea how to make the Linksys work with CommView for WiFi?
10:37 am on February 25th, 2009
Javed, please read the list of supported adapters here:
http://www.tamos.com/products/commwifi/adapterlist.php
11:07 pm on February 27th, 2009
Thanks for the feedback. After going through this list, I think CommView doesn't support wireless USB adapters. It supports only PCI WLAN cards. Looks like my friend would have to buy a new wireless adapter.
12:25 am on March 8th, 2009
Hi
Is there any other program I could use to recover a WEP key from the packets CommView provides? I can't seem to get airdump to work :/
Thank you in advance
11:29 am on March 8th, 2009
Hi Tom, please use Aircrack, not Airdump.
There are two main versions of Aircrack, one with white text on a black background and one the opposite; you can try them both.
Best Regards
10:06 am on March 16th, 2009
I see tips on getting the WEP key everywhere but...
after finding the WEP key, for example 12:12:01:15:19:11:12,
how do you use it to connect to the WLAN?
12:00 pm on March 16th, 2009
MannyLee, I remind you that you can do it only on YOUR WiFi!!
The key you gave as an example doesn't seem to be valid.
Examples of WEP keys can be:
64 bit: 677129297a
128 bit: 7a2a615327786c20254a414346
152 bit: 48535a272a6236662245652756646757
256 bit: 48535a272a6236662245652756646757
So, to summarize: 5/13/16/29 characters are needed for 64/128/152/256-bit WEP.
5:37 pm on March 26th, 2009
I have the same issue as Javed. My channel contains about 40 networks and I’m capturing packets from all of them.
I’ve set the rules to filter out packets based on MAC Address but it doesn’t work, they keep capturing. What am I doing wrong?
Please help.
6:00 pm on March 26th, 2009
SM...
the only way I can help you with this is for you to write on the forum a very detailed explanation: what kind of network it is, whether the network is yours or not (if the network is not yours we cannot help); it would be better if you attach some small screenshots in jpg format.
So: a very detailed explanation and screenshots, including screenshots of the filters you are applying.
2:10 am on April 3rd, 2009
Hi there, could anybody help me? I have a TP-Link 510 card in my laptop but under CommView it does not pick up any IP/UDP or ARP REQ packets in the protocol column. Do you know why this is? Thanks
10:01 am on April 3rd, 2009
Hi James, please describe it in detail on the forum; you can even attach a screenshot.
8:54 pm on April 10th, 2009
I am working on step 4; however, after I select an AP and click Send Now, a message says that NO client has been selected. Why is that the case?
9:04 pm on April 10th, 2009
Kenny, in the little box at the bottom of that little window the client/clients connected to the AP should appear. If it is empty it means that no client has established a connection with the AP.
5:15 am on April 11th, 2009
Thanks for your reply. Does it mean that I cannot send the ARP requests to the access point if no client has established a connection with the AP?
9:28 am on April 11th, 2009
Kenny, right. Somebody should be associated with it in order to capture the ARP that you will need to send later on.
6:06 pm on April 14th, 2009
I'm having the same problem as SM and Javed. I've set the rules to filter out packets based on MAC address but it doesn't work. I even tried advanced code. It doesn't show them coming in as packets, but they still come in. How do you filter out other networks on the same channel, in general?
7:02 pm on April 14th, 2009
Hello dubble, please write on the forum explaining it in more detail, from the very beginning. Please attach some screenshots as well.
12:04 pm on May 6th, 2009
Hello, thanks for the great post. I'm studying networks in college and I tried to do it, but I have one problem: every packet that I get in CommView is 28k or 29k (with the filter turned off, because if I turn it on I don't receive any packets). Even when I try several times, using another laptop to connect to the network with a wrong password, I don't get any ARP packet of 68k or 70k. What seems to be the problem?
Thanks
12:27 am on May 13th, 2009
Sergio,
I’m having the same problem as Kenny. Do I just have to leave it sitting for awhile till a client comes up?
10:38 am on May 13th, 2009
Hello Kyle and Hugo,
this page is becoming very long; please ask your questions on the forum:
http://www.security-exchange.net/forums/forumdisplay.php?f=35
It is also a better way to explain and understand the issues you are facing, because there you can attach screenshots, which are important for troubleshooting.
Thank you for understanding, and looking forward to your posts :)
Ciao
4:03 pm on June 1st, 2009
Thank you very much,
I was looking for such an explanation for a long time!!!
I've found other tutorials but they didn't explain why you should do this or that, so I didn't want to try.
Now I can begin to try cra**ing myself.
Thanks!!! (sorry for my English)
4:35 pm on June 1st, 2009
Hi Janfran,
I am happy that you like it. If you need something else, just let me know. You can also write in the forum
Ciao
5:35 am on June 16th, 2009
I have a problem. I am using a DWA-642 which is supported by CommView, and I exported 5 logs with 20000 packets each. When I run aircrack I get 1690 results, but only a few with IVs, and those that have IVs have only 1 IV. Any ideas? I have spent so much time on this already :(
9:53 am on June 16th, 2009
Hello nikita,
I hope you are trying to hack your own WiFi and not somebody else's!
I can help you if you confirm that you are testing your own WiFi, OK?
As I have written here: http://www.security-exchange.net/news/wireless-transmissions-are-insecure-why/ you have much better chances of finding the WEP key quickly on a high-traffic wireless network.
For example: take your wireless access point or router and connect a laptop to it with WEP encryption (for testing I suggest a 64 or 128-bit key). Use this laptop to surf the internet, or much better, use it to download some big torrent or to run eMule, so that a lot of data is exchanged.
In this way in aircrack you would see many IVs.
To summarize: if there is little traffic, very few IVs are exchanged between the AP and the laptop. If you get few IVs you have almost no chance of recovering the WEP key.
Please go and read what I wrote at that link; there is a short explanation of why WEP is weak.
Please confirm that the WiFi is yours and that you are not doing anything illegal.
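Why the number of distinct IVs is what counts, and why the procedure picks ARP frames in particular, is easy to show with the cipher itself. The following is an added example written for this page, not code from the tutorial, from the commenters or from Aircrack: it implements RC4 and the WEP frame body layout from the published algorithm (RC4 keyed with IV || key, CRC-32 ICV) so that the effect of a reused IV and of the known LLC/SNAP header can be seen. The 40-bit key, the IVs and the ARP payloads are constructed for the example; the statistical key recovery that Aircrack runs on top of these (IV, keystream-prefix) pairs is not implemented.

```python
"""WEP frame encryption with RC4(IV || key): what the captured IVs give an attacker."""
import struct
import zlib

# Every ARP frame starts with this LLC/SNAP header (EtherType 0x0806); it is the known
# plaintext that leaks the first keystream bytes of each captured frame without the key.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
KEY = bytes.fromhex("677129297a")          # constructed 40-bit ("64-bit") WEP key
CLIENT_MAC = bytes.fromhex("66778899aabb")  # constructed


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling followed by `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body on air: IV(3) | key index(1) | RC4_{IV||key}(plaintext | ICV).
    The IV is sent in clear, so the per-frame RC4 key differs only in its 3 known bytes."""
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, body: bytes):
    """Return (plaintext, icv_ok) for a frame body produced by wep_encrypt."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, tag = data[:-4], data[-4:]
    return pt, icv(pt) == tag


def leaked_keystream(body: bytes, known_prefix: bytes = SNAP_ARP):
    """Without the key: the IV and the first len(known_prefix) keystream bytes of the frame.
    One such pair per distinct IV is the raw material of the WEP key-recovery attacks."""
    return body[:3], xor(body[4:], known_prefix)


def same_iv_leak(body_a: bytes, body_b: bytes) -> bytes:
    """Two frames under the same IV share the keystream, so c1 XOR c2 == p1 XOR p2."""
    assert body_a[:3] == body_b[:3], "demonstration needs a reused IV"
    return xor(body_a[4:], body_b[4:])


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed LLC/SNAP + 28-byte Ethernet/IPv4 ARP request (opcode 1)."""
    return SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                  sender_mac, sender_ip, b"\x00" * 6, target_ip)


def demo() -> dict:
    """Encrypt two ARP requests, one IV reused, and collect what an attacker learns."""
    p1 = arp_request(CLIENT_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    p2 = arp_request(CLIENT_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    c1 = wep_encrypt(KEY, b"\x01\x02\x03", p1)
    c2 = wep_encrypt(KEY, b"\x01\x02\x03", p2)   # same IV as c1: keystream reuse
    c3 = wep_encrypt(KEY, b"\x04\x05\x06", p2)   # fresh IV: a new (IV, keystream) sample
    iv, ks = leaked_keystream(c1)
    samples = {leaked_keystream(c)[0]: leaked_keystream(c)[1] for c in (c1, c2, c3)}
    return {
        "roundtrip_ok": wep_decrypt(KEY, c1) == (p1, True),
        "keystream_recovered": ks == rc4_keystream(iv + KEY, len(SNAP_ARP)),
        "same_iv_leaks_xor": same_iv_leak(c1, c2)[:len(p1)] == xor(p1, p2),
        "distinct_iv_samples": len(samples),      # 2: the reused IV adds nothing
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Each frame with a new IV hands the attacker three bytes of the RC4 key (the IV) together with the first keystream bytes; a replayed ARP request with the same IV contributes no new sample, which is why the AP's re-encrypted relay of it, not the replay itself, is what fills the capture.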
6:28 pm on June 17th, 2009
Hi,
I was working with CommView. I collected some packets from only one WEP AP and loaded them into Aircrack; my question is: if all the traffic is from the same AP, why do I have so many networks (i.e. one for each entry)? How can I put them all together?
Thanks
2713 1C:80:E9:6E:C5:AE WPA (0 handshake)
2714 06:1F:B3:90:2E:49 WEP (1 IVs)
2715 7E:2F:0C:AB:8F:7C WEP (1 IVs)
2716 B8:61:B3:90:34:AF WEP (1 IVs)
2717 30:B7:A1:3A:B6:A2 WEP (1 IVs)
2718 D9:76:90:8B:DD:4A WEP (1 IVs)
2719 47:9D:87:62:95:A5 WPA (0 handshake)
2720 00:8B:BE:63:27:44 WPA (0 handshake)
2721 CC:5E:4E:24:50:B9 WEP (1 IVs)
2722 3F:F9:C4:49:34:90 WEP (1 IVs)
2723 46:35:D5:1D:42:0A WEP (1 IVs)
2724 91:C0:DB:EE:2E:49 WPA (0 handshake)
2725 41:DA:B7:D1:A5:B0 WPA (0 handshake)
2726 7E:08:EA:AF:DB:CA WEP (1 IVs)
2727 00:DF:08:EE:59:B4 WEP (1 IVs)
2728 C5:32:17:E4:30:D9 WPA (0 handshake)
2729 87:C9:7B:76:17:DB WPA (0 handshake)
2730 00:1F:B3:30:B6:E9 WEP (1 IVs)
2731 BF:F4:C4:1D:AA:B0 WPA (0 handshake)
2732 54:65:64:96:2E:49 WEP (1 IVs)
2733 45:05:EA:3A:B6:5A WEP (1 IVs)
2734 AE:87:93:D1:EB:E5 WEP (1 IVs)
2735 3F:AD:F2:7F:D4:74 WPA (0 handshake)
2736 AE:C6:FB:40:95:B7 WEP (1 IVs)
Index number of target network ?
9:38 pm on June 17th, 2009
Hi Gus,
In the beginning, when you are "choosing the AP", you are actually choosing the channel. What happens is that you choose the AP from the list and start collecting data, but you are collecting the traffic from all the access points on that channel.
I suggest you subscribe to our RSS feeds; soon I will add more information about WiFi collection and also other screenshots. All the questions I have been asked will be included in the explanation.
If you have any questions about anything IT-security related, please write in the forum; we will be happy to give you good support.
I hope you like this site; we have a long path behind us.
Cheers
1:15 am on June 18th, 2009
Sergio.
Sorry to insist, but I am positively sure there is only one AP...
Any suggestions?
Thanks
1:30 am on June 18th, 2009
OK, if you say so, I would like to see some screenshots, because I can see that some of them are WEP and some WPA, so it looks as if there is more than one AP on that channel, or more than one PC.
Let's do this: please make some screenshots showing what you see in CommView, where I can see the list of APs, and circle your AP in red (in the list of channels, before you start collecting data). Then make another screenshot of the "Packets" tab. You can even send me the data you collected in tcpdump format; this should be sent only to my email address, for privacy, and I can check it in Aircrack.
You can post all of those informative screenshots on the forum. This is the link: http://www.security-exchange.net/forums/forumdisplay.php?f=35
Please don't forget to write in the question whether this access point is yours or not, and that you are just learning and testing, because if you just want to hack somebody I cannot help you.
1:39 am on July 1st, 2009
Hey Sergio, in aircrack how come I do not see the SSID? I'd like to know which network I'm finding the key for, because one time I chose 1 as the index and it found me a random key which wasn't mine. How do I figure out which one is my network from the index? Because it really doesn't tell you. It seems like all the networks from channel 5 are there.
9:36 am on July 1st, 2009
Hello Jacob,
A simple way to find the right AP is to find out the MAC address of your access point, so that you recognise it.
Another way that can help you: for example, go to the "Nodes" tab: http://www.heise.de/software/screenshots/6992.gif
As you can see from that screenshot, the SSID is listed there.
I hope I have answered your question. If you have more questions I invite you to our forum http://www.security-exchange.net where you can ask anything about computers and security.
8:01 pm on July 1st, 2009
Wonderful! The MAC address is exactly what I needed. And yes, I have signed up in the forums, so I will come back if anything is needed. Thanks buddy
8:40 pm on July 1st, 2009
That's amazing! Brilliant!
I hope you will benefit from my help.
4:57 pm on July 4th, 2009
Hey, in Aircrack-ng 1.0 for Windows I am only able to see the bottom part of the index; for example it starts at something like 92456. I can't see index #1, 2, 3; I can only see the bottom. I would like to see the entire index. Do you know how to fix this bug? I tried this on a different computer and the same thing happened. I should be able to see the full index.
9:29 pm on July 4th, 2009
Hello Jacob,
Please ask on the forum; there is good and fast support there.
I am sure you will be satisfied.
8:01 am on December 7th, 2009
Hi, when I go to Tools -> Node Reassociation, select an AP and click Send Now, a message says that NO client has been selected. Is there any solution for that? I found a URL which I think is a solution (http://www.thetazzone.com/cracking-wep-with-windowsno-clients-easy/comment-page-1/#comment-15837), but I don't understand how to use another adapter to connect (step 9). Can anyone help, please?
10:53 am on December 7th, 2009
Hi krein,
please write a new thread in the forum and attach a screenshot. You will receive the solution very fast.
Regards
4:17 pm on January 3rd, 2010
Thanks for sharing.
Can you tell me how to use CommView 6.1?
4:15 pm on February 11th, 2010
I have a packet file that is around 30 MB. I tried using aircrack to open it, and it said "Opening packets, please wait" for hours.
Am I doing something wrong?
1:29 am on March 3rd, 2010
Hi Jummy,
sorry for not answering, for some strange reason I didn’t receive the notification of your comment.
Do you still need help?
4:10 am on March 12th, 2010
I have a question. See, I accidentally deleted my WEP key and I'm not on the original computer (that one broke long ago), and I hope this recovers it, but which aircrack should I download to fix this? This is my work computer, and I don't want to wait for our "geek" to come back from vacation; surprisingly he left this morning and will not be back till after spring break...
-sigh- So any advice on aircrack would be wonderful.