WEP Key recovery with Commview and Aircrack
This is the WINDOWS PROCEDURE
With this procedure you can see how EASY it is to crack the WEP key of your wireless connection; this shows how important it is to use good encryption for your wireless!
You can test this procedure ONLY with your own wireless connection using a WEP key, because:
cracking somebody else’s WEP key is ILLEGAL.
- START
1. Capture the packets using CommView for WiFi:
This document is intended for study only and not for any illegal concerns on cracking somebody else’s WEP key.
This material is given to you to show how you can test the security of your own wireless connection protected using the weak WEP encryption.
To hack your own WEP key you mainly need 2 tools: one for gathering the packets in the air and one for their analysis.
This step by step guide explains a way to recover your WEP key using:
CommView for WiFi and AirCrack.
a. Install CommView for Wifi
b. Install the modified drivers for your card; those drivers enable the monitoring features of your wireless adapter. Do so following the instructions provided here:
c. Search for the WiFi networks
2. Enable the advanced rules:
I have been asked to give a very simple explanation on how it works… here it is…
If you start capturing all the packets you can see that there are a lot of them, but the only ones needed for the WEP decryption are ARP response packets.
To generate those ARP response packets we need to wait for a “legitimate” client to connect to the Access Point (AP)… when connecting, a client automatically sends an ARP request to the AP and the AP replies with the response we are looking for.
Those connections are not frequent, so we need (somehow) to disconnect a client, so that it re-connects to the AP and sends its ARP request.
WLAN traffic is encrypted, so we cannot inspect the packets to see which one is an ARP packet and which is not… so we can only guess.
We know that an ARP packet can be 68 or 70 bits long, is sent to all the MAC addresses in the LAN and has the “To Distribution System” (ToDS) bit set to 1.
So let’s set a rule that captures only those packets, as follows:
Go to the Rules tab and Enable Advanced Rules as in the following picture:
3. Start capture
4. Gather ARP request packets:
You can do it in 2 ways:
a. Wait for a client to send it
b. Force a client to send it
Forcing a client to send an ARP request means “disconnect and re-connect” and can be done by CommView for WiFi: go to Tools -> Node Reassociation
-Choose how many packets to send and an interval; the default should be OK (you can try few or many, as you wish).
-Choose the AP (YOUR Access Point, the one you would like to hack)
-Choose whether to disconnect one client or all the clients
-When you are OK, click Send Now
Normally, after doing this, the clients should reassociate with the AP, sending ARP request packets.
5. Send the ARP requests to the Access Point:
Thanks to the rule enabled before, in the Packets tab you should now see only the ARP requests. If you cannot see any of them, go back to step 4 and keep on disconnecting the client, or wait for the client to reassociate on its own.
Once you have one or more ARP request packets logged (ENCR.DATA) sent to Broadcast, do the following:
a. Select one or more of those packets
b. Right click on them, Send Packet(s) -> All
At this point, the Send Packet window should appear
6. Disable the rule:
Now you have to disable the rule, because from this point on we have to gather all the packets. We need IV (Initialization Vector) packets, which all differ from one another, so no rule can be created for them.
7. Send the packets:
Here you can even choose to send a lot of packets, and very fast… try, every network is different, but after having sent some packets you should see the counter of the packets captured increasing very fast.
8. Number of Packets:
There is no theory about how many packets you need to have gathered in order to recover a WEP key. It depends most of all on the WEP encryption, whether it is 64, 128 or 256 bit.
Usually for a 64 bit key, if you have about 1.000.000 packets, the cracking of the key lasts 1 second… but it depends. For sure, the more packets you get, the better your chances of cracking it faster.
9. Export the packets captured:
From CommView go to File -> Save Packet log As -> and choose the tcpdump .cap format
10. Download Aircrack for Windows:
You can download it from here: http://www.aircrack-ng.org/doku.php?id=downloads
Run the bin/GUI, choose first the .cap file exported from CommView, choose WEP encryption, choose a key size (start from 64); you should know the key you are using!
And then Launch
Good luck
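How steps 4 to 7 look from the side of whoever monitors the access point, as an added example that is not part of the original guide: the forced disconnect shows up as a burst of deauthentication frames, and the resend step as one station repeating the same encrypted broadcast frame with an unchanged IV. The frame records, field names, MAC addresses and thresholds below are constructed assumptions.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_SIZES = {68, 70}   # frame sizes the guide's ARP heuristic matches
WINDOW = 10.0          # seconds (assumed)
DEAUTH_BURST = 5       # deauth frames per BSSID per window (assumed threshold)
REPLAY_REPEATS = 20    # frames repeating one (station, IV) pair (assumed threshold)

def looks_like_arp_request(f):
    """Encrypted frame matching the guide's heuristic: ToDS set, broadcast, ARP-sized."""
    return (f["type"] == "data" and f["protected"] and f["to_ds"]
            and f["dst"] == BROADCAST and f["size"] in ARP_SIZES)

def detect(frames):
    """Return sorted (kind, bssid, station) alerts seen in any WINDOW-second span."""
    frames = sorted(frames, key=lambda f: f["ts"])
    alerts, start = set(), 0
    for end in range(len(frames)):
        while frames[end]["ts"] - frames[start]["ts"] > WINDOW:
            start += 1
        span = frames[start:end + 1]
        deauths = Counter(f["bssid"] for f in span if f["type"] == "deauth")
        alerts |= {("deauth-burst", b, "*") for b, n in deauths.items() if n >= DEAUTH_BURST}
        # A station normally uses a new IV for each frame; a resent capture repeats one.
        repeats = Counter((f["bssid"], f["src"], f["iv"])
                          for f in span if looks_like_arp_request(f))
        alerts |= {("arp-replay", b, s) for (b, s, _), n in repeats.items()
                   if n >= REPLAY_REPEATS}
    return sorted(alerts)

AP, STA, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"

def sample_capture():
    """Constructed records: normal ARP traffic, a deauth burst, then a resend flood."""
    def frame(ts, kind, src, dst, iv=None, size=0, to_ds=False, protected=False):
        return dict(ts=ts, type=kind, src=src, dst=dst, bssid=AP, iv=iv,
                    size=size, to_ds=to_ds, protected=protected)
    arp = dict(size=68, to_ds=True, protected=True)
    frames = [frame(float(i), "data", OTHER, BROADCAST, iv=i, **arp) for i in range(5)]
    frames += [frame(20 + i * 0.1, "deauth", AP, STA) for i in range(8)]
    frames += [frame(22 + i * 0.05, "data", STA, BROADCAST, iv=0x1234, **arp)
               for i in range(40)]
    return frames

if __name__ == "__main__":
    for alert in detect(sample_capture()):
        print(alert)
```

Either alert on a network still running WEP is a reason to move it to WPA2 or later, since the traffic pattern only pays off against WEP.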
67 Responses to WEP Key recovery with Commview and Aircrack
Wonderful! The MAC address is exactly what I needed. And yes, I have signed up in the forums. So will come back if anything is needed. Thanks buddy
that’s amazing! brilliant!
i hope you will benefit from my help
Hey, in Aircrack ng 1.0 for Windows I am only able to see the bottom part of the index, for ex. it starts at like 92456… I can't see index #1, 2, 3… I can only see the bottom. I would like to see the entire index, do you know how to fix this bug? I tried this on a different computer and the same thing happened. I should be able to see the full index.
Hello Jacob,
please ask on the forum… there is a good and fast support there…
I am sure you will be satisfied
Hi, when I go to Tools -> Node Reassociation, select an AP and click Send Now, a message appears saying that NO client has been selected. Is there any solution for that? I found a URL which I think is a solution (http://www.thetazzone.com/cracking-wep-with-windowsno-clients-easy/comment-page-1/#comment-15837), but I don't understand how to use another adapter to connect (step 9), can anyone help please??
Hi krein,
please write a new thread in the forum and attach a screenshot. You will receive the solution very fast.
Regards
thanks for sharing
can u tell me how to use commview 6.1
I have a packet file that is around 30mb. I tried using aircrack to open it, and it said: Opening packets, please wait for hours.
Am I doing something wrong?
Hi Jummy,
sorry for not answering, for some strange reason I didn’t receive the notification of your comment.
Do you still need help?
I have a question… See, I accidentally deleted my WEP and I’m not on the original computer (that one broke long ago) and I hope this recovers it, but which aircrack should I download to fix this? This is my work computer, and I don’t want to wait for our ‘geek’ to come back from vacation; surprisingly, he left this morning and will not be back till after spring break…
-sigh- so any advice on aircrack would be wonderful.
thx so much but i have a problem : when i want to connect via not capture adapter i cant find any network so???
after capturing packets when i launch aircrack it shows me
MS-DOS style path detected: C:\(my dir)\tcpdump.cap
preferred POSIX equivalent is:/cygdrive/c/(my dir)/tcpdump.cap
CYGWIN environment variable option “nodosfilewarning” turns off this warning.
consult the user’s guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
read 1 packets.
# BSSID ESSID Encryption
1 00:22:3F:32:05:AE nishantpk no data – WEP or WPA
Chosing first network as target.
opening C:\(my dir)\tcpdump.cap
Got no data packets from target network!
quiting aircrack-ng…
hello sir,
i am a (very) beginner of this issue.
first of all i have to say many many thanks for sharing your information with others.
For more than 3 weeks I was trying to use REW (a program made by Spanish guys) but could not succeed. Yesterday I found this page (by Google) and now I have learned some useful information.
I read your forum also (WEP Key wifi) and it was very useful.
I did not succeed in collecting the key till now, but I am sure it is because of my fault and I need to try more and read carefully too.
In the next few days, if I cannot solve my problem, I will inform you and ask for more help.
best regards
Buston
thanks.. its really work on my system…
Well, I’ve been doing this for a while, but maybe I’ve been lucky or something, but I can’t seem to get an ARP packet; even with Node Reassociation I can’t get one, no matter how many packets I send or how long I wait for someone to happen to log off and log in. I have the formula put in and I have set the MAC as my target.
Any ideas will be helpful
thanks
Hi, help please, I’ve managed to get 150000 IV files but the aircrack just can’t crack it. I’ve cracked another network with 70000 IVs, but why doesn’t it want to crack if it has that many IVs. Any ideas?