Groo: Fully Automated WEP Cracking

Updates Below!

I don’t know about the rest of you, but I have an entire room of my house which is simply a huge pile of electronics scrap.  A hacked Tivo, some chipped XBoxes, an old VCR, a pile of PCI video cards, a full shoebox of 64MB Compact Flash cards…  You get the idea.

One day, I decided to put some of this junk to good use and I wandered into the scrap heap looking for inspiration.

Inspiration came in the form of an Atheros wireless card and an old ITX barebones system that had been picked up from a junk table at DefCon for $60 the year before.  The ITX box has a single PCI slot, perfect for a decent Atheros wireless card with an external SMC antenna connector.  It also runs on 12V DC power, so I can run it off the car battery.

Over the next few weeks, I built a small embedded Linux system for the sole purpose of cracking WEP keys.

First, I added a USB wireless network card to use as a control interface that I could access from my iPhone.

I also built a small web service that completely automates the process using the Python web framework TurboGears, aircrack-ng, and screen.

The web interface is incredibly simple – it uses only a single combo box.  This makes it ideal for using from the iPhone.

Now, instead of being the sketchy guy sitting in my car with a laptop, I’m just another Seattle-ite staring into my iPhone while the computer doing the WEP cracking is running off my car battery halfway down the block.

Everything in the web interface is fire-and-forget.  You can view a list of available networks, select one for cracking, and it will automatically:

  1. Reconfigure the wireless interface to the correct channel
  2. Begin dumping packets with airodump-ng in a screen session
  3. Begin an ARP replay attack with aireplay-ng in a screen session
  4. Automatically kick off the actual WEP cracking by starting aircrack-ng in a screen session
  5. Once the crack has succeeded, save the ESSID, BSSID, and cracked WEP key in a SQLite database

Since each of the aircrack-ng tools are running in a separate screen session, you can disconnect from the control interface as soon as the crack starts.  You can also reconnect at any time during the crack and view each screen session separately.

When close enough to a target for the ARP replay attack to work, this script averages only 3 minutes to crack a WEP key.  This is on an ITX box with a wimpy Cyrix C3 processor with only 256MB of RAM!

My scripts and installation instructions available here.


I have ported these scripts to the EEE pc (I use Ubuntu Netbook Remix on a 900A), available here.

However, I can’t get airodump-ng to actually capture any packets!  I believe this is a problem with my madwifi driver, but I haven’t sorted it out yet.  Hopefully, if I post the scripts one of you can help me out 🙂

Another Update (October 2010):

Hello Hackaday!  Since writing this initial version, I’ve since learned a lot about Python job control.  Check out the Jabbercracky project, also on this site.  I’m planning on a much-improved version of Groo, using what I’ve learned from Jabbercracky, which will also add some new tricks, including some available WPA cracks.  I’d also like to improve the installer, and to also provide builds for Ubiquiti networks hardware.  If anyone is interested in helping out, please email me at awgh at awgh dot org.

Stay tuned…

15 comments… add one
  • Any chance to get a hand at the EeePC port you mentioned on your 25C3 talk?

  • Talk about thorough, saving to a SQL(lite) database instead of a plain text file… hardcore.

  • parker


  • nicolas

    I know, Andreas just asked but i dont like to go by, unnoticed. Any chance – or progress on the eeepc-port?

  • check out my script. It is also fully automated. Here’s the demo:

  • Wifiguy

    I don’t know much about the madwifi drivers, but sometimes you have set up a monitor interface and use it for the sniffing and the injection.

  • EM

    Good job.
    How does it compare to wesside-ng?

  • Very nice. Now if only this could be done on the iPhone.

  • Blurb

    wifibuster: video has been deleted ?!

  • underdwg

    I had an Acer Aspire One I think it is the same wireless chip or similar and had to do as specified on this website ( and use the Ath5k Driver

  • Sintharas

    Really nice piece of work you got there =)
    I love your concept of the little box sitting in the car, doing everything completely automatic.^^

    Trying to start the eee pc version asap 😀

  • math

    Isnt the Madwifi driver superseded by the athk drivers which are integrated into the kernel, when testing my home network with an aspire one injection works wilst under ubuntu and havent used madwifi since 7.04 i think. secondly if I remember correctly when using madwifi you need to install a patch for some cards. which you can find on the air-crack website

  • Nice work, now it if it just booted the os from usb stick and did all that for me that would be king.

  • zoobab

Leave a Comment