Groo: Fully Automated WEP Cracking
Updates Below!
I don’t know about the rest of you, but I have an entire room of my house which is simply a huge pile of electronics scrap. A hacked Tivo, some chipped XBoxes, an old VCR, a pile of PCI video cards, a full shoebox of 64MB Compact Flash cards… You get the idea.
One day, I decided to put some of this junk to good use and I wandered into the scrap heap looking for inspiration.
Inspiration came in the form of an Atheros wireless card and an old ITX barebones system that had been picked up from a junk table at DefCon for $60 the year before. The ITX box has a single PCI slot, perfect for a decent Atheros wireless card with an external SMC antenna connector. It also runs on 12V DC power, so I can run it off the car battery.
Over the next few weeks, I built a small embedded Linux system for the sole purpose of cracking WEP keys.
First, I added a USB wireless network card to use as a control interface that I could access from my iPhone.
I also built a small web service that completely automates the process using the Python web framework TurboGears, aircrack-ng, and screen.
The web interface is incredibly simple – it uses only a single combo box. This makes it ideal for using from the iPhone.
Now, instead of being the sketchy guy sitting in my car with a laptop, I’m just another Seattle-ite staring into my iPhone while the computer doing the WEP cracking is running off my car battery halfway down the block.
Everything in the web interface is fire-and-forget. You can view a list of available networks, select one for cracking, and it will automatically:
- Reconfigure the wireless interface to the correct channel
- Begin dumping packets with airodump-ng in a screen session
- Begin an ARP replay attack with aireplay-ng in a screen session
- Automatically kick off the actual WEP cracking by starting aircrack-ng in a screen session
- Once the crack has succeeded, save the ESSID, BSSID, and cracked WEP key in a SQLite database
Since each of the aircrack-ng tools are running in a separate screen session, you can disconnect from the control interface as soon as the crack starts. You can also reconnect at any time during the crack and view each screen session separately.
When close enough to a target for the ARP replay attack to work, this script averages only 3 minutes to crack a WEP key. This is on an ITX box with a wimpy Cyrix C3 processor with only 256MB of RAM!
My scripts and installation instructions available here.
Update:
I have ported these scripts to the EEE pc (I use Ubuntu Netbook Remix on a 900A), available here.
However, I can’t get airodump-ng to actually capture any packets! I believe this is a problem with my madwifi driver, but I haven’t sorted it out yet. Hopefully, if I post the scripts one of you can help me out 
Stay tuned…
This post has 5 comments
December 29th, 2008
Any chance to get a hand at the EeePC port you mentioned on your 25C3 talk?
January 2nd, 2009
Talk about thorough, saving to a SQL(lite) database instead of a plain text file… hardcore.
January 4th, 2009
WERE TO BUY LOL
January 21st, 2009
I know, Andreas just asked but i dont like to go by, unnoticed. Any chance – or progress on the eeepc-port?
May 25th, 2009
check out my script. It is also fully automated. Here’s the demo: http://www.youtube.com/watch?v=aYWe4_zcY-I