Groo: Fully Automated WEP Cracking

by awgh on December 23, 2008 · 15 comments

in Fun, Security

Updates Below!

I don’t know about the rest of you, but I have an entire room of my house which is simply a huge pile of electronics scrap.  A hacked Tivo, some chipped XBoxes, an old VCR, a pile of PCI video cards, a full shoebox of 64MB Compact Flash cards…  You get the idea.

One day, I decided to put some of this junk to good use and I wandered into the scrap heap looking for inspiration.

Inspiration came in the form of an Atheros wireless card and an old ITX barebones system that had been picked up from a junk table at DefCon for $60 the year before.  The ITX box has a single PCI slot, perfect for a decent Atheros wireless card with an external SMC antenna connector.  It also runs on 12V DC power, so I can run it off the car battery.

Over the next few weeks, I built a small embedded Linux system for the sole purpose of cracking WEP keys.

First, I added a USB wireless network card to use as a control interface that I could access from my iPhone.

I also built a small web service that completely automates the process using the Python web framework TurboGears, aircrack-ng, and screen.

The web interface is incredibly simple – it uses only a single combo box.  This makes it ideal for using from the iPhone.

Now, instead of being the sketchy guy sitting in my car with a laptop, I’m just another Seattle-ite staring into my iPhone while the computer doing the WEP cracking is running off my car battery halfway down the block.

Everything in the web interface is fire-and-forget.  You can view a list of available networks, select one for cracking, and it will automatically:

  1. Reconfigure the wireless interface to the correct channel
  2. Begin dumping packets with airodump-ng in a screen session
  3. Begin an ARP replay attack with aireplay-ng in a screen session
  4. Automatically kick off the actual WEP cracking by starting aircrack-ng in a screen session
  5. Once the crack has succeeded, save the ESSID, BSSID, and cracked WEP key in a SQLite database

Since each of the aircrack-ng tools is running in a separate screen session, you can disconnect from the control interface as soon as the crack starts.  You can also reconnect at any time during the crack and view each screen session separately.
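From the defender's side, the ARP replay step above is also the part of the procedure that is easiest to spot on the air: aireplay-ng re-sends one captured ARP request thousands of times, so a monitor-mode sensor sees a single source MAC emitting a burst of identically sized frames that all carry the same WEP IV, where a real station changes the IV on every frame. The following is an added example, not part of the Groo scripts or of the original post; the frame-record format, the MAC addresses and the 68-byte ARP frame size are constructed assumptions for illustration.

```python
"""Spot an ARP-replay injection burst against a WEP network in a frame log.

Added example, not part of Groo. Each record is a constructed tuple
(t_sec, src_mac, bssid, frame_len, iv) summarising one WEP data frame as a
monitor-mode sensor might log it; the MACs and timings are made up.
"""
from collections import Counter, defaultdict

AP_BSSID = "00:11:22:33:44:55"   # constructed access point
CLIENT = "aa:bb:cc:dd:ee:01"     # constructed legitimate station
INJECTOR = "de:ad:be:ef:00:01"   # constructed replaying station
ARP_WEP_LEN = 68                 # assumed on-air size of a WEP-encrypted ARP request


def build_sample_frames():
    """Constructed capture: slow varied client traffic plus a replay burst."""
    frames = []
    # Legitimate station: about 5 frames/s, varying sizes, a fresh IV each time.
    for i in range(50):
        frames.append((i * 0.2, CLIENT, AP_BSSID, 100 + (i * 37) % 900, 0x100000 + i))
    # Replayed ARP request: the same captured frame (same length, same IV)
    # re-sent 400 times inside one second, which is what an ARP replay looks like.
    for i in range(400):
        frames.append((5.0 + i * 0.0025, INJECTOR, AP_BSSID, ARP_WEP_LEN, 0x0ABCDE))
    frames.sort(key=lambda f: f[0])
    return frames


def peak_frames_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    peak, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def detect_arp_replay(frames, window=1.0, rate_threshold=100, iv_repeat_threshold=10):
    """Return {src_mac: evidence} for stations whose traffic looks like an
    ARP-replay injector: a high frame rate combined with one IV repeated many
    times. A normal WEP station changes the IV on every frame, so a single IV
    recurring dozens of times from one source is replay, not ordinary load."""
    by_src = defaultdict(list)
    for t, src, _bssid, length, iv in frames:
        by_src[src].append((t, length, iv))
    findings = {}
    for src, recs in by_src.items():
        peak = peak_frames_in_window([t for t, _, _ in recs], window)
        top_iv, iv_repeats = Counter(iv for _, _, iv in recs).most_common(1)[0]
        top_len, len_count = Counter(length for _, length, _ in recs).most_common(1)[0]
        if peak >= rate_threshold and iv_repeats >= iv_repeat_threshold:
            findings[src] = {
                "peak_rate": peak,
                "repeated_iv": top_iv,
                "iv_repeats": iv_repeats,
                "dominant_len": top_len,
                "dominant_len_share": len_count / len(recs),
            }
    return findings


if __name__ == "__main__":
    for mac, ev in detect_arp_replay(build_sample_frames()).items():
        print(f"replay injector {mac}: {ev['peak_rate']} frames/s peak, "
              f"IV {ev['repeated_iv']:06x} repeated {ev['iv_repeats']} times")
```

The two thresholds are deliberately conservative: the rate alone would also fire on a busy file transfer, and a repeated IV alone can come from a buggy WEP implementation with a poor IV counter, but the combination from one source is characteristic of replay. The real mitigation is of course to retire WEP for WPA2 or WPA3, where a replayed frame is rejected by the replay counter rather than answered by the access point.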

When close enough to a target for the ARP replay attack to work, this script averages only 3 minutes to crack a WEP key.  This is on an ITX box with a wimpy Cyrix C3 processor with only 256MB of RAM!

My scripts and installation instructions are available here.

Update:

I have ported these scripts to the Eee PC (I use Ubuntu Netbook Remix on a 900A), available here.

However, I can’t get airodump-ng to actually capture any packets!  I believe this is a problem with my madwifi driver, but I haven’t sorted it out yet.  Hopefully, if I post the scripts one of you can help me out :)

Another Update (October 2010):

Hello Hackaday!  Since writing this initial version, I’ve learned a lot about Python job control.  Check out the Jabbercracky project, also on this site.  I’m planning a much-improved version of Groo, using what I’ve learned from Jabbercracky, which will also add some new tricks, including some available WPA cracks.  I’d also like to improve the installer and to provide builds for Ubiquiti Networks hardware.  If anyone is interested in helping out, please email me at awgh at awgh dot org.

Stay tuned…


Andreas Gohr December 29, 2008 at 5:34 am

Any chance to get a hand at the EeePC port you mentioned on your 25C3 talk?

Matt! January 2, 2009 at 9:30 am

Talk about thorough, saving to a SQL(lite) database instead of a plain text file… hardcore.

parker January 4, 2009 at 7:28 pm

WHERE TO BUY LOL

nicolas January 21, 2009 at 12:46 pm

I know, Andreas just asked, but I don’t like to go by unnoticed. Any chance – or progress on the eeepc-port?

wifibuster May 25, 2009 at 12:29 am

check out my script. It is also fully automated. Here’s the demo: http://www.youtube.com/watch?v=aYWe4_zcY-I

Wifiguy August 18, 2010 at 2:07 pm

I don’t know much about the madwifi drivers, but sometimes you have to set up a monitor interface and use it for the sniffing and the injection.

EM August 22, 2010 at 8:31 am

Good job.
How does it compare to wesside-ng?
Thanks

Scott August 26, 2010 at 3:57 pm

Very nice. Now if only this could be done on the iPhone.

Blurb October 7, 2010 at 3:16 pm

wifibuster: video has been deleted ?!

underdwg October 8, 2010 at 9:03 am

I had an Acer Aspire One. I think it is the same wireless chip or similar, and I had to do as specified on this website (https://help.ubuntu.com/community/EeePC/Fixes) and use the Ath5k driver.

Sintharas October 8, 2010 at 2:45 pm

Really nice piece of work you got there =)
I love your concept of the little box sitting in the car, doing everything completely automatic.^^

Trying to start the eee pc version asap :D

math October 8, 2010 at 3:17 pm

Isn’t the Madwifi driver superseded by the athk drivers which are integrated into the kernel? When testing my home network with an Aspire One, injection works whilst under Ubuntu, and I haven’t used madwifi since 7.04 I think. Secondly, if I remember correctly, when using madwifi you need to install a patch for some cards, which you can find on the aircrack website.

Michael Fever October 8, 2010 at 11:13 pm

Nice work. Now if it just booted the OS from a USB stick and did all that for me, that would be king.

zoobab October 13, 2010 at 2:32 pm
