Hacking WEP made easy with KisMac

Sure, cracking WEP (Wired Equivalent Protection) on regular wifi networks might be old news, but not when it’s now something almost anyone can try (at their own risk of course). This video by Oliver Greiter of EthicalHack.org shows how you could easily reveal a hidden SSID and hack WEP encryption in about 10mins on a Mac with just KisMac (realistically, time required varies with encryption level).

What you need:
1. KisMac (Mac OS X version of Kismet)
2. A prism2 chipset wireless adapter (Unfortunately, Airport Extreme doesn’t work for cracking yet)

If you’re wondering how you can get this particular wireless adapter, the video shows Oliver using a prism2 usb adaptor, which is widely used and pretty cheap, e.g. D-Link DWL-122. Just beware that these manufacturers tend to change their chipsets without warning so check around first.

How do you protect yourself then?
Since WEP has been known to be a relatively weak form of protection, it still forms a good deterrent. If someone’s wardriving around your neighborhood, he’s likely to pick on an easier target like an open network, than to pick a WEP encrypted one. Still if you have to use WEP (being compatible with most devices), at least use it in conjunction with MAC address filtering.

Interestingly I used to turn off WEP and only use MAC filtering since I though WEP was useless… to my horror I discovered that MAC filtering alone was easy to circumvent since it’s much easier to clone a MAC address than to crack WEP. I discovered this when I found an intruder on my wifi network using one of my machine’s addresses. For the best form of protection though, try WPA or better still, authenticate your network users using a VPN server. You can learn more about wireless security on Wikipedia.

See ethicalhack.org for a higher quality Quicktime version for the video.

13 thoughts on “Hacking WEP made easy with KisMac

  1. Kismac R75 works with airport extreme card. It dynamically loads the patch drivers to enable passive(this allow us to sniff packets in stealth mode :P) mode on the card. Once you quit the software the patch drivers is removed, thus not messing with any of your device settings.

    Cracking wep in fast timing requires place where there are lots of nodes connected to the network. This is usually good for example in the CBD as you have a lot of people connecting on/off from the network. You will require couple of thousands of those “key” packets (not normal data packets) to achieve your goals.

    The time taken might range from 10mins (in a busy CBD) or even days if you are trying to tap onto your neighbors bandwidth as they are not generating enough of those “key” packets.

    Kismac is able to work with certain chipset makers to enable additional functions to trick the AP into releasing a lot of this “key” packets to speed up your entire process. However I do not know whether you are still in stealth mode if you attempt this method.

    Note: Have fun in the name of education, but you will get into serious trouble if you are caught messing with people network. Conduct the above experiment for the purpose of learning in a controlled kind of enviroment(ie: lab) 😀

  2. My friend tried it with his Orinoco wireless card and true enough, it definitely takes longer than 10mins in real life… depends on network traffic.

  3. This looks great, if you were able to find a prism2 wireless adapter…..I’ve tried searching all over google and froogle with no luck whatsoever, seems like this wireless adapter is rare find from what I can tell.

  4. The video was created in a “lab environment” which had simulated network traffic. It was only a 64bit WEP key which also decreases cracking time. On the job, (I work as a security consultant) the quickest I have cracked WEP is 1 hour and the longest was 5 days.

    The card I use is a Netgear MA111 (USB Card) which you can pick up on eBay quite cheaply.

  5. Sacrelicious, have you gotten maps working in R75? I have my map all setup but KisMAC is giving all networks the same coords. However, even then it isn’t marking them on the map.

  6. Hezekiah – If I remember correctly what i read from some forum discussion, you need to set up GPS to get live-mapping. Maybe you could try R65 to see whether it works as R75 is not officially release.

  7. I managed to crack my 104bit WEP key in 1hr 40m with a pingflood (generated 350,000+ Initialisation Vectors) and it worked a charm. Ping flood is unrealistic amounts of data tho probably… had about 6 on the go… 😛

    Got a DWL G122 USB but it uses Ralink… not sure if thats the same as prism2…

  8. Using a DWL 222 which is b not g and is running so slow-feel like im never gonna crack it! also does anyone know if someone can BLOCK you as i cant access a network even though No WEP key is showing?

    any advice or links would be appreciated!

  9. I have an Intel MacBook Pro with KisMac and a Netgear MA111 (USB Card). But I can’t get it to pick up and Unique IV’s. Any Ideas?

Comments are closed.