By the time I started this project the driver lacked several key features:
WEP support, WEP sniffing and capability to send raw packets. With the help of
the open source driver developers I managed to add the required features. All
the work was done with version
acx100-0.2.0pre8_plus_fixes_43 to which you have to apply my ACX111 patch for the required features. Just
download both files, go to that directory and follow these instructions:
Linux prompt>tar -xjf acx100-0.2.0pre8_plus_fixes_43.tar.bz2
Linux prompt>patch -p0 < wepacx111_and_others.patch
Linux prompt>cd acx100-0.2.0pre8_plus_fixes_43
Linux prompt>make config.mk
See if is there any warning about something you lack, if so fix it and then:
The process might end with errors at the USB module compilation stage, if so
don't care, ignore the error but check that the PCI module was created as
src/acx_pci.ko or src/acx_pci.o.
If you want to install this driver as the default ACX driver then (as root):
Linux prompt>make install
In case of compilation errors in the USB module you will have to do a manual
installation simply by doing something like (as root):
cp src/acx_pci.ko /lib/modules/`uname -r`/kernel/drivers/net/wireless/
You may prefer not to install this driver as default because it is not the
latest one. Actually the required features may have already been implemented in
the latest driver release, but I have not tested it. So you may try to download
the latest distribution, do not patch it, compile and install it. Then test the
active WEP crack as explained below to see if it works. If not then download
the release linked above, patch it, compile but do not install it. Instead copy
the module acx_pci.ko or acx_pci.o (depending on your kernel version) from
acx100-0.2.0pre8_plus_fixes_43/src into the working directory where you will
run the tools given below. This way active WEP cracking will use the old
patched but successfully tested driver, while normal linux operation will use
the brand new driver you installed.
(Update: Latest legacy driver I tested, version 20060521, for ACX111
does implement all the required features, but it fails when trying to change
the MAC of the adapter. This is not a strictly needed feature, but sometimes it
is convenient, so here it is a patch to fix the
MAC change problem for that version.)
RT2500 driver procedure
By the time I started working with this chipset the driver lacked several
required features: sniffing of all packets in monitor mode (certain types were
missed) and capability to send raw packets. Thanks to an open source and well
documented driver I managed to add the required features. All the work was done
rt2500-1.1.0-b3 to which you have to apply my RT2500 patch for the required features. Just
download both files, go to that directory and follow these instructions:
Linux prompt>tar -xzf rt2500-1.1.0-b3.tar.gz
Linux prompt>patch -cp0 < rawrt2500_and_others.patch
Linux prompt>cd rt2500-1.1.0-b3/Module
If you want to install this driver as the default RT2500 driver then (as root):
Linux prompt>make install
You might prefer not to install this driver as default if it is not the
latest one. Actually the required features might have already been implemented
in a later driver release. So you may try to download the latest distribution,
do not patch it, compile and install it. Then test the active WEP crack as
explained below to see if it works. If not then download the release linked
above, patch it, compile but do not install it. Instead copy the module
rt2500.ko or rt2500.o (depending on your kernel version) from
rt2500-1.1.0-b3/Module into the working directory where you will run the tools
given below. This way active WEP cracking will use the old patched but
successfully tested driver, while normal linux operation will use the brand new
driver you installed.
(Update: Latest legacy drivers for RT2500, RT2570 and RT73 (and
possibly for the other Ralink chipsets) do implement all the required
Your next step is to install Aircrack ( => Aircrack-ng, but its command line options may
not be backwards compatible, so you may need to change some things in the
script) in the execution path if you want AirMonitor to automatically find the
WEP key. Finally you just have to start the attack. Simply download the
(Update: In order to speed up the attack in certain cases, you will
also need these files: WLAN Brute Active,
WLAN Brute Passive,
airmon script, set execution bit after download for the three scripts, brute force packet, and patch for last available version of Aircrack, 2.41.)
Compile the two C files (see source for instructions) and edit the csh script
to configure it with your particular data (see source for instructions).
(Update: Configuration of the script is now also possible through
command line arguments, execute with '-h' to see options). Basically you have
to configure the ESSID, MAC and channel of the access point you want to crack.
If you run AirMonitor without configuring the ESSID it will show the list of
visible access points. Optionally you can configure the output data path (if
not enough free disk space in the current directory), the MAC you want to set
to your interface (this allows disguising your identity and bypass any MAC
filter in the access point) and the capture mode (weak or full). The first mode
will capture only weak IV packets, it is recommended if you are short of disk
space, but will not work with modern access points which skip weak IVs (or most
of them). In that case you will have to configure the full mode (you'll need
several hundreds megabytes of free disk space). Finally you can configure some
technical data if auto detection does not work, like the module name (acx,
acx_pci, rt2500, rt2570 or rt73), the wireless interface name and the firmware
directory in case of an ACX111 chipset.
(Update: Now there are two new options to speed up the attack. One
is to enable a specific attack for routers with ESSID of the form WLAN_XX,
where XX is a two digit hexadecimal number. Those routers usually have a
predictable default WEP key which can be decrypted with just one data packet
captured. This option is enabled by default and if the chosen ESSID is not of
that type then the option is automatically disabled. If the AP under attack is
of that type but it does not use the default predictable key, then the option
is automatically disabled and the attack continues like for any other kind of
router. The second new option is provided to attack an AP without traffic. As
far as I know this is the only tool that is able to do that. This attack
consists in sending special packets to try to force the AP to answer with a
valid WEP data packet, that once it is captured it will allow to carry on the
normal attack. It only works with adapters with Ralink chipsets. Depending on
the kind of router of the AP, the attack may succeed within a few seconds, or
can take hours or days, or may not work at all. In any case you won't loose
anything trying because as soon as there is normal traffic in the network the
attack would continue as usual. However this option is disabled by default
because it is very aggressive, nevertheless note that when a packet is captured
and the active attack begins, it would get aggressive anyway, that is what
"active WEP cracking" is about :-)
AirSend is the program responsible for the active part of the attack, it
replays packets from the pcap file you give it as a parameter. There can be
more than one packet in the file. You can control how many times the file is
replayed (with the -c option, 0 means replay forever) and at what speed (with
the -d option, which sets the number of microseconds to wait between
consecutive packets, a negative value means as fast as it can; note that values
below the millisecond are not useful because the kernel will schedule away the
process and will not resume it until typically several milliseconds later, due
to it is not a real time application). Some other options are provided to forge
the 802.11 header (FC, A1, A2 and A3 fields) and so, for example, any packet
can be replayed as broadcast going from a client to the access point even if it
actually was a unicast packet going from the access point to a client; WEP
payload would be perfectly valid, though.
WeakCap is provided in case you are short of disk (it was my case), so
total disk space required for a successful WEP crack is only a few megabytes.
However it will take more time to collect enough packets to find the WEP key.
Note that it is not useful if the access point skips weak IVs, something common
in newer hardware.
AirMonitor will take care of initializing and configuring the wireless
adapter, bringing all pieces together to perform the active attack, and most
important, it will monitor the free disk space and that the card is operating
well. It happens from time to time that my ACX111 card stops collecting packets
when performing the attack, I don't know if it is a problem of the driver, the
adapter, other element or simply the attack is too heavy. It is fixed by
reloading the driver, so the script checks for this condition and if found,
reinitializes the card to keep carrying the attack on. AirMonitor will also
start Aircrack when there is enough data collected and will restart it each
time a substantial amount of new data is captured. When the key is found it is
displayed on screen (and saved in a file) and the attack is stopped.
When you have everything set up the attack is simply started by executing
the script AirMonitor as root. It will take care of running the rest of
programs required. In the output directory will appear a temporal pcap file
which stores captured packets. Each time the card hangs, the content of this
file is appended to another pcap file named as the ESSID of the access point
The attack is performed at the highest speed to collect as much packets as
possible. Therefore the access point and even clients may experience a deadly
slow down of performance, so it is advisable to run the attack when no one is
using the network, at least interactively. I've reached speeds of more that one
thousand packets per second, but poor wireless coverage will proportionally
decrease that speed; a good antenna, specially if it is very directional, may
enhance the rate a lot.
AirMonitor will run until the WEP key is found by the automatically
launched Aircrack process. Operating at a speed of 1000 packets/s you can
collect 3.6 million packets per hour, so the WEP key can be found in less than
5 minutes of attack (actual time depends on the packet rate, the key itself,
the key length and statistical fluctuations). This is true if the access point
does use weak IVs, if not it may take a few hours of continuous attack (though
it can be split along different periods) to gather enough packets so that
Aircrack can find the WEP key.
AirMonitor can be interrupted at any time using ctrl-c, but it may leave
some running processes and temporary files. The best moment to stop it is when
it is waiting to associate with the AP (the output on screen announces this
condition and informs about being the best moment to interrupt the script).
However when you restart AirMonitor everything is set up properly and no data
is lost. So the best trick to stop AirMonitor at the desired time is to hit
ctrl-c, restart it and interrupt it again when it is waiting for association.
This way all files are closed properly and no processes are left running,
except Aircrack, you have to stop it manually, otherwise it will run until the
key is found or it fails to find it.
Active WEP cracking for dummies
If you say "fine, but I do not dare installing linux and doing everything
else", this section is for you. Here are instructions and precompiled binaries
so you don't need nearly any linux knowledge. First download the Knoppix 3.9 CD image (better look for your nearest mirror) and burn it
on a 80 min CD, then download this
package and unpack it in a floppy diskette, USB memory or directory of a
hard disk partition. Use a text editor to configure the variables at the
beginning of the file airmonitor.csh as explained above, or use command line
arguments. If you are using an ACX111 card don't forget that the firmware file
has to be accessible to Knoppix. If you did not install the card driver in the
windows partition then copy it to the working directory. Firmware file can be
found in the manufacturer driver media or, if you installed the driver in your
windows partition, usually in c:/windows/system32/drivers and is commonly named
TIACX111.BIN, FwRad*.bin or FW*.bin (see section "Firmware for ACX111 cards" of
the ACX driver
documentation for more details). You can download it also here, but
rename it to TIACX111.BIN.
Now place the Knoppix CD into the CD reader and boot the computer from it,
in case of a problem see the Knoppix help to fix it. Once linux is booted press
Ctrl-Alt-F1 to get a root shell and mount the media where you placed the tools.
This is achieved with a command like "mount /mnt/fd0", "mount /mnt/sda", or
"mount /mnt/hda1" for a floppy, USB memory or hard disk partition respectively.
The actual device may depend on your particular setup, execute "ls /mnt" to see
the list of devices accessible by Knoppix. Then go to the directory with a
command like "cd /mnt/fd0", "cd /mnt/sda", "cd /mnt/hda1" or similar depending
on your configuration. Finally type "./airmonitor.csh" to start the attack and
collect packets, be sure to have enough free space in the data directory. And
that's all, AirMonitor will tell you when the WEP key is cracked by Aircrack.
Active WEP cracking for extreme dummies (or for lazybones ;-)
Ok, I actually did all the work for you, so simply download my prepared 700 MB Knoppix CD image,
which includes everything that is required and all ready to run. Then you just
have to boot from this CD (pay attention to select the proper keyboard layout
at boot, it defaults to Spanish layout). This image boots into text mode by
default, but you can boot into graphics mode if you like (it takes more time to
boot and uses more resources). Once you have a root shell prompt type the
command ". /cdrom/CheapHighTech/bin/setup". Then execute "airmonitor.csh"
without parameters to see whether your wifi card is detected and to show APs
around. Note the required parameters of the AP you want to attack (ESSID, MAC
and channel) and execute the script with those parameters, like this:
"airmonitor.csh <ESSID> <MAC> <channel>", this is usually enough.
There are other command line arguments available, run "airmonitor.csh -h" to
see them all. Look inside the script for a short explanation of each parameter.
Note that in this mode all data is written into memory, this is usually ok for
recent systems, but old systems may run out of memory. If the computer hangs or
resets then all data recorded are lost. You can overcome these caveats by
using a hard disk, USB pen drive, etc. and select it with the corresponding
command line argument.
Here are the steps for a quick start if you have a USB, PCI or CardBus
wireless adapter based on the ACX111, RT2560, RT2570 or RT73 chipsets and a
standard linux distribution, details can be found in the text above:
- Download, compile and install the Aircrack ( => Aircrack-ng) package.
- Download the latest or the tested driver package for
ACX111 or for
RT2500 (or RT2570 or RT73) depending on your wireless card.
- Download the Active WEP Crack package.
- Unpack both files.
- Patch the driver, if required.
- Compile and install or copy the driver module to the working directory.
- Compile the Active WEP Crack tools.
- Configure the Active WEP Crack script (don't forget firmware if
- Start the Active WEP Crack.
Simplified variant using Knoppix:
Even more simplified variant using my prepared Knoppix:
- Download my prepared 700 MB
Knoppix 3.9 CD image and burn it (not necessary if booting a virtual
machine, only useful for USB Ralink adapters).
- Boot from this CD (select keyboard layout and text/graphical interface at
boot, with kernel arguments).
- Run ". /cdrom/CheapHighTech/bin/setup".
- Run "airmonitor.csh".
- Choose AP to attack and use its data to run "airmonitor.csh <ESSID>
- Sit and wait for the result :-)
Just for completeness it is interesting to mention another way of cracking
a WEP network. It is based on a brute force attack to try to find the right key
simply by checking many combinations. The best way to accomplish that is by
capturing a couple of WEP packets (really only two packets are needed, the
smaller size, the better; you can use the same method as described above for
capturing a broadcast packet) and launch an offline key trying process.
A brute force search method would, in principle, try all possible key
combinations to find the right WEP key. However doing it so is not very
practical because it may take too much time. For the weakest WEP key (40 bits)
it would take several months in a fast PC (can be faster using several
computers in parallel) but for a stronger key (104 bits and above) there is not
enough computing power in the world to have a likely chance to find the key in
a reasonable time.
A very quick approach, only practical for 40 bit WEP keys, is to restrict
the search to keys composed only of 7 bit ASCII printable characters (in case
the key was set in ASCII mode by the network administrator) or decimal digits
(in case the administrator set manually the key in hexadecimal mode). Both are
common cases in poorly configured networks regarding security. Restricting the
key search in that way, a modern PC can try all combinations in less than 24
hours for each of both cases. I wrote a couple of very simple programs to try
this attack using the decrypt tool included in the AirSnort package. To try
them simply download FindWEPkey HEX and ASCII versions, configure the system function call
accordingly to your case and compile (see source for details). You would need
the AirSnort tool decrypt compiled and installed in your execution PATH.
In case of stronger WEP keys (104 bit and above) or WPA
algorithm the only viable method is the dictionary attack, in which a list
of words, numbers and combinations of them is used sequentially to see if any
match is produced with a poorly chosen passphrase or key. See Aircrack ( =>Aircrack-ng), coWPAtty and
WPA Cracker (dead
As we have seen, it is very easy and quick to break into a WEP
protected network, no matter how long is the WEP key, how low is the network
traffic or whether weak IVs are not used. So administrators willing to protect
their networks should move to a stronger algorithm like WPA, but always taking
care of choosing robust passphrases.
E-mail: padilla at
domain "gae ucm es" (my PGP/GPG public key)
First version: 8-Apr-2005, last update: 7-Dec-2009
This link: http://www.gae.ucm.es/~padilla/extrawork/activewepcrack.html
Go to the parent page: Cheap Hi-Tech.