Tuesday 13 April 2010

Get passphrase from WEP key

A while ago I found a problem on the Internet that was very similar to mine, but I couldn't find the solution. The case is that when you have a wireless router, the WEP key is generated from a passphrase.
Usually that passphrase is anything that comes to your mind: you use it, generate the WEP key and forget it, since all you need now is the WEP key itself.

All is good until you decide to expand your network. You want to connect another wireless router and use the same settings... and there's the catch. You don't remember the passphrase used to generate your WEP key.

I have searched the Internet for a program to reverse the process, something like a WEP-to-passphrase converter. But people were saying that it's impossible and that the process is one-way only.

So I did some research on my own, and it turns out that a bit of reverse engineering plus a brute-force method could find the passphrase in less than a few minutes.
I wrote a program that implements the method.
You can download it here.
In order to run it you'll need to run "chmod +x 64reverse".

The program can reverse a 64-bit WEP key back to its passphrase, but not necessarily the same one: since a few different passphrases can result in the same WEP key, it is very possible that you'll get some rubbish like " &s7S@ ", but it'll still work. 128-bit keys are not supported.

The program was compiled under Ubuntu Linux so it will not run under Windows. If you want the source code and compile it yourself, you can download it here.
If you don't know how to do that, just say a word in the comments and I'll do that and post it here.

This program was based on Linksys algorithm. An example generator can be found here.
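
Why different passphrases give the same 64-bit key, as an added example that is not part of the original post or the 64reverse source. It assumes the widely documented 40-bit passphrase generator (XOR-fold into a 4-byte seed, then a linear congruential generator) is the Linksys algorithm referred to above; the function names and sample passphrases are constructed.

```python
# Added illustration, not the 64reverse source. Assumption: the Linksys
# algorithm is the widely documented 40-bit ("64-bit") passphrase generator.

MASK32 = 0xFFFFFFFF

def fold_seed(passphrase: bytes) -> int:
    """XOR-fold the passphrase into a 4-byte seed: byte i lands in slot i % 4."""
    slots = [0, 0, 0, 0]
    for i, ch in enumerate(passphrase):
        slots[i % 4] ^= ch
    return slots[0] | slots[1] << 8 | slots[2] << 16 | slots[3] << 24

def wep40_keys(passphrase: bytes) -> list:
    """Return the four 5-byte keys the generator derives from a passphrase."""
    seed = fold_seed(passphrase)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            # Linear congruential step; each key byte is bits 16..23 of the state.
            seed = (seed * 0x343FD + 0x269EC3) & MASK32
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys

def same_keys(a: bytes, b: bytes) -> bool:
    """True when two passphrases derive identical key sets."""
    return wep40_keys(a) == wep40_keys(b)

def fmt(key: bytes) -> str:
    return ":".join(f"{b:02X}" for b in key)

if __name__ == "__main__":
    # Constructed sample passphrases.
    pairs = [
        (b"abcd", b"abcdxxxxxxxx"),  # repeated 4-byte blocks cancel under XOR
        (b"abcdefgh", b"efghabcd"),  # block order does not matter
        (b"abcd", b"abcZ"),          # seed bits 24..31 never reach bits 16..23
        (b"abcd", b"bbcd"),          # a low seed byte differs: different keys
    ]
    for a, b in pairs:
        print(a, fmt(wep40_keys(a)[0]), b, fmt(wep40_keys(b)[0]), same_keys(a, b))
```

Whatever its length, the passphrase is reduced to a 32-bit seed before any key byte is produced, which is why a recovered passphrase can look nothing like the original and still yield the same key.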

9 comments:

  1. Well they're on a free hosting.
    Anyway must have been temporary cause they're working now.

  2. This could possibly be a good find if it'd work consistently.

    I'm running Ubuntu 10.04. Let's say I have a key (F2:E8:54:22:F3), I've tried:
    ./64reverse f2e85422f3
    ./64reverse f2e85422f3 2
    ./64reverse f2e85422f3 3
    ./64reverse f2e85422f3 4
    All return a "Couldn't find WEP passphrase"

    Going to the netpoint.com/wep example ascii->hex generator, I tried taking a few generated keys from there that worked, so the program does work sometimes.

    I know the key works (and it's a WEP key) because I just tried connecting to the network again with it. I proceeded to connect to the internet and check for an ip lookup, just to verify it was a different IP (I have a business IP and a home IP).

  3. Thanks so much, Matt! What a helpful little thing! Can you (or I, if I spend some time with the code) extend it to work with 128-bit keys too? Or would that take like 2^64 times more? (I feel like I ought to be able to make an educated guess about the O() time of something like this, but in reality I'm afraid that's just not happening...)

  4. @Armando
    As I wrote in the main post "This program was based on Linksys algorithm".
    There are other router manufacturers that may use different "hashing" algorithms (for example NETGEAR).
    The program will not work for a different algorithm than the one it was based on.

  5. @Brad

    Unfortunately 128-bit keys are created using MD5, so there's no way of reversing it, and bruteforcing it is only possible to something like 7-char long passphrases
    where it would take about one hour. 9 character long passphrases would take months and 10-long years.

  6. Thanks for the answer, Matt!

  7. Hi Matt,
    I'm as good as brand new to this whole *NIX environment.
    I've downloaded your brilliant lil' file into my Downloads Folder, and changed the prompt within Terminal across to this Directory, ( 'User@Machine:~/Downloads' )
    I still need a little more help with regards to understanding the syntax required to utilise your file.
    The WEP Key in question is 03:04:08:24:08, but I'm still not completely sure of the necessary entry at the prompt 'to make it go'.
    Any assistance would be thoroughly appreciated,

    Regards,

    Poke808,225
