-
Wep Cracking Tutorial
Hi, in this tutorial i will be showing you how to crack wep without any traffic on the network.
To use this tutorial you need to have packet injection working with your wireless card, kismet, aircrack suite, arpforge and a small amount of Linux knowledge (to open konsole and put your card into monitor mode)
For this tutorial i have use BackTrack (www.remoteexploit.org) Linux distribution as it contains all the programs and was easy to install packet injection for my driver.
My setup:
Dell Inspiron 1300 with an atheros wireless card running backtrack (i will refer to this as BT), my DLink DI524 router which has a 128 Bit encryption and nothing else connected wirelessly.
After you boot into BT (or anyother distro your using) put your card into monitor mode.
start kismet , we will use kismet to find out the information we will need about the AP we wish to hack
kismet will show all the wireless Access Points in range
I only have 1 in range (called Crossover) but you may have more around you.
press s then b , this will let you scroll up and down the list till you find the AP you wish to crack then press enter
this will give you more information about the access point, make a note of the name of it, the channel its on and the bssid (you can leave kismet open and just come back to it later to get the info) and also make sure its wep as this tutorial is for wep )
http://www.remote-exploit.org/
-
we will now run airodump to capture the IV's (data) we will need to crack the wep.
open a new konsole and run "airodumpng" , this will show you all the possible options you can use with this application,
we only need to capture so we will use the w , this is what we will call the file we are capturing and c to specify a channel, this will make it easier for us to capture the data from our AP.
im going to call my file "weptutorial" and my channel (the channel kismet shows) is 8 so my command is. we will also need to add the interface to use at the end of the command, iwconfig can show this but hopefully you know, mine is ath1
here is the command i will use:
airodumpng w weptutorial c 8 ath1
we should see our AP come up and we might have some traffic on it we might not.
-
i don't have any data on mine (as i have no wireless devices connected to it)
Now we are capturing data, we will need about 200 000 to 1 000 000 of these to crack wep.
while that's running open a new konsole and now we will speed up the traffic (if you have wireless devices and the data is going up fast enough then you dont need to do this stage)
we will now set up a method called chopchop, this is in aireplayng (run "aireplayng" like we did airodumpng to see all the options) and it will capture and data and resend it over and over to make the traffic on the network so we can capture more.
the command to do this is:
aireplayng chopchop b 00:0F:3D:3D:94:72 ath1
aireplayng = the program namechopchop
= the attack we are useingb 00:0F:3D:3D:94:72
= our AP's MAC address (kismet has this info and airosump also shows it)ath1
= our network interface
aireplay will keep reading packets till it finds one that it thinks contains an IV (data containing the wep) . If your network hs wireless traffic on it then you should get one soon, if not ( like me) then we can fake authentication with AP and hopefully it will throw a packet or 2 out that we can catch.
-
to do this we open another konsole and use the aireplayng command again but a different attack method
aireplayng fakeauth 50 e Crossover a 00:0F:3D:3D:94:72 h 11:22:33:44:55:66 ath1
aireplayng
= the program namefakeauth 50
= the attack we are using with the delay of 50e Crossover
= the name of the APa 00:0F:3D:3D:94:72
= our AP's MAC addressh 11:22:33:44:55:66
= a fake mac address for us to attack from so the routers admin cant see our real mac addressath1
= our network interface
we should see Sending Authentication RequestAuthentication successful
after a while the attack will stop but just rerun the command again
airodump will also show our new fake mac is connected to the ap
Hopefully the chopchop method we started will now catch some datapress y to let it send it, it will do something like this screenshot
-
you will notice airodump has gone crazy too and lots of clients connected to the AP
let it run its magic till the chopchop hits 100%
now we have a cap and xor file, we will turn this into a file we can send back to the AP.
to do this run an app called arpforgeng
this will edit the capture slightly, im not going to go into detail about this app.
arpforgeng replay_dec0831173203.xor 1 00:0F:3D:3D:94:72 11:22:33:44:55:66 192.168.0.200 192.168.0.1 arp.cap
arpforgeng
= the program namereplay_dec0831173203.xor
= the xor file that was caught by the chopchop method, yours will be slightly different1
= the type we are using00:0F:3D:3D:94:72
= the AP's mac address11:22:33:44:55:66
= our fake mac192.168.0.200
= the ip source, this can be anything
-
192.168.0.1
= the destination , this is the AP's iparp.cap
= the new capture file name
after this it will say done.
we will now send this modified capture file lots of times, and very fast, this will make the data in airodump go up.
aireplayng interactive r arp.cap ath1
press y when it asks if you want to send this packet
the data in airodump should now be rising very fast
-
at this stage you can stop the fake auth with ctrl+c. wait till you have about 100 000 before moving on (this may take a while) mine is doing about a hundred a second so make a brew.
when it hits around 100 000 we could start to crack the wep, we will leave the rest running and catching data so it will improve our chances.
Cracking Time
open a new konsole and run the command "aircrackng" to see all the possible options, we will only be using a few
-
aircrackng a 1 e Crossover b 00:0F:3D:3D:94:72 weptutorial02.cap
aircrackng = the program namea 1
= this is to choose what we are cracking 1 = wep, 2 = wpapske Crossover
= the AP nameb 00:0F:3D:3D:94:72
= the ap mac addressweptutorial02.cap
= this is the capture file that you called when you started
airodump, it will prob add 01 to yours but as i already had one called that it made it 02, just use tab to find out or look in the folder
It is now testing your keys and hopefully this will find your key (this will also take time, make a sandwich)
remember , the higher the encryption the longer it can take.
-
if the aircrack fails just restart it and let it catch more data, for this tutorial i needed over 800 000
This key (ModShackHack1) took me 1 hour 20 mins to crack, some may take less time some may take more
Hope You Crack Your WEP McScruff
