Tutorial- Cracking WEP with no Clients
TUTORIAL BY JAYMILL230 FOR THETAZZONE/TAZFORUM
Ok, this tutorial should be pretty straightforward and easy, then again, thats the entire idea behind a tutorial right? Anyway, to business, this tutorial will show you how to crack WEP very quickly using the aircrack on the backtrack security liveCD, that you can find here;
**quick note, cracking WEP with no clients will be out tonight/sometime real soon**
We will go over
1) Putting your atheros based card into monitor mode
2) Getting packet injection ready
4) Cracking the WEP
This is the easier method, the one where the WEP has clients present, and you can use a deauth attack on them. Ok, enough talk, to business!
The first thing to do is boot up backtrack, basically by booting to a CD like you normally would, if you can’t figure this out, ask down below, or go use google. login to backtrack under root (password ‘toor’), and then type “startx” into the command line to start out GUI.
Sweet, now we are running *nix, and we can start the good stuff. Open up a command line, but clicking on the icon that looks like one on the bottom next to the ‘start’ type thingy (let me know if I get to technical )
Now, we need to enter this into the command line;
|$ airmon-ng start wifi0 6
**starts wifi0 on channel 6, change for the channel of the network you are attacking, use kismet for this, not covered in this tutorial**
$ wlanconfig ath0 destroy
Sweet, now we have our card in monitor mode, and we can move onto bigger and better things.
Start up Airodump and getting some info ready
ok, lets start airodump so we can get some info out of it, and then we can just leave it running.
|$ airodump-ng –ivs –write bob –channel 6 ath1
**basically heres what each thing means;
Now that airodump is running, we need to snag a couple pieces of information from it, 1) The MAC address of the AP we are attacking, it’ll be in the first column. 2) the essid of the network, i.e. “linksys”, or something similar.
Now, open up a new terminal (DON”T CLOSE AIRODUMP). type this line in;
|$ export AP=mac_of_ap|
Now we also have to get our mac address; this is easy in backtrack just type in the following;
|$ macchanger –show ath1
**your output here**
This basically just stored those as variables, so you don’t have to type them a bunch of times in the coming steps.
Getting everything ready
Basically what we are going to do to the network, is fake authorize ourselves using aireplay. Then using the same program, we are going to grab some peices of packets out of the replies given by fakeauth, and use those to create an arp reply packet with packetforge, to inject into the network to create IV’s, so we can crack the key! Whew, lets get started!
First we need to set up, but NOT run our fake auth attack;
|$ aireplay-ng -1 0 -e linksys -a $AP -h $MAC ath1|
so, we are running aireplay attack 1, with no delay, linksys is the essid of the network we are attacking, -a is the MAC of the AP we are attacking, and -h is our MAC address. Don’t run this yet, we will soon enough.
Open up another command line, so we can get ready to sniff out the packets we need. Enter the following;
|$ aireplay-ng -5 -b $AP -h $MAC|
Cool, step 1 of 2 is done for getting ready to create IV’s, next we have to sniff a packet, and then create one of our own. So run the aireplay -5 command first, it will start to sniff the network, then run the first command. Eventually the -5 will find a packet that it can use, and it will ask you if you want to use it, say yes (type y and press enter). Now you can cancel the first command (stop it from fake auth’ing over and over) by pressing ctrl-c. Leave the window open.
Now, after we told aireplay-ng -5 yes, it should have created a .xor file. In the output, the name of it should be there. The line looks like this;
|Saving Keystream in fragment-0215-124336.xor
**yours will be different**
Now, using this .xor file we can create an arp-reply package which we can inject to create weak IV’s. So in the same window we ran the aireplay-ng -5 command, type in the following;
|$ packetforge-ng -0 -a $AP -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y your_.xor_file.xor -w arp-request|
That will generate what we need, now we can run the final injection command that will inject the arp-request packets. Enter the following;
|aireplay-ng -2 -r arp-request ath1
*you will have to say yes again btw*
Now you get to watch your #data column in airodump (you didn’t close it did you?) skyrocket! Wait a few minutes, and when you have 100k packets (the #data column, 1 mil for 128 bit) run the following command to crack the key!
|$ aircrack-ng -n 64 -b $AP *.ivs
**note, if its 128 bit, change 64 to 128**
There ya go! You have cracked WEP when there are no clients on the network!
**This is an education peice, you should not be cracking anybody elses network, it can get you fined/landed in jail, I take no responsibility for anything you do with this information**