one4all

 Cracking WEP

Author: Admin

Post subject: Cracking WEP
Posted: Thu Dec 31, 2009 4:14 am

Quote:
This tutorial was made using BackTrack 3, a Linux live CD.

Following this tutorial word for word will only work on Linux; it is
recommended that you download BackTrack and burn it to a disc. BackTrack
includes everything you need.


Pre-requisites:

Kismet - Kismet is a wireless network detector and also a packet sniffer
airmon - This tool sets your wireless network adapter into monitor mode
iwconfig - This tool configures your wireless network adapters. It can also show whether your adapter is in monitor mode or not.
macchanger - This tool lets you spoof your MAC (Media Access Control) address
airodump - airodump captures packets from the target AP (Access Point, wireless router)
aireplay - aireplay creates ARP requests used to get IVs from an AP
aircrack - aircrack recovers WEP keys from captured IVs

OR

BackTrack (2, beta 3) - Linux live CD, includes everything needed

What we're going to do here today is crack a WEP (Wired Equivalent
Privacy) secured network. This is done by faking authentication
with the router and acquiring specialized packets called IVs
(Initialization Vectors) that are used to crack the WEP key. It usually
takes around 20,000 IVs for a successful crack, but this depends on
the level of encryption (40 to 128 bit) and the strength of the key. 128-bit
is the most secure, but of course they can all be cracked; the key length
only changes the time required to crack.

WEP uses the stream cipher RC4 for encryption and the CRC-32 checksum
for integrity. Standard 64-bit WEP uses a 40-bit secret key, which is
joined to a 24-bit IV to form the RC4 key. A 128-bit key is usually
entered as a string of 26 hex characters, each representing 4 bits, giving
104 bits of secret key to which the 24-bit IV is added. The same goes for a
256-bit WEP key: it is entered as 58 hex characters of 4 bits each,
giving 232 bits of protection.

Now that you have a general background on WEP encryption, you're ready to move on to the actual cracking of this encryption.

Open up kismet, and enable monitoring mode on your device (ex: eth1).
Now run iwconfig to check that you have selected the right target network.

Now run airodump to start collecting data while we make certain changes (example):

    airodump-ng eth1 -w /mnt/hda1/home/evox/(*filename*) --channel 4 --ivs

* eth1 is the network adapter (may be different)
* -w tells airodump to write the data to the following file (/mnt/hda1/home/evox/*.ivs)
* --channel 4 is the channel we are connecting through; replace it with the channel of the target AP
* --ivs tells airodump to only collect IVs

Now we're going to fake authentication with aireplay.

    aireplay-ng -1 0 -e *ESSID* -a *BSSID (MAC)* -h *ADAPTER MAC* eth1

* -1 is the attack type; in this case we're faking authentication with the AP
* 0 is the delay between attacks
* -e *ESSID*: replace *ESSID* with the ESSID (broadcast name) of your target AP
* -a *BSSID*: replace *BSSID* with the MAC address of the AP
* -h *ADAPTER MAC*: replace *ADAPTER MAC* with the MAC address of your wireless adapter; this can be viewed using macchanger (ex: macchanger -s eth1)
* eth1 is the wireless adapter

Now that we have faked authentication with the AP, we need to start injecting packets with aireplay.

    aireplay-ng -3 -b *BSSID (MAC)* -h *ADAPTER MAC* eth1

* -3 is the attack type we are initiating; in this case, packet injection (ARP request forging)

If you get a deauth/disassoc packet, fake authentication with the AP again using aireplay as described above.

When you start getting a boatload of ARP packets (receiving and
transmitting), wait a little while (it took me 2 minutes), and then go
on to the following step.

Now we're going to crack the key from the IVs we captured with airodump, using aircrack.

    aircrack-ng -s /mnt/hda1/evox/*.ivs

* replace '*' with what you named the file in the first step

If you collected around 20,000 IVs, you should definitely have enough;
just sit back and wait for aircrack to crack the WEP key. When it's
done, write down the WEP key, and enjoy your access to the 'protected'
network!

If you didn't have enough IVs, keep using airodump to collect IVs and aireplay to generate more ARP requests.

If I missed anything, or wrote something wrong, please tell me. Enjoy!
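The key-size paragraph above (40-bit, 104-bit and 232-bit secret keys, each joined to a 24-bit IV to form the RC4 key) is easy to get wrong when reading a key off a router's configuration page. The following Python is an added example, not code from the post or from the aircrack-ng tools: it classifies a hex-entered WEP key into the layout the post describes and then shows why the 24-bit IV is the weak point, using the birthday bound on IV reuse and the time a sequential IV counter takes to wrap. The mapping of 10 hex characters to the "64-bit" size follows from the 40-bit key in the post; the 500 frames/s rate and the helper names are assumptions made for the example.

```python
import math

IV_BITS = 24  # WEP prepends a 24-bit IV to the secret key to build the RC4 key

# Marketed WEP size -> hex characters the user types (26 and 58 are from the
# post; 10 follows from the 40-bit key of "64-bit" WEP, 4 bits per hex char).
HEX_LENGTHS = {64: 10, 128: 26, 256: 58}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def wep_key_layout(hex_key: str) -> dict:
    """Classify a hex-entered WEP key and report how the RC4 key is assembled.

    Returns the secret-key bits, IV bits, total RC4 key bits, the marketed
    key size, and the number of distinct IVs available (2**24).
    """
    key = hex_key.replace(":", "").replace("-", "").strip()
    if not key or any(c not in HEX_DIGITS for c in key):
        raise ValueError("WEP key must consist of hex characters")
    marketed = next((m for m, n in HEX_LENGTHS.items() if n == len(key)), None)
    if marketed is None:
        raise ValueError(f"unexpected WEP key length: {len(key)} hex chars")
    secret_bits = 4 * len(key)
    return {
        "hex_chars": len(key),
        "secret_bits": secret_bits,
        "iv_bits": IV_BITS,
        "rc4_key_bits": secret_bits + IV_BITS,
        "marketed_bits": marketed,
        "iv_space": 2 ** IV_BITS,
    }


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> int:
    """Birthday bound: about sqrt(pi * N / 2) randomly chosen IVs are sent
    before one repeats, where N = 2**iv_bits. A repeated IV means the same
    RC4 keystream was reused, which is what the attack exploits."""
    n = 2 ** iv_bits
    return int(math.sqrt(math.pi * n / 2))


def seconds_until_iv_wrap(iv_bits: int = IV_BITS, frames_per_second: float = 500.0) -> float:
    """Seconds until a sequential IV counter wraps at the given frame rate
    (the rate is an assumed figure for illustration)."""
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    # Constructed sample keys, not real credentials.
    for sample in ("0123456789", "00112233445566778899aabbcc", "ab" * 29):
        print(wep_key_layout(sample))
    print("expected frames until an IV repeats:", expected_frames_until_iv_repeat())
    print("hours until a sequential IV counter wraps at 500 fps:",
          round(seconds_until_iv_wrap() / 3600, 1))
```

The point the numbers make for a defender: however long the secret key is, every frame carries one of only 16,777,216 IVs, so keystream reuse begins within a few thousand frames regardless of whether a 64-, 128- or 256-bit key was configured. That is why the post's "it just changes the time required" holds, and why WEP should be replaced rather than given a longer key.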

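The two aireplay steps above (fake authentication, then ARP request replay) leave a recognisable footprint on the air that a wireless IDS can pick up: a station that authenticates to the AP over and over, and a station that pushes hundreds of encrypted data frames per second all of exactly the same length. The Python below is an added example, not from the post or from any real WIDS product: it runs two such heuristics over a constructed list of frame summaries (time, frame kind, source, destination, length). The MAC addresses, the frame records and the thresholds (5 authentications in 10 s, 100 same-length data frames in 1 s) are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed frame summaries, not a real capture: each record holds the time
# in seconds, the 802.11 frame kind, source and destination MAC, and length.
AP = "00:11:22:33:44:55"        # constructed BSSID of the access point
LEGIT = "aa:aa:aa:aa:aa:01"     # constructed ordinary client
SUSPECT = "bb:bb:bb:bb:bb:02"   # constructed client doing fake auth + ARP replay


def make_sample_frames():
    """Build the constructed sample: one normal client, one replaying client."""
    frames = []
    # Normal client: one authentication, then mixed-size data at 2 frames/s.
    frames.append({"t": 0.0, "kind": "auth", "src": LEGIT, "dst": AP, "len": 30})
    for i in range(20):
        frames.append({"t": 1.0 + i * 0.5, "kind": "data", "src": LEGIT,
                       "dst": AP, "len": 100 + 7 * i})
    # Suspect: re-authenticates 8 times in under a second (fake auth repeated
    # after deauths), then replays one encrypted ARP request of fixed length
    # at 200 frames/s.
    for i in range(8):
        frames.append({"t": 2.0 + i * 0.1, "kind": "auth", "src": SUSPECT,
                       "dst": AP, "len": 30})
    for i in range(600):
        frames.append({"t": 3.0 + i * 0.005, "kind": "data", "src": SUSPECT,
                       "dst": AP, "len": 68})
    return sorted(frames, key=lambda f: f["t"])


def _sliding_windows(records, window):
    """Yield (start, end) index pairs whose records lie within `window` seconds."""
    start = 0
    for end in range(len(records)):
        while records[end]["t"] - records[start]["t"] > window:
            start += 1
        yield start, end


def detect_auth_storm(frames, window=10.0, min_auths=5):
    """Flag stations sending >= min_auths authentication frames within `window`
    seconds; a genuine client authenticates once per association."""
    by_src = defaultdict(list)
    for f in frames:
        if f["kind"] == "auth":
            by_src[f["src"]].append(f)
    alerts = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["t"])
        for start, end in _sliding_windows(fs, window):
            if end - start + 1 >= min_auths:
                alerts[src] = {"auths_in_window": end - start + 1, "t": fs[start]["t"]}
                break
    return alerts


def detect_arp_replay(frames, window=1.0, min_rate=100, same_len_fraction=0.9):
    """Flag stations sending >= min_rate data frames inside any `window` seconds
    where at least same_len_fraction of them share one length: replaying a
    captured ARP request produces a stream of identical-length encrypted
    frames, which ordinary traffic does not."""
    by_src = defaultdict(list)
    for f in frames:
        if f["kind"] == "data":
            by_src[f["src"]].append(f)
    alerts = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["t"])
        for start, end in _sliding_windows(fs, window):
            count = end - start + 1
            if count < min_rate:
                continue
            top_len, top_n = Counter(f["len"] for f in fs[start:end + 1]).most_common(1)[0]
            if top_n / count >= same_len_fraction:
                alerts[src] = {"frames_in_window": count, "frame_len": top_len,
                               "t": fs[start]["t"]}
                break
    return alerts


if __name__ == "__main__":
    sample = make_sample_frames()
    print("auth storms:", detect_auth_storm(sample))
    print("ARP replay: ", detect_arp_replay(sample))
```

Both detectors use a sliding time window rather than totals, so a client that legitimately reconnects a few times over a day is not flagged while a burst is. Thresholds need tuning per site: busy clients (video streams, for instance) can exceed 100 data frames per second, but they rarely do so with one constant frame length, which is why the same-length test is combined with the rate test instead of used alone.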