
    Wednesday, December 16, 2009

    Crack WEP encryption (wifi security)


    Efforts to crack WEP encryption have been around and even publicly discussed since the inception of the WEP protocol, and this page brings you information about how to discover and calculate a WEP key from network traffic. This introduction to WEP cracking may be useful to anyone who intends to investigate network security.
    Cracking WEP itself is relatively easy and can take anywhere from as little as a few minutes to a few hours (depends on the amount of network traffic, connection quality, etc.). Setting up your equipment so that it does what it needs to do can take weeks (depends on what you have and what you already know). Before you proceed to WEP cracking, read our first page of this "tutorial" which can provide an idea about setting your computer and also about the legality of WEP cracking.


    Now we can proceed to demonstrating how to crack WEP encryption.



    What do I need to discover a wireless network WEP key?



    Here is a list of assumptions that you need to meet in order to be able to discover a WEP key from network traffic. Note, the assumptions listed below are specific to this tutorial. Other tutorials on the web are based on different assumptions.


    • Software and hardware: Ubuntu, Intel PRO/Wireless 3945ABG with the ipwraw-ng-2.3.4 driver (or alternatively a TP-LINK TL-WN321G network adapter with the rt73-k2wrlz-3.0.1 driver), aircrack-ng-1.0. (Of course, you can use some other adapter as well; Intel and TP-LINK are what we used.)
    • You are physically close enough to the access point to send and receive packets. Remember that just because you can receive packets from the wireless access point does not mean you will be able to transmit packets to the access point. The wireless card strength is typically less than the access point strength, so you have to be physically close enough for your transmitted packets to reach and be received by the access point.
    • There is at least one wireless client connected to the network and active. The reason is that WEP cracking relies on ARP packets and if there are no active clients then there will never be any ARP request packets.
    Ensure that all of the above assumptions are true, otherwise the examples that follow will not work.
    We have tested WEP cracking with two network adapters: Intel PRO/Wireless 3945ABG with the ipwraw-ng-2.3.4 driver and alternatively a TP-LINK TL-WN321G network adapter dongle with the rt73-k2wrlz-3.0.1 driver. The Intel adapter is referenced as wlan0 (wifi0), and the TP-LINK adapter is referenced as rausb0. You can find the name of your network adapter by executing the iwconfig command.



    Does my network adapter driver work correctly?



    One of the assumptions in this article is that your network interface drivers need to be patched for monitor mode and packet injection. (See the How to crack WEP with Intel PRO/Wireless 3945ABG link mentioned above for more details.)


    Monitor mode test
    If you loaded your driver module correctly, your network adapter might already be in Monitor mode. If it is not, try executing the following command:


    sudo airmon-ng start wlan0
    wlan0 (and also wifi0) is the name of your Intel 3945 network adapter. It would be rausb0 if you worked with the TP-LINK 321. You can find the name of your network adapter by executing the iwconfig command. The screenshot below shows you what you want to see in your iwconfig output.


    (Screenshot: iwconfig output with the interface in Monitor mode)
    If the network interface is set correctly, it should say Monitor mode.


    Packet injection test
    Use the injection test to confirm your card can inject prior to proceeding. Try executing the following two commands in your terminal window:


    aireplay-ng -9 wifi0
    aireplay-ng -9 127.0.0.1:666

    They both should result in the "Injection is working!" message. You can find more details here: http://aircrack-ng.org/doku.php?id=injection_test.


    How does WEP cracking work?

    Ok, we have all the hardware and software ready, now it is time to explain how WEP cracking works.
    Here are the basic steps we will be going through:


    1. Start the wireless interface in monitor mode
    2. Start airodump-ng to discover all the available networks and find your target
    3. Change your MAC address (optional)
    4. Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
    5. Use aireplay-ng to do a fake authentication with the target access point
    6. Start aireplay-ng in ARP request replay mode to inject packets
    7. Run aircrack-ng to crack key using the IVs collected
    Sounds easy? Let's get into the details.


    1. Start the wireless interface in monitor mode



    If you want to listen to network traffic and to capture network traffic, your network adapter needs to be in Monitor mode. We already covered this above and also on the How to crack WEP with Intel PRO/Wireless 3945ABG page.



    2. Start airodump-ng to discover all the available networks

    If you want to crack WEP, you need to know a little more than just the network name. You also need to know the MAC address of the wireless access point or wireless router which you can find by executing the following command:


    sudo airodump-ng wifi0
    This is what you will get.


    (Screenshot: airodump-ng listing the wireless networks in range)
    You can see the names of available wireless networks in the rightmost column and the MAC addresses of access points in the leftmost column. This screen also tells you how each network is secured (WEP, WPA, OPN, etc.). You can also find out on which channel each access point operates.



    3. Change your MAC address (optional)



    In order to take advantage of the packet injection technique, you need to be associated with the target wireless access point. Many wireless networks are protected not only by WEP encryption but additionally also by MAC filtering. If that is the case with your target network, you need to first discover a MAC address of an already associated user and then use that MAC address for your own authentication and association. Read the following two pages:


    How to break MAC filtering (wifi security)
    How to change MAC - Macchanger

    Note, you will need to disable your network adapter before changing your MAC address and then enable it again, so it is an exercise that goes through the two pages referenced above as well as through points 1 and 2 again.


    How do I find a MAC address?
    Remember, you need to find a client on the network that is already associated with your target access point. You can do so by executing the following command in your Ubuntu terminal window:


    sudo airodump-ng -c 11 --bssid 00:02:72:51:DB:28 -w wepdump -i wifi0
    where -c is the channel on which your target access point is broadcasting, BSSID is the MAC address of the access point, and -w wepdump -i (we will explain later).


    (Screenshot: airodump-ng filtered on one BSSID, showing the associated client MAC addresses)
    The screen will look similar to the screen above.


    4. Start airodump-ng to collect the new unique IVs





    By now, you should have all the needed information about your target access point (name, MAC, channel, etc.), your MAC address changed to the same address as some other client on the network, and your network interface set in Monitor mode. Now you want to start capturing all the new unique so-called Initialization Vectors (IVs) included in packets that go out of your access point. You can do this by starting airodump-ng on your access point channel with a BSSID filter (access point MAC address). Open new terminal window and do:


    sudo airodump-ng -c 11 --bssid 00:02:72:51:DB:28 -w wepdump -i wifi0
    This is the same command as in step 3. We used it in step 3 to find someone who is already using your wireless access point; now we use it to capture initialization vectors. The option -w wepdump is the name of the file where you want to save your initialization vectors. The option -i means that you want to save initialization vectors only and discard all other data.
    The screen will look similar to the screen above in step 3.


    5. Use aireplay-ng to do fake authentication with the access point

    Now it is time to sort of "login" into your wireless network. In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting (later) is not associated with the access point then the access point ignores the packet and sends out a "DeAuthentication" packet in cleartext. In this state, no new initialization vectors are created because the access point is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why packet injection fails. At this point you are just connecting to the access point and telling it you are here and want to talk to it. This does not give you any ability to transfer data. Open another terminal window and do:


    sudo aireplay-ng -1 0 -e datel -a 00:02:72:51:DB:28 -h 00:13:CE:EC:45:20 wifi0
    where -1 means fake authentication, 0 means reassociation timing in seconds, -e datel is the name of the network, -a is the access point MAC address, and -h is the MAC address under which you act (either your own or the spoofed one if you went through step 3).
    This is what the output should look like.


    (Screenshot: aireplay-ng fake authentication output)
    Remember, the MAC address you target for injection must be associated with the access point by either using fake authentication or using a MAC address from an already-associated client (step 3), or both at best.
    Possible problem: If you get "Got a deauthentication packet" and then continuous retries, then you are probably dealing with MAC filtering (that is, some access points are configured to only allow selected MAC addresses to associate and connect). Go back to step 3. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.
    Possible problem: If you get "Waiting for beacon frame (BSSID: ...) No such BSSID available." then you are dealing with weak wifi signal. Get closer to the access point.


    Sending Authentication Request [ACK]
    Sending Authentication Request [ACK] that just keeps repeating on the aireplay-ng screen is another common problem. If you keep getting "Sending Authentication Request" or "Sending Association Request" that keep coming back, then you are too far away from the access point or are dealing with weak signal. Remember, the fact that you can capture packets from the access point does not mean that the access point can also capture packets from your computer. The signal going out of your computer is much weaker.
    Also, check that you are communicating on the same wireless channel as the access point.
    Another problem can be that the access point utilizes MAC filtering and your MAC spoofing in step 3 did not go right. Run the ifconfig [adapter_name] and macchanger --show [adapter_name] commands to verify that your computer is communicating using the MAC address of some already authenticated user. (See the download Macchanger page, "How to verify" section, for more details.)
    In some cases, the access point is unable to communicate quickly enough with your computer. In this case, try to increase your delay and timing:


    sudo aireplay-ng -1 6000 -o 1 -q 10 -e datel -a 00:02:72:51:DB:28 -h 00:13:CE:EC:45:20 wifi0
    Sometimes the fake authentication just does not work no matter what you do, and you have to proceed without it.


    5.1 WEP crack without packet injection

    If the previous step fails in your case, and you are unable to do authentication with either a fake or your own MAC address, the next step 6 - packet injection - will likely fail too. Try it out and see. If step 6 fails, return to this section. No worry, you can still crack WEP; it will just take more time. If you are unable to authenticate and as a result do packet injection, you will be watching the screen which you opened in step 4 for a while.


    (Screenshot: airodump-ng capture window showing the #Data and RXQ columns)
    Your goal is to see at least 150,000 in the #Data column. If you look at the RXQ column in the screenshot above, you can see the number 49 there. This value provides information about the quality of your wireless connection between the access point and your computer. Anything below 80 is considered weak. If the number fluctuates a lot, you have a weak signal as well.
    The RXQ value relates to the data stream going from the access point to your computer. Even if this number is above 80, the access point still may not be able to see your computer. This is the most common reason for fake authentication and packet injection to fail. If that is your case, just sit back and wait until the #Data column shows at least 150,000, and then try step 7 (WEP crack). Without authentication and packet injection, this process might take 1.5 to 2 hours. You can start trying the WEP crack in step 7 as soon as #Data reaches at least 80,000, but our experience is that WEP keys usually get cracked once you have somewhere around 150,000 initialization vectors.


    6. Start aireplay-ng in ARP request replay mode to inject packets

    To crack a WEP key for a wireless access point, we need to gather a lot of initialization vectors (IVs), ideally somewhere around 150,000 of them. Normal network traffic does not typically generate these initialization vectors very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply passively listening to the network traffic and saving them (step 5.1). Alternatively, you can use a technique called packet injection to actively speed up the process. Injection involves having the access point resend selected ARP packets (they include IVs) over and over very rapidly. This allows us to capture a large number of initialization vectors in a short period of time. So, the purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. Open another terminal window and do:


    sudo aireplay-ng -3 -b 00:02:72:51:DB:28 -h 00:13:CE:EC:45:20 wifi0
    where -b is the access point MAC address, and -h is the MAC address under which you act (either your own or the spoofed one if you went through step 3).
    This command will start listening for ARP requests and when it hears one, aireplay-ng will immediately start injecting it. You can generate an ARP request by pinging some other client that is already associated.
    This is what the output should look like:


    (Screenshot: aireplay-ng ARP request replay output)
    You can confirm that you are injecting by checking your airodump-ng and aireplay-ng screens. The data packets should be increasing rapidly. The "#/s" should be somewhere in the range of 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second. The ARP packets and Sent packets should be increasing rapidly as well.
    Possible problem: Note, if the ARP packets count and the Sent count as well are stuck at zero, then your network interface is likely not associated with your access point. Or, you can also be too far away from the access point (weak signal).
    Possible problem: Message similar to "Got a deauth/disassoc packet. Is the source mac associated?" means you have lost association with the access point. Go back to your other window from step 5 and rerun fake authentication. This is not necessary if you went through step 3 though.


    7. Run aircrack-ng to crack the WEP key using the IVs collected

    Once you have captured a large number of initialization vectors, you can use them to determine the WEP key. There are two basic methods for cracking WEP: the PTW method and the FMS/Korek method.
    To crack the WEP key, open another terminal window and execute the following commands:


    sudo aircrack-ng -z -b 00:1A:92:77:BB:D9 wepdump*.ivs
    sudo aircrack-ng -a 1 -0 -n 128 wepdump*.ivs

    where -z invokes the PTW WEP-cracking method, -b selects the access point we are interested in, wepdump*.ivs selects all files starting with "wepdump" and ending in ".ivs" (this comes from your airodump-ng command earlier), -a 1 denotes the FMS/KoreK attack, and -n selects the type of WEP key (128-bit in our case). These commands will calculate the WEP key from the captured initialization vectors. This is what the output looks like:


    (Screenshot: aircrack-ng reporting the recovered WEP key)
    You made it! Interested in more fun stuff? Read the following two articles:


    How to find MAC and IP addresses in network data
    How to break MAC filtering
    Now that you know how to break into a WEP-protected network and therefore have discovered the weak link in your wifi network, we would also like to draw your attention to our security tutorials. We have written a few tutorials related to wireless network security. You can read more about IPSec, VPN, MAC addressing, WPA, WPA2, PSK, and many other wireless security measures. Our wireless security tutorials help you to make your network more secure.
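    What the same session looks like from the defender's side of the air, as an added detection example that is not code from the original tutorial: the AP and client MACs are the ones used in the commands above, while the sample frames, the extra client MAC, the thresholds and the frame-metadata format are all constructed for this illustration. It flags the two symptoms of steps 5 and 6, an authentication retry loop answered by a deauthentication, and a burst of data frames that all carry the same WEP IV (a replayed ARP request is the same ciphertext every time, whereas genuine traffic gets a fresh IV per frame).

```python
"""Spot the on-air symptoms of a WEP attack: an authentication retry loop
(step 5 of the tutorial) and ARP-request replay (step 6). Constructed sample,
added for illustration; not code from the original page."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

AP = "00:02:72:51:DB:28"       # BSSID used throughout the tutorial
STATION = "00:13:CE:EC:45:20"  # client MAC used in the tutorial's aireplay-ng commands
LEGIT = "00:11:22:33:44:55"    # constructed: an ordinary associated client


@dataclass(frozen=True)
class Frame:
    """Minimal 802.11 frame metadata, as a monitor-mode sniffer would summarise it."""
    ts: float                 # capture time in seconds
    subtype: str              # "auth", "assoc", "deauth" or "data"
    src: str
    dst: str
    length: int               # frame length in bytes
    iv: Optional[int] = None  # 24-bit WEP initialization vector (data frames only)


def detect_auth_flood(frames, window=10.0, max_auth=5):
    """Flag a station that sends more than `max_auth` Authentication or
    Association frames to the AP inside any `window` seconds: the retry loop
    that a failing fake authentication produces. Also record whether the AP
    answered that station with a deauthentication."""
    by_src = defaultdict(list)
    for f in frames:
        if f.subtype in ("auth", "assoc") and f.dst == AP:
            by_src[f.src].append(f.ts)
    deauthed = {f.dst for f in frames if f.subtype == "deauth" and f.src == AP}
    alerts = []
    for src, times in by_src.items():
        times.sort()
        densest, j = 0, 0
        for i, t in enumerate(times):          # sliding window over timestamps
            while times[j] < t - window:
                j += 1
            densest = max(densest, i - j + 1)
        if densest > max_auth:
            alerts.append({"kind": "auth_flood", "src": src, "count": densest,
                           "deauth_seen": src in deauthed})
    return alerts


def detect_arp_replay(frames, min_rate=100, max_new_iv_ratio=0.05):
    """Flag a station whose WEP data frames towards the AP arrive at
    `min_rate` or more per second while carrying almost no distinct IVs.
    A replayed ARP request is the same ciphertext every time, so its IV
    never changes; genuine traffic gets a fresh IV on every frame."""
    per_second = defaultdict(list)
    for f in frames:
        if f.subtype == "data" and f.dst == AP and f.iv is not None:
            per_second[(f.src, int(f.ts))].append(f)
    alerts = []
    for (src, sec), fs in sorted(per_second.items()):
        if len(fs) < min_rate:
            continue
        distinct_ivs = len({f.iv for f in fs})
        if distinct_ivs / len(fs) <= max_new_iv_ratio:
            common_len = Counter(f.length for f in fs).most_common(1)[0][0]
            alerts.append({"kind": "arp_replay", "src": src, "second": sec,
                           "frames": len(fs), "distinct_ivs": distinct_ivs,
                           "frame_length": common_len})
    return alerts


def build_sample():
    """Constructed capture: ordinary traffic, an auth retry loop, and a replay burst."""
    frames = []
    # Ordinary client: a data frame every 0.2 s, each with a fresh IV.
    for i in range(60):
        frames.append(Frame(i * 0.2, "data", LEGIT, AP, 120 + (i % 7), iv=0x100000 + i))
    # Fake-authentication retry loop: 8 auth requests in 4 s, answered by a deauth.
    for i in range(8):
        frames.append(Frame(2.0 + i * 0.5, "auth", STATION, AP, 30))
    frames.append(Frame(2.1, "deauth", AP, STATION, 26))
    # ARP replay burst: 300 identical 68-byte frames in one second, same IV every time.
    for i in range(300):
        frames.append(Frame(10.0 + i / 300.0, "data", STATION, AP, 68, iv=0x1A2B3C))
    return frames


def analyze(frames):
    """Run both detectors and return all alerts."""
    return detect_auth_flood(frames) + detect_arp_replay(frames)


if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```

On real captures the thresholds need tuning per site; the IV-repetition test is the robust one, since legitimate WEP stations never send hundreds of frames with a single IV.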
    And lastly,




    source : http://www.maxi-pedia.com/



    Monday, September 14, 2009

    How to crack WEP with Intel PRO/Wireless 3945ABG

    How to crack WEP with Intel PRO/Wireless 3945ABG is a task that can keep you busy for a long time. The Intel PRO/Wireless 3945ABG network adapter driver that comes from the manufacturer does not provide the packet injection and network monitoring capabilities which are needed to crack WEP, and therefore before you attempt WEP cracking you have to update your driver first, which can be a daunting task.

    What is WEP crack?

    First, let's explain some background to WEP cracking. WEP is short for Wired Equivalent Privacy or Wireless Encryption Protocol, and it is one of the measures in wireless security that were at the inception of wireless networking. WEP has been flawed since its inception, but because nothing better was available in the beginning of the Wi-Fi era, it was publicly implemented as "better to have flawed WEP than nothing at all." Because WEP includes many shortcomings, many enthusiasts out there enjoy simply going through the effort of attempting to "break it" or to "crack it". Cracking the WEP in this context means simply obtaining the WEP key to gain access to a wireless network access point and to the network. You can read more about WEP in general in our Wireless Wi-Fi network security tutorial 101 (part 1).

    Is WEP crack OK?

    Second, we have to talk about the legality of WEP cracking. Some people do it for fun, some do it to learn, some do it as a proof of concept, some do it to test their network vulnerability, some do it "just because", some do it for other reasons.
    Breaking someone's WEP key for the purpose of gaining access to someone else's Internet access or data is not ethical, and we can't assume any implied or expressed responsibility for your actions. This web page is provided for educational purposes only, and only to those visitors who wish to learn WEP cracking for legitimate reasons (such as testing their network).
    We provide this tutorial which talks about How to crack WEP with Intel PRO/Wireless 3945ABG. To be fair, we also would like to draw your attention to our five-part wireless security tutorial which helps you to make your network more secure. Our tutorial talks about WPA, WPA2, MAC addressing, IPSec, VPN, PSK, and many other wireless security measures.

    Is WEP crack easy?

    It depends on your initial knowledge and equipment. Cracking WEP itself is relatively easy and can take as little as 5 minutes. The problem is often with setting up your computer, so that it does what it needs to do for WEP cracking. In most cases, you need to upgrade your wireless driver which you first need to find somewhere. Finding out how to set up your computer to crack WEP can take weeks!

    Crack WEP with Intel PRO/Wireless 3945ABG

    The Intel PRO/Wireless 3945ABG network adapter is a relatively new network interface that is being put into currently manufactured laptops, especially ThinkPads. The driver that comes with the adapter from Intel does not support promiscuous (monitor) mode and packet injection and needs to be updated.
    Crack WEP with Windows XP, Windows Vista, or Linux?
    There are many tools and approaches available on the web for WEP cracking, and one can easily get lost and confused when reading all the information provided on discussion forums (OmniPeek, WinAirCrack, airmon, aircrack, Kismet, mac driver, ipwraw driver, ilw3945, etc.). The first question that needs to be answered is which platform to use. Some have had success with Windows XP. We have not seen anyone having success with WEP cracking on Windows Vista. It is advised to attempt WEP cracking with Linux (we used UBUNTU). This is for one major reason: since Linux is open source, it is much easier to find or develop Wi-Fi drivers for your Intel PRO/Wireless 3945ABG network adapter that give access to the needed functionality.
    Are you new to Linux? Do not worry. Downloading the UBUNTU image, burning it to DVD and installing it as a dual boot on your computer is very simple and takes no more than a few hours. Just follow the prompts in the Ubuntu installation process. After installing Ubuntu, get all system updates in the system application manager.
    Which Intel PRO/Wireless 3945ABG interface driver to use to crack WEP?
    Once you have your operating system ready, you have to upgrade and/or patch your wireless card driver, and this is where the biggest problems start. Your wireless card driver needs to support two important functionalities:
    • Packet injection is a computer networking term which refers to sending a packet on a network into an already established connection.
    • Monitor mode, or RFMON mode, allows a computer with a wireless network interface card (NIC) to monitor all traffic received from the wireless network. Monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first.
    When searching the web, you can find information about an endless number of drivers for the Intel PRO/Wireless 3945ABG adapter, such as mac80211, IEEE80211, ipwraw, iwl3945, ipw3945, iwlwifi, madwifi, the serialmonkey driver, the driver from tinyshell.be, the wildpacket driver, and many others. Installing and/or patching them may not be very easy.
    We have had good luck with the ipwraw driver from aircrack. The commands below install the driver (together with two other packages) on your Ubuntu installation.
    sudo apt-get install build-essential   # get core files
    sudo apt-get install libssl-dev        # get supporting library
    wget http://dl.aircrack-ng.org/drivers/ipwraw-ng-2.3.4-04022008.tar.bz2   # download the driver
    tar -xjf ipwraw-ng*        # extract the archive file
    cd ipwraw-ng               # go to the extracted folder
    make                       # compile the source files into a binary
    sudo make install          # install the driver
    sudo make install_ucode    # install the adapter microcode
    echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw   # blacklist the default ipwraw
    sudo depmod -ae            # create a dependency file for the modules
    sudo modprobe -r iwl3945   # unload the driver that you do not need
    sudo modprobe ipwraw       # load the driver that you installed
    sudo ifconfig wlan0 up     # enable the network adapter
    sudo airmon-ng start wlan0 # put your interface into monitor mode
    Now you should have an upgraded driver available. If you get the following error message when setting your network interface into monitor mode
    wlan0 iwl3945 - [phy0]/usr/sbin/airmon-ng: line 316: /sys/class/ieee80211/phy0/add_iface: No such file or directory
    mon0: ERROR while getting interface flags: No such device
    then it means you are not using ipwraw. Check your loaded modules with the lsmod command. If you see something like iwl3945 or mac802 on the list, then you are not using the patched driver.
    (Screenshot: lsmod output showing the ipwraw module loaded for the Intel PRO/Wireless 3945)
    You should see something like ipwraw, and the iwl3945 and iwlwifi should not be on the list. This is what you do want to see in your iwconfig screen:
    (Screenshot: iwconfig output for the Intel PRO/Wireless 3945ABG in Monitor mode)
    Important: Once your driver is set to Monitor mode, you will not be able to browse the web in your internet browser until the adapter is set back to the Managed mode.
    The next step is to pick the program that does the job of WEP crack.
    Which program to use to crack WEP?
    Assuming we have our operating system ready and our driver updated to allow packet capturing and packet injection, we have to choose the right application that does the math when finally cracking WEP. We have chosen the aircrack-ng suite. Although Ubuntu comes with aircrack preinstalled, it is advised to get the latest version:
    sudo apt-get install aircrack-ng
    This command, executed in the terminal window, will get aircrack-ng and install it.

    How to crack WEP?

    Once we have our computer ready for WEP cracking, we can proceed to the fun part which is described on the next page: How to crack WEP encryption (wifi security).

    Tuesday, September 8, 2009

    Few More wifi hacking icks


    Essential Wireless Hacking Tools. Anyone interested in gaining a deeper knowledge of wireless security and exploiting vulnerabilities will need a good set of base tools with which to work. Fortunately, there is an abundance of free tools available on the Internet. This list is not meant to be comprehensive in nature but rather to provide some general guidance on recommended tools to build your toolkit.

    Finding Wireless Networks:

    Locating a wireless network is the first step in trying to exploit it. There are two tools that are commonly used in this regard:
    Network Stumbler a.k.a. NetStumbler – This Windows-based tool easily finds wireless signals being broadcast within range – a must have. It also has the ability to determine Signal/Noise info that can be used for site surveys. I actually know of one highly known public wireless hotspot provider that uses this utility for their site surveys.

    Essential Wireless Hacking Tools.. - PANKS-HACK


    (NetStumbler Screenshot)
    Kismet – One of the key functional elements missing from NetStumbler is the ability to display wireless networks that are not broadcasting their SSID. As a potential wireless security expert, you should realize that Access Points are routinely broadcasting this info; it just isn’t being read/deciphered. Kismet will detect and display SSIDs that are not being broadcast, which is critical in finding wireless networks.



    (Kismet Screenshot)

    Attaching to the Found Wireless Network:

    Once you’ve found a wireless network, the next step is to try to connect to it. If the network isn’t using any type of authentication or encryption security, you can simply connect to the SSID. If the SSID isn’t being broadcast, you can create a profile with the name of the SSID that is not being broadcast. Of course you found the non-broadcast SSID with Kismet, right? If the wireless network is using authentication and/or encryption, you may need one of the following tools.

    Airsnort – This is a very easy to use tool that can be used to sniff and crack WEP keys. While many people bash the use of WEP, it is certainly better than using nothing at all. Something you’ll find in using this tool is that it takes a lot of sniffed packets to crack the WEP key. There are additional tools and strategies that can be used to force the generation of traffic on the wireless network to shorten the amount of time needed to crack the key, but this feature is not included in Airsnort.

    (Screenshot of Airsnort in Action)

    CowPatty – This tool is used as a brute force tool for cracking WPA-PSK, considered the “New WEP” for home Wireless Security. This program simply tries a bunch of different options from a dictionary file to see if one ends up matching what is defined as the Pre-Shared Key.

    (Cowpatty Options Screenshot)

    ASLeap – If a network is using LEAP, this tool can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn’t protect the authentication like other “real” EAP types, which is the main reason why LEAP can be broken.

    (Asleap Options Screenshot)

    Sniffing Wireless Data:

    Whether you are directly connected to a wireless network or not, if there is a wireless network in range, there is data flying through the air at any given moment. You will need a tool to be able to see this data.

    Wireshark (formerly Ethereal) – While there has been much debate on the proper way to pronounce this utility, there is no question that it is an extremely valuable tool. Ethereal can scan wireless and Ethernet data and comes with some robust filtering capabilities. It can also be used to sniff out 802.11 management beacons and probes and subsequently could be used as a tool to sniff out non-broadcast SSIDs.

    (Screenshot of Ethereal in Action)

    (Yahoo IM Session being sniffed in Ethereal)

    The aforementioned utilities, or similar ones, will be necessities in your own wireless security toolkit. The easiest way to become familiar with these tools is to simply use them in a controlled lab environment. And cost is no excuse, as all of these tools are available freely on the Internet.

    Protecting Against These Tools:

    Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network against these tools.

    NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

    Kismet – There’s really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

    Airsnort – Use a 128-bit, not a 40-bit, WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require a firmware or software update).

    Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key, and/or would take longer to crack. In a corporate scenario, don’t use WPA with a Pre-Shared Key; use a good EAP type to protect the authentication and limit the number of incorrect guesses that can take place before the account is locked out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

    ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

    Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break for a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application-layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use an IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel, encrypted with DES, 3DES or AES.
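    The protections above assume you know which of your own networks still run open, WEP or WPA/TKIP. The Python below is an added example, not part of the original post: it reads the CSV that airodump-ng writes next to a capture (the column header is the layout airodump-ng uses; the rows, addresses and network names are constructed) and flags every access point that still needs one of the fixes listed above, noting along the way that a hidden SSID is not a protection, exactly as the Kismet entry says.

```python
"""Audit an airodump-ng style CSV for access points with weak protection (added example)."""
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point table, a blank line, then a station table. All values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2009-12-16 10:00:00, 2009-12-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,      0,   0.  0.  0.  0,   7, HomeNet, 
00:11:22:33:44:02, 2009-12-16 10:00:00, 2009-12-16 10:05:00, 11,  54, WEP, WEP, , -55,   90,  48213,   0.  0.  0.  0,   9, OldRouter, 
00:11:22:33:44:03, 2009-12-16 10:00:00, 2009-12-16 10:05:00,  1,  54, OPN, , , -60,   30,      0,   0.  0.  0.  0,   9, CoffeeLAN, 
00:11:22:33:44:04, 2009-12-16 10:00:00, 2009-12-16 10:05:00,  6,  54, WPA, TKIP, PSK, -70,   10,      0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2009-12-16 10:01:00, 2009-12-16 10:04:00, -50,  200, 00:11:22:33:44:02, OldRouter
"""

SEVERITY = {"critical": 3, "high": 2, "medium": 1, "info": 0}


def parse_access_points(csv_text):
    """Return the access-point rows as dicts keyed by the CSV header names."""
    ap_section = csv_text.split("\n\n", 1)[0]          # the station table follows a blank line
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    rows = []
    for row in reader:
        if not row.get("BSSID"):
            continue
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def assess(ap):
    """Classify one access point; returns (severity, reason)."""
    privacy = set(ap["Privacy"].replace("WPA2WPA", "WPA2 WPA").split())
    cipher = ap["Cipher"]
    if not privacy or "OPN" in privacy:
        return "high", "no encryption: anyone in range can read the traffic"
    if "WEP" in privacy:
        ivs = int(ap["# IV"] or 0)
        return "critical", (f"WEP in use ({ivs} IVs already observed); the key is recoverable, "
                            "migrate to WPA2 with CCMP")
    if "WPA2" not in privacy:
        return "medium", "WPA (TKIP) only; deprecated, enable WPA2 with CCMP"
    if "TKIP" in cipher:
        return "medium", "WPA2 but TKIP still allowed; restrict the cipher to CCMP"
    return "info", "WPA2/CCMP"


def audit(csv_text):
    """Return one finding per access point, worst first."""
    findings = []
    for ap in parse_access_points(csv_text):
        severity, reason = assess(ap)
        hidden = ap["ID-length"] == "0" or not ap["ESSID"]
        if hidden:
            reason += "; note: hidden SSID adds no protection, scanners still see it"
        findings.append({
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"] or "<hidden>",
            "channel": ap["channel"],
            "severity": severity,
            "reason": reason,
        })
    findings.sort(key=lambda f: SEVERITY[f["severity"]], reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"[{f['severity']:8}] {f['bssid']} ch{f['channel']:>2} {f['essid']:<12} {f['reason']}")
```

    Run against a real prefix-01.csv from your own site survey, the report gives the administrator the same list an attacker's Kismet screen would, which is the point: anything that shows up as WEP or OPN is the network to fix first.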

    Wifi hacking One More Method




    Now that we are connected, we may try a few methods of attack. Of course there are many, but allow me to test a few, and you may choose the one that best suits your situation. (Note: everything highlighted in yellow is code, i.e. what you type in the terminal.)

    Now that you are a part of the network by accessing the router, we may go back to the lovely command prompt, but this time within the Win32 environment. Open up the command prompt and type: ipconfig, so you can gain information about what the router gateway is and what IP you were automatically assigned (such as 192.168.1.XXX or 172.16.1.XXX. A simple rule of thumb is: if it is a 192 prefix, then the router address will most likely be 192.168.0.1, and for 172, it will be 172.16.0.1). So, write down the default gateway and paste it into your browser with http:// in front of it. Odds are, there will be a password. Consider yourself lucky if it does not require one. Your second best bet is going to http://www.phenoelit.de/dpl/dpl.html, which lists all of the default usernames and passwords for each model number of router out there that may be purchased by the public. If all works accordingly, you will now be able to poke around with all of the glorious settings, such as opening the ports, which is the MOST important thing to hold onto. We will discuss this later.

    Let us poke around and try this method of attack. Go back to the command prompt and type: net view. This will display all computers connected on the network that you have so rudely joined. Now, we whip out our handy dandy program called Nessus (or any OS fingerprinting tool that you may prefer, such as GDI, etc.). The point of this is to find out what OS is on each local intranet IP address. Now, as we all know, Windows XP Pro is the sweet OS. Why, you may ask? XP Pro comes with the remote registry enabled by default. I ask myself why every day, but why not profit from Microsoft's flaws. Also, no, you are correct, noobs do not disable this service. This may be the time for you to turn off yours by going into services.msc. So, let us proceed while ignoring that last side note. Open up your registry editor, regedit. Click File>Connect Network Registry.

    (Please note that in certain scenarios you may not be able to connect to the remote registry if the person has a blank password. To test this theory, I hopped on a wi-fi network that I was indeed allowed to connect to, and tried to connect to a passwordless computer. Lo and behold, it worked, but not all of the registry keys showed up; enough to get yourself into trouble, though.) Follow the directions, click connect, etc.

    Now I know that you are thinking to yourself: we are riding on a lot of hope/faith here that everything the victim does fits our needs. Well, yeah, duh. This is why this is the 'non-preferred' method of choice. But it's the 'snowball's chance in hell, never going to happen, you have to try it anyway' method. Let us proceed.

    Now, browse to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Under the Terminal Server key, you'll find a REG_DWORD value named fDenyTSConnection. Double-click on that value to open the Edit DWORD Value box and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled). To reboot the machine if you are impatient, go back to the command prompt shell and type: shutdown -m \\servername_or_ip_of_server_here -r

    Ah, now wait for the glorious boot up. If all goes accordingly, you will now be able to connect remotely to the noob's desktop, and do whatever the hell you want. Seriously, do I need to go into FURTHER detail!?

    More plausible method

    Let's say you are currently connected locally to the same access point, and are eager to try another form of attack. Now, since we wish to have remote access, let us apply what we call a 'trojan.' A trojan gives you remote access from another place. There are a couple of ways of doing this. One, you can download a program called Sub7. This is a VERY well known trojan. To get it, go to: http://www.hackpr.net/~sub7/. Follow the directions provided. Once you have created your server.exe (tweaked it, renamed it, etc.) we can proceed to our next step.

    Odds are, the noob has several victims on his network with open shares, probably consisting of .txt, .doc, .jpg, etc. files. Usually, they are accessed quite often, especially if the document is currently being edited. Your job (for once) is to google for what we may call an '.exe binder.' This is a beautiful tool indeed. It binds the server.exe that you have made, and enables you to spoof it as the picture file or text document that the person has in their shares. Once you spoof this, the victim will eventually execute the file, plus the hidden file that you have stealthily implemented. I would suggest attaching this to as many files as possible found on each computer. This is probably the most direct approach.

    Remember when you assigned a port to the Sub7 server.exe? Well, this brings us back to the default gateway IP address that we cracked (accessed) earlier. Browse to the open port page, and add the port you had assigned to server.exe. While you're at it, you can go to a remote place such as a library and spoof-send server.exe (preferably renamed for the following instances to game.exe, or patch.exe, setup.exe; you get the picture), or apply it to a .jpg as a picture of something random, to the e-mail address that you could have stealthily acquired while sniffing on the network that you had connected to, such as by getting a packet sniffer for Windows and waiting for anything that is sent out with an @. This could also be very useful to get passwords, usernames, and so on. Anyway, be creative in terms of getting the server file to some computer on that network.

    For the time being, go back home and leave your Sub7 client on, and it will notify you when it is executed. Thankfully, the programmers of Sub7 are quite brilliant, and have the server.exe copied to some ambiguous directory, without self-destructing itself, thus eliminating the idea that the file that 'does nothing' is a trojan. Eventually, the victim will connect, and you will have some fun from there.

    Wifi Hacking (WEP Crack)


    Let us set up a scenario here. You are eager to gain access to a non-specific (or specific, if you have an apparent grudge against a mean neighbor) local computer. Here are the tools needed to gain access before we go on our mission.

    * Laptop with preferably BackTrack 2 for Linux
    * Supported wireless card for injection to work properly (please see the list found here >> http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#which_is_the_best_card_to_buy.)
    * Enough battery life to serve you well
    * Kismet or netstumbler, (to each his own, preferably Kismet for Linux so you do not have to reboot back and forth so often; this comes complete in BackTrack 2)


    Part 1

    Setting up the perfect OS


    1. Download BackTrack 2 Final ISO image from: http://remote-exploit.org/backtrack_download.html

    2. Download DeepBurner and install: http://www.deepburner.com/?r=download

    3. Start up DB, and select burn ISO image file. Then, find your file, click burn.


    Part 2

    Beginning the project at hand


    1. Start up your laptop into BackTrack 2. To do so, place the CD into the computer, turn it on, and select boot from CD (it varies from laptop to laptop; it may have the option to hit a function key such as F10 to select the boot device to boot from).

    Wifi hacking part 1 - PRAKASH JANAWADE Ethical Hacker

    2. BT2 will ask you to put in your username and password; root/toor

    3. Now, type in startx

    4. Once the OS is loaded, click on the black box on the bottom left hand side, this is your shell.

    5. Type in kismet and hit enter.

    6. Kismet will eventually load, and pull up a fairly primitive color GUI within the shell that shows all access points within your designated area, constantly being updated.

    7. After selecting your target, find out from Kismet whether it is WEP, WPA, etc. Preferably, WEP 64- or 128-bit. It tells you in a sorted column on the right-hand side.


    8. Now, the fun begins. Open up a few tabs within the shell. Now type each line in a new tab. Everything within the parentheses explains what the command means, its syntax, etc.

    9. iwconfig wlan0 mode monitor (This places the wi-fi card in monitor mode; Syntax: iwconfig device_name_here mode command_monitor)


    10. airodump-ng --ivs --write file_name --channel 11 wlan0 (Starts the monitoring and collects weak IV packets. Syntax: --ivs writes an .ivs file containing only the IVs; --write any_given_filename_here sets the output file name; --channel specifies the channel you wish to listen to, so you can filter out any unnecessary data.)

    11. aireplay-ng -3 -b 00:16:B6:2E:C3:4E -h 00:14:A5:8A:02:CD wlan0 (Stimulates packets; injection. Syntax: -3 selects the attack type; -b is the BSSID of the router, as shown by Kismet; -h is the MAC of a computer attached to that BSSID; wlan0 is the device you are using and stays the same throughout.)

    12. aireplay-ng -0 wlan0 -a 00:16:B6:2E:C3:4E wlan0 (This is the deauthentication attack. Aireplay-ng -0 attack number wlan0 device type of yours -a BSSID goes here again wlan0 repeat your device here, yet again).

    13. Now, watch the magic happen. To put it in layman's terms, MANY numbers will appear to be rapidly increasing. Within the airodump-ng tab you had opened, the count for the SSID of the attacked victim will increase quite a bit. Look under the IVS column to view how many you have saved to the file. From now on, let's call this the victim SSID. Once the number hits 250,000 (if it is 64-bit encryption) or 1,000,000 for 128-bit, you will be able to execute your cracking method on the IVS file you have been continuously writing.

    14. Cracking time! cd to the directory where you have been saving the file. Then, execute the following: aircrack-ng -0 -n 128 -f 4 file_name.ivs (Syntax: aircrack-ng -0 attack type; -n number of bits of the encryption key, 64 or 128; -f fudge factor, 2-18; then *.cap or *.ivs, depending on which file type you decided to save while gathering packets.)

    15. After a minute or two (possibly less) you will have your hexadecimal password, so now you can connect to your noob's, erm, I mean 'victim's' router.

    16. Reboot your computer after jotting down the hex code, and log into your winbox on the same laptop.

    17. I would recommend now setting up your 'anonymous tools.' I would suggest doing the following: download a program that IronGeek and I wrote that spoofs your MAC address and your NetBIOS each time upon startup. It is entitled MadMacs, and may be found at irongeek.com. Execute it, and reboot back into Windows.

    18. Connect to the SSID, and input the hex code twice WITHOUT THE COLONS, as required.


    19. Hopefully, if you did not screw up, you will be connected.
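    The IV counts in step 13 exist because of how WEP is built: every frame carries a 24-bit initialization vector in the clear, so there are only 16,777,216 possible IVs and, on a busy network, repeats start within a few thousand frames. The Python below is an added example, not part of the original post, that works out how fast that happens (exact birthday probability, the usual closed-form bound, the time for a sequential IV counter to wrap, and a seeded simulation); the 500 frames per second used for the wrap-around figure is an assumed rate, not a number from the post.

```python
"""How quickly WEP's 24-bit IV space is exhausted (added example)."""
import math
import random

IV_BITS = 24                # WEP prepends a 24-bit IV, sent in the clear, to every frame
IV_SPACE = 1 << IV_BITS     # 16,777,216 possible IVs


def collision_probability(frames, space=IV_SPACE):
    """Exact probability that at least two of `frames` uniformly random IVs coincide."""
    if frames > space:
        return 1.0
    log_no_collision = 0.0
    for i in range(frames):                       # product of (1 - i/space), in log form
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_for_probability(p, space=IV_SPACE):
    """Frame count at which a repeated IV has probability p (birthday bound, rounded up)."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def seconds_to_wrap(space=IV_SPACE, frames_per_second=500):
    """Seconds until a sequential IV counter wraps and starts reusing IVs (assumed frame rate)."""
    return space / frames_per_second


def simulate_first_repeat(seed=1, space=IV_SPACE):
    """Draw random IVs until one repeats; returns the frame index of the first repeat."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.randrange(space)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    for n in (1000, 5000, 20000):
        print(f"{n:>6} frames -> P(repeat) = {collision_probability(n):.3f}")
    print(f"50% chance of a repeat after {frames_for_probability(0.5)} frames")
    print(f"sequential counter wraps after {seconds_to_wrap() / 3600:.1f} h at 500 frames/s")
    print(f"simulated first repeat (seed 1): frame {simulate_first_repeat()}")
```

    Read together with step 13: every repeated IV means two frames were encrypted with the same RC4 keystream, and the attacks aircrack-ng implements only need enough IVs to exploit that; no key length or passphrase quality changes the 24-bit IV, which is why the defensive advice above is to leave WEP altogether rather than to use longer keys.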
