Alright guys, I got bored and wrote a basic tutorial on how to gain access to wireless networks with WEP protection. Enjoy.
Cracking WEP (Wired Equivalent Privacy) Keys
Introduction –
This is a tutorial on how to crack into wireless networks protected by WEP. The cracking process is relatively simple, and in some cases can be done in 10 minutes or less. I will be using BackTrack 4, which has all the required command-line tools to complete a successful WEP crack.
Before we begin you are going to need a wireless adapter that is capable of running in “monitor” mode, a copy of BackTrack 4, a DVD burner, a blank DVD, a program that can write ISO files to a DVD (I use MagicISO) and the willingness to learn.
(Alternatively, you can install BackTrack to a USB drive and boot from that.)
You can get a copy of BackTrack 4 from here -
http://www.backtrack-linux.org/downloads/
I went out and purchased an ALFA AWUS036H 1000mW Wireless G USB Adapter with a 9 dBi antenna. This adapter has a huge range and is great for war driving.
- - - - - - - - - - - - - - - - - - - - -
Starting up BackTrack –
Now that you have a copy of BackTrack 4 burned to a DVD, go ahead and restart your machine and boot from the DVD drive. (You may need to edit the boot options in your BIOS.)
Once the BackTrack DVD boots up, it will give you a selection of different boot options to choose from. Select the first option and hit enter.
If it has successfully loaded, you’ll be sitting at a command line; simply type “startx” to load the GUI.
Now the fun begins…
(GUI – Graphical User Interface)
Preparing your wireless adapter –
To begin, we need to set our wireless adapter to monitor mode and spoof the MAC Address. Start by launching Konsole, the command-line interface for BackTrack.
After Konsole opens, enter the following command:
airmon-ng
This will display your available wireless interfaces. As you can see, I have 2 different adapters: my built-in wireless card (Intel 4965) and the one I purchased (RTL8187).
I will be using the RTL8187 on the wlan0 interface. Yours may be different, so throughout the rest of this tutorial replace (Wireless interface) with the one you are using.
Now we have to turn off the interface we are going to use so that we are able to spoof the MAC.
Enter the following commands:
airmon-ng stop (Wireless interface)
ifconfig (Wireless interface) down
macchanger --mac 00:11:22:33:44:55 (Wireless interface)
airmon-ng start (Wireless interface)
Spoofing the MAC Address is not required, but it makes it easier later on when you need to enter your MAC, and it helps to hide your identity.
As you can see, under the wlan0 interface it says “Monitor mode enabled on mon0”
This means that monitor mode is enabled, but on the mon0 interface.
For that reason, we will now use the mon0 interface in the rest of the commands.
If you type airmon-ng again, you can see that the mon0 interface is now available.
Finding a WEP protected network –
Now we need to find a network that is protected by WEP. To begin discovering surrounding networks enter this command:
airodump-ng (Wireless interface)
(I entered airodump-ng mon0)
Once the list starts populating, it will look similar to the picture below.
When you find the network that you want to crack from the top half, press Ctrl+C to stop the command. Make sure you write down the BSSID, the Channel that the network is on (Under the CH column), and the ESSID.
I am going to choose the “NETGEAR” network.
(BSSID – Access point’s MAC Address
ESSID - Name of the wireless network)
Monitoring the desired network –
Now we are going to monitor the wireless network that you chose, capture all of the packets of information being sent within that network, and save it all to a file. To do this, run the following command:
airodump-ng -c (channel) -w (file to save info to) --bssid (bssid) (Wireless interface)
Where:
-c is the channel of the wireless network you’re attempting to crack
-w is the name of the file you want to store all of the information gathered in
--bssid is the BSSID of the network.
So the command that I used to monitor the NETGEAR network on channel 6 and save it to the file "netgear" was:
airodump-ng -c 6 -w netgear --bssid 00:18:4D:96:93:36 mon0
After the command is entered, you should see output similar to the picture below:
Leave that window be, and open up another Konsole window. Now enter the following command:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (Wireless interface)
Where:
-1 is a fake authentication
0 is reassociation timing in seconds
-a is the MAC Address of the Access Point
-h is our MAC address
-e is the name of the wireless network
In my example, I entered:
aireplay-ng -1 0 -a 00:18:4D:96:93:36 -h 00:11:22:33:44:55 -e NETGEAR mon0
Once the command is entered, it will attempt to send a fake authentication, and associate with the access point. If this is done successfully, you will see “Association Successful :-)”
(Sometimes you have to enter this command several times for it to work.)
Generating more network traffic –
We are now going to create a lot of extra traffic within the network to speed up our crack. Remember, you’re capturing and saving all of the information sent within the network, so the more you generate, the more information you can gather.
Run the following command:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (Wireless interface)
So for my scenario, I entered:
aireplay-ng -3 -b 00:18:4D:96:93:36 -h 00:11:22:33:44:55 mon0
After a minute or so, your Konsole screen should resemble the image below.
This is the part that takes the longest. While aireplay is spamming the network with packets, watch the #data column in the airodump Konsole screen. As you can see, the value of #data is increasing. The more data you have, the more likely you are to crack the WEP key. Once the value reaches 10,000, go ahead and move on to the next section.
Do not stop airodump or aireplay until you have successfully cracked the key.
In the image below, you can see that the #data value is sitting at 7863. Several more minutes and we’ll be able to attempt and crack the key.
Cracking the WEP Key –
After you’ve reached a minimum value of 10k in the #data column, open up a third Konsole window and type the following command:
aircrack-ng –b (bssid) (filename-01.cap)
The filename is the name of the file you chose to save the information in when you began monitoring the chosen network. So the command I used was:
aircrack-ng –b 00:18:4D:96:93:36 netgear-01.cap
If you cannot remember the name of the file, browse your desktop and look for the filename that ends with the extension .cap .
Aircrack will then attempt to crack the WEP key. If there is not enough data, then it will tell you to try again when more has been gathered. 10,000 is usually a decent number to start with, but is not always enough – more may be required.
If the key is successfully cracked, your screen should look like the image below:
In my example, the key was: A1:2D:F1:5B:0E
Drop the colons and you have your WEP Key. (A12DF15B0E)
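The flip side of the procedure above is how a network owner spots it. The following Python script is an added illustration, not part of the original post: it runs two defender-side checks over constructed sample data laid out like airodump-ng's survey table and a per-frame summary log (both are assumptions): an inventory of access points still advertising WEP, and a check for a single station re-sending ARP requests at a rate no normal client produces, which is the traffic pattern the replay step generates.

```python
from collections import defaultdict

# Constructed sample in airodump-ng's column layout (assumption: only the
# columns used here are reproduced; ESSIDs are assumed not to contain spaces).
SURVEY = """\
BSSID              PWR  Beacons  #Data  CH  MB  ENC  CIPHER AUTH ESSID
00:18:4D:96:93:36  -40      312   7863   6  54  WEP  WEP         NETGEAR
00:AA:BB:CC:DD:01  -55      120     40  11  54  WPA2 CCMP   PSK  HomeNet
00:AA:BB:CC:DD:02  -70       80      0   1  54  OPN              Cafe
"""

def wep_access_points(survey_text):
    """Return (BSSID, ESSID) for every access point whose ENC column is WEP.
    Any hit is a network whose key can be recovered from captured traffic."""
    found = []
    for line in survey_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 7 and cols[6] == "WEP":
            found.append((cols[0], cols[-1]))
    return found

# Constructed frame log: (timestamp_seconds, source MAC, BSSID, frame kind).
# One station associates, then emits 500 ARP requests in about one second.
FRAMES = [
    (0.01, "00:11:22:33:44:55", "00:18:4D:96:93:36", "auth"),
    (0.02, "00:11:22:33:44:55", "00:18:4D:96:93:36", "assoc"),
] + [(0.1 + i * 0.002, "00:11:22:33:44:55", "00:18:4D:96:93:36", "arp-req")
     for i in range(500)]

def replay_suspects(frames, window=1.0, threshold=100):
    """Return station MACs that sent more than `threshold` ARP requests inside
    any `window`-second span. A legitimate client resolves an address once and
    caches it; hundreds of identical requests per second indicate injection."""
    per_station = defaultdict(list)
    for ts, src, _bssid, kind in frames:
        if kind == "arp-req":
            per_station[src].append(ts)
    suspects = []
    for src, times in per_station.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                suspects.append(src)
                break
    return suspects
```

Feeding real airodump-ng CSV output or a parsed capture into these two functions turns the tutorial's preconditions (a WEP network, a flood of replayed ARP frames) into an inventory finding and an alert.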
- - - - - - - - - - - - - - - - - - - - -
Conclusion –
As you can see, cracking WEP Keys is not a very difficult task. Sometimes it may take a while to gather all of the required data, but in the end it’s an easy objective.