You are on page 1of 8

How to Crack Wi-Fi Passwords

Warning: This tutorial is for education purpose only.(You are responsible for your

An internet connection has become a basic necessity in our modern lives. Wireless hotspots (commonly known as Wi-Fi) can be found everywhere! If you have a PC with a wireless network card, then you must have seen many networks around you. Sadly most of these networks are secured with a network security key. Have you ever wanted to use one of these networks? You must have desperately wanted to check your mail when you shifted to your new house. The hardest time in your life is when your internet connection is down. Cracking those Wi-Fi passwords is your answer to temporary internet access. This is a comprehensive guide which will teach even complete beginners how to crack WEP encrypted networks, easily.

How Are Wireless Networks Secured?

In a secured wireless connection, internet data is sent in the form of encrypted packets. These packets are encrypted with network security keys. If you somehow manage to get hold of the key for a particular wireless network you virtually have access to the wireless internet connection Broadly speaking there are two main types of encryptions used:

WEP (Wired Equivalent Privacy):

This is the most basic form of encryption. This has become an unsafe option as it is vulnerable and can be cracked with relative ease. Although this is the case many people still use this encryption.

WPA (Wi-Fi Protected Access):

This is the more secure alternative. Efficient cracking of the passphrase of such a network requires the use of a wordlist with the common passwords. In other words you use the old fashioned method of trial and error to gain access. Variations include WPA-2 which is the most secure encryption alternative till date. Although this can also be cracked using a wordlist if the password is common, this is virtually uncrackable with a

strong password. That is, unless the WPA PIN is still enabled (as is the default on many routers). Hacking WEP passwords is relatively fast.

Architecture of the attack:

This attack is known an Man In The Middle Attack(MITM).Through this attack we sniff the packets and after capturing them we can what the victim has sent to the router.

User requests to acknowledgement)

request goes to router(it requires user gets access to

Router goes to user and fetches with key

Here is what you would require to crack a WEP key: 1. Backtrack 5R1 2. A Wifi adapter capable of injecting packets , For this tutorial I will use Alfa AWUS036H which is a very popular card and it performs well with Backtrack

Step1:First Login to your Backtrack and plug in your Wifi adpter , Open a new konsole
and type in the following commands ifconfig wlan0 up where wlan0 is the name of the wireless card ,it can be different .To see all wireless cards connected to your system simply type in " iwconfig ".

Step2:Putting your WiFi Adapter on Monitor Mode

To begin, youll need to first put your wireless adapter into monitor mode , Monitor mode is the mode whereby your card can listen to every packet in the air , You can put your card into monitor mode by typing in the following commands airmon-ng start (your interface) Example :- airmon-ng start wlan0

Now a new interface mon0 will be created , You can see the new interface is in monitor mode by entering "iwconfig mon0" as shown

Step3:Finding a suitable Target

After putting your card into monitor mode ,we need to find a network that is protected by WEP. You can discover the surrounding networks by entering the following command airodump-ng mon0

Bssid shows the mac address of the AP, CH shows the channel in which AP is broadcasted and Essid shows the name broadcasted by the AP, Cipher shows the encryption type.

Now look out for a wep protected network In my case ill take linksys as my target for rest of the tutorial.

Attacking The Target

Now to crack the WEP key you'll have to capture the targets data into a file, To do this we use airodump tool again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels .You can restrict the capture by giving in the following commands airodump-ng mon0 --bssid -c (channel ) -w (file name to save )

As my target is broadcasted in channel 6 and has a bssid "98:fc:11:c9:14:22" ,I give in the following commands and save the captured data as "RHAWEP" airodump-ng mon0 --bssid 98:fc:11:c9:14:22 -c 6 -w RHAWEP

Using Aireplay to Speed up the cracking

Now youll have to capture at least 20,000 data packets to crack WEP .This can be done in two ways, The first one would be a (passive attack ) wait for a client to connect to the AP and then start capturing the data packets but this method is very slow, it can take days or even weeks to capture that many data packets The second method would be an (active attack )this method is fast and only takes minutes to generate and inject that many packets . In an active attack you'll have do a Fake authentication (connect) with the AP ,then you'll have to generate and inject packets. This can be done very easily by entering the following commands aireplay-ng - 1 3 -a (bssid of the target ) (interface)

In my case i enter the following commands aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0

After doing a fake authentication ,now its time to generate and inject Arp packets . To this you'll have to open a new Konsole simultaneously and type in the following commands aireplay-ng 3 -b (bssid of target) -h ( Mac address of mon0) (interface)

In my case I enter aireplay-ng 3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0 If this step was successful you'll see Lot of data packets in the airodump capture as shown

Wait till it reaches 20000 packets , best would be to wait till it reaches around 80,000 to 90,000 packets .Its simple more the packets less the time to crack .Once youve captured enough number of packets, close all the process's by clicking the into mark which is there on the terminal

Cracking WEP key using Aircrack

Now its time crack the WEP key from the captured data, Enter the following commands in a new konsole to crack the WEP key aircrack-ng (name of the file ) In my case i enter aircrack-ng RHAWEP-0.1-cap With in a few minutes Aircrak will crack the WEP key as shown

Once the crack is successful you will be left with the KEY! Remove the colons from the output and youll have your WEP Key.

About the author:

Keshow Sablaka. To know more connect with me at facebook Or follow me at