User Tools

Site Tools


how_to_crack_wep_via_a_wireless_client

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
how_to_crack_wep_via_a_wireless_client [2008/04/22 16:08]
netrolller3d 1.0 too.
how_to_crack_wep_via_a_wireless_client [2009/09/11 21:12]
darkaudax fixed typo
Line 1: Line 1:
 ====== Tutorial: ​ How to crack WEP via a wireless client ? ====== ====== Tutorial: ​ How to crack WEP via a wireless client ? ======
-Version: 1.16 August 252007 \\+Version: 1.17 September 112009 \\
 By: darkAudax \\ By: darkAudax \\
 \\ \\
Line 7: Line 7:
  
 ===== Introduction ===== ===== Introduction =====
-There has been a lot of discussion over time of how to use a wireless client workstation to generate packets to crack   WEP instead of the wireless access point itself. This tutorial describes four approaches with examples of how to do this. The examples provided are from from real working equipment, not theory. ​ Each was used in real life and successfully cracked the WEP keys.+There has been a lot of discussion over time of how to use a wireless client workstation to generate packets to crack   WEP instead of the wireless access point itself. This tutorial describes four approaches with examples of how to do this. The examples provided are from real working equipment, not theory. ​ Each was used in real life and successfully cracked the WEP keys.
  
 The basic idea is to have the wireless client workstation generate data packets with IVs which we can use to crack the WEP key. Normally we have the access point itself generate the data packets with IVs.  So why would you need to leverage a wireless client workstation instead of the access point? Here are just a few of the reasons: The basic idea is to have the wireless client workstation generate data packets with IVs which we can use to crack the WEP key. Normally we have the access point itself generate the data packets with IVs.  So why would you need to leverage a wireless client workstation instead of the access point? Here are just a few of the reasons:
Line 33: Line 33:
   * You have Wireshark installed and working. ​ Plus you have a basic understanding of how to use it.   * You have Wireshark installed and working. ​ Plus you have a basic understanding of how to use it.
   * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0.  This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses.   * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0.  This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses.
- 
-In the examples, the option "​double dash bssid" is shown as "​-''''​-bssid"​. ​ Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs", "- -arpreplay",​ "- -deauth",​ "- -channel",​ "- -arp" and "- -fakeauth"​. 
  
 ====Equipment used==== ====Equipment used====
Line 50: Line 48:
 Operating System: Linux \\ Operating System: Linux \\
 MAC address: does not matter MAC address: does not matter
 +Wireless interface used: ath0
  
 ===Ethernet wired Workstation=== ===Ethernet wired Workstation===
Line 62: Line 61:
 Operating System: Linux \\ Operating System: Linux \\
 MAC address: 00:​09:​5B:​EC:​EE:​F2 MAC address: 00:​09:​5B:​EC:​EE:​F2
 +
  
  
Line 140: Line 140:
   airodump-ng --channel 9 --bssid 00:​14:​6C:​7E:​40:​80 -w aprcapture ath0   airodump-ng --channel 9 --bssid 00:​14:​6C:​7E:​40:​80 -w aprcapture ath0
  
-Be sure NOT to use the "- -ivs" option since you will later use the PTW method to crack the WEP key. This is "​aircrack-ng -z". The PTW requires the full packet and only works on arp request/​reply packets.+Be sure NOT to use the "-''''​-ivs" option since you will later use the PTW method to crack the WEP key. This is "​aircrack-ng -z". The PTW requires the full packet and only works on arp request/​reply packets.
    
 Now use interactive replay in a second separate session: Now use interactive replay in a second separate session:
Line 355: Line 355:
   * Atheros chipsets: ​ The MAC address of the card MUST be the same as source MAC address of the packets you are generating. ​ Use your favourite method to change the MAC of your card.   * Atheros chipsets: ​ The MAC address of the card MUST be the same as source MAC address of the packets you are generating. ​ Use your favourite method to change the MAC of your card.
   * It sometimes does not work smoothly with ralink.   * It sometimes does not work smoothly with ralink.
-  * Keep an eye on the forms for more compatibility information.+  ​* It supports Broadcom chipsets only with the b43/​b43legacy drivers, not bcm43xx. 
 +  * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack. 
 +  ​* Keep an eye on the forums ​for more compatibility information.
  
 Here is the command to run: Here is the command to run:
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x