simple_wep_crack
Differences
This shows you the differences between two versions of the page.
simple_wep_crack [2008/01/09 15:28] – Added requirement for clients darkaudax | simple_wep_crack [2009/09/26 14:36] – Fixed typos darkaudax | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: Simple WEP Crack ====== | ====== Tutorial: Simple WEP Crack ====== | ||
- | Version: 1.07 January 4, 2008\\ | + | Version: 1.10 September 26, 2009\\ |
By: darkAudax | By: darkAudax | ||
Line 14: | Line 14: | ||
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
- | |||
===== Assumptions ===== | ===== Assumptions ===== | ||
Line 22: | Line 21: | ||
* You are physically close enough to send and receive access point packets. | * You are physically close enough to send and receive access point packets. | ||
* There is at least one wired or wireless client connected to the network and they are active. | * There is at least one wired or wireless client connected to the network and they are active. | ||
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman | + | * You are using v0.9 of aircrack-ng. If you use a different version then some of the common |
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
- | |||
- | In the examples, the option " | ||
===== Equipment used ===== | ===== Equipment used ===== | ||
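Review bot: The typo fix on the version assumption turns "comman" into "common", but the sentence is about running a different aircrack-ng version, where it is the command options that would differ. If the line continues with "options", suggest "some of the command options" rather than "some of the common".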
Line 41: | Line 38: | ||
===== Solution ===== | ===== Solution ===== | ||
- | |||
==== Solution Overview ==== | ==== Solution Overview ==== | ||
Line 51: | Line 47: | ||
- Start the wireless interface in monitor mode on the specific AP channel | - Start the wireless interface in monitor mode on the specific AP channel | ||
+ | - Test the injection capability of the wireless device to the AP | ||
- Use aireplay-ng to do a fake authentication with the access point | - Use aireplay-ng to do a fake authentication with the access point | ||
- Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | ||
Line 58: | Line 55: | ||
==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== | ==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== | ||
- | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only " | + | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only " |
First stop ath0 by entering: | First stop ath0 by entering: | ||
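Review bot: The rewritten Step 1 paragraph still reads "Monitor mode is mode whereby your card can listen to every packet in the air" on the + side, so the missing article survives a revision labelled "Fixed typos". Suggest "Monitor mode is the mode whereby ...".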
Line 85: | Line 82: | ||
| | ||
- | Note: In this command we use " | + | Substitute the channel number that your AP runs on for " |
+ | |||
+ | Note: In this command we use " | ||
The system will respond: | The system will respond: | ||
Line 121: | Line 120: | ||
http:// | http:// | ||
- | ==== Step 2 - Start airodump-ng to capture the IVs ==== | + | |
+ | ==== Step 2 - Test Wireless Device Packet Injection ==== | ||
+ | |||
+ | The purpose of this step ensures that your card is within distance of your AP and can inject packets to it. | ||
+ | |||
+ | Enter: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | *-9 means injection test | ||
+ | *-e teddy is the wireless network name | ||
+ | *-a 00: | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
+ | The system should respond with: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The last line is important. | ||
+ | |||
+ | See the [[injection_test|injection test]] for more details. | ||
+ | |||
+ | |||
+ | ==== Step 3 - Start airodump-ng to capture the IVs ==== | ||
The purpose of this step is to capture the IVs generated. | The purpose of this step is to capture the IVs generated. | ||
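Review bot: The opening sentence of the new Step 2 is ungrammatical: "The purpose of this step ensures that your card is within distance of your AP". Suggest "The purpose of this step is to ensure that ...", which matches the "The purpose of this step is to ..." pattern used by the other steps. The new heading is also title-cased ("Test Wireless Device Packet Injection") while the neighbouring step headings use sentence case.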
Line 131: | Line 162: | ||
Where: | Where: | ||
*-c 9 is the channel for the wireless network | *-c 9 is the channel for the wireless network | ||
- | *- -bssid 00: | + | *-'''' |
*-w capture is file name prefix for the file which will contain the IVs. | *-w capture is file name prefix for the file which will contain the IVs. | ||
*ath0 is the interface name. | *ath0 is the interface name. | ||
Line 148: | Line 179: | ||
- | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | + | ==== Step 4 - Use aireplay-ng to do a fake authentication with the access point ==== |
- | In order for an access point to accept a packet, the source MAC address must already be associated. | + | In order for an access point to accept a packet, the source MAC address must already be associated. |
The lack of association with the access point is the single biggest reason why injection fails. | The lack of association with the access point is the single biggest reason why injection fails. | ||
Line 163: | Line 194: | ||
*-e teddy is the wireless network name | *-e teddy is the wireless network name | ||
*-a 00: | *-a 00: | ||
- | *-h 00: | + | *-h 00: |
*ath0 is the wireless interface name | *ath0 is the wireless interface name | ||
Line 177: | Line 208: | ||
Where: | Where: | ||
- | * 6000 - Reauthenticate | + | * 6000 - Reauthenticate |
* -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | ||
* -q 10 - Send keep alive packets every 10 seconds. | * -q 10 - Send keep alive packets every 10 seconds. | ||
Line 209: | Line 240: | ||
*Some access points are configured to only allow selected MAC addresses to associate and connect. | *Some access points are configured to only allow selected MAC addresses to associate and connect. | ||
- | Run: tcpdump -n -vvv -s0 -e -i < | + | Run: tcpdump -n -vvv -s0 -e -i < |
You would then look for error messages. | You would then look for error messages. | ||
Line 225: | Line 256: | ||
If you want to select only the DeAuth packets with tcpdump then you can use: " | If you want to select only the DeAuth packets with tcpdump then you can use: " | ||
- | ==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | + | ==== Step 5 - Start aireplay-ng in ARP request replay mode ==== |
The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | ||
Line 241: | Line 272: | ||
Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | ||
- | You can confirm that you are injecting by checking your airodump-ng screen. | + | You can confirm that you are injecting by checking your airodump-ng screen. |
Line 248: | Line 279: | ||
* If you receive a message similar to "Got a deauth/ | * If you receive a message similar to "Got a deauth/ | ||
- | + | ==== Step 6 - Run aircrack-ng to obtain the WEP key ==== | |
- | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | + | |
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | ||
Line 255: | Line 285: | ||
Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. | Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. | ||
- | Two methods will be shown. | + | Two methods will be shown. |
Start another console session and enter: | Start another console session and enter: | ||
Line 266: | Line 296: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | To also use the FMS/Korek method, start another console session and enter: | + | To also use the FMS/KoreK method, start another console session and enter: |
| | ||
Line 274: | Line 304: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | You can run this while generating packets. In a short time, the WEP key will be calculated and presented. | + | If you are using 1.0-rc1, add the option "-K" for the FMS/KoreK attack. (1.0-rc1 defaults |
- | + | ||
- | Here is what success looks like: | + | |
- | + | ||
- | Aircrack-ng 0.9 | + | |
- | + | ||
- | [00:01:18] Tested 0/140000 keys (got 30680 IVs) | + | |
- | + | ||
- | | + | |
- | 0 0/ | + | |
- | 1 | + | |
- | 2 0/ 1 56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140) | + | |
- | 3 0/ 1 78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142) | + | |
- | 4 0/ 1 90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141) | + | |
- | + | ||
- | KEY FOUND! [ 12: | + | |
- | Decrypted correctly: 100% | + | |
- | + | ||
- | To also use the FMS/Korek method, start another console session and enter: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Where: | + | |
- | * -b 00: | + | |
- | * output*.cap selects all files starting with " | + | |
- | You can run this while generating packets. | + | You can run this while generating packets. |
Here is what success looks like: | Here is what success looks like: | ||
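Review bot: The added sentence "If you are using 1.0-rc1, add the option "-K"" names a single release candidate, while the Assumptions section in this same revision still says "You are using v0.9 of aircrack-ng". A reader on any other version cannot tell which default applies to them; suggest stating the version range the note covers and updating the assumption so the two agree.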
Line 318: | Line 324: | ||
Probability: | Probability: | ||
- | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. | + | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.) |
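Review bot: The + line keeps "far less then the estimated 250,000 IVs" from the old text; "then" should be "than", and because IVs are counted, "far fewer than" reads better. Worth fixing here since the line is already being touched to add the FMS/KoreK remark.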
simple_wep_crack.txt · Last modified: 2018/03/11 20:13 by mister_x