simple_wep_crack
simple_wep_crack [2008/04/22 16:22] – Better double-dash workaround, add note about madwifi-specific instructions and avoid questions like "Don't deauth packets have new IVs?". netrolller3d | simple_wep_crack [2009/09/26 14:36] – Fixed typos darkaudax | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: Simple WEP Crack ====== | ====== Tutorial: Simple WEP Crack ====== | ||
- | Version: 1.07 January 4, 2008\\ | + | Version: 1.10 September 26, 2009\\ |
By: darkAudax | By: darkAudax | ||
Line 14: | Line 14: | ||
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
- | |||
===== Assumptions ===== | ===== Assumptions ===== | ||
Line 22: | Line 21: | ||
* You are physically close enough to send and receive access point packets. | * You are physically close enough to send and receive access point packets. | ||
* There is at least one wired or wireless client connected to the network and they are active. | * There is at least one wired or wireless client connected to the network and they are active. | ||
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman | + | * You are using v0.9 of aircrack-ng. If you use a different version then some of the common |
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
Line 39: | Line 38: | ||
===== Solution ===== | ===== Solution ===== | ||
- | |||
==== Solution Overview ==== | ==== Solution Overview ==== | ||
Line 49: | Line 47: | ||
- Start the wireless interface in monitor mode on the specific AP channel | - Start the wireless interface in monitor mode on the specific AP channel | ||
+ | - Test the injection capability of the wireless device to the AP | ||
- Use aireplay-ng to do a fake authentication with the access point | - Use aireplay-ng to do a fake authentication with the access point | ||
- Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | ||
Line 83: | Line 82: | ||
| | ||
- | Note: In this command we use " | + | Substitute the channel number that your AP runs on for " |
+ | |||
+ | Note: In this command we use " | ||
The system will respond: | The system will respond: | ||
Line 119: | Line 120: | ||
http:// | http:// | ||
- | ==== Step 2 - Start airodump-ng to capture the IVs ==== | + | |
+ | ==== Step 2 - Test Wireless Device Packet Injection ==== | ||
+ | |||
+ | The purpose of this step ensures that your card is within distance of your AP and can inject packets to it. | ||
+ | |||
+ | Enter: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | *-9 means injection test | ||
+ | *-e teddy is the wireless network name | ||
+ | *-a 00: | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
+ | The system should respond with: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The last line is important. | ||
+ | |||
+ | See the [[injection_test|injection test]] for more details. | ||
+ | |||
+ | |||
+ | ==== Step 3 - Start airodump-ng to capture the IVs ==== | ||
The purpose of this step is to capture the IVs generated. | The purpose of this step is to capture the IVs generated. | ||
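Review bot: "The purpose of this step ensures that your card is within distance of your AP and can inject packets to it." in the new Step 2 is ungrammatical; suggest "The purpose of this step is to ensure that your card is within range of your AP and can inject packets to it." The "Where:" list in the same step also drops the space after the bullet ("*-9 means injection test") while the Step 4 option list uses "* 6000", "* -o 1"; pick one bullet style for the page.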
Line 146: | Line 179: | ||
- | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | + | ==== Step 4 - Use aireplay-ng to do a fake authentication with the access point ==== |
In order for an access point to accept a packet, the source MAC address must already be associated. | In order for an access point to accept a packet, the source MAC address must already be associated. | ||
Line 161: | Line 194: | ||
*-e teddy is the wireless network name | *-e teddy is the wireless network name | ||
*-a 00: | *-a 00: | ||
- | *-h 00: | + | *-h 00: |
*ath0 is the wireless interface name | *ath0 is the wireless interface name | ||
Line 175: | Line 208: | ||
Where: | Where: | ||
- | * 6000 - Reauthenticate | + | * 6000 - Reauthenticate |
* -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | ||
* -q 10 - Send keep alive packets every 10 seconds. | * -q 10 - Send keep alive packets every 10 seconds. | ||
Line 207: | Line 240: | ||
*Some access points are configured to only allow selected MAC addresses to associate and connect. | *Some access points are configured to only allow selected MAC addresses to associate and connect. | ||
- | Run: tcpdump -n -vvv -s0 -e -i < | + | Run: tcpdump -n -vvv -s0 -e -i < |
You would then look for error messages. | You would then look for error messages. | ||
Line 223: | Line 256: | ||
If you want to select only the DeAuth packets with tcpdump then you can use: " | If you want to select only the DeAuth packets with tcpdump then you can use: " | ||
- | ==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | + | ==== Step 5 - Start aireplay-ng in ARP request replay mode ==== |
The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | ||
Line 239: | Line 272: | ||
Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | ||
- | You can confirm that you are injecting by checking your airodump-ng screen. | + | You can confirm that you are injecting by checking your airodump-ng screen. |
Line 246: | Line 279: | ||
* If you receive a message similar to "Got a deauth/ | * If you receive a message similar to "Got a deauth/ | ||
- | + | ==== Step 6 - Run aircrack-ng to obtain the WEP key ==== | |
- | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | + | |
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | ||
Line 264: | Line 296: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | To also use the FMS/Korek method, start another console session and enter: | + | To also use the FMS/KoreK method, start another console session and enter: |
| | ||
Line 272: | Line 304: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | You can run this while generating packets. In a short time, the WEP key will be calculated and presented. | + | If you are using 1.0-rc1, add the option "-K" for the FMS/KoreK attack. (1.0-rc1 defaults |
- | + | ||
- | Here is what success looks like: | + | |
- | + | ||
- | Aircrack-ng 0.9 | + | |
- | + | ||
- | [00:01:18] Tested 0/140000 keys (got 30680 IVs) | + | |
- | + | ||
- | | + | |
- | 0 0/ | + | |
- | 1 | + | |
- | 2 0/ 1 56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140) | + | |
- | 3 0/ 1 78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142) | + | |
- | 4 0/ 1 90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141) | + | |
- | + | ||
- | KEY FOUND! [ 12: | + | |
- | Decrypted correctly: 100% | + | |
- | + | ||
- | To also use the FMS/Korek method, start another console session and enter: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Where: | + | |
- | * -b 00: | + | |
- | * output*.cap selects all files starting with " | + | |
- | You can run this while generating packets. | + | You can run this while generating packets. |
Here is what success looks like: | Here is what success looks like: | ||
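Review bot: the new sentence in Step 6, "If you are using 1.0-rc1, add the option "-K" for the FMS/KoreK attack.", conflicts with the Assumptions list, which still states "You are using v0.9 of aircrack-ng." Either raise the assumed version there or note in the assumptions that Step 6 covers both 0.9 and 1.0-rc1 behaviour, so readers know which default applies before they reach this step.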
Line 316: | Line 324: | ||
Probability: | Probability: | ||
- | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. | + | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.) |
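Review bot: "it took far less then the estimated 250,000 IVs" should read "far less than"; this typo survives on both sides of a revision described as "Fixed typos". The appended parenthetical "(For this example, the FMS/KoreK attack was used.)" is a useful addition, since the IV count quoted only makes sense once the reader knows which attack produced it.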
simple_wep_crack.txt · Last modified: 2018/03/11 20:13 by mister_x