simple_wep_crack
simple_wep_crack [2008/04/23 21:56] – 1000/second is impossible without the -x switch. netrolller3d | simple_wep_crack [2010/01/11 22:46] – Added details on generating ARPs darkaudax | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: Simple WEP Crack ====== | ====== Tutorial: Simple WEP Crack ====== | ||
- | Version: 1.07 January | + | Version: 1.20 January |
By: darkAudax | By: darkAudax | ||
Line 6: | Line 6: | ||
This tutorial walks you though a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. | This tutorial walks you though a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. | ||
+ | |||
+ | The basic concept behind this tutorial is using aireokat-bg replay an ARP packet to generate new unique IVs. In turn, aircrack-ng uses the new unique IVs to crack the WEP key. It is important to understand what an ARP packet is. This [[arp-request_reinjection# | ||
For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. | For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. | ||
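Review bot: in the added paragraph, "using aireokat-bg replay an ARP packet" should read "using aireplay-ng to replay an ARP packet"; the tool name is misspelled and "to" is missing. In the unchanged first sentence, "walks you though" should be "walks you through". The [[arp-request_reinjection# link at the end of the new paragraph is cut off in this view, so its anchor cannot be checked here.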
Line 14: | Line 16: | ||
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
- | |||
===== Assumptions ===== | ===== Assumptions ===== | ||
Line 22: | Line 23: | ||
* You are physically close enough to send and receive access point packets. | * You are physically close enough to send and receive access point packets. | ||
* There is at least one wired or wireless client connected to the network and they are active. | * There is at least one wired or wireless client connected to the network and they are active. | ||
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman | + | * You are using v0.9 of aircrack-ng. If you use a different version then some of the common |
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
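Review bot: the Assumptions still say "You are using v0.9 of aircrack-ng" while this revision bumps the header to version 1.20 and later adds an instruction for 1.0-rc1; state the aircrack-ng version the commands were actually verified against so readers on 1.0 know which options (for example -z versus -K) apply to them. Minor: "If you use a different version then some of the ..." reads better with a comma before "then" or without "then".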
Line 39: | Line 40: | ||
===== Solution ===== | ===== Solution ===== | ||
- | |||
==== Solution Overview ==== | ==== Solution Overview ==== | ||
Line 49: | Line 49: | ||
- Start the wireless interface in monitor mode on the specific AP channel | - Start the wireless interface in monitor mode on the specific AP channel | ||
+ | - Test the injection capability of the wireless device to the AP | ||
- Use aireplay-ng to do a fake authentication with the access point | - Use aireplay-ng to do a fake authentication with the access point | ||
- Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | ||
Line 83: | Line 84: | ||
| | ||
- | Note: In this command we use " | + | Substitute the channel number that your AP runs on for " |
+ | |||
+ | Note: In this command we use " | ||
The system will respond: | The system will respond: | ||
Line 119: | Line 122: | ||
http:// | http:// | ||
- | ==== Step 2 - Start airodump-ng to capture the IVs ==== | + | |
+ | ==== Step 2 - Test Wireless Device Packet Injection ==== | ||
+ | |||
+ | The purpose of this step ensures that your card is within distance of your AP and can inject packets to it. | ||
+ | |||
+ | Enter: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | *-9 means injection test | ||
+ | *-e teddy is the wireless network name | ||
+ | *-a 00: | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
+ | The system should respond with: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The last line is important. | ||
+ | |||
+ | See the [[injection_test|injection test]] for more details. | ||
+ | |||
+ | |||
+ | ==== Step 3 - Start airodump-ng to capture the IVs ==== | ||
The purpose of this step is to capture the IVs generated. | The purpose of this step is to capture the IVs generated. | ||
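Review bot: "The purpose of this step ensures that your card is within distance of your AP" should be "The purpose of this step is to ensure that your card is within range of your AP". The expected aireplay-ng -9 output under "The system should respond with:" is blank in this view, so "The last line is important." has nothing to point at; quote the exact line the reader should check and say what value on it indicates a usable card rather than relying on them to spot it. The two blank lines before the "==== Step 3" heading are one more than the rest of the page uses.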
Line 146: | Line 181: | ||
- | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | + | ==== Step 4 - Use aireplay-ng to do a fake authentication with the access point ==== |
In order for an access point to accept a packet, the source MAC address must already be associated. | In order for an access point to accept a packet, the source MAC address must already be associated. | ||
Line 161: | Line 196: | ||
*-e teddy is the wireless network name | *-e teddy is the wireless network name | ||
*-a 00: | *-a 00: | ||
- | *-h 00: | + | *-h 00: |
*ath0 is the wireless interface name | *ath0 is the wireless interface name | ||
Line 175: | Line 210: | ||
Where: | Where: | ||
- | * 6000 - Reauthenticate | + | * 6000 - Reauthenticate |
* -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | ||
* -q 10 - Send keep alive packets every 10 seconds. | * -q 10 - Send keep alive packets every 10 seconds. | ||
Line 207: | Line 242: | ||
*Some access points are configured to only allow selected MAC addresses to associate and connect. | *Some access points are configured to only allow selected MAC addresses to associate and connect. | ||
- | Run: tcpdump -n -vvv -s0 -e -i < | + | Run: tcpdump -n -vvv -s0 -e -i < |
You would then look for error messages. | You would then look for error messages. | ||
Line 223: | Line 258: | ||
If you want to select only the DeAuth packets with tcpdump then you can use: " | If you want to select only the DeAuth packets with tcpdump then you can use: " | ||
- | + | ==== Step 5 - Start aireplay-ng in ARP request replay mode ==== | |
- | ==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | + | |
The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | ||
Line 232: | Line 266: | ||
| | ||
- | It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. | + | It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. |
Here is what the screen looks like when ARP requests are being injected: | Here is what the screen looks like when ARP requests are being injected: | ||
Line 247: | Line 281: | ||
* If you receive a message similar to "Got a deauth/ | * If you receive a message similar to "Got a deauth/ | ||
- | + | ==== Step 6 - Run aircrack-ng to obtain the WEP key ==== | |
- | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | + | |
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | ||
Line 257: | Line 290: | ||
Start another console session and enter: | Start another console session and enter: | ||
- | |||
- | | ||
- | |||
- | Where: | ||
- | * -z invokes the PTW WEP-cracking method. | ||
- | * -b 00: | ||
- | * output*.cap selects all files starting with " | ||
- | |||
- | To also use the FMS/Korek method, start another console session and enter: | ||
| | ||
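Review bot: removing the "Where:" list with "-z invokes the PTW WEP-cracking method" leaves the remaining aircrack-ng command with no statement of which attack it runs. With aircrack-ng 0.9, which the Assumptions still name, PTW is only selected by -z; in 1.0 it is the default and -K selects FMS/KoreK. Either keep the -z bullet with a version note or update the Assumptions to 1.0 so the two commands in this step are distinguishable.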
Line 272: | Line 296: | ||
* -b 00: | * -b 00: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | |||
- | You can run this while generating packets. | ||
- | |||
- | Here is what success looks like: | ||
- | |||
- | Aircrack-ng 0.9 | ||
- | |||
- | [00:01:18] Tested 0/140000 keys (got 30680 IVs) | ||
- | |||
- | | ||
- | 0 0/ 1 12( 170) 35( 152) AA( 146) 17( 145) 86( 143) F0( 143) AE( 142) C5( 142) D4( 142) 50( 140) | ||
- | 1 0/ 1 34( 163) BB( 160) CF( 147) 59( 146) 39( 143) 47( 142) 42( 139) 3D( 137) 7F( 137) 18( 136) | ||
- | 2 0/ 1 56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140) | ||
- | 3 0/ 1 78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142) | ||
- | 4 0/ 1 90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141) | ||
- | |||
- | KEY FOUND! [ 12: | ||
- | Decrypted correctly: 100% | ||
To also use the FMS/Korek method, start another console session and enter: | To also use the FMS/Korek method, start another console session and enter: | ||
- | | + | |
Where: | Where: | ||
+ | * -K invokes the FMS/Korek method | ||
* -b 00: | * -b 00: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | You can run this while generating packets. | + | If you are using 1.0-rc1, add the option " |
+ | |||
+ | You can run this while generating packets. | ||
Here is what success looks like: | Here is what success looks like: | ||
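Review bot: the deleted "Here is what success looks like" block (Aircrack-ng 0.9, KEY FOUND! at 30680 IVs, Decrypted correctly: 100%) was the only sample output for the PTW run; after this change the single remaining example is the FMS/KoreK one, yet the tutorial now leads with the plain command. Keep one PTW sample so readers can recognise a successful PTW result, which in the removed example finished well under the 250,000 IV estimate quoted later on the page. Also, the option named in the new "If you are using 1.0-rc1, add the option" line is cut off in this view and cannot be checked.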
Line 317: | Line 326: | ||
Probability: | Probability: | ||
- | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. | + | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.) |
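Review bot: "far less then the estimated 250,000 IVs" should be "far less than", on both sides of this change. The added parenthetical spells it "FMS/KoreK" while the new -K bullet in Step 6 and the "To also use the FMS/Korek method" line use "FMS/Korek"; use one spelling throughout.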
Line 324: | Line 333: | ||
* Be sure to read all the documentation on the Wiki for the various commands used in this tutorial. | * Be sure to read all the documentation on the Wiki for the various commands used in this tutorial. | ||
* See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial: | * See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial: | ||
+ | |||
+ | |||
+ | ===== Generating ARPs ===== | ||
+ | |||
+ | In order for this tutorial to work, you must receive at least one ARP packet. | ||
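Review bot: the new "Generating ARPs" section is placed after the closing reading list, but the reader needs it at Step 5, where aireplay-ng sits waiting for an ARP request; add a pointer from Step 5 to this section or move it there. The sentence "you must receive at least one ARP packet" is cut off in this view, and there are two blank lines before the heading where the page uses one.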
simple_wep_crack.txt · Last modified: 2018/03/11 20:13 by mister_x