User Tools

Site Tools


simple_wep_crack

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
simple_wep_crack [2008/12/28 15:39] – Added additional step for injection testing darkaudaxsimple_wep_crack [2018/03/11 20:13] (current) – [Introduction] Removed link to trac mister_x
Line 1: Line 1:
 ====== Tutorial: Simple WEP Crack ====== ====== Tutorial: Simple WEP Crack ======
-Version: 1.09 December 282008\\+Version: 1.20 January 112010\\
 By: darkAudax By: darkAudax
  
Line 6: Line 6:
  
 This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts.  It assumes you have a working wireless card with drivers already patched for injection. This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts.  It assumes you have a working wireless card with drivers already patched for injection.
 +
 +The basic concept behind this tutorial is using aireplay-ng replay an ARP packet to generate new unique IVs.  In turn, aircrack-ng uses the new unique IVs to crack the WEP key.  It is important to understand what an ARP packet is.  This [[arp-request_reinjection#what_is_arp|"What is an ARP?"]] section provides the details.
  
 For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]].  Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]]. For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]].  Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]].
  
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
- 
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org/wiki/Team|Aircrack-ng team]] for producing such a great robust tool.  
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Line 21: Line 21:
   * You are physically close enough to send and receive access point packets.  Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength.  So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[injection_test#hidden_or_specific_ssid|these instructions]].   * You are physically close enough to send and receive access point packets.  Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength.  So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[injection_test#hidden_or_specific_ssid|these instructions]].
   * There is at least one wired or wireless client connected to the network and they are active.  The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.   * There is at least one wired or wireless client connected to the network and they are active.  The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.
-  * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman options may have to be changed.+  * You are using v0.9 of aircrack-ng. If you use a different version then some of the common options may have to be changed.
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
Line 115: Line 115:
           Tx excessive retries: Invalid misc:  Missed beacon:0           Tx excessive retries: Invalid misc:  Missed beacon:0
  
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.+In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
 To match the frequency to the channel, check out: To match the frequency to the channel, check out:
-http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.  This will give you the frequency for each channel.+http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 .  This will give you the frequency for each channel.
  
  
Line 130: Line 130:
  
 Where: Where:
-  *-9 means injectin test+  *-9 means injection test
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:14:6C:7E:40:80 is the access point MAC address   *-a 00:14:6C:7E:40:80 is the access point MAC address
Line 194: Line 194:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:14:6C:7E:40:80 is the access point MAC address   *-a 00:14:6C:7E:40:80 is the access point MAC address
-  *-h 00:0F:B5:88:AC:82 is our card MAC addresss+  *-h 00:0F:B5:88:AC:82 is our card MAC address
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
Line 240: Line 240:
   *Some access points are configured to only allow selected MAC addresses to associate and connect.  If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  If you suspect this is the problem, use the following command while trying to do fake authentication.  Start another session and...   *Some access points are configured to only allow selected MAC addresses to associate and connect.  If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  If you suspect this is the problem, use the following command while trying to do fake authentication.  Start another session and...
  
-Run: tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:<MAC addreess of your card>|Authentication|ssoc)"+Run: tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:<MAC address of your card>|Authentication|ssoc)"
  
 You would then look for error messages. You would then look for error messages.
Line 264: Line 264:
    aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0    aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
  
-It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.  On your home network, here is an easy way to generate an ARP request:  On wired PC, ping a non-existent IP on your home LAN.+It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.  See the [[simple_wep_crack#Generating ARPs]] section for tricks on generating ARPs if your screen says "got 0 ARP requests" after waiting long time.
  
 Here is what the screen looks like when ARP requests are being injected: Here is what the screen looks like when ARP requests are being injected:
Line 285: Line 285:
 Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process.  If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits. Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process.  If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits.
  
-Two methods will be shown.  It is recommended you try both for learning purposes.  By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method.  As a reminder, the PTW method only works successfully with arp request/reply packets.  Since this tutorial covers injection arp request packets, you can properly use this method.  The other requirement is that you capture the full packet with airodump-ng.  Meaning, do not use the "-''''-ivs" option.+Two methods will be shown.  It is recommended you try both for learning purposes.  By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method.  As a reminder, the PTW method only works successfully with arp request/reply packets.  Since this tutorial covers injection of ARP request packets, you can properly use this method.  The other requirement is that you capture the full packet with airodump-ng.  Meaning, do not use the "-''''-ivs" option.
  
 Start another console session and enter: Start another console session and enter:
  
-   aircrack-ng -z -b 00:14:6C:7E:40:80 output*.cap+   aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
  
 Where: Where:
-  * -z invokes the PTW WEP-cracking method. 
   * -b 00:14:6C:7E:40:80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.   * -b 00:14:6C:7E:40:80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
   * output*.cap selects all files starting with "output" and ending in ".cap".   * output*.cap selects all files starting with "output" and ending in ".cap".
  
-To also use the FMS/KoreK method, start another console session and enter:+To also use the FMS/Korek method, start another console session and enter:
  
-   aircrack-ng -b 00:14:6C:7E:40:80 output*.cap+   aircrack-ng -K -b 00:14:6C:7E:40:80 output*.cap
  
 Where: Where:
 +  * -K invokes the FMS/Korek method
   * -b 00:14:6C:7E:40:80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.   * -b 00:14:6C:7E:40:80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
   * output*.cap selects all files starting with "output" and ending in ".cap".   * output*.cap selects all files starting with "output" and ending in ".cap".
Line 331: Line 331:
   * Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.   * Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.
   * See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial: I am injecting but the IVs don't increase]]   * See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial: I am injecting but the IVs don't increase]]
 +
 +
 +===== Generating ARPs =====
 +
 +In order for this tutorial to work, you must receive at least one ARP packet.  On your home network, here is an easy way to generate an ARP packet.  On a wired or wireless PC, ping a non-existent IP on your home LAN.  A wired PC means a PC connected to your LAN via an ethernet cable.  Lets say your home LAN  address space is 192.168.1.1 through 192.168.1.254.  Pick an IP between 1 and 254 which is not assigned to a network device.  For example, if the IP 192.168.1.213 is not being used then "ping 192.168.1.213" This will cause an ARP to be broadcast via your wireless access point and in turn, this will kick off the reinjection of packets by aireplay-ng.
  
simple_wep_crack.1230475190.txt.gz · Last modified: 2008/12/28 15:39 by darkaudax