Wednesday, July 18, 2012

Cracking wep key


Required Tools For crack wireless key :-

  • You will need a computer with a wireless adapter listed here
  • Download Backtrack  and burn it’s image to a CD

Tools We are used :-

  • Kismet – a wireless network detector and packet sniffer
  • airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
  • airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
  • aireplay – a tool for forging ARP requests
  • aircrack – a tool for decrypting WEP keys
  • iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP requests to the target router
  • macchanger – a tool that allows you to view and/or spoof (fake) your MAC address
What is :- 
  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (ie 00:11:ef:22:a3:6a)
  • BSSID: Access Point’s MAC address
  • ESSID: Access Point’s Broadcast name. (ie linksys, default, belkin etc) Some AP’s will not broadcast their name but Kismet may be able to detect it anyway
  • TERMINAL: MS-Dos like command line interface. You can open this by clicking the black box icon next to the start key in backtrack
  • WEP: short for Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks
  • WPA: short for WiFi Protected Access. a more secure protocal than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption
STEP 1:-

Monitoring Wireless Traffic With Kismet

Place the backtrack CD into your cd-rom drive and boot into Backtrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like “Hit ctrl+esc to change bios settings”. Changing your first boot device to cdrom will do the trick. Once booted into linux, login as root with username: root password: toor. These are the default username and password used by backtrack. A command prompt will appear.
root@bt:~# airmon-ng
Interface       Chipset         Driver
wlan0           Ralink 2573 USB rt73usb - [phy0]
STEP 2:-
root@bt:~# airmon-ng start wlan0 


STEP 3:-
Finding a suitable Target

After putting your card into monitor mode ,we need to find a network that is protected by WEP. You can discover the surrounding networks by entering the following command


root@bt:~# airdump-ng wlan0





STEP 4:-

Attacking The Target


Now to crack the WEP key you’ll have to capture the targets data into a file, To do this we use airodump tool again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels .You can restrict the capture by giving in the following commands

root@bt:~#  airodump-ng --bssid 00:11:22:33:44:55 -c (channel no) -w (filename) mon0

  • -w tells airodump to write the file
  • -c is the channel of my target AP



STEP 5:-

using airplay speed up cracking:- 

root@bt:~# aireplay-ng -1 3 -a 00:11:22:33:44:55 mon0 


STEP 6:-

Associate your wireless card with the AP you are accessing.

root@bt:~#aireplay-ng -1 0 -e linksys -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 mon0
  • -1 at the beginning specifies the type of attack. In this case we want fake authentication with AP. You can view all options by typing aireplay-ng -h
  • 0 specifies the delay between attacks
  • -e is the essid tag. belkin is the essid or broadcast name of my target AP. Linksys or default are other common names
  • -a is the bssid tag(MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address.macchanger -s mon0
STEP 7:-

Start packet injection with aireplay:-

root@bt:~# 
aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 mon0


  • -b requires the MAC address of the AP we are accessing.
  • -h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address.macchanger -s mon0
  • if packets are being collected at a slow pace you can typeiwconfig ath0 rate auto to adjust your wireless adapter’s transmission rate. You can find your AP’s transmission rate in kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.
As aireplay runs, ARP packets count will slowly increase. This may take a while if there aren’t many ARP requests from other computers on the network. As it runs however, the ARP count should start to increase more quickly. If ARP count stops increasing, just open up a new terminal and re-associate with the ap via step 3. There is no need to close the open aireplay terminal window before doing this. Just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?
STEP 8:-
Decrypting the WEP Key with Aircrack:- 

root@bt:~# aircrack-ng filename.cap



Once you have enough captured data packets decrypting the key will only take a couple of seconds. For my AP it took me 380k data packets. If aircrack doesn’t find a key almost immediately, just sit back and wait for more data packets.



















No comments:

Post a Comment