First we need to scan for available wireless networks.
Theres this great tool for windows to do this.. called
“NetStumbler” or "Kismet" for Windows and Linux and "KisMac"
for Mac.
The two most common
encryption types are:
1) WEP
2) WAP
WEP i.e Wire Equivalent Privacy is not consideres as safe as
WAP i.e Wireless Application Protocol.
WEP have many flaws that allows a hacker to crack a WEP key easily..
whereas WAP is currently the most secure
and best option to secure a wi-fi network..
It can’t be easily cracked as WEP because the only way to
retreive a WAP key is to use a brute-force attack or
dictionary atack. Here I’ll tell you how to Crack WEP
To crack WEP we will be using Live Linux distribution called
BackTrack to crack WEP. BackTrack have lots of
preinstalled softwares for this very purpose..
The tools we will be using on
Backtrack are:
Kismet – a wireless network detector
airodump – captures packets from a wireless router
aireplay – forges ARP requests
aircrack – decrypts the WEP keys
1) First of all we have to find a wireless access point along
with its bssid, essid and channel number. To do this we will
run kismet by opening up the terminal and typing in kismet.
It may ask you for the appropriate adapter which in my
case is ath0. You can see your device’s
name by typing in the command iwconfig.
2) To be able to do some of the later things, your wireless
adapter must be put into monitor mode. Kismet
automatically does this and as long as you
keep it open, your wireless adapter will stay in monitor
mode.
3) In kismet you will see the flags Y/N/0. Each one stands
for a different type of encryption. In our case we will be
looking for access points with the WEP encryption. Y=WEP
N=OPEN 0=OTHER(usually WAP).
4) Once you find an access point, open a text document and
paste in the networks broadcast name (essid), its mac
address (bssid) and its channel number. To get the above
information, use the arrow keys to select an access point
and hit <ENTER> to get more information about it.
5) The next step is to start collecting data from the access
point with airodump. Open up a new terminal and start
airodump by typing in the command:
airodump-ng -c [channel#] -w [filename] –bssid [bssid] [device] In the above command
airodump-ng starts the program, the channel of your access point
goes after -c , the file you wish to output the data goes after -w ,
and the MAC address of the access point goes after –
bssid. The command ends with the device name. Make sure to
leave out the brackets.
6) Leave the above running and open another terminal. Next
we will generate some fake packets to the target access
point so that the speed of the data output will increase. Put
in the following command:
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44: 55:66 -e [essid] [device]
In the above command we are using the airplay-ng program.
The -1 tells the program the specific attack we wish to use
which in this case is fake authentication with the access
point. The 0 cites the delay between attacks, -a is the MAC
address of the target access point, -h is your wireless
adapters MAC address, -e is the name (essid) of the target
access point, and the command ends with the your wireless
adapters device name.
7) Now, we will force the target access point to send out a
huge amount of packets that we will be able to take
advantage of by using them to attempt to crack the WEP key.
Once the following command is executed, check your
airodump-ng terminal and you should see the ARP packet
count to start to increase. The command is:
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44: 5:66 [device]
In this command, the -3 tells the program the specific type
of attack which in this case is packet injection, -b is the MAC
address of the target access point, -h is your wireless
adapters MAC address, and the wireless adapter device name
goes at the end.
Once you have collected around 50k-500k packets, you may
begin the attempt to break the WEP key. The command to
begin the cracking process is: aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs
In this command the -a 1 forces the program into the WEP
attack mode, the -b is the targets MAC address, and the -n
128 tells the program the WEP key length. If you don’t know
the -n , then leave it out. This should crack the WEP key
within seconds. The more packets you capture, the bigger
chance you have of cracking the Download Backtrack Linux here WEP key.
For BackTrack Linux: Click Here
Theres this great tool for windows to do this.. called
“NetStumbler” or "Kismet" for Windows and Linux and "KisMac"
for Mac.
The two most common
encryption types are:
1) WEP
2) WAP
WEP i.e Wire Equivalent Privacy is not consideres as safe as
WAP i.e Wireless Application Protocol.
WEP have many flaws that allows a hacker to crack a WEP key easily..
whereas WAP is currently the most secure
and best option to secure a wi-fi network..
It can’t be easily cracked as WEP because the only way to
retreive a WAP key is to use a brute-force attack or
dictionary atack. Here I’ll tell you how to Crack WEP
To crack WEP we will be using Live Linux distribution called
BackTrack to crack WEP. BackTrack have lots of
preinstalled softwares for this very purpose..
The tools we will be using on
Backtrack are:
Kismet – a wireless network detector
airodump – captures packets from a wireless router
aireplay – forges ARP requests
aircrack – decrypts the WEP keys
1) First of all we have to find a wireless access point along
with its bssid, essid and channel number. To do this we will
run kismet by opening up the terminal and typing in kismet.
It may ask you for the appropriate adapter which in my
case is ath0. You can see your device’s
name by typing in the command iwconfig.
2) To be able to do some of the later things, your wireless
adapter must be put into monitor mode. Kismet
automatically does this and as long as you
keep it open, your wireless adapter will stay in monitor
mode.
3) In kismet you will see the flags Y/N/0. Each one stands
for a different type of encryption. In our case we will be
looking for access points with the WEP encryption. Y=WEP
N=OPEN 0=OTHER(usually WAP).
4) Once you find an access point, open a text document and
paste in the networks broadcast name (essid), its mac
address (bssid) and its channel number. To get the above
information, use the arrow keys to select an access point
and hit <ENTER> to get more information about it.
5) The next step is to start collecting data from the access
point with airodump. Open up a new terminal and start
airodump by typing in the command:
airodump-ng -c [channel#] -w [filename] –bssid [bssid] [device] In the above command
airodump-ng starts the program, the channel of your access point
goes after -c , the file you wish to output the data goes after -w ,
and the MAC address of the access point goes after –
bssid. The command ends with the device name. Make sure to
leave out the brackets.
6) Leave the above running and open another terminal. Next
we will generate some fake packets to the target access
point so that the speed of the data output will increase. Put
in the following command:
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44: 55:66 -e [essid] [device]
In the above command we are using the airplay-ng program.
The -1 tells the program the specific attack we wish to use
which in this case is fake authentication with the access
point. The 0 cites the delay between attacks, -a is the MAC
address of the target access point, -h is your wireless
adapters MAC address, -e is the name (essid) of the target
access point, and the command ends with the your wireless
adapters device name.
7) Now, we will force the target access point to send out a
huge amount of packets that we will be able to take
advantage of by using them to attempt to crack the WEP key.
Once the following command is executed, check your
airodump-ng terminal and you should see the ARP packet
count to start to increase. The command is:
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44: 5:66 [device]
In this command, the -3 tells the program the specific type
of attack which in this case is packet injection, -b is the MAC
address of the target access point, -h is your wireless
adapters MAC address, and the wireless adapter device name
goes at the end.
Once you have collected around 50k-500k packets, you may
begin the attempt to break the WEP key. The command to
begin the cracking process is: aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs
In this command the -a 1 forces the program into the WEP
attack mode, the -b is the targets MAC address, and the -n
128 tells the program the WEP key length. If you don’t know
the -n , then leave it out. This should crack the WEP key
within seconds. The more packets you capture, the bigger
chance you have of cracking the Download Backtrack Linux here WEP key.
For BackTrack Linux: Click Here
No comments:
Post a Comment