simple_wep_crack
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
simple_wep_crack [2007/05/16 22:53] – darkaudax | simple_wep_crack [2008/06/10 00:08] – rc1 mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: Simple WEP Crack ====== | ====== Tutorial: Simple WEP Crack ====== | ||
- | Version: 1.04 May 15, 2007\\ | + | Version: 1.08 May 9, 2008\\ |
By: darkAudax | By: darkAudax | ||
- | |||
===== Introduction ===== | ===== Introduction ===== | ||
Line 12: | Line 11: | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | I would like to acknowledge and thank the [[http:// | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
- | |||
===== Assumptions ===== | ===== Assumptions ===== | ||
Line 22: | Line 20: | ||
* You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding. | * You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding. | ||
* You are physically close enough to send and receive access point packets. | * You are physically close enough to send and receive access point packets. | ||
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the command | + | |
+ | | ||
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
- | |||
- | In the examples, the option " | ||
===== Equipment used ===== | ===== Equipment used ===== | ||
Line 39: | Line 36: | ||
You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network. | You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network. | ||
- | |||
===== Solution ===== | ===== Solution ===== | ||
- | |||
==== Solution Overview ==== | ==== Solution Overview ==== | ||
Line 56: | Line 51: | ||
- Start aireplay-ng in ARP request replay mode to inject packets | - Start aireplay-ng in ARP request replay mode to inject packets | ||
- Run aircrack-ng to crack key using the IVs collected | - Run aircrack-ng to crack key using the IVs collected | ||
- | |||
==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== | ==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== | ||
- | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only " | + | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only " |
First stop ath0 by entering: | First stop ath0 by entering: | ||
Line 123: | Line 117: | ||
http:// | http:// | ||
- | + | ==== Step 2 - Start airodump-ng to capture the IVs ==== | |
- | ==== Step 2 - Use aireplay-ng to do a fake authentication with the access point ==== | + | |
- | + | ||
- | In order for an access point to accept a packet, the source MAC address must already be associated. | + | |
- | + | ||
- | The lack of association with the access point is the single biggest reason why injection fails. | + | |
- | + | ||
- | To associate with an access point, use fake authentication: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Where: | + | |
- | *-1 means fake authentication | + | |
- | *0 reassociation timing in seconds | + | |
- | *-e teddy is the wireless network name | + | |
- | *-a 00: | + | |
- | *-h 00: | + | |
- | *ath0 is the wireless interface name | + | |
- | + | ||
- | Success looks like: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | + | ||
- | Or another variation for picky access points: | + | |
- | + | ||
- | aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00: | + | |
- | + | ||
- | Where: | + | |
- | * 6000 - Reauthenticate very 6000 seconds. | + | |
- | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | + | |
- | * -q 10 - Send keep alive packets every 10 seconds. | + | |
- | + | ||
- | Success looks like: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | # and so on. | + | |
- | + | ||
- | Here is an example of what a failed authentication looks like: | + | |
- | 8: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | 18: | + | |
- | + | ||
- | Notice the "Got a deauthentication packet" | + | |
- | + | ||
- | === Troubleshooting Tips === | + | |
- | + | ||
- | *Some access points are configured to only allow selected MAC addresses to associate and connect. | + | |
- | + | ||
- | Run: tcpdump -n -vvv -s0 -e -i < | + | |
- | + | ||
- | You would then look for error messages. | + | |
- | + | ||
- | *If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. | + | |
- | + | ||
- | Run: " | + | |
- | + | ||
- | Here is a typical tcpdump error message you are looking for: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Notice that the access point (00: | + | |
- | + | ||
- | If you want to select only the DeAuth packets with tcpdump then you can use: " | + | |
- | + | ||
- | + | ||
- | ==== Step 3 - Start airodump-ng to capture the IVs ==== | + | |
The purpose of this step is to capture the IVs generated. | The purpose of this step is to capture the IVs generated. | ||
Line 208: | Line 123: | ||
Open another console session to capture the generated IVs. Then enter: | Open another console session to capture the generated IVs. Then enter: | ||
- | | + | |
Where: | Where: | ||
*-c 9 is the channel for the wireless network | *-c 9 is the channel for the wireless network | ||
- | *- -bssid 00: | + | *-'''' |
*-w capture is file name prefix for the file which will contain the IVs. | *-w capture is file name prefix for the file which will contain the IVs. | ||
*ath0 is the interface name. | *ath0 is the interface name. | ||
Line 229: | Line 144: | ||
- | ==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | + | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== |
- | + | ||
- | The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. | + | |
- | + | ||
- | Open another console session and enter: | + | |
- | + | ||
- | | + | |
- | + | ||
- | It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. On your home network, here is an easy way to generate an ARP request: | + | |
- | + | ||
- | Here is what the screen looks like when ARP requests are being injected: | + | |
- | + | ||
- | | + | |
- | You should also start airodump-ng to capture replies. | + | |
- | Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | + | |
- | + | ||
- | You can confirm that you are injecting by checking your airodump-ng screen. | + | |
- | + | ||
- | + | ||
- | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | + | |
- | + | ||
- | The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | + | |
- | + | ||
- | Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. | + | |
- | + | ||
- | Two methods will be shown. | + | |
- | + | ||
- | Start another console session and enter: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Where: | + | |
- | * -z invokes the PTW WEP-cracking method. | + | |
- | * -b 00: | + | |
- | * output*.cap selects all files starting with " | + | |
- | + | ||
- | Version: 1.04 May 15, 2007\\ | + | |
- | By: darkAudax | + | |
- | + | ||
- | + | ||
- | ===== Introduction ===== | + | |
- | + | ||
- | This tutorial walks you though a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. | + | |
- | + | ||
- | For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. | + | |
- | + | ||
- | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | + | |
- | + | ||
- | I would like to acknowledge and thank the [[http:// | + | |
- | + | ||
- | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | + | |
- | + | ||
- | + | ||
- | ===== Assumptions ===== | + | |
- | + | ||
- | First, this solution assumes: | + | |
- | * You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding. | + | |
- | * You are physically close enough to send and receive access point packets. | + | |
- | * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman options may have to be changed. | + | |
- | + | ||
- | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | + | |
- | + | ||
- | In the examples, the option " | + | |
- | + | ||
- | ===== Equipment used ===== | + | |
- | + | ||
- | In this tutorial, here is what was used: | + | |
- | + | ||
- | *MAC address of PC running aircrack-ng suite: 00: | + | |
- | *BSSID (MAC address of access point): 00: | + | |
- | *ESSID (Wireless network name): teddy | + | |
- | *Access point channel: 9 | + | |
- | *Wireless interface: ath0 | + | |
- | + | ||
- | You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network. | + | |
- | + | ||
- | + | ||
- | ===== Solution ===== | + | |
- | + | ||
- | ==== Solution Overview ==== | + | |
- | + | ||
- | To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). | + | |
- | + | ||
- | Once we have captured a large number of IVs, we can use them to determine the WEP key. | + | |
- | + | ||
- | Here are the basic steps we will be going through: | + | |
- | + | ||
- | - Start the wireless interface in monitor mode on the specific AP channel | + | |
- | - Use aireplay-ng to do a fake authentication with the access point | + | |
- | - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs | + | |
- | - Start aireplay-ng in ARP request replay mode to inject packets | + | |
- | - Run aircrack-ng to crack key using the IVs collected | + | |
- | + | ||
- | + | ||
- | ==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== | + | |
- | + | ||
- | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only " | + | |
- | + | ||
- | First stop ath0 by entering: | + | |
- | + | ||
- | | + | |
- | + | ||
- | The system responds: | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | | + | |
- | + | ||
- | Enter " | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | If there are any remaining athX interfaces, | + | |
- | + | ||
- | Now, enter the following command to start the wireless card on channel 9 in monitor mode: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Note: In this command we use " | + | |
- | + | ||
- | The system will respond: | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | | + | |
- | + | ||
- | You will notice that " | + | |
- | + | ||
- | To confirm the interface is properly setup, enter " | + | |
- | + | ||
- | The system will respond: | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | Mode: | + | |
- | Bit Rate:0 kb/s | + | |
- | Retry: | + | |
- | Encryption key:off | + | |
- | Power Management: | + | |
- | Link Quality=0/ | + | |
- | Rx invalid nwid: | + | |
- | Tx excessive retries: | + | |
- | + | ||
- | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | + | |
- | + | ||
- | To match the frequency to the channel, check out: | + | |
- | http:// | + | |
- | + | ||
- | + | ||
- | ==== Step 2 - Use aireplay-ng to do a fake authentication with the access point ==== | + | |
- | In order for an access point to accept a packet, the source MAC address must already be associated. | + | In order for an access point to accept a packet, the source MAC address must already be associated. |
The lack of association with the access point is the single biggest reason why injection fails. | The lack of association with the access point is the single biggest reason why injection fails. | ||
Line 448: | Line 203: | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *Some access points are configured to only allow selected MAC addresses to associate and connect. | + | *Some access points are configured to only allow selected MAC addresses to associate and connect. |
- | Run: tcpdump -n -vvv -s0 -e -i < | + | Run: tcpdump -n -vvv -s0 -e -i < |
You would then look for error messages. | You would then look for error messages. | ||
Line 464: | Line 219: | ||
Notice that the access point (00: | Notice that the access point (00: | ||
- | If you want to select only the DeAuth packets with tcpdump then you can use: " | + | If you want to select only the DeAuth packets with tcpdump then you can use: " |
- | + | ||
- | + | ||
- | ==== Step 3 - Start airodump-ng to capture the IVs ==== | + | |
- | + | ||
- | The purpose of this step is to capture the IVs generated. | + | |
- | + | ||
- | Open another console session to capture the generated IVs. Then enter: | + | |
- | + | ||
- | | + | |
- | + | ||
- | Where: | + | |
- | *-c 9 is the channel for the wireless network | + | |
- | *- -bssid 00: | + | |
- | *-w capture is file name prefix for the file which will contain the IVs. | + | |
- | *ath0 is the interface name. | + | |
- | + | ||
- | While the injection is taking place (later), the screen will look similar to this: | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | ==== Step 4 - Start aireplay-ng in ARP request replay mode ==== | ||
Line 510: | Line 237: | ||
Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | Read 629399 packets (got 316283 ARP requests), sent 210955 packets... | ||
- | You can confirm that you are injecting by checking your airodump-ng screen. | + | You can confirm that you are injecting by checking your airodump-ng screen. |
+ | |||
+ | === Troubleshooting Tips === | ||
+ | |||
+ | * If you receive a message similar to "Got a deauth/ | ||
==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== | ||
Line 519: | Line 250: | ||
Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. | Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. | ||
- | Two methods will be shown. | + | Two methods will be shown. |
Start another console session and enter: | Start another console session and enter: | ||
Line 530: | Line 261: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | To also use the FMS/Korek method, start another console session and enter: | + | To also use the FMS/KoreK method, start another console session and enter: |
| | ||
Line 538: | Line 269: | ||
* output*.cap selects all files starting with " | * output*.cap selects all files starting with " | ||
- | You can run this while generating packets. | + | If you are using 1.0-rc1, add the option " |
+ | |||
+ | You can run this while generating packets. | ||
Here is what success looks like: | Here is what success looks like: | ||
Aircrack-ng 0.9 | Aircrack-ng 0.9 | ||
- | |||
- | [00:01:18] Tested 0/140000 keys (got 30680 IVs) | ||
- | |||
- | | ||
- | 0 0/ 1 12( 170) 35( 152) AA( 146) 17( 145) 86( 143) F0( 143) AE( 142) C5( 142) D4( 142) 50( 140) | ||
- | 1 0/ 1 34( 163) BB( 160) CF( 147) 59( 146) 39( 143) 47( 142) 42( 139) 3D( 137) 7F( 137) 18( 136) | ||
- | 2 0/ 1 56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140) | ||
- | 3 0/ 1 78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142) | ||
- | 4 0/ 1 90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141) | ||
- | |||
- | KEY FOUND! [ 12: | ||
- | Decrypted correctly: 100% | ||
- | |||
- | To also use the FMS/Korek method, start another console session and enter: | ||
- | |||
- | | ||
- | |||
- | Where: | ||
- | * -b 00: | ||
- | * output*.cap selects all files starting with " | ||
- | |||
- | You can run this while generating packets. | ||
- | |||
- | Here is what success looks like: | ||
- | |||
- | Aircrack-ng 0.8 | ||
Line 582: | Line 289: | ||
Probability: | Probability: | ||
- | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. | + | Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.) |
simple_wep_crack.txt · Last modified: 2018/03/11 20:13 by mister_x