User Tools

Site Tools


simple_wep_crack

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
simple_wep_crack [2010/01/11 22:46]
darkaudax Added details on generating ARPs
simple_wep_crack [2018/03/11 20:13] (current)
mister_x [Introduction] Removed link to trac
Line 7: Line 7:
 This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts. ​ It assumes you have a working wireless card with drivers already patched for injection. This tutorial walks you though a very simple case to crack a WEP key.  It is intended to build your basic skills and get you familiar with the concepts. ​ It assumes you have a working wireless card with drivers already patched for injection.
  
-The basic concept behind this tutorial is using aireokat-bg replay an ARP packet to generate new unique IVs.  In turn, aircrack-ng uses the new unique IVs to crack the WEP key.  It is important to understand what an ARP packet is.  This [[arp-request_reinjection#​what_is_arp|"​What is an ARP?"​]] section provides the details.+The basic concept behind this tutorial is using aireplay-ng replay an ARP packet to generate new unique IVs.  In turn, aircrack-ng uses the new unique IVs to crack the WEP key.  It is important to understand what an ARP packet is.  This [[arp-request_reinjection#​what_is_arp|"​What is an ARP?"​]] section provides the details.
  
 For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. ​ Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]]. For a start to finish newbie guide, see the [[newbie_guide|Linux Newbie Guide]]. ​ Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step.  For more information on installing aircrck-ng, see [[install_aircrack|Installing Aircrack-ng]] and for installing drivers see [[install_drivers|Installing Drivers]].
  
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
- 
-I would like to acknowledge and thank the [[http://​trac.aircrack-ng.org/​wiki/​Team|Aircrack-ng team]] for producing such a great robust tool.  
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Line 117: Line 115:
           Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0           Tx excessive retries:​0 ​ Invalid misc:​0 ​  ​Missed beacon:0
  
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good.   ​It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.+In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this.  So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
 To match the frequency to the channel, check out: To match the frequency to the channel, check out:
-http://www.rflinx.com/help/calculations/#​2.4ghz_wifi_channels then select the "​Wifi ​Channel ​Selection and Channel Overlap"​ tab.  This will give you the frequency for each channel.+http://www.cisco.com/en/US/​docs/​wireless/​technology/​channel/​deployment/​guide/Channel.html#​wp134132 ​.  This will give you the frequency for each channel.
  
  
Line 287: Line 285:
 Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. ​ If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits. Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. ​ If this is the case, then you can include "-n 64" to limit the checking of keys to 64 bits.
  
-Two methods will be shown. ​ It is recommended you try both for learning purposes. ​ By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. ​ As a reminder, the PTW method only works successfully with arp request/​reply packets. ​ Since this tutorial covers injection ​arp request packets, you can properly use this method. ​ The other requirement is that you capture the full packet with airodump-ng. ​ Meaning, do not use the "​-''''​-ivs"​ option.+Two methods will be shown. ​ It is recommended you try both for learning purposes. ​ By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. ​ As a reminder, the PTW method only works successfully with arp request/​reply packets. ​ Since this tutorial covers injection ​of ARP request packets, you can properly use this method. ​ The other requirement is that you capture the full packet with airodump-ng. ​ Meaning, do not use the "​-''''​-ivs"​ option.
  
 Start another console session and enter: Start another console session and enter:
simple_wep_crack.1263246379.txt.gz ยท Last modified: 2010/01/11 22:46 by darkaudax