In this article i will explain how you can crack wireless network's
WEP key using
Backtrack in six easy steps
WiFi Hacking Part 2
I believe all my blog readers have read the previous article
WiFi Hacking Part 1, and know what are the tools and stuff that you require for WiFi hacking
Commonly Used Terms :-
- WEP - Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks
- Access Point (AP)- A wireless router
- MAC Address - Media Access Control address, a unique id assigned to wireless adapters and routers .It comes in hexadecimal format (ie 00:15:eR:21:a3:63)
- BSSID - Access Point’s MAC address
- ESSID - Access Point’s Broadcast name
Cracking WEP Using Backtrack
Step -1 Booting Backtrack
Boot your copy of Backtrack from your USB drive (refer my article on
how to make a bootable Backtrack USB ),Once booted you will be prompted for the login details, enter usename as
"root" and password as
"toor", finally enter
"startx "
to start backtrack .Now once you have logged in, launch a new konsole
terminal by clicking the konsole terminal icon which is there on the
task bar .Now plug in your
Wifi usb card and type in the following commands in the terminal as shown
ifconfig wlan0 up
where wlan0 is the name of the wireless card ,it can be different .To
see all wireless cards connected to your system simply type" iwconfig "
Step -2 Putting your WiFi card on Monitor Mode
The purpose of this step is to put your card into what is called monitor
mode. Monitor mode is the mode whereby your card can listen to every
packet in the air ,It is similar to a Promiscuous mode which is used for
packet sniffing in a LAN .You can put your card into Monitor mode by
entering the following commands in a terminal
airmon-ng start (your interface)
Example :- airmon-ng start wlan0
Now a new interface
mon0 or
ath0 will be created , You can see the new interface is in monitor mode by entering "
iwconfig" as shown
Step -3 Monitor the air for WiFI connections
Now after putting the card in monitor mode you will need to monitor the air for available
wireless networks (WiFi connections)around you , For this you'll have to use a tool called "airodump" .
So you can start monitoring the air with airodump by enter the following commands
airodump-ng mon0
where mon0 is the new interface which we created in the previous step
Bssid shows the mac address of the AP,
CH shows the channel in which AP is broadcasted and
Essid shows the name broadcasted by the AP,
Cipher shows the
encryption type ,
Stop the process by pressing
"ctrl +c " and select your target ,Since i am only cracking
WEP i will take "johny" as my target from now on
Step -4 Capturing Data with Airodump
Now to crack the WEP key you'll have to capture the targets data into a
file, To do this we use airodump tool again, but with some additional
switches to target a specific AP and channel. Most importantly, you
should restrict monitoring to a single channel to speed up data
collection, otherwise the wireless card has to alternate between all
channels .You can restrict the capture by giving in the
following commands
airodump-ng mon0 --bssid -c (channel ) -w (file name to save )
As
my target is broadcasted in channel 2 and has bssid
"98:fc:11:c9:14:22" ,I give in the following commands and save the
captured data as "johnywep"
airodump-ng mon0 --bssid 98:fc:11:c9:14:22 -c 2 -w johnywep
Do not close this terminal (run the other commends simultaneously in an another terminal)
Step -5 Using Aireplay to Speed up the cracking
You will have to capture at least
25,000 data packets to crack WEP .This can be done in two ways, The first one would be a
(passive attack )
wait for a client to connect to the AP and then start capturing the
data packets but this method is very slow, it can take days or even
weeks to capture that many data packets
The second method would be an
(active attack )this method is fast and only takes minutes to generate and inject that many packets .
In an active attack you'll have do a Fake authentication (connect) with
the AP ,then you'll have to generate and inject data packets.This can
be done very easily by using a tool called "aireplay"
So you can do a Fake authentication with the AP using aireplay by entering the following commands in a new terminal
aireplay-ng - 1 3 -a (bssid fo the target ) (interface)
In my case i enter the following
aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0
After doing a fake auth ,now its time to generate and inject
Arp (data )packets . To this you'll have to open a terminal simultaneously and enter the following commands
aireplay-ng 3 -b (bssid of target) -h ( address of your card (mon0)) (interface)
In my case i enter
aireplay-ng 3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0
If this step was successful you'll see Lot of data packets in the airodump capture ( step 4 ) as shown
Wait till it reaches at least
25000 packets , best would be to
wait till it reaches around 80,000 to 90,000 packets .Its simple more
the data packets less the time to crack .once you
captured enough number of packets, close all the process's by pressing
"Ctrl +c" or by simply clicking the into mark which is there on the terminal
Strep -6 Cracking WEP key using Aircrack
Now its time crack the
WEP key from the captured data, we use Aircrack to achieve this
Enter the following commands to crack the WEP key
aircrack-ng (name of the captured file (step 4) )
In my case i enter
aircrack-ng johnywep-0.1-cap
With in a few minutes Aircrak will crack the WEP key as shown
Voila you have successfully cracked the WEP key in Six simple steps
