Cracking Wireless Internet (WEP Only)
This is a tutorial for the average user who wants to learn something interesting about how wifi security works, and how some security options are not practical.
How it Works
The Wifi we will be cracking today is "secured" with WEP, or Wired Equivalent Privacy. In WEP, the AP (Access Point) and client (the user's computer) communicate with little packets of information. At the beginning of each packet is a short cleartext value (the initialization vector, or IV) that is combined with the WEP key to encrypt that packet; each one leaks a little information about the key, so if you capture enough packets you can piece the key together, literally in seconds. The minimum number of these "data packets" needed is about 250,000 for 128-bit secured networks, and only about 22,000 for 64-bit secured networks.
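To see why "just collect enough packets" works against WEP, here is an added example that is not part of the original tutorial. It does not recover keys; it shows the two facts behind the packet counts above: the IV at the start of every frame is only 24 bits, so IVs start repeating after a few thousand frames, and a repeated IV under the same key means the same RC4 keystream, so XORing two such frames cancels the encryption entirely. The RC4 routine is the textbook cipher, the key and IV are constructed sample values, and the probabilities assume IVs are picked at random (many APs just count up, which is no better).

```python
"""Why WEP's 24-bit IV is the weak point: how fast IVs repeat, and what a repeat
leaks. Added example, not from the tutorial. RC4 is implemented here only to
show keystream reuse; the key, IV and frame contents are constructed samples."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # WEP sends a 24-bit IV in cleartext at the start of each frame


def iv_reuse_probability(n_packets: int) -> float:
    """Probability that at least two of n_packets share an IV (birthday bound),
    assuming IVs are chosen uniformly at random."""
    if n_packets < 2:
        return 0.0
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * IV_SPACE))


def expected_iv_collisions(n_packets: int) -> float:
    """Expected number of colliding IV pairs after n_packets random IVs."""
    return n_packets * (n_packets - 1) / (2.0 * IV_SPACE)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (key scheduling + generation). WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext 3-byte IV, then RC4(IV || key) XOR plaintext.
    The real frame also carries a key-index byte and a CRC-32 ICV, omitted here."""
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_plaintexts_from_reused_iv(frame_a: bytes, frame_b: bytes) -> bytes:
    """If two frames carry the same IV they were encrypted with the same keystream,
    so XORing the two ciphertexts cancels it and leaves plaintext_a XOR plaintext_b.
    Raises if the IVs differ (no reuse, nothing leaks this way)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; no keystream reuse")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))


if __name__ == "__main__":
    for n in (5_000, 22_000, 250_000):
        print(f"{n:>8} frames: P(IV repeat) = {iv_reuse_probability(n):.4f}, "
              f"expected repeats = {expected_iv_collisions(n):.1f}")
    key = bytes.fromhex("0123456789")   # constructed 40-bit (WEP-64) key
    iv = bytes.fromhex("a1b2c3")        # constructed IV, sent in the clear
    frame_a = wep_encrypt(iv, key, b"GET / HTTP/1.1\r\n")
    frame_b = wep_encrypt(iv, key, b"HEAD / HTTP/1.0\n")
    leaked = xor_of_plaintexts_from_reused_iv(frame_a, frame_b)
    print("same IV twice -> plaintext XOR leaks:", leaked.hex())
```

Note that 128-bit WEP uses the same 24-bit IV, which is why a longer key only raises the packet count rather than fixing the problem; the real tools go further than this toy and exploit how RC4 mixes the IV with the key, but the count of IVs is what they feed on either way.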
The Tools We Need
- airmon - a program that can set your wifi card in monitor mode
- airodump - a program that is going to be capturing and sorting the packets
- aireplay - a program that can help generate network traffic, producing more packets
- aircrack - a program that will be decrypting the WEP keys
- BackTrack v3 - the Linux distro we will be using (download from remote-exploit.org)
- iwconfig - a program that shows and configures settings for your Wifi card
- macchanger - a program that can change or display your Wifi card's MAC (Media Access Control) address
Terms You Should Know
- bssid - the AP's MAC address
- essid - the AP's name
STEP 1
Installing BackTrack
What You Need:
- 1GB or larger empty USB flash drive (you can also burn the .iso onto a CD and boot from that)
- BackTrack v3 - Download from remote-exploit.org
1. Download BackTrack v3, and extract the contents to the USB drive using WinRAR.
WARNING: IF YOU PERFORM THE NEXT STEP WITH THE FOLDER ON YOUR HARD DRIVE, WINDOWS WILL NO LONGER BOOT
2. Then navigate into the folder ON YOUR USB DRIVE called "boot" and open the "bootinst.bat" file. This will make the USB drive bootable.
3. Press Enter
HOORAY!!! You installed BackTrack v3 onto your USB drive, and it is now bootable!
Restart the computer and go into the BIOS settings by hitting F2 or F10. Or, if you see an option like the one on my laptop, "F9 - select boot device", hit that key instead and select the USB drive. If you are in the BIOS settings, move the USB drive to first priority in the boot order.
Now reboot and just wait for BackTrack to start (unless you already started it by hitting F9, or whatever key it was, to select the boot device).
Select the startup option (in BackTrack). I always choose the plain old GDK option, which is right under the experimental options.
BackTrack will now boot up and log in for you. If not, log in as "root" and type the password "toor". Then type "startx" and it will log in. Now we are ready to crack Wifi.
STEP 2
Using Airodump
Click the little black icon that looks like >_ to open a Terminal (like the command prompt found in Windows).
Use airmon to put your card in monitor mode by typing "airmon-ng start INSTANCE NAME". You can find your wifi card's instance name by typing ifconfig.
Next type in airodump-ng INSTANCE NAME. From now on I'll be using my instance, ath0.
Pick a network to crack. I recommend cracking your own wifi because it is illegal to crack someone else's. Write down the bssid and essid of that network, and its channel.
Now we use airodump. Type this command - "airodump-ng ath0 --ivs --channel CHANNEL -w /"
Breakdown:
- ath0 - wifi card
- --ivs - puts it in ivs mode, so it only saves the IVs (the part of each packet that matters for cracking) instead of whole packets
- --channel CHANNEL - makes it stay on the channel of the essid you picked (the one you wrote down)
- -w / - that makes it write the ivs file (it'll be called -01.ivs) to the root directory for later use
That's it! Now it'll start picking up existing traffic, for example if someone is browsing the internet at the time. But it could take days to collect enough normal packets, so we have to stimulate some network traffic to speed up the gathering process.
STEP 3
Associate the wireless card with the AP you are attacking
Leave airodump running and open a new Terminal.
Type in: aireplay-ng -1 0 -e ESSID -a BSSID -h YOUR MAC ADDRESS INSTANCE NAME (mine's ath0)
Retrieve your MAC address by typing macchanger -s INSTANCE NAME in a new Terminal.
The -1 is the type of attack we are doing on the network.
So my command looked like: aireplay-ng -1 0 -e 2WIRE444 -a 00:1B:11:EF:CE:48 -h 00:1f:e1:07:4c:b2 ath0
STEP 4
Create Network Traffic
Type in a new Terminal: aireplay-ng -3 -b BSSID -h YOUR MAC ADDRESS INSTANCE NAME
-3 is the type of attack we are doing on the network.
If you get a message like "got a deauth/disassoc packet...", redo step 3.
Once airodump piles up more than 250,000 DATA packets, go to step 5.
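Steps 3 and 4 are very visible from the other side of the air. As an added example (not part of the tutorial) from the network owner's point of view, the script below reads a constructed list of monitor-mode frame summaries and flags the two things these steps produce: a burst of authentication frames from one station, and one station pushing hundreds of identical-length data frames per second, which is what replaying one captured packet looks like. The MAC addresses, the field names (ts, type, src, bssid, len) and the thresholds are all my own assumptions for the illustration.

```python
"""Spotting the steps 3 and 4 traffic pattern from the network owner's side.
Added example, not from the tutorial: reads a constructed list of monitor-mode
frame summaries (fields ts, type, src, bssid, len are my own naming) and flags
(a) a burst of auth/assoc frames from one station and (b) one station sending
hundreds of same-length data frames per second (a replayed packet)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed MAC addresses for the sample capture (locally administered, not real devices).
BSSID = "02:00:00:00:aa:01"
BENIGN = "02:00:00:00:bb:02"
REPLAYER = "02:00:00:00:cc:03"

# Thresholds are assumptions for this illustration; tune them against a baseline
# capture of your own network before relying on them.
REPLAY_FRAMES_PER_SEC = 100   # data frames per second from a single station
REPLAY_SAME_LEN_RATIO = 0.9   # share of those frames that have the same length
AUTH_BURST_PER_SEC = 5        # authentication/association frames per second


def find_replay_bursts(frames: List[Dict]) -> List[Tuple[str, str, int, int, int]]:
    """Per (station, BSSID, one-second window): flag windows where the station sent
    more than REPLAY_FRAMES_PER_SEC data frames and nearly all had the same length.
    Returns (src, bssid, second, total_frames, dominant_length) tuples."""
    windows = defaultdict(lambda: defaultdict(int))  # (src, bssid, sec) -> len -> count
    for f in frames:
        if f["type"] == "data":
            windows[(f["src"], f["bssid"], int(f["ts"]))][f["len"]] += 1
    hits = []
    for (src, bssid, sec), by_len in sorted(windows.items()):
        total = sum(by_len.values())
        top_len, top_n = max(by_len.items(), key=lambda kv: kv[1])
        if total > REPLAY_FRAMES_PER_SEC and top_n / total >= REPLAY_SAME_LEN_RATIO:
            hits.append((src, bssid, sec, total, top_len))
    return hits


def find_auth_bursts(frames: List[Dict]) -> List[Tuple[str, str, int, int]]:
    """Flag one-second windows in which a station sent more than AUTH_BURST_PER_SEC
    authentication or association frames to the AP (repeated re-association)."""
    counts = defaultdict(int)
    for f in frames:
        if f["type"] in ("auth", "assoc"):
            counts[(f["src"], f["bssid"], int(f["ts"]))] += 1
    return [(src, bssid, sec, n) for (src, bssid, sec), n in sorted(counts.items())
            if n > AUTH_BURST_PER_SEC]


def make_sample_frames() -> List[Dict]:
    """Constructed capture: one benign client browsing, and one station that
    authenticates repeatedly, then repeats a 68-byte frame 300 times a second."""
    frames = []
    for sec in range(3):                      # benign: 20 frames/s, mixed sizes
        for k in range(20):
            frames.append({"ts": sec + k / 20, "type": "data", "src": BENIGN,
                           "bssid": BSSID, "len": (120, 300, 1500)[k % 3]})
    for k in range(6):                        # replayer: 6 auth frames in 0.5 s
        frames.append({"ts": k * 0.08, "type": "auth", "src": REPLAYER,
                       "bssid": BSSID, "len": 30})
    for sec in (1, 2):                        # replayer: 300 identical frames/s
        for k in range(300):
            frames.append({"ts": sec + k / 300, "type": "data", "src": REPLAYER,
                           "bssid": BSSID, "len": 68})
    return sorted(frames, key=lambda f: f["ts"])


if __name__ == "__main__":
    sample = make_sample_frames()
    for src, bssid, sec, n in find_auth_bursts(sample):
        print(f"t={sec}s  {src} -> {bssid}: {n} auth/assoc frames in one second")
    for src, bssid, sec, total, length in find_replay_bursts(sample):
        print(f"t={sec}s  {src} -> {bssid}: {total} data frames, "
              f"nearly all {length} bytes (replay?)")
```

Seeing these alerts on a WEP network tells you it is being worked on, but nothing in the alert stops the collection; the only real fix is to take the AP off WEP, which is the point the introduction makes about security options that are not practical.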
STEP 5
Cracking the WEP Key with Aircrack
The file is in the root directory, named -01.ivs; the 01 corresponds to the number of dumps you have done, so next time it will be -02.ivs.
Open another terminal and type in aircrack-ng -s /-01.ivs
You need more data packets if it does not crack it within the first 10 seconds.
Here is a screenshot of my wireless network's successful crack.