
Thread: WEP Cracking Issues

  1. #11
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    It's not bad...it's..."unique". You'd hate to see me try French..all I know is parlez-vous français? and... Voulez une manière trois ?

    Oh yeah..and my favorite....

    A obtenu une autre bière Frenchie ?
    --=Xploitz=- ®
    Remote-Exploit.org's Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=9063
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" - http://forums.remote-exploit.org/showthread.php?t=7872
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=8230
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" - http://forums.remote-exploit.org/showthread.php?t=8041

  2. #12
    Junior Member
    Join Date
    May 2007
    Posts
    28


    Thanks guys, now I know WEP cracking, English and French; this forum is the best.
    OK, so I have one more question: when I do the aireplay-ng attack using -b and -h to generate traffic, all I see is "read" and the numbers going up, but ARP remains 0 and sent remains 0, which is telling me that I am not injecting any packets. I have a DWL-G650 h/w vers B5 f/w ver 2.54, and a Netgear WG511T. Are these capable of injecting packets?
    A wise man ask questions, A fool is afraid of knowledge!!

  3. #13
    Member
    Join Date
    May 2007
    Posts
    138


    Quote Originally Posted by -=Xploitz=-:
        parlez-vous français?
    Xploitz...you'd probably be better off asking parlez-vous anglais?

    piccolo_21: Your Netgear WG511T can definitely inject and will work straight out of the box with BT, no messing around, and despite having a very expensive card as well, it seems to have become my weapon of choice.

    I'm trying to remember the questions you asked about which things to cancel. Basically, (if I remember Xploitz's video correctly), he uses Airodump to find his network...which channel, the BSSID (which means the AP's MAC address), and the ESSID, (which is the network name).

    He then 'locks' airodump to the correct channel, (with the -c command), and the correct BSSID, (with the --bssid command), to ensure that he's only capturing the data he wants...and then leaves that running for the duration of the "crack". Basically airodump is the tool which captures the data, (IVs), which will be crunched by aircrack...when there's sufficient IVs to do it.

    The next stage is the "fake-auth"; you need to do this in order for the AP to accept the packets you send it, (injecting), and for it to spit out IVs...to be captured by airodump and then crunched with aircrack when you have enough. The fake-auth process is the aireplay -1 command, (where it says association successful with the smiley face).

    If all goes well then your MAC address should appear under the "STATION" section in the airodump window...and this tells you that the AP will accept packets from you when you start injecting, (and spit out the sacred IVs).

    The aireplay -3 command is where you wait for an ARP packet which you will send back to the AP to get the IVs flowing...this can take a while if you don't have a "client", (possibly hours), although if you have a spare computer that you can get to be the "client" then just disconnect/reconnect it to the wireless network and you'll get an ARP.

    When you get an ARP to play back, it will ask you if you want to send the packet...just type "y" and it'll start sending them. At this point your IVs should rise, (the #s in the airodump window), and you're away. You may start sending them and the IVs might not go up...this means that your fake-auth has timed out, just repeat the aireplay -1 command and you'll be back in business.

    If you're using the basic BT Live CD, wait until you get to 100,000 IVs and start aircrack...just remove the -z part from the code Xploitz uses in the video, (he's using a later version of aircrack, but let's not overcomplicate things by explaining the PTW attack as it's not available in the standard BT distro).

    So basically, read this and watch Xploitz's video and you should be on your way...as one final thing I'll even type the codes you want to use too. How nice am I being tonight?

    So, first things first:

    airodump-ng <interface> (with the Netgear that'll be ath0)

    (to do the initial scan to find out the details of your network)

    Write down: 1) The CHANNEL number, 2) The BSSID, 3) The ESSID, 4) Your card's MAC...that'll be printed on the card, (so do that first).

    Now, you need to set your card up ready to inject:

    airmon-ng stop ath0
    airmon-ng start wifi0 <CHANNEL>

    That's monitor mode sorted and your card's locked to the right channel.

    airodump-ng -c <CHANNEL> --bssid <BSSID> --ivs -w <A FILE NAME> ath0

    Now airodump's capturing IVs from your AP only!

    aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <MAC> ath0

    If all went well you got the smiley face and you've fake-authed

    aireplay-ng -3 -b <BSSID> -h <MAC> ath0

    Now you're waiting for an ARP, ideally you'll speed this up by connecting a "client"...otherwise you're in for a potentially long wait.

    When it asks if you want to send the packet, type "y" and it'll start sending it.

    Your IVs should now be going up, just like you see in the video, when you reach 100,000 move onto the next command!

    aircrack-ng -f 16 <A FILE NAME>*.ivs

    Notice the *.ivs after the file name, (the file name can be anything you choose, just make sure it's the same as the one you used in airodump), you need to add these!

    After a while, aircrack should pop up with the key. In the interim keep the injection and airodump running as these will continue to feed into the file aircrack is crunching and help it find the key...more IVs makes it easier for aircrack.

    Some of the commands are different, use these if you're using the basic BT Live CD...Xploitz has modified his, (now I'm even repeating myself lol), and some of the commands differ. When you make this work, thank Xploitz for his excellent video tutorial, his thread needs bumping and anyone who can make a video gets my respect...long story!

    Finally, I take no responsibility for the misuse of this information...but if I knew it was being misused I wouldn't hesitate to report you for it! Accessing other people's wireless is a crime, so don't end up in jail and afraid to take a shower...it's really not cool!!!

    Finally, forgive my drunken spoonfeeding...it's late on Saturday night here and having been away for a month I owe it to the community

  4. #14
    Junior Member
    Join Date
    May 2007
    Posts
    28


    Again, thanks a lot for all the help so far. I just have one more question: after I did aireplay-ng -1 0 -e <esid> -a <bssid> -h <mac my mac after I fake auth> ath0, I got "read 37648585 packets (got 711 arp requests), sent 422456 packets", but not once did it ask me to type Y to start sending. But I am figuring since it is sending it shouldn't be a big deal. But it keeps saying "Notice: got a deauth/disassoc packet. Is the source mac associated?" But I have already done the fake auth command a few times, and the number of IVs is only moving from 5-20 in 5 mins, really slow. #/s is 1, sometimes 0.

    Did I miss something......

  5. #15
    Member
    Join Date
    May 2007
    Posts
    138


    Quote:
        got a deauth/disassoc packet, is the source mac associated?
    This message suggests that your fake-auth has timed out, and the fact that your IVs aren't shooting up suggests the same.

    Try changing the aireplay-ng -1 0 (etc) to aireplay-ng -1 600 (etc)...this should regularly update your authorisation and stop you from disconnecting. Failing that, there's a more expansive code in the aircrack tutorial, (on the aircrack site), for "picky" APs. I can't remember the exact code off the top of my head as I've never needed to use it, (the fact that you're successfully fake-authing suggests you won't need it either), but it's there to try if you have no luck.

    As a tip, when you use the aireplay-ng -3 command you'll notice that it says something like "saving packets in replayxxxxx.cap"...so if you keep getting the "deauth/are you associated?" message just stop the replay attack, re-auth and then add "-r replayxxxxx.cap" to your code after the -h <MAC> and before the <INTERFACE>.

    That way you won't need to wait for another ARP, you can just use the packets you've already got...but do stop the injection before trying to fake-auth again because APs can get overwhelmed by the flood of packets you're sending and not allow you to fake-auth, (at least mine does).

    Remember, the -r technique is only useful if you've already got at least one ARP in the replayxxxxx.cap file though!
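    Two of the symptoms discussed in this thread, the ARP replay that drives the IV count up (aireplay-ng -3) and the AP's repeated deauth/disassoc frames, are also exactly what a wireless IDS watches for on the defending side. As an added example that is not from any poster here, this Python detector runs two such rules over constructed frame records; the MAC addresses, frame kinds and thresholds are assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample frames (not a real capture): (time_s, src, dst, kind, length)
AP, CLIENT, STATION = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
FRAMES = (
    # a legitimate client: a few data frames of varying length
    [(0.5 * i, CLIENT, AP, "data", 90 + 7 * i) for i in range(6)]
    # an ARP replay: the same 68-byte ARP request, 300 times within one second
    + [(1.0 + i / 300, STATION, AP, "arp-req", 68) for i in range(300)]
    # the AP repeatedly deauthenticating the injecting station
    + [(1.2 + 0.3 * i, AP, STATION, "deauth", 26) for i in range(5)]
)


def arp_replay_sources(frames, window_s=1.0, min_count=100):
    """Stations that send at least min_count ARP requests inside one sliding
    window and whose requests all share a single frame length. A replayed
    ARP is byte-identical every time; a real client's ARP traffic is neither
    this fast nor this uniform. Thresholds are assumed values for the sample."""
    by_src = defaultdict(list)
    for t, src, _dst, kind, length in frames:
        if kind == "arp-req":
            by_src[src].append((t, length))
    flagged = set()
    for src, pkts in by_src.items():
        pkts.sort()
        lo = 0
        for hi in range(len(pkts)):
            while pkts[hi][0] - pkts[lo][0] > window_s:
                lo += 1                      # slide the window's left edge
            window = pkts[lo:hi + 1]
            if len(window) >= min_count and len({ln for _, ln in window}) == 1:
                flagged.add(src)
                break
    return flagged


def deauth_targets(frames, min_count=3):
    """Stations that one sender deauthenticates/disassociates at least
    min_count times; the 'got a deauth/disassoc packet' notice in the thread
    is this same traffic seen from the injecting side."""
    counts = defaultdict(int)
    for _t, src, dst, kind, _len in frames:
        if kind in ("deauth", "disassoc"):
            counts[(src, dst)] += 1
    return {dst for (_src, dst), n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("ARP replay sources:", arp_replay_sources(FRAMES))  # {STATION}
    print("Deauth targets:", deauth_targets(FRAMES))          # {STATION}
```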

  6. #16
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Quote Originally Posted by TrialAndError:
        Xploitz...you'd probably be better off asking parlez-vous anglais?
    OOOpps!! You're right. I was pretending I was -=Ze Frenchie=-

    Quote Originally Posted by TrialAndError:
        This message suggests that your fake-auth has timed out, and the fact that your IVs aren't shooting up suggests the same.
    I'd put money on it that he's channel hopping, simply because almost always one fake auth will last during the entire pen testing process. Try this
    piccolo_21.....

    airmon-ng stop ath0
    airmon-ng start wifi0 <channel AP is on here>

    EXAMPLE...

    airmon-ng start wifi0 6

    Also make sure your using this format for airodump...

    airodump-ng -c <Channel of AP> -w <capture File Name> --bssid <Your AP's BSSID HERE> ath0

    These 2 steps should put an end to your channel hopping once, and for all.

  7. #17
    Member
    Join Date
    May 2007
    Posts
    138


    Of course he is, which would explain the "(got 711 arp requests), sent 422456 packets"...well spotted Xploitz!

    Although surely the deauth packets are a result of losing his fake-auth...again probably a result of channel hopping, lol.

  8. #18
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Quote Originally Posted by TrialAndError:
        Although surely the deauth packets are a result of losing his fake-auth...again probably a result of channel hopping, lol.
    Most definitely!

  9. #19
    Junior Member
    Join Date
    May 2007
    Posts
    28


    Thanks a lot guys, I have finally done it 100%. This forum is the best; help like this is never free.

    Thanks, I can close this thread now.

  10. #20
    Member
    Join Date
    May 2007
    Posts
    138


    Quote:
        Thanks a lot guys, I have finally done it 100%. This forum is the best; help like this is never free.
    You're right...this forum is the best, and you're welcome.
