Hacking WEP wifi passwords

1. Getting the right tools Download Backtrack 3. It can be found here: http://www.remote-e ploit.org/backtrack!download.html "he Backtrack # beta is out but until it is full$ tested %especiall$ if $ou are a noob& I would get the B"3 setup. "he rest of this guide will proceed assuming $ou downloaded B"3. I downloaded the 'D iso and burned it to a cd. Insert $our B"3 cd/usb dri(e and reboot $our computer into B"3. I alwa$s load into the 3rd boot option from the boot menu. %)*+,/-D*& .ou onl$ ha(e a few seconds before it auto-boots into the 1st option so be read$. "he 1st option boots too slowl$ or not at all so alwa$s boot from the /nd or 3rd. * periment to see what works best for $ou. /. 0reparing the (ictim network for attack 1nce in B"32 click the tin$ black bo in the lower left corner to load up a 3-onsole3 window. 4ow we must prep $our wireless card. "$pe: airmon-ng .ou will see the name of $our wireless card. %mine is named 3ath53& 6rom here on out2 replace 3ath53 with the name of $our card. 4ow t$pe: airmon-ng stop ath5 then t$pe: ifconfig wifi5 down then: macchanger --mac 55:11://:33:##:77 wifi5 then: airmon-ng start wifi5

8hat these steps did was to spoof %fake& $our mac address so that 9:+" I4 ',+* $our computeris disco(ered b$ someone as $ou are breaking in2 the$ will not see $our ;*,< mac address. =o(ing on... 4ow it>s time to disco(er some networks to break into. "$pe: airodump-ng ath5 4ow $ou will see a list of wireless networks start to populate. +ome will ha(e a better signal than others and it is a good idea to pick one that has a decent signal otherwise it will take fore(er to crack or $ou ma$ not be able to crack it at all. 1nce $ou see the network that $ou want to crack2 do this: hold down ctrl and tap c "his will stop airodump from populating networks and will free?e the screen so that $ou can see the info that $ou need. @@4ow from here on out2 when I tell $ou to t$pe a command2 $ou need to replace whate(er is in parenthesis with what I tell $ou to from $our screen. 6or e ample: if i sa$ to t$pe: -c %channel& then dont actuall$ t$pe in -c %channel& Instead2 replace that with whate(er the channel number is...so2 for e ample $ou would t$pe: -c A 'an>t be much clearer than that...lets continue...

4ow find the network that $ou want to crack and =,-* +:;* that it sa$s the encr$ption for that network is 8*0. If it sa$s 80, or an$ (ariation of 80, then mo(e on...$ou can still crack 80, with backtrack and some other tools but it is a whole other ball game and $ou need to master 8*0 first.

1nce $ou>(e decided on a network2 take note of its channel number and bssid. "he bssid will look something like this --B 57:gk:35:fo:sC:/n "he 'hannel number will be under a heading that sa$s 3'D3. 4ow2 in the same -onsole window2 t$pe: airodump-ng -c %channel& -w %file name& --bssid %bssid& ath5 the 6I<* 4,=* can be whate(er $ou want. "his is simpl$ the place that airodump is going to store the packets of info that $ou recei(e to later crack. .ou don>t e(en put in an e tension...Eust pick a random word that $ou will remember. I usuall$ make mine 3wepke$3 because I can alwa$s remember it. @@+ide 4ote: if $ou crack more than one network in the same session2 $ou must ha(e different file names for each one or it won>t work. I usuall$ Eust name them wepke$12 wepke$/2 etc. 1nce $ou t$ped in that last command2 the screen of airodump will change and start to show $our computer gathering packets. .ou will also see a heading marked 3I)3 with a number underneath it. "his stands for 3Initiali?ation )ector3 but in noob terms all this means is 3packets of info that contain clues to the password.3 1nce $ou gain a minimum of 72555 of these I)>s2 $ou can tr$ to crack the password.

I>(e cracked some right at 72555 and others ha(e taken o(er A52555. It Eust depends on how long and difficult the$ made the password. 4ow $ou are thinking2 3I>m screwed because m$ I)>s are going up reall$ slowl$.3 8ell2 don>t worr$2 now we are going to trick the router into gi(ing us D:4D;*D+ of I)>s per second. 3. ,ctuall$ cracking the 8*0 password 4ow lea(e this -onsole window up and running and open up a /nd -onsole window. In this one t$pe: airepla$-ng -1 5 -a %bssid& -h 55:11://:33:##:77 ath5

"his will generate a bunch of te t and then $ou will see a line where $our computer is gathering a bunch of packets and waiting on ,;0 and ,'-. Don>t worr$ about what these mean...Eust know that these are $our meal tickets. 4ow $ou Eust sit and wait. 1nce $our computer finall$ gathers an ,;0 reFuest2 it will send it back to the router and begin to generate hundreds of ,;0 and ,'- per second. +ometimes this starts to happen within seconds...sometimes $ou ha(e to wait up to a few minutes. 9ust be patient. 8hen it finall$ does happen2 switch back to $our first -onsole window and $ou should see the number underneath the I) starting to rise rapidl$. "his is greatG It means $ou are almost finishedG 8hen this number reaches ," <*,+" 72555 then $ou can start $our password crack. It will probabl$ take more than this but I alwa$s start m$ password cracking at 72555 Eust in case the$ ha(e a reall$ weak password. 4ow $ou need to open up a 3rd and final -onsole window. "his will be where we actuall$ crack the password. "$pe: aircrack-ng -b %bssid& %filename&-51.cap ;emember the filename $ou made up earlierH =ine was 3wepke$3. Don>t put a space in between it and -51.cap here. "$pe it as $ou see it. +o for me2 I would t$pe wepke$-51.cap 1nce $ou ha(e done this $ou will see aircrack fire up and begin to crack the password. t$picall$ $ou ha(e to wait for more like 152555 to /52555 I)>s before it will crack. If this is the case2 aircrack will test what $ou>(e got so far and then it will sa$ something like 3not enough I)>s. ;etr$ at 152555.3 D14>" D1 ,4."DI4GG It will sta$ running...it is Eust letting $ou know that it is on pause until more I)>s are gathered. 1nce $ou pass the 152555 mark it will automaticall$ fire up again and tr$ to crack it. If this fails it will sa$ 3not enough I)>s. ;etr$ at 172555.3 and so on until it finall$ gets it.

If $ou do e(er$thing correctl$ up to this point2 before too long $ou will ha(e the passwordG now if the password looks goof$2 dont worr$2 it will still work. some passwords are sa(ed in ,+'II format2 in which case2 aircrack will show $ou e actl$ what characters the$ t$ped in for their password. +ometimes2 though2 the password is sa(ed in D*I format in which case the computer will show $ou the D*I encr$ption of the password. It doesn>t matter either wa$2 because $ou can t$pe in either one and it will connect $ou to the network. "ake note2 though2 that the password will alwa$s be displa$ed in aircrack with a colon after e(er$ / characters. +o for instance if the password was 3secret32 it would be displa$ed as: se:cr:et "his would ob(iousl$ be the ,+'II format. If it was a D*I encr$pted password that was something like 356-8C#/J)63 then it would still displa$ as: 56:-8:C#:/J:)6 9ust omit the colons from the password2 boot back into whate(er operating s$stem $ou use2 tr$ to connect to the network and t$pe in the password without the colons and prestoG .ou are inG It ma$ seem like a lot to deal with if $ou ha(e ne(er done it2 but after a few successful attempts2 $ou will get (er$ Fuick with it. If I am near a 8*0 encr$pted router with a good signal2 I can often crack the password in Eust a couple of minutes. I am not responsible for what $ou do with this information. ,n$ malicious/illegal acti(it$ that $ou do2 falls completel$ on $ou because...technicall$...this is Eust for $ou to test the securit$ of $our own network. :-& I will gladl$ answer an$ legitimate Fuestions an$one has to the best of m$ abilit$. D18*)*;2 I 8I<< 41" ,4+8*; ,4.14* "D," I+ "11 <,K. "1 ;*,D "D* 8D1<* ":" ,4D 9:+" ,+-+ =* +1=* L:*+"I14 "D," I '<*,;<. ,4+8*;*D. 4o one wants to hold $our hand through this...read the tut and go e periment until $ou get it right. "here are rare occasions where someone will use 8*0 encr$ption with +-, as well. %+hared -e$ ,uthentication& If this is the case2 additional steps are needed to associate with the router and therefore2 the steps I lined out here will not work. I>(e onl$ seen this once or twice2 though2 so $ou probabl$ won>t run into it. If I get moti(ated2 I ma$ throw up a tut on how to crack this in the future.