http://forums.remote-exploit.org/showthread.php?t=1556

Newbie Guide:- How to crack a WEP key, step by step. By another newbie.

#1 BigDook, Junior Member (Posts: 4, Join Date: May 2006), 05-21-2006, 07:12 AM

Hi

I have downloaded the latest BT and finally figured out how to crack a WEP key. Thought I'd post my routine for
anyone else who might be having trouble.

BTW, I'm a complete newbie to BT and any Linux related stuff, but will be hoping to change that.

OK, first off some quick info on my specs. Acer Laptop (CeleronM) with built in Atheros 5005 wireless.

1. Fire up Kismet and find the AP you wanna access, sort the listed APs by using "S" then "C". Then select your
AP, hit "Enter" to get any info you may need from it (MAC Address, WEP, Channel etc.). Then press "q" to come
out of that details screen, and with my AP selected type "L" (capital) which as far as I can see makes your card lock
onto that AP.

2. Open a console screen, then enter the following command to launch AiroDump which will "sniff" the packets
about you.

Command = "airodump-ng -w capture -c 6 ath0"

OK, "airodump-ng" is the program itself.
"-w capture" Gets it to write the sniffed packets to a file called "capture.cap".
"-c 6" Makes the program ONLY sniff on channel 6.
"ath0" The name of my wireless card.

Leave that running, and keep an eye on the MAC address of your desired AP and the packets/data increasing (the
Data is the IVs).

3. Open another console to be used to make Aireplay perform a DE-AUTH attack on a specific machine connected
to that AP. This should make that specific machine disconnect and reconnect to the AP, and in the process make it
send data to the AP which will include the WEP key.

Command = "aireplay-ng -e DLINK -a 00:11:22:33:44:55 -c 66:77:88:99:00:AA --deauth 10 ath0"

"aireplay-ng" is the program itself.
"-e DLINK" is the name of the SSID of the target AP.
"-a 00:11:22:33:44:55" is the MAC address of the target AP.
"-c 66:77:88:99:00:AA" is the MAC address of the target machine connected to that AP (you should be able to
find any machines connected to the AP from looking at the info in AiroDump).
"--deauth 10" The type of attack we're performing, in this case it's the DEAUTH attack repeated 10 times.
"ath0" The name of my wireless card.

Have that command ready to go, but don't do it yet.

4. Open another console screen, and again we're going to use AIREPLAY, but this time it's going to capture some
packets that might contain any IV data, then keep repeating to pump this info to the AP by "pretending" to be the
target machine that the other instance of Aireplay performed the DEAUTH attack on.

Command = "aireplay-ng --arpreplay -b 00:11:22:33:44:55 -h 66:77:88:99:00:AA ath0"

1 von 5 23.08.2006 20:46

"aireplay-ng" Name of the program.
"--arpreplay" Is the function of aireplay you are trying to perform, in this case it's a replay of an ARP request, which
will contain IV data.
"-b 00:11:22:33:44:55" MAC address of the target AP.
"-h 66:77:88:99:00:AA" MAC address of the target machine connected to that AP.
"ath0" Name of my wireless card.

Right, run that command, and you should see it searching for packets.

Fire off the previous command to initiate the DEAUTH attack, then switch back to the aireplay replay screen. And
you should see it detect a deauth/discon of a machine, then it captures that packet, and starts repeating to pump it
back to the AP by pretending to be the target machine.

Flick over to the airodump screen, and HOPEFULLY it should have lots of DATA or IV packets coming through.

You can close down the DEAUTH screen of aireplay now, and then let the other one keep replaying that packet
until you feel you have enough packets to crack it, or just start the crack whilst more packets keep flooding
through.

5. Open the FINAL console screen which will be used to run AirCrack which will scan the captured packets from
AiroDump.

Command = "aircrack-ng -f 4 -m 00:11:22:33:44:55 -n 64 capture.cap"

"aircrack-ng" Name of the program.
"-f 4" Run the Fudgefactor 4 times (hehe, I have no idea what this is but apparently increasing the fudge factor
gives a better chance of finding the key, but will take longer the higher the number).
"-m 00:11:22:33:44:55" MAC address of the target AP, so you're not searching packets of APs that you don't
wanna crack.
"-n 64" The amount of bits in the key, in this case it's 64, but there's also 128 etc.
"capture.cap" Name of the capture file being created by AiroDump.

Fire it off, and depending on how quick your machine is, how many IVs you've capped or what bit your key is (in
my case only 64) and BINGO! It finds the key.

I tested this on my home AP so I already knew the key, and only used one laptop.

Am sure I've got some terms wrong, or could do it more efficiently, but this worked for this newbie, and I'm a very
happy chap.

Hope it helps anyone.
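As an added example (not from the thread or the aircrack-ng project), here is the detection-side view of step 3: a small Python scan over constructed 802.11 frame summaries that flags a burst of deauthentication frames against one station, which is what a "--deauth 10" run looks like to a wireless IDS. The MAC addresses are the placeholder values from the post, and the frame records are constructed inline.

```python
"""Deauth-burst detector over constructed 802.11 frame summaries.

Added example, not code from the thread. Records are (timestamp_s, frame_type,
subtype, src, dst, bssid); the MACs are the post's placeholder values.
"""
from collections import defaultdict, deque

DEAUTH = (0, 12)  # 802.11 management frame (type 0), subtype 12 = deauthentication

AP = "00:11:22:33:44:55"   # placeholder AP MAC from the post
STA = "66:77:88:99:00:AA"  # placeholder station MAC from the post

# Constructed capture summary (not real traffic).
FRAMES = [
    (0.00, 2, 0, STA, AP, AP),   # ordinary data frame, station -> AP
    (0.05, 2, 0, AP, STA, AP),   # ordinary data frame, AP -> station
    (1.00, 0, 12, STA, AP, AP),  # a single deauth: the station leaving, benign
] + [
    # a burst of ten deauth frames "from" the AP to one station, like --deauth 10
    (5.0 + i * 0.01, 0, 12, AP, STA, AP) for i in range(10)
]


def deauth_bursts(frames, threshold=5, window_s=1.0):
    """Return {(bssid, station): peak_count} for every pair that saw at least
    `threshold` deauth frames inside any `window_s`-second window.
    Frames must be in timestamp order."""
    recent = defaultdict(deque)  # (bssid, station) -> timestamps still in window
    flagged = {}
    for ts, ftype, subtype, src, dst, bssid in frames:
        if (ftype, subtype) != DEAUTH:
            continue
        # the station is whichever end of the deauth is not the AP (BSSID)
        station = dst if src == bssid else src
        key = (bssid, station)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (bssid, sta), n in deauth_bursts(FRAMES).items():
        print(f"deauth burst: {n} frames in {1.0}s against {sta} on BSSID {bssid}")
```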

#2 michelinok, Senior Member (Posts: 145, Join Date: Apr 2006), 05-22-2006, 05:46 PM

Sticky this post!

#3 killnine, Member (Posts: 71, Join Date: Apr 2006), 05-22-2006, 06:32 PM

This seems to be a good run-through of why people use specific arguments to the applications. Very helpful,
thanks


#4 spons, Junior Member (Posts: 7, Join Date: Mar 2006), 05-23-2006, 11:57 PM

Nice one

Almost worked for me.

Packet injection finally works with the final on my card.

It could be me, I tried 2 laptops with an Atheros 5005 card, and I got data packages about 1 million and more.

But when I start aircrack for a 128 bit key, set the command:
capture-01.cap is how my file looked like

aircrack-ng -f 4 -m 00:11:22:33:44:55 -n 128 capture-01.cap

It's not getting the key I think, I had it running for 24 hours and still nothing?

Is there something I'm doing wrong here?

#5 BigDook, Junior Member (Posts: 4, Join Date: May 2006), 05-24-2006, 03:31 AM

Am assuming you're testing this on your own access point? So you're SURE which key type it is?

I "assumed" mine was a 128bit key, and after running for an hour, didn't find it.

I set it to 64bit, and within 5 mins, BINGO....KEY!

Sure you're searching for the right key bit type then?

#6 spons, Junior Member (Posts: 7, Join Date: Mar 2006), 05-24-2006, 11:17 AM

I know for sure it is 128bit, the configuration in the router says 128 bit encryption, and the thing was, I didn't say that
it could not find it.

It was just still cracking the key after 24 hours, so I stopped it.

Hmm, I have tried another access point, *Belkin this time*, put laptop 1 on it and with my other I tried to deauth and
arpreplay but it looks like I can't get it to deauth, nothing is happening.
Last edited by spons : 05-24-2006 at 11:35 AM.

#7 trueblu8, Member (Location: Chicago, Posts: 82, Join Date: May 2006), 05-26-2006, 12:31 AM

deauth problems...

Damn I still cannot deauth, this is so frustrating!!!!!!!!! I feel like I've run every command known to man but it
won't work! Please somebody, anybody, please help! I have an atheros card, and am running auditor
200605-02-no-ipw-2001.

#8 trueblu8, Member (Location: Chicago, Posts: 82, Join Date: May 2006), 05-26-2006, 12:33 AM

Sorry, had to post again as I forgot to subscribe....

thanks

#9 Miki@BT, Member (Posts: 56, Join Date: Apr 2006), 05-30-2006, 11:24 AM

thanks

Wow, thx for that posting, it's very helpful, especially the options!

#10 trueblu8, Member (Location: Chicago, Posts: 82, Join Date: May 2006), 05-31-2006, 01:25 AM

Quote (Originally Posted by trueblu8):

Damn I still cannot deauth, this is so frustrating!!!!!!!!! I feel like I've run every command known to man
but it won't work! Please somebody, anybody, please help! I have an atheros card, and am running
auditor 200605-02-no-ipw-2001.

Yes, problem solved! I got rid of that damned auditor and d/l-ed BT Beta, and lo and behold, problem solved,
works like a charm.
