WEP and WPA Cracking Made Simple

DfgDfg Admin
edited June 2012 in Tech & Games
Found this interesting guide.

Disclaimer: This article is for educational purposes. Do not attempt the following on hardware you do not own.

Before we begin it's important to make sure that you have everything you need. For the sake of this tutorial I will be using a live Backtrack 5 USB drive, a WiFi card compatible with aircrack-ng, two computers (although you can get away with just using one), and of course a wireless router.

Backtrack can be downloaded for free at http://www.backtrack-linux.org/

A list of compatible cards can be found here. If you're going to need a new card I would recommend this one:
Alfa AWUS036NHR - High-Gain 2000mw 2W 802.11 B/G/N Wireless USB Network Adaptor - Wireless-N 802.11n Wi-Fi - 150Mbps - 2.4 GHz - 5dBi Antenna - Long Range - Realtek Chipset

It should work out of the box with Backtrack Linux.

Step 1 - Finding the name of your wireless interface
This step is easy enough. Type "airmon-ng" without the quotes into the terminal to find the interface name of your wireless card.
In this example the interface is wlan0. Your interface could very well be something different. Write down the name of the interface and keep it for reference.
Step 2 - Start your interface in monitor mode
The next step is to put the wireless card into monitor mode. In the last step we determined what the name of our wireless interface was. Type the following into the terminal, without quotes, where (interface) is the name of your interface. "airmon-ng start (interface)"
You should also kill any processes that airmon-ng reports could cause trouble. Killing the processes is easy enough. Keep in mind that the PIDs will be different every time. In the screenshot, 2836 and 2884 are the processes we want to kill. Just type "kill (pid)" into the terminal, without quotes, for each PID, replacing (pid) with the number provided.

Step 3 - Find the access point and its BSSID
For this step type the following into your trusty terminal, once again keeping in mind to replace (interface) with the correct name: "airodump-ng (interface)"
If you've followed all the previous instructions correctly, you should now see the airodump-ng display:
The BSSIDs in the top section correspond to access points. The station section at the bottom contains MAC addresses that correspond to the clients connected to the access points. In this example there is a WEP network by the name of "vulnerable". This is what I will be cracking. To stop airodump-ng you can press Ctrl-C (the information will still be on the screen and you can copy and paste from it easily).
If you are cracking WEP, just take note of the BSSID of the access point and the channel it's on (the CH column specifies the channel). If you are cracking WPA, take note of the BSSID of the access point, the channel it's on (once again, the CH column specifies the channel), as well as the MAC address of any clients connected to it. If the network you want to crack is WPA you can skip down to the WPA section now; otherwise continue reading for WEP cracking.
WEP Specific Section
Step 4 - Dump packets into file
Now that you have the necessary information, type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"
You should now be capturing data. When the "#Data" count exceeds 10000 you're generally good to go. Sometimes it takes a lot more though. The Data count will rise depending on how much network traffic there is. If someone on the network jumps on YouTube, for example, you should have more than enough data in a very short period of time. If there isn't much network traffic you'll have to either wait, or use a method to get around it which I won't be covering in this tutorial.
Once the data has reached a sufficient amount it's time to crack it. This will be the last step. You're almost done.
Step 5 - Crack the Key
The final step is cracking the key. Type the following into the terminal without the quotes: "aircrack-ng -b (bssid) (file name from before)*.cap"
If you're successful you should get something that looks like this:
If it doesn't find the key right away, don't get discouraged, just wait for it to collect more data and try again.
WPA Specific Section
Step 4 - Start Dumping Data to File
This step is actually exactly the same as it is in the WEP section, except this time we're looking for the WPA handshake. Type the following into the terminal without the quotes: "airodump-ng -c (channel) -w (file name of your choice) --bssid (bssid) (interface)"
We're looking for a WPA Handshake. When we capture it, it will show up in the upper right corner. It will appear whenever a client connects to the access point. If there is a client currently connected you can send a deauth packet to knock it offline and generally have it reconnect.
Open up a new terminal and don't touch the one capturing data. For this one you might want to run airodump-ng, close it with control-c, and then copy and paste the correct information into the command.
The deauth command is as follows without the quotes: "aireplay-ng -0 1 -a (BSSID) -c (mac address of client) (interface)"
In this command the -0 specifies deauthentication, and the 1 is the number of times to perform it.
You should now have the handshake. Go back to the terminal that's collecting data. If everything went as planned the upper right should now say "WPA handshake". You can close out of that, and it's time to crack the passphrase.
WPA isn't quite as easy to crack. You can use a word list, or a program like John the Ripper to brute force the handshake. In this example I'm using a word list that comes with Backtrack 5. There are plenty of word lists out there, and a lot of them are going to be better than this one. Nevertheless, it will do for this example.
Type the following into a terminal: "aircrack-ng -w (wordlist) -b (bssid) (file name from before)*.cap". I believe the word list can be found in multiple places, but in this example I used "/rofs/pentest/wireless/aircrack-ng/test/password.lst".
If you are successful you should see something that looks like this:
If you're not so lucky you need either another word list or you need to use John the Ripper. Assuming that your dump is in /root/ (it should be if you followed this tutorial exactly), to use John the Ripper do the following:
Change the directory to /pentest/passwords/john/ by issuing the command "cd /pentest/passwords/john" without the quotes. From there type in the command "./john --incremental --stdout | aircrack-ng -b (bssid) -w - /root/(file)*.cap" without the quotes, and then wait for what might be an eternity for it to find the correct key.


via: http://torustech.blogspot.com/2012/06/wep-and-wpa-cracking-made-easy.html
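Since the guide relies on forced deauthentication to capture a handshake, here is an added example (not part of the original guide or of aircrack-ng) of what a wireless IDS looks for on the defending side: it parses raw 802.11 management frames and flags a burst of deauth/disassoc frames aimed at one client. The frame bytes, MAC addresses and thresholds are constructed for the example.

```python
# Added example, not from the original guide: a minimal wireless-IDS check for
# bursts of 802.11 deauthentication frames (the traffic 'aireplay-ng -0' sends).
import struct
from collections import defaultdict
# Management frame: byte 0 = frame control (subtype<<4 | type<<2 | version),
# bytes 4-9 receiver, 10-15 transmitter, 16-21 BSSID, 24-25 reason code (LE).
MGMT_TYPE, DEAUTH, DISASSOC = 0, 12, 10
mac_str = lambda raw: ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """(subtype, receiver, transmitter, bssid, reason) for deauth/disassoc, else None."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason

def find_deauth_bursts(frames, window=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {(bssid, client):
    total} for clients sent >= threshold deauth/disassoc frames in any window seconds."""
    per_client = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed:
            per_client[(parsed[3], parsed[1])].append(ts)  # key: (bssid, receiver)
    alerts = {}
    for key, times in per_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:  # one deauth is a client leaving; a burst is not
                alerts[key] = len(times)
                break
    return alerts

def sample_frame(subtype, receiver, bssid, reason=7):
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0])  # constructed test frame
    return fc + b"\0\0" + receiver + bssid + bssid + b"\0\0" + struct.pack("<H", reason)
# Constructed capture: six deauths at one client in 0.5 s, one later deauth at
# another client (normal disconnect), and one beacon that must be ignored.
AP, C1, C2 = (bytes.fromhex(h) for h in ("001122334455", "aabbccddee01", "aabbccddee02"))
SAMPLE = [(0.1 * i, sample_frame(DEAUTH, C1, AP)) for i in range(6)]
SAMPLE.append((42.0, sample_frame(DEAUTH, C2, AP, reason=3)))
SAMPLE.append((43.0, bytes([0x80, 0]) + b"\0\0" + b"\xff" * 6 + AP + AP + b"\0" * 4))

def run_sample():
    return find_deauth_bursts(SAMPLE)  # {('00:11:22:33:44:55', 'aa:bb:cc:dd:ee:01'): 6}
```

Protected Management Frames (802.11w) authenticate deauthentication frames so a client ignores spoofed ones; on networks without it, a burst like the one flagged here is the visible indicator.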

Comments

  • edited June 2012
    Awesome guide, quite a bit of variation from how I'd do it but it's still a perfectly working way :thumbsup: I even find my interface name differently, typing "ifconfig" instead of starting airmon-ng but I guess either works just fine. I've posted a WEP/WPA cracking guide in the past but I could definitely improve on it as cracking wireless networks is something I do quite regularly now.

    Who'd be interested in a video tutorial as well? I could easily make one using Camtasia, explaining each step and backing it up with some text, explaining the different commands and what's actually going on rather than just getting a skiddie to type in some random commands.
  • DfgDfg Admin
    edited June 2012
    Video tutorial would be great.
  • SlartibartfastSlartibartfast Global Moderator -__-
    edited June 2012
    ifconfig will soon be deprecated - not updated since '01 I believe.

    ip addr
  • edited June 2012
    ifconfig will soon be deprecated - not updated since '01 I believe.

    ip addr

    Jesus, I did NOT know that! But surely it will still be used... I mean, it works right?
  • SlartibartfastSlartibartfast Global Moderator -__-
    edited June 2012
    ifconfig has been around since the early 80s - people are used to it (think of all the automated scripts) - it will probably have a long phase out period.