Hello guys, nice to see you all again. It has been a week for me to prepare this post, not to mention the many years I took to master the how-to in this post. What how-to? Yep you guest it right. WEP Wifi Hacking!!
As I said above, it took me ages to master the skill of hacking WEP Wifi password, but once you successfully crack 2 or 3 times (poor victims lol), this wicked practice will be at your fingertips.
Why i needed a century to learn? Apparently most guides available out there seem to cater the seasoned and experienced hacker, I'm no hacker thus I could hardly understand the instructions laid in the guide. In addition of not being very, what can I say, bonded to Linux (command line anyone?), I am also subjected to limited hardware compatibility (more on this later) during the inception of wireless hacking/ WEP cracking. I think things have improved lately, well at least not as bad as what I've experienced. So not to waste anymore your precious time, let's start shall we....
If you are interested in gaining additional info, kindly read the articles as follow;
What is WiFi (Wireless Fidelity)
Wired Equivalent Privacy (WEP)
Aircrack-ng (the software used to crack WEP)
Disclaimer: The author does not condone hacking or similar act in anyway whatsoever. This post is intended for educational purpose and to create awareness that WEP protection is not safe any longer. The practice done by the author was made on the author's own network infrastructure.
1) PREPARATION OF INGREDIENTS
What do you need
- Linux Backtrack 5 OS. Can be downloaded here http://www.backtrack-linux.org/downloads/
- Compatible wireless dongle/ adapter (more on this later)
- USB flash drive or DVD, or any storage medium to boot linux from, and of course with ample spaces.
- Unetbootin, the software to put Linux Backtrack to USB drive (or anything) and boot linux from there http://unetbootin.sourceforge.net/
- Some patience
2) PREPARE LINUX
After you have downloaded Linux Backtrack 5 (the latest at the time of writing), you need to extract the Linux to the USB drive.
BackTrack Live USB Install
This method of getting a live install to a USB drive is the simplest available using Unetbootin. Note that we will format the USB drive and erase its contents.
- Plug in your USB Drive (Minimum USB Drive capacity 2 GB)
- Format the USB drive to FAT32
- Download Unetbootin from http://unetbootin.sourceforge.net/
- Start Unetbootin and select diskimage (use the backtrack-final ISO)
- Select your USB drive and click “OK” for creating a bootable BackTrack USB drive
- Log into BackTrack with the default username and password root / toor.
After putting Backtrack Linux into the USB flashdrive, restart your pc and boot from the flashdrive containing Backtrack Linux. You can either set boot priority in the BIOS or just choose boot option by pressing F12 (may vary depending on your pc). When Backtrack is booting, it will ask to choose display mode, just press "spacebar" to continue. After that, it will stop at one point, stating type startx to start Backtrack in X window system. Just type in "startx" and press "enter".
3. PREPARING WIFI DONGLE/ADAPTER INTO MONITORING MODE
- Launch Terminal by clicking the icon as shown below
In the terminal, type airmon-ng and press Enter. This part is very important to determine whether your wifi dongle/adapter support monitoring mode. If yours does support, it will show like the pic below
It shows that my adapter is Atheros AR2425 (AR 5007EG) and the driver version. Yours might be different depending on the model of the adapter. As long as it shows similar like this, then you can proceed. The interface is marked as wlan0, if you have 2 compatible adapters, it may be marked as wlan0 and wlan1. You can choose either one.
- In the same terminal, type airmon-ng start wlan0. The command will enable monitor mode on your adapter - as you can see with mon0 shown in the pic below
4. CHOOSING ACCESS POINT AND PACKET CAPTURING
- In the same terminal, type airmon-ng mon0 and press Enter. This will list down all available access point within the area.
So as you can see above is the list of available access points. I'm going to launch a simulated attack on my own access point, XtremeWifi (partly visible). The most important thing to consider here is the BSSID and channel number (CH). BSSID is the unique identity number of the access point (regardless of the access point name) and the access point transmit signal through specified channel (CH). From the pic above, we can also determine that my access point use WEP security.
Next, COPY the BSSID NUMBER (highlight all the 12 digits, right click and copy) and REMEMBER THE CHANNEL (CH). In this simulated attack, my channel number is 2. After that, PRESS CTRL+C to stop the console.
- Open a NEW terminal and type airodump-ng -w wep -c [channel number] --bssid [paste your bssid number (right click and select paste) mon0
- Press ENTER. See pic below for guide
- You can see that your adapter began capturing data (marked #Data in pic below) from the specified access point. This data will be used to crack the WEP password later.
- Next open a new terminal (third) and type aireplay-ng -1 0 [paste bssid number] mon0 and press Enter. See pic below;
- After you have completed the above, open a new terminal (fourth) and type aireplay-ng -3 -b [paste bssid number here] mon0 and press Enter. This process accelerate packets capturing thus allowing more #Data to be obtained.
- Go back to the terminal containing the #Data (second terminal) and observe the #Data. Typically a 64bit WEP encryption requires 10,000 to 30,000 #Data to decipher the encryption. In my case, I set my router to 128bit WEP and it requires 140,000 #Data. Quite a lot if you ask me.
- The only way to increase #Data is to make sure that the access point is busy transferring packet/data. So to accelerate the capturing, I downloaded a file from the internet to simulate access point ---> client pc transfers. If you happen to attack someone else's access point, then it may take some time (or you can call that person and ask him to use his internet, that should work).
5. CRACKING THE WEP PASSWORD
- Let the fun begins. Fire up a new terminal and type aircrack-ng wep-01.cap and press Enter.
I started cracking at 2156 #Data (a long way to go I know). Aircrack called #Data as IV (Initialisation Vector), dont worry its the same.
- And the result................................(that's not my access point, poor victim lol heheheh)
Note: if aircrack-ng fails to crack at certain #Data/IVs, dont close anything because aircrack-ng will try to crack again once you have captured 5000 IVs and it will do that until... well if you got 1 million IVs and still fail, please redo the whole process for the sake of sanity.