Cracking WEP: Difference between revisions

From ITCwiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
:In this lab, I will show you how to crack WEP using BackTrack 3. As you may know, WEP is a week security protocol that can be broken easily. There are dozens of articles about cracking WEP on the internet, so if this article doesn’t give you enough information, please do some online researches. The purpose of this lab is not encouraged you to be a hacker. I set this lab for educational purpose and to prove that WEP is a weak protocol that can be hacked easily.
:In this article, I will create a wireless network lab and show you how to crack a WEP key using BackTrack 3. As you may know, WEP is a week security protocol that can be broken or crack easily. There are dozens of articles about cracking WEP on the internet. If this article doesn’t give you enough information, please do some online researches to find more information and detail. The purpose of this lab is not encouraged you to be a hacker. I write this article for educational purpose, and to prove that WEP is a weak security protocol that can be hacked easily.
 
==Hardware required==
==Hardware required==
Here is a list of equipment and hardware Requirement for this lab:
:Here is a list of equipment and hardware Requirement for this lab:
:*A wireless router - this could be any wireless router that supported WEP security encryption.
:*A wireless router - this could be any wireless router that supported WEP security encryption.
:*A BackTrack 3 Live CD  
:*A BackTrack 3 Live CD  
:*2 wireless adapters - one of them should be a compatible wireless adapter.
:*2 wireless adapters - one of them should be a compatible wireless adapter.
:*At least 2 PCs – In this lab, I used a desktop and a laptop. I installed the compatible wireless adapter card in the desktop, and the other laptop has a build-in wireless adapter.
:*At least 2 PCs


==Setup the Wireless Lab==
==Preparing and Setting Up the Lab==
[[Image:topology.jpg|thumb|This is a picture of an idea for the network topology.|320px]]
[[Image:topology.jpg|thumb|This is a picture of an idea for the network topology.|320px]]


:Bellow are the software and hardware I used to this lab.  
:Bellow are the software and hardware I used in this lab. If you should setup a lab like mine, find somethings that suitable for you. The picture on the right shows some information and idea of this network topology.


:*The wireless router: I used the Linksys wireless router (WRT54G) as the wireless access point. I setup the wireless router as shown in the snapshot bellow.  
:*I used the Linksys wireless router (WRT54G) as the wireless access point. I set it up as shown in the picture on the right.  


:*The BackTrack 3 Live CD can be downloaded at http://www.backtrack-linux.org/downloads/. After the ISO image file has been downloaded, I burn it into a blank CD. If you would like instruction information of how to burn an ISO file to a CD/DVD, click on this link http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm.   
:*I download the BackTrack 3 Live CD image at http://www.backtrack-linux.org/downloads/. After the ISO image file has been downloaded, I burned the image into a blank CD. Instruction and information of how to burning a DVD/CD image to a DVD/CD can be found at http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm.   


:*Find a compatible wireless adapter from http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#compatibility. Find one and buy it or use the one that you have. The wireless adapter I used in this lab was the Alfa AWUS036H. I bought it online for $29.
:*I bought a wireless adapter online for $29. It was the Alfa AWUS036H. Compatibility wireless adapter can be found at http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#compatibility.  


:*I inserted the Alfa AWUS036H wireless adapter into an USB port on my desktop and insert the BackTrack 3 Live CD into the CD ROM. I called this desktop the “Sniffing PC.” Boot the Sniffing PC from the CD.
:*The wireless adapter (Alfa AWUS036H) is connected through an USB port on my desktop PC and the BackTrack 3 Live CD is inserted into the CD ROM of the PC. I called this desktop PC the “Sniffing PC.”  


:*I made sure that the laptop (the Target PC) and the wireless router WRT54G (the Target AP) are configured and communicated with each other correctly.  
:*I made sure that the laptop (Target PC) and the wireless access point (the Target AP) are configured and communicated with each other correctly. I boot the Sniffing PC from the CD.  


{|
{|
Line 31: Line 32:
[[Image:bt01.jpg|thumb|Selecting Wireless Assistant.|250px]]
[[Image:bt01.jpg|thumb|Selecting Wireless Assistant.|250px]]
:Follow the steps bellow to setup and capture packets using BackTrack 3.  
:Follow the steps bellow to setup and capture packets using BackTrack 3.  
===Checking the Adapter===
===Checking Compatibility for an Adapter===
:*On the Sniffing PC that is running BackTrack 3, select the small '''K''' icon located on the lower left hand corner. Select '''Internet''' and then click on '''Wireless Assistant'''. When the '''Wireless Assistant''' window appear, you should see the target wireless access point that you want to hack. If you don’t have a compatible wireless adapter, it will prompt you an error massage says “No usable wireless device found.”
:*In the Sniffing PC that is running BackTrack 3, select the small '''K''' icon located on the lower left hand corner. Select '''Internet''' and then click on '''Wireless Assistant'''. When the '''Wireless Assistant''' window appear, you should see the target wireless access point that you want to hack. If you don’t have a compatible wireless adapter, it will prompt you an error massage says “No usable wireless device found.”  
{|
{|
| [[Image:bt02.jpg|thumb|upright|If the device is compatible|300px]]
| [[Image:bt02.jpg|thumb|upright|If the device is compatible|300px]]
Line 38: Line 39:
|}
|}


:Take note some of the information such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is Testing AR on channel 1, and MAC address is 00:13:10:3C:51:5B. When you done, close the Wireless Assistant window.
:Take note some of the information such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is "TestingAP", channel 1, and the MAC address of 00:13:10:3C:51:5B. Close this window when you're done.


===1st Shell - Konsole Window===
===Generating faked MAC Address===
[[Image:bt04.jpg|thumb|Results of the commands.|250px]]
[[Image:bt04.jpg|thumb|Results of the commands.|250px]]
:*Run Shell – Konsole window. It is a small black screen icon located on the lower left hand corner next to the small K icon.  
:*Run Shell – Konsole window. It is a small black screen icon located on the lower left hand corner next to the small K icon.  
Line 52: Line 53:
  airmon-ng start ''<your device Interface>''
  airmon-ng start ''<your device Interface>''


:The purpose of these commands is to change the MAC Address of your wireless adapter to a faked MAC Address: 00:11:22:33:44:55.
:The purpose of these commands is to change the MAC Address of the wireless adapter to a faked MAC Address: 00:11:22:33:44:55.


:All the result of the commands above should look like the screenshot on the right.
:All the result of the commands above should look like the screenshot on the right.


===Capturing Data Packets===
[[Image:bt05.jpg|thumb|List of wireless access points around.|250px]]
[[Image:bt05.jpg|thumb|List of wireless access points around.|250px]]
:*Run the command bellow to see a list of the wireless access points around you.  
:*Run the command bellow to see a list of the wireless access points around you.  
Line 71: Line 73:
:*Now, I will use the second laptop (the Target PC) to watch some movies on youtube to generate more traffic between the Target AP and Target PC. Remember that the more packets traffic to the wireless access point, the more packets you can capture, and the more likely you will successfully crack the WEP key faster.
:*Now, I will use the second laptop (the Target PC) to watch some movies on youtube to generate more traffic between the Target AP and Target PC. Remember that the more packets traffic to the wireless access point, the more packets you can capture, and the more likely you will successfully crack the WEP key faster.


===2nd Shell - Konsole Window===
===Generating data Traffic===
:*Open a new Shell – Konsole windows without closing the first Shell - Konsole window. '''Important:''' Make sure to leave the previous command running. The following two commands will force the access point to inject packets to its clients, and create more traffics. So, when you are running these two commands, the client computers that are connecting to the access point may not be able to search the web or get disconnecting from the access point. Sometime you may have to power-cycle the access point to get it work again.
:*Open a new Shell – Konsole windows without closing the first Shell - Konsole window. '''Important:''' Make sure to leave the previous command running. The following two commands will force the access point to inject packets to its clients, and create more traffics. So, when you are running these two commands, the client computers that are connecting to the access point may not be able to search the web or get disconnecting from the access point. Sometime you may have to power-cycle the access point to get it work again.


Line 84: Line 86:
:You should get the output of these two commands similar to mine, the snapshot on the right.
:You should get the output of these two commands similar to mine, the snapshot on the right.


==Cracking the WEP key==
===Cracking the WEP key===
[[Image:bt08.jpg|thumb|thumb|upright|WEP cracking command output: KEY FOUND!|592px]]
[[Image:bt08.jpg|thumb|thumb|upright|WEP cracking command output: KEY FOUND!|592px]]
:'''NOTE:'''You should wait until enough packets has been captured before you run the cracking command bellow; otherwise it will not success. Look at this number on firs Shell - Konsole window. It is the number right bellow the #data column. Wait until this number goes above 10000 or 20000, and then process to the cracking step bellow.
:This is the final and the actual step to crack the WEP key.
:'''NOTE:'''You should wait until enough data packets has been captured before you run the cracking command bellow; otherwise it will not success. Look at this number on firs Shell - Konsole window. It is the number right bellow the #data column. Wait until this number goes above 10000 or 20000, and then process to the cracking step bellow.


===3rd Shell - Konsole Window===
This is the final and the actual step to get the WEP key.
:* Open the third Shell - Konsole window.
:* Open the third Shell - Konsole window.
:* Enter the following command.  
:* Enter the following command.  


  aircrack-ng -b <BSSID> <file name-01.cap>
  aircrack-ng -b ''<BSSID> <file name-01.cap>''
:The file name is the file name that you enter in the previously, and the BSSID is the MAC Address of the access point. Don't forgot to type the file name follow by -01.cap or you will get an error massage.
:The file name is the file name that you enter in the previously, and the BSSID is the MAC Address of the access point. Don't forgot to type the file name follow by -01.cap or you will get an error massage.


Revision as of 00:15, 31 July 2010

In this article, I will create a wireless network lab and show you how to crack a WEP key using BackTrack 3. As you may know, WEP is a week security protocol that can be broken or crack easily. There are dozens of articles about cracking WEP on the internet. If this article doesn’t give you enough information, please do some online researches to find more information and detail. The purpose of this lab is not encouraged you to be a hacker. I write this article for educational purpose, and to prove that WEP is a weak security protocol that can be hacked easily.

Hardware required

Here is a list of equipment and hardware Requirement for this lab:
  • A wireless router - this could be any wireless router that supported WEP security encryption.
  • A BackTrack 3 Live CD
  • 2 wireless adapters - one of them should be a compatible wireless adapter.
  • At least 2 PCs

Preparing and Setting Up the Lab

This is a picture of an idea for the network topology.
Bellow are the software and hardware I used in this lab. If you should setup a lab like mine, find somethings that suitable for you. The picture on the right shows some information and idea of this network topology.
  • I used the Linksys wireless router (WRT54G) as the wireless access point. I set it up as shown in the picture on the right.
  • The wireless adapter (Alfa AWUS036H) is connected through an USB port on my desktop PC and the BackTrack 3 Live CD is inserted into the CD ROM of the PC. I called this desktop PC the “Sniffing PC.”
  • I made sure that the laptop (Target PC) and the wireless access point (the Target AP) are configured and communicated with each other correctly. I boot the Sniffing PC from the CD.
Linksys wireless router(WRT54G)
A screenshot of BackTrack 3
Alfa AWUS036H

Capturing Packets

Selecting Wireless Assistant.
Follow the steps bellow to setup and capture packets using BackTrack 3.

Checking Compatibility for an Adapter

  • In the Sniffing PC that is running BackTrack 3, select the small K icon located on the lower left hand corner. Select Internet and then click on Wireless Assistant. When the Wireless Assistant window appear, you should see the target wireless access point that you want to hack. If you don’t have a compatible wireless adapter, it will prompt you an error massage says “No usable wireless device found.”
If the device is compatible
No usable wireless device found.
Take note some of the information such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is "TestingAP", channel 1, and the MAC address of 00:13:10:3C:51:5B. Close this window when you're done.

Generating faked MAC Address

Results of the commands.
  • Run Shell – Konsole window. It is a small black screen icon located on the lower left hand corner next to the small K icon.
  • Enter the command bellow to find the adapter name. Once the name of your wireless adapter shown, take note of the interface name. Mine is wlan0.
airmon-ng
  • Enter the 4 commands bellow by typing each command and press Enter key.
airmon-ng stop <your device Interface>
ifconfig <your device Interface> down
macchanger --mac 00:11:22:33:44:55 <your device Interface>
airmon-ng start <your device Interface>
The purpose of these commands is to change the MAC Address of the wireless adapter to a faked MAC Address: 00:11:22:33:44:55.
All the result of the commands above should look like the screenshot on the right.

Capturing Data Packets

List of wireless access points around.
  • Run the command bellow to see a list of the wireless access points around you.
airodump-ng <your device Interface>
  • Once you see the Target AP, press Ctrl+C to stop scanning. On the list, you will see information such as the MAC Address (BSSID), power level, channel, encryption protocol, and the name of the access point (ESSID) of each device. Write down this information of the wireless access point that you are going to hack for later use. The Target AP used in this lab is the highlighted in red in the snapshot on the right.
Capturing packets traffic.
  • Run the command bellow. This command will capture the packets traffic between the Target AP and any wireless client.
airodump-ng -c <channel> -w <file name> --bssid <BSSID> <your device interface>
Note: The channel, BSSID, and your device interface is the information that you noted above. The file name can be any name you want. Here I used capfile as the file name. The command I used and the output is shown on the snapshot on the right.
  • Now, I will use the second laptop (the Target PC) to watch some movies on youtube to generate more traffic between the Target AP and Target PC. Remember that the more packets traffic to the wireless access point, the more packets you can capture, and the more likely you will successfully crack the WEP key faster.

Generating data Traffic

  • Open a new Shell – Konsole windows without closing the first Shell - Konsole window. Important: Make sure to leave the previous command running. The following two commands will force the access point to inject packets to its clients, and create more traffics. So, when you are running these two commands, the client computers that are connecting to the access point may not be able to search the web or get disconnecting from the access point. Sometime you may have to power-cycle the access point to get it work again.
  • When you are ready, enter the following command.
Creating traffic snapshot.
aireplay-ng -1 0 -a <BSSID> -h 00:11:22:33:44:55 -e <ESSID> <your device interface>.
The BSSID is the MAC Address and the ESSID is the name of the access point. In this lab, I enter 00:13:10:3C:51:5B as the BSSID and TestingAP as the ESSID.
  • Enter the following command. This command will force the access point to inject packets and speed the process.
aireplay-ng -3 -b <BSSID> -h 00:11:22:33:44:55 <your interface name>
You should get the output of these two commands similar to mine, the snapshot on the right.

Cracking the WEP key

WEP cracking command output: KEY FOUND!
This is the final and the actual step to crack the WEP key.
NOTE:You should wait until enough data packets has been captured before you run the cracking command bellow; otherwise it will not success. Look at this number on firs Shell - Konsole window. It is the number right bellow the #data column. Wait until this number goes above 10000 or 20000, and then process to the cracking step bellow.
  • Open the third Shell - Konsole window.
  • Enter the following command.
aircrack-ng -b <BSSID> <file name-01.cap>
The file name is the file name that you enter in the previously, and the BSSID is the MAC Address of the access point. Don't forgot to type the file name follow by -01.cap or you will get an error massage.
At this point, you should get the WEP key if you have captured enough data packets. The snapshot on the right is the command output of mine. KEY FOUND!

Conclusion

Cracking WEP is fairly easy. Even though I have little knowledge about using Linux and networking, I can crack a WEP key easily. Be patient typing the commands and you can do it, too. Remember that hacking others' network is illegal, so please don't. For educational purpose, I built my own lab and cracked my own network. It takes me a few days to complete this article, but the actual time that it takes me to crack the WEP key is less than five minutes. The following steps are what I actually done to crack the WEP key.

  • Step 1. I opened a Konsole window and typed the following commands.
airmon-ng
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
airmon-ng wlan0
airodump-ng wlan0
airodump-ng -c 1 -w capfile --bssid 00:13:10:3C:51:5B wlan0
  • Step 2. I opened another Konsole window and typed the following commands.
aireplay-ng -1 0 -a 00:13:10:3C:51:5B -e TestingAP wlan0
aireplay-ng -3 -b 00:13:10:3C:51:5B -h 00:11:22:33:44:55 wlan0
  • Step 3. I opened another Konsole window and typed the following command.
aircrack-ng -b 00:13:10:3C:51:5B capfile-01.cap

KEY FOUND!

Retrieved from "https://wiki.ihitc.net/mediawiki/index.php?title=Cracking_WEP&oldid=3012"