Cracking WEP Using Backtrack - WiFi Hacking Part 2

In my previous article WiFi Hacking Part 1, i wrote about the necessary tools and stuff  that you require for WiFi Hacking .If you have not read the article, please go through it before reading this one

In this article i will explain how you can crack wireless network's WEP key using Backtrack in six easy steps

WiFi Hacking Part 2
I believe all my blog readers have read the previous article WiFi Hacking Part 1, and know what are the tools and stuff that you require for WiFi hacking

Commonly Used Terms :- 
  • WEP - Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks
  • Access Point (AP)- A wireless router
  • MAC Address - Media Access Control address, a unique id assigned to wireless adapters and routers .It comes in hexadecimal format (ie 00:15:eR:21:a3:63)
  • BSSID - Access Point’s MAC address
  • ESSID - Access Point’s Broadcast name

Cracking WEP Using Backtrack

Step -1 Booting Backtrack

Boot your copy of Backtrack from your USB drive (refer my article on how to make a bootable Backtrack USB ),Once booted you will be prompted for the login details, enter usename as "root" and password as "toor", finally enter "startx " to start backtrack .Now once you have logged in, launch a new konsole terminal by clicking the konsole terminal icon which is there on the task bar .Now plug in your Wifi usb card and type in the following commands in the terminal as shown
ifconfig wlan0 up

where wlan0 is the name of the wireless card ,it can be different .To see all wireless cards connected to your system simply type" iwconfig "

Step -2 Putting your WiFi card on Monitor Mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air ,It is similar to a Promiscuous mode which is used for packet sniffing in a LAN .You can put your card into Monitor mode by entering the following commands in a terminal
airmon-ng  start (your interface)

Example :- airmon-ng  start wlan0

Now a new interface mon0 or ath0 will be created , You can see the new interface is in monitor mode by entering "iwconfig" as shown

Step -3  Monitor the air for WiFI connections 

Now after putting the card in monitor mode you will need to monitor the air for available wireless networks (WiFi connections)around  you , For this you'll have to use a tool called "airodump" .

So you can start monitoring the air with airodump by enter the following commands
airodump-ng  mon0

where mon0 is the new interface which we created in the previous step
Bssid shows the mac address of the AP, CH shows the channel in which AP is broadcasted and Essid shows the name broadcasted by the AP, Cipher shows the encryption type ,

Stop the process by pressing  "ctrl +c " and select your target  ,Since i am only cracking WEP  i will take "johny" as my target from now on

Step -4 Capturing Data with Airodump 

Now to crack the WEP key you'll have to capture the targets data into a file, To do this we use airodump tool again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection, otherwise the wireless card has to alternate between all channels .You can restrict the capture by giving in the following commands
airodump-ng mon0 --bssid -c (channel ) -w (file name to save )
As my target is broadcasted in channel 2 and has bssid  "98:fc:11:c9:14:22" ,I give in the following commands and save the captured data as "johnywep"
airodump-ng   mon0 --bssid  98:fc:11:c9:14:22   -c 2  -w  johnywep
Do not close this terminal (run the other commends simultaneously in an another terminal)

Step -5 Using Aireplay to Speed up the cracking  

You will have to capture at least 25,000 data packets to crack WEP .This can be done in two ways, The first one would be a (passive attack ) wait for a client to connect to the AP and then start capturing the data packets but this method is very slow, it can take days or even weeks to capture that many data packets

The second method would be an (active attack )this method is fast and only takes minutes to generate and inject that many packets .

In an active attack  you'll have do a Fake authentication (connect) with the  AP ,then you'll have to generate and inject data packets.This can be done very easily by using a tool called "aireplay"

So you can do a Fake authentication with the AP using aireplay by entering the following commands in a new terminal
aireplay-ng - 1  3  -a (bssid fo the target )  (interface) 

In my case i enter the following

aireplay-ng -1 3  -a 98:fc:11:c9:14:22 mon0 

After doing a fake auth ,now its time to generate and inject Arp (data )packets . To this you'll have to open a terminal simultaneously and enter the following commands
aireplay-ng 3  -b (bssid of target)  -h ( address of your card (mon0))   (interface)

In my case i enter
aireplay-ng 3  -b 98:fc:11:c9:14:22   -h 00:c0:ca:50:f8:32 mon0
If this step was successful  you'll see Lot of data packets in the airodump capture ( step 4  ) as shown

Wait till it reaches at least 25000 packets , best would be to wait till it reaches around 80,000 to 90,000 packets .Its simple more the data packets  less the time to crack .once you captured enough number of packets, close all the process's by pressing "Ctrl +c" or by simply clicking the into mark which is there on the terminal

Strep -6 Cracking WEP  key using Aircrack 

Now its time crack the WEP key from the captured data, we use Aircrack to achieve this

Enter the following commands to crack the WEP key
aircrack-ng  (name of the captured file (step 4) )

In my case i enter 

aircrack-ng johnywep-0.1-cap
With in a few minutes Aircrak will crack the WEP key as shown

Voila you have successfully  cracked the WEP key in Six simple steps

Hope you enjoyed the post, For further doubts and clarifications please pass your comments 

Subscribe to Hackaholic

Enjoyed this article?
Subscribe to "Hackaholic"and get daily
updates in your inbox for free!

Related Posts Plugin for WordPress, Blogger... said on July 11, 2011 at 6:31 AM :

nice info bro..

Unknown said on August 2, 2011 at 2:30 AM :

can you write a part 3 for how to hack a WPA encrypted wifi?


there is a problem me my data card is not connectin with backtrack remote exploite bootable cd

venky said on July 5, 2012 at 12:11 AM :

there is problem man


i did it all right and got the key but when i try to connect with it it says bad password

saad aziz said on March 9, 2013 at 9:33 AM :

its old but i appriciat..


Use the form below to comment. No spam please!!!

© 101hacker | Design by Mukund edited by John
Powered by Blogger