Cracking WEP with Kali

What You Need for This Project

  • A wireless access point
  • A computer running any OS with any wireless NIC to be the client
  • An Eee PC; I used the Eee PC 900HA with Kali Linux on it

Observing the wlan0 Device

In the Terminal window, type in this command, and then press the Enter key:
iwconfig
You should see the wlan0 device, as shown below on this page. It is in Mode:Managed, which is the normal mode for wireless networking. We need to get the card out of that mode, so we will first disable it.
In the Terminal window, type in this command, and then press the Enter key:
ifconfig wlan0 down

Starting the wifi0 Device in Monitor Mode

In the Terminal window, type in this command, and then press the Enter key:
airmon-ng start wifi0
You have now stopped the wireless card and restarted it with the special MadWiFi drivers, which are necessary for cracking WEP. Now the card is monitoring on all channels.

Capturing Packets to View the Available Networks

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 2" at the bottom of the window. In the "Shell No. 2" window, type in this command, and then press the Enter key:
airodump-ng -w test wlan0
This command opens a window showing all local networks, as shown below on this page. The captured packets are going to a file named "test", which isn't important. The columns in the output are explained below:
  • BSSID: the MAC address of the access point
  • PWR: the power level
  • Beacons: the number of beacon packets captured
  • #Data: the number of packets containing Initialization Vectors (IVs); these are the packets we need to crack WEP
  • CH: the channel (1 through 11 are used in the USA)
  • MB: the speed of the network in Mbps
  • ENC, CIPHER, AUTH: these values specify the encryption method
  • ESSID: the name of the network

Write down these three values for the network you want to crack:
  • BSSID
  • CH
  • ESSID
In the lower section of your screen, try to find the STATION MAC address that is associated with the access point you want to crack. If it has scrolled off the screen, stop the capturing with Ctrl+C, start it again with the airodump-ng -w test wlan0 command, and stop it with Ctrl+C as soon as the lower portion of the chart shows your target network.
Write down the STATION address for your target network. This is the MAC address of the client.
Press Ctrl+C to stop the Airodump capture.
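As an added defensive example (not part of the original tutorial), the following Python script reads the CSV file that airodump-ng -w writes beside the capture (the <prefix>-01.csv column layout is assumed from the tool's documented output, and the sample rows are constructed, reusing the MAC addresses shown later on this page) and reports every WEP network with its channel, ESSID, IV count and associated clients, so an auditor can find WEP networks that still need migrating to WPA2/WPA3.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv
# (assumed layout: an access-point section, a blank line, a station section).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:50:1E:43:87, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP, OPN, -40,  120,  3521,   0.  0.  0.  0,   7, labwifi, 
00:AA:BB:CC:DD:EE, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -55,   80,     0,   0.  0.  0.  0,   6, office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:B6:5B:A3:D6, 2024-01-01 10:00:10, 2024-01-01 10:05:00, -35,  900, 00:11:50:1E:43:87, labwifi
00:16:B6:5B:A3:D7, 2024-01-01 10:00:10, 2024-01-01 10:05:00, -60,   20, (not associated), 
"""


@dataclass
class Network:
    bssid: str
    channel: int
    privacy: str
    essid: str
    ivs: int                      # the "# IV" column, i.e. #Data in the live view
    clients: list = field(default_factory=list)


def parse_airodump_csv(text):
    """Parse both sections of an airodump-ng CSV and attach stations to their AP."""
    networks = {}
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                          # blank separator lines
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            net = Network(bssid=row[0].strip(), channel=int(row[3]),
                          privacy=row[5].strip(), essid=row[13].strip(),
                          ivs=int(row[10]))
            networks[net.bssid] = net
        elif section == "sta" and len(row) >= 6:
            ap = row[5].strip()               # "(not associated)" is skipped
            if ap in networks:
                networks[ap].clients.append(row[0].strip())
    return list(networks.values())


def wep_networks(text):
    """Return only the networks whose Privacy column reports WEP."""
    return [n for n in parse_airodump_csv(text) if "WEP" in n.privacy.upper()]


if __name__ == "__main__":
    for n in wep_networks(SAMPLE_CSV):
        print(f"WEP: {n.essid} ({n.bssid}) ch {n.channel}, {n.ivs} IVs, clients {n.clients}")
```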

Restarting Monitoring on the Correct Channel

Click the "Shell" tab at the lower left of your screen to make it active—this is the window you used for the airmon-ng commands. In the Terminal window, type in this command, and then press the Enter key:
airmon-ng stop wifi0
In the Terminal window, type in this command, and then press the Enter key:
airmon-ng start wifi0 11
Replace 11 with the CH number you wrote down in a previous step. Now the card is monitoring only the channel we are interested in.

Resuming Packet Capture

Click the "Shell No. 2" tab to make it active—this is the Konsole window you used for the airodump-ng command. In the "Shell No. 2" window, type in this command, and then press the Enter key:
airodump-ng -c 11 -w output wlan0
Replace 11 with the CH number you wrote down in a previous step. This captures packets only on the desired channel and dumps them into the file output.cap (the output*.cap file that aircrack-ng reads later). Notice that the #Data count is not rising quickly; you may not see any data being captured at all. Leave this capture running.

Performing an ARP Replay Attack

Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs. In the "Shell" window, type in this command, and then press the Enter key:
aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 wlan0
Replace 00:11:50:1E:43:87 with the BSSID you wrote down in a previous step (the access point's MAC address). Replace 00:16:B6:5B:A3:D6 with the STATION address you wrote down in a previous step (the wireless client's MAC address).
The last line in your Terminal window should show the number of packets read, the number of ARP requests captured, and the number of packets sent, as shown below on this page. Within a few seconds, all three of these numbers should start rising rapidly. That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.
(The image below was taken with a different network adapter named rausb0, but now we are using the wlan0 adapter.)

If the number of ARP requests stalls at zero, disconnect the wireless client and reconnect it.
Look at the "Shell No. 2" window. The #Data value should be rising very rapidly, as shown below on this page.


Troubleshooting

If the ARP replay fails, you can just make the network busier. One simple way to do that is to open 30 Command Prompt windows on the client, each running this command, using your router's IP address instead of the example address below:
PING -T -L 65000 192.168.10.1
They won't get replies, but they should send a lot of packets to the router and make the DATA increase rapidly.

Cracking the Key

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 3" at the bottom of the window. In the "Shell No. 3" window, type in this command, and then press the Enter key:
aircrack-ng -a 1 -n 64 output*.cap
It should find the key within a few minutes, as shown below on this page.
(source: samsclass)
