Cracking WEP with Kali
What You Need for This Project
- A wireless access point
- A computer running any OS with any wireless NIC to be the client
- An Eee PC--I used the EEE PC 900HA with Kali Linux on it
Observing the wlan0 Device
In the Terminal window, type in this command, and then press the Enter key:
iwconfig
You should see the wlan0 device, as shown below on this page. It is in Mode:Managed, which is the normal mode for wireless networking. We need to get the card out of that mode, so we will first disable it. In the Terminal window, type in this command, and then press the Enter key:
ifconfig wlan0 down
Starting the wifi0 Device in Monitor Mode
In the Terminal window, type in this command, and then press the Enter key:
airmon-ng start wifi0
You have now stopped the wireless card and restarted it with the special
MadWiFi drivers, which are necessary for cracking WEP. Now the card is
monitoring on all channels.
Capturing Packets to View the Available Networks
In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 2" at the bottom of the window. In the "Shell No.2" window, type in this command, and then press the Enter key:
airodump-ng -w test wlan0
This command opens a window showing all local networks, as shown below
on this page. The captured packets are going to a file named "test",
which isn't important.
The columns in the output are explained below:
- BSSID The MAC address of the access point
- PWR Power level
- Beacons The number of beacon packets captured
- #Data The number of packets containing Initialization Vectors (IVs) - these are the packets we need to crack WEP.
- CH The channel (1 through 11 are used in the USA)
- MB The speed of the network in Mbps
- ENC, CIPHER, AUTH These values specify the encryption method
- ESSID The name of the network
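To turn the same capture into an audit (which networks are still running WEP, how many IVs they have leaked, and which clients still use them), here is an added example that is not part of the original page: it parses the CSV that airodump-ng writes beside the .cap file. The column layout is assumed to match airodump-ng's CSV output, and the sample rows (MACs, names, counts) are constructed.

```python
import csv

# Constructed sample of the CSV that airodump-ng writes beside the .cap file
# (test-01.csv for "-w test"). The column layout is an assumption about
# airodump-ng's CSV format; the MACs, names and counts are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WEP, WEP, OPN, -40, 120, 8342, 0. 0. 0. 0, 6, LabNet,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -65, 98, 0, 0. 0. 0. 0, 8, HomeWifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -50, 4120, 00:11:22:33:44:55, LabNet
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -70, 12, (not associated), HomeWifi
"""

def parse_airodump_csv(text):
    """Split the file into its access-point block and station block; return both as row dicts."""
    aps, stations, current, header = [], [], None, None
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not any(row):            # a blank line separates the two blocks
            header = None
            continue
        if header is None:          # first non-blank row of a block is its header
            header = row
            current = stations if row[0] == "Station MAC" else aps
            continue
        current.append(dict(zip(header, row)))
    return aps, stations

def wep_audit(text):
    """List every WEP network with its IV count (the #Data column) and associated clients."""
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        if "WEP" not in ap["Privacy"].split():
            continue
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "ivs": int(ap["# IV"]),
                         "clients": clients})
    return findings

if __name__ == "__main__":
    for f in wep_audit(SAMPLE_CSV):
        print(f"WEP network {f['essid']} ({f['bssid']}) on CH {f['channel']}: "
              f"{f['ivs']} IVs captured, {len(f['clients'])} client(s) still using it")
```

The "# IV" column in the CSV is the same count airodump-ng shows on screen as #Data, so a WEP network whose IV count keeps climbing is one that should be migrated off WEP first.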
Write down these three values for the network you want to crack:
- BSSID
- CH
- ESSID
Write down the STATION address for your target network. This is the MAC address of the client.
Press Ctrl+C to stop the Airodump capture.
Restarting Monitoring on the Correct Channel
Click the "Shell" tab at the lower left of your screen to make it active—this is the window you used for the airmon-ng commands. In the Terminal window, type in this command, and then press the Enter key:
airmon-ng stop wifi0
In the Terminal window, type in this command, and then press the Enter key:
airmon-ng start wifi0 11
Replace 11 with the CH number you wrote down in a previous step. Now the
card is monitoring only the channel we are interested in.
Resuming Packet Capture
Click the "Shell No. 2" tab to make it active—this is the Konsole window you used for the airodump-ng command. In the "Shell No. 2" window, type in this command, and then press the Enter key:
airodump-ng -c 11 -w output wlan0
Replace 11 with the CH number you wrote down in a previous step.
Now the card is monitoring only the channel we are interested in. This
captures packets on the desired channel, and dumps into the file
output.cap. Notice that the #Data are not rising quickly—you may not
even see any data being captured at all. Leave this capture running.
Performing an ARP Replay Attack
Now we will capture an ARP request, and replay it to force the Access Point to pump out a lot of IVs. In the "Shell" window, type in this command, and then press the Enter key:
aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 wlan0
Replace 00:11:50:1E:43:87 with the BSSID you wrote down in a previous step (the access point's MAC address).
Replace 00:16:B6:5B:A3:D6 with the MAC you wrote down in a previous step (the wireless client's MAC address).
The last line in your Terminal window should show the number of packets read, the number of ARP requests captured, and the number of packets sent, as shown below on this page. Within a few seconds, all three of these numbers should start rising rapidly. That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.
(The image below was taken with a different network adapter named rausb0, but now we are using the wlan0 adapter.)
If the number of ARP requests stalls at zero, disconnect the wireless client and reconnect it.
Look at the "Shell - Konsole <2>" window. The # Data value should be rising very rapidly, as shown below on this page.
Troubleshooting
If the ARP replay fails, you can just make the network busier. One simple way to do that is to open 30 Command Prompt windows on the client, each running this command, using your router's IP address instead of the example address below:
PING -T -L 65000 192.168.10.1
They won't get replies, but they should send a lot of packets to the router and make the #Data count increase rapidly.
Cracking the Key
In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 3" at the bottom of the window. In the "Shell No. 3" window, type in this command, and then press the Enter key:
aircrack-ng -a 1 -n 64 output*.cap
It should find the key within a few minutes, as shown below on this page.
(source: samsclass)