WEP cracking with Auditor and Proxim (8470-WD) card
Sunday, December 11th, 2005

Introduction:
This tutorial explains how to crack most WEP encrypted Access Points out there. The tools used will be as follows:
Airodump
Aireplay
Aircrack
As for wireless cards, I recommend any Prism, Orinoco, or Atheros based card (I used the Atheros based card mentioned above).
Getting Started:
Let's see. The first thing you are going to want to do is charge your laptop to the top (aireplay and aircrack drain the battery quite a bit). Next, load up your favourite live CD (I used Auditor final) or Linux OS, then stumble across an encrypted WLAN; use Kismet to do so.

First off you are going to want to set your wireless card to the right mode; which commands you have to use depends on your chipset:
Since my Proxim card uses madwifi, I have to place the card in pure 802.11b mode first:
iwpriv ath0 mode 2
Then change the card into monitor mode
iwconfig ath0 mode monitor
Then bring the card up
ifconfig ath0 up

Going for the kill:
Open a terminal window and fire up Airodump to sniff the packets.
airodump ath0 tocrack

OK, so now you have got a stream of packets from your target. You see the IV column; those are what is known as 'weak key' packets, and we want as many of them as we can get (500k+ is a nice number; the more the better). Now we are going to capture a 'weak key' packet from the network we are targeting and flood the Access Point with it, in the hope that we get lots of 'weak key' replies sent out so we can eventually crack the password. So now open another terminal window and execute aireplay:
aireplay -i ath0

Here we are going to grab a few packets from the Access Point until we catch a 'weak key' packet; aireplay will then ask you if you want to use it to flood the Access Point with that packet. When it asks you if it can use one of the packets, hit 'y' then return, but do not choose a packet with a destination address of FF:FF:FF:FF:FF:FF.

If you flick back to your terminal with airodump running, you should see the number of packets captured increase by a huge amount, and with that the IV count should also be increasing pretty damn fast as well. If all went well, in about 10 minutes you should have enough packets to dump into aircrack.

Run aircrack to crack the WEP key from the captured file:
aircrack -q 3 -f 2 tocrack.cap
What I did there was set aircrack to read my packet file called tocrack.cap (which is what airodump creates). If all goes well you will get the key in a few minutes.
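The two things this procedure relies on, a 24-bit IV counter that is bound to repeat and one client frame being re-sent thousands of times, are also exactly what a wireless IDS watches for. Below is an added example (not part of the original tutorial and not aircrack code) that runs that detection over constructed frame records; it assumes the frames have already been parsed into (seconds, src, dst, iv, body_len) tuples.

```python
"""Detect WEP IV reuse and ARP-style replay floods over parsed frame records.
Frame record layout (assumed): (seconds, src_mac, dst_mac, iv, body_len)."""
from collections import Counter, defaultdict

IV_SPACE = 2 ** 24  # WEP IVs are 24 bits, so on a busy link reuse is inevitable

# Constructed sample traffic: 20 ordinary frames from one client, followed by
# the same client's 8th frame repeated 200 times in one second (a replay flood).
STA, AP = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
NORMAL = [(i * 0.5, STA, AP, 0x100000 + i, 68) for i in range(20)]
REPLAY = [(10.0 + i * 0.005, STA, AP, 0x100007, 68) for i in range(200)]
FRAMES = NORMAL + REPLAY


def iv_reuse(frames):
    """Return {(src, iv): count} for every IV a station used more than once.
    Any repeat means two frames share an RC4 keystream, the root WEP weakness."""
    counts = Counter((src, iv) for _, src, _, iv, _ in frames)
    return {key: n for key, n in counts.items() if n > 1}


def replay_bursts(frames, window=5.0, threshold=50):
    """Flag (src, dst, iv, len) tuples seen at least `threshold` times inside any
    `window`-second span.  Legitimate traffic never repeats one encrypted frame
    that often; injection tools do, to make the AP emit fresh IVs."""
    times_by_frame = defaultdict(list)
    for t, src, dst, iv, ln in frames:
        times_by_frame[(src, dst, iv, ln)].append(t)
    alerts = []
    for key, times in times_by_frame.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    print("IV reuse:", iv_reuse(FRAMES))
    print("replay bursts:", replay_bursts(FRAMES))
```

On the constructed sample, the normal frames alone produce no alert, while the flood shows up both as a reused IV (201 uses) and as a replay burst from the same station.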

Happy WarDriving.
Note: some portions of the texts of this article are extracted from the WEP Cracking by UmInAsHoE.
