Dark Tavern: LiLj438 - Viewing Profile


LiLj438's Profile User Rating: -----

Reputation: 0 Neutral

My Information

  • Group:Members
  • Active Posts:2 (0.01 per day)
  • Most Active In: Tutorials (2 posts)
  • Joined:16-August 09
  • Profile Views:100
  • Last Active: Aug 21 2009 09:57 PM
  • Currently: Offline
  • Member Title: Newbie
  • Age: Age Unknown
  • Birthday: Birthday Unknown
  • Gender:

Contact Information

  • E-mail: Private


Latest Reputation

0

Current Reputation


  • You have had no recent reputation since we started tracking this statistic.
LiLj438 has not set their status

Topics I've Started

  1. [TUT] Hacking WPA networks. TOTAL NOOB GUIDE!

    Posted 16 Aug 2009

    Well HF, I have procrastinated about this for a long time but I finally sat down and did it. Here is the full noob friendly start-to-finish tutorial on cracking WPA encrypted networks. I know that others have done this and I applaud their efforts. I still am getting many requests, though, to post a WPA cracking guide so here it is.

    Here is the key for this guide:
    Black text = regular info
    Blue text = important notes to remember
    Red text = ACTUAL commands you type in
    Yellow = extra info behind what you're doing

    Standard Disclaimer: Breaking anyone's wifi encryption is illegal even if you do not use their internet. I take no responsibility for anything you do with this guide. This is meant for informative purposes only.

    There is a major difference between WEP encryption and WPA encryption. That difference is security. WEP encryption can be broken just about every time. It doesn't matter if:
    A. people are on the network or not
    B. password is easy like "football" or hard like "anw034n98ns0NG"
    C. SKA (Shared Key Authentication) is used or not
    Regardless of these factors, WEP encryption can be broken. I've already written a guide for that. The link to it is in my signature.


    IMPORTANT NOTE: WPA, on the other hand, is another story. There are 2 MAJOR factors that MUST BE PRESENT in order for you to break WPA encryption. They are:
    A. There ABSOLUTELY MUST be someone wirelessly connected
    B. The password MUST be in your dictionary file

    Let's get started.

    For this guide, you will need the free linux distribution known as Backtrack 3. It can be downloaded here:
    http://www.remote-ex. ..k_download.html

    IMPORTANT NOTE: Once you download it, burn the iso image to a cd. Don't just drag and drop the file to the cd and burn it. Actually burn the image file using image burning software so it will work correctly. ImgBurn is excellent free image burning software. It can be found here:
    http://www.imgburn.c. ..hp?act=download

    Now put the cd in and reboot your computer. It should automatically begin to load up Backtrack 3. Pay attention, though, because it will pop up some boot options for only about 4 seconds. I have ALWAYS picked the VESA/KDE option for booting into Backtrack 3. It has always been the most compatible with the systems I've tested it on. If it doesn't work well for you, try some of the other boot options.

    Once Backtrack 3 loads up, click the little black box that is in the bottom left next to where the "start button" would be in Windows. This will open up a Konsole window. Go ahead and open up 2 different Konsole windows. We will need both of them.

    In the first Konsole window, type:
    ifconfig
    This will tell you what your wireless interfaces are. They will typically be something like wifi0, ath0, ath1, eth0, eth1, etc.
    (mine are wifi0 and ath0) From here on out, when I tell you a command to type in, replace "ath0" with whatever interface your computer uses.
    Once you know your wireless interfaces, type:
    airmon-ng stop ath0
    then type:
    ifconfig wifi0 down
    then type:
    airmon-ng start wifi0

    It should look something like this:
    Posted Image

    What this did, is it reset your wireless interface and brought it back up in what's called "monitor mode". This is necessary in order for you to be able to "monitor" the airwaves and pick up the wireless handshake later on. (you'll learn what a "wireless handshake" is!)

    Now type:
    airodump-ng ath0

    This will start the airodump-ng program that will begin to rapidly list all of the wifi networks within range of you. Look under the "ENC" heading in this list. This is telling you the type of encryption that these networks are using. "OPN" means there is no encryption. WEP and WPA are self explanatory. Look through the networks and zero in on those that are using WPA encryption.

    Now, once you have found your WPA networks, look below into the client list. This is the list of computers that are using the various networks. The far left set of numbers/letters is the bssid of the router that they are connected to. Look through these and see if any of these match the bssid of the network that you want to crack. If none of these match the network you are trying to break, then come back another day because YOU CANNOT PROCEED WITHOUT A CLIENT CURRENTLY CONNECTED TO THE NETWORK YOU WANT TO CRACK.

    If someone IS on the network you want to break, then congrats because you are one step closer to your goal.

    Here is a picture explaining what you should be looking for:
    Posted Image

    Now, go to the second Konsole window that you opened earlier. It's time to try and capture the handshake.

    A handshake is the term that relates to what happens when a computer is wirelessly authenticated on a network. Basically, the computer tells the router it wants to connect, and then the router and computer compare keys to see if they match up. If they match up, then the router authenticates the computer and gives it access to the network. This is what we are after. The key to the network is heavily encrypted in the handshake file. Without the handshake, we are stuck.


    The way that you capture the handshake is to send a signal to the router that will very briefly disconnect the computer that is already connected. That computer will automatically try and reconnect with the router and when it does, we will be there monitoring the airwaves to try and pick up the handshake file. Type this command:
    aireplay-ng --deauth 10 -a Mac_of_Router -c Mac_of_Client ath0

    What this command will do is send the disconnect command to the router TEN times in a row. The Mac_of_Router is the bssid of the network. The Mac_of_Client is the mac address of the currently connected computer. This is all illustrated in the picture below:

    Posted Image

    While that command is running it should look like this:

    Posted Image

    If we are successful in capturing the handshake file, the words “WPA Handshake” should pop up in the top right corner of our first Konsole window. It will look like this:

    Posted Image

    If you have successfully made it this far, congratulations! Don't get too excited yet though, the biggest roadblock of all is still ahead. It all comes down to how much effort they put into their password AND how good your dictionary file is!

    IMPORTANT NOTE: I am going to upload my personal dictionary files and provide the links at the bottom of this tutorial. I have compiled these files from all over the web, deleted most of the duplicates, and split them into several smaller files so that they could each be run at different times rather than one massive file that takes up your computer for several days.

    Now that you have the handshake file, you can close one of the Konsole windows and just use one. The Aircrack-ng program will be used now to test the handshake file against each entry in your dictionary word lists. However, since Backtrack 3 runs off of a live cd, it is somewhat slow in testing the keys. (typically around 100-200 words tested per second) I downloaded the windows version of Aircrack-ng so that I could reboot into Windows and have it run MUCH faster. (typically testing 400-450 words per second) The windows version of Aircrack-ng can be found here:

    http://www.aircrack-ng. org


    Don't worry about it saying you must develop your own dll's and whatnot in order to use the features of the program. It will run dictionary attacks straight out of the installation so no extra setup is needed.

    Now you can run aircrack-ng straight from Backtrack 3 or save your handshake files to a flash drive and reboot into windows. If you are wanting to reboot into Windows, your handshake files are located in one of the two directories that is on the desktop of Backtrack 3. When you are ready, open up the command prompt and navigate to the directory where Aircrack-ng is located. (In Backtrack 3 you can run aircrack-ng straight from the default directory of the Konsole window. In Windows, you must navigate to the directory that it is installed to. You will have to get into the “bin” subfolder of the main Aircrack-ng directory.) Once you are ready, type this command:

    aircrack-ng location-of-handshake -w location-of-dictionary-file

    This command starts aircrack-ng, then tells it where to find the handshake file. The “-w” command is letting it know we are doing a dictionary attack which is followed by the location of our dictionary file. It will then pop up a list of all networks that had packets capture in this one file. It will also let you know which networks have verified handshake files captured. After this command is typed in, you type in the number of the handshake file you want to crack, and it begins.

    Here is a picture of this command in Backtrack 3:
    Posted Image

    After this is done, you simply sit back and wait. Probably not at your computer either. A good dictionary file can take hours (or days) to crunch through. I have mine broken down in a way that each one takes around 5 – 8 hours to run from start to finish. This way I can leave it running overnight and if it fails, fire up the next list on the next night.

    If all is successful with your aircrack-ng command, you will see this screen pop up as it rapidly tries every password you have against the handshake file. It will look like this:

    Posted Image


    This about wraps it up for the tutorial. Below are the links to my various dictionary files.

    Download Dictionary Files Here

    They all range from around 100 mb to 500 mb.
    I tried to compress them to be more manageable and easy to download. I'm not posting a virus scan of all of them. I have good rep and if you won't just test it yourself, then look elsewhere for your dictionary files.

    Post any questions you have and I will try to get to them as I have time.
    Don't steal my work without giving me credit.
  2. [TUT] Hacking WEP wifi passwords. TOTAL NOOB GUIDE!

    Posted 16 Aug 2009

    Basic Entry into a WEP Encrypted Network

    **DISCLAIMER** - I know that many people have thrown up various tutorials before about hacking wep with Backtrack 3 but I never felt that they fully explained everything very well for noobs. (at least not the ones I read) This is in no way meant to attack someone else that has posted a tut on this before...I simply wanted to put one up that was very easy to follow even if you had never done anything like this before. Since this explains EVERYTHING in detail, it is quite long. Enjoy.

    1. Getting the right tools

    Download Backtrack 3. It can be found here:

    http://www.remote-ex... k_download.html

    The Backtrack 4 beta is out but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this guide will proceed assuming you downloaded BT3. I downloaded the CD iso and burned it to a cd. Insert your BT3 cd/usb drive and reboot your computer into BT3. I always load into the 3rd boot option from the boot menu. (VESA/KDE) You only have a few seconds before it auto-boots into the 1st option so be ready. The 1st option boots too slowly or not at all so always boot from the 2nd or 3rd. Experiment to see what works best for you.

    2. Preparing the victim network for attack

    Once in BT3, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
    Type:

    airmon-ng

    You will see the name of your wireless card. (mine is named "ath0") From here on out, replace "ath0" with the name of your card.
    Now type:

    airmon-ng stop ath0

    then type:

    ifconfig wifi0 down

    then:

    macchanger --mac 00:11:22:33:44:55 wifi0

    then:

    airmon-ng start wifi0

    What these steps did was to spoof (fake) your mac address so that JUST IN CASE your computer is discovered by someone as you are breaking in, they will not see your REAL mac address. Moving on...
    Now it's time to discover some networks to break into.

    Type:

    airodump-ng ath0

    Now you will see a list of wireless networks start to populate. Some will have a better signal than others and it is a good idea to pick one that has a decent signal otherwise it will take forever to crack or you may not be able to crack it at all.
    Once you see the network that you want to crack, do this:

    hold down ctrl and tap c

    This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.

    **Now from here on out, when I tell you to type a command, you need to replace whatever is in parentheses with what I tell you to from your screen. For example: if I say to type:
    -c (channel)
    then don't actually type in
    -c (channel)
    Instead, replace that with whatever the channel number is...so, for example you would type:
    -c 6
    Can't be much clearer than that...let's continue...

    Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.

    Posted Image

    Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
    The Channel number will be under a heading that says "CH".
    Now, in the same Konsole window, type:

    airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

    the FILE NAME can be whatever you want. This is simply the place that airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.

    **Side Note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.

    Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password.

    Now you are thinking, "I'm screwed because my IV's are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IV's per second.

    3. Actually cracking the WEP password

    Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:

    aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

    Posted Image

    This will send some commands to the router that basically cause it to associate with your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)" If this happens, then good! You are almost there. Now type:

    aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

    Posted Image

    This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.

    Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:

    aircrack-ng -b (bssid) (filename)-01.cap

    Remember the filename you made up earlier? Mine was "wepkey". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
    Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000." DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.

    Posted Image

    If you do everything correctly up to this point, before too long you will have the password! Now if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case, aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

    Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
    se:cr:et
    This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
    0F:KW:94:27:VF
    Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

    It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

    I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network. :-)

    I will gladly answer any legitimate questions anyone has to the best of my ability.
    HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this...read the tut and go experiment until you get it right.

    There are rare occasions where someone will use WEP encryption with SKA as well. (Shared Key Authentication) If this is the case, additional steps are needed to associate with the router and therefore, the steps I lined out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.

    Lastly, if you like it, great! Just don't copy it without giving me the credit.

    -kumalynx
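The handshake-capture step in the first tutorial relies on a burst of forged deauthentication frames (aireplay-ng --deauth 10), and that burst is exactly what a wireless IDS looks for. The detector below is an added, defender-side illustration and is not code from either post: it runs over a constructed, already-parsed log of 802.11 management frames (the BSSID and client addresses are placeholders) and flags any AP/client pair that receives more than a threshold of deauth or disassoc frames inside a short window. A single deauth, as happens on normal roaming or idle timeouts, is deliberately not flagged.

```python
from collections import defaultdict, deque

# Tunables: aireplay-ng style bursts deliver many frames per second, so a
# handful inside two seconds is already far outside normal AP behaviour.
DEAUTH_THRESHOLD = 5
WINDOW_SECONDS = 2.0


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (bssid, client) pair that receives >= threshold
    deauth/disassoc frames within `window` seconds.

    frames: iterable of dicts with keys ts, type, subtype, bssid, dst
            (the shape a capture parser such as scapy would give after
            field extraction; here the frames are constructed by hand).
    """
    recent = defaultdict(deque)  # (bssid, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != "mgmt" or f["subtype"] not in ("deauth", "disassoc"):
            continue
        key = (f["bssid"].lower(), f["dst"].lower())
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # report each burst once, not on every extra frame
            alerts.append({"bssid": key[0], "client": key[1],
                           "start": q[0], "count": len(q)})
    return alerts


# Constructed sample: placeholder addresses, not taken from any real network.
AP = "00:11:22:33:44:55"
CLIENT_A = "aa:bb:cc:dd:ee:01"
CLIENT_B = "aa:bb:cc:dd:ee:02"


def _frame(ts, subtype, dst, src=AP, ftype="mgmt"):
    return {"ts": ts, "type": ftype, "subtype": subtype, "bssid": src, "dst": dst}


SAMPLE_FRAMES = (
    [
        _frame(0.0, "beacon", "ff:ff:ff:ff:ff:ff"),
        _frame(1.5, "deauth", CLIENT_A),            # lone deauth: benign idle timeout
        _frame(2.0, "data", CLIENT_A, ftype="data"),
    ]
    # ten deauths to one client in one second: the forced-reconnect burst
    + [_frame(100.0 + 0.1 * i, "deauth", CLIENT_B) for i in range(10)]
)


def run_sample():
    """Run the detector over the constructed log; expect exactly one alert."""
    return detect_deauth_bursts(SAMPLE_FRAMES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"deauth burst: AP {a['bssid']} -> client {a['client']} "
              f"({a['count']} frames from t={a['start']:.1f}s)")
```

On networks where it is available, enabling 802.11w Protected Management Frames makes these deauth/disassoc frames cryptographically authenticated, so a forged burst is dropped by the client instead of disconnecting it.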

Friends

LiLj438 hasn't added any friends yet.

Comments

  1. Andrew

    16 Aug 2009 - 22:04
    Welcome to the forums LiLj438 :)