**DISCLAIMER** - I know that many people have thrown up various
tutorials before about hacking wep with Backtrack 3 but I never felt
that they fully explained everything very well for noobs. (at least not
the ones I read) This is in no way meant to attack someone else that
has posted a tut on this before...I simply wanted to put one up that
was very easy to follow even if you had never done anything like this
before. Since this explains EVERYTHING in detail, it is quite long.
The Backtrack 4 beta is out but until it is fully tested (especially if
you are a noob) I would get the BT3 setup. The rest of this guide will
proceed assuming you downloaded BT3. I downloaded the CD iso and burned
it to a cd. Insert your BT3 cd/usb drive and reboot your computer into
BT3. I always load into the 3rd boot option from the boot menu.
(VESA/KDE) You only have a few seconds before it auto-boots into the
1st option so be ready. The 1st option boots too slowly or not at all
so always boot from the 2nd or 3rd. Experiment to see what works best
2. Preparing the victim network for attack
Once in BT3, click the tiny black box in the lower left corner to
load up a "Konsole" window. Now we must prep your wireless card.
You will see the name of your wireless card. (mine is named "ath0")
From here on out, replace "ath0" with the name of your card.
airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
What these steps did was to spoof (fake) your mac address so that JUST
IN CASE your computeris discovered by someone as you are breaking in,
they will not see your REAL mac address. Moving on...
Now it's time to discover some networks to break into.
Now you will see a list of wireless networks start to populate. Some
will have a better signal than others and it is a good idea to pick one
that has a decent signal otherwise it will take forever to crack or you
may not be able to crack it at all.
Once you see the network that you want to crack, do this:
hold down ctrl and tap c
This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.
**Now from here on out, when I tell you to type a command, you need to
replace whatever is in parenthesis with what I tell you to from your
screen. For example: if i say to type:
then dont actually type in
Instead, replace that with whatever the channel number is...so, for example you would type:
Can't be much clearer than that...lets continue...
Now find the network that you want to crack and MAKE SURE that it says
the encryption for that network is WEP. If it says WPA or any variation
of WPA then move on...you can still crack WPA with backtrack and some
other tools but it is a whole other ball game and you need to master
Once you've decided on a network, take note of its channel number and
bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
The Channel number will be under a heading that says "CH".
Now, in the same Konsole window, type:
the FILE NAME can be whatever you want. This is simply the place that
airodump is going to store the packets of info that you receive to
later crack. You don't even put in an extension...just pick a random
word that you will remember. I usually make mine "wepkey" because I can
always remember it.
**Side Note: if you crack more than one network in the same session,
you must have different file names for each one or it won't work. I
usually just name them wepkey1, wepkey2, etc.
Once you typed in that last command, the screen of airodump will change
and start to show your computer gathering packets. You will also see a
heading marked "IV" with a number underneath it. This stands for
"Initialization Vector" but in noob terms all this means is "packets of
info that contain clues to the password." Once you gain a minimum of
5,000 of these IV's, you can try to crack the password. I've cracked
some right at 5,000 and others have taken over 60,000. It just depends
on how long and difficult they made the password.
Now you are thinking, "I'm screwed because my IV's are going up really
slowly." Well, don't worry, now we are going to trick the router into
giving us HUNDREDS of IV's per second.
3. Actually cracking the WEP password
Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0
This will send some commands to the router that basically cause it to
associate with your computer even though you are not officially
connected with the password. If this command is successful, you should
see about 4 lines of text print out with the last one saying something
similar to "Association Successful :-)" If this happens, then good! You
are almost there. Now type:
This will generate a bunch of text and then you will see a line where
your computer is gathering a bunch of packets and waiting on ARP and
ACK. Don't worry about what these mean...just know that these are your
meal tickets. Now you just sit and wait. Once your computer finally
gathers an ARP request, it will send it back to the router and begin to
generate hundreds of ARP and ACK per second. Sometimes this starts to
happen within seconds...sometimes you have to wait up to a few minutes.
Just be patient. When it finally does happen, switch back to your first
Konsole window and you should see the number underneath the IV starting
to rise rapidly. This is great! It means you are almost finished! When
this number reaches AT LEAST 5,000 then you can start your password
crack. It will probably take more than this but I always start my
password cracking at 5,000 just in case they have a really weak
Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:
aircrack-ng -b (bssid) (filename)-01.cap
Remember the filename you made up earlier? Mine was "wepkey". Don't put
a space in between it and -01.cap here. Type it as you see it. So for
me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to
crack the password. typically you have to wait for more like 10,000 to
20,000 IV's before it will crack. If this is the case, aircrack will
test what you've got so far and then it will say something like "not
enough IV's. Retry at 10,000." DON'T DO ANYTHING! It will stay
running...it is just letting you know that it is on pause until more
IV's are gathered. Once you pass the 10,000 mark it will automatically
fire up again and try to crack it. If this fails it will say "not
enough IV's. Retry at 15,000." and so on until it finally gets it.
If you do everything correctly up to this point, before too long you
will have the password! now if the password looks goofy, dont worry, it
will still work. some passwords are saved in ASCII format, in which
case, aircrack will show you exactly what characters they typed in for
their password. Sometimes, though, the password is saved in HEX format
in which case the computer will show you the HEX encryption of the
password. It doesn't matter either way, because you can type in either
one and it will connect you to the network.
Take note, though, that the password will always be displayed in
aircrack with a colon after every 2 characters. So for instance if the
password was "secret", it would be displayed as:
This would obviously be the ASCII format. If it was a HEX encrypted
password that was something like "0FKW9427VF" then it would still
Just omit the colons from the password, boot back into whatever
operating system you use, try to connect to the network and type in the
password without the colons and presto! You are in!
It may seem like a lot to deal with if you have never done it, but
after a few successful attempts, you will get very quick with it. If I
am near a WEP encrypted router with a good signal, I can often crack
the password in just a couple of minutes.
I am not responsible for what you do with this information. Any
malicious/illegal activity that you do, falls completely on you
because...technically...this is just for you to test the security of
your own network. :-)
I will gladly answer any legitimate questions anyone has to the best of my ability.
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE
TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one
wants to hold your hand through this...read the tut and go experiment
until you get it right.
There are rare occasions where someone will use WEP encryption with SKA
as well. (Shared Key Authentication) If this is the case, additional
steps are needed to associate with the router and therefore, the steps
I lined out here will not work. I've only seen this once or twice,
though, so you probably won't run into it. If I get motivated, I may
throw up a tut on how to crack this in the future.
Hermes kelly bag is actually a made popular brand in apparels and incredible accessories. Hermes usa hand bag has been very sold products inside accessory market from its manufacture day. However, and as long as you hasn't already achieved a service where if your are reasonable for have the reliable mind you or do not like to waste time way too much on a handbag, can i be mindful of counterfeit Hermes usa purses and handbags usa. Replica Hermes affordable handbags lighten woman's wardrobes. So where will we buy them? several individuals are being in complete agreement on the Internet. available on the internet reap some benefits brag us the but many respected pieces on clothes, purses and handbags and any old accessories. refined hermes usa. a clear hermes usa evaluation amongst a few bags can be done in an amazing time. all you have to home are exploring the latest information that is disbursed in holder of fashion and buying on a steady hermes usa store. http://hermeskelly.ucoz.com/ hermes kelly
Hermes kelly bag generally is a prominent emblem in garments and divine accessories. Hermes usa handbag has been very exchanged for money products both in dispenser topic from its advent day. However, make sure you have not achieved an email finder service where if your are affordable to get the authentic also or never also want to hang around very more advanced than on a handbag, how can i be mindful of fraud Hermes usa totes usa. Replica Hermes clutches lighten women's wardrobes. So where can we buy them? but a majority of individuals think you are in agreement of this Internet. available on the web strengths possess us the most shown admiration for pieces on clothes, shopping bags and every alternate classic accessories. beautiful hermes usa. a clear hermes usa evaluate amongst an assortment bags can be done in an incredible time. all you need in order to do are looking at the latest information additionally that is released in common box of style and buying on a reliable hermes usa store. http://hermeskellysale.blogspot.com/ kelly bag hermes
Hermes usa is actually a made popular emblem in clothing and utterly divine accessories. Hermes usa handbag has been extremely cashed out fashion accessories both in dispenser area of interest from its birth day. However, make sure you has not achieved a service where if your are cost effective for get the respectable anyhow or you should not want to waste time too more advanced than on a handbag, can i consider duplicate Hermes usa purses and handbags usa. Replica Hermes purses lighten women's wardrobes. So where are we able to will also get them? many people are in complete agreement on the Internet. available on the web the benefit possess us the but the majority respected checkers on clothes, wholesale handbags and some other old-fashioned accessories. neat hermes usa. a clear hermes usa comparison amongst an assortment bags additional details done in a dazzling time. all that's necessary to do are exploring the latest documentations additionally that is given in planting container of style and purchasing on a hermes usa store. http://hermesusa.webs.com/ hermes usa