Attacker: A computer with an appropriate wireless NIC booted to Kali Linux (detailed instructions below).
Router: Use any wireless router that is available. Connect a cable from any numbered port on the router to any PC, and disable all other network adapters on the PC. Use IPCONFIG to find the Default Gateway on the PC and open that address in a Web browser. Configure the network to use WEP, and make a note of the key, which is ten hexadecimal characters.
Wireless Client: Use any computer with a wireless card. Connect to the wireless router, typing in the ten-character key when you are prompted to. Disable all other network adapters on the wireless client computer. On the wireless client, enter this command to send a constant series of pings to the router, using your router's IP address instead of the example address below:
ping -t 192.168.10.1
Insert the Kali Boot DVD.
Power the machine off.
Power the machine on again, and tap the F9 key to bring up the boot menu. Ensure that CD-ROM is highlighted and press Enter.
Accept the default boot option for Kali Linux.
Log in as root with the password toor.
Open a Terminal window.
iwconfig
You should see the wlan0 device, as shown below on this page. It is in Mode:Managed, which is the normal mode for wireless networking. We need to get the card out of that mode, so we will first disable it.
In the Terminal window, type in this command, and then press the Enter key:
ifconfig wlan0 down
airmon-ng check
airmon-ng check kill
airmon-ng start wlan0
You have now stopped the wireless card and restarted it in monitor mode with the special MadWiFi drivers, which are necessary for cracking WEP. The card is now monitoring all channels.
In the "Shell No.2" window, type in this command, and then press the Enter key:
airodump-ng -w test -t wep wlan0
This command opens a window showing all WEP-using local networks, as shown below on this page. (My image showed the non-WEP networks too.) The captured packets are written to a file named "test"; the file name isn't important here.
The columns in the output are explained below:
You need four items from this screen, as highlighted in the figure above. Write down these values for the network you want to crack:
Press Ctrl+C to stop the Airodump capture.
(The ifconfig and airmon-ng commands you ran earlier stopped the wireless card, checked for processes that might interfere with "monitor mode", and killed those processes.)
airmon-ng stop wlan0
In the Terminal window, type in this command, and then press the Enter key:
airmon-ng start wlan0 11
Replace 11 with the CH number you wrote down in a previous step. Now the card is monitoring only the channel we are interested in.
airodump-ng -c 11 -w output -t wep wlan0
Replace 11 with the CH number you noted earlier.
This captures packets on the desired channel and dumps them into the file output.cap. Notice that the #Data count is not rising quickly; you may not see any data being captured at all.
Leave this capture running.
In the "Shell" window, type in this command, and then press the Enter key:
aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 wlan0
Replace 00:11:50:1E:43:87 with the BSSID you wrote down in a previous step (the access point's MAC address).
Replace 00:16:B6:5B:A3:D6 with the MAC you wrote down in a previous step (the wireless client's MAC address).
(The image below was taken with a different network adapter named rausb0, but now we are using the wlan0 adapter.)
aireplay-ng is waiting for an ARP packet. Disconnect the wireless client and reconnect it to create an ARP request.
Look at the "Shell - Konsole <2>" window. You usually need at least 50000 Data packets to crack a WEP key.
The #Data value should be rising very rapidly, as shown below on this page.
That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.
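From the defender's side, the replay described above has a recognisable signature: the same encrypted ARP request (same IV and same ciphertext) is retransmitted by one station far more often than 802.11 retries would ever produce. The following script, added here as an example and not part of the lab, runs a simple wireless-IDS heuristic over a constructed frame list. The frame records, MAC addresses, IVs and thresholds are all made up for the example; the only assumption is that re-injected frames are byte-identical to the captured one.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample addresses (not from the lab page).
AP = "00:11:22:33:44:55"      # access point BSSID
CLIENT = "66:77:88:99:aa:bb"  # legitimate client, whose MAC a replay tool would reuse


@dataclass(frozen=True)
class Frame:
    ts: float    # capture time in seconds
    src: str     # transmitter MAC
    bssid: str   # access point MAC
    iv: str      # 24-bit WEP IV, hex
    body: str    # hex of the encrypted body (truncated for the sample)


def detect_arp_replay(frames, window=10.0, threshold=20):
    """Flag frames whose exact (src, bssid, IV, ciphertext) tuple repeats
    at least `threshold` times inside any `window`-second sliding window.
    Returns one alert per replayed frame with the peak repeat count."""
    recent = defaultdict(deque)  # key -> timestamps seen inside the window
    peak = defaultdict(int)      # key -> largest repeat count observed
    for f in sorted(frames, key=lambda fr: fr.ts):
        key = (f.src, f.bssid, f.iv, f.body)
        q = recent[key]
        q.append(f.ts)
        # Drop timestamps that have fallen out of the sliding window.
        while f.ts - q[0] > window:
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return [
        {"src": k[0], "bssid": k[1], "iv": k[2], "repeats": n}
        for k, n in peak.items()
        if n >= threshold
    ]


def sample_capture():
    """Constructed capture: a few ordinary ARP frames (one normal 802.11
    retry) followed by one of them re-injected 30 times in 3 seconds."""
    frames = []
    normal = [("0a1b2c", "ab12"), ("0a1b2d", "cd34"), ("0a1b2d", "cd34"), ("0a1b2e", "ef56")]
    for i, (iv, body) in enumerate(normal):
        frames.append(Frame(ts=1.0 + i, src=CLIENT, bssid=AP, iv=iv, body=body))
    for i in range(30):
        frames.append(Frame(ts=20.0 + i * 0.1, src=CLIENT, bssid=AP, iv="0a1b2c", body="ab12"))
    return frames


if __name__ == "__main__":
    for alert in detect_arp_replay(sample_capture()):
        print(f"replay suspected: {alert['src']} -> {alert['bssid']} "
              f"IV {alert['iv']} repeated {alert['repeats']}x")
```

The single retry of the second frame stays well under the threshold, while the replayed frame trips the alert even though it carries the legitimate client's MAC, which is why the detector keys on frame content rather than on source address. Moving the network off WEP remains the real fix; this kind of monitoring only tells you that the attack is under way.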
Troubleshooting
If aireplay-ng stalls waiting for a beacon frame and cannot find any matching beacons, try re-typing the ESSID using only lowercase letters, and avoid using copy-and-paste. Another option is to add the -D flag to the command to ignore beacons.
Troubleshooting
If the ARP replay fails, you can just make the network busier. One simple way to do that is to open 30 Command Prompt windows on the client, each running this command, using your router's IP address instead of the example address below:
ping -t -l 65000 192.168.10.1
They won't get replies, but they should send a lot of packets to the router and make the DATA increase rapidly.
aircrack-ng -a 1 -n 64 output*.cap
If a list of networks appears, find your network and type in its number, followed by the Enter key.
It should find the key within a few minutes, as shown below on this page.
Send the message to cnit.123@gmail.com with a subject line of Proj 22 From Your Name(s). If you are working in a group, list all the names in the subject line. Send a Cc to yourself.
If you don't have a cell phone that can take a photo, capture a snapshot on the Kali machine with Start, KSnapshot. Then send the email from the Kali machine using IceWeasel.
Last modified 12-2-14 2:01 pm by Sam Bowne