First of all, thanks to The Doctor, who has taken the time to write such a complete and easy-to-follow tutorial on cracking WEP with Backtrack 3. This tutorial is very easy to understand and clearly describes how to hack WEP with Backtrack 3 as the supporting security penetration distro. It will absolutely guide you through cracking WEP with Backtrack 3. This Backtrack 3 WEP cracking tutorial is divided into 4 sections:
1. Setting up the wireless card
2. Finding an AP
3. aireplay-ng
4. Finally cracking the password
Here we go :
Introduction to Backtrack 3 and Linux
Backtrack 3 is a Linux live CD based program, which means that it runs directly from a disc. You have to download the program from backtrack.com and then burn it to disc. Don't try installing it; you will more than likely screw up your computer if you don't know what you're doing. If you know about Linux or already run it, then you can skip this intro. If you don't know anything about Linux or are a newbie to the Linux scene, then pay close attention to the following.
After you have successfully downloaded the .iso image, you will need to BURN it. You HAVE TO use an ISO burning program, any one that your little blackened-hacker heart desires, and yes, if you are successful in cracking a WEP code, you are a hacker to me, even if you're just wet behind the ears; a hacker in training, I would say. Personally I use CloneCD to burn CD images and CloneDVD to burn DVD images. You can also use Nero 8 or 9; if you don't know how to do this then I suggest you go to www.emule-project.net and learn the basics of downloading, and use the program to download a copy of CloneCD or CloneDVD or Nero. Now that you have the burned disc with Backtrack 3, we can get to the Linux part. You'll need to know how to get into the BIOS settings of your computer; if you don't know how, then you probably shouldn't be reading this tutorial. But so you know, you have to restart your computer and then, while it's booting, press F2 or Delete depending on your computer's BIOS. When you get in there, you will need to change your boot sequence. By default, the CD/DVD drive is the first on the list of the boot sequence. This is what you want, so if this is already the case, don't mess with it. If not, then you need to change it so that your CD/DVD drive boots first. Once this is done you can exit and save changes. Your computer will restart; you want to make sure that your Backtrack 3 disc is in the drive when you start your computer. Once the CD/DVD starts up, it will have a list of stuff to choose from; the top one says something like "BT3 GRAPHICS WITH KDE". This is the one that you want. It's a simple interface that is based on Linux. It will look a lot like Windows, or if you're used to Mac or Apple it looks a lot like that in the file systems. Once you click the top option it will go through a whole spiel of stuff that it says is opening and whatnot. Just give it some time and eventually you will get into the Backtrack desktop. Now that you're here I will explain a little about Linux.
Linux is an old operating system based off of Unix. It's a programming operating system, but don't be scared. Linux is a severely misunderstood operating system. Personally I use Kubuntu; I like it. It looks a lot like Vista and it's free, as opposed to Windows. Linux being free also means that you don't have to download a hacked version of Windows and get a hacked serial. If you bought your Windows operating system, then lucky you, you probably have enough money to pay for a lot of stuff, including your own internet!
The Linux command lines are similar to the commands used in DOS: you use a command to run a program. In this tutorial I will explain some of the more complex commands, such as:
airodump-ng --ivs --channel 11 -w /root/wepivs eth0
This command will be explained in further detail later on in the tutorial. For now, let's discuss some of the programs that you will be using.
The main program that you will use is called Konsole. It's a terminal program not dissimilar to the MS-DOS prompt, or if you run Windows XP or Vista, the command prompt. To access this program, look to the bottom left of the screen and you will see a button that has a K on it. This is Backtrack's start button. To the right of this is the Konsole quick launch button. You can use this to open one or more Konsoles concurrently. You will need to open more than one Konsole, so remember where this is.
The other thing that you will be using is the button to the right of the Konsole quick launch button. It looks like an HDTV. I don't know what to call this, but it will open up a window kind of like the My Computer folder on the desktop of Windows. From here, there are only two places that you may need to go. The first is Home. You just click on the link and it will show you the /root folder. This folder is similar to the C: drive in Windows. This is where you will be placing the WEP IVs that you are going to capture. A WEP IV is basically a WEP code that has been encrypted. By capturing these IVs, you can crack the WEP password. These are the only programs that you should use as a beginner. The media folder is where any USB mass storage devices are (USB hard drives, thumb drives). You probably won't need to open this, but I just want you to know where it is in case you do have extra USB stuff.
If you feel frisky, try out some of the other programs that are in the start menu under Backtrack. I strongly caution you, however, that some of the programs in that section can potentially get you into a lot of trouble if you don't know your way around mirrors and routers. But for all intents and purposes, you will only need the programs discussed previously.
Now that you know how to open a Konsole, and how to run around your /root and media folders, I will tell you some small disadvantages of the program. It does take time. It might take hours or minutes. It all depends on how close you are to your access point (target WiFi), your signal quality, and your wireless card's capabilities. Don't worry about compatibility, because I use a wireless adapter that isn't on the official compatibility list and it works fine.
The other disadvantage is that if you do have a USB hard drive that you happen to have music on, you won't be able to listen to it while the program is running. At least not on the CD version, which is what I use; I don't know about the DVD version because I don't use it. I like the CD version. It was smaller.
A simple command for Konsole that you might want to know is:
Shift-Insert: this is the paste command. You can use this to copy and paste things like complex commands into the console. You can right-click on the desktop, go to New and open a new text document to do a little typing. This will be useful for typing out a command, copying it and then pasting it into the Konsole. The copy command and the paste command for the text program are the same as in Windows:
CTRL-C for copy and CTRL-V for paste.
This pretty much concludes the introduction. Remember to read carefully, and remember that commands put into the Konsole are sensitive: one letter out of place, or a space, hyphen or command sequence in the wrong order will make the command non-functional. If at first it doesn't work, retype it. Also remember to ONLY close or open a new console when stated. I spent a lot of time and effort to make this a step-by-step procedure for ease of use.
Author's note: I know that this has been a little long-winded, but I do it only for your benefit. The more you know, the more you'll get out of the program. Have fun, keep your ass covered, and if the NSA show up... well, you're on your own, but if it were me, I would take the job; more money than I'm making now!! ABOVE ALL: don't give up. This is a simple program, and once you know how to use it, it is really fun to watch your friends' faces as you crack their internet wide open. I sincerely hope you get as much enjoyment out of it as I have, and I sincerely hope this helps somebody, somewhere, or else I just did a lot of typing for nothing!!
The Doctor(P.H.D. Hacking)
1: Setting up the wireless card
First thing you need to do is open a Konsole and type this:
modprobe -r iwl3945
This will set your wireless utilities up. The next command that you type is:
This sets up the driver for your card. Usually these commands don't need to be used, as the Backtrack program pre-loads your drivers on startup.
The next command to put in is:
This will show you your wireless settings. You want to make a note (on paper) of your adapter's interface name; it's usually something like eth0 (eth zero) or wlan0 (wlan zero). For instructional purposes we will say that your adapter's interface name is eth0 (e t h #zero... get it?).
The next thing you want to do is stop the adapter. To do this you type the command:
airmon-ng stop eth0
This stops the adapter so that you can make a few minor adjustments to it. The next thing you type is:
ifconfig eth0 down
This configures your card the way that it needs to be to run the programs that you're about to start.
Now you want to change your MAC address; this helps to protect you from being found out. I don't recommend you use this part of the command structure unless you know what you're doing, but if you do, type the following command:
macchanger --mac 00:11:22:33:44:66 eth0
This changes the MAC address of the adapter to a fake one. It comes in handy later on; it makes it simpler to type in too.
NOTE: you shouldn't need to do this if you're getting permission to hack the target AP. Also, some APs do a thing called MAC filtering, which makes it so that you get booted off if you are using a fake MAC address. You can see the MAC address of your adapter by typing:
macchanger -s eth0
This will show the current MAC address of your adapter.
2: Finding an AP (access point [target WiFi])
This is probably the easiest part. What you're going to do is open a new Konsole (or terminal) and type in the following command:
This will show you the APs in your range. What you want to do is write down (on paper) the BSSID (MAC address of the target AP), the channel of the target AP, and the ESSID (the name of the target AP; for instructional purposes I will say that your ESSID is belkin54g). After you have all the info (411) you can then move on to the next step. You can close the Konsole that you opened to find your target AP.
Next we can start to capture WEP IVs.
Type the following command in the Konsole that you already had up and running:
airodump-ng --ivs --channel 11 -w /root/wepivs eth0
Breakdown of command:
airodump-ng is the program.
--ivs (note the two dashes) tells the program only to capture and record WEP IVs.
--channel 11 tells the program to focus on the specific channel, which is 11. You can change 11 depending on the channel of your target AP.
-w /root/wepivs tells the program to save the captured WEP IVs to the file /root/wepivs. If I were you, I would use the same setup as I state here. You can always save them to a different area, but the way I have it set up here is the easiest way to find it later on.
Now don't close the window that you just did all that work in, or you will have to start all over. Just leave it running; it is already recording WEP IVs, just not too fast.
You need to start the adapter now. You're going to enable monitor mode, which is why you did all that crap in step 1.
Open a new Konsole and type in the following command:
airmon-ng start eth0 11
Breakdown of command:
airmon-ng is the program.
start is going to start the adapter, which is
eth0, the adapter, on
11, which is the channel that the adapter is going to monitor. The channel you want is the one that you wrote down ON PAPER earlier.
Now that you have enabled monitor mode on your adapter, you can look at the first Konsole and you'll notice that your Beacons numbers are going mad, which they weren't before. Now that the card is monitoring, it is capturing WEP data. The number that you want to look at real hard is the one to the right of the Beacons number. It's labeled #Data; this is the WEP IVs that you have captured.
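The same airodump-ng survey is what a network owner runs to find legacy WEP or open access points in their own estate before anyone else does. The following is an added example, not part of The Doctor's tutorial or of the aircrack-ng project: a small Python audit that reads the CSV table airodump-ng writes beside its capture (the prefix-01.csv file; that column layout, and that it is produced when --ivs is not given, are assumptions to check against your own output) and lists every AP still running WEP or no encryption at all. The CSV text, the second and third access points and the function names are constructed for the example; only the BSSID and ESSID reuse the tutorial's placeholders.

```python
"""Audit an airodump-ng style CSV survey for legacy WEP and open networks.

Added example, not code from the tutorial or from aircrack-ng. The column
order is modelled on the prefix-01.csv file airodump-ng writes when run
without --ivs; treat it as an assumption and verify it against your capture.
"""

# Constructed sample in airodump-ng's CSV layout: the AP table, a blank line,
# then the station table header. Only the BSSID and ESSID come from the tutorial;
# every other value is made up for illustration.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:66, 2009-01-01 10:00:00, 2009-01-01 10:05:00, 11, 54, WEP, WEP, , -45, 1200, 24567, 0. 0. 0. 0, 9, belkin54g,
AA:BB:CC:DD:EE:01, 2009-01-01 10:00:00, 2009-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -60, 800, 0, 0. 0. 0. 0, 8, CorpWiFi,
AA:BB:CC:DD:EE:02, 2009-01-01 10:00:00, 2009-01-01 10:05:00, 1, 11, OPN, , , -70, 300, 0, 0. 0. 0. 0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return one dict per access-point row, keyed by the header names.

    Parsing stops at the blank line that separates the AP table from the
    station table. Fields are split on commas, so an ESSID containing a
    comma would need a real CSV reader; that case is out of scope here.
    """
    aps = []
    lines = text.splitlines()
    if not lines:
        return aps
    header = [h.strip() for h in lines[0].split(",")]
    for line in lines[1:]:
        if not line.strip():
            break  # end of the AP table
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < len(header):
            continue  # malformed or truncated row
        aps.append(dict(zip(header, fields)))
    return aps


def weak_networks(text):
    """Flag APs whose Privacy column is WEP or OPN.

    Both belong on a migration list: WEP keys are recoverable from captured
    IVs (the tutorial shows exactly that), and OPN offers no confidentiality.
    The "# IV" column shows how much WEP traffic the survey already saw.
    """
    findings = []
    for ap in parse_access_points(text):
        privacy = ap["Privacy"].upper()
        if privacy.startswith("WEP") or privacy == "OPN":
            findings.append({
                "bssid": ap["BSSID"],
                "essid": ap["ESSID"],
                "channel": int(ap["channel"]),
                "privacy": privacy,
                "ivs_seen": int(ap["# IV"] or 0),
            })
    return findings


if __name__ == "__main__":
    for f in weak_networks(SAMPLE_CSV):
        print("%-17s ch%-2d %-5s %-10s IVs seen: %d" % (
            f["bssid"], f["channel"], f["privacy"], f["essid"], f["ivs_seen"]))
```

Point the parser at your own prefix-01.csv instead of SAMPLE_CSV to get a migration list for a site; the IV count column is a useful priority signal, since a WEP AP that is already producing thousands of IVs is the one that will fall first.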
3: aireplay-ng, the weirdo
This is the weird part. You kind of have to do some backtracking (pardon the pun). You are going to type this command into your Konsole:
aireplay-ng -3 -b 00:11:22:33:44:66 -h 00:11:22:33:44:66 eth0
Breakdown of command:
aireplay-ng is the program.
-3 is the type of packet injection (makes you get ARPs, discussed later).
-b is the MAC address of your target AP, which I have for instructional purposes as 00:11:22:33:44:66.
-h is your wireless MAC address, which I have for instructional purposes as 00:11:22:33:44:66.
Now after you have started this, it will start saying something about packets and a whole lot of mumbo-jumbo that you probably don't understand. The only thing you need to look at on this is the ARP number. This number will slowly increase as time goes on. The only problem is that if you look back at your first Konsole, you will see that your Beacons count is slow again. To fix this, open a new Konsole; don't close the other two or you'll have to start all over. Now in the new Konsole type the command that we used to start the adapter, which, if you don't want to go find that again, is:
airmon-ng start eth0 11
Now your Beacons number will start going mad again and you will start to capture more WEP IVs than before, and the second Konsole that you ran the aireplay-ng program in will get more ARPs. Now all you gotta do is sit back and do some type of hobby that you enjoy while the program collects data.
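From the defender's side, the aireplay-ng -3 step above has a distinctive signature: the injector re-sends one captured ARP request unchanged, so a wireless IDS sees a single station emit a burst of identical-length data frames that all carry the same 24-bit WEP IV. The following Python is an added example, not code from the tutorial or from any wireless IDS product. It runs two detection checks over a constructed frame log and also computes the birthday-bound probability that even an honest WEP client repeats an IV, which is the underlying reason the key can be recovered at all. The Frame record, the 68-byte ARP-sized length, the one-second window and the threshold of 50 frames are all assumptions chosen for illustration.

```python
"""Detecting an ARP replay burst and WEP IV reuse from a frame log.

Added example, not from the tutorial. Frame records, sizes and thresholds are
constructed assumptions; a real deployment would feed this from a
monitor-mode capture and tune the numbers to the site's normal traffic.
"""
from collections import Counter
from dataclasses import dataclass
import math

IV_SPACE = 2 ** 24  # WEP IVs are 24 bits: only 16,777,216 distinct values exist


@dataclass(frozen=True)
class Frame:
    t: float      # capture time in seconds (constructed)
    src: str      # transmitter MAC
    bssid: str    # access point the frame is addressed to
    length: int   # frame length in bytes
    iv: int       # 24-bit WEP IV taken from the frame header


def detect_replay_bursts(frames, window=1.0, threshold=50):
    """Flag (src, length) pairs sending more than `threshold` frames of one
    size inside any `window`-second bucket. Ordinary clients rarely send
    dozens of identical-size data frames per second; a replay tool does.
    Returns {(src, length): peak_count_in_one_window}."""
    buckets = Counter()
    for f in frames:
        buckets[(f.src, f.length, int(f.t // window))] += 1
    hits = {}
    for (src, length, _bucket), n in buckets.items():
        if n > threshold:
            hits[(src, length)] = max(n, hits.get((src, length), 0))
    return hits


def detect_iv_reuse(frames, min_repeats=2):
    """Return {(bssid, iv): count} for IVs seen at least `min_repeats` times.
    A replayed frame carries the same IV on every copy, so a large count on
    one IV is a strong replay indicator; any reuse at all also means the same
    RC4 keystream was applied twice, which is WEP's core weakness."""
    seen = Counter((f.bssid, f.iv) for f in frames)
    return {k: n for k, n in seen.items() if n >= min_repeats}


def iv_collision_probability(n, space=IV_SPACE):
    """Birthday bound: probability that at least two of n frames share an IV
    even if IVs were chosen uniformly at random. Roughly 50% after only
    ~4,800 frames, far below the 200,000-500,000 packets the tutorial collects."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def build_sample():
    """Constructed traffic: one normal client plus one replaying station,
    both talking to the tutorial's placeholder AP."""
    ap = "00:11:22:33:44:66"
    frames = []
    # Normal client: ten frames spread over ten seconds, varying sizes, fresh IVs.
    for i in range(10):
        frames.append(Frame(t=float(i), src="aa:bb:cc:00:00:01", bssid=ap,
                            length=100 + 7 * i, iv=0x100000 + i))
    # Replaying station: 200 copies of one ARP-sized frame within a single second.
    for i in range(200):
        frames.append(Frame(t=5.0 + i / 200.0, src="aa:bb:cc:00:00:02", bssid=ap,
                            length=68, iv=0x0ABCDE))
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print("replay bursts:", detect_replay_bursts(sample))
    print("reused IVs:", {(b, hex(iv)): n for (b, iv), n in detect_iv_reuse(sample).items()})
    print("P(IV collision) after 4823 random frames: %.3f" % iv_collision_probability(4823))
```

Running the file flags the second station on both checks. The IV-reuse check is the more robust of the two: a replay tool repeats the IV on every copy by construction, whereas a legitimate client only collides occasionally (at the rate the last function computes), so a single IV with hundreds of hits is hard to explain any other way.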
4: Finally cracking the password
You WILL have to have a lot of packets, I mean a lot. Somewhere in the range of 200,000 to 500,000 data packets; again, this number is in the first Konsole (the airodump-ng program that shows the Beacons), next to the Beacons number, listed as #Data. Once you have a bunch of WEP IVs, you can use that third Konsole, the one you used to restart monitor mode with the last command of the previous section.
The command for the cracking procedure is:
aircrack-ng -s /root/wepivs-01.ivs
Breakdown of command:
aircrack-ng is the program.
-s will show you an interactive menu; you will need this to pick the target AP, so don't mess with this option.
/root/wepivs-01.ivs is the file name of the WEP IVs that you just spent all that time collecting. You'll note that it differs slightly from the name you put in earlier. What you put in was /root/wepivs, but the program airodump-ng likes to put -01.ivs on the end of the file, kind of like how Windows puts .avi or .txt on the end of a video or text file.
This will go through some paces and, if you have enough WEP IVs, you will have a successful crack. If not, it will say something like "Failed: Next try at 5000 IVs". This means that it doesn't have enough IVs and that you need to get more. Don't worry though; all the other stuff you have been doing is still running and still capturing WEP IVs. The 5000 is a representational number. This number goes up in increments of 5000. If you have 200,384 WEP IVs and you get a failed after trying to crack it, it will say something like "Failed: Next try at 205,000". You can choose to leave the program running and let it auto-crack every five thousand IVs, or you can close it every time you get a failed and retry any time that you choose. Once the crack is successfully completed, you will get a number that looks like a MAC address, i.e. 00:11:22:33:44:55. This is the WEP code. All you have to do is remove the : parts and put the numbers in where you put the WEP code in to get on your wireless internet.
And that's it! That's all there is to the program. That wasn't so bad, was it? It may take some time and a little typing and a lot of head scratching and endless hours in front of the mirror asking "why did I want to learn how to hack again?", but all in all the program is simple and easy, and once you know how to use it, it gets faster and easier. So that's all from me, and I hope that you enjoyed me teaching you your first successful hack of a WEP code. If there are questions... I don't know what to tell you. I'm not giving out my email for obvious reasons. The only thing I will say is that Google has links to thousands of forums for Backtrack 3 discussions. If you have a problem, that is the best place to start. I actually had to use 5 different manuals to learn that a lot of the stuff that they wanted me to do either didn't work or was redundant, which is why I made this for you! Anyway, I'm done typing now and I'm tired because it just took me several hours to type this. See the sacrifice I made for you?
All in a night's work,
The Doctor (P.H.D. Hacking)