Cracking WEP Using Backtrack: A Beginner’s Guide

A. SCOPE

This tutorial is intended for users with little or no experience with Linux or wifi. The folks over at remote-exploit have released “Backtrack”, a tool which makes it ridiculously easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.

Required Tools

  • You will need a computer with a wireless adapter listed here
  • Download Backtrack and burn its image to a CD

B. OVERVIEW

BACKTRACK is a bootable live cd with a myriad of wireless and tcp/ip networking tools. This tutorial will only cover the included kismet and aircrack-ng suite of tools.

Tools Overview

  • Kismet – a wireless network detector and packet sniffer
  • airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
  • airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
  • aireplay – a tool for forging ARP requests
  • aircrack – a tool for decrypting WEP keys
  • iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP requests to the target router
  • macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

Glossary of Terms

  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (e.g. 00:11:ef:22:a3:6a)
  • BSSID: the Access Point’s MAC address
  • ESSID: the Access Point’s broadcast name (e.g. linksys, default, belkin). Some APs will not broadcast their name, but Kismet may be able to detect it anyway
  • TERMINAL: MS-DOS like command line interface. You can open this by clicking the black box icon next to the start key in backtrack
  • WEP: short for Wired Equivalent Privacy, a security protocol for Wi-Fi networks
  • WPA: short for WiFi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since Backtrack is a live CD running off your cdrom, there is nowhere that you can write files to unless you have a linux partition on your hard drive or a usb storage device. Backtrack has some NTFS support so you will be able to browse to your windows based hard drive should you have one, but it will mount the partition as “read-only”. I dual boot windows and ubuntu on my laptop so I already have a linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and mounting them for me. To find your hard drive or usb storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.

C. DISCLAIMER

Hacking into someone’s wireless network without permission is probably against the law. I wouldn’t recommend doing it. I didn’t break into anyone else’s network while learning how to do this.

D. IMPLEMENTATION

STEP 1

Monitoring Wireless Traffic With Kismet

Place the backtrack CD into your cd-rom drive and boot into Backtrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like “Hit ctrl+esc to change bios settings”. Changing your first boot device to cdrom will do the trick. Once booted into linux, login as root with username: root password: toor. These are the default username and password used by backtrack. A command prompt will appear. Type startx to start KDE (a ‘windows’ like workspace for linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to Backtrack->Wireless Tools -> Analyzers ->Kismet. Alternatively you can open a Terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely ‘ath0’, and sit back as kismet starts detecting networks in range.

NOTE: We use kismet for two reasons.

  1. To find the bssid, essid, and channel number of the AP you are accessing.
  2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point?) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device’s name just type:

iwconfig

Which will look something like this:

[Figure: example iwconfig output]

While kismet detects networks and the clients using them, you might want to type ‘s’ and then ‘Q’ (case sensitive). This sorts all of the APs in your area by signal strength. The default ‘autofit’ mode that kismet starts up in doesn’t give you much flexibility. With the APs sorted by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (Side note: when selecting the target AP, keep in mind this tutorial only covers accessing APs that use WEP encryption. In kismet the flags for encryption are Y/N/0: Y = WEP, N = open network with no encryption, 0 = other, most likely WPA.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (ESSID), MAC address (BSSID), and channel number of your target AP into a text editor. Backtrack is KDE based so you can use kwrite: just open a terminal and type ‘kwrite’, or select it from the start button. To copy and paste in Backtrack’s terminal, use shift+ctrl+c and shift+ctrl+v respectively. Leave kismet running so that your wireless adapter stays in monitor mode. You can also use airmon to do this manually; type airmon-ng -h for more help with this.

STEP 2

Collecting Data With Airodump

Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straightforward; for help with this program you can always type “airodump-ng -h” at the command prompt for additional options.

airodump-ng ath0 -w /mnt/hda2/home/ryan/belkin_slax_rcu 9 1

Breaking down this command:

  • ath0 is my wireless card
  • -w tells airodump to write the capture file to /mnt/hda2/home/ryan/belkin_slax_rcu (airodump adds a sequence number and extension, e.g. -03.ivs)
  • 9 is the channel of my target AP (channel 9)
  • 1 tells airodump to collect only IVs (the initialization vectors of the WEP data packets), which are what aircrack uses to recover the WEP key

STEP 3

Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

  • -1 at the beginning specifies the type of attack. In this case we want fake authentication with the AP. You can view all options by typing aireplay-ng -h
  • 0 specifies the delay between attacks
  • -e is the ESSID tag. belkin is the ESSID or broadcast name of my target AP. Linksys or default are other common names
  • -a is the BSSID tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
  • -h is your wireless adapter’s MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
  • ath0 at the end is my wireless adapter’s device name in linux

STEP 4

Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

NOTES:

  • -b requires the MAC address of the AP we are accessing.
  • -h is your wireless adapter’s MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
  • If packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter’s transmission rate. You can find your AP’s transmission rate in kismet by using the up or down arrow keys to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren’t many ARP requests from other computers on the network. As it keeps running, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no need to close the open aireplay terminal window before doing this; just run both at the same time. You will probably need somewhere between 200k and 500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?

Just reassociate with the AP following the instructions on step 3.
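From the defender’s side, what Steps 3 and 4 put on the air is easy to spot: one station pushing hundreds of identical-length encrypted ARP frames per second at the AP, plus bursts of deauthentication frames (the “got a deauth/disassoc packet” notice above is the client’s view of the latter). The following script is an added example, not part of the original tutorial; it assumes a simplified per-frame record (time, type, source MAC, BSSID, length) and illustrative thresholds, and runs over a constructed frame log that reuses the tutorial’s example MAC addresses.

```python
"""Added example: flag ARP-replay injection and deauth bursts in a frame log.
The per-frame record layout (time, type, source MAC, BSSID, length) and the
thresholds are assumptions for this demo, not a real WIDS format."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: float       # capture time in seconds
    ftype: str     # "data" or "deauth" (management subtype)
    src: str       # transmitter MAC
    bssid: str     # AP the frame belongs to
    length: int    # frame length in bytes


def _windows(frames, window):
    """Yield every maximal run of frames spanning at most `window` seconds."""
    frames = sorted(frames, key=lambda f: f.t)
    lo = 0
    for hi in range(len(frames)):
        while frames[hi].t - frames[lo].t > window:
            lo += 1
        yield frames[lo:hi + 1]


def arp_replay_alerts(frames, window=1.0, min_frames=50, same_len_ratio=0.9):
    """Return (src, bssid, length, count) for stations sending >= min_frames
    data frames to one BSSID within `window` seconds where >= same_len_ratio
    of them are the same size. A replayed WEP-encrypted ARP request is always
    the same length, so this is the footprint of aireplay-ng -3 injection;
    a browsing client sends mixed sizes at a far lower rate."""
    by_station = defaultdict(list)
    for f in frames:
        if f.ftype == "data":
            by_station[(f.src, f.bssid)].append(f)
    alerts = []
    for (src, bssid), fs in by_station.items():
        for win in _windows(fs, window):
            if len(win) < min_frames:
                continue
            length, n = Counter(f.length for f in win).most_common(1)[0]
            if n / len(win) >= same_len_ratio:
                alerts.append((src, bssid, length, len(win)))
                break  # one alert per station is enough
    return alerts


def deauth_burst_alerts(frames, window=5.0, min_frames=5):
    """Return (bssid, count) when >= min_frames deauthentication frames hit one
    BSSID within `window` seconds (the client sees this as the tutorial's
    'got a deauth/disassoc packet' notice)."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f.ftype == "deauth":
            by_bssid[f.bssid].append(f)
    alerts = []
    for bssid, fs in by_bssid.items():
        for win in _windows(fs, window):
            if len(win) >= min_frames:
                alerts.append((bssid, len(win)))
                break
    return alerts


def sample_frames():
    """Constructed sample traffic, not a real capture; MACs reuse the tutorial's examples."""
    ap = "00:11:22:33:44:55"
    client, injector = "00:aa:bb:cc:dd:01", "00:fe:22:33:f4:e5"
    frames = []
    for i in range(30):    # legitimate client: mixed sizes over 10 seconds
        frames.append(Frame(i * 0.33, "data", client, ap, 90 + (i * 37) % 400))
    for i in range(300):   # injector: 300 identical 68-byte frames in 0.6 s
        frames.append(Frame(5.0 + i * 0.002, "data", injector, ap, 68))
    for i in range(6):     # short deauth burst against the same AP
        frames.append(Frame(8.0 + i * 0.1, "deauth", injector, ap, 26))
    return frames
```

Running `arp_replay_alerts(sample_frames())` flags only the injecting station, and `deauth_burst_alerts` flags the AP once the fifth deauth frame lands inside the window.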

STEP 5

Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/belkin_slax_rcu-03.ivs

Change /mnt/hda2/home/belkin_slax_rcu-03.ivs to your file’s location

Once you have enough captured data packets, decrypting the key will only take a couple of seconds. For my AP it took 380k data packets. If aircrack doesn’t find the key almost immediately, just sit back and wait for more data packets.

[Figure: example aircrack-ng output]

If this guide doesn’t fully answer your questions you can always refer to the forums at remote-exploit.org

Author: Ryan Underdown

My name is Ryan Underdown, I’m the director of search engine marketing for Web-Op where I get to work on lots of interesting projects. Please follow me on twitter.

213 Comments

    • Actually u were right the first time. Once you have selected your ap airmon will put your wireless card in monitor mode and there would be no need for kismet. In fact in BT3 kismet channel hops and screws up aireplay attempts in my experience.

  1. Hi Ryan, thanks for the response.

    Can I ask you some questions?

    This tut is made for BT and you run the commands from terminal as root?

    I personally use ubuntu (easy peasy) because I’m a noob on my Asus 1008HA.

    I’ve been using this tut to try to hack my host, but he uses MAC filtering.

    http://dev.eek.be/2010/02/hacking-wep-encryption-on-ubuntu/

    Do you know HOW and WHEN I should implement this mac change?

    Also how come it doesn’t work for me when I use ath0 like in your tut and it does work when I use mon0 like in the other tut? Are there multiple ways to arrive at the same result?

    Thanks Ryan

    • Hi carlos. If the host uses MAC filtering u probably need to find a client that is connected and spoof your mac with macchanger to be the same as the client. I’ve never done it but I believe that should work for u. As for ath0 vs mon0 – basically the name of your interface assigned is likely determined by the type of wireless card and maybe even the version of linux u use. All u need to do is type iwconfig and figure out which interface is your wireless adapter and replace that name where I mention ath0 in my tutorial. Hope that helps.

  2. Thanks for the reply Ryan!

    I’ll do some research on how to find out a client that is connected to the host!

    Thanks again for your help!

  3. mr. ryan

    is there a way to speed up the data collection. I’ve been looking at my screen for 24hrs and am only at 10,476

    • I think there is a wide difference in packet injection speed between wireless cards. A card w atheros chipset tends to work best. I’ve tried rt61 and broadcom 43xx which both technically support injection without much luck. Outside that ur on your own. Sorry.

  4. Hey Ryan,

    I was able to boot the live CD but the Wireless assistant is not recognizing my Netgear WG311 adapter and wants to close. Also, when I attempt to open Kismet nothing seems to happen.

    • I’ve had this happen to me before with a different wireless card. If you’re not using BT4 I would try that and see if it works; otherwise u can type in “iwconfig” in a terminal window and see if your wireless adapter is detected. If it is showing up you can try typing “ifconfig ath0 up” where ath0 is your wireless card as named in your iwconfig. Sometimes they show up named as “mon0” or “wlan0” or even “eth1” or some such variant depending on the chipset of your wireless adapter. I’ve never used a netgear. By chance is it a usb adapter? If so you may be shit out of luck. I hear many usb adapters don’t support packet injection. You can use “aireplay-ng --test ath0” to see if your card supports injection. Remember to substitute your adapter’s name for ath0. Hope that helps.

  5. Hey,

    Thanks for the quick response. I am using Backtrack 3. Also it’s a PCI not USB. I’ve just learned that the WG311 comes in v1, v2, and v3. The v1 apparently has the sought after Atheros chipset (with packet injection) while the other two may not be supported. I hope I have that right, don’t want to misinform anyone. Considering I just purchased it this past weekend I would say it may be the v3. I’ll try typing iwconfig when I get home to my pc. (at work at the moment) Thanks again!

    • Np I now use the wordpress android app so I reply anytime :) I’d recommend downloading and burning bt4 if u have any problems. The guys behind backtrack have packaged up a lot of patched drivers in the latest release – so in case u don’t have an atheros chipset it won’t mean packet injection won’t work. I’ve tried three non atheros chipsets without too much of a hitch. BT4 is a big upgrade.

  6. Great advice Ryan. I’m downloading BT4 now. Also for the record after typing in iwconfig into the terminal it responded with “no wireless extensions” Typing “kismet” into the terminal resulted in dialogue that suggested the same. I’ll keep you posted along the way.

  7. Hy Ryan,
    I have Intel 4965 wireless card, all commands work perfectly, but I receive the IVs very very slowly; in 2 hours I receive only 80 IVs. I hear something about a driver to install or other things but I don’t know what to do.
    i use bt4!

  8. Hi, can anyone tell me if there is a list of wireless adapters that work with BackTrack 3? I know (or I think) that not all wireless adapters work with it. I have a WIRELESS EZ Connect G USB 2.0 Adapter, model SMCWUSB-G from “SMC Networks”, because a friend told me it works. This USB adapter is for 802.11g up to 54 Mbps. But I would like to try other wireless adapters. Thank you

  9. Hi excellent tutorial!

    Quick question. I’m a Linux noob, I have literally almost no idea how to use it; despite this I’m running the BT4 live cd and successfully running aireplay and airodump separately, however the rate I’m receiving IVs is very slow and I wanted to know if there’s a way I can run them both together from the live cd prompt. Everything I try just now causes either program to stop. Any help would be great!

  10. Well, it’s been a while but I thought I would give an update on the BT4 install. It installed just fine but the issue is apparently my chipset on my adapter. Apparently, the Netgear WG311 comes in four different versions – WG311v1, WG311v2, WG311v3, and WG311T. v1 and T are both Atheros chipsets and are compatible out of the box. v2 is Texas Instruments chipset. v3 is Marvell chipset and not supported. However there is a program called Ndiswrapper which may allow me to install the windows .sys and .inf drivers on linux. I’m looking into that now. A word of advice to those who want to crack WEP, stay away from the Netgear WG311v2 and WG311v3 as they seem to be incompatible with BT3 and BT4.

    • @studiotime ndiswrapper isn’t going to work for you simply because windows drivers don’t support packet injection

  11. hi Ryan, please tell me do i need to install aircrack-ng and aireplay etc. on the Backtrack OS? I’m new to linux, please help me. i know for you it is a stupid question but please, I’m new

    • Hi saqib – all the programs u need come with any version of backtrack already. Just open a terminal window and type in their full name ie aireplay-ng

  12. Pingback: The Myths of Website security, SSL, and padlock symbol « Revert to Type

  13. Hi Ryan, my problem at this time is that i have backtrack 3 running on a usb card; on a laptop with a d-link card. now i got kismet to work perfect the first time i used it! but now it won’t work… so i know it’s not the card but some setting or saved error!
    Can you help?

  14. Pingback: Advice for my WEP/WPA Cracker

  15. Pingback: The Myths of Website security, SSL, and the padlock symbol | Website Design West Midlands

  16. Hi Ryan
    I dunno if this thread is still active and if u visit this page all together but i have a problem ^^ (how strange isn’t it?) :D
    Okay so i burned the image and booted into Linux, started kismet and got it to search for networks
    Then i got to step 2 where my little adventure ended. I dont understand this airdump-ng thingy cuz it doesnt want to start..
    I run Windows Vista home premium and i have only one disk C:/ so i cant make airdump to work… i get only “type airdump-ng --help for more help”?!?!?
    So without disk partition for linux or a usb device i cant do this at all?
    If i can or if u have any solution for me plz –help me :D
    Karlo

  17. sorry for posting again but i just realized that i didnt provide u with enough info…
    I use BT4 and my card is Intel wifi link 4965AGN…
    In airodump i type “airodump-ng wlan0 -w /root/Desktop 1 1”
    And i get the --help message after that… it seems im not doing the right thing… plz tell me how to mount a usb to work with this and does it have to be a specific usb or can it be any type (i mean regular cheap usb 1-2GB)
    ty again

  18. hi i am using ubuntu

    i have successfully cracked one wpa tkip-psk network
    but the password has been changed so have to do again but seem to get this error alot

    [sudo] password for bill:
    23:36:03 Waiting for beacon frame (BSSID: 00:26:5A:83:B6:7F) on channel 4
    23:36:03 mon0 is on channel 4, but the AP uses channel 1

    either this or i capture no packets please help me thanks in advance!

  19. Hi Ryan. For some reason, I can’t view your tutorial due to comments being posted over it? I’ll try a couple different browsers, but I have already tried loading IE a few different times to no avail…

  20. i followed your steps, everything works fine until i start the command to inject packets, it keeps on reading packets i let it till 30000 but it never starts injecting packets so the data can raise, it stays to 0, what can i do, i tried on multiple networks and the same result.

  21. @Karlo I think you need to mount a Usb stick or something where airodump-ng can store its dump data.
    I don’t know it by heart how to mount a USB stick but it works with all types of filesystems (fat32, ntfs….)
    Just google it.

    @Bill I think you are capturing packets with ariodump the same time you try to use aireplay.
    In standard settings airodump jumps from channel to channel and if airodump targets the mon0 (your capturing device)
    at channel x for listening to packets you cant inject packets to channel y the same time.
    Just get the channel of the AP you want to attack and let airodump only capture packets on this channel. After that it should work to inject and capture at the same time(as it should be)!
    You can also start aircrack after you set all ready and capturing packets and just try to crack the password.
    It may not work directly but aircrack retries the crack process by itself after airodump has captured 5000 IV packets

    @namp got the same problem; according to this I’m trying to do it after the tutorial’s steps, which I think may work better, to try everything by myself.
    It’s very frustrating when you know how…
    But you just got 300 IV’s after an hour -.-
    Just keep trying ;)

    @Ryan
    I think I just can’t more than say a big big THANKS to you for this detailed tutorial.

  22. Hi there, thanks man for this great tutorial… I’ve got a problem i hope you can help me..
    As i searched for a solution for days but couldn’t find an answer..

    When It starts collecting Data.. it starts with 205, I’ve seen many video tutorials showing that it increases more than 2000/second, but that wasn’t happening to me, it started with 205 and after 37 minutes it was 212… :S
    I’m really confused.. can you tell me why is it so slow? and how can I make it faster? thanks again.

  23. Hi there. Thanks for this great tutorial. I am new to the backtrack environment. I am having a problem with step 2. Same problem as Karlo. I am running back track 4 R1 as a live cd (not installed). For step 2 i typed airodump-ng wlan0 -w /root/test 6 1 but each time it is telling me “airodump-ng --help” for help. Can you please tell me where my mistake lies. Thanks in advance.

  24. hi
    i’ve backtrack4 installed in my laptop sony vaio vpceb36fg but it seems that i’m not having drivers for my touch pad and wireless adapter. how to overcome this? pls help me

  25. hi..
    cannot display AP details when I use airodump-ng ra0.. backtrack 4.. first time only it can display like normal.. but now cannot.. signal fine only … help me, what’s the prob?

  26. I am getting a “no wireless extensions” message written while executing iwconfig on the backtrack shell. Can somebody help me to know what is the reason behind it, and how to know about your wireless adapter card.

  27. hey I’m not getting a GUI version in backtrack though i am using bt4… it is only a CLI. how do i switch it to GUI?!

  28. hi
    i m having problem on booting backtrack3
    i install it on my usb after restart there comes option to choose i start with the first one after that screen goes blank then nothing happen.

    Acer aspire 4520
    windows 7 ultimate

  29. ok so when I type in airmon-ng it shows this: http://i51.tinypic.com/rs8zy9.jpg

    what do I do? when I type in ‘iwconfig’ it shows two things: lo and eth0, both of which it labels as ‘no wireless extensions.’

    My laptop has a wireless adapter in it, which I’m guessing is eth0? Shouldn’t it have a description or something?

  30. Hey Ryan!

    Is it possible to break the wireless ad-hoc networks created from a laptop using the same? Or does a dedicated access point is required for this technique to work?
    I tried it on an ad-hoc wireless network with WEP protection created by a laptop running windows. But it wasn’t replying to any of the ARPs sent. Packets were captured but ARP replies were null. What can be the possible reason? IVs were also not captured!

  31. Hey Ryan
    First of all thanks for your great step-by-step helpful tutorial and keeping this post alive after 3 years!!

    I wondered did you hear anything about AirPcap?
    with windows based Wi-Fi devices with packet capture and injection support?
    http://www.cacetech.com/products/airpcap.html

    Any idea about this? and Do you think this one works with win?

    Yashar
    a fan of you from Iran

  32. Ryan,

    Great tut mate. I’ve got very little linux knowledge, but just got my first WEP key cracked – thanks a bunch!

    Took a couple hours to get it working (tried running the BT4 image as a VM first not knowing that VM’s don’t load wireless adapters..) then had to use unetbootin to make my usb drive bootable (only had an iso w/out blank dvd’s to work with)…

    BT4 is a bit different to what was written in your guide… the biggest change that I found tho was:
    airodump-ng wlan0 -w /mnt/blahblah --channel 1 --ivs – which is only a little different to what you wrote, but after going through the airodump help files I figured it out pretty quickly.

    Also in your guide it may not hurt to tell people what should be the result after a certain step has finished. After a couple of the steps I sat there thinking ‘wtf – is it finished?’ … and Step 3 I had to re-do like 10 times to get it to find the correct channel which was a bit weird.

    Anyway, great guide – thanks for posting it (and checking back over the comments for what.. a couple years? gw :)

  33. Dear Ryan,
    Thanks a lot for the great tutorial which I’d never seen before. I have some problems with BackTrack and I’d like to request some advice. Just in case it is not disturbing your time, may I ask you to respond to my issue in this post or even email me at [email protected] My problem is when I load Backtrack 3 (CD) in my laptop Dell Latitude D630 it runs until it enters the “Window” like workspace for linux. There are icons “Home”, “System” on screen and icons “Menu”, “Shell Konsole”……..etc. on the taskbar below. The BT3 runs quite well but unfortunately the wireless card is not supported and the WEP cracking fails. Then I use another desktop computer Dell Vostro 200 which has a wireless PCI card TP-LINK model TL-WN651G (Atheros chipset) installed. When BT3 was loaded the display this time differs from when I load it on the laptop even though I use the same CD as earlier. BT runs and asks for username and password; when I type “root” and “toor” and also type “startx” in the command line the system does not display the same “Window like” workspace. Could you please advise where the problem is and how to fix this problem. I believe this will not affect the WEP cracking anyway but I am familiar with the window like pattern.
    Many Thanks & Best Regards

  34. guys I did all the steps and they all did work, however, the cracked key doesn’t work. As a matter of fact, it’s the wrong key! how come ?

  35. I am using backtrack 4 and running it from live-cd … everything is doing well ..
    but i can’t get a fake authentication … it’s telling me that the authentication is successful …
    but getting no association to the target AP…
    what is the matter with that !! .. anyone can help !

  36. Hey Ryan I know it’s been years but any chance you wouldn’t mind popping up a quick blog with the proper commands and what-not for Backtrack 4 R2? It’s the newest version.

    By the way you wrote this blog it doesn’t sound like it would be hard for you to write a new one.

    Sorry if this sounds like a selfish request! Warm regards.

  37. Hello,

    I recently bought a Alfa USB network card (AWUS036H), but it seems as though my laptop’s built in card is the one being used when I am running the live CD. How would I go about enabling the USB card instead of the on board NIC?

  38. Quoting Derek (May 22, 2011 at 11:17 pm):

    Hello,

    I recently bought a Alfa USB network card (AWUS036H), but it seems as though my laptop’s built in card is the one being used when I am running the live CD. How would I go about enabling the USB card instead of the on board NIC?

    Hi

    I have same problem With this Alfa, Please Help

    Thx