A. SCOPE
This tutorial is intended for users with little or no experience with Linux or wifi. The folks over at remote-exploit have released "Backtrack", a tool which makes it ridiculously easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.
Required Tools
- You will need a computer with a wireless adapter listed here
- Download Backtrack and burn its image to a CD
B. OVERVIEW
BACKTRACK is a bootable live CD with a myriad of wireless and TCP/IP networking tools. This tutorial will only cover the included Kismet and aircrack-ng suite of tools.
Tools Overview
- Kismet – a wireless network detector and packet sniffer
- airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)
- airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)
- aireplay – a tool for forging ARP requests
- aircrack – a tool for decrypting WEP keys
- iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in "monitor" mode, which is essential to sending fake ARP requests to the target router
- macchanger – a tool that allows you to view and/or spoof (fake) your MAC address
Glossary of Terms
- AP: Access Point: a wireless router
- MAC Address: Media Access Control address, a unique ID assigned to wireless adapters and routers. It comes in hexadecimal format (e.g. 00:11:ef:22:a3:6a)
- BSSID: the Access Point's MAC address
- ESSID: the Access Point's broadcast name (e.g. linksys, default, belkin etc.). Some APs will not broadcast their name but Kismet may be able to detect it anyway
- TERMINAL: an MS-DOS-like command line interface. You can open this by clicking the black box icon next to the start key in Backtrack
- WEP: short for Wired Equivalent Privacy, a security protocol for Wi-Fi networks
- WPA: short for WiFi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption
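As an added illustration of the MAC address format described in the glossary (this is not code from the tutorial or from Backtrack), the following Python script normalises addresses written in the common notations and reads the two flag bits carried in the first octet: the I/G bit (group/multicast) and the U/L bit (locally administered, i.e. not assigned by the vendor). The sample addresses are constructed for the demonstration, and the function names are my own.

```python
import re

# Constructed sample addresses for the demonstration (not from any real network).
SAMPLE_MACS = [
    "00:11:ef:22:a3:6a",   # the format shown in the glossary
    "02:11:22:33:44:66",   # locally administered bit set (typical of a changed address)
    "01:00:5e:00:00:fb",   # multicast bit set: never a valid station address
    "00-11-22-33-44-55",   # dash separators, as printed by some Windows tools
    "0011.2233.4455",      # Cisco dotted form
    "00:11:22:33:44",      # too short
    "zz:11:22:33:44:55",   # not hexadecimal
]

_HEX_PAIRS = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}$")


def normalize_mac(text):
    """Return the address as six lowercase colon-separated octets, or None if malformed."""
    s = text.strip().lower()
    if _HEX_PAIRS.match(s):
        return s.replace("-", ":")
    if _DOTTED.match(s):
        digits = s.replace(".", "")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None


def describe_mac(text):
    """Parse a MAC address and report the flag bits in its first octet.

    Bit 0 (I/G) set means a group/multicast address; bit 1 (U/L) set means the
    address was locally administered rather than assigned by the vendor.
    Returns None for a malformed address.
    """
    mac = normalize_mac(text)
    if mac is None:
        return None
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                        # first three octets: the vendor prefix
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def flag_suspicious(addresses):
    """Return the normalised addresses a defender would want to look at: multicast
    addresses (never a legitimate client) and locally administered ones (often,
    though not always, an address that has been changed by hand)."""
    out = []
    for a in addresses:
        info = describe_mac(a)
        if info and (info["multicast"] or info["locally_administered"]):
            out.append(info["mac"])
    return out


if __name__ == "__main__":
    for a in SAMPLE_MACS:
        print(f"{a!r:22} -> {describe_mac(a)}")
    print("flagged:", flag_suspicious(SAMPLE_MACS))
```

Note what the check does not catch: an address with the U/L bit clear and a vendor-style prefix, such as the 00:11:22:33:44:66 one commenter sets with macchanger, looks like any other universally administered address. The bit is a heuristic, not proof; on a network you administer, comparing client addresses against an inventory of known adapters is the reliable check.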
Since Backtrack is a live CD running off your CD-ROM, there is nowhere that you can write files to unless you have a Linux partition on your hard drive or a USB storage device. Backtrack has some NTFS support so you will be able to browse to your Windows based hard drive should you have one, but it will mount the partition as "read-only". I dual boot Windows and Ubuntu on my laptop so I already have a Linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and mounting them for me. To find your hard drive or USB storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.
C. DISCLAIMER
Hacking into someone’s wireless network without permission is probably against the law. I wouldn’t recommend doing it. I didn’t break into anyone else’s network while learning how to do this.
D. IMPLEMENTATION
STEP 1
Monitoring Wireless Traffic With Kismet
Place the Backtrack CD into your CD-ROM drive and boot into Backtrack. You may need to change a setting in your BIOS to boot from CD-ROM. During boot up you should see a message like "Hit ctrl+esc to change bios settings". Changing your first boot device to CD-ROM will do the trick. Once booted into Linux, login as root with username: root, password: toor. These are the default username and password used by Backtrack. A command prompt will appear. Type startx to start KDE (a 'windows'-like workspace for Linux).
Once KDE is up and running, start Kismet by clicking on the start key and browsing to Backtrack -> Wireless Tools -> Analyzers -> Kismet. Alternatively you can open a Terminal and type:
kismet
Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely 'ath0', and sit back as Kismet starts detecting networks in range.
NOTE: We use kismet for two reasons.
- To find the bssid, essid, and channel number of the AP you are accessing.
- Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point?), or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device's name just type:
iwconfig
Which will look something like this:
While Kismet detects networks and various clients accessing those networks you might want to type 's' and then 'Q' (case sensitive). This sorts all of the APs in your area by their signal strength. The default 'autofit' mode that Kismet starts up in doesn't allow you much flexibility. By sorting APs by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (Side note: when selecting a target AP keep in mind this tutorial only covers accessing host APs that use WEP encryption. In Kismet the flags for encryption are Y/N/0: Y = WEP, N = open network with no encryption, 0 = other, WPA most likely.) Further reading on Kismet is available here.
Select the AP (access point) you want to access. Copy and paste the broadcast name (ESSID), MAC address (BSSID), and channel number of your target AP into a text editor. Backtrack is KDE based so you can use kwrite. Just open a terminal and type in 'kwrite' or select it from the start button. In Backtrack's terminal you copy and paste with shift+ctrl+c and shift+ctrl+v respectively. Leave Kismet running to keep your wireless adapter in monitor mode. You can also use airmon to do this manually; type airmon-ng -h for more help with this.
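The tutorial tells you to run iwconfig to confirm that the adapter is in monitor mode, and one of the comments below runs into aireplay-ng's "wlan0 is on channel X, but the AP uses channel 1" message because the card was still channel hopping. Here is an added Python example, not part of the original tutorial, that parses iwconfig output and checks both conditions for a named interface. The sample text is constructed in the wireless-tools layout (a madwifi ath0 in monitor mode, a wlan0 still in managed mode, and interfaces without wireless extensions); the frequency-to-channel mapping uses the standard 2.4 GHz and 5 GHz numbering, and the function names are my own.

```python
import re

# Constructed iwconfig output in the wireless-tools layout (not captured from a real system).
SAMPLE_IWCONFIG = """\
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:00:00:00:00:00
          Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

wlan0     IEEE 802.11bg  ESSID:"belkin"
          Mode:Managed  Channel:1  Access Point: 00:11:22:33:44:55
          Bit Rate=54 Mb/s   Tx-Power=15 dBm
          Encryption key:off
          Power Management:off
"""

_IFACE_LINE = re.compile(r"^(\S+)\s+(.*)$")
_MODE = re.compile(r"Mode:(\w+)")
_FREQ = re.compile(r"Frequency[:=]([\d.]+) GHz")
_CHAN = re.compile(r"Channel[:=](\d+)")


def freq_to_channel(ghz):
    """Map a centre frequency in GHz to its 802.11 channel number (2.4 and 5 GHz bands)."""
    mhz = round(ghz * 1000)
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 < mhz < 6000:
        return (mhz - 5000) // 5
    return None


def parse_iwconfig(text):
    """Parse iwconfig output into {interface: {"mode": ..., "channel": ...}}.
    Interfaces reported as having no wireless extensions are skipped."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                # a new interface block starts in column 0
            m = _IFACE_LINE.match(line)
            if m is None:
                continue
            name, rest = m.group(1), m.group(2)
            if "no wireless extensions" in rest:
                current = None
                continue
            current = name
            result[current] = {"mode": None, "channel": None}
            line = rest
        if current is None:
            continue
        entry = result[current]
        m = _MODE.search(line)
        if m:
            entry["mode"] = m.group(1)
        m = _CHAN.search(line)
        if m:
            entry["channel"] = int(m.group(1))
        m = _FREQ.search(line)
        if m and entry["channel"] is None:      # some drivers print a frequency instead of a channel
            entry["channel"] = freq_to_channel(float(m.group(1)))
    return result


def check_monitor(text, iface, expected_channel=None):
    """Return (ok, reason). ok is True only if iface is in Monitor mode and, when an
    expected channel is given, is sitting on it rather than hopping."""
    entry = parse_iwconfig(text).get(iface)
    if entry is None:
        return False, f"{iface} has no wireless extensions or does not exist"
    if entry["mode"] != "Monitor":
        return False, f"{iface} is in {entry['mode']} mode, not Monitor"
    if expected_channel is not None and entry["channel"] != expected_channel:
        return False, f"{iface} is on channel {entry['channel']}, but the AP uses channel {expected_channel}"
    return True, f"{iface} is in Monitor mode on channel {entry['channel']}"


if __name__ == "__main__":
    for iface in ("ath0", "wlan0", "eth0"):
        print(check_monitor(SAMPLE_IWCONFIG, iface, expected_channel=9))
```

On a live system you would feed it the real output (for example `subprocess.run(["iwconfig"], capture_output=True, text=True).stdout`) and run the check once before starting the longer captures, rather than discovering the mismatch from aireplay-ng's message later.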
STEP 2
Collecting Data With Airodump
Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straightforward; for help with this program you can always type "airodump-ng -h" at the command prompt for additional options.
airodump-ng ath0 -w /mnt/hda2/home/ryan/belkin_slax_rcu 9 1
Breaking down this command:
- ath0 is my wireless card
- -w tells airodump to write the file to /mnt/hda2/home/ryan/belkin_slax_rcu
- 9 is the channel of my target AP
- 1 tells airodump to only collect IVs, the initialization vectors from the data packets, which are what aircrack uses to recover the WEP key
STEP 3
Associate your wireless card with the AP you are accessing.
aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0
- -1 at the beginning specifies the type of attack. In this case we want fake authentication with the AP. You can view all options by typing aireplay-ng -h
- 0 specifies the delay between attacks
- -e is the ESSID tag. belkin is the ESSID or broadcast name of my target AP. Linksys or default are other common names
- -a is the BSSID tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
- -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
- ath0 at the end is my wireless adapter's device name in Linux
STEP 4
Start packet injection with aireplay
aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0
NOTES:
- -b requires the MAC address of the AP we are accessing.
- -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
- If packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter's transmission rate. You can find your AP's transmission rate in Kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.
As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many ARP requests from other computers on the network. As it runs, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no need to close the open aireplay terminal window before doing this; just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.
If you get a message like this:
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Just re-associate with the AP following the instructions in step 3.
STEP 5
Decrypting the WEP Key with Aircrack
Find the location of the captured IVS file you specified in step 2. Then type in a terminal:
aircrack-ng -s /mnt/hda2/home/belkin_slax_rcu-03.ivs
Change /mnt/hda2/home/belkin_slax_rcu-03.ivs to your file's location.
Once you have enough captured data packets, decrypting the key will only take a couple of seconds. For my AP it took 380k data packets. If aircrack doesn't find a key almost immediately, just sit back and wait for more data packets.
If this guide doesn’t fully answer your questions you can always refer to the forums at remote-exploit.org
Hi, I use an rt73 chipset. It can support packet injection, but it can't inject at 500pps. I can inject only around 399pps. Can someone tell me why and help me to solve this problem? I am cracking WEP using Windows. It takes around 10-20 minutes to get the key. So tired of waiting.
I am cracking using Windows + VMware + USB wifi. It took me just 1 hour to learn this tutorial. I found the tutorial here: tutorial cracking wireless wep use windows
Hi,
Great tutorial, but it doesn't say anything about channel hopping and channels, and so far it is the only thing I can't figure out. I am using BT3. Here's what I do step by step:
1) I open Kismet to get the ESSID, BSSID and channel of the AP I want to access (it has WEP encryption, I've checked it). I leave Kismet running so that way I have my card in monitor mode :)
2) I open a new window and type:
airodump-ng -c 1 --ivs -w network --bssid [bssidhere] wlan0
as the AP's channel was 1 and my device is wlan0
3) aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [myfakedMAChere] wlan0
In this way I associate my wireless card to the AP I am accessing.
I've already faked my MAC before step 1 by typing:
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:66 wlan0
ifconfig wlan0 up
4) So far so good. Then:
aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 wlan0
At first I got the message:
"wlan0 is on channel X,but the AP uses channel 1"
X refers to various channels as channel hopping is enabled.
So I rebooted and started again from scratch, and this time while in Kismet at the beginning (I had the APs sorted by signal strength) I pressed shift+l to lock on the same channel as the AP's. And on my right where it said "ipw3945" and below it a channel number, the number froze to 1.
So here we are again, step four; this time the command of step four is working and I am reading packets but the ARP count doesn't increase at all!
I tried to set my card on a fixed channel this way:
ifconfig wlan0 down
iwconfig wlan0 channel 1
Then I'd type "ifconfig wlan0 up" but I got an error for the above command:
error for wireless request "Set Frequency" (8B04):
SET failed on device wlan0; Input/output error
What did I do wrong? Plz help :(
Can you add information about disabling channel hopping?
wow this tutorial is awesome!
I've recognized that this tutorial has had good replies since Jul 12th, 2007
well now, we can say that it's 2009 :D
Lovely tutorial, 2 years favourite for people :) good job mate, keep it up!
Hi,
I have a problem here. My wlan0 is in Monitor mode, but I can't get any #data from the AP. And when I type "airmon-ng start wlan0" it shows
ERROR: Neither the sysfs interface links nor the iw command is available.
Please Download and install iw from http://dl.aircrack-ng.org/iw.tar.bz2
Can anyone show me what I should do now?
Hey Kevin,
You using backtrack?
can you do a tut on cracking wpa with backtrack3?
And also i downloaded the torrent of backtrack3 but it’s an ISO file. Do you know how i can open it or get onto a dvd/cd disk?
Thanks in advance.
ERROR: Neither the sysfs interface links nor the iw command is available.
Please Download and install iw from http://dl.aircrack-ng.org/iw.tar.bz2
I get the same with my Intel chipset. Downloading the iw and attempting to make fails due to missing headers on the CD. Can the developers compile it and either add it to the CD, or provide the binaries to install... each time??
At lspci my wireless card is "Intel Corporation PRO/Wireless 3945ABG". When I use aircrack on my Ubuntu as normal I can crack WEP, both inject and monitor; if I boot BT I just get an error when starting airmon-ng :O something with *fs and iw :/ how is that possible? ;D
Does anybody know if BT3 works with the Acer 8930 Intel wifi 5100 card?
thanks
Nice Tutorial, IT WORKED !
Thanks :-Q
I am using Backtrack 3 and I faced the following issues:
1) When I start running Kismet using the command -> start-kismet-ng, I get this error msg: "ERROR: Neither the sysfs interface links nor the iw command is available.
Please Download and install iw from http://dl.aircrack-ng.org/iw.tar.bz2"
Kismet did open though and I can view the detected APs.
2) However, everything is smooth and I can collect the packets, but the ARP is not increasing at all.
Is there something wrong?
I'm a sub-noob.
I'm having boot errors. I booted from CD but it's telling me the kernel image cannot be found. What the hell? Someone please help! NB. I burned the ISO image to the CD.
Hi, I'm new with BT3. I tried to load BT2 and it works, but it has a problem because it doesn't recognise my wireless card, so because I can't find the solution I tried to load my BT3 boot CD, but it DOESN'T want to load, maybe because I have an Atheros AR5007EG Wireless Network Adapter on a Fujitsu-Siemens Esprimo V5535 notebook with a Core 2 Duo processor. I switch off the button for wireless, but still I can't load BT3. Looked everywhere on the forums but still nothing. Do you have any experience of this?
I finally loaded BT3 but using the NO DHCP option. Everything is fine, except I can't make the packet injection. I started aireplay-ng -1 0 -a [Mac of ap] -h [My mac] ath0 ... it's telling me that it works, and that it is connected successfully ... then aireplay-ng -3 -b [Mac of ap] -h [My mac] ath0, and it started counting, but in the shell where the DATA is, nothing is happening; the number of DATA is growing very slowly. So I think that packet injection is not functional.
Any suggestion?
I have a cable internet connection, but I can't connect to the internet. I don't know where in BT3 my LAN card is, because I must put in my IP address (which is dynamic), then the default gateway and DNS server.
Please help.
Great guide but one problem; can't find that ESSID >_< I use BT3 Final but I can't find that darn ESSID on any of the wifi nets around me, any suggestions?
Is it to have an Atheros card .. for cracking the ...........
The Atheros chipsets have proven to be pretty reliable.
Oh never mind ^_^ . I found it out by myself! The SSID & ESSID were the same (I'm totally new to Linux so don't be mad at me if I say something silly).
Kudos for this tutorial, works like a charm. I have one question: what if the target AP has 2 words in its name like (Dude's Network)? Do you just type Dude's network in the command or is there another way of doing that?
Worked for 7 single-named APs but this one is a no go?????
Hi, I am new to Linux, just recently made the switch. Since I can't crack WEP under Windows everything points to Linux. I also just downloaded and ran off the ISO CD image. Following the tutorial I can't even get past step 1. I tried to start Kismet and the window/shell disappears or says "plz conf at least one packet source, no packet sources are defined in kismet.conf". I searched kismet.conf but I don't understand how to do what it asks me. I also have tried to use airodump-ng but it says "ARPHRD_IEEE80211_FULL or ARPHRD_80211_PRISM instead. Make sure RFMON is enabled: run 'airmon-ng start atho'
Sysfs injection support was not found either." If someone has the time and is kind enough to guide me step by step, please email me at flopelayo3@gmail.com
Hi Floyd
Sounds like you don't have support for your wireless card.
Hi!
I am using Ubuntu and all the time when I am running BT3, I get the message "wrong resolution". Sorry that I ask such a stupid thing.
But it would be nice to get the program running. I tried to fix it from text mode, but it still didn't work.
Ryan, been fighting trying to get past STEP 2
I'm trying to save to a USB plugin, it gives a target of '/mnt/sdb1/'
So I enter: airodump-ng -w /mnt/sdb1 1 1
1 is the channel
I log into Kismet on wifi0
Any advice would be excellent
Do these steps work only if the chipset of the wireless card is Atheros?
Must the card be PCI, or can I use a USB wireless too with an Atheros chipset?
I am confused. Should I download Backtrack 2 or Backtrack 3?
I ask something but someone it..
why?????????
wow i just had a look at this page and it’s great thanks!
do you have to know a lot of linux to understand all the steps?
thanks again!
@El_duderino hmm I don't see why that's a problem
Ok, when I run airodump it gives me the message: No interface specified. I got the Atheros driver from WildPackets for my Orinoco Gold and it installed fine. How do I put it in monitor mode, or should it already be in monitor mode? I am also still able to detect wireless networks even with the Atheros driver installed, which I read somewhere that with the Atheros driver installed I shouldn't be able to still do. What am I doing wrong?
hey, so my MacBook won't work with Backtrack for cracking WEP?
KisMAC works in passive mode, but active doesn't work...
hey ryan
the laptop I am using is an Acer TravelMate 5300
wireless: Acer Nplify 802.11b/g/Draft-N
STEP 1
FATAL: Please configure at least one packet source. Kismet will not function if no packet sources are defined in kismet.conf or on the command line. Please read the README for more information about configuring Kismet.
but I need help
hey this was awesome. I'm a real newb... I need help getting BT3 to run on my system.. I have a Dell XPS 1530 with Vista. I already have VMware, and BT3 burned to an image disc or whatever you call it.... but I can't get BT3 to run???? Do I need a Linux operating system to run it or what??? Please help me if you can....
Hi Guys, I am getting the same error message as motivator.
Has anyone found a solution?
thanks
hi ryan,
Just want to ask how long before it cracks the WEP? Does it take more than an hour??? In my case, it's more than one hour already after I entered aircrack but I still don't get the WEP... pls do help, tia
Required Tools
1. You will need a computer with a wireless adapter listed ( here )
Not Found
The requested URL /wiki/Compatibility was not found on this server.
Apache/2.0.55 (Unix) Server at madwifi.org Port 80
ryan,
I can't follow step #2 (I have a dual boot on XP and Ubuntu)
no luck when I type:
airodump-ng eth1 -w /mnt/hda5/home/tai/write
(eth1 is my adapter; hda5 is the Linux partition)
please, I need your help. thanks.
Thank you man, very nice tutorial for beginners, which I am. Finally someone to break down all this code so we can understand what it stands for, and it's much easier to remember by knowing what I'm doing.
hi ryan, nice tute. pls I would like to find out if this tutorial is applicable to Windows users. thanks a lot.
Ok guys, all I need is the right program to get into a WEP. This is what I have: a Netgear wireless adapter plugged into a desktop running Windows XP Professional. What do I need to do and which program? thanks a lot...
hey man, pretty nice. Is this compatible with Windows XP? Maybe with Windows 7? thanks. And I have to wait till I get a blank CD. I have blank music CDs but I don't think they'll work. Too bad I'll have to wait a while. thanks though! ^^
Great tutorial, but a very basic question: how do you open up a second (or third) terminal window? I haven't succeeded in this until now; only with Control-C can I start a new action.
@ wepcracker8: what do you mean you have blank "music CDs"?! If it's a recordable CD it'll work.. No matter what you planned on putting on it to begin with.. (700mb CD-R?!)
Just download the BT3 ISO, get something like "Alex Feinman's ISO Recorder" and burn that image to a disc.. Restart your PC, boot from CD, and you're good to go.
And @ anyone asking if it's "Windows compatible" .. Find out for yourself, or use BT3 as the guide MEANT for >_> It's not that hard you know..
There's a bazillion guides on YouTube as well; if reading is too hard for ya, maybe you should try one of those :)
Nice guide, tho it didn't really work for me it gave me enough clues to figure it out myself. Thx a bunch!
I have been looking for a tutorial like this for months. Linux would have been much more attractive to Windows users if tutorials like this were more common.
Thank you. You are a great trainer.
Hi Ryan,
It's a great tutorial that you have written here. I did the first part of running Kismet correctly. But when I try to do the airodump, it says Sysf packet injection not supported. I am using this Intel 5300 AGN wifi card. Could you please tell me how I go about making this card work for me.
Thanks,
raqz
Hi raqz – sounds like your card isn't going to work with packet injection :(
I'm using BT3 and can't seem to get aircrack to work. Any help would be great
hi ryan, in BT3 there is a tool called spoonwep2 and spoonwap. When using it, does it do all the work automatically all by itself, so no need to open konsole and type any commands?
Hi Scorpion – it's been my experience that the scripted WEP crackers suck. If they work for you then you are lucky. I haven't tried spoonwep so my apologies to the coders of it if I'm wrong.
I was trying to crack Backtrack 4 not knowing it was already cracked. Now my computer won't bring up any of my programs. It is saying something about formatting which I don't want to do. How do I undo what I did? Help me please!
Backtrack 4 released, go to http://backtrack-linux.org
Hi Catyz – I tried to check out BT4 recently but my ancient laptop only has a CD drive so the 1.4(?)GB DVD required was prohibitive. Frankly I don't understand the need to double the size of the offering when the core functionality is likely unchanged. Would love to hear some readers' thoughts on the matter.
hey, where am I gonna find Kismet and Backtrack for download?
Dear all, I'm a level zero Linux user... ;(
I'm using the Backtrack 4 live CD.
I'm in the graphic interface. I just downloaded drivers for the card onto my USB key.
How can I mount them? What is the path? I'm not able to see any drive with Backtrack 4.. please help
Why use Kismet if you can use sudo airmon-ng?
Does it make a difference in the final result? Besides the fact that you can organise them via signal strength?
thanks