///////////////////////////////////////////////////////////////////////////////////////
Title: Hacking WEP with Backtrack4 Final and Airoscript
Paper by: iTpHo3NiX
///////////////////////////////////////////////////////////////////////////////////////
NOTEWhen cracking the network from the screenshots, I had permission from my neighbor to pen test their wireless encryption and to write this paper. It is illegal to hack wireless networks without encryption, however if you would like to help secure your neighbors network (as I did and help him set up a MAC filter after this with a WPA2 encryption). Then take a look and show them this. Also hopefully this will also educate you in wireless security.
MethodThe simplest way (and a good way to show potential customers how easy it is to actually hack their wireless networks) to hack a WEP encrypted network is using Backtrack4 Final with Airoscript. Airoscript utilizes the aircrack-ng suite to automate WEP/WPA hacking (although WPA, best thing to do is use it to capture the handshake file, go offsite and use John the Ripper to bruteforce, or cowpatty to run a dictionary attack against the handshake file).
Devices Used- HP G60 Laptop (Wireless is broadcomm and not really supported with aircrack)
- Linksys WUSB54GC USB Wireless Adapter (very good for wifi penetration)
- Backtrack4 Final Live DVD
HintWith the final release of Backtrack4 there seems to be an error with Airoscript (just a very slight one) that requires you to navigate to the tmp directory after scan and change the extention of dump-01.cvs to dump-01.txt for airoscript to recognize the dump file to select which network you would like to attack.
The ProcessStep OneOpen the KDE Start Menu (after loading the desktop using startx) and navigate to "Backtrack-->Raido Network Analysis-->80211-->Cracking-->Airoscript"
Step TwoSelect your screen resolution (I chose 4)
Step ThreeSelect your wireless device. In most cases its wlan0, however since I'm using my Linksys WUSB54GC its going to be wlan1 and when prompted to put device into monitor mode, select "y" for yes.
Step FourNow you are at the main Airoscript page to select your options. Now normally option 9 which will go through the first three steps is not working out of the box with the final live cd (unless updated to the latest airoscript and the latest aircrack-ng suite) so we are manually going to go through the steps (however its still just as simple) So lets select option 1 to scan.
Step FiveThe next page asks you if you would like to apply a filter, since this is a paper on WEP cracking then I am going to select a filter for WEP (option 3) then to select whether you want it to scan on a specific channel or to scan all channels (via Channle Hopping or option 1)
This will open up a new window that is now scanning for targets
Step SixOnce you've picked up a few networks and have a target you would like to attack (I would note the BSSID and the ESSID with multiple options so you go after ther proper network. Close the scanning window. Now as I stated before unless you have an updated Airoscript/aircrack-ng you will need to go to the temp folder and rename the dump-01.cvs to dump-01.txt To do this simply open Konqueror (right next to the KDE start menu) Click on "Home Folder" you will be in /root and then you will want to go up a folder to just / go into the tmp folder then go into the tmp.RANDOMCHARACTOR folder right click on dump-01.cvs and click rename, then change the extention to dump-01.txt and you can now close Konqueror and continue with Airoscript.
Step SevenNow we select option 2 to simply select our target then you have a numbered list to select which network you would like to attack
Step EightNow I choose option 1 to select the associated client
Step NineNow we go for the attack so choose option 3, now this can vary for everyone, I personally choose option 1 which is a Fake authorization without user input (no need to select packets, a more automated attack)
Which will open up the following windows
Now I also like to run another attack at the same time, so select option 3 again, however this time I choose option 7 which is an ARP Replay which is again automatic so no user interaction.
Now its a waiting game and you will be having a window like this
Now this is just personal preference, you can start the cracking as soon as you get at least 1 ACK, however I like to wait until I get at least 100,000+ ACKs (usually 200,000+)
Step 10Now its time for the actual cracking (option 4) So you select option 4, then option 1 at the following screen for a PTW crack and soon you will have the WEP encryption key like this
Tutorial by iTpHo3NiX of EvilZone.org This is for educational purposes ONLY and is not to be abused. Hopefully this will pursued people to change their wireless configuration to run a MAC filter with WPA2 to help their internet to not be stolen.
