The document provides step-by-step instructions for cracking WEP encryption on a wireless network using Backtrack Linux, including how to monitor wireless traffic, inject packets, and capture data to crack the WEP key using the aircrack-ng tool. It also briefly outlines cracking WPA encryption by using a dictionary attack against captured traffic with aircrack-ng. The author concludes by noting that penetration testing can help find network vulnerabilities but that security is not perfect.
Project Report
Project by - Nutan Kumar Panda
Technology Evangelist ISEH
R&D - ATL Guwahati

WEP Crack

Step 1
After installing Backtrack 4 (or booting the BT4 live CD) on a laptop or wifi-enabled desktop, it is time to launch the console, Backtrack's built-in command line. It is in the taskbar in the lower left corner.

Step 2
First run the command to check which network interfaces are available:
“airmon-ng”
This shows our wireless card name; in my case it is wlan0. It could be different, so take note of the label and write it down.

Step 3 (Optional)
This step is optional and can be skipped: it only changes the MAC address as an extra precaution.
First stop the wireless interface, change the MAC, and then start the interface again by typing the following commands:
“airmon-ng stop wlan0”
“ifconfig wlan0 down”
“macchanger --mac 00:11:22:33:44:55 wlan0”
“airmon-ng start wlan0”
Airmon-ng is used to enable monitor mode on wireless interfaces; it can also switch an interface back from monitor mode to managed mode. The ifconfig command lists all the interfaces available on the machine, and with additional options it can be used to bring interfaces up and down.

Step 4
Now it is time to list the wifi networks available near you and pick the one you want to crack. Type:
“airodump-ng wlan0”
This shows all the wireless networks in range with their ESSID, BSSID, channel number, etc. Note the details of the one you want to crack and press ctrl+c to stop scanning for wireless networks.
(I found one wireless network.)
Airodump-ng captures raw 802.11 frames and is particularly suitable for collecting WEP IVs (initialization vectors) for later use with aircrack-ng.

Step 5
Now we are going to watch what is going on with the network and capture the information.
Type the following command:
“airodump-ng -c (channel) -w (file name) --bssid (bssid) wlan0”
Here “-c” is the channel number, “-w” is the prefix of the capture file that airodump-ng writes, and “--bssid” is the MAC address of the access point of the Wi-Fi we are cracking.
Press enter and it will look like this.
In this figure the traffic of our target access point is being captured.

Step 6
Leave the above Konsole open and running in the background, open another Konsole and enter the command:
“aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) wlan0”
Aireplay-ng is used to inject frames. Its primary function is to generate traffic for later use by “aircrack-ng” in cracking WEP keys. Here “-1” selects a fake authentication with the access point, “essid” is the SSID name, i.e. the access point's name (in the above case “39dathana”), and “-h” is the fake MAC address we set at the start.

Step 7
If done correctly, the message “Association successful” will be displayed.
Now we are almost there.

Step 8
Now it is time for the command:
“aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 wlan0”
Here we are generating traffic towards the router so that we capture data faster and speed up our crack. In this step we replay a standard ARP request; “-3” selects the ARP request replay attack.

Step 9
After a few minutes, the first window will start going crazy with a lot of read/write packets. Now you will have to wait a few minutes or hours: basically you want to wait until enough data has been collected to run your crack. Watch the number in the “#Data” column; you want it to go above:
10,000 (very small chance of cracking)
30,000 (recommended)
Above 30,000 (you will definitely succeed)
In the image shown in step 8 it is only one. As said earlier, wait for it to reach at least 30,000. Remember it can take time depending on the wireless router/modem we are cracking and the hardware of the wireless desktop or laptop we are using.

Step 10
Now that we have reached the recommended amount of “#Data”, it is the moment of truth. The final command recovers the key. Leave the 2nd Konsole window running as well and open a third Konsole to type the command:
“aircrack-ng -b (bssid) (file name-01.cap)”
Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. The first method is the PTW approach (Pyshkin, Tews, Weinmann), which is the default. It works in two phases: in the first phase aircrack-ng only uses ARP packets, and if the key is not found it then uses all the packets in the capture. The second method is the FMS/KoreK method, which combines various statistical attacks on the WEP key with brute forcing. Here “file name-01.cap” is the capture file named after the prefix we entered above; we can see it on the Backtrack desktop or by typing the command “dir”. In my case it is “39dathana-01.cap”.
If you don't have enough data it will fail; otherwise it will look something like this.
Now it says “Key Found” and “Decrypted correctly: 100%”.
You have cracked the wireless network successfully.

WPA Crack
Do all nine steps as above (but not the 10th).
Then type:
“aircrack-ng -w dictionaryfile -b (bssid) abc-01.cap”
Your wireless network will be cracked.

Conclusion
One man's penetration test is another's vulnerability audit or technical risk assessment.
Nothing is perfect or 100% in providing security for any kind of network. Still, this is a step forward for us in detecting the threats and vulnerabilities of a network, and we feel that by using Backtrack a security officer can easily do the same.
This project is the result of our hard work. I hope that it will meet all the requirements for which it was made. Although every effort has been made to minimize errors in this project, if any remain, valuable suggestions are welcome.
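Added example, not part of the report and not aircrack-ng's own code: the airodump-ng scan from steps 4 and 5 also writes a CSV file next to the .cap (the -w prefix followed by -01.csv), and a security officer doing the vulnerability audit the conclusion mentions can read it to inventory which access points are still on WEP or open, and how many IVs a WEP network has already leaked relative to the 30,000 figure from step 9. The CSV column order below is assumed from airodump-ng's export format and should be checked against a real file; the sample rows, MAC addresses and names are constructed.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of the CSV that "airodump-ng -w prefix" writes
# next to prefix-01.cap. The column layout is assumed from airodump-ng's CSV
# export and should be checked against a real file; every value below is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-01-01 10:00:00, 2010-01-01 10:05:00,  6,  54, WEP, WEP, OPN, -40, 120, 31000,   0.  0.  0.  0,  9, 39dathana,
66:77:88:99:AA:BB, 2010-01-01 10:00:00, 2010-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  80,     0,   0.  0.  0.  0,  6, office,
CC:DD:EE:FF:00:11, 2010-01-01 10:01:00, 2010-01-01 10:05:00,  1,  54, OPN, , , -70,  40,     0,   0.  0.  0.  0,  5, guest,
22:33:44:55:66:77, 2010-01-01 10:01:00, 2010-01-01 10:05:00,  6,  54, WPA, TKIP, PSK, -60,  60,     0,   0.  0.  0.  0,  3, lab,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2010-01-01 10:02:00, 2010-01-01 10:05:00, -50, 200, 00:11:22:33:44:55,
"""

# The report's "recommended" #Data (IV) count for a WEP crack: a WEP network that
# has already leaked this many IVs is a crack waiting to happen.
IV_THRESHOLD = 30000


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # e.g. "WEP", "OPN", "WPA2", or "WPA2 WPA" for mixed mode
    cipher: str
    auth: str
    ivs: int       # "# IV" column: the live display's #Data counter
    essid: str


def parse_airodump_csv(text):
    """Return the access-point rows of an airodump-ng CSV export.

    The file has two tables separated by a blank line: access points first,
    then client stations. Only the first table is parsed here.
    """
    ap_table = text.replace("\r\n", "\n").strip().split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):      # blank or truncated line
            continue
        rec = dict(zip(header, (f.strip() for f in row)))
        aps.append(AccessPoint(
            bssid=rec["BSSID"],
            channel=int(rec["channel"]),
            privacy=rec["Privacy"],
            cipher=rec["Cipher"],
            auth=rec["Authentication"],
            ivs=int(rec["# IV"]),
            essid=rec["ESSID"],
        ))
    return aps


def audit(aps):
    """Flag access points whose configuration the report shows to be crackable."""
    findings = []
    for ap in aps:
        tokens = set(ap.privacy.split())
        if "OPN" in tokens:
            findings.append((ap.essid, ap.bssid, "open network: traffic is unencrypted"))
        elif "WEP" in tokens:
            msg = "WEP: broken cipher, migrate to WPA2/WPA3"
            if ap.ivs >= IV_THRESHOLD:
                msg += f" ({ap.ivs} IVs already captured, above the {IV_THRESHOLD} PTW threshold)"
            findings.append((ap.essid, ap.bssid, msg))
        elif tokens and not tokens & {"WPA2", "WPA3"}:
            findings.append((ap.essid, ap.bssid, "WPA1/TKIP only: deprecated, enable WPA2 or WPA3"))
    return findings


if __name__ == "__main__":
    for essid, bssid, issue in audit(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{essid:12} {bssid}  {issue}")
```

Run against the sample it reports the WEP network (with its IV count already past the threshold), the open guest network and the WPA1-only network, and stays silent on the WPA2/CCMP one; point it at a real prefix-01.csv from your own survey to get the same list for your site.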