CRACKING WEP WITH WINDOWS XP PRO CONT...
DATA:
As I mentioned before, it is impossible to give an exact number of IVs
that need to be collected to crack a WEP key. The more we can get, the
better our chances of cracking the WEP key. From trial and error I
have found that I can crack a 40 bit WEP key in a few seconds with
around 250,000 – 400,000 IVs. You may be able to do it with more IVs
or fewer; it is different every time.
For a 104 bit WEP key you will need anything up to 2,000,000 IVs and
maybe even more. The fewest IVs I have ever been able to use in one of
my lessons for a 104 bit crack is 710,325, and this took just
4 minutes 31 seconds to crack, but in other lessons I have had to
collect in excess of 2 million.
This is where Airodump's very handy feature of appending to existing
files is useful. If you have collected 500,000 and run a 64 bit attack
on the file but are unsuccessful, simply start Airodump again and use
the same file name: all the new IVs will be added to the ones you
already have, so you don't have to start from the beginning all over
again!
So now sit there and wait for the number of IVs you decided on to be
collected!
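A defender-side illustration of why the IV counts above matter, added here as an example that is not part of nokia's tutorial or the Aircrack project: the WEP IV field is only 24 bits, so a busy network cycles through the whole space quickly, and a capture of your own network can be audited for WEP-protected frames and repeated IVs. The script parses raw 802.11 data frames, pulls the IV and key index out of the WEP header, counts reuse per BSSID, and estimates how many IV collisions a given frame count implies under a uniform-random assumption. The frame-building helper, the BSSID and the sample frames are all constructed for the demo, not taken from a real capture.

```python
"""WEP IV audit over raw 802.11 frames (added example; sample frames are constructed)."""
from collections import Counter

IV_BITS = 24  # the WEP IV field is 3 bytes, so only 2**24 distinct IVs exist


def parse_wep_header(frame: bytes):
    """Return (iv_hex, key_index, bssid) for a WEP-protected data frame, else None.

    Handles plain and QoS data frames with the three-address header; 4-address
    (WDS) frames are skipped rather than guessed at.
    """
    if len(frame) < 2:
        return None
    fc = frame[0] | (frame[1] << 8)          # Frame Control, little-endian
    ftype = (fc >> 2) & 0x3                  # 0 mgmt, 1 control, 2 data
    subtype = (fc >> 4) & 0xF
    protected = bool(fc & 0x4000)            # "Protected Frame" flag
    if ftype != 2 or not protected:
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        return None
    hdr_len = 24 + (2 if subtype & 0x8 else 0)   # QoS data adds a 2-byte QoS field
    if len(frame) < hdr_len + 4 + 4:             # header + IV/KeyID + ICV
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr1 if to_ds else (addr2 if from_ds else addr3)
    iv = frame[hdr_len:hdr_len + 3]
    key_index = frame[hdr_len + 3] >> 6          # top two bits of the KeyID byte
    return iv.hex(), key_index, bssid


def expected_iv_collisions(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Expected number of colliding IV pairs if n_frames IVs were drawn uniformly at random."""
    return n_frames * (n_frames - 1) / (2 * 2 ** iv_bits)


def audit_iv_usage(frames) -> dict:
    """Summarise WEP usage and IV reuse across a list of raw frames."""
    ivs, key_idx, bssids = Counter(), Counter(), set()
    for frame in frames:
        parsed = parse_wep_header(frame)
        if parsed is None:
            continue
        iv, k, b = parsed
        ivs[iv] += 1
        key_idx[k] += 1
        bssids.add(b)
    total = sum(ivs.values())
    return {
        "wep_frames": total,
        "unique_ivs": len(ivs),
        "reused_ivs": {iv: n for iv, n in ivs.items() if n > 1},
        "key_indices": dict(key_idx),
        "bssids": sorted(b.hex(":") for b in bssids),
        "expected_collisions": expected_iv_collisions(total),
    }


def build_wep_frame(iv: bytes, key_idx: int, bssid: bytes, qos: bool = False) -> bytes:
    """Construct a minimal WEP-protected data frame (ToDS=1) for the demo; not a real capture."""
    fc = (b"\x88" if qos else b"\x08") + b"\x41"     # data (or QoS data), ToDS + Protected
    header = (fc + b"\x00\x00" + bssid + bytes.fromhex("001122334455")
              + bytes.fromhex("66778899aabb") + b"\x00\x00")
    if qos:
        header += b"\x00\x00"                        # QoS control field
    wep_hdr = iv + bytes([(key_idx & 0x3) << 6])
    return header + wep_hdr + b"\x00" * 16 + b"\x00" * 4   # dummy ciphertext + ICV


SAMPLE_BSSID = bytes.fromhex("00aabbccddee")   # constructed value
SAMPLE_FRAMES = [                              # constructed sample frames
    build_wep_frame(b"\x01\x02\x03", 0, SAMPLE_BSSID),
    build_wep_frame(b"\x01\x02\x04", 0, SAMPLE_BSSID),
    build_wep_frame(b"\x01\x02\x03", 0, SAMPLE_BSSID),        # same IV again: reuse
    build_wep_frame(b"\xff\x00\x10", 1, SAMPLE_BSSID, qos=True),
    b"\x08\x01" + b"\x00" * 30,   # open (unprotected) data frame: ignored
    b"\x80\x00" + b"\x00" * 30,   # beacon (management frame): ignored
]

if __name__ == "__main__":
    for key, value in audit_iv_usage(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
    # At the tutorial's 413,994 IVs a uniformly random 24-bit IV would already
    # have collided thousands of times, which is why volume alone defeats WEP.
    print("expected collisions at 413,994 IVs:", round(expected_iv_collisions(413_994)))
```

Any WEP-protected frame showing up in `audit_iv_usage` on a network you administer is itself the finding; the reuse counter and the collision estimate just quantify how little traffic it takes before the keystream starts repeating.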
Aircrack-ng
So once you have decided you have enough IVs, press CTRL + C to end
Airodump. I have collected 413,994 IVs for this crack.
You will still have the white command prompt open, so just type
aircrack-ng at the prompt (or 'CD' to it).
You will now get a list of 'usages' for Aircrack that you can use.
Code:
Aircrack-ng 0.3 - (C) 2006 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Common options:
  -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
  -e <essid> : target selection: network identifier
  -b <bssid> : target selection: access point's MAC
  -q         : enable quiet mode (no status output)
  -w <words> : path to a dictionary file

Static WEP cracking options:
  -c         : search alpha-numeric characters only
  -t         : search binary coded decimal chr only
  -d <start> : debug - specify beginning of the key
  -m <maddr> : MAC address to filter usable packets
  -n <nbits> : WEP key length: 64 / 128 / 152 / 256
  -i <index> : WEP key index (1 to 4), default: any
  -f <fudge> : bruteforce fudge factor, default: 2
  -k <korek> : disable one attack method (1 to 17)
  -x         : do bruteforce the last two keybytes
  -y         : experimental single bruteforce mode
As this paper is getting a bit long, I will just cover the options we
need to crack a WEP key from a file. If you want to try the other
options out, try them and see what you come up with. The descriptions
provided really speak for themselves.
So we have collected 413,994 IVs, which is not enough for a 104 bit WEP
crack, so we will try a 40 bit WEP crack instead (we can always add IVs
to the file later on if it does not work).
So we issue the following command to Aircrack:
Code:
C:\Docu~\nokia>aircrack-ng -n 64 WEP1.ivs
We use the –n 64 switch to tell it we think it is a 64 bit WEP key.
You can also use the –f switch, which is the fudge factor switch.
In the programmer's own words:
"By default, this parameter [fudge factor] is set to 2 for 104-bit WEP
and to 5 for 40-bit WEP. Specify a higher value to increase the brute
force level: cracking will take more time, but with a higher likelihood
of success."
So if you have no joy cracking it, you can try again with the –f 5
switch.
If you forget what you called the Airodump file, it is saved in the
following directory by default:
C:\Documents and Settings\%User Name%
If you chose to save only the IVs it will be an .ivs file; if you
said No and wanted to save everything it will be a .cap file.
Our scan only turned up one network, so Aircrack will only crack those
IVs. If you have more than one network, you will need to use the –m
switch to tell it the BSSID of the AP whose packets you want to use.
The result of issuing our command is:
Code:
Aircrack-ng 0.3

[00:00:00] Tested 1231 keys (got 413994 IVs)

   KB    depth   byte(vote)
    0    0/  4   A6(  68) 82(  40) EE(  20) E4(  15) 18(   5) 23(   5) 04(   3)
    1    0/  3   22(  75) 52(  19) 43(  15) 5A(  13) 21(   8) 8A(   5) B2(   4)
    2    0/  1   04(  76) 33(   8) 8B(   5) C8(   5) 47(   0) 62(   0) 63(   0)
    3    0/  1   09( 106) FB(  15) ED(  12) 58(  12) F0(  11) 29(   7) C8(   5)
    4    0/  1   EB( 153) 19(  27) 0E(  15) 38(  15) B8(  13) E0(  10) DC(   9)

     KEY FOUND! [ A6:22:04:09:EB ]
There you have it: our 40 bit WEP key is A6:22:04:09:EB.
With 413,994 IVs this key took Aircrack less than 1 second to crack,
which is an example of how good Aircrack truly is. With 250,000-ish
IVs chances are it would only take a few seconds more to crack, but I
like to collect a few more IVs to be on the safe side.
Like I said, the programmer has done all the hard work for us; we just
need to tell it what to do. For the end user's part, WEP cracking is not
a skilful hack in any way whatsoever (we just tell Aircrack what we want
it to do), unless you want to write your own program for it!
Troubleshooting:
Common problems are:
Incompatible Wireless Card:
90% of my students who come to me complaining they can't crack WEP and
that Aircrack does not work are failing because they do not have a
compatible wireless adaptor.
If you are giving the same commands that I am giving here and they do
not work, or you get an error message when installing the driver, I can
almost guarantee that your card is not compatible. It is possible to
flash the firmware of some Prism2 cards; this page helps you do this:
http://tinyshell.be/aircrackng/wiki/index.php?title=Prism2_flashing
Can't receive DATA / IVs with Airodump:
To receive IVs from an AP there has to be a client associated with it
that is sending / receiving traffic. If you are not receiving IVs, the
most likely causes are that there are no associated clients or you are
too far away from the AP. As far as I know Aireplay does not work with
Windows, so you will have to use a packet injection application of your
choosing. I will cover this in Part 2.
Finally, if you are just plain unlucky you may simply not be able to
crack the WEP key with the IVs you have. If this happens the only
option is to start from the beginning again.
If you can't crack it as a 64 bit WEP key, collect more IVs and try
doing it as a 104 bit WEP key.
My thanks go to Christophe Devine, KoreK and all who helped him for
writing such a helpful application, and to Thomas d'Otreppe, who I
believe ported it to Windows?
FAQ
The following FAQ has been put together from questions in this thread.
Additionally, the following link was found by Moo and has proved very
helpful:
http://www.wirelessdefence.org/Contents/AircrackORIGINAL.html
Can we ask that you look through the FAQ in that link and this FAQ
before you post questions here? Thanks.
Q. I can't get the Wild Packet drivers to work for my xxxxx wireless
card. After I install, it says the card will not work properly now?
A. You won't be able to connect to the internet / AP in the
conventional way after you install the Wild Packet drivers; these
drivers place your card in promiscuous mode to enable you to receive
traffic not destined for you.
If you fire Airodump up after installing the drivers it should work, if
they have been installed correctly. There are two versions of the
drivers. If it does not work then either the drivers haven't been
installed properly, you have installed the wrong version, or they are
incompatible with your card.
After you have finished, go to Device Manager in your Control Panel
and 'roll back' the driver to revert to the original one so you can
get normal connectivity.
____________________________________________________________
Q. Can I have two different wireless cards installed, one for general
internet surfing and another with the Wild Packet drivers installed for
penetration testing?
A. Yes, this is a good solution; I do it most of the time when I need
internet connectivity and a passive connection at the same time. If you
have more than one PCMCIA slot on your laptop, use the same slot for
each card; this will prevent you having to constantly reinstall the
relevant drivers!
____________________________________________________________
Q. When I load Airodump I get the following error:
"LoadLibrary(Peek.dll) failed, make sure this file is present in the
current directory." What does this mean?
A. You will need to get the peek.dll and peek5.sys files and put them
in the same directory as Aircrack.
The easiest way to get them is to go here:
http://tinyshell.be/aircrackng/wiki/index.php?title=Links
and download Winaircrack, which is a GUI version of Aircrack, then copy
and paste peek.dll and peek5.sys into your directory.
You should have added cygwin1.dll, peek.dll and peek5.sys to your
directory before starting Airodump/Aircrack.
____________________________________________________________
Q. When I click on (airdecap-ng, arpforge-ng, ...), they quickly open
and close?
A. Read all of the paper, specifically the part about adding them to
your path; once you have done this, double clicking on them won't work
any more.
____________________________________________________________
Q. I have it running fine, but the IV collection is really slow. Can I
speed it up at all?
A. If the wireless network does not have many clients, then IV
collection will be very slow. If this is your own network, open up a
command prompt and type:
ping "ip address of AP" -l 65500 -t (that's a small L, not a |)
This will send a constant stream of ICMP packets 65500 bytes big to the
AP, which should generate a good stream of IVs. This will only work if
you are already associated with the AP and is for use to test YOUR OWN
WEP KEY; you cannot use it against somebody else's AP until you have
associated with it.
____________________________________________________________
Q. How do I use packet injection to speed up collection of IVs? / I
can't seem to get packet injection program xxxxxx to work properly, can
you help?
A. Unfortunately packet injection is outside the scope of this tutorial
and may be covered in a future one. For the time being you will have to
do some research on Google.
Enjoy.
Original Tutorial by nokia for TheTAZZone-TAZForum
Originally posted on June 23rd, 2006 here
Do not use or republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.