backtrack 3 wep tutorial

Upload: sorin-adrian-learschi

Post on 14-Apr-2018


7/30/2019 Backtrack 3 WEP tutorial

This tutorial will show you, in explanatory detail, how to break or crack WEP encryption using a simple Linux-based security suite titled BackTrack 3. You don't even need Linux! A free, downloadable CD ISO image will do all the work for you! The steps outlined here have been tested for clarity in a controlled, legal home networking environment, and work great.

What you need:

1. A computer (laptop) with a CD-ROM drive and a wireless adapter (preferably not USB)
2. The ability to burn ISO images to CD or DVD
3. A copy of BackTrack 3 Security Suite from Remote-exploit.org

Brief Background:

BackTrack 3 is a legal and mostly open-source security suite designed by security experts in the computer and software industry. Its creation is intended as both an educational tool and as a toolbox for network administrators who wish to secure a private or corporate network, or to use in testing a secured network. When searching for it, you'll often see it titled as BackTrack3 or Backtrack 3. 3 is the version number, and will change with time.

As I'm sure you're now well aware, WEP is a first-generation wireless encryption technology that was used to provide basic security to users utilizing 802.11 wireless on their portable computers or devices. It was soon found to be extremely vulnerable to hack attempts, and has since been replaced by the much more robust WPA technologies.

Common Shortcut Terminology (Important):

Throughout this post, I'll be referring to IDs, names, and addresses unique to your configuration. Look for these in italics and replace them with values you've collected throughout the tutorial. Although I will always show the # in front of the values, never include it in the actual command.

#SSID - Target SSID (ex: linksys)
#BSSID - Target BSSID (ex: 2D:3F:33:45:56:53)
#channel - Target channel (ex: 8)
#adapter - Your adapter (ex: ath0 or eth1)

Step 1 - Get BT3 and Burn the Image:

Download Backtrack 3 from Remote-exploit.org. You'll need to download the bt3-final.iso image. You can also use the USB version, bt3final_usb.iso, which includes some extra tools, but we won't be using them here.

http://www.remote-exploit.org/backtrack_download.html

Burn the ISO image to a CD or DVD. You won't need to make any changes. I won't go into specifics of how to burn an ISO here. If you don't have the vaguest idea how to do this, then it's highly likely that cracking WEP is definitely not for you. However, for those of you who think you can figure it out on your own, I have used CDBurnerXP. It's open-source and simple to use, so that's good.

Alternatively, you can image a thumb drive with the ISO. That'll be MUCH faster than the optical drive at any rate.

Step 2 - Boot BackTrack 3:

Throw the Backtrack 3 disc into your laptop or desktop (I haven't tested this on a desktop, but I'm sure the steps are the same), set your BIOS to boot from your optical drive, and BOOT! You'll get a prompt asking how to boot into Backtrack 3. You should boot using the KDE method. If you have weird display issues, you can try the VESA boot method. At any rate, one of these should work. Once you've become an elite hackmaster and have memorized this process, you can use the command console.

Step 3 - Obtain your target:

Now is where we get to the fun part. We need to know which router, or Access Point, we intend on attacking.

First we're going to use Kismet. Kismet is a graphical 802.11 locator. It will show detailed information about all the wireless networks and devices that are being picked up by your wireless router.

To use Kismet, head to your KDE Menu (where a Windows Start menu would be). Then navigate to:

Backtrack 3 > Radio Network Analysis > 80211 > Analyser > Kismet

Wireless networks will begin to appear in Kismet as it begins to gather and analyze radio packets. These are all the wireless networks in your neighborhood or general area. You can see there is a wealth of information here. From this point, we'll need to use the keyboard, so get rid of your mouse.

We need to sort our data, so while in the Kismet window, hit the s key and then w for WEP. This will sort all of the wireless networks by their WEP encryption. You'll see everything is reordered and sorted via the w column.

Once you've determined your target, you can use your keyboard arrow keys to navigate to your target and hit enter. You'll need some of the information on the new screen. You can write it down, or you can use Kedit by going to IDE > Editors > Kedit. This works like Windows Notepad, so you can cut and paste at your leisure.

http://cdburnerxp.se/

You'll need the following information:

SSID
BSSID
Channel

The SSID is essentially the friendly wireless name you see all the time. The BSSID is the MAC address, or unique hardware address, of the AP or router.

Exit Kismet with CTRL-Q. Note the capital Q.

Step 4 - Get system ready to record:

Now the fun part. We need to get your computer ready to record all the radio packets you want to capture, so you can analyze them later. Down by the KDE start menu, you'll see a little black monitor icon which will bring up a command console. We'll be using these a lot, so just remember where it is.

Launch a new command window and enter the following:

airmon-ng

This will tell us how many adapters we have running. Stop everything that is running:

airmon-ng stop #adapter

Repeat the above command for every adapter listed by the airmon-ng command.

Now we have no running adapters or virtual adapters; essentially, anything Kismet started to capture radio packets has been turned off. On some laptops the above steps were absolutely essential; on other laptops, not so much.

Start your adapter, capturing only the channel that your target AP is broadcasting on. We got this information above:

airmon-ng start #adapter #channel

Run airmon-ng one more time to see what your new adapter is named. You'll want to keep this in mind as your #adapter from here on out.

Step 5 - Recording packets:


We're going to be gathering radio packets from your target router (AP), but we haven't started recording them yet. Obviously if we don't record, we won't be able to analyze them, so let's start recording them now:

airodump-ng #adapter -w /hackme --channel #channel --ivs

We've now begun recording all data packets on your channel and started writing them to a hackme file located in the Linux root, or /. For those of you really curious, the --ivs tells it to record only authentication data packets, which is the heart of WEP exploitation.

Leave this recording in this console window. It will remain open for the remainder of this insane adventure.


Step 6 - AP association:

Now that we're recording data, we need to do kind of a handshake with your target WEP router. You see, when WEP computers and routers talk to one another, they initiate their conversation with a little handshake or hello. This comes before authentication ever happens. If you try to do some authentication (step 7) without this hello, your target AP will simply ignore the authentication, because, like most people, there's no sense in talking to some jerk who won't even say hello.

To associate your laptop with your access point, run the following command:

aireplay-ng -1 0 -e #ssid -a #bssid #adapter

This is absolutely critical. Your return should try a couple of authentication requests, and then return "Association successful :-)". If it does not, you're not going to be able to do packet injection (step 7).

If you don't get a friendly return, you can try this:

aireplay-ng --test #adapter

If you get a return indicating that packet injection should be possible, try another AP. You can also try getting physically closer to your target. Association and injection are difficult from a distance, and may not work at all. I won't go into deep troubleshooting of association at this point.

If for some terrible reason your computer is not capable of association, don't fret. You won't be able to do packet injection though, which means the process of collecting packets will take MUCH longer. Skip steps 7 & 8 if you can't associate, but be advised it will likely take you hours if not days to collect enough packets to crack WEP. That's why injection is so useful.


Once you've associated successfully, continue on to the next step!

Step 7 - Packet Injection:

In step 6, we said hello to the AP. The target AP or router is now aware of us. It knows we exist, and won't be surprised when we try to shake hands and authenticate with the network (send a WEP key, authenticate, and get online to surf the web). This is where a major exploit becomes possible.

With every IVS packet we receive (the packets sent from the AP when we try to authenticate) we become closer to cracking WEP. The best way to get hundreds of thousands of packets is to repeatedly try to authenticate with the AP or router. This process is known as packet injection. We're injecting authentication packets repeatedly into the target AP, and forcing it to send us data back telling us "OMG! You're sending me the wrong AUTH DATA! NOOB!". What's funny about it is that with every "wrong WEP key. Try again!" message it sends, we're getting closer to the packets needed to mathematically break down WEP and help ourselves to the target AP.

To begin injection, do this (you can reuse the window created in step 6 if authentication was successful):

aireplay-ng -3 -b #bssid #adapter

This will send thousands of fake authentication requests. This process doesn't end, and will continue to send until you've manually stopped it using CTRL-C or closed the window. Keep in mind, there is no reason to stop it until we've received the WEP key.

You'll see your IVS packet count going higher and higher, likely incredibly quickly. Meaning, hundreds every few minutes.

After you've collected between 300,000 (300k) and 500,000 (500k) IVS data packets, you can move on to the next step.

If you're not collecting IVS packets, you can open a new command console and rerun step 6 while step 7 is still running in another window. If you do this, you'll notice that your ARP packet count begins to go up with every connection attempt in the other window.

If you can't collect IVS packets, you'll never get a WEP key. If your IVS count isn't going up, your whole process is hosed. Figure out where the kink is, and try again.

Step 8 - Breaking the WEP key:

Okay, you've made it! You've collected at least 300k IVS keys. If you haven't, but you have at least 100, you can try this step anyway. It'll be fun.


Now that we have all this recorded IVS packet information, we can crack the WEP key in a matter of moments. Run this command:

aircrack-ng -s /hackme-01.ivs

Now select the number that corresponds to your target access point, or SSID. The screen will flash with a bunch of crazy, Matrix-looking numbers, and in 5 seconds or less will actually give you your broken WEP key (ex: 67:89:01:23:45 kotra).

If it doesn't return a WEP key practically immediately, just exit (CTRL-C) and wait a few more minutes. Eventually, you'll have enough IVS packets to break the WEP key in literally just a few seconds.

Congratulations! You're done!
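As an added, defender-side example (my own code, not part of the original tutorial): a small Python script that scans a constructed monitor-mode frame log for the two things this walkthrough makes visible to anyone nearby, an access point still beaconing WEP, and a single client hammering that AP with authentication and short data frames at a rate no normal client produces. The log format, MAC addresses and thresholds are assumptions I made up for the example.

```python
from collections import defaultdict

# Constructed sample log (not a real capture): one tuple per 802.11 frame as a
# simple monitor-mode sensor might record it: (seconds, subtype, src, bssid, privacy)
AP_WEP, AP_WPA2 = "00:11:22:33:44:55", "66:77:88:99:AA:BB"      # hypothetical APs
LEGIT, ATTACKER = "AA:AA:AA:AA:AA:01", "CC:CC:CC:CC:CC:02"      # hypothetical clients
FRAMES = [
    (0.0, "beacon", AP_WEP, AP_WEP, "WEP"),
    (0.1, "beacon", AP_WPA2, AP_WPA2, "WPA2"),
    (1.0, "auth", LEGIT, AP_WEP, "-"),      # a normal client: one auth, one assoc
    (1.2, "assoc", LEGIT, AP_WEP, "-"),
]
# One client re-authenticating every 50 ms, then pushing ~200 short data frames
# per second at the AP: the traffic shape of steps 6 and 7, with made-up timing.
FRAMES += [(5.0 + i * 0.05, "auth", ATTACKER, AP_WEP, "-") for i in range(40)]
FRAMES += [(8.0 + i * 0.005, "data", ATTACKER, AP_WEP, "-") for i in range(600)]


def wep_networks(frames):
    """BSSIDs still beaconing WEP; these are the ones to move to WPA2/WPA3."""
    return sorted({f[3] for f in frames if f[1] == "beacon" and f[4] == "WEP"})


def burst_sources(frames, subtype, window, threshold):
    """(src, bssid) pairs that sent more than `threshold` frames of `subtype`
    inside any `window`-second interval, using a sliding window per pair."""
    by_pair = defaultdict(list)
    for t, st, src, bssid, _ in sorted(frames):
        if st == subtype:
            by_pair[(src, bssid)].append(t)
    hits = []
    for pair, times in by_pair.items():
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:     # drop frames that fell out of the window
                lo += 1
            if hi - lo + 1 > threshold:
                hits.append(pair)
                break
    return sorted(hits)


def report(frames):
    return {
        "wep_aps": wep_networks(frames),
        "auth_floods": burst_sources(frames, "auth", window=10.0, threshold=5),
        "data_floods": burst_sources(frames, "data", window=1.0, threshold=100),
    }


if __name__ == "__main__":
    for name, hits in report(FRAMES).items():
        print(f"{name}: {hits}")
```

On the sample log the legitimate client never trips either rule, while the second client is flagged by both; against real sensor output the thresholds would need tuning to your own client population.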

I was one of the poor saps who couldn't associate or do packet injection. Do I still have a chance?

Yes! IVS packets are the whole key to successfully using aircrack to break a WEP key. If your attempts at packet injection have failed, or you can't associate (which forces injection to fail by default), then obviously it becomes much harder to crack WEP. But you can still do it. Just record (Step 5) IVS information until you've built up enough packets by watching OTHER computers connecting to the AP. The more legitimate devices connecting to the AP, the better chance you have of getting enough IVS data without waiting for a lifetime. If your AP has 2 or 3 laptops connecting to it every few hours, you can leave your computer capturing IVS information for a couple of days, and still break the WEP key using Step 8.

Why can't I crack WEP in Windows? I've looked everywhere, and there just isn't a tutorial!

You can thank most Windows hardware vendors for that. The ability to snoop IVS packets comes from a wireless card's ability to enter promiscuous mode, monitor mode, or rfmon mode. This allows a wireless card to capture all data packets, headers and all. Unfortunately, most Windows drivers, with the exception of a few custom hardware solutions (AirPcap), don't allow you to put your wireless card into this kind of mode. It's not necessarily intentional. The likely explanation is that they simply didn't realize Windows users would like this functionality. Heaven forbid someone desire to use Windows hardware for something other than what it was intended for.

So the Linux community, like in many situations, simply wrote custom drivers to work with hardware, and put it into promiscuous mode. No one has yet done this with Windows.

There are some, very limited, wireless cards out there that will go into rfmon mode without much effort, but my friend, I have to tell you, you probably don't have one of those cards.


So for now, just continue to boot off of BackTrack 3 and have it do all the work for you!