We left off at sniffing the packets, but unless you can spare a whole week if trying to get access to a mostly inactive network, we’re going to need to generate some sort of traffic to speed things up.

To do this, we are going to take advantage of packet injection, and only then we’ll see that Data counter jump up to a useable level.
Let’s open another terminal, and run the command:

aireplay-ng -1 1 -a 00:12:17:05:92:5D wlan0

What this will accomplish is start a “fake authentication” to the access point. Most access points will respond to the auth request, thus generating data.

Once we’re authenticated, even with a bogus request, we should be able to start replaying ARP requests. To do this, we’ll run:

aireplay-ng -3 -b 00:12:17:05:92:5D wlan0

I suggest running it on another terminal window so we can see everything going at once. Up until now, we should have 3 terminal windows open, one with airodump-ng sniffing data, another with aireplay-ng doing fake auths and the last one replaying ARP requests.

Lastly, we’ll start our fourth last terminal window and run aircrack-ng, which will analyze the dump traffic, and hopefully get the key. Run:

aircrack-ng /root/*.ivs

This will read all files that contain IV captures, and start the cracking process. The program will retry the crack if unsuccessful over and over, so this can be left running in the background.
Within a few minutes, we get our prize:

Now we know that my public wireless has the key of 1234512345 as expected. Note that if I had a 128 bit WEP key, the process shouldn’t take much longer than 64 bit. NOTE: we got a LOT more than 3110 IVs. I’m not sure why only 3110 are counted, but be sure that you will likely not get far with anything under 20k IV’s.

So, what have we learned from this?? DO NOT USE WEP!!!. At the very least, use WPA PSK with a unique AP name, as WPA PSK can also be cracked using huge pre-computed Rainbow Tables (I won’t go into this yet… plus you’d need my 64GB tables to do it). WPA Enterprise, or WPA2 Enterprise are the best way to go, but unfortunately many home environments don’t have a RADIUS server for authentication… so stick with WPA PSK and you should be fine.

This is where it gets fun. In this part, we’ll set our wireless interface to monitor mode, and we’ll start sniffing some packets and dumping the captures into a file for further analysis.

To start, we have to list the available wireless interfaces to the system. Hopefully your card is compatible and has a driver already loaded. Let’s fire up Konsole (a terminal application), which is the third icon from the bottom-left, and we’ll type:

iwconfig

This will throw us back the list of wireless interfaces. iwconfig is similar to ifconfig, and easy to remember because of the single letter change.
Once we determined that our wireless card is there, and what it’s name is, we’ll set it into monitor mode by running:

airmon-ng start wlan0

Obviously, replace wlan0 for whatever your interface name is.
After we set the card in monitor mode, we’ll be given an alternate interface name usually in the form of mon[x]. We’ll be using that interface to sniff packets.
Next, let’s do a short site survey to see what’s really around us. We’ll run airodump-ng to do this as follows:

airodump-ng mon0

This will give us the list of AP’s and stations close to us, and if your card supports it, a signal strength and receive quality indicator. It’s best that your receive quality is close to 100, as this will help when injecting packets later on…
If you see, the Channel keeps varying, this is because we’re surveying the entire spectrum for available networks. Once we find the one we’d like to peek into, it’s very important to lock the card in that channel so we can listen to the maximum number of packets.
Let’s lock the card into channel 1 so we can hear that AP better… we do that by using iwconfig again:

iwconfig wlan0 channel 1

And then let’s see the results:

airodump-ng –channel 1 mon0

Hopefully now there will be beacons more often (which are useless, but good indicator that we have signal, the faster they flow the better).
We’ll set the proper airodump-ng parameters so we lock to a specific Channel, specific AP (or BSSID), and we write the captured IV’s into a file that we can use…

airodump-ng –ivs –write /root/capture –bssid 00:12:17:05:92:5D –channel 1 mon0

By doing this, we’ll start listening to ALL network traffic going and coming out of that specific AP. If the network is pretty active, we should see the “#Data” counter go up, which is exactly what we want. The more “Data” the faster we can get that WEP key.
Just to give you an idea, it’s very unlikely you’ll get far with anything less than 50000 IV’s (“Data”). This is why on the next section I’ll go over how to inject packets to generate fake traffic and get that Data counter up to something usable in minutes.

It’s been long known that WEP is a very insecure wireless encryption protocol, and this is due to weak Initialization Vectors (IV) being used within. See, the engineers that designed the WEP protocol attempted to create a stronger encryption by adding a 24 bit IV to the cypher key that changes constantly, thus “eliminates” the repeated encryption of data with the same key over an over. The problem is, these IV’s are too short, and are periodically reused… which means that if we can sniff enough data over the air, and get the AP to reuse IV’s eventually, we can figure out the key.

In this tutorial I plan to do exactly that, grabbing the WEP key of my own “public” wireless network, which I made “1234512345”. Simple.

First, we’ll start by grabbing a copy of BackTrack. BackTrack is a live Linux distro that has a (pretty big) collection of little tools that aid security professionals in penetration testing. Of course, put in the wrong hands, this distro can do some serious damage. Fortunately, we won’t be doing any of that here.

You can grab the distribution by going to http://www.remote-exploit.org/backtrack_download.html and downloading the ISO. I’ve been using the BackTrack 4 Beta lately, so i’ll be showing that one around.

Once you got the ISO cooked and ready to go, reboot your PC and watch that kernel uncompress… sweet… after a while you’ll be presented with this:

We’re going to login as root with password toor. After we’re in, we’ll type in startx to start X and KDE so we can get some GUI and multitask on command windows easily. After the GUI is loaded, you’ll see KDE which looks like this:

And that’ll be all for today. I’ll continue the guide later so we can put your wireless card to better use.