Remote Exploit Forums

#31, 06-03-2006, 01:59 PM, Junior Member (joined May 2006, 16 posts)

Quote:
Originally Posted by hobbes
ARP injection

Before setting off the deauth attack we need to set up aireplay to listen for the ARP request so it can rebroadcast the packet and generate traffic. Type the following command into a new console, but don't run it:

* aireplay -3 -b APMAC -h CLIENTMAC -x 500 DEVICE

Follow the same naming scheme as above. This command tells the program to listen for an ARP request coming from the client's MAC address and directed at the AP's MAC address, then broadcast that request 500 times per second from your Atheros or Prism card.

Using the attacks

Run the -0 attack, then immediately after run the -3 attack. Feel free to write a script to do this for you. You should see the -3 command output how many ARP requests it received then display how many have been transmitted. With any luck, the number in the Data column on airodump should be increasing at a high rate. You may need 250,000 packets to crack a short WEP key, and up to 2,000,000 for a longer one if you aren't lucky.

When I do this I don't get any data at all in the airodump window and no ARP requests are counted either. What am I doing wrong?
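
Seen from the monitoring side, the injection described in the quoted tutorial has a recognisable shape: one station sending broadcast frames at roughly the `-x` rate while reusing a single WEP IV, because the same captured frame is retransmitted. The detection logic below is an added example, not part of any post in this thread; the record layout, MAC addresses, IV values and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"  # constructed BSSID


def build_sample():
    """Constructed capture records: (time_s, bssid, src, dst, wep_iv_hex)."""
    frames = []
    # Ordinary client: 40 unicast frames in one second, fresh IV per frame.
    for i in range(40):
        frames.append((10 + i / 40, AP, "aa:aa:aa:aa:aa:01",
                       "00:11:22:33:44:99", f"{i:06x}"))
    # Replayed ARP request: 500 broadcast frames in one second, one IV.
    for i in range(500):
        frames.append((10 + i / 500, AP, "aa:aa:aa:aa:aa:02",
                       BCAST, "c0ffee"))
    return frames


def find_replay(frames, min_rate=200, max_iv_ratio=0.05):
    """Flag stations flooding broadcast frames with reused IVs.

    min_rate and max_iv_ratio are assumed thresholds; tune them per network.
    """
    windows = defaultdict(list)  # (bssid, station, second) -> IVs seen
    for t, bssid, src, dst, iv in frames:
        if dst == BCAST:
            windows[(bssid, src, int(t))].append(iv)

    alerts = []
    for (bssid, src, sec), ivs in sorted(windows.items()):
        distinct = len(set(ivs))
        # High rate alone can be legitimate; IV reuse is the replay signal.
        if len(ivs) >= min_rate and distinct / len(ivs) <= max_iv_ratio:
            top_iv, hits = Counter(ivs).most_common(1)[0]
            alerts.append({"bssid": bssid, "station": src, "second": sec,
                           "frames": len(ivs), "distinct_ivs": distinct,
                           "top_iv": top_iv, "top_iv_hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_replay(build_sample()):
        print(alert)
```
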

#32, 06-03-2006, 09:03 PM, trueblu8, Member, Chicago (joined May 2006, 61 posts)

I can think of 3 things that could be wrong. 1. There is no client on. 2. You're too far away; check your signal strength in airodump, it should be at least 30 or close to it. 3. You are using a card/adapter that doesn't have the right chipset in it. I've had good luck with a DWL-G650, which has the Atheros chipset.

#33, 06-04-2006, 02:32 PM, Junior Member (joined May 2006, 16 posts)

Thanks Trueblu8, I have checked and you are right. There are no clients, and the AP is pretty far away, as in, down the bottom of my street. Anyway, I think that my card is OK. It's a Netgear MA401; I've heard people have had success using this type in the past. I hope I can too.

By the way, how will I know when there are clients? Will it show up on airodump or kismet?

#34, 06-05-2006, 12:19 AM, trueblu8, Member, Chicago (joined May 2006, 61 posts)

You could check for clients in either one, but I prefer using airodump. The clients will appear under where it says: station. Yeah, so basically it's two things that you need to do. First, find an AP in your area that has a decent signal, and then it's just a waiting game, which can be a real pain sometimes.

#35, 06-05-2006, 01:18 AM, Senior Member (joined Feb 2006, 174 posts)

Does anyone have an updated wepcrack.pl script that works with B|T 1.0? If not, I'll try to write it, but it may take a while as I've never shell scripted before.

#36, 06-05-2006, 04:57 PM, Junior Member (joined May 2006, 8 posts)

Quote:
Originally Posted by yeehawjared
Does anyone have an updated wepcrack.pl script that works with B|T 1.0? If not, I'll try to write it, but it may take a while as I've never shell scripted before.

Try wepcrack from TheGreatVirus at http://www.forums.tisnetworks.org/in...p?showtopic=34

Scroll down to download wepcrack.mo for your BT iso.

#37, 03-12-2007, 07:45 AM, Junior Member (joined Feb 2007, 10 posts)

Every time I follow your steps, I go to use aircrack and it says file not found. I try just dump, dump.ivs and dump.cap and I get nothing, and if I look at aireplay it says saving ARP requests to <some huge filename>, and I try to aircrack that and it says I have only 8 IVs. I have about 100000 ARP replies and a lot of data and everything is going good, but I cannot figure this out. Someone please explain what is going on. Also, I am running live from the CD.

#38, 03-13-2007, 04:24 AM, trueblu8, Member, Chicago (joined May 2006, 61 posts)

dump-01.ivs

#39, 03-13-2007, 05:29 AM, Junior Member (joined Feb 2007, 10 posts)

I just noticed that I brought back a dead thread, sorry guys.

All times are GMT.