03-21-2015, 12:18 AM
So a lot of people want to learn how to hack WiFi Passwords, perhaps at school or somewhere else. There are a lot of people selling this method on the internet, which I don't understand because it's not their original work and plenty of people know how to do this, but in case you're not one of those people, here is how you do it.
1. Download Backtrack 3. It can be found here:
http://www.remote-exploit.org/backtrack_download.html (The space is an _ )
The Backtrack 4 beta is out but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this chapter will proceed under the assumption that you have BT3 installed and ready to go. I downloaded the CD iso and burned it to a CD, but you can use a USB if you'd like. Insert your BT3 CD or USB into the computer then reboot your system into BT3. I always load into the 3rd boot option from the boot menu. You only have a few seconds before it auto-boots into the first option so be ready. The 1st option always boots either extremely slowly or it won't boot at all. Experiment to see what works best on your computer.
2. Preparing the victim network for an attack
Once in Backtrack 3, click the tiny black box in the lower left corner to load up a "konsole" window. Now we must prep your wireless card. Type:
airmon-ng
You will see the name of your wireless card. Mine is named "ath0". From here on out, replace ath0 with the name of your wireless card. Now type:
airmon-ng stop ath0 (0 is a zero)
then type:
ifconfig wifi0 down
then:
macchanger --mac 00:11:22:33:44:55 wifi0
then:
airmon-ng start wifi0
What this step did was spoof (fake) your mac address so that just in case your computer is discovered by someone as you are breaking in, they will not see your real mac address. Moving on, now it's time to discover some networks to break into.
Type:
airodump-ng ath0
Now you will see a list of wireless networks start to populate. Some will have a better signal than others and it's a good idea to pick one that has a decent signal strength otherwise it will take forever to crack, or you may not be able to crack into it at all. Once you see the network that you want to crack, then do this:
hold down ctrl and tap c
This will stop airodump from populating networks and will freeze the screen so that you can see what you need.
*Now from here on out, when I tell you to type a command, you need to replace whatever is in the parentheses with what I tell you from your screen. For example, if I say to type:
- c (channel)
then don't actually type in - c (channel). Instead, replace that with whatever the channel number is... So for example you would type:
- c 6 (Given the channel number is actually 6)
Now find the network that you want to crack and make sure that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on, you can still crack WPA with Backtrack 3 and some other tools, but it is a whole different beast, and you should probably master hacking WEP keys first.
Once you've decided on a network, take note of its channel number and bssid. The bssid will look similar to this: 05:gj:30:fo9:2n. The channel number will be under a heading that says "CH". Now, in the same konsole window, type:
airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0
The file name can be whatever you want. This is simply the place that airodump is going to store the packets of information that you receive later to crack. You don't even have to put an extension, just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.
*Side Note: if you crack more than one network in a single session, you must have a different file name for each or it won't work. You can name them both wepkey1 and wepkey2 if you'd like.
Once you typed in that last command, the screen of airodump will change and begin to show your computer as gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector", but in noob terms it means "packets of info that contain clues to the password". Once you gain a minimum of 5,000 of these IV's, you can try to crack the password.
I've cracked some right at 5,000 and others at 50,000. It just depends on how complex the owner made their password.
Now you are thinking "I'm screwed because my IV's are going up very slowly". Well, don't worry. Now we are going to trick the router into giving us hundreds of IV's per second.
3. Actually cracking the WEP Password
Now leave this konsole window up and running and open up a second konsole window. In this one, type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0
This will generate a bunch of text and you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean, just know they are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds, sometimes it takes a minute or two. Just be patient. When it finally does happen, switch back to your first konsole window and you should see the number underneath the IV start rising rapidly. It means you're almost finished! When this number reaches at least 5,000 then you may start your password crack, however you will probably need more than 5,000.
Now you need to open a 3rd and final konsole window. This will be where we actually crack the password. Type:
aircrack-ng -b (bssid) (filename)-01.cap
Remember the filename you made earlier? Mine was "wepkey". Don't put a space in between that and -01.cap. So for me, I would type wepkey-01.cap. Once you have done this you will see aircrack fire up and begin to crack the password. Typically, you will have to wait for more like 10,000 or 20,000 IV's before it will crack. If this is the case, aircrack will say something like "not enough IV's". DON'T DO ANYTHING. It will stay running, it is just letting you know it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it, likewise with 20,000 and so on.
If you do everything correctly up to this point, before long you will have the password. If the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes though, the password is saved in a HEX format, in which case the computer will show you the HEX encryption of the password. It doesn't matter either way because you can type in either one and they will both work.
Take note though, that the password will always be displayed in aircrack with a colon after every two characters. So for instance if the password is "secret", it will come out as se:cr:et.
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "OFKW9427VF" then it would come out as OF:KW:94:27:VF.
Just omit the colons from the password, boot back into whatever operating system you were using, try to connect to the network and type in the password without the colons, and presto, you're into the network.
It may seem like a lot to deal with if you're a noob, but you will get the hang of it after a couple of tries.
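From the defender's side, the two things this post depends on are an access point still advertising WEP and a station re-sending one captured frame (with its identical WEP IV) hundreds of times a second so the router answers with fresh IVs. The check below is an added example, not code from the post; it runs over a small constructed list of frame summaries whose field names and MAC/IV values are assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Frame(NamedTuple):
    t: float                       # capture time in seconds
    src: str                       # transmitter MAC
    bssid: str                     # AP the frame belongs to
    kind: str                      # "beacon" or "data"
    cipher: Optional[str] = None   # beacons: advertised cipher
    iv: Optional[str] = None       # data: 24-bit WEP IV as hex

def wep_access_points(frames):
    """BSSIDs whose beacons still advertise WEP, the cipher the post relies on."""
    return {f.bssid for f in frames if f.kind == "beacon" and f.cipher == "WEP"}

def iv_replay_bursts(frames, window=1.0, threshold=50):
    """Return (src, bssid, iv, count) for every station that sent `threshold`
    or more data frames carrying the *same* WEP IV inside `window` seconds.
    A real client draws a new IV per frame; a burst of one IV is a frame
    being replayed to make the AP emit new IVs (the ARP/ACK flood above)."""
    times_by_key = defaultdict(list)
    for f in frames:
        if f.kind == "data" and f.iv is not None:
            times_by_key[(f.src, f.bssid, f.iv)].append(f.t)
    hits = []
    for key, times in times_by_key.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits.append((*key, best))
    return hits

# Constructed sample capture: one WEP AP, one WPA2 AP, one normal client frame,
# then a burst of 300 copies of the first client's frame (same IV 3f9a10).
FRAMES = [
    Frame(0.00, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "beacon", cipher="WEP"),
    Frame(0.10, "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:02", "beacon", cipher="WPA2"),
    Frame(0.20, "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "data", iv="3f9a10"),
    Frame(0.25, "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01", "data", iv="3f9a11"),
] + [Frame(0.30 + i * 0.002, "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "data", iv="3f9a10")
     for i in range(300)]

if __name__ == "__main__":
    print("WEP APs:", sorted(wep_access_points(FRAMES)))
    for src, bssid, iv, n in iv_replay_bursts(FRAMES):
        print(f"replay burst: {src} -> {bssid} IV {iv} x{n} within 1 s")
```

Seeing any BSSID in the first set is itself the finding: the fix is moving that network to WPA2/WPA3, after which the IV-replay signature has nothing to harvest.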