TAZ Forum Community

Okay this is my first tutorial so go easy on me.
This is a tutorial for cracking WEP and injecting packets for networks with no clients. You'll be able to do so on a windows platform (tested in VISTA and works)!
-------------------------------------------------------------------------------------------

First of all I've got all my info out of this thread and the links posted there:
http://tazforum.thetazzone.com/viewtopi ... sc&start=0
I can only make this tutorial thanks to Zermelo that kept answering my question when I was lost.

GETTING EVERYTHING READY:

- The first and most important thing to do is to get an adapter that works with airodump:
check this thread for that:
http://tazforum.thetazzone.com/viewtopic.php?t=6235
and this one:
http://tazforum.thetazzone.com/viewtopi ... 01&start=0

- Then you need to install the proper drivers for your card. (I used the commview drivers.) If your card isn't compatible with Commview you'll need to install the wildpackets drivers.

to do this for cards compatible with commview download commview here and install its drivers:
http://www.tamos.com/bitrix/redirect.ph ... es/ca5.zip

for other cards download the wildpackets drivers here:
http://www.wildpackets.com/support/downloads/drivers

NOTE: I'm going to base the rest of this tutorial on a card with the commview drivers installed!

- Next step is to download this .dll file (again only commview driver users):
http://darkircop.org/commview.dll

- Next up, download the aircrack package. Download it here:
http://dl.aircrack-ng.org/aircrack-ng-svn-win.zip

unzip the file to your c:\ drive (it can be another drive but this is the easiest)

put the commview.dll file you just downloaded in the map you extracted (it's called aircrack and if you extracted it to your c: drive like I said it should be in c:\aircrack\)

Now go to you place where you installed Commview in (the program itself) and look for a file called "ca2k.dll" (default install dir is c:\program files\commview for wifi\)

Copy this file to the same folder as the commview.dll (c:\aircrack\)

OKAY that was a whole lot! this was just to get everything ready! If you did all of this correct you'll be able to move to the next step!
-------------------------------------------------------------------------------------------

THE CRACKING:

Step 1:
- Open a command prompt (start > run > cmd.exe)

Step 2:
- type the following in the command prompt:

- HIT ENTER

Step 3:
- type the following in the same command prompt:

- HIT ENTER
- You should see something like this coming up in the command prompt


Step 4:
- Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!)
- Typ the following the the new command prompt:

-HIT ENTER

Step 5:
- Now typ this in the same command prompt:

- HIT ENTER

note: if you know what channel the to-monitor-network is on you can make it this. I recommend this!:


Airodump-ng should start capturing data from the networks on the given channel now, you'll notice it isn't going fast (except if it's a big company's network or something). We are going to speed this process up!
Take a note of the following:
1: BSSID of the network you want to crack = MAC address.
2: ESSID of the network you want to crack = name of the network (example: wifi16, mynetwork,...)
3: The mac of the card you are using to monitor the packets

LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!

Step 6:
- Open a new command prompt
- Type in the following:

- HIT ENTER

Step 7:
- Type in the following in command prompt:


yes quite confusing so a quick example:
ESSID = wifi16
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you'll get this as the outcome:


if you get:

It means MAC filtering is enabled on the network you want to crack and you'll need to get hold of a mac address that's allowed access.

if you keep getting:

Try moving closer to the AP!

Step 8:
in the same command prompt as the one in step 7 type:


yes quite confusing once again so a quick example:
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you'll get this:


Step 9:
if you wait a little bit you'll soon be prompted with a packet like this:


note: size can vary, I always pressed in y and it worked
- press in Y
- HIT ENTER

You should see something like this coming up (or similar):


Note 1: It doesn't need to be 1500 bytes!!
Note 2: Check the bold part, you're going to need this file!
AGAIN DON'T CLOSE THIS COMMAND PROMPT!!

if you keep getting:

Just keep trying! It automatically starts over again (moving closer to the AP has been reported to help.)



anyways, if you got the bytes of keystream (everything worked) it's time for the next step!

Step 10:
- Press CTRL + C in the command prompt used in step 8
- Now type in the following:


Remember the file I made bold in part 8? Well it's obviously the same as in 9 meaning you need to put the same filename here.
The part I made green here is the filename you use to save the packet, you can choose whatever you want but you must use this filename in the upcomming steps!

Step 11:
Now that we've got our ARP REQ packet we can start injecting!
Here's how to do this.
- Go to the command prompt used in step 9
- Type in the following:

The green part once again indicates the filename!

You should now see something like this coming up:

- Type in Y
- HIT ENTER

This should come up now:

You'll see the numberOfPackets rising really fast, you are injecting these packets now.

Step 12:
Now go back to the command prompt where you had airodump-ng in open
and press CTRL + C
now type in the following:

Note: Filename = The name of the file where the data packets are saved, this will be used in the next step

If all goes correct you should be capturing as much packets per second as you are injecting (maybe even more).

Step 13:
when you think you have enough...
note: 200000 min for 64bit (just capture 1Million to be sure)
...press CTRL + C in the command prompt that has airodump-ng running and enter the following:


note:
Filename = see previous step
64 = the bit depth of the key (128 for 128bit etc...)


and if it goes like planned a message will pop-up saying:


That's it! I hope this was helpful, any question/remarks/complaints please ask/tell and I'll try to help/respond as soon as possible!!

Extra useful links:
WEP CRACK tutorial from nokia:
http://tazforum.thetazzone.com/viewtopi ... f1722a5366

Info about the attack used(fragmentation):
http://www.aircrack-ng.org/doku.php?id=fragmentation

Zermelo's thread about this subject:
http://tazforum.thetazzone.com/viewtopi ... sc&start=0

Topic on another forum about this:
http://tinyshell.be/aircrackng/forum/in ... pic=1626.0
-------------------------------------------------------------------------------------------

Greetz .Transmit
(If you all like this tut I'll make one on cracking WEP with commview too)

This tut is AWESOME!!! And so far it works like a charm, thanks very much.

The only thing I had trouble with is step 3. It didn't work for me unless I entered the device id

WRONG WRONG WRONG

Step one is Turn ON Laptop...

Just Kidding Nice example with good detail. Way to pull all that info into one place.

Now go dig it!

I just submitted the thing

I had trouble with step 3 as well what did you all do excactly. mine said somthing about adapter not found. its a netgear and i know it works with comm view,wil packets, aircrack and back track so i was just trying to do it this way in order to make a video tutorial or somthing

I'm doing video tutorials for backtrack, but I've been a bit lazy lately

Strange, I'll try and see if I can get a solution for that problem with step 3, what error were you getting exactly?


EDIT: K maybe found a solution for the ones in trouble with step 3!

Try this (let me know if it works):
type this in the command window where the airserv command failed:

Quotes are important!

You probable get something like this:


now type this:

Quotes are important!

The red parts need to be the same! (they probably differ for everyone)

Let me know if it works! and still try to give me the full error.

Yep thats what I had used earlier and it worked. I guess it depends on your config and cards.

will try in the a.m. i just got back from my bacholer party so im not really feeling like............well you know

Hello there!
This tutorial looks really amazing, however I'am having a trouble with the step number 3 - after typing airserv-ng -d commview.dll instead of
Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666

I see

Opening card commview.dll
F1
init_lib<>
airserv-ng: wi_open<>: No error

After I try to type in step 5
airodump-ng 127.0.0.1:666
or
airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666 (In my case channel 7 is the best one)

I just get a message Failed to connect
In other words connecting to 127.0.0.1:666 is not possible in my case.

I ask you for apologies, I am a newbie, just let me know if you have any idea how to work this out.
I am using Windows Vista on Acer laptop with Atheros AR5005G network adapter, I installed everything according to the advices (drivers, dll files etc., commview is working normally as well).

Every little helps.

Thanks.[/i]

gismo are you sure you got the right drivers?? I solved the problem installing Commview drivers, i had Wildpackets first.

I wanted to ask if the debug function would work like this in case i am using wildpackets: airserv-ng -d "peek.dll|debug" Or what else??

The AP i am connecting to seems to have a very low traffic so i keep having (at step 9):
Data packet found!
Sending fragmented packet
No answer, repeating...
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating...
Sending fragmented packet
...

even after trying for 2 hours...is the low traffic the problem?? I'm saying it because in airodump i got around 10 beacons per second but NO DATA (data=0) for my AP. How could i increase that?? I tried by connecting (without a valid WEP Key) using my integrated wireless card, and i had some data, but not sufficient or useful.

Can someone give me some hints please?

check my tutorial for clientless WEP cracking with fake auth, its written for backtrack, but does the exact same thing, range is often a problem.

i don't think range is my problem, signal is very strong, could it be that anyway? i ll read your tut carefully, thanx

Hi, I can get to step 9, but when I enter Y after 'Use this packet?', I get blue screen, flashed error message and my computer dies.

the program was just recently patched to windows, so its a bit buggy. It may be a driver problem, try reinstalling your wildpackets driver.