Saturday, March 28, 2009

penetrating a Wi-Fi network through backtrack

This is meant for educational purposes only. Any resemblance to real persons, living or dead, is purely coincidental...lolz. Any attempt made by you makes you responsible...not me.
It may be too intense for some of you kids, so take a good look at yourself and think about what you want to do. I am writing this for people who don't have it in them to study and learn the basics. This is like a 'capsule' for them. This is meant for testing your own WEP-protected wireless network. I hope you guys don't misuse this and land yourself in trouble. It goes without saying that this is for YOUR OWN NETWORK TESTING PURPOSES ONLY. Unauthorized access of other people's networks is illegal. If you have problems or questions about anything, for the love of god use google/wikipedia and do some shit work yourself.

hmmm...let's get started...
We need to have right tools but we need to understand the lingo too...
so cram this first...
AP: Access Point: a wireless router
MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (i.e. 00:11:ef:22:a3:6a)
BSSID: the Access Point's MAC address
ESSID: the Access Point's broadcast name (i.e. linksys (like in my HP training center), default, IBM etc). Some APs will not broadcast their name, but Kismet may be able to detect it anyway
TERMINAL: MS-DOS-like command line interface. You can open this by clicking the black box icon next to the start key in backtrack
WEP: short for Wired Equivalent Privacy, it is a security protocol for Wi-Fi networks
WPA: short for WiFi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: i will not cover cracking WPA encryption...yeah. No spoonfeeding here lolz

(i).Backtrack
Current stable version is 3. Backtrack is a linux live cd based distribution; it runs directly from the cd-rom. Get it, make a cd, and don't install it. You may fuck up your computer coz i know that you will not know what you are doing lolz. So ummm...if u are already familiar with linux and have played with it then you are ready...if not then pick up an e-book on linux, go through it for 2-3 hrs and come back.

(ii).Wireless card
Atheros** or Prism2/2.5/3 wifi card (the injection card)
Make sure your wireless card has the right chipset. Why i say this, u stupid dumbo: most wireless cards are programmed only to accept data that is addressed to them; other cards, like the ones that are of use for wifi sniffing, are capable of picking up all traffic that is flying through the air. Common types are Atheros, Prism, Aironet, Realtek, Hermes, etc. based cards. You are on your own figuring out what type of chipset your wireless card has, as it's too vast to get into here...okay.
Else there is one nifty wifi-usb adapter that will do all the work. See here

What tools you require:-
airmon - It's a tool that can help you set your wireless adapter into monitor mode (rfmon)
airodump - It's a tool for capturing packets from a wireless router (otherwise known as an AP)
aireplay - It's a tool for forging ARP requests
aircrack - It's a tool for decrypting WEP keys
iwconfig - It's a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in "monitor" mode which is essential to sending fake ARP requests to the target router
Remember : your best tools are Patience, luck, persistence...

Here we go...
use your cd to bootup...
linux command lines are similar to the commands used in DOS. Note that linux is case sensitive.

once you boot up enter these little commands in the Konsole to set things up...
xconf :This should create a file /etc/X11/xorg.conf and autodetects your video settings.
To get the KDE gui desktop...type in:
startx: you should be gleaming in the beautiful glow of the back|track KDE desktop.aren't you?? lol
let's get organized...
to crack a WEP key you must have a large number of encrypted packets to work on.This step can't be skipped.So, how to get the packets??well,the best way to get a large number of packets is to perform an ARP request reinjection attack (otherwise known as attack -3). In order to do this attack and get results there must be a client already authenticated with the AP, or about to connect to the AP.
At the bottom left of the screen is a little icon that looks like a monitor with a black screen. This is called the bash prompt. This is where you will be spending most of your time, so click on this to open up a new bash prompt.
type this:
modprobe -r iwl3945
this unloads the stock iwl3945 driver (these two modprobe commands are specific to the Intel 3945 chipset; other cards use other drivers). the next command that you type is:
modprobe ipwraw
this loads the driver that your card needs for the tools below. usually these commands don't need to be used, as backtrack pre-loads your drivers on startup.
the next command to put in is:-
iwconfig
to find out what your wireless interface is.
This will show you a list of all compatible network cards on your system (mine is eth0).
sometime you may want to stop the adapter:
airmon-ng stop eth0

In order to connect to a wireless network in backtrack, you must type in
iwconfig eth0 essid nameofnetwork key whateverthekeyis

ifconfig eth0 up

dhcpcd eth0

A message should pop up in the bottom right of the screen saying something about your interface (ath0 or eth0, whichever your card shows up as) being connected. To disconnect, before switching to another network, type:
ifconfig eth0 down
This configures your card the way that it needs to be to run the programs that your about to start.
Setting up your wireless interface in monitor mode.
type in:- iwconfig eth0 mode monitor

now type: airodump-ng eth0
this will show you the AP’s in your range, what you want to do is write down the BSSID (mac addy of the target AP) the channel of the target AP, the ESSID (the name of the target AP)

Let's sniff now..getting excited hehe
Start airodump
airodump-ng --write out --ivs --abg eth0

This starts airodump-ng and tells it to begin sniffing data, write it to the file out, and only capture IVs (Initialization Vectors). You will see a list of access points on the top half of the screen, and clients on the bottom. Find your access point in the list. Write down the BSSID or MAC address of the access point and any connected clients.
Our goal is to capture as many unique IVs as possible. Every time data is sent between the wireless access point and a client, each packet carries an IV; these are collected and then run through the aircrack-ng program for computation.
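The reason a "large number" of packets is needed is that a WEP IV is only 24 bits wide, so a busy network repeats IVs in hours, not years. The following is an added example (not code from the original post); it uses constructed numbers only, no captures, to quantify how soon an IV repeat is expected and to mimic the unique-IV count that airodump-ng's --ivs mode shows:

```python
"""Why WEP needs 'a large number of packets': the IV is only 24 bits.

Added example, not from the original post. Constructed numbers only.
"""
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible initialization vectors


def frames_until_iv_repeat(probability: float, space: int = IV_SPACE) -> int:
    """Birthday bound: the smallest number of frames n for which the chance of
    at least one repeated IV reaches `probability`, using
    P(repeat) ~= 1 - exp(-n^2 / (2 * space))  =>  n = sqrt(2 * space * ln(1 / (1 - P)))."""
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def seconds_to_exhaust_iv_space(frames_per_second: float, space: int = IV_SPACE) -> float:
    """How long a network takes to walk through every IV once if the sender
    simply increments the IV with every frame."""
    return space / frames_per_second


def count_unique_ivs(ivs):
    """Mimic the 'unique IVs' figure: distinct IVs seen, and how many frames
    reused an IV that had already appeared."""
    seen = Counter(ivs)
    unique = len(seen)
    reused = sum(n - 1 for n in seen.values())
    return unique, reused


if __name__ == "__main__":
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat(0.5))
    print("hours to exhaust the IV space at 500 frames/s:",
          seconds_to_exhaust_iv_space(500) / 3600)
    # Constructed IV stream: a counter that restarted from 0 part way through
    # (as some cards do after a reset), which is what produces the repeats.
    stream = list(range(1000)) + list(range(300))
    print("unique IVs / reused frames:", count_unique_ivs(stream))
```

About 4,800 frames already give a 50% chance of a repeated IV, and at 500 frames per second the whole IV space is used up in roughly nine hours; that is why the post spends most of its time generating traffic, and why WEP was replaced by WPA.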

You should be seeing a ton of numbers flashing by. That's because airodump-ng is searching all channels. Once you see your network, note what channel it is on (under the CH header). Stop airodump-ng by hitting Ctrl+C.
go again but this time we will add --channel # where # is the channel number of the access point, say, channel 3

airodump-ng --channel 3 --write out --ivs --abg eth0

Airodump-ng should be running much faster now, numbers flashing at very fast speed. The numbers passing very quickly are the beacons. Beacons announce that the device is an access point and are sent about 10 times a second. For this type of attack it is important for there to be a client connected to the access point. In backtrack, you should see at the bottom a client pop up; the first MAC is the access point and the 2nd is the client. Write down both. Open a new bash prompt and type:

aireplay-ng -2 -b PPmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h VPmac eth0

Where PPmac is the mac address (bssid) of the access point and VPmac is the mac address of the client.
aireplay-ng will now start sniffing for a certain type of packet, with a length of exactly 68 bytes, between client and access point. At this point, if there is significant data transfer between the client and AP, it may snag the right type of packet already and there is no need to do the next step. In this case, hit Y to use the packet and skip the next step. If however it keeps reading packets for a while (more than a couple of minutes) and does not pop up saying "Use this packet?" then do the following:

Open a new prompt and type:--
aireplay-ng -0 1 -a PPmac -c VPmac eth0

This command will effectively terminate the connection between the AP and the client forcing the client to re-connect. It is this re-connection packet that we are looking to scoop up with the first instance of aireplay.See you are becoming smart...Now you see how close you are to penetrating.
When you see something at the bottom of the screen saying "Use this packet?" Hit Y and aireplay will start sending out tons of packets to the AP. Switch over to airodump-ng which should still be running in the first bash prompt. Look at the data rate of the targeted AP--VP.If all is going well, Aireplay is spewing out packets like hell to the access point and airodump-ng is picking up the chatter in between, the data should be rising quickly. This is exactly what we want.
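Seen from the network owner's side, the two aireplay-ng steps above leave very distinctive traces: a burst of deauthentication frames against one client, and one 68-byte frame repeated hundreds of times with the same IV. The following is an added example (not code from the original post) that runs simple detection logic over a constructed set of frame summaries; the addresses, field names and thresholds are this example's own choices, not real captures:

```python
"""Detecting a deauthentication flood and a replayed WEP frame.

Added example, not from the original post. The frames below are constructed
summaries, not real captures; addresses and thresholds are made up here.
"""
from collections import defaultdict, Counter
from typing import NamedTuple, Optional


class Frame(NamedTuple):
    ts: float            # seconds since start of capture
    kind: str            # "data", "deauth", "beacon", ...
    length: int          # frame length in bytes
    src: str             # transmitter MAC
    dst: str             # receiver MAC
    bssid: str           # AP the frame belongs to
    iv: Optional[int]    # WEP IV for data frames, None for management frames


# Constructed addresses (not real devices).
AP = "00:aa:bb:cc:dd:ee"
CLIENT = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample():
    """Constructed capture: benign traffic, then a deauth burst, then a replay."""
    frames, t = [], 0.0
    for iv in range(10):                      # benign: fresh IV on every frame
        frames.append(Frame(t, "data", 98, CLIENT, AP, AP, iv))
        t += 0.1
    for _ in range(8):                        # 8 deauths in under half a second
        frames.append(Frame(t, "deauth", 26, AP, CLIENT, AP, None))
        t += 0.06
    for _ in range(30):                       # one 68-byte frame replayed 30 times
        frames.append(Frame(t, "data", 68, CLIENT, BROADCAST, AP, 0x123456))
        t += 0.01
    return frames


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """BSSIDs that saw at least `threshold` deauthentication frames inside any
    sliding interval of `window` seconds. Legitimate deauths are rare; a burst
    of them is the classic sign of a forced reconnect."""
    times = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times[f.bssid].append(f.ts)
    flagged = set()
    for bssid, ts in times.items():
        ts.sort()
        start = 0
        for end, t_end in enumerate(ts):
            while t_end - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(bssid)
                break
    return flagged


def detect_replay(frames, threshold=20):
    """(source MAC, IV) pairs repeated at least `threshold` times. A sender that
    increments its IV does not emit the same IV dozens of times in a row; an
    injector replaying one captured frame does exactly that."""
    counts = Counter((f.src, f.iv) for f in frames
                     if f.kind == "data" and f.iv is not None)
    return {key for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    sample = build_sample()
    print("deauth flood against BSSID(s):", detect_deauth_flood(sample))
    print("replayed (source, IV) pairs:", detect_replay(sample))
```

A wireless IDS does the same two counts on live frames; the thresholds here are deliberately low for the small constructed sample and would be tuned to the real network's baseline.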

If for some reason the numbers don't flash quickly, go back to the first aireplay-ng. If aireplay picks up more packets, it will prompt you again, asking if you want to use them. Try more packets. Try the aireplay-ng -0 method again. Experiment. Once you've got the data rate going up quickly, start aircrack-ng and start crunching the numbers. Type ls to get a list of the files. One file should be the out file that you specified in airodump-ng.
Type in:
aircrack-ng -f 2 -a 1 -b PPmac -n 64 out-01.ivs
If it runs for a long time and finds nothing, either you don't have enough IVs, or you are searching under the wrong key length. Try 128. You can also run multiple instances of aircrack with different variables. Aircrack will continually update. After a bit of time, it should spit out your WEP key. Congrats!
now use this key...
iwconfig wlan0 key [.......]


if this doesn't work for you...send in the comments.

next post will be on how to protect your USB from common viruses.
I will post it next weekend.


  1. OMG, this is soooooooooo over my head, it has nothing to do with being blonde either. hehehe


  2. I like the dark side of Vik.
    I remember backtrack, I used to break into stores' networks on my macbook with bootcamp, but only at that time when I didn't have mobile internet :-) Just like you, I must recommend to behave nicely and respect poor bastards' bandwidth, networks and resources :-)

  3. @ chan
    it looks hard dear,but it ain't !
    give it a go someday :)

  4. @ runnerfrog

    thank you...i love the Darkside. You can write a guest post here on your exploits someday brother.

    yes, these kids they don't know what they are seeking,they think they are in control,but in reality they know a little of what is happening.
    you said it all in the end.

  5. Hi, I have a macbook pro and have installed backtrack 4 for network testing. Is there a way to get my integrated wireless card to work with backtrack 4 or do I have to buy a pc? please help

  6. @ fjb

    You don't need to buy a pc.

    Chipsets supported by aircrack-ng are

    or you can use a USB adapter anyday.
    Like hawking's USB adapter.

    You can check the compatibility page on backtrack's website anyday.