How to crack WEP passwords

Introduction

When wireless routers first came out most were unprotected & ones that were, used simple 64bit WEP encryption. Times have changed. Newer 128bit WEP encryption has become popular & nearly all wireless routers are encrypted. This tutorial will show you how to retrieve WEP passwords. I will add a tutorial for cracking WPA soon. Now for the WEP cracking....


Things to know before we start

This method will not work with WPA passwords. I will write a tutorial for this at a later date.

This tutorial assumes you have a reasonably decent knowledge of computers.

You will be using a free live operating system called 'Backtrack 3'. No experience of this product is necessary.

Backtrack 3 is only compatible with a small selection of wireless adapters.
Here is a link to a page that lists all tested & compatible wireless adapters -
HCL:Wireless - Offensive-security.com
If your wireless adapter is not on this list, then it probably wont work.


Obtaining the Backtrack 3 Final disk

Here is a link to the official download page -
Remote-Exploit.org - Supplying offensive security products to the world

Download The first one on the list.

Once it has finished downloading, you must burn the downloaded image onto a blank disk. This can be done by lots of applications including Nero.

You now have the Backtrack 3 disk.


Booting Backtrack 3

Insert the backtrack 3 disk into your disk drive.

Make sure that your computer is set so it will boot of the disk drive. Most computers will have this set by default. If it isn't, then set it through the BIOS. I can't tell you how to do this, as most BIOSs are different.

Restart the computer with the Backtrack 3 disk in the drive.

If the computer is set up to boot from the disk drive, then your computer will boot off the Backtrack 3 disk rather than the operating system installed on your hard drive.

Now wait....

Lots of options will come up while Backtrack 3 is booting. Just ignore them.

After a few minutes, Backtrack 3 will be up & running.

Once the desktop is on screen, you can go to the next section.


Finding information about the wireless routers in the area

The 'KDE Menu' is the button in the bottom left corner of the screen. It is a blue icon.

Click on the KDE menu, click 'Backtrack', click 'Radio Network Analysis', click '802.11', click 'Analysing', click 'Kismet'.

A window should come on screen called 'Kismet'. Wait a few moments for Kismet to start. Once started, minimize it.

Click on the KDE menu, click 'Backtrack', click 'Radio Network Analysis', click '802.11', click 'Analysing', click 'Wicrawl'.

A window should come on screen called 'Wicrawl'. Wait a few moments for Wicrawl to start. On the Wicrawl menu toolbar there should be an option called 'Interfaces'. Click it. There will be a list of all the internet adapters (wired & wireless) connected to your computer. You need to select the wireless adapter you are using. If you don't know what it is, then test them all out. The scan will only work on functioning wireless adapters. On the Wicrawl menu toolbar there should be an option called 'Scan'. Click it. click 'Automatic Mode'. Once clicked, Wicrawl will start searching for wirless routers. Leave Wicrawl running. Minimize it.


Cracking the WEP password

Click on the KDE menu, click 'Backtrack', click 'Radio Network Analysis', click '802.11', click 'Cracking', click 'SpoonWEP'. A window called 'SpoonWEP' should come up on screen shortly after clicking on it.

As SpoonWEP is a Java application, it will take a few moments to start up.

Bring Wicrawl back up. In Wicrawl it should show a the 'BSSID' of all the access points it found.
Now you must type the BSSID number into the Victim MAC text box in SpoonWEP. Make sure you type it correctly.

Now close Wicrawl.

Bring Kismet back up. In Kismet it should show the channels of the found access points. Find the same access point you found in Wicrawl. Now look at it's channel number. Now you must drag the channel slider to the correct channel.

Close Kismet.

In SpoonWEP, Make sure that the MAC & the channel are correct & belong to the same access point.

All the other setting can be left as they are.

Press 'Launch'

The cracking proccess has begun. First it will capture IV & build a packet capture file, then it will find the key in the packet capture file. It is all automatic.

After a period of time, the password will be displayed in the bottom of the SpoonWEP window.

When you have the password, remove the colons & decapitalize all the letters.

You now have the password.


Troubleshooting

Please check the following -

- Your cracking a WEP router, not a WPA one.
- Your wirless adapter is compatible with Backtrack 3
- You're actually in range of the wireless router.