Well, let’s not kid ourselves that we’re doing this just for fun, or for the thrill of the “hunt” for the right password. First, a few basics: WEP, or Wired Equivalent Privacy, is an old but still widely deployed WLAN encryption scheme, and it is well known to be broken. It runs RC4 seeded with a 24-bit IV prepended to a static key, which leaks enough about that key that, with an active attack (injecting traffic so the network churns out IVs faster), it can be cracked in minutes. In our case we’re going the slower route: a purely passive attack that only listens and never transmits, which is what the argument for it being legal (up to a point) rests on.
First, google and download two programs: CommView for WiFi (the demo/trial version is enough for our purposes) and the Windows build of aircrack-ng, which will do the actual recovery of the WEP key. After you’ve downloaded and installed both, I’d recommend tweaking CommView under Options\Memory Usage and setting the maximum number of packets retained in the buffer to 20000. That sets the stage for the first part of the WEP hack: the recon.
For the recon we use CommView for WiFi as a packet sniffer and monitor. This is the slower, passive way to go, but it can be argued that it’s legal up to the point of using the retrieved key (whether that argument holds depends on where you live), whereas an active attack that injects traffic is considered a crime from the start. Start the program and select “Start capture” (Ctrl+S); you should get this prompt:
First, select “Start scanning” to “meet the neighbors”. In our case there are people on channels 6, 7 and 11. Although the guy on 11 has decent signal strength we have to ignore him, because he’s running WPA. Our only candidate is on channel 7, so under Capturing we select Channel 7 and hit “Capture”. Now we wait, which, depending on how busy the target network is, can take anything from 5 minutes to days: what the crack needs is distinct IVs, and a network nobody is using produces none. The good thing is that the program is lightweight enough that you can play Modern Warfare 2 while you wait without any performance SNAFUs. The bad thing is that it takes over your WLAN card, so if you don’t have a second one and/or a wired Ethernet connection… well, you’re screwed, and you’ll have to forget about Twitter and Facebook for a while.

When the packet buffer gets close to 20000 entries, highlight them all, right-click, and choose “Save Packets As”. IMPORTANT: save them as *.cap files in Tcpdump format, since that is what aircrack-ng reads; CommView’s native format won’t work.
Also, to keep memory usage and noise down, tick “Capture data packets” only (best done before you start capturing): management and control frames carry no IVs, so they are useless for the crack. Once you have at least 20000 packets from a single network (more is better, and what counts is distinct IVs rather than the raw packet count, since a retransmitted frame repeats its IV), we’re ready to go after the key.
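As an added example, not part of the original post and not code from CommView or aircrack-ng, here is a Python script that shows what the crack is feeding on. It builds a tiny capture of WEP frames the way a station and AP would (RC4 seeded with IV || key, CRC-32 ICV), writes it in the Tcpdump/pcap format aircrack-ng reads, and then audits any such .cap for the things that matter before you press Launch: protected data frames per BSSID, distinct IVs (repeats and retransmissions don’t count), frames that look like encrypted ARP (what PTW uses), and whether the unique-IV count has reached a threshold. The 40-bit key, the MAC addresses, the IP addresses and the 20000 threshold are constructed for the example; it assumes the capture was exported as raw 802.11 frames (pcap link type 105, no radiotap header) without the FCS, which is how the size check is calibrated.

```python
"""Added example: build a small WEP capture, then audit a .cap for usable IVs."""
import struct
import zlib
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105   # pcap link type for raw 802.11 frames (no radiotap header)
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header that precedes ARP
KEY = bytes.fromhex("0123456789")          # constructed 40-bit key ("64-bit WEP" counting the IV)
AP = bytes.fromhex("001122334455")         # constructed BSSID of the WEP network
STA = bytes.fromhex("66778899aabb")        # constructed client of that network
WPA_AP = bytes.fromhex("ccddeeff0011")     # constructed neighbour running WPA


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. WEP seeds it with IV || key, and the 24-bit IV is the root of its weakness."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | key-id byte | RC4(IV || key, plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Plaintext if the ICV checks out, else None (wrong key or damaged frame)."""
    clear = rc4(body[:3] + key, body[4:])
    data, icv = clear[:-4], clear[-4:]
    return data if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv else None


def data_frame(src: bytes, dst: bytes, bssid: bytes, body: bytes, to_ds: bool = True) -> bytes:
    """Minimal 802.11 data frame with the Protected bit set; address order follows ToDS/FromDS."""
    flags = 0x40 | (0x01 if to_ds else 0x02)
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body


def arp_packet(op: int, sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """28-byte Ethernet/IPv4 ARP payload (op 1 = request, 2 = reply)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip


def build_sample_frames() -> list:
    """Constructed traffic: a beacon, three WEP ARP requests, one WEP ARP reply, one WPA frame."""
    frames = [bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00" + bytes(12)]
    req = LLC_SNAP_ARP + arp_packet(1, STA, bytes([10, 0, 0, 5]), bytes(6), bytes([10, 0, 0, 1]))
    rep = LLC_SNAP_ARP + arp_packet(2, AP, bytes([10, 0, 0, 1]), STA, bytes([10, 0, 0, 5]))
    for iv in (b"\x01\x02\x03", b"\x04\x05\x06", b"\x01\x02\x03"):   # third IV is a repeat
        frames.append(data_frame(STA, AP, AP, wep_encrypt(KEY, iv, req), to_ds=True))
    frames.append(data_frame(AP, STA, AP, wep_encrypt(KEY, b"\x07\x08\x09", rep), to_ds=False))
    # TKIP/CCMP sets the ExtIV bit (0x20) in the key-id byte; this one must not be counted as WEP.
    frames.append(data_frame(STA, WPA_AP, WPA_AP, b"\x00\x00\x00\x20" + bytes(20), to_ds=True))
    return frames


def to_pcap(frames: list) -> bytes:
    """Little-endian pcap file with raw 802.11 frames, the format aircrack-ng reads."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    recs = b"".join(struct.pack("<IIII", n, 0, len(f), len(f)) + f for n, f in enumerate(frames))
    return hdr + recs


def audit_wep_capture(pcap: bytes, needed_ivs: int = 20000) -> dict:
    """Per BSSID: WEP-protected data frames, distinct IVs, ARP-sized frames, and a readiness flag."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian pcap file")
    if struct.unpack("<I", pcap[20:24])[0] != LINKTYPE_IEEE802_11:
        raise ValueError("unsupported link type; export raw 802.11 frames")
    per_bssid = defaultdict(lambda: {"wep_frames": 0, "ivs": set(), "arp_sized": 0})
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 32:
            continue
        fc0, fc1 = frame[0], frame[1]
        if ((fc0 >> 2) & 0x3) != 2 or not (fc1 & 0x40):
            continue                                    # only protected data frames carry an IV
        body = frame[(26 if fc0 & 0x80 else 24):]       # QoS data adds a 2-byte QoS control field
        if len(body) < 8 or body[3] & 0x20:
            continue                                    # ExtIV set: TKIP/CCMP, not WEP
        to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
        a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
        bssid = a1 if to_ds and not from_ds else a2 if from_ds and not to_ds else a3
        st = per_bssid[bssid.hex(":")]
        st["wep_frames"] += 1
        st["ivs"].add(body[:3])
        if len(body) in (44, 48):   # 4 IV + 8 LLC/SNAP + 28 ARP + 4 ICV = 44 bytes (48 with FCS)
            st["arp_sized"] += 1
    return {b: {"wep_frames": s["wep_frames"], "unique_ivs": len(s["ivs"]),
                "arp_sized": s["arp_sized"], "enough_for_ptw": len(s["ivs"]) >= needed_ivs}
            for b, s in per_bssid.items()}


if __name__ == "__main__":
    cap = to_pcap(build_sample_frames())
    with open("sample_wep.cap", "wb") as fh:
        fh.write(cap)
    print(audit_wep_capture(cap))
```

Run it and it writes sample_wep.cap, a file aircrack-ng will open (it obviously won’t crack a five-frame capture); point audit_wep_capture at your own export to see how many distinct IVs you really have, per BSSID, before launching the cracker.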
For this part we need the aircrack-ng suite for Windows (don’t download the Linux version; capture support on Windows is poor, which is why CommView did the sniffing, but the cracker itself runs fine), and for usability I’d recommend the Aircrack-ng GUI.exe in \bin. Start it and you’re greeted with this:
As you can see, I’ve already selected the encryption (WEP), the key size (try 64 bits first, then 128) and a PTW attack. The first two are self-explanatory, but the last one is the real peach. With PTW the number of captured packets needed drops drastically, to around 20,000-30,000 (usually) for 64-bit keys, which in my experience are the more common ones, down from an original minimum of 250,000 with the older FMS/KoreK attacks, and to roughly 80,000-100,000 for 128-bit keys, down from 1,000,000+. Two caveats: those figures are unique IVs rather than raw packets, and PTW feeds on ARP request/reply frames, so a network that generates no ARP traffic won’t get there no matter how long you capture (if PTW fails, fall back to the KoreK attack, which the -K switch selects on the command line). The command-line equivalent of these GUI settings is aircrack-ng -a 1 -n 64 capture.cap. I’ve also selected the previously saved capture files, so we just press Launch and get this prompt:
Index number of target network: 1. aircrack-ng only asks this when the capture holds several BSSIDs; we have more than enough packets to go for at least a 64-bit key, so press 1 and then Enter. If we’re successful, we get this:
So now we know the key and the network name (the ESSID I blanked out), so you could “borrow” some bandwidth from your crusty neighbor. As this is illegal, I recommend that you don’t, because it’s wrong and, worse, punishable by law (if they catch you). So don’t do it (near your home or workplace, at least).
Well, that’s how you do a passive WEP hack through Windows 7, so go nuts! Sometime in the near future I’ll try to do the same with a WPA-encrypted network, which is a whole different story.
bk109 out, “warwalking” the mean streets of suburbia… No one is safe! (Except everyone, ’cause I ain’t doin’ illegalz stuffz an’ shitz!)
