Crack WEP with Intel PRO/Wireless 3945ABG is a task that can employ you for a long time. The Intel PRO/Wireless 3945ABG network adapter driver that comes from the manufacturer does not provide packet injection and network monitoring capabilities which are needed to crack WEP, and therefore before you attempt WEP cracking efforts, you have to update your driver first which can be a daunting task.

Note : I”m using Ubuntu 8.10 (Linux) as the OS for this tutorial (you can also use any other distribution of linux like Fedora, Redhat, Suse, Mandriva, Kubuntu, etc).

You can download the copy of ubuntu for free from here, Remember you need to have some basic knowledge of linux else you may get lost in the wonderland.

There are many ways to crack Wifi key using WEP encryption algorithm, but i am going to concentrate only on the below listed 2 ways :

1. Aircrack-ng ( A bit complicated to setup but very powerful to use )

2. Live CD Wifiway ( Easy way to get started ) – [Not discussed here]

Method 1 : Aircrack-ng :

Part 1 : Install Wifi cracking program.

Connet to internet and type the following command in terminal:

sudo apt-get install aircrack

sudo apt-get install aircrack-ng

This command executed in the terminal window will get aircrack, aircrack-ng and install them.

Part 2 : Install Intel Pro/Wireless 3945ABG patched driver.

When searching web, you can find information about endless number of drivers for the Intel PRO/Wireless 3945ABG adapter, such as mac80211, IEEE80211, ipwraw, iwl3945, ipw3945, iwlwifi, madwifi, serialmonkey driver, driver from tinyshell.be, wildpacket driver, and many others. Installing and/or patching them may not be very easy.

I had good luck with the ipwraw driver from aircrack. The lines of code below installs the driver (together with other two packages) to your Ubuntu installation.

Note : Do not type the bold text in terminal, it is just an information part, Also wlan0 can be wifi0 in your case so you need to check it by typing iwconfig in terminal.

sudo apt-get install build-essential (get core files)

sudo apt-get install libssl-dev (get supporting library)

wget http://dl.aircrack-ng.org/drivers/ipwraw-ng-2.3.4-04022008.tar.bz2 (downloads driver)

tar -xjvf ipwraw-ng* (extract the archive file)

cd ipwraw-ng (go to the extracted folder)

make (compile the source files into a binary)

sudo make install (install the driver)

sudo make install_ucode

echo “blacklist ipwraw” | sudo tee /etc/modprobe.d/ipwraw (blacklist the default ipwraw)

sudo depmod -ae (create a dependency file for the modules)

sudo modprobe -r iwl3945 (unload driver that you do not need)

sudo modprobe ipwraw (load the driver that you installed)

sudo ifconfig wlan0 up (enable the network adapter)

airmon-ng start wlan0 (put your interface into monitor mode)

Now you should have an upgraded driver available. If you get the following error message when setting your network interface into monitor mode

wlan0 iwl3945 – [phy0]/usr/sbin/airmon-ng: line 316: /sys/class/ieee80211/phy0/add_iface: No such file or directory

mon0: ERROR while getting interface flags: No such device

nthen it means you are not using ipwraw. Check your loaded modules with the lsmod command. If you see something like iwl3945 or mac802 on the list, then you are not using the patched driver.

You should see something like ipwraw, and the iwl3945 and iwlwifi should not be on the list. This is what you do want to see in your iwconfig (type it in terminal) screen:

Important : Once your driver is set to Monitor mode, you will not be able to browse the web in your internet browser until the adapter is set back to the Managed mode.

Part 3 : Now, Lets start the WEP cracking process.

Ques : How WEP cracking works?

Ans : Ok, we have all the hardware and software ready, now it is time to explain how WEP cracking works. Here are the basic steps we will be going through:

1. Start the wireless interface in monitor mode

2. Start airodump-ng to discover all the available networks and find your target

3. Change your MAC address (optional)

4. Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs

5. Use aireplay-ng to do a fake authentication with the target access point

6. Start aireplay-ng in ARP request replay mode to inject packets

7. Run aircrack-ng to crack key using the IVs collected

Sounds easy ? Let”s get into the details.

Step 1 : Start the wireless interface in Monitor Mode

If you want to listen to network traffic and to capture network traffic, your network adapter needs to be in Monitor mode. We already covered this above, As a reminder, we had used the following command to put the network adapter in Monitor Mode + wlan0 can be wifi0 in your case so you need to check it by typing iwconfig in terminal :

airmon-ng start wlan0

Step 2 : Start airodump-ng to discover all the available networks

If you want to crack WEP, you need to know a little more than just the network name. You also need to know the MAC address of the wireless access point which you can find by executing the following command:

sudo airodump-ng wifi0

This is what you will get :You can see names of available wireless networks in the most right column and MAC addresses of access points in the most left column. This screen also tells you how each network is secured (WEP, WPA, OPN, etc). You can also find out on which channel each access point operates.

Step 3 : Change your MAC address (optional)

In order to take advantage of the packet injection technique, you need to be associated with the target wireless access point. Many wireless networks are protected not only by WEP encryption but additionally also by MAC filtering. If that is the case with your target network, you need to first discover a MAC address of an already associated user and then use that MAC address for your own authentication and association. Read the following page :

How to break MAC filtering (wifi security)

Note, you will need to disable your network adapter before changing your MAC address and then enable it again.

How do I find a MAC address?

Remember, you need to find a client on the network that is already associated with your target access point. You can do so by executing the following command in your Ubuntu terminal window:

sudo airodump-ng -c 11 –bssid 00:02:72:51:DB:28 -w wepdump -i wifi0

where,

-c is the channel on which your target access point is broadcasting

BSSID is the MAC address of the access point

-w wepdump is the name of file where you want to save your initialization vectors

-i means that you want to save initialization vectors only and discard all other data

The screen will look similar to the screen above.

Step 4 : Start airodump-ng to collect the new unique IVs

By now, you should have all the needed information about your target access point (name, MAC, channel, etc.), your MAC address changed to the same address as some other client on the network, and your network interface set in Monitor mode. Now you want to start capturing all the new unique so-called Initialization Vectors (IVs) included in packets that go out of your access point. You can do this by starting airodump-ng on your access point channel with a BSSID filter (access point MAC address).

Open new terminal window and do:

sudo airodump-ng -c 11 –bssid 00:02:72:51:DB:28 -w wepdump -i wifi0

Note : This is the same command as in step 3. We used it in step 3 to find someone that is already using your wireless access point, Now we use it to capture initialization vectors.

The screen will look similar to the screen above in step 3.

Step 5 : Use aireplay-ng to do a fake authentication with the access point

Now it is time to sort of “login” into your wireless network. In order for an access point to accept a packet, the source MAC address must already be associated.

If the source MAC address you are injecting (later) is not associated with the access point then the access point ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new initialization vectors are created because the access point is ignoring all the injected packets. The lack of association with the access point is the single biggest reason why packet injection fails. At this point you are just connecting to the access point and telling it you are here and want to talk to it. This does not give you any ability to transfer data.

Open another terminal window and do:

sudo aireplay-ng -1 0 -e datel -a 00:02:72:51:DB:28 -h 00:13:CE:EC:45:20 wifi0

Where,

-e datal is the AP`s ESSID, Check it out in above screen of step 3 to find the ESSID of the AP you want to crack

-a 00:02:72:51:DB:28 is the MAC id of the AP

-h 00:13:CE:EC:45:20 is your computer MAC id or the faked MAC id you are using in step 3

-1 means fake authentication

0 means Re- Association timing in seconds

This is what the output should look like :

Remember, the MAC address you target for injection must be associated with the access point by either using fake authentication or using a MAC address from an already-associated client (step 3), or both at best.

Possible problem : If you get “Got a deauthentication packet” and then continuous retries, then you are probably dealing with MAC filtering (that is some access points are configured to only allow selected MAC addresses to associate and connect). Go back to step 3. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list ( fake already associated MAC id from the connected machines in step 3 ).

Possible problem : If you keep getting “Sending Authentication Request” or “Sending Association Request” that keep coming back, then you are too far away from the access point or are dealing with weak signal. Also, check that you are communicating on the same wireless channel as the access point.

Possible problem : If you get “Waiting for beacon frame (BSSID: …) No such BSSID available.” then you are dealing with weak wifi signal. Get closer to the access point.

Part 6 : Start aireplay-ng in ARP request replay mode to inject packets

To crack a WEP key for a wireless access point, we need to gather a lot of initialization vectors (IVs), ideally somewhere around 80,000 of them. Normal network traffic does not typically generate these initialization vectors very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them (this can take as much as half day or longer).

Alternatively, you can use a technique called packet injection to speed up the process. Injection involves having the access point resend selected ARP packets (they include IVs) over and over very rapidly. This allows us to capture a large number of initialization vectors in a short period of time. So, the purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network.

Open another terminal window and do:

sudo aireplay-ng -3 -b 00:02:72:51:DB:28 -h 00:13:CE:EC:45:20 wifi0

Where,

-b 00:02:72:51:DB:28 is the MAC id of the AP

-h 00:13:CE:EC:45:20 is your computer MAC id or the faked MAC id you are using in step 3

This command will start listening for ARP requests and when it hears one, aireplay-ng will immediately start injecting it.

You can generate an ARP request by pinging some other client that is already associated.

This is what the output should look like :

You can confirm that you are injecting by checking your airodump-ng and aireplay-ng screens. The data packets should be increasing rapidly. The ”#/s” should be somewhere in the range of 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second. The ARP packets and Sent packets should be increasing rapidly as well.

Possible problem : Note, if the ARP packets count and the Sent count as well are stuck at zero, then your network interface is likely not associated with your access point. Or, you can also be too far away from the access point (weak signal).

Possible problem : Message similar to “Got a deauth/disassoc packet. Is the source mac associated?” means you have lost association with the access point. Go back to your other window from step 5 and re-run fake authentication. This is not necessary if you went through step 3 though.

Step 7 : Run aircrack-ng to crack the WEP key using the IVs collected

Once you have captured a large number of initialization vectors, you can use them to determine the WEP key.

There are two basic methods for cracking WEP : The PTW method and the FMS/Korek method.

To crack the WEP, Open another terminal window and execute the following commands :

sudo aircrack-ng -z -b 00:1A:92:77:BB:D9 wepdump*.ivs

sudo aircrack-ng -a 1 -0 -n 128 wepdump*.ivs

Where,

-z invokes the PTW WEP-cracking method

-b selects the access point we are interested in

wepdump*.ivs selects all files starting with “wepdump” and ending in “.ivs” (this comes from your airodump-ng command earlier)

-a denotes FMS/KoreK attack

-n selects the type of WEP key (128-bit in our case)

These commands will calculate WEP key from the captured initialization vectors. This is what the output looks like :

and you are done. Now set your network card back to normal mode using the following command and then try to connect to that access point using the cracked key in step 7.

sudo modprobe -r ipwraw (unload patched driver)

sudo modprobe iwl3945 (load the default driver back)

Courtesy maxi-pedia