
How to hack/test the security of your own wifi connection (WEP) - NOOBS GUIDE

Discussion in 'BlackHat Lounge' started by toyo, Jun 16, 2010.

  1. toyo
    This guide is for informational purposes only, and for testing the security of your own wireless internet connection. Accessing other wireless connections without consent/permission is illegal in most countries, and according to a recent case in Singapore, you can face jail time for it.

    This guide is for those running OSX and windows through bootcamp/vmware/parallels.

    Most wireless hacking software is in Linux. There is hardly any packet sniffing software in Windows because most wireless cards don't have drivers to sniff in Windows. Since I'm not familiar with Linux, and have a MacBook Pro, I chose to sniff for packets in OSX and crack it in Windows (it is possible to sniff packets and crack the WEP in OSX alone).

    Software Used
    1. KisMAC (OSX) (for packet sniffing only; Kismet is the Linux equivalent and is way more popular)
    Download KisMAC from the author's site: http://trac.kismac-ng.org/wiki/Downloads

    2. Aircrack (Windows) (for cracking the dump file from KisMAC. Aircrack can be run on OSX/Linux)
    Download page: http://www.aircrack-ng.org/doku.php?id=downloads (scroll down for Windows)
    Installation instructions: http://www.wirelessdefence.org/Contents/Aircrack-ng_WinInstall.htm


    For KisMAC, Apple's Airport/Broadcom wireless cards in most recent MacBooks should be fine for packet sniffing. Packet injection, which speeds up the packet collection by 10-100 times, is not supported by the Apple wireless Broadcom card. You will need to get a wireless USB card. The Alfa cards are the best around, and they can get fantastic signals:

    http://www.amazon.com/Alfa-Wireless-Original-9dBi-Strongest/dp/B001O9X9EU/ref=sr_1_1?ie=UTF8&s=videogames&qid=1276709443&sr=8-1 (This is the 1MW version; the 2MW version is out, but most users find the 1MW to detect more wireless networks)

    You can check out wireless card compatibilities on the respective software sites.

    Packet Sniffing

    The packet sniffing part is the most important/time consuming part of cracking a WEP connection. Simply install Kismet on OSX and load it up.

    If you are using Apple's native Broadcom card, simply click on KisMAC on the top left-hand side of the screen, then Preferences, then Drivers.

    On the Drivers tab, choose Airport / Airport Extreme - Active only.
    Close the Preferences tab.
    Scan for wireless connections and wait for 2 minutes.
    If your house/area has lots of wifi connections, you should find at least a few.
    If you find too few connections, you might want to get that Alfa wireless card, as suggested above. After scanning for signals, head back to Preferences, Drivers.

    Change your driver to Airport/Airport Extreme - Passive only. In the data collection option on the same screen, choose "keep everything". Close Preferences.

    Go back to the main page, and click start scan again.

    The waiting game starts. If everything is fine, you will see your wireless card collecting packets on the main screen. The packet count itself is not important; to effectively crack a wireless WEP connection, you will need as many IV packets as possible. You can check the IV packet collection status by clicking on the respective wireless connection on the KisMAC main screen.

    On a busy network with a good signal, it took 5 minutes to collect 5000 IV Packets. For other networks, it might be slower. If you are cracking your own connection, you can speed up the IV collection by running downloads/torrents to max out your internet connection on another computer.

    If your network card supports it, you might want to restrict data collection to specific channels depending on the wireless connection. Click on your target wireless connection, and look for the main channel. Then through Preferences, Drivers, tick only the box for the main channel for the wireless card that you are using. This speeds up IV packet collection.

    On a good connection, it took me around 2-10 hours to collect 200k IVs (you will need around 150k-250k IV packets to crack a 64-bit WEP connection or around 1 million IV packets to crack a 128-bit WEP connection).

    If you have a wireless card which supports packet injection (skip this if you are using Apple's native wireless card)

    You should check on the respective software site whether your wireless card is supported for packet injection. The Alfa wireless card/antenna which I recommended above is supported by KisMAC for packet injection.

    If you have an Alfa wireless card, simply head to Preferences, Drivers, choose the RTL driver, and choose "keep everything" on the dump collection preferences.

    Start Scan. Make sure channel hopping is enabled. Leave it for 10-15 mins.

    Find the connection which has collected the most packets. Click on it. Find the main channel. Restrict data collection to the main channel (under Preferences, Drivers).

    To effectively inject packets, you will need a decent number of injection packets, which is visible when you click on the wireless connection from the KisMAC main window. To collect more injection packets in a short time, run "Authentication Flood". Your injection packets should increase tremendously after a few seconds if it's an active connection with a good signal.

    Then, Reinject Packets. If reinjection is successful, your IV packets should increase tremendously. I usually collect 200k IVs in 5-10 minutes on a connection which has been successfully reinjected.

    After Collecting Enough IV Packets
    After collecting a decent amount of packets, simply close KisMAC and save the dump (it doesn't matter where you save it).

    For a 64-bit WEP connection: you will need around 150k-250k IV packets (you can crack a connection with fewer IV packets if you're lucky).
    For a 128-bit WEP connection: by definition, and according to the software sites, you will need around 1 000 000 000 packets, but I have cracked a 128-bit connection with only 200k IV packets.

    Stage 2 - Cracking the WEP Passkey with Aircrack

    This is a fairly easy process. You will need to transfer your dumplog file from OSX to Windows. To transfer the files directly, you will need Macdrive. You can install the evaluation copy on the OEM site.

    Simply go to the directory to which you have extracted Aircrack. Open the "bin" folder. Open up the file called Aircrack-ng GUI. Load up the dumplog files. The files can be obtained from
    Mac OSX drive (C:, D:, E:, F:, G:, etc.) > Users > "your username when you ran kismet on OSX". The dumplog files will be in this directory.

    You can load up as many dumplog files as you can into Aircrack.

    After loading the file, click launch, choose the right network connection with a decent amount of IV packets to crack, and the software will do the cracking.

    If cracking is unsuccessful, try the 128-bit WEP option (or vice versa). If cracking is still unsuccessful, Aircrack will ask you to try again with more IVs.

    Note: This guide is only for cracking 64/128-bit WEP connections.
    The KisMAC in-built cracking software doesn't work 99% of the time, so
    collect IVs with KisMAC and crack them with Aircrack.
    You can collect IVs with airodump (comes with Aircrack) and crack them with Aircrack in Windows/Linux/OSX, but make sure your network card/driver is supported.
    You can just use Google to find more exhaustive guides for wireless cracking in Linux/Mac OSX/rarely Windows.
  2. xhpdx
    Seems like a good guide, but I prefer BackTrack for cracking WEP. Burn it to a CD or make a bootable USB and hack like a pro from Linux without the limitations of Windows.