How to Hack Wi-Fi: Cracking WEP Passwords with Aircrack-Ng

step 4 it looks like you forgot
-ng after airodump
and --write before WEPcrack

Thanks MLloiz!

I made the corrections.

DJ;

That command should be;

airmon-ng start wlan0

OTW

DJ;

I fear I'm asking the obvious, but do you have a wlan0? You can find out by typing;

iwconfig

Does a wlan show?

OTW

DJ:

That's what I thought. When you are using a VM,the wireless connection is translated to a wired connection by the vm. The hack wireless using a vm, you need an external wireless adapter. I recommend the Alfa cards.

OTW

DJ:

Hacking cable is just hacking. All the hacks I show here can be done on cable except the wireless hacks.

OTW

if the wep ap am attacking has no client I can't do injections right?

Lion:

You need to intercept at least one frame from a coonected client to be able to inject ARP's.

OTW

ques: got frames - over 150k - do I cancel command? with Ctrl>C ?
I dont think the airplay worked - using an extender ..

I'm old but never really did unix -
where do you "find" the cap file ? I'm using a live cd/usb ..

how did you know to add -01 to the file name cap ?

TIA

Hersey:

Yes, you can cancel with Ctrl C. The key is how many IV's did you capture?

The cap file will be generally be in the user's directory. If you are logged in as root, it will be in the /root directory.

Aircrack-ng automatically appends the number at the end of the file. The first time it is run, it will append -01, the second time -02, etc.

OTW

I've just created an account just to say a big THANKS for your tutorials. They're absolutely great for a nooby like me. :)

BTW: I've just craked a neighbour's WiFi, but I can't get an IP from her router's DHCP nor I can connect with an static IP. In your opinion, what do you think is the cause for that?

Also, I was following the tutorial, and meanwhile on my PC I've changed directories on the cli. It turns out that airodump-ng writes the .cap file on the cwd, and it took me 25 minuts of reading man pages, until it occured to me where the files where, since misteriously they weren't appearing on the Home directory. :)

Drtek:

Welcome to Null Byte! I'm glad you are enjoying the tutorials.

As for why you can't connect, it may be that they have MAC filtering on. Just spoof your MAC address with hers. You can get their MAC address by watching them connect when you have your wireless card in monitor mode and then watch for them to connect in airodump-ng at the bottom of the screen (see Step 4 above).

I'm not sure I understand the second part of your question. Are you using aircrack-ng in Windows?

OTW

Thanks, I'll try it.

Nop, I'm using BackTrack. Reading the answer you gave to Hersey I got a little confused and I thought that airodump-ng made /root (or any other user's /home) the default location for creating the .cap files, but it turns out that it leaves the files wherever you happen to be on the terminal when you launch the command. Now that I think of it it's obvious that as a command line general rule, you execute the command on the directory you happen to be and the results are written on the same place unless specified otherwise. In my case I was on a the man directories. So, I had a dolphin window opened at /root, with some of the first attempts .cap files, and I couldn't understand why the heck airodump-ng wasn't creating new ones despite it looked it was running ok, and aireplay-ng was outputting files properly there, until it occurred to me to cancel the process on the terminal window, and invoke ls. Then I saw all the files sitting at the /man directory. You know... too much caffeine and late night computing are bad for the brain.

hello sir..ok so am applying this crack on a wep...i have done everything with success..injected lots of packets...
but when i do...aircrack-ng wepcrack-01.cap...
i get
opening wepcrack-01.cap
Got no data packets from target network!

Quitting aircrack-ng.....
how possibile?

I also noticed that navigating cd /root/ and doing ls...i have lots of files with the name wepcrack...may be other cracks i tried? may this be the problem? that am indicating the wrong file to aircrack-ng?...

You are right!

Each time you capture packets, it creates a new file.The most recent is the one with the highest number.

OTW

as you can see..the highest number is 3..but what about the .cap and the .kismet.csv ecc??? because the .cap is not giving me anything

ok enough master OTW..hurrayyyyyyyyyyyyyyyyyyy KEYFOUND!!!.... hurrayy..hurrayyyyyyyy!!!

Congratulations Lion King! I am very proud of you!

THanks master!

Hi! And thanks of excellent how to:s! I am beginning to make Linux and Hacking familiar to me and I tried to follow your how to as instructed. Unfortunately my Kali Linux terminal gives following error message:

root@Hattiwatti:/home/ristosutinen# aireplay-ng -3 -b 02:BD:B9:E2:A1:78 -h 94:44:44:96:53:73 mon0
The interface MAC (00:C0:CA:59:2D:F2) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 94:44:44:96:53:73
13:05:19 Waiting for beacon frame (BSSID: 02:BD:B9:E2:A1:78) on channel -1

13:05:19 Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch

Please specify an ESSID (-e).

Can you help / tell what is wrong, please?

Risto:

It is telling you that you entered the wrong MAC for your mon0.

OTW

Thanks for the answer. I realise it was unhappy to the MAC I told it but thing I do not understand is why. See, the MAC I wrote is the one Airodump command gives as clients MAC. Also what does it mean while telling "Couldn't determine current channel for mon0" and why does it get this error?

Thank you of advices

R.

It is telling you that your MAC is wrong, not the client's.

how should i find mac address of client??

Maybe I am missing something... but everything has worked fine until the end! Aircrack-ng has gotten the Hex code for the AP, but how do I apply that code to gain entry? It feels like I tripped right before the goal line... How do I apply that Hex code to get the ASCII password??

The key I have recieved is 12:34:56:78:90:12:34:56:78:90:12:34:56

Simply to put the hex in for the password.

Hello.

A problem with my newest nightmare (its name is "vodafoneC3E7"). I've had 1.323.000 beacons (and only 270 data), but no MAC client. What should I do? I've tried to deauthenticate, but still no client. And I was on it aaaaaaaaaaaaaall weekend long (exactly 72 hours). Any ideas?

Before >aireplay-ng -3 -b xy:z9:etc...... mon0,
I did >aireplay-ng -1 0 -a xy:za:etc....... -e vodafoneC3E7 mon0
and I got >"Successful :-)"
The deauthenticate command was >aireplay-ng -deauth 0 -a xy:z9:etc........... mon0

?????

Thank you.

Den:

You will have to be more explicit in asking you question or provide screenshots.

OTW

collected 10,000 packets still key not found! should i go on collecting them?

hello, I got myself in this phase and fail to move on

Thanks, I solved the problem. I run the live cd BT5 on and now I installed BT5 update and upgrade. It works perfectly! Thank you!

Simply enter the key in hex.

Neo:

That key that aircrack-ng returned to you was in hex. Simply enter it.

OTW

Okay I wasn't sure about the ASCII vs hex thing. It's just that I saw Astenon's comment above and the key he received was "12:34:56:78:90:12:34:56:78:90:12:34:56". That's very different from mine which is quite a bit shorter and includes letters. Should I enter it with or without the colons? I did try entering it both ways and neither seems to establish the connection.

Hex includes the letters A-F. This is something you should be familiar with.

You wouldn't expect the keys to be the same, would you?

Actually now that I think way back to some classes I've taken I do recall that. It has been a while. I do sometimes forget information that I don't make regular, practical use of. Thanks for the reminder.

Senseis,

I hav tried to crack the wep key off different networks lo learn and increase my understanding of the aircrak-ng suite. Yet, this week i have been struggling with a particular WiFi. The increase rate of the data (IVs) is slow, so i tried to boost it using the arp injection. I don't know why, but it is not efficient. Instead of having a fast increase of data due to ARP replay, i only end up capturing 10's or maybe a 100 of ARP and aknowledgement packets after maybe 10 or 15 mins.

I did some readings and tried also to do a clientless crack usinf a FakeAuth followed by an ARP Injection. Still the same issue.

I even tried to replay different types of packets i captured earlier during the week (using aireplay-ng -2 -p 0841 -r capture.cap ...) But same issues.

I don't understand why the arp injection doesn't work or it seems sometimes to start working before it quickly stops.

Could it be because of some firewalls or other type of protection (even if arp is at the data link layer) or am i doing something wrong??

Edit1:

While i am at it, i noticed that the aireplay-ng doesn't allow us to specify the channel. so whenever i tried to use it i end up having a message in the terminal like, interface is on channel 6, channel 1 expected. the only solution i found is to try again until it so happens that i lunch the script when the interface is on the right channel. I am pretty confident that a way to fix the channel during aireplay exists.

Final thing, can 1 interface card be used to hack 2 or more WiFis at the same time (they can be on the same channel or not) (i noticed that airodump works fine, but something is off when i use aireplay)

Edit2:

To verify that i didn't do any arror, i tried the same technique at work on some random WiFi. It works (not as fast as i remember but that's probably because of the WiFi signal quality)

Also why is the number of Data significantly lower than the number of ARP and ACK intercepted???

Sir OTW, I'm having doubt if my alfa card can inject packets. because in basic test it shows "Injection is working". But when i try to attack a client-less WEP encrypted AP by using macchanger, It generates thousands of packets but not able to send it. I tried it again another day but still the same.

To inject ARP packets, you must use the MAC address of an authenticated client.

I've just created an account just to say a big thanks for your tutorials.
I got a problem and i need your help. Can someone help me? thats the problem!! What should i do?

Bill:

This is a common problem. Check out this link for a .solution .

OTW

hi there, I just bought Alfa AWUS036H 1000mW wifi adapter and tried WEP crack of my home router. I was working on my i5 desktop computer with Kali booted from USB stick.

I had no client connected to wifi so I used deauth type of attack but data was rising very slow (after 20 mins I had maybe 300).

Am I doing something wrong? Do I need to install driver and not to use generic one which adapter automatically obtains when connected to the host?

Thanks

\\EDIT

I found I have that problem when cracking WEP on my ASUS RT-10, but when I create one wifi VLAN with WEP encryption on my Linksys E2000 (with dd-wrt fw) I am able to rapidly increase Data packets - but I do not know why.

Sir OTW, I have been injecting packets for 11hours now but to no avail. I have captured 12038 IVs but still can't crack the password. By the way, I use a random spoofed MAC that finally spoofs to one of clients MACs, I have 214 ARP requests and 4351 ACKs. Should I keep goin? Why is it taking so long??

You need about 17.5k-20k IV. No it shouldn't take this long in most cases. More like 50 second-ish maybe 20 mins. You may have a weak signal. But if you're getting IVs just wait for it.

Sir OTW, i'm really impressed by your tutorials so far and now I wanted to try on my own so i made a live usb for kali and tried to crack my own router's wifi wpa. But i ran into a problem that is after this command airodump-ng --bssid (my router's mac) -c (my router's channel -w WEPcrack mon0 , I see no clients connected to it however my phone and other phones are connected to this wifi. Can you tell me where am i going wrong.

Also I am using an atheros wifi usb as wireless adaptor and monitor mode is enabled on it.
I'll be glad if you could help as you are my only source :)

Please post some screenshots. There are innumerable reasons it is not working.

See I can't find any clients station even though my phones are connected to this router. The hidden essid is KICK
Let me know if you need any more info.

Here you go sir OTW.

What channel is the AP on? 1,8 or 3?
I am guessing channel 1?
The if is on ch 8 for some reason.

The router is on channel 1.
The fixes channel mon0: is not on 8. It is changing randomly like 1,6,8,11 likewise.

it looks like your trying to crack a WPA encryption. try this tutorial https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng-0148366/

and when you get to step 3 put --ignore-negative-one at the end of the line

ex: airodump-ng --bssid F4:3E:61:9C:A6:D5 -c 1 --write WPAcrack mon0 --ignore-negative-one

OrangeHead,

Yes I know I'm trying to to crack a WPA encryption and I'm following the the tutorial you mentioned. It's just I commented in the wrong section by mistake.

So i tried what you told but still no luck!! I still can't see any clients. Any more solutions?
Thanks for the help.

Can you provide a screenshot please? and did you try the deauth even though no devices are connected?

Good catch OrangeHands!

Sir OTW,

Where is the key in the screenshot below??

Image Link

Please attach the screenshot.

Can i hack this k.r.kannan network. is it possible to hack. because of it's haven't a #Data packets?
Reply me quick....

Be patient. When someone associates with the AP, you will get data packets.

so every time i attempt the injection i get
The interface MAC (74:2F:68:9B:9E:9F) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 14:99:E2:E8:1C:FD
20:03:15 Waiting for beacon frame (BSSID: 00:26:B8:A5:14:6A) on channel -1

20:03:15 Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch

Please specify an ESSID (-e).
I know that means my MAC address is wrong for mon0..
but how do i correct that?

Turn off network manager try again.

I just saw that Kali released an update to 1.1 that had a kernal patch for injection attacks.. i'm applying that now first.

Ok. I have no clue to what you refer except the recent Distro update to 1.1.0.
Good Luck and read the comments section or search WHT for the fix next.

yeah it was just the distro update, i misread it.

I turned off the network manager and it worked! thanks Cyber

I'm getting an error. My wlan0 isn't showing a mon0 device.

I am failing to get that software for hacking or hacking tools guy please help me

Download and install Kali Linux. Everything you need is there.

Hello.
Please anyone can help me. ?
I want to hack my neighbor wifi password. Because I ask them nicely to give me the password .but they just refused.
So sir /madam please I read all ready tutorial just give me the link of software.

Simply download Kali Linux at www.kali.org.

Hello..thanks for replying me.
I just ask u one more question?

I try to download kali Linus it's about 3.2gb. Now I want to this is just software or windows çd. And it's asking for boot. So brother my laptop is acer laptop. I3..2.4 processor . Windows 7 .6 gb ram.

It is a Linux distribution with all the hacking tools. You can install it in VM or dual boot.

Hi, love your tutorials, but I was trying this today and was doing fine till step 5.
Regarding the aireplay-ng command I have a some questions.

1. What does the -3 in the command mean?
2. Also, I had to use the --ignore-negative-one option. I'm not exactly sure what it means and if that has any effect on the fact that I have read thousands of packets without any ARP requests and sent packets (some ACKS but 0 pps).

Thanks!

First: I really like your tutorials, Master OTW.

But I've come across a problem: How do I know how many IVs I've collected so far? And also, is there a way of getting IVs faster? Currently I'm injecting packets (I have 380k packets), but when I run aircrack-ng it says I only have ~500 IVs. What am I doing wrong?

Any help appreciated.

Thanks ! It works for me.

What is the format of the following password? How do one translate it to ascii 14:82:56:32:10

Hello,

I just want to confirm that i am currently using
(D-Link Wireless 108G DWA-520 Desktop Adaoter)
Can i hack any wifi with this device or not please replay me fast as you can.

_that's cool I've been trying for cracking that fucking password for almost 2 weeks
with lists of about 150 GB which doesn't sound good for an apprentice hacker ,,

but if someone here is active i was always wondering if there is a method of a generating a long list of passwords with smaller size ,,

thanks a lot

Well i guess its a bit late for a comment, but I'd like to say a big THANKS to OTW for that tutorial.

I'm not getting any data in airodump-ng .
Dual boot mac n Ubuntu 18.04