Cracking WEP no clients from Virtual Machine

Ok another WEP cracking guide because I just felt there wasn’t enough out there already 🙂

I am going to crack my own wireless access point with a MacBook Pro running Backtrack 5 as a virtual machine. To do this in a virtual machine you must use a USB Wi-Fi adapter; built-in hardware will NOT WORK in a VM.

Watch the video to see it in action and then read the post for the full breakdown.


My setup is as follows:

  • Backtrack 5 R1 VM
  • USB Alfa AWUS036H (100mW) Wi-Fi adapter with 5dB aerial (very cheap on eBay, and plenty out there with free delivery)

For educational purposes only.

Note: if you have Ubuntu you can install aircrack-ng and perform the same crack.

sudo apt-get install aircrack-ng
First run iwconfig; it will list all your interfaces and show which of them have wireless extensions. wlan0 is the usual default and is the name of our interface. The Alfa wireless card has a higher power output than is normally found, but by default it won't use it. Notice the TX Power is 20dB, that is 100mW; we need 30dB for 1000mW.

Run this command (only if you have a high-powered card like the Alfa):

iw reg set NZ
Replace NZ with your two-character country code, in upper case.

Note that you may not be able to reach 1000mW, depending on the regulatory limits set in your country.

Bring the card down and back up (take note: ifconfig and iwconfig are two different commands):
ifconfig wlan0 down
ifconfig wlan0 up

If it has worked you should see the TX Power is now 30dB, and we can get started.
Your wireless adapter must be in monitor mode; most wireless cards require special drivers for this, and the guys behind Backtrack have taken care of that for us.

airmon-ng start wlan0
This creates another interface for us called mon0 (zero), which is our wireless interface in monitor mode; you must use this interface for all the following steps, not wlan0. Now we will scan for access points:
airodump-ng mon0
Find your target and take note of the “BSSID” (MAC address) of the access point and the channel; we will re-run the command with our extra parameters:
airodump-ng mon0 -c 6 --bssid 00:1c:8c:d0:70:ec -w crackme
mon0 = our interface
-c 6 = channel 6 (or whatever your channel may be)
--bssid = MAC address of the access point as shown by airodump
-w = write the results to this file (a must, so we can crack it later)

Leave this window running and open a second terminal. We will fake-authenticate our Wi-Fi card with the access point; if we don't, the replay attack will fail. If there are already devices on the network, skip to the replay attack.

aireplay mon0 -1 3 -a 00:1c:8c:d0:70:ec
-1 3 = attack type “Fake Authenticate”; the 3 represents how many times (1-100; 3 is a suitable number).
-a = MAC address of the access point as shown by airodump, the same value as entered for “BSSID” in the first command.

All going well you will see “Association successful :-)”

Now to perform an ARP replay attack, which captures an ARP packet and sends it over and over to generate traffic on the access point. Modify your command so it looks like this:

aireplay mon0 -3 -b 00:1c:8c:d0:70:ec
-3 = attack type (ARP Replay).
-b = MAC address of the access point as shown by airodump, the same value as entered for “BSSID” in the first command and for “-a” in the previous command.

Give it some time and, all going well, you will see the “Data” figure in the aircrack window start to increase.

Once that begins it's just a matter of time before it's cracked; you can start cracking the file right away, even while data is still being collected. Open a third console and run:

aircrack-ng crackme
“crackme” is the path and/or file name you used in the aircrack “-w” parameter.

The password will not be recovered until enough data has been collected; it will automatically retry as the data count increases.
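From the defender's side, the two aireplay steps above leave very recognisable traces: a burst of authentication frames from one station, and a long run of data frames that are all exactly the same size. The following detector is an added example, not part of the original post; the frame records, station MACs and thresholds are constructed, and only the access point BSSID is taken from the post.

```python
"""Detect the frame patterns the fake-authentication (-1) and ARP replay (-3)
steps produce. Added example; frame records and thresholds are constructed."""
from collections import defaultdict

AP = "00:1c:8c:d0:70:ec"        # access point BSSID used in the post
STATION = "aa:bb:cc:dd:ee:01"   # constructed MAC of the station running aireplay
CLIENT = "de:ad:be:ef:00:02"    # constructed MAC of a legitimate client

# Constructed frame records: (time_s, subtype, source MAC, BSSID, frame length).
# Subtype is "auth" for authentication frames, "data" for encrypted data frames.
FRAMES = (
    [(0.1 * i, "auth", STATION, AP, 30) for i in range(6)]             # repeated fake auth
    + [(0.5, "auth", CLIENT, AP, 30)]                                  # one real association
    + [(1.0 + 0.002 * i, "data", STATION, AP, 68) for i in range(400)] # replayed ARP: fixed size
    + [(1.0 + 0.3 * i, "data", CLIENT, AP, 90 + 37 * (i % 7)) for i in range(10)]  # real traffic
)

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best

def fake_auth_sources(frames, threshold=4, window=1.0):
    """Stations sending more than `threshold` authentication frames to one BSSID
    within `window` seconds. A real client authenticates once per association."""
    times = defaultdict(list)
    for t, subtype, src, bssid, _ in frames:
        if subtype == "auth":
            times[(src, bssid)].append(t)
    return {src for (src, _), ts in times.items() if max_in_window(ts, window) > threshold}

def arp_replay_sources(frames, min_frames=100, window=2.0):
    """Stations sending `min_frames` or more data frames of identical length to one
    BSSID within `window` seconds: a replayed ARP request never changes size."""
    times = defaultdict(list)
    for t, subtype, src, bssid, length in frames:
        if subtype == "data":
            times[(src, bssid, length)].append(t)
    return {src for (src, _, _), ts in times.items() if max_in_window(ts, window) >= min_frames}

if __name__ == "__main__":
    print("fake auth from:", fake_auth_sources(FRAMES))
    print("ARP replay from:", arp_replay_sources(FRAMES))
```

The legitimate client authenticates once and sends frames of varying length, so neither detector flags it; the injecting station trips both.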

Watch the video if you are unclear.