Monday, December 29, 2008

How to hack a WEP encrypted network with Windows Vista

This is the original article below, however I have also added this article to my how to site. The link is below, it is the full article and additional comments.

How to Hack a WEP Encrypted wireless network on Windows Vista


I wanted to try and crack a wireless network and after a week or so of trying I finally got it. I did not find a good resource on the net for Vista users so I decided to write my own tutorial, let me know what you think.

Hello, I know there are a lot of tutorials out there for how to crack a WEP encryption but being a vista user it took me a long time and a lot of clicking to get all of the information I needed and all of the files and programs so I am making this tutorial for Windows Vista users on how to hack or crack a WEP encrypted wireless network on Windows Vista, enjoy. Please read everything as it is all important.

First you can only use this method to crack a WEP encrypted network. WEP has been replaced by WPA encryption which is stronger but can still be cracked, just not as easily. To find out if the network you want to crack is WEP encryption, simply view the wireless networks in the Connect to a network box and hold your mouse over the network of choice. A little box will tell you the encryption. If it say WEP - good we can proceed, if it says anything else this tutorial wont help.


First to understand what you will be doing. You will be using a program to capture packets and then use another program to analyze those packets and crack the key, thus allowing you to have access to their network. To capture packets (data from the network we are trying to crack) you must have the program running on your computer and you must capture about 200 000 or more IV packets (a special type of packet). I will show you how to capture the correct type of packets.


Also ONLY certain types of wireless cards can actually capture wireless packets. In order to capture packets your wireless card must be able to go into monitor mode, not every driver or every wireless card supports monitor mode. In most cases you will have to download a special driver designed for your wireless card to put it into monitor mode. I had to purchase a new wireless card because mine was not supported. The program you will be using has a list of supported wireless cards and comes with the drivers needed (Lucky you)

Ok, down to business. First the program you need to capture packets can be downloaded from this link http://www.tamos.com/download/main/ca.php


Next the program to analyze the packets and finger out the password can be downloaded from my own site. I got it to work for windows vista and then zipped it all into a folder for you. To get this to run all you have to do is extract it, open the aircrack folder, then open the bin folder, then double click on Aircrack-ng GUI.exe. Here is the download link UPDATE: I no longer have the file, all you have to do is follow the instructions on this page http://wirelessdefence.org/Contents/Aircrack-ng_WinInstall.htm and then continue on with this tutorial. If someone wants to send me the folder after they have done everything and hve aircrack working with windows and then send it to me that would be great, then I will upload it again.


Now for the dirty work, keep in mind this could take a few days to capture enough packets. First install the Commview for Wifi program. You do this by extracting the setup file from the file we downloaded earlier (ca6.zip) Then double click setup.exe and follow the prompts. When Commview opens for the first time it has a driver installations guide. This replaces the old driver with a newer, better, and more improved version! Hooray. Follow the prompts to install your new driver and now we are ready to capture. If everything has gone as planned when you open Commview for Wifi the little play button in the top left corner will be blue. If it is not blue the driver has not been installed properly. Moving on…


Click the blue button in the top left corner and then click Start Scanning. Commview for Wifi now starts scanning each channel looking for data that is being sent. It will list each network it finds. Now click each host until you find the name of the network key you are trying to find. Now select the appropriate channel (my network is broadcasting on channel 6 so I will start capturing all data on channel 6) Click capture.

Commview for Wifi is now capturing all the packets being sent over channel 6. Once Commview for Wifi collects enough packets aircrack can analyze them and crack the wireless key. The thing is, you only need certain packets, and if you collect too many unneeded packets aircrack may get confused. To help make things easier follow the next few steps.


First of all we only want packets from one host, not all of them. As you can see from my screenshot below I am collecting packets from 7 different network. (see screenshot below)A few are WPA encrypted so they and a few are WEP. I really only want to collect data being sent from one network, so in order to do this all you have to do is right click on the wireless network you want to crack and select copy mac address.

Now click on the rules tab. On the left side under simple rules click MAC Addresses. For action select Capture, and for Add Record select both. Now click inside the entry form box and hit ctrl+v (to paste the mac address) or right click and select paste. Now hit add MAC Address.
What we just did is make a rule so that Commview for Wifi will only capture packets coming from a certain MAC Address (the one we want) Great almost done.

Now to make things even easier for Aircrack you only want to capture DATA packets. There are 3 types to select from Management packets, Data Packets and Control Packets. We only want Data packets because that is where the information is that Aircrack needs to crack the wireless encryption passkey. Simply select the D, and unselect the M and the C.

Now Commview for Wifi is only capturing Data Packets. To be more specific Commview for Wifi is only capturing Data Packets to and from a specific MAC address. Now that everything is set up to capture the right types of packets we should start saving the logs.

You have to save all of the packets into a log for Aircrack to analyze them. You can set Commview for Wifi to save them automatically, or just save them yourself periodically. It is a good idea to have them auto save because it splits them into nicely sized logs, and if you accidentally close Commview for Wifi they will save and you wont lose all your packets! To do that just go to the logging tab and enable auto saving. You can change the settings if you would like (I recommend increasing the maximum directory size to something like 100000).

And now we wait… We have to capture over 200 000 IV packets. Because we set up some rules most of the packets we capture will be IV packets (these are a certain type of Data packet with information used to crack the wireless key). It took me about 4 days to capture enough packets, but I was not running Commview for Wifi non stop. If you are close to the network and there is heavy traffic, it may only take you a few hours. Ok what do you do now?
Alright, so now 200 000 packets (or more) later we are ready to crack the WEP wireless key. First lets converts all of the log files to .cap format (shown in screenshot below) When I cracked my first WEP key with this method I had 4 log files and about 220 000 packets.Go to wherever you have your log files saved and double click to open it. Now click on file -> Export Logs -> Tcpdump Format

Save it as 1.cap do the rest of your logs, saving them in sequential order 1.cap, 2.cap, 3.cap etc.
Now that you have all of your log files saved in .cap format lets open Aircrack. Open the aircrack folder (wherever you extracted it) then open the Bin folder, now double click Aircrack-ng GUI.exe. Aircrack will open, click the choose button and navigate to where you have your log files saved. To select all of your log files ( saved in .cap format) Hold down CTRL and click each file, Then hit open.
Now click launch, Aircrack shows you all of the different BSSID’s that it captured data from and assigns an index number to each one, then it asks you Index number of target network? You want to enter the number of the network you want to crack. Mine is called CrackMePlease so I am selecting 15.
Enter the index number and then press enter, if you have enough IV’s then it should give you the WEP key. If not go back and capture more and try again.

That’s all, it worked for me. Learning all of this by myself it took me about 2 weeks total to figure this all out but I was gathering info from all over the place and getting a lot of dead ends. This was the method I found that worked for me. There are other ways to do this, but I found this one the easiest. If you have a linux or Mac there are probably different ways and maybe easier, but for anyone on a Windows Vista machine this seems to be the best and maybe only way to crack a WEP encrypted network. You can also crack WPA encrypted networks with the same program but I have been unsuccessful so far. Anyways I have used this method to crack 2 networks, but I chose not to use them for surfing the net because in Australia they don’t have unlimited bandwidth like back in Canada so I would feel bad for using other peoples bandwidth and making them have to pay for it. Well that’s it feel free to leave your comments if you have something to say. I would love to hear feedback and maybe if you know about some other methods or cool things I could learn just message me or leave a comment and let me know about it.

Jeremy

LIKE THIS ARTICLE - BUY SOME SHIT SO I CAN MAKE MONEY

Plus Nerdy shirts has some really funny shirts! Check them out by clicking the Transformers, Robots in disguise link below! or just Click Here

61 comments:

Jeremyinc said...

Hey, looking forward to getting some feedback

David said...

That's the way :) Just need to nail down WPA and you'll be away to the races anywhere ;)

Anonymous said...

thanks for that, hope it will work for me too.

whitehat2009 said...

Found myself over here thanks to your comment on my own blog. Appreciate it.

You are right - WEP cracking is a LOT easier and faster on Linux thanks to aircrack-ng and the ability to do packet injection. On Windows, since packet injection is currently not possible, the attack will take a long time, and you are assuming that someone is actually connected to the network you are trying to crack. On Linux, it is possible to perform a fast crack even when no clients are connected.
Nevertheless, I can see the appeal in a Windows-based crack for those who are new to the scene.

As for WPA, no real progress has been made; the protocol is essentially secure, especially considering that it supports high-security ciphers such as AES.

Anonymous said...

wow sounds comlicated , but half way there, i think i have to print off and study

Jeremyinc said...

Yeah it's not a bad idea to print it, or save it to your computer. My brother just used this tutorial and got it working. After he got it though he said, hey that's pretty easy once you get your head around it.

Anonymous said...

for the win

Anonymous said...

Hey all .. This is very nice .. But .. I've got a problem ..

Well, I followed this site very exactly, and got the drivers running on my wirelesscard. But when I start scanning with CommView, it doesn't find any access points? How can this be? My router is only like 2 meters away -.- .. CommView supports 802.11b/g, right?

Hope you can help ;)

~Nicolai

Anonymous said...

#"¤%%"¤ ... Don't tell me I need to have dual (monitoring + connectivity) mode on my wirelesscard to find any access points? ..

Anyway, I'm off, going zZzZZ .. Gotta go to school in 3 hours -.- .. Hope someone will help ..

~Nicolai

Jeremyinc said...

Yes Commview supports 802.11b/g

As far as I know as long as your wireless card can go into monitor mode you are fine. Most Atheros cards work. I had to buy a card that worked though as the one in my laptop was not supported. The only thing I could think of is that the driver did not install correctly. Try re-installing the drivers. Let me know what happens

Anonymous said...

The driver is correctly installed. And the program works fine. But just can't find anything when i scan. My wireless card is:"Intel(R) PRO/Wireless 3945ABG Network Connection". When I looked at "http://www.tamos.com/products/commwifi/adapterlist.php" then I found a * beside my listed card. That's for technical notes. It says:"

Intel PRO/Wireless 2200BG and 2915ABG Mini PCI Adapters

CommView for WiFi drivers for these adapters have the following limitations:

* They are for 32-bit Windows versions only.
* They cannot be used in dual (monitoring + connectivity) mode. These are monitoring-only drivers.
* Packet injection using Packet Generator is not possible.
* These drivers discard packets with bad CRC, so you will not be able to see broken packets and have CRC statistics.

If these capabilities are important to you, please obtain a different fully-functional b/g or a/b/g adapter supported by CommView for WiFi. "

As I understand, my card can go into monitoring mode? Then it should work, right?

But as it say, no connectivity for my card, and it true cuz I have no internet.

Anonymous said...

Oh, I just discovered when i had posted ... My card isn't supported .. lol .. ~fail~ ..

Nvm guys, I'll be back when i get another mini pci card ..

Jeremyinc said...

haha, yeah having the right equiptment always helps. That's why I mention it early in the Tutorial!

henry said...

first,i wanna say thank you for ur great tutorial , i have a problem when i want to save my packet. When i put the mac address , commview stop sending the packet. there is no packet on the tabel. is it because the wireless owner not using their computer? sorry for my bad english . thank you

Jeremyinc said...

It could be because they are not using their computer yes. My brother had this problem, a lot more data packets get sent while they are on the internet. Try fooling around with different mac addresses and let me know what happens.

Anonymous said...

Hey, how long did it take you, to crack the WEP-key in Aircrack, when you had 200k packets?

Anonymous said...

How come your .cap files fill less than 200kb ? I've got one with 1135kb, but not even near 5000 IV's in it? ..

Jeremyinc said...

Aircrack had the password in about 5 seconds.

my .cap files are small because I am just using those screenshots as examples. Yours should be bigger

Anonymous said...

thx ur tutorial helped me understand commview a lil better, and most important the autosaving i wasent able to find it. thx alot

Anonymous said...

hi jeremy,

I want to know why my laptop had experienced a system crash when i'm trying to open CommView for Wifi(after I downloaded and installed from your site).

It's display a blue windows with system crash report.

I had follow exactly your step but when i'm tring to open the CommView for WiFI the system had crash.

i'm using a Broadcom 802.11g network adapter.

Had i'm replaced the wrong network adapter??

Please Help me.......

thanks...

Anonymous said...

I want to ask you why my network adapter in the device manager list had a yellow icons under it ???????

Jeremyinc said...

Try upgrading to windows 7 haha, Not to sure why it's crashing??

jimmy said...

This is good, found the commview for wifi 6.0(CRACKED) for XP, and use my other computer with windows 7 beta version, works really good.
thanks this blog really helpt me after some days research on google HOW TO CRACK WEP IN WINDOWS. lol.

The Air Wizard said...

WoW ! Love this ! i just need to know how to do a WPA DX i began to hate people who intall a WPA! ! ! ! ! !

Anonymous said...

Just to add something to the tutorial. Packet injection with Commview is possible, so there is a way to inject for faster packet capture. And of course packet injection only works with a STATION active. Thanks

Anonymous said...

Any idea how I can use my Intel 5300 wireless card in my laptop to achieve this?

I don't think it is supported by commview...

Anonymous said...

DUDE, your like my hero!lol, dude u r freakin awesome!! it worked 100%! thx!

Anonymous said...

I didn't succeed in opening the site http://www.howtovideos.ca/images/aircrackVista.rar.what must i do next?

Anonymous said...

I tried opening the site http://www.howtovideos.ca/images/aircrackVista.rar. but says "window can't open the file,that window needs to know what program I want to use in opening the file". Can some one help me out? Jeremy if u're there please help me out.

Anonymous said...

Hey it's jeremy. You have to save the file to your computer and it is zipped with winrar. To open it you need to download winrar which is a program everyone should have if they download a lot of stuff.

Anonymous said...

this is for jimmy. his post February 4, 2009 4:50 PM . Where did you find "commview for wifi 6.0(CRACKED) for XP"

Anonymous said...

well im going to see if i can buy one of those dlink network cards and follow your instructions , hope it all works , im running windows vista business , any thing i should know before i but a network card ?

Anonymous said...

ok i bought a NETGEAR (WPN 511) rangemax wirless pc card and still had a few problems i really dont think i know what im doing have you got a web site to show me step by step instryctions on how to go about it ?....

Shawn W. said...

go here to find some card to work with commview for wifi

http://www.oxfordtec.com

Anonymous said...

"Anonymous said...

Just to add something to the tutorial. Packet injection with Commview is possible, so there is a way to inject for faster packet capture. And of course packet injection only works with a STATION active. Thanks
March 5, 2009 10:32 AM "

how do you do that? it will be help a lot to capture packets faster..

Anonymous said...

hey do have to have more than one .cap file or can you just have it ssaved as one file

subske said...

nice post have been wondering if software was available on Vista as most solutions to this problem require a Linux distro.

Anonymous said...

help when i select the capture data packets, i dont see any packet info on commview. when i stop capture and try to save data packets i get no data packet info, what am i doing wrong? please some help....

Anonymous said...

how can u check wat kind of card u have??

Anonymous said...

hi im using a broadcom 802.11g wireless card and when i update it, and then load up comview my computer goes into a blue-screen and it comes up with a system crash report any help ??
thanks.

Anonymous said...

The aircrackvista.rar link is dead...

Canadain Hacker said...
This comment has been removed by a blog administrator.
Anonymous said...

could you re-upload aircrackvista.rar? i'd love to get started on this. thanks!

Jeremyinc said...

Your an idiot Canadian Hacker. Just write your own tutorial instead of claiming you wrote this one to get more traffic to your site... fail

Anonymous said...

Very nice, had to figure some things out, but it worked! Saved me the AirPcap!!!

Anonymous said...

hmmm.. autosave doesn't appear to be working. I left CommView on all night and the nodes tab claims that I captured 1,095,55 packets containing 130,717,108 bytes. I checked the LOGS folder and nothing! Then I simply saved what was available and it stated 313 IVs. I also noticed that the network I was interested in had changed MAC addresses over night. Any insight?

Anonymous said...

okay, got it working. It's going to take me like 4 days to get enough. I get about 45000 a day. That's okay, I can wait. How do I do this injection business? Do I need two wireless adapters?

Jeremyinc said...

No you can acutally do packet injection with the programs used in the tutorial. Not to sure how though but my brother figured it out after following this tutorial. That's a bit of extra curricular activity

Anonymous said...

Hey i'm having trouble with this. Installed commview and the drivers and got the little blue "play" button pushed it and it started scanning and has been for over an hour and no networks have shown up. My card is supported according to the commview site but it's a Dell Wireless 1395 WLAN mini-card. Any help would be awesome!

kboutsider

Anonymous said...

i have a question...how do we know how many packets, or how many IV packets we have?

Anonymous said...

Hello ,
I Downloaded Commview
And It Worked .
But It Doesnt Recognise My Card
My Card Is : Atheros AR5008 Wireless Network Adapter
It Is Compatible
Please Help
Thanks Jeremyinc

Anonymous said...

Ar5009 **

Anonymous said...

just wanted you to know, that at 70 years old and still learning, i would never had got this right if not for your input. fantastic tutorial. first time i had such an easy time with a new project. worked out great. thank you -- eric

Anonymous said...

Great writeup. I've never tried this before and may have done it, except...My Rockland N3 type N usb wifi adapter is compatible and picks up signals great.

To clarify about the overall process, this technique only monitors packets (doesn't inject) so it's slower but should not mess up other APs.

I seem to get a million packets in a half day, but maybe only 21 type iv. I have the mac rule on and am only saving data packets. I wonder why so few type iv? How can I verify after an hour or so that I am getting very few type iv? I can't seem to get autolog to actually save anything, even though a million packets have been acquired. I wonder if this is because of ony 21 type iv?

Of course with only 21 type iv, aircrack won't crack it, but when I tried, it tried and come up with what I think are 5 possible wep codes. However, none of them worked. I wonder if the two wep networks I've tried to crack are simply not transmitting enough type iv?

Anonymous said...

I have caputured about 300000 packets and i still have no logs...whats wrong????????

Anonymous said...

fantastic many thanks worked really well.

Anonymous said...

Great tutorial. Still works after all this time.

redballoon said...

Thank you so much! I had been searching everywhere on how to crack WEP but my built in adapter wasn't supported by the program I was recommended to use. YOUR GUIDE IS SALVATION.

Anonymous said...

Many thanks for the tutorial :) but i am having a problem here i cant see my log files. i checked it in the directory of LOGS in C:/Program files/CommView/LOG

i am still recieving packets i got more than 200,000 packets as u told in the tutorial i think it is not storing them in the LOG tab auto saving is ON maximum directory size is 2048mb avg log file size 5 SAVE AND MANAGE is on All PACKETS IN BUFFER... Kindly help me in this regard thanks a lot. :)

Anonymous said...

the way I understand the Logging stuff is that the program will automatically store log files when the file will have a avg. size at ~5MB of data.
So I changed avg log file size to 1MB and wait for the data to be saved automatically.

Anyone who knows how could we find out how many iv's have we captured?

Jeremyinc said...

When I did it I set my log files to save 100 000 packets each, then when I had about 4 log files filled I knew I had enough packets to crack the networl