UPDATE (01/26/09 @ 8:03 pm):
For Windows instructions, see this comment.
—
In an earlier post, I mentioned I recently cracked a WEP-protected network. There are many tutorials on this topic. Here’s a method that worked for me which doesn’t require you to use the command line.
For this tutorial, I’ll be using a MacBook. It’s a MB062LL/A running Mac OS X 10.5.5 to be exact, but this method should work with any x86 Mac running Leopard with an AirPort card.
—
Find Available Wireless Networks
To find available wireless networks…
- Click the AirPort Icon
- Click each network that has a lock icon next to it
- Make note of the networks that require a WEP password
If you don’t see any WEP networks, try moving your computer to a different location and scanning again until you find one.
—
You will need the following…
- BackTrack 3 Live CD
- Compatible USB WiFi Adapter
You can download BackTrack here. I downloaded the CD Image named “bt3-final.iso” and burned it to a CD.
To Burn the BackTrack 3 ISO File…
- In Finder, right-click the downloaded “bt3-final.iso” file
- Choose “Open With”
- Click “Disk Utility”
- In Disk Utility, click “bt3-final.iso”
- Click the “Burn” icon
- Insert a blank CD and wait for it to be recognized
- Click “Burn”
You should now have a BackTrack 3 live CD.
The MacBook’s AirPort card that I’m using can’t be used with BackTrack to crack WEP. Instead, I used a USB WiFi adapter. You can find a list of compatible ones here.
I chose the Hawking HWUG1. You can buy one online at Newegg. If you’d rather buy locally, you can pick one up at BestBuy.
—
- Insert BackTrack 3 Live CD
- Restart Mac
- When you hear the chime, hold down the “c” key until BackTrack starts to automatically boot. It’ll play a sound when it’s done loading.
- Connect the USB WiFi Adapter
—
- Click the blue KDE icon on the bottom-left of the screen
- Choose “Backtrack” then “Radio Network Analysis” then “80211” then “All” then click “Kismet”
- Select network device (“rausb0” for the Hawking HWUG1) and click “OK”.
- After kismet lists available networks, press the “s” key then the “w” key to group the WEP networks together. You should see the WEP networks you noted earlier.
- Navigate to the WEP network you want to crack first and press “enter”. You should now see the network’s details.
—
- Click the KDE icon again then choose “Backtrack” then “Radio Network Analysis” then “80211” then “All” then click “SpoonWep”
- You should now have both the kismet and SpoonWep windows showing
- In SpoonWep, enter the “Victim Mac” by typing the “BSSID” address you see from the kismet window
- Click “CHOOSE A CARD”
- Click your card (“RAUSB0” for the Hawking HWUG1)
- Check the “Ath” box
- Match the “Channel” with the one from the kismet window
- Set the “Inj Rate” to “1000”
- Click “LAUNCH”
- “Currently” should say “Nothing” then “ASSOCIATING” then “ATTACKING” then “GATHERING ARP”. After “Captured” reaches “20000 IV S” it should say “Cracking WEP”
- Make note of the resulting WEP Key for that particular network
- In kismet, press the “q” key to get back to the network list. Repeat the steps for as many WEP protected networks as you want.
- Disconnect the USB WiFi Adapter
- Restart the computer
—
Congratulations, now you can enter the WEP key (without the colons) as the password for the wireless networks.
Some WEP protected networks take less than 5 minutes to crack. If the first WEP network you try takes too long, try moving on to another one.
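Seen from the access point owner's side, the injection step is noisy. The sketch below is an added example, not part of the original tutorial: it assumes the "GATHERING ARP" stage is an ARP replay that re-sends one captured encrypted frame at the configured rate, so one transmitter repeats the same WEP IV many times per second. The record format, MAC addresses, IV values and threshold are all constructed.

```python
from collections import Counter


def constructed_sample():
    """Constructed frame records: (time_s, transmitter MAC, WEP IV hex, length)."""
    frames = []
    # Ordinary client: a fresh IV on every frame, about 50 frames per second.
    for i in range(200):
        frames.append((i * 0.02, "02:00:00:00:00:01", f"{0x1000 + i:06x}", 120 + i % 40))
    # Link-layer retries legitimately repeat one IV a handful of times.
    for i in range(3):
        frames.append((1.5 + i * 0.001, "02:00:00:00:00:01", "00ffee", 96))
    # Injecting station: one captured encrypted ARP frame re-sent 1000 times
    # in a second (the tutorial's "Inj Rate"), so the IV never changes.
    for i in range(1000):
        frames.append((2.0 + i * 0.001, "02:00:00:00:00:02", "a1b2c3", 68))
    return frames


def find_replay_sources(frames, min_repeats=100, window_s=1.0):
    """Return {mac: (iv, count)} for transmitters that send the same IV at
    least min_repeats times inside one fixed window of window_s seconds."""
    buckets = Counter()
    for ts, mac, iv, _length in frames:
        buckets[(mac, iv, int(ts // window_s))] += 1
    flagged = {}
    for (mac, iv, _window), count in buckets.items():
        # Keep the worst (highest-count) window seen for each transmitter.
        if count >= min_repeats and count > flagged.get(mac, ("", 0))[1]:
            flagged[mac] = (iv, count)
    return flagged


if __name__ == "__main__":
    for mac, (iv, count) in find_replay_sources(constructed_sample()).items():
        print(f"possible ARP replay: {mac} repeated IV {iv} {count} times in 1 s")
```

A hit from a check like this means key-recovery traffic is already in progress; the durable fix is to move the access point off WEP to WPA2 or later.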
Please comment if this method worked for you, or if you know an easier way. At a later date, I’ll try to put up a video tutorial.

December 14, 2008 at 4:37 am
thank you for choosing my picture! And thank you for citing my name!
sara
December 26, 2008 at 2:49 am
Does laptop work out? I need a laptop hacking programme! Please inform me.
December 26, 2008 at 4:43 pm
@andy
I’m not sure I understand your question. Could you please rephrase?
January 4, 2009 at 10:13 pm
None of the compatible wireless adapters in the list say they’re compatible with Mac.
How can I know if they will work or not?
January 6, 2009 at 11:43 am
Using the BackTrack LiveCD, you are bypassing Mac OS X, so the wireless adapter you choose needs only to be compatible with Linux, which the LiveCD is based on. Hope that helps.
January 6, 2009 at 8:57 pm
Any tutorial on Windows XP?
January 6, 2009 at 11:41 pm
@vinod
To find available wireless networks on Windows, you can click the wireless network icon on the bottom right of the screen. It should bring up a list of wireless networks in range, so you can see which ones are WEP protected.
After you download the BackTrack ISO file, you can burn it to a CD using InfraRecorder. You can find instructions for burning an ISO with InfraRecorder here…
https://help.ubuntu.com/community/BurningIsoHowto
Booting from a CD differs on different Windows computers. Some will boot up the CD automatically. On others, you have to change a setting in the BIOS to boot from a CD. Check your computer’s manual on how to enter the BIOS settings.
After you get the BackTrack live CD to boot, the instructions are exactly the same as the rest of the tutorial.
January 23, 2009 at 12:04 pm
Was wondering if you knew what might be causing my wsdunp window not to initialize. I’m running the same hardware as you, and I can’t find anything about that specific problem. Thanks.
January 23, 2009 at 12:54 pm
@MattDC
Are you booting up the live CD with the USB adapter already plugged in? I remember it would only work if I let BackTrack boot up all the way, and then plug the USB adapter in afterwards.
I also tried using the .iso within virtualbox, so I wouldn’t need a physical CD, but that wasn’t working for me either.
Other than that, I’m not too sure what the problem might be.
January 25, 2009 at 12:15 pm
Please help…
I’m trying to load the BT3 ISO from restart.
I’ve copied the ISO to DVD, left it in the computer, restarted, held down the ‘c’ key after the chime and all it does is nothing. I really don’t understand why it’s not starting up the BT3 ISO…
January 25, 2009 at 5:37 pm
@shroom911
My guess would be…
1) You burnt the .iso as a data disc instead of creating an exact copy of the bootable disc.
or
2) The Mac you are using is a PowerPC instead of an Intel.
or
3) There are errors on the disc. Try burning it at a lower speed.
January 25, 2009 at 8:52 pm
You were right, I burned a data copy.
But now I have a new problem. After BT3 loads it asks me to log in with a password… It says up top to use (root) then for the password use some other word that I can’t remember, but they don’t work. Am I doing something wrong?
Thanks for your help.
January 26, 2009 at 7:03 pm
@shroom911
When I load the BackTrack CD, it doesn’t ask for a password.
It sounds like it’s loading into a command line instead of the KDE desktop.
In the screen where you can select the mode it boots into, try selecting “BT3 Graphics mode (VESA KDE)” instead of the default.
January 27, 2009 at 6:08 am
Hello, I was wondering if anyone knows how to hack Wi-Fi on an iPod touch. If anyone finds out, my email is nyia_kiuan@yahoo.com. Thank you, your help is greatly appreciated.
February 14, 2009 at 4:48 am
@shroom911: login name is root, pw is toor. After that, type startx to get into the shell.
@jorel314: followed your instructions but cannot get spoonwep to work – it just says “Gathering ARP” forever. everything works fine in terminal though.
February 14, 2009 at 5:13 am
Actually, I just now got it working if you issue the following after you obtain the bssid & channel from airodump-ng:
ifconfig rausb0 down
modprobe -r rt73
modprobe rt73
Hope this helps!
February 17, 2009 at 7:03 pm
Thanks for the tips.
I can’t get kismet to launch.
I get the following error:
Please configure at least one packet source. Kismet will not function if no packet sources are defined in kismet.conf or on the command line.
I am not advanced enough to figure out which commands to use to get it launched. Any advice and do you know why you didn’t run into this problem?
February 22, 2009 at 1:36 pm
@Andrew – not 100% sure. Kismet automatically recognized my usb adapter (RT73). If you run “ifconfig” from a terminal window do you see your wireless adapter listed?
March 14, 2009 at 4:12 am
How will I crack the WEP key? Please help me, I am using Windows XP.
March 28, 2009 at 4:12 pm
Does not work, cannot boot, gives error.
March 31, 2009 at 11:27 am
@Nyia
I don’t think it’s currently possible to receive packets from a secured network to crack WEP on an iPod touch.
@Dan
Thanks for your helpful comments.
@Andrew
If you are using a USB adapter, make sure you plug it in after BackTrack fully starts. Kismet won’t see the USB adapter if your USB adapter is already plugged in when you boot from the CD.
@bala
See this comment for Windows instructions…
http://jorel314.wordpress.com/2008/12/13/tutorial-how-to-crack-wep-on-a-mac/#comment-325
@Johan
I’m thinking you burnt the .iso file as a data file which wouldn’t create a bootable disc. Try using ISO Recorder to burn the .iso correctly.
http://isorecorder.alexfeinman.com/isorecorder.htm
April 1, 2009 at 7:51 am
Hi,
everything seems to work right up to the point where, in SpoonWep, I press launch: it says nothing, then attacking, then gathering ARP, but never seems to get past this point. Does it normally take a long time to get to the next command, which is captured?
April 1, 2009 at 2:53 pm
@rubuncrack
It usually goes rather quickly. When it doesn’t seem to go, it’s usually because I’m too far from the access point I’m trying to crack. Try cracking your own router first to make sure your setup is functioning correctly.
April 2, 2009 at 4:27 am
Hi jorel,
this doesn’t seem to be working either. It still gets stuck at the gathering ARP point. Is there another program like SpoonWep I could use? On BT3 there are numerous “cracking” programs like airsnort etc… Also, I have a new MacBook Pro but when the CD boots, it goes through a lot of code on screen then says there was an error. It says I’m using an invalid boot device eg ssci (or something like that). I have had the same CD working on my PC laptop. Is it a certain version of BT3 for Mac? You said that you had it running on yours. I downloaded from the link you supplied at the top of this thread.
April 3, 2009 at 3:36 pm
@rubuncrack
It works fine on my macbook. I just used it the other day.
I don’t know of any other tools that are as easy to use as spoonwep.
Here are some tutorials that may help you out though…
http://www.aircrack-ng.org/doku.php?id=tutorial
April 5, 2009 at 11:09 am
Still not working getting this error: Fatal Error BT3 data not found, this should never happen press ctrl+alt+delete to reboot,
I burned the backtrack.iso as described, have intel mac??
April 5, 2009 at 11:38 am
I’m getting the same message as Johan. Fatal error etc… Did you burn the ISO onto a DVD? It keeps telling me I’m using a wrong boot device on my Mac.
April 5, 2009 at 12:24 pm
I’ve burned the iso to a cd-r and also a dvd-r. They both work.
Try reading this thread…
http://forums.remote-exploit.org/showthread.php?t=18570&highlight=Fatal+Error
Looks like others are having similar problems. They say running the vmware version works fine in fusion. You can get fusion here…
http://thepiratebay.org/torrent/4398730/VMWare_Fusion_2.0_Final
April 6, 2009 at 9:59 am
@ johan,
I managed to get BT3 booted on my MacBook Pro OS X. First burn the image to a disk, then get a USB flash drive, download the BT3 USB file, install on flash drive. Boot Mac from CD, with USB stick in the USB port. When it gets to the “fatal error” part it should boot from USB drive. My problem now is that my new MacBook Pro has its two USB ports right next to each other, not allowing two wide USB devices to be plugged in at the same time, and you need to have both USB stick and USB wireless stick in at the same time!!! Bloody problems driving me mad!! Maybe a USB multi port is the solution… Let me know if you have any luck.
@jorel
On your Mac, are you using a USB wireless stick or did you manage to get the built-in card from your Mac to work in BT3?
April 7, 2009 at 10:34 am
@rubuncrack
I’m using a Hawking HWUG1 wireless USB adapter.
April 9, 2009 at 5:08 pm
I have a big problem with BackTrack. I was able to get into it and log in but I have absolutely no access to the internet. I am using a Linksys router with WPA encryption. Please tell me if I need to change it to WEP. I do not know how to access the internet and it’s been very frustrating. I am using an Atheros AR5007 card in my Vaio laptop. Please HeLP
April 9, 2009 at 5:11 pm
Sorry forgot to add that when I type ifconfig in the konsole it says i have local loopback with address of 127.0.0.1 and mask 255.0.0.0. UP LOOPBACK RUNNING MTU: 16436
April 13, 2009 at 4:40 am
Hey guys, first time poster, I’m a nub. Thought I could help though with the problem of how it keeps saying “gathering arp”. Have you tried pressing the deauth button? I think it can deauthenticate and issue a new ARP request, resulting in a return ARP (the packet you need). Give it a shot.
May 17, 2009 at 12:19 pm
Hi guys,
same for me, can’t pass the “gathering arp” step, tried several things to get through, no way, if anyone finds something satisfying…
cya
July 7, 2009 at 10:11 am
How long is too long? When should I move on to the next network (so to speak)?
July 7, 2009 at 1:38 pm
@gabol
I usually move on to the next network if it takes longer than 20 minutes.
August 29, 2009 at 12:49 pm
The fact that it freezes on GATHERING ARP is very annoying. I have tried all the steps suggested here in the comments, but no luck. I am running Backtrack3. I’ve heard that there is a Backtrack4 out. Have there been any relevant changes in that one ?
September 7, 2009 at 1:48 am
Here is the new version from BackTrack, it is BackTrack 4 pre. I found a very good install howto.
Look here:
http://backtrack.1rss.de
I hope you can read this one. They have screenshots and a PDF file, so you can download this one.
This works perfectly for me.
I hope you like it.
Ciao
September 8, 2009 at 12:32 pm
I’ve heard of another automated WEP cracking tool. It’s called WEPBuster. I haven’t tried it myself though.
http://code.google.com/p/wepbuster/
October 5, 2009 at 12:09 pm
Hi. What if I start a few windows of SpoonWep? Let’s say 2. Will it find the key twice as slowly? Or will it work just fine with many windows running at the same time?
October 5, 2009 at 12:17 pm
Or where can I see how much the processor is loaded?
October 6, 2009 at 10:27 am
@Krestic
You’ll need more than one compatible wifi device to be able to run multiple sessions of spoonwep at the same time I believe.
October 16, 2009 at 4:20 pm
Do you know how to do it with OSX.4 or any version earlier than Leopard?
October 16, 2009 at 4:35 pm
@OSX.4
You should be able to boot from the BackTrack LiveCD on any Intel-based Mac.
October 21, 2009 at 11:47 am
Hi guys, I have a problem. I followed all the instructions concerning the CD burning and downloaded the right file (I think so at least…) (bt3-final.iso). I burned it according to your instructions.
Then I restart my computer, press c, get a first screen, then a lot of lines going on and then I get a message like “Fatal error occured – BT3 data not found”. They tell me I might be using an old pcmcia tool or something..
I’m really not a crack in computers so I don’t understand what could be wrong.. Any help would be great :)!
As for my computer, I have a MacBook (1st aluminium generation, from October 2008) – Mac OS X 10.5.8 (9L31a)
I have Bootcamp installed and Windows Vista as well, I had to install it for school, so it might be because of that? or not?
Thank you very much for your time and help!
October 28, 2009 at 4:33 pm
@tiro04
I haven’t seen an error like that before. Maybe, try redownloading and burning the iso again. Or test it on another computer to see if it’s the disc or your computer causing the error.
December 2, 2009 at 1:17 am
Please can you help me.
I have used BackTrack 3 and cracked the WEP key at 100% but when I put in the key without colons it connects but with limited access. I have changed my MAC address to one that is on the list but still the same “connected with limited access”. I cannot access the router to configure it. But I thought that as long as I have the allowed MAC address on the router and the 100% correct WEP key I should be fine. Please tell me what else I can do. I have tried to crack other WEP enabled connections and so far have 40% success, i.e. cracked 2 so far.
December 2, 2009 at 3:24 pm
@joe smith
Maybe whomever’s router you are connected to didn’t pay their internet bill.