UPDATE (01/26/09 @ 8:03 pm):
For Windows instructions, see this comment.
On an earlier post, I mentioned I recently cracked a WEP protected network. There are many tutorials on this topic. Here’s a method that worked for me which doesn’t require you to use the command line.
To find available wireless networks…
- Click the AirPort Icon
- Click each network that has a lock icon next to it
- Make note of the networks that require a WEP password
If you don’t see any WEP networks, try moving your computer to a different location for more networks to scan until you find one.
You will need the following…
- BackTrack 3 Live CD
- Compatible USB WiFi Adapter
You can download BackTrack here. I downloaded the CD Image named “bt3-final.iso” and burned it to a CD.
To Burn the BackTrack 3 ISO File…
- In Finder, right-click the downloaded “bt3-final.iso” file
- Choose “Open With”
- Click “Disk Utility”
- In Disk Utility, click “bt3-final.iso”
- Click the “Burn” icon
- Insert a blank CD and wait for it to be recognized
- Click “Burn”
You should now have a BackTrack 3 live CD.
The MacBook’s Airport Card that I’m using can’t be used with BackTrack to crack WEP. Instead, I used a USB WiFi adapter. You can find a list of compatible ones here.
I chose the Hawking HWUG1.
- Insert BackTrack 3 Live CD
- Restart Mac
- When you hear the chime, hold down the “c” key until BackTrack starts to automatically boot. It’ll play a sound when it’s done loading.
- Connect the USB WiFi Adapter
- Click the blue KDE icon on the bottom-left of the screen
- Choose “Backtrack” then “Radio Network Analysis” then “80211” then “All” then click “Kismet”
- Select network device (“rausb0″ for the Hawking HWUG1) and click “OK”.
- After kismet lists available networks, press the “s” key then the “w” key to group the WEP networks together. You should see the WEP networks you noted earlier.
- Navigate to the WEP network you want to crack first and press “enter”. You should now see the network’s details.
- Click the KDE icon again then choose “Backtrack” then “Radio Network Analysis” then “80211” then “All” then click “SPoonWep”
- You should now have both the kismet and SpoonWep windows showing
- In SpoonWep, enter the “Victim Mac” by typing the “BSSID” address you see from the kismet window
- Click “CHOOSE A CARD”
- Click your card (“RAUSB0″ for the Hawking HWUG1)
- Check the “Ath” box
- Match the “Channel” with the one from the kismet window
- Set the “Inj Rate” to “1000”
- Click “LAUNCH”
- “Currently” should say “Nothing” then “ASSOCIATING” then “ATTACKING then “GATHERING ARP”. After “Captured” reaches “20000 IV S” it should say “Cracking WEP”
- Make note of the resulting WEP Key for that particular network
- In kismet, press the “q” key to get back to the network list. Repeat the steps for as many WEP protected networks you want.
- Disconnect the USB WiFi Adapter
- Restart the comptuer
Congratulations, now you can enter the WEP key (without the colons) as the password for the wireless networks.
Some WEP protected networks take less than 5 minutes to crack. If the first WEP network you try takes too long, try moving on to another one.
Please comment if this method worked for you, or if you know an easier way. At a later date, I’ll try to put up a video tutorial.