
This tutorial is about cracking WEP encryption on an access point using an EeePC 900HD. The EeePC I am currently using has an rtl8187se wireless card that can be put into monitor mode and will do packet injection. With this model of the EeePC a few extra things have to be done to make everything work. Unfortunately, using the rtl8187se isn't as easy as using the other models of the rtl8187 series: the card has to be tricked into monitor mode. The operating system I will use to perform the crack is the ever-popular Back|track 3. The rtl8187se is not supported natively under Linux, so I will also show you how to obtain the driver and install it properly.
Kane
Since we are starting from scratch, we need to get Back|track 3 ready
Since I like to keep XP on the EeePC's hard drive, I am going to download the USB version of Back|track 3. {Download here} Choose whether you would like to use a USB drive or an SD card; both will work, it is just a matter of what you have available. Do make sure the USB drive or SD card is larger than 2GB. Extract the .iso file onto the SD card (in my case, since that is what I am going to use). Now, to make the SD card bootable, go into the boot folder created by extracting the .iso and run bootinst.bat. It may bring up some errors, but continue through them until the command prompt asks whether the drive letter shown in the description is correct. Check that the drive letter is correct and hit any key; the SD card is now bootable.
Now that we have Back|track 3 ready to go, we can insert the SD card or the USB drive into the EeePC. When starting the EeePC, tap "Escape" as soon as the Asus splash screen appears. (I have noticed it is hard to get the boot select menu to appear at times if the quick boot option is enabled in the BIOS; disabling that option will give you more time to react.) This should bring up a boot select menu. Select the flash memory you are using and hit "Enter". This should start Back|track 3. An error message will appear saying the video setting cannot be detected; just hit "Space" and it will continue loading. Next you will need to choose the compiz option to fully load Back|track 3.
Finding drivers for the rtl8187se wireless card
What I did was download the driver file and extract it onto the SD card I am using to load Back|track 3, so I have it available every time I run Back|track 3. Once loaded into Back|track 3, drag the folder into the root directory for easy access. To make things easier still, I renamed the folder to rtl.
Now we install the driver temporarily. On reboot all changes will be lost, since nothing is saved to the flash memory: by default it is only mounted read-only.
Open a shell
Type:
cd rtl
exec makedrv (this closes the shell, so open a new shell afterwards)
cd rtl
exec wlan0up
OK, now to check whether the install was successful: in the KDE panel under Internet choose the Wireless Assistant option, and a few wireless networks should appear.
Finding the network to attack
We will use airodump-ng to survey the area and see which networks use WEP encryption, but first the card has to be made to work with airodump-ng, and this is what makes the rtl8187se tricky compared to most cards.
Start by putting the card into monitor mode:
airmon-ng start wlan0
airodump-ng wlan0 (This starts surveying the networks that are available and the type of encryption each one uses. As you will probably notice, no networks show up, even though a couple were shown in Wireless Assistant. We need to trick the card.)
In a different shell type:
iwconfig wlan0 mode managed
iwconfig wlan0 essid (any of the network names you remember from Wireless Assistant; case sensitive)
Ctrl+C once a list of networks has appeared.
This may freeze airodump-ng and lock it on one channel; if that happens, try it several times. When it is working, the CH (channel) field in airodump-ng should cycle through every channel.
OK, at this point you should have a list of the available networks along with the type of encryption each one uses. Now pick a network with WEP encryption; this is shown in the ENC column as WEP.
Things to remember about the network you have chosen:
BSSID
The channel the network is on
ESSID
Write them down if you have to.
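As an added, defender-side example (not part of the original tutorial): besides the .cap file, airodump-ng writes its survey to a CSV file beside it, and this Python script parses that file to list every access point still running WEP or no encryption at all, which is how you would audit your own site's survey for networks that need reconfiguring. The column layout and every value in SAMPLE_CSV are constructed for the example.

```python
import csv
from dataclasses import dataclass

# Constructed sample in the column layout airodump-ng writes to <prefix>-01.csv
# (assumed layout; every value below is made up for this example).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-03-01 10:00:00, 2009-03-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,  120,  3000,   0.  0.  0.  0,   7, HomeNet,
66:77:88:99:AA:BB, 2009-03-01 10:00:02, 2009-03-01 10:05:01, 11,  54, WPA2, CCMP, PSK, -55,   98,     0,   0.  0.  0.  0,   9, OfficeNet,
CC:DD:EE:FF:00:11, 2009-03-01 10:00:03, 2009-03-01 10:04:58,  1,  54, OPN , , , -70,   40,     0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
12:34:56:78:9A:BC, 2009-03-01 10:00:10, 2009-03-01 10:05:00, -60,  300, 00:11:22:33:44:55, HomeNet
"""

@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    essid: str

def parse_access_points(text):
    """Return the access-point table from an airodump-ng CSV dump.

    The file holds two tables separated by a blank line; only the first
    (access points) is read. Fields are space-padded, hence the strip().
    """
    aps = []
    lines = iter(text.splitlines())
    next(lines)  # skip the header row
    for line in lines:
        if not line.strip():
            break  # blank line ends the AP table; the station table follows
        row = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
        if len(row) < 14:
            continue  # truncated row, e.g. the file was still being written
        aps.append(AccessPoint(row[0], int(row[3]), row[5], row[13]))
    return aps

def weak_networks(aps):
    """Flag APs still on WEP, or with no encryption at all, for reconfiguration."""
    return [ap for ap in aps if ap.privacy.startswith("WEP") or ap.privacy == "OPN"]

if __name__ == "__main__":
    for ap in weak_networks(parse_access_points(SAMPLE_CSV)):
        print(f"{ap.essid!r} ({ap.bssid}) on channel {ap.channel}: {ap.privacy}")
```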
Capturing packets
With the network you have chosen, we will use airodump-ng with filters to capture the packets that are used later in the cracking section. Start by typing:
airodump-ng -c (insert channel here) -w wep --bssid (insert BSSID here) wlan0
Of course we need to trick the card again, so in a separate shell:
iwconfig wlan0 mode managed
iwconfig wlan0 essid (insert ESSID here)
iwconfig wlan0 channel (insert channel here)
We have now set up airodump-ng to create a file called "wep" that will store the packets used to crack the WEP key. The main thing to watch in airodump-ng is the number in the #Data column. When all is said and done we want roughly 50,000 to 100,000 collected.
Packet injection
We need to create lots of activity on the network to make this process go faster, because if no one is using the network this could take a very long time. So we use packet injection to create activity on the network.
The first method is fake authentication with packet re-injection.
We first need to fake that we are associated with the AP. aireplay-ng gives us this option by typing:
aireplay-ng -1 0 -a (insert BSSID here) wlan0
Now in airodump-ng there should be a row with BSSID "BSSID of AP" associated with the Station "our MAC address".
Now it is time for the packet re-injection:
aireplay-ng -3 -b (insert BSSID here) wlan0
Basically you are now waiting around for an ARP packet to be sent to you. Sometimes this never happens, but aireplay-ng is also watching for someone else connecting to the network, and you will be able to use that client's traffic for the re-injection. You may have better luck waiting for someone to connect to the network.
The second method is de-authentication with packet re-injection.
To use this method you must have a client already associated with the AP.
aireplay-ng -0 0 -a (insert BSSID here) -c (MAC address of client) wlan0
This de-authenticates the client, which generates ARP packets as the client rejoins. Next I like to use packet re-injection, since it is fast and more reliable. Open a new shell and run:
aireplay-ng -3 -b (insert BSSID here) wlan0
Ctrl+C the de-authentication shell so re-injection can have the full bandwidth and processor.
Cracking the WEP
We will use the file created by airodump-ng:
aircrack-ng wep-01.cap
airodump-ng always appends -01.cap to the file name you gave it; if you reuse the same name, the next capture becomes -02.cap, and so on.
The key should appear if you collected enough packets, and the more packets you collect the faster the process will be. Once the line KEY FOUND appears, use the listed sequence of letters and numbers, without the colons, as your password for the network.
Conclusion
This tutorial is not bullet proof. It is mainly meant to give you an idea of the theory behind cracking WEP. It is also here to help with using the rtl8187se cards, which can be used very effectively if that is all you have available. See what you can take from the tutorial, and good luck in the field. Also, I love my EeePC.

