Generate 10 Digit Phone Numbers using Crunch in Backtrack

Phone numbers are some of the most commonly used passwords for WEP/WPA encrypted wireless networks. Several ISPs use them as default passwords for their routers for easy-to-remember access. By creating a list of every possible phone number with a specific area code, generally your own, you can get quick access to most such wireless networks with a dictionary attack. Using crunch, which is built into BackTrack 5 R2, you can quickly generate every possible number combination beginning with a specified area code.

Applications > BackTrack > Privilege Escalation > Password Attacks > Offline Attacks > crunch

Use the following command:

./crunch 10 10 -t 123%%%%%%% -o /root/123.txt

Explanation of the command. The two 10s are the minimum and maximum length, so every entry is exactly 10 characters. The -t option lets you specify a pattern in which only the placeholder characters @,%^ change (@ for lowercase letters, , for uppercase letters, % for digits, ^ for symbols); in this case only % is used. The 123 is where the area code goes, followed by 7 % characters for the remaining digits. The -o option names the output file, which can be saved anywhere. Make sure to save it as a .txt file. This will only take a few seconds and will say 100% when finished. Now you can load these in Gerix and bruteforce WPA.

Note: Most cities have multiple area codes. To combine multiple files into one, just run ‘cat 123.txt 456.txt 789.txt >> all.txt’.
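As an added example (not from the original post or the crunch project), here is a Python audit script written from the defender's side: it computes how many candidates a crunch -t pattern such as 123%%%%%%% produces, flags a WPA passphrase that is a plain 10-digit phone number in a given set of area codes, and converts the keyspace into worst-case exhaustion time at an assumed guess rate. The function names, the sample passphrase and the 33-character symbol-class size are assumptions.

```python
"""Keyspace and passphrase audit for the crunch phone-number pattern."""
import re
from typing import Iterable, Optional

# Sizes of crunch's -t placeholder classes: @ lowercase, , uppercase,
# % digits, ^ symbols. The symbol count (33) is an assumption, since the
# default symbol set depends on the crunch version; the other three are exact.
CRUNCH_CLASS_SIZES = {"@": 26, ",": 26, "%": 10, "^": 33}

# Separators commonly typed into a phone-style passphrase: spaces,
# dashes, dots and parentheses. Letters are deliberately not stripped.
_SEPARATORS = re.compile(r"[\s().-]")


def pattern_keyspace(pattern: str) -> int:
    """Number of candidates a `crunch -t PATTERN` run emits.

    Each placeholder multiplies the keyspace by its class size; each
    literal character (such as the fixed area code) contributes 1.
    """
    size = 1
    for ch in pattern:
        size *= CRUNCH_CLASS_SIZES.get(ch, 1)
    return size


def phone_number_area_code(passphrase: str, area_codes: Iterable[str]) -> Optional[str]:
    """Return the matching area code if PASSPHRASE is a 10-digit phone number.

    Returns None when the passphrase is not exactly ten digits after
    separators are removed, or does not start with a listed area code.
    """
    digits = _SEPARATORS.sub("", passphrase)
    if not re.fullmatch(r"\d{10}", digits):
        return None
    for code in area_codes:
        if code and digits.startswith(code):
            return code
    return None


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed sample: the post's pattern and a made-up passphrase to audit.
    space = pattern_keyspace("123%%%%%%%")
    print(f"keyspace for 123%%%%%%%: {space:,} candidates")
    print(f"at 1,000 guesses/s: {seconds_to_exhaust(space, 1000) / 3600:.1f} h")
    print("'(123) 555-0199' ->", phone_number_area_code("(123) 555-0199", ["123", "456"]))
```

A passphrase flagged by phone_number_area_code sits in a keyspace of only 10^7 per area code, which is exactly why the list above is small enough to generate in seconds.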

WEP Cracking in Backtrack 5 using Gerix

I’m creating several posts at once, and I’ll be adding screenshots shortly; bear with me.

Boot into BackTrack 5 R2. You’ll need a laptop with a wireless card that supports monitor mode and packet injection.

Applications >BackTrack > Exploitation Tools > Wireless Exploitation Tools > WLAN Exploitation > gerix-wifi-cracker-ng

Note: at the bottom of Gerix you will see the current actions taking place, so if something goes wrong you can see exactly what it is.

With Gerix open, go to the Configuration Tab.

You should see your interface listed as wlan0. Select it, and click the button below labeled Enable/Disable Monitor Mode. The card will now be in monitor mode.

At this point, you can also click Set random MAC address to spoof your MAC address.

Click on the interface labeled mon0 so it’s highlighted. Underneath that, you will see a button to Rescan Networks. Click this to search for SSIDs.

Select the desired WEP network SSID.

Click the WEP tab. Click Start Sniffing and Logging. You should see the BSSID MAC loaded as well as the PWR (signal strength) and other data. Keep this window open.

Click Performs a test of injection AP to ensure your card is able to inject packets. You should get a message stating “Injection is working!”. You can close this window.

For this demonstration we will use WEP Attacks (no-client). Click the button labeled as such.

Under Fragmentation attack, click Associate with AP using fake auth. In the bottom data viewer window, you will see it read “Fake authentication with mon0”.

Click the Fragmentation attack button. Once it finds a packet, it will prompt “Use this packet ?”. Type Y for yes.

Click Create the ARP packet to be injected on the victim access point.

Click Inject the created packet on victim access point. Type Y in this box also. Keep this window open.

Go to the Cracking tab, and under WEP Cracking, click the Aircrack-ng – Decrypt WEP password button. Watch this window for the number of IVs (e.g. “got 10,000 IVs”).

You will generally need about 10,000–20,000 IVs to decrypt the password, and sometimes fewer. This can take 30 seconds to a couple of minutes depending on the amount of wireless traffic. You can safely close this window and click the button again to reopen it when it has enough IVs.

The key will be displayed in this window when complete.

Home-made 14dB gain antenna

A good friend of mine made this antenna. I am not taking credit for it; however, I will take credit for assisting him in the design and answering all of his questions at 3AM. >:o He doesn’t have a website, so I agreed to post it to mine.


“Hi everyone. Just to clarify first, this has been built to achieve maximum d/l speed on the Telstra Next G network, Australia. But it will also work for any service on the same frequency. They are:

NextG uplink to the tower … 839.8MHz
NextG downlink to your computer … 884.8MHz


So I started with what I had in the shed: an old TV antenna. It has to have an outer circumference of 10mm to achieve this desired feed. I used inch-and-a-half PVC box for my main beam, which I had lying around.”


This is what I started with:

Used a square to keep the holes as perfectly aligned as I could. I did this around to the other side and drilled each side separately so I didn’t elongate the holes.


Put these 2 holes in so I could slot the bolts through easily to attach the coax.

Side view. I am happy that they are reasonably straight. If you are a few mm off, it’s okay; don’t scrap it and start again. If you are a shitty driller and do it at 45 degrees, you will have a problem.

Double-checked to make sure they were joined properly and got the desired reading of 0.00. At this point, when joining the drive element, get a multimeter and check the ohms, or resistance. This is crucial to make sure you have it all joined properly.


Finished! Here is the end; this is what it should look like.


I got a bit pedantic and used some verniers to measure the 10mm tubing to make sure, and then used a 25/64 drill bit (9.9mm), which provided a very nice, tight fit. I used a blue plastic wall plug for the joiner also.


So after using Google Earth and its ruler function to determine the correct line of sight to point my new antenna, I had a rough idea and picked out a landmark. I went into town (I am approx. 27k from town and the tower) to make sure what was near and noticeable. When I got home I used a high-powered rifle scope to pick out the landmark (I was within 10 degrees), pointed the antenna there, and ran a test from Ethernet and my wireless network. The difference was amazing. See below.


This was before, with the standard BP3-EXT modem.

This is with the antenna installed and pointed at the right tower.

With this gain I know I can tune it better, as I am using RG58/U cable at 21 metres. Research showed me that 10m of RG58/U 50 ohm cable at 850MHz = 4.61dB loss. So I can make this better and cut my length in half.


The antenna design I chose after a lot of research was from With the extra cable it equates to a 35% loss. So it is what I will work on.

If anyone wants any more details, I’m sure the mods here can grab me and let me know.

I have to say some thanks to people you will not know, but they helped with design, dimensions and frequency tracking, so thanks AudioNut, StraitVodka, Wahroonga Farm.