Introduction.
I have been interested in wireless security since I read some articles in “Xakep” magazine several years ago. They said “Most wireless networks are vulnerable and can be cracked within a day”. It was quite embarrassing that such a security threat could exist, and I really wanted to check whether it was true or not. In those years I did not have any of the needed experience. The task of crash-testing WEP stayed in my mind for years. Recently I have tried it.
Disclaimer.
All material is presented for educational purposes only. Do not apply this material’s guidelines in real life on real networks, especially the ones which do not belong to you.
This is not a how-to. This is a description of my experience. I do not guarantee that the process and steps described here will be applicable in your case, or that they will work for you as well as they worked for me. I am not responsible for your failures.
System used.
I used an HP laptop with an Intel 3945 wifi card installed, running Fedora 10.
Preparation
As a first step, we need to install and configure the wireless driver and patch it properly to enable all types of attacks. Since I had an Intel 3945 device, I needed the iwl3945 (not ipw3945) driver. This is a cutting-edge driver package and evolves on a daily basis. I would recommend some stable version, but you can try the latest build. I downloaded and unpacked it.
As a next step, it needed to be patched properly. I downloaded the correct patch corresponding to my kernel from here and applied it to the package. The next step is compiling the driver. After that we need to check whether it works or not. Run:
modprobe iwl3945
If there is no output, it means iwl3945 was successfully loaded as a kernel module. Make sure that you have blacklisted your previous wifi driver. At this point it is better to reboot the system.
Finally, we need to install aircrack-ng and its dependencies, such as libnl and iw, which are needed to enter monitor mode successfully.
Data collection
So now we need to collect some data about the targets to attack. First, we enter monitor mode:
airmon-ng check kill wlan0
This point is very important. If the command completed successfully, it outputs something like “monitoring mode was enabled on interface mon0”. Only if the command was successful can we proceed. If airmon-ng returned an error, we made a mistake in the prior steps, so they need to be redone. Also, one more important note: since we ran airmon-ng, we have to work with the mon0 interface instead of wlan0. Now we run
airodump-ng -i -w -u 1 --showack --berlin 5 mon0
And look and move around, searching for an appropriate target to crack. When an appropriate target is found, set airodump to the same channel as the target and re-run it:
airodump-ng -i -w --channel <victim_channel> -u 1 --showack --berlin 5 mon0
Now my PC and the victim’s PC are set to the same channel and all IVs are written to my disk. But there are not many IVs flying around. There is a need to speed up the process. To do it, we open two new root terminals and run:
aireplay-ng -1 3 -e "<victim's ssid>" -x 3 -o 3 -h <my MAC> -c <victim's MAC> -j mon0
aireplay-ng -3 -o 3 -x 10 -e "<victim's ssid>" mon0
It is a combination of two attacks. The first one will identify you as an authorized client connected to the hot spot. It will enable us to communicate with the hot spot. The second one will send ARP requests to the hot spot, which will cause the AP to reply with ARP packets containing IVs. Probably it is needed to play with the speed of the attack. We need to stay in the attack mode until about 20000 IVs have been collected.
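As an added example (not code from the original post), here is the defender's view of this IV pump: the detection logic a wireless IDS could run over captured data frames to flag it. The replayed ARP request is re-sent byte for byte, so one identical encrypted frame recurs from one station, while the AP's replies burn fresh IVs far faster than ordinary traffic does. All MAC addresses, IVs, timestamps and thresholds below are constructed assumptions.

```python
"""Added example, not code from the original post: flag WEP ARP-replay
injection in captured 802.11 data frames. Each frame record is a tuple
(timestamp_ms, transmitter_mac, bssid, iv_hex, ciphertext_hex); the records
used here are constructed, a real sensor would fill them from a pcap."""
from collections import Counter, defaultdict

def max_fresh_ivs_per_second(stamped_ivs):
    """Most distinct IVs an AP emitted inside any 1000 ms sliding window."""
    stamped_ivs.sort()
    best, lo, window = 0, 0, Counter()
    for ts, iv in stamped_ivs:
        window[iv] += 1
        while stamped_ivs[lo][0] < ts - 1000:      # drop frames older than 1 s
            window[stamped_ivs[lo][1]] -= 1
            lo += 1
        best = max(best, len(+window))              # +Counter keeps counts > 0
    return best

def detect_replay(frames, repeat_threshold=5, iv_rate_threshold=50):
    """('replay', station, repeats) for a station re-sending one identical
    encrypted frame; ('iv_burst', bssid, ivs_per_s) for an AP whose fresh-IV
    rate is abnormal. Both thresholds are assumed tuning values."""
    identical = Counter((ta, iv, body) for _, ta, _, iv, body in frames)
    repeats = Counter()
    for (ta, _, _), n in identical.items():
        if n >= repeat_threshold:
            repeats[ta] += n
    findings = [("replay", ta, n) for ta, n in sorted(repeats.items())]
    ap_ivs = defaultdict(list)
    for ts, ta, bssid, iv, _ in frames:
        if ta == bssid:                             # frame sent by the AP itself
            ap_ivs[bssid].append((ts, iv))
    for bssid, stamped in sorted(ap_ivs.items()):
        rate = max_fresh_ivs_per_second(stamped)
        if rate >= iv_rate_threshold:
            findings.append(("iv_burst", bssid, rate))
    return findings

def constructed_capture():
    """Constructed sample: two quiet clients, then an injector replaying one
    captured ARP frame 60 times in 0.6 s while the AP answers each one."""
    ap, inj = "00:11:22:33:44:55", "02:00:00:00:00:01"
    frames = [(1000, "aa:bb:cc:dd:ee:01", ap, "0a0b0c", "1122334455"),
              (1200, ap, ap, "0f0f01", "99aabbccdd"),
              (1500, "aa:bb:cc:dd:ee:02", ap, "0a0b0d", "6677889900")]
    for i in range(60):
        frames.append((10000 + 10 * i, inj, ap, "a1b2c3", "deadbeefcafe"))
        frames.append((10005 + 10 * i, ap, ap, "%06x" % (0x100000 + i), "%010x" % i))
    return frames
```

Running `detect_replay(constructed_capture())` flags the injector's 60 identical frames and the AP's burst of 60 fresh IVs within one second; the three quiet-client frames trigger nothing.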
Crack
When the needed amount of IVs is captured, we need to run aircrack-ng on our capture file, something like:
aircrack-ng <name_of_capture_file>
or
aircrack-ng <name_of_capture_prefix>*
if there were several attempts to sniff packets. Get your key, or continue sniffing. Cheers.