Tutorial Aircrack

Test your Wi-Fi network security with WEP cracking (see the tutorial in French)


Nowadays, most providers build some protection into their Wi-Fi modems.
Unfortunately, most of these Wi-Fi boxes apply WEP encryption by default when the wireless is activated.
It is well known that this protection is past its expiry date: weak and easily crackable. A short hour is enough to crack a 128 bytes WEP key (packet capture + crack), and barely more for a 256 bytes key, with aircrack.
So I offer you a little tutorial that will help you test your wireless network, and most likely convince you to change to WPA encryption. (WEP crack video)
Warning: you are only allowed to test a network with this method if you are the OWNER or if you have the owner's permission. Hacking is considered breaking a federal law and this tutorial is not meant to serve such purposes; it is simply meant to make you aware of the weakness of your network. I remind the people who still want to crack their neighbours: YOU NEED AN AUTHORIZATION to crack their network, otherwise you could be charged or sent to jail.

The tutorial

Aircrack:

To test the security of your network, we will need aircrack, designed by Christophe Devine. This program works under Windows and Linux, but some of its functionality is not available under Windows (packet injection, for example). That is why we will use a bootable Linux CD: Whax, a distribution specialized in intrusion tests. Actually Troppix is (slightly) more up to date regarding Wi-Fi drivers, and it is used in exactly the same way. (These distributions are oriented towards WEP cracking, but Ubuntu or any other would do the job too.)

But not all cards are supported; basically it depends on the chipset. Here is a list of cards that work with aircrack in monitor mode (compatible). Another list (fr)

This tutorial was made with a D-Link DWL-G650 (not the G650+ !!!). Fortunately, my neighbour had a Livebox (a French Wi-Fi modem) and authorized me to crack the WEP key on his network.

He authorized it thinking I would not succeed.
It turned out he was wrong: it took me approximately 2 hours to crack it.

For privacy reasons, all the network names (ESSID) were masked, except the one whose WEP key was cracked, which was only partially hidden.

The BSSID addresses (MAC addresses) have also been partially censored; I only show the first part of the MACs, which corresponds to the manufacturer of the card.

I repeat: if you try to get into a network, you need the authorization of the owner, or you need to be the owner.

1:// Whax :

Now we are getting serious.
To make full use of your card we will use a Linux live CD (me too, I don’t know anything about the penguin).

Get the WHAX distribution here:
Download Whax:

http://files.tutofr.com
or
http://search.belnet.be/mirror/www.whoppix.net/

Update: there are new live CD distributions specialized in Wi-Fi monitoring, like Troppix and BackTrack, that are as good or even better.
You can find all those distros on files.tutofr.com
The functionality is basically identical.
Indeed, they all include aircrack and airodump/aireplay.

Burn the distribution on a nice CD and put it aside for 2 seconds. In the meantime I suggest creating a FAT32 partition of 2 or 3 gigs.
The advantage of FAT32 is that it is readable by both Windows and Linux.
That partition will be used to store the captured packets and the different files necessary to crack the key. That partition is not required, but it is recommended, especially if you have little RAM, since without a partition the capture files are stored in RAM.
Also, with a FAT32 partition you can stop the computer and restart monitoring without losing anything.

WATCH OUT, YOUR PARTITION WILL NOT HAVE THE SAME NAME UNDER LINUX, SO PLACE A FILE THAT YOU WILL RECOGNIZE IN IT.

After booting Whax you will end up on a login screen (for Troppix you only need to choose the video card, keyboard language and resolution).
The login is root and the password is toor. To start the graphical interface, type startx (on a French keyboard you need to type stqrtx, since the keyboard layout will be English).

You will then end up on the Whax interface.

Also, open a shell:

The interface is KDE so it is easy to get used to (single click).

Then type in "airmon.sh" to detect the interfaces, and select the one that you want to use with the command "airmon.sh start « wifi interface »" (note that the brackets are not to be typed, although they will be used throughout this whole tutorial).

Here you can see that the card is correctly recognized and that monitor mode is directly activated. Monitor mode lets us capture packets in transit, even the ones that aren’t addressed to you. ;)

And if you already use a Linux distribution, you only need to install the aircrack suite:
Download aircrack, airodump, aireplay

2:// Airodump :

Detailed usage: airodump for Windows and for Linux

Now we will start to scan the wireless networks with airodump (part of the aircrack suite).

We type in the console: "airodump [interface name] [name of the output file] [channel to scan]"

To scan all the channels, type in 0.

You can add the parameter 1 at the end to change the extension of the output file to .ivs rather than .cap. The advantage is that the file does not contain all the packet data but only the IVs, so its size is more convenient.
« airodump ath0 out 0 1 »

You need to choose this method if you did not create a FAT32 partition, otherwise you can get a crash (if there is not enough RAM)!!!
If you created a FAT32 partition, you should prefer the *.cap format.

If you created a FAT32 partition, you need to place yourself in that partition.

Do « cd .. » to go back to the root. Then "cd mnt" to open the folder that corresponds to “My Computer” under Windows.
For my part I type in « cd .. » then « cd mnt/hda6 »

We then get this once airodump is launched:

I am in a student residence so there are a lot of people.

The BSSID column corresponds to the MAC addresses of the access points (AP).
The ESSID column corresponds to the name of the network
(MyWifiNetwork, Wanadoo-xxxx...)

The first part corresponds to the access points and the second part to the stations (the computers that are connected).

The column that interests us is the one with the IVs; those are what will allow us to crack the WEP keys.

Here my friend's AP is the only one whose ESSID is not totally masked. For better performance in the packet capture, we relaunch airodump choosing only the channel the AP is on (here it is 10).

« airodump ath0 out 10 »

To stop the capture and enter commands, press Ctrl + C. You also have to stop the capture if you want to copy a MAC address, since the screen refreshes. To copy something, simply select it with the mouse, right-click and copy. Likewise to paste, or use Shift+Insert.


For more details on airodump, simply type [airodump] in the console and the help will appear.

Here we have stations, and one that is connected to the AP that interests us.
BINGO, because access points sometimes have (and it’s the case for Freeboxes) a MAC filter (called association mode), and for aireplay we need that MAC address; in effect we act as if we were that computer in order to have access to the AP.

As soon as we start getting IVs, airodump tells us what type of encryption it is: WEP, WPA or OPN.

Now that we know that the encryption is WEP, that a station is currently connected, and that there is traffic (350 packets for the station in not a lot of time), we are going to launch aireplay, a packet injector, to accelerate the traffic and stimulate the sending of IVs.

You need to know that to crack the WEP key of a Wi-Fi network, it is better for there to be a minimum of traffic. From experience, the IV capture is then a lot faster, and the IVs are also more diversified, so the crack will need fewer IVs. For example, here there is traffic, but unfortunately there wasn’t any afterwards, so I had to capture a lot of IVs before finding the key.

3:// Aireplay :

In detail in the aireplay manual

Just like airodump, aireplay is part of aircrack.

3.1:// Fake authentication

See the aireplay -1 FAQ

To launch aireplay, open another console in the same window with the help of the little icon at the top left. You can also rename it with a right click.
We launch aireplay once without worrying about the BSSID of the station:

The parameters are:
“aireplay -1 0 -e [ESSID] -a [BSSID of the AP] -b [BSSID of the AP] -h [BSSID of the station] [interface]”

"-1 0" corresponds to a fake authentication attack; the zero is the delay that we allow for the answer to come in. Here we can see that if we use a dummy MAC address the AP refuses us, but if we use the BSSID that airodump gives us it works.

Some APs don’t have any MAC address filtering and you can use any MAC address. Once you have “association successful” it is a first victory: basically you are accepted by the Wi-Fi access point.

It is possible, if you don’t pick up the signal well (if the power is low), that the authentication succeeds but the association is not immediate.

Here the example is small but you can easily have 40 lines :-S

Here is a small diagram that shows the relations between the aireplay parameters and the airodump capture:

The association is not really reliable, and if it fails you can still go on to the next step.

3.2:// Packet Injection :

In detail: aireplay attack -3

Once the association is good, we relaunch aireplay, changing some of the parameters.

You need to change the first parameter to “-3”, which corresponds to a packet injection attack.
Then you need to add the parameter “-x” followed by a value that corresponds to the number of packets per second that aireplay will send. Here it is 600; modify the parameter depending on the AP signal strength.

Also add the parameter -r followed by the capture file (from airodump). This parameter indicates which file to read to see if there are ARPs inside. The ARPs are what will allow us to influence the traffic.

DON’T FORGET TO PLACE YOURSELF IN THE SAME DIRECTORY

To avoid typing it all again, since the syntax is basically the same as with the -1 parameter, press the up arrow key to recall what you previously entered.

Aireplay saves the ARPs in a file that it creates every time it is launched.
It is underlined in the picture.
That file is located in the folder where you launched aireplay.

It is that file that you then give to the -r parameter if you got ARPs. The ARPs are obtained by reading the indicated file but also by listening to the network, like airodump does.

Here we can see that we have an ARP. As soon as we get an ARP, aireplay starts sending packets. And normally, if everything is going well, the IVs grow.
And it is the case, they are growing :D

At the same time, the ARPs also go up:

Aireplay keeps at most 1024 ARPs.

To give you an idea of the IV capture speed I took some full-screen captures; look at the clock.

At 16h25 190 000 IVs
At 16h30 290 000 IVs
At 16h43 650 000 IVs
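
From the defender's side, the injection described above leaves a recognisable trace: a replayed ARP frame is re-sent unchanged, so the same transmitter address and WEP IV recur hundreds of times per second. The sketch below is an added example, not part of the original tutorial or of the aircrack suite; the frame tuples, MAC address, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # sliding window in seconds (assumed tuning value)
MAX_REPEATS = 50  # identical frames tolerated per window; normal 802.11
                  # retries repeat an IV only a handful of times (assumed)

def detect_replay(frames, window_s=WINDOW_S, max_repeats=MAX_REPEATS):
    """frames: (timestamp_s, transmitter_mac, iv_hex, length) tuples sorted
    by time, as exported from a monitor-mode capture of your own network.
    Returns {(mac, iv, length): peak repeats seen inside one window}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, mac, iv, length in frames:
        key = (mac.lower(), iv.lower(), length)
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window_s:   # drop timestamps outside the window
            seen.popleft()
        if len(seen) > max_repeats:
            alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts

def build_sample():
    """Constructed traffic: one ordinary station plus a 600 pps replay."""
    station = "02:00:00:00:00:01"   # constructed, locally administered MAC
    frames = []
    for i in range(200):            # normal traffic: a fresh IV per frame
        ts, iv = i * 0.01, format(i, "06x")
        frames.append((ts, station, iv, 100 + i % 50))
        if i % 10 == 0:             # occasional link-layer retry, same IV
            frames.append((ts + 0.001, station, iv, 100 + i % 50))
    for k in range(600):            # one short frame replayed 600 times
        frames.append((5.0 + k / 600.0, station, "a1b2c3", 68))
    return sorted(frames)

if __name__ == "__main__":
    for (mac, iv, length), peak in detect_replay(build_sample()).items():
        print(f"possible ARP replay: {mac} IV={iv} len={length} "
              f"repeated {peak}x within {WINDOW_S}s")
```

The ordinary traffic and its retries stay below the threshold; only the frame repeated at the 600 packets per second used in this tutorial is reported.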

4:// Aircrack :

In detail in the FAQ

Know that you need approximately 300k IVs for a 64 byte WEP key and about 1 mil for a 128 byte WEP key; it is pretty fast.

You should launch aircrack once you have 300k if you suppose that the key may be 64 bytes (you should know, it's your network).

For that, you only need to add -n 64 to the aircrack parameters, and aircrack will try to crack the WEP key as if it were a 64 bytes WEP key, even if it is a 128 bytes key.

Personally, this tutorial targeted a 128 bytes key (Livebox), so I don’t launch it with 64. But since I have approximately 700k IVs, I can start to launch aircrack while the packet capture is still going on with airodump.

Open a new shell and launch aircrack.

Don’t forget to place yourself in the folder containing the airodump files, if you have created a FAT32 partition.

“aircrack -x -0 nameofthecapturefile”

The parameter -x stops the bruteforcing of the last 2 bytes; it accelerates the crack (normally).

The parameter -0 puts aircrack in color and it’s the only thing it does, but MAN doesn’t it look cool when someone's cracking and you see the Matrix-like code on the screen.

Finally, the last parameter is the name of the airodump capture file; you can also use the syntax “*.cap” and “*.ivs” to open all the .cap and .ivs files.
“aircrack -x -0 *.cap *.ivs”

Once aircrack is launched, it shows all the networks that it saw, their encryption and the corresponding number of IVs. You then only need to choose the right number to launch the crack.

Now it starts to crack the key:

The airodump capture keeps going while aircrack automatically takes in all the new IVs and uses them to crack the key.

Now the only thing you need to do is let it run, and the WEP key should show in red if the crack works. Basically it works statistically, with a voting system counting over the IVs: the more votes a byte has compared to the other bytes of the same row, the more likely it is to be right.

Unfortunately for me, the crack didn't work even though I had more than enough IVs.

I believe it is because there was barely any traffic, maybe even none.

The only thing to do is get more IVs.

When you capture more IVs, the best thing to do is to wait for the station, get new ARPs and let airodump run.

Personally I let airodump run and relaunched an aireplay without the -r parameter so that it gets new ARPs. So when the station reconnects, new ARPs are in circulation and I capture them right away and re-inject them; it’s the best method.

If you're not able to capture ARPs, let the capture run as long as possible, and when a station is connected try a deauthentication attack; it should stimulate ARP emission.

“aireplay -0 + the usual ESSID and BSSID parameters”

So I left, and when I came back I had around 2.6 mil IVs, more than enough.

Relaunching aircrack:


Bingo !!!!

Comparing the 2 images, the one where the attack failed and the one where it worked, we find basically the same numbers, which means we only needed new IVs.

If it does not work, play with the fudge factor of aircrack by adding an -f parameter: “-f number between 2 and 10”
Example:
“aircrack -x -0 *.cap *.ivs -f 4”

By default the fudge factor is set to 2.
Aircrack uses 17 types of attacks created by KoreK.

You can choose to disable them one after another if you have a lot of IVs but the crack fails.
Example:
aircrack -x -0 *.cap *.ivs -k 4

We can of course combine this with the fudge factor.

If you ever have more than 3 mil IVs, captured with a lot of traffic, and the attack still fails, there could be many reasons:
- The network changed key, but you should know since you’re the owner.
- The capture file is corrupted.
- You're not too lucky...

5:// Connection configuration:

Now it is great that you have a key, so WRITE IT DOWN 12 TIMES ON A PIECE OF PAPER. 

Don't mistake 0 (zeros) for O (letter O's); the only possibilities are 0 to 9 and A to F since it is hexadecimal.

Now that we have the WEP key, the only thing missing is the network's addressing (IP plan).
However, it is usually unnecessary since most networks use DHCP, meaning automatic IP: you connect to an access point and it gives you an IP.

You can then try to connect with Windows (watch out, you need to remove the “:” between the parts of the key), and if there is a MAC filter, you need to change your MAC address under Windows, or use Whax, which has a connection module.

5.1:// With whax :

To use it, you first need to put your card in managed mode; for that:
« iwconfig ath0 mode managed »

And if you wish to go back to monitoring for more capture, you only need to type in « iwconfig ath0 mode monitor »

If the AP has a MAC address filter, change your MAC to the MAC address of a station that was connected.

MAC change under linux
MAC change under windows


Then, to open the assistant, go to the start menu, choose Whax Tools/Wireless/Wireless Assistant and configure your network. (If DHCP doesn't work, try under Windows or see further down to find the IP plan of the network.)

You can always test with a command like " ping www.google.fr"

5.2://In a shell:

If you are doing it with Whax you can do it in a shell.

All the parameters of the configuration appear when typing:
« iwconfig ath0 »

Go into managed mode:
« iwconfig ath0 mode managed »

Configure the WEP key:
« iwconfig ath0 key xx:xx:xx:xx:xx:xx »

You can easily combine parameters:
« iwconfig ath0 mode managed key xx:xx:xx:xx:xx:xx »

5.3:// Change your MAC address:

5.3.1:// Under Linux :

If the AP applies a MAC filter, change your address and replace it with one that is accepted (a station seen in airodump).

First you need to shut down the Wi-Fi.
Then you change it with
ifconfig ath0 hw ether XX:XX:XX:XX:XX:XX

Last step, the activation:
Dhcp ath0

If the shell returns to the prompt, it works; if it doesn't work, try under Windows or find the network address.

5.3.2:// Under Windows :

If you need to change your MAC address, go to
« Start/Control Panel/Performance and Maintenance/System », Device Manager.

Choose the network cards category, choose your card, right-click and select Properties. Choose the Advanced tab; you need an entry “MAC address” or equivalent. Choose Administer locally and put a value in the box.

You can also use etherchange, a small DOS program for Windows that does this for you.
Download etherchange.

Launch it, choose the interface whose physical address you wish to change, and enter the MAC address that you want to replace it with.

 

6:// Find the network address :

If the network doesn't have DHCP or if it isn’t activated, you need to find the address plan; in most cases it is 192.168.1.xxx, with the access point at 192.168.1.1 and the mask 255.255.255.0.

However there is a fast and easy way to find the ip of the access point with ethereal, a network sniffer. 
 

You need the WEP key to find the IP

Launch ethereal 
«start/WHAX Tools/Sniffers/ethereal »

Configure ethereal to decrypt packets with the WEP key you just found, otherwise you won’t get IPs.
Do: « Edit/Preferences/Protocols/IEEE 802.11 »
Configure the WEP key, and remember to select “assume packets have FCS”.

Do
« Capture/Options »
Choose (ath0)
Select (capture packets in promiscuous mode)
Select (enable network name resolution)

To see only the packets that interest you, apply a filter in the filter field.

A filter of the type “(wlan.bssid == bssid of the AP) && (tcp)” works great.

In effect you choose to see only the packets sent over TCP whose BSSID is the one specified.

Bingo, we found the IP.

If you let it run a bit you will confirm the IP and maybe get more info.

For example we see that my friend is using eMule.

There, the work is done: you have the address of the network, the WEP key and the MAC of the station; the only thing left is to connect (all that for that). If you encounter any problem, the support forum is there to help you. Still, read the tutorial again.

Appendices:

Example of an OPN network

 

Packet injection under Windows:

There are different programs to inject packets under Win32.

For the Atheros chipset, download CommView for WiFi

Prism chipset:

Download airGobbler Packet Generator

 

FAQ

Files :

Links

-Christophe Devine video

© Copyright 2005-2006 Tuto-fr.com by Billyboylindien