I wrote and published this last night:
Quote:Set your wireless card into monitor mode.
You need to have a wireless card that supports monitor mode. Monitor mode allows you to listen to all packets instead of only packets intended for you. This is done by creating a virtual interface to act as a second wireless adapter using the same hardware. The tool to automate this is airmon-ng. Please substitute your wireless interface accordingly in the following steps.
Take the interface down:
# ifconfig wlan0 down
Bring the interface back up in monitor mode:
# airmon-ng start wlan0
Test injection capabilities:
# aireplay-ng -9 -e ESSID -a 00:11:22:33:44:55 mon0
- -9 tells aireplay to test injection
- -e is the ESSID of the AP
- -a is the BSSID (MAC Address) of the AP
- mon0 is my interface in monitor mode
Start grabbing IVs:
# airodump-ng --bssid 00:11:22:33:44:55 -w ESSID mon0
ThatÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢s all you need to do for a passive attack. Now weÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢ll speed up the process.
- ÃƒÂ¢Ã¢â€šÂ¬Ã¢â‚¬Å“bssid is the MAC Address of the AP
- -w is the prefix for the capture files, I normally use the ESSID
Authenticate with the AP:
One of these will work better than the other depending on your scenario. Choose what works best for you.
# aireplay-ng -1 0 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
If neither of those work MAC filtering may be configured and you will need to spoof your MAC to an existing client. Then you can either move on to the next step masquerading while the client is still up, or sent a deauthenticate packet and try the previous again / wait for the client to reauthenticate and send ARP packets.
# aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
# aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0
Inject your packets:
Finally, youÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢re associated and not getting sent deauthentication packets. As long as you are associated the AP will respond to your packets. If you lose authentication just perform what you had to do in the previous step. Now weÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢re going to start repeating ARP packets.
# aireplay-ng -3 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
Crack your data:
Once you get about 20,000 you can try to see if you can find the key. You can perform this step while still collecting IVs. First weÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢ll try to crack based on a 64-bit key. Replace ESSID with whatever you put for the -w parameter for airdump previously.
If that doesnÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢t work weÃƒÂ¢Ã¢â€šÂ¬Ã¢â€žÂ¢ll try for a 128-bit key.
# aircrack-ng -n 64 ESSID*.cap
# aircrack-ng ESSID*.cap
The process to break through WEP can be completly automated and done in a very short period of time. Make sure you secure your network with something more secure. At the time of this article I use WPA2 with a RADIUS backend.
A few additional points that I didn't publish in my article...
- If you can choose between the ieee80211 stack and the mac80211 stack for driver support go with the mac stack.
- A card designed for monitor mode works best. The one in my laptop was ripped out of a wireless router.
- Use more than one device if possible.
There are alternative crack algorithms you can have aircrack use. The default only works with ARP requests but is the fastest. The Korek method is the oldest but works with any data and requires a full packet. There is also a brute force method which always works, you just need to have a lot of time on your hands.
Other injection methods can be used when playing around with aireplay. Repeating broadcasts work best if you are up against MAC filtering. You don't have to associate if you are just relaying broadcast packets.
If you have access to a machine on the network or can wire your machine in you can speed up the ARP collection to grab the key by pinging a non-existent host.
It might take a while to get your first ARP request but they grow exponentially once you get injection started.
There are other ways to get the key which are useful if there is no network activity which I may write an article on here about later.
-- Hope this helps some of you.