The original tutorial is available here.
A beginner's use of the aircrack suite
Intro/rambling
I've chosen to write this because I'm tired of going over the same material and waiting for people to do the required reading to fill in the gaps. Why else do you get documentation like this?
It is important to understand that on a wifi network, traffic is much more public than on a wired network. Data is transmitted in all directions, not through narrow channels, so some form of encryption/privacy control was needed, and it came as WEP (Wired Equivalent Privacy; this should be all old news). WEP did the equivalent of making it difficult to connect to a wireless access point, though not impossible, as you will inevitably find out. The technical details of the flaws in WEP are not covered here. This article will cover how to use the aircrack suite developed by Christophe Devine and KoreK. The suite contains several tools that are vital to the various stages of cracking a WEP key. This article will cover the airodump, aireplay, and aircrack tools. Let's get started.
What you will need
* 1 copy of BackTrack Beta 1
* 1 Atheros** or Prism2/2.5/3 wifi card (the injection card)
* 1 other wireless card, any type (the target card)
* Computers for both of the above cards (If you can get it working with one, good for you. If not, find a consenting friend and use theirs)
* 1 wireless router supporting the frequencies of the cards (i.e. 802.11a, 802.11b or 802.11g)
* A location (ideally lab setting) where you can operate without disturbing other APs
* Patience, luck, persistence
** A note about Netgear WG511T cards and BackTrack Beta 1: currently there are issues with injection, either a faulty patch or kernel issues. Hopefully this will be fixed with the new kernel release. Other functions should be alright, though.
Update: TheGreatVirus has written a great tutorial on how to get injection working properly with stubborn Atheros cards (requires HD install). I have tested this with my own WG511T and injection worked properly.
Checking for Injection
Look at this thread for notes on how to confirm proper injection; it had to be a new thread.
The Setup (and a little thinking)
In order to crack a WEP key you must have a large number of encrypted packets to work with. This is an unavoidable requirement if you wish to be successful. The best way to get a large number of packets is to perform an ARP request reinjection attack (otherwise known as attack -3). For this attack to produce results there must be a client already authenticated with the AP, or about to connect to the AP.
So, with this in mind, let's get things organized. The following conditions should be met:
* The target client should be booted and authenticated with the AP. Confirm this however you'd like (i.e. google something).
* The injection client (with the Atheros or Prism card) should be booted into BackTrack, use startx to start the GUI once logged in as root.
* The card on the injection client should be placed into monitor mode. You can do this with the command "iwconfig DEVICENAME mode monitor", or you can start kismet and it will be done for you.
* The Access Point should be configured to use WEP, whatever keylength you'd like (keep in mind that longer keys require more data packets).
Moving right along, you will need the following information in an easy to reach place. I like to put it into an open text file for simple copy/paste moments. If you can cat | grep | awk it, then you shouldn't be here.
1. AP MAC address
2. Target client MAC address
3. AP BSSID
4. Target client ESSID
You can find these by using Kismet or starting airodump.
The Good Stuff; Or, How I Do That?
Now that you have everything set up (or not, you lazy bum) let's get it on. For the next few sections you will need to use Konsole or XTerm or whatever console emulator you like to input the commands. I'll try to be gentle.
Once again, we'll start with some thinking. Encrypted packets are not beacons, nor are they what airodump simply calls "packets". They are identified within airodump as "Data", and in previous versions as "IVs" (which stands for Initialization Vectors). They represent captured packets that can be used to crack the WEP key. This means that they were encrypted by the AP before being transmitted and can be subjected to various statistical attacks, but we'll get into that later. Let's get our packet capture on.
Starting Airodump
Type the following command into the console (remember, your card should already be in monitor mode):
* airodump DEVICE dump CHANNEL 1
Where DEVICE is the name of your wifi card and CHANNEL is the channel of the AP. The 1 (one) on the end tells airodump to only save IVs to the file. This will also change the suffix for the capture file from .cap to .ivs. You should now be looking at the airodump interface. You should be seeing your own AP and the associated client if you have everything set up correctly. Notice how the beacons go up faster than the data packets? Let's do something about that.
Using Aireplay
Aireplay is used to inject packets in order to increase the amount of crackable data. It has five separate attacks, but today we will just be using the -0 (deauthentication) and -3 (ARP replay injection) attacks.
When a wireless client (any wireless client) attempts to obtain an IP from the AP it sends an ARP request (several, in this case, because radio signals don't always make it). This request is received by the AP, which then consults some rules and, if the packet meets those rules, sends an ARP reply to the client. Due to the nature of the request, these replies are encrypted, which makes them ideal for cracking. Unless the router limits the number of ARP requests allowed, the replies can be broadcast several hundred times per second.
However, since our client is already authenticated, it isn't likely to be sending out many more ARP requests. It is possible to trigger them manually, but for the sake of the article we'll do it the hard way.
Deauthentication
If the wireless client is suddenly disconnected then it will automatically try to re-obtain its IP, sending several ARP requests**. The -0 attack will effectively kick the client off the network and force it to reauthenticate. Set up the following attack in a new console but do not run it yet.
* aireplay -0 10 -a APMAC -c CLIENTMAC DEVICE
Where APMAC is your AP's MAC address, CLIENTMAC is the client's MAC address, and DEVICE is the device name. Let's set up the next attack.
** It should be noted that Windows clients are more likely to spew forth ARP packets when they are deauthed than Linux clients.
ARP injection
Before setting off the deauth attack we need to set up aireplay to listen for the ARP request so it can rebroadcast the packet and generate traffic. Type the following command into a new console, but don't run it:
* aireplay -3 -b APMAC -h CLIENTMAC -x 500 DEVICE
Follow the same naming scheme as above. This command tells the program to listen for an ARP request coming from the client's MAC address and directed at the AP's MAC address, then rebroadcast that request 500 times per second from your Atheros or Prism card.
Using the attacks
Run the -0 attack, then immediately afterwards run the -3 attack. Feel free to write a script to do this for you. You should see the -3 command output how many ARP requests it received, then display how many have been transmitted. With any luck, the number in the Data column in airodump should be increasing at a high rate. You may need 250,000 packets to crack a short WEP key, and up to 2,000,000 for a longer one if you aren't lucky.
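Seen from the defender's side, the two attacks above leave distinctive traces in a monitor-mode capture: a burst of deauthentication frames aimed at one client, and that client's encrypted ARP frame repeated hundreds of times per second carrying the same IV (aireplay -3 re-injects the captured frame verbatim). The following Python is an added example, not part of the original tutorial, that flags both patterns over constructed frame records; the MAC addresses, timestamps and IV values are made up for illustration.

```python
from collections import Counter

# Constructed sample addresses (not from any real network).
AP = "00:11:22:33:44:55"          # stands in for APMAC
CLIENT = "aa:bb:cc:dd:ee:01"      # stands in for CLIENTMAC

def make_sample_frames():
    """Build a constructed list of (ts, kind, src, dst, bssid, wep_iv) records
    resembling what a monitor-mode capture of the two attacks would contain."""
    frames = []
    for i in range(20):                       # normal beacons, 10 per second
        frames.append((i * 0.1, "beacon", AP, "ff:ff:ff:ff:ff:ff", AP, None))
    for i in range(5):                        # normal client data, fresh IV each frame
        frames.append((0.5 + i * 0.3, "data", CLIENT, AP, AP, f"{0x1000 + i:06x}"))
    for i in range(64):                       # deauth burst spoofed from the AP to the client
        frames.append((2.0 + i * 0.003, "deauth", AP, CLIENT, AP, None))
    for i in range(200):                      # one ARP request re-injected at ~500 pps
        frames.append((2.5 + i * 0.002, "data", CLIENT, AP, AP, "3a7f01"))
    return sorted(frames, key=lambda f: f[0])

def deauth_bursts(frames, window=1.0, threshold=10):
    """Flag (bssid, client) pairs receiving more than `threshold` deauth frames
    inside one `window`-second bucket; normal roaming never does this."""
    buckets = Counter()
    for ts, kind, _src, dst, bssid, _iv in frames:
        if kind == "deauth":
            buckets[(bssid, dst, int(ts // window))] += 1
    return sorted((b, d, n) for (b, d, _w), n in buckets.items() if n > threshold)

def replayed_ivs(frames, min_repeats=20):
    """Flag a sender reusing one WEP IV `min_repeats` or more times: a legitimate
    station moves to a new IV per frame, a replayed frame carries the same one."""
    seen = Counter()
    for _ts, kind, src, _dst, _bssid, iv in frames:
        if kind == "data" and iv is not None:
            seen[(src, iv)] += 1
    return sorted((s, iv, n) for (s, iv), n in seen.items() if n >= min_repeats)

if __name__ == "__main__":
    sample = make_sample_frames()
    for bssid, client, n in deauth_bursts(sample):
        print(f"deauth flood: {n} frames from {bssid} to {client} within 1 s")
    for src, iv, n in replayed_ivs(sample):
        print(f"IV replay: {src} sent IV {iv} {n} times")
```

On the constructed sample this reports one deauth flood of 64 frames and one IV replayed 200 times, while the five legitimate data frames with distinct IVs stay silent.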
Breaking the key
Once you start generating packets you can set aircrack to work on breaking them. Aircrack can work even while the packets are being collected, so you can run it during the -3 attack. There are many options you can use to fine tune the cracking process; they are available here. However, you can try this command if you really want to (remember that for this test we named the capture file dump.ivs):
* aircrack -a 1 -b APMAC dump.ivs
This command tells aircrack that it is trying to break a WEP key, reading from the dump.ivs file, using only packets coming from the target AP's MAC address. This command is a very basic invocation of aircrack and will take a long time to crack even a simple key. I recently cracked my own 40 bit WEP key with 250,000 packets using two different commands. My first command was similar to the one above. My second command looked something like this:
* aircrack -a 1 -i 1 -n 64 -m CLIENTMAC -b APMAC dump.ivs
On a Pentium M 1.3 GHz laptop with 512 MB of RAM the first command ran for 3 hours without finding a match. The second command cracked it in 20 minutes. These aren't intended as test results but merely a comparison of cracking time when more arguments are given. I had the opportunity to test these different commands on a P4 3.2 GHz system with gobs of RAM. The first command took several hours to crack a 40 bit key, while the second command managed to do it in less than one second. Think about it.