ipw2200_generic

ipw2200_generic [2007/08/29 05:22] drio
ipw2200_generic [2009/09/26 14:27] (current) – Fixed typos darkaudax
Line 6: Line 6:
    - screen usage example    - screen usage example
    - Different attacks    - Different attacks
-   - More detailed explaination about what we are doing on each step +   - More detailed explanation about what we are doing on each step 
-   - upgrade airo tools from the livecd. +   - upgrade airodump-ng tools from the livecd.
- +
- +
- +
- +
- +
- +
- +
- +
  
 ===== Introduction ===== ===== Introduction =====
  
-This document is based in this [[http://tinyshell.be/aircrackng/forum/index.php?topic=2077.0|post]] you can find in the [[http://tinyshell.be/aircrackng/forum/index.php|forums]].+This document is based in this [[http://forum.aircrack-ng.org/index.php?topic=2077.0|post]] you can find in the [[http://forum.aircrack-ng.org/index.php|forums]].
  
 When I started using the aircrack-ng tools I did not have the  When I started using the aircrack-ng tools I did not have the 
-[[Compatibility_Drivers|best hardware]] for it. I only had an ibm thinkpad t42 that comes with an intel 2200BG card.+[[Compatibility_Drivers|best hardware]] for it. I only had an IBM Thinkpad T42 that comes with an Intel 2200BG card.
 Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device
 driver that we use for controlling our card has to support injection. This [[newbie_guide|tutorial]] explains you how to compile and install modules in your driver that we use for controlling our card has to support injection. This [[newbie_guide|tutorial]] explains you how to compile and install modules in your
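Review bot: the TODO item in this hunk narrows "upgrade airo tools" to "upgrade airodump-ng tools from the livecd", but the procedure below also depends on aireplay-ng, packetforge-ng and aircrack-ng (a later hunk adds an aircrack-ng -z option that needs a newer version), so "upgrade the aircrack-ng suite from the livecd" would match the page. Minor: "explains you how to compile" should read "explains how to compile".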
Line 35: Line 26:
   *4 - Configure the wireless parameters using iwconfig.   *4 - Configure the wireless parameters using iwconfig.
   *5 - Collect data with airodump-ng   *5 - Collect data with airodump-ng
-  *5 - Launch the chopchop attack +  *5 - Launch the [[korek_chopchop|chopchop]] attack 
-  *6 - Create the arp request packet +  *6 - Create the ARP request packet 
-  *7 - Send the arp request over and over+  *7 - Send the ARP request over and over
   *8 - Wait to gather enough IVs   *8 - Wait to gather enough IVs
-  *9 - Crack the wep key using aircrack-ng+  *9 - Crack the WEP key using aircrack-ng
  
 Keep in mind that we are going to be running different commands and we will need to check switch between them. Most Keep in mind that we are going to be running different commands and we will need to check switch between them. Most
 documents recommend to start [[http://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/X_Window_core_protocol|Xwindow]] and open then various xterminals. documents recommend to start [[http://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/X_Window_core_protocol|Xwindow]] and open then various xterminals.
 There is another option: [[http://en.wikipedia.org/wiki/GNU_Screen|screen]]. There is another option: [[http://en.wikipedia.org/wiki/GNU_Screen|screen]].
- 
  
 ===== Verify that our ipw2200 card is recognized by the OS (Linux) ===== ===== Verify that our ipw2200 card is recognized by the OS (Linux) =====
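Review bot: the step list still numbers both "Collect data with airodump-ng" and "Launch the chopchop attack" as step 5 on both sides of the diff, so every later step is off by one relative to the section headings; renumber 5 to 9 as 5 to 10. Also "we will need to check switch between them" is a leftover; "we will need to switch between them" is meant.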
Line 64: Line 54:
          ......          ......
  
-That command will list all the pci devices connected to the pci bus. You should see something similar to this when you run it on your machine.+That command will list all the PCI devices connected to the pci bus. You should see something similar to this when you run it on your machine.
 Note I removed most of the output. Note I removed most of the output.
  
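Review bot: the capitalisation fix in this hunk is only half done: the sentence now reads "PCI devices" but still "pci bus"; use "PCI bus" as well.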
Line 73: Line 63:
  
 When I used [[http://www.remote-exploit.org/backtrack.html|backtrack2]] to test this, the rtap0 interface was not created after booting the livecd. When I used [[http://www.remote-exploit.org/backtrack.html|backtrack2]] to test this, the rtap0 interface was not created after booting the livecd.
-We need the rtap0 up and running. That is why we have to reload the device driver again to force it:+We need the rtap0 up and running. We can tell the device driver to create the rtap_iface interface running:
  
-         # rmmod ipw2200 +         # echo > /sys/class/net/eth1/device/rtap_iface
-         # modprobe ipw2200 rtap_iface=+
  
-Okso we have verified that we have an ipw2200 card and that Linux can talk to it.+That's the method I would recommend. Butif you are using the latest version of airodump-ng (we'll use it in the next section) you can 
 +tell the program to create the rtap0 device for you:
  
 +         # airodump-ng -c X rtap0
  
 +We'll talk it in the next section.
 +
 +Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it.
  
 ===== List available networks =====  ===== List available networks ===== 
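Review bot: the replacement command `# echo > /sys/class/net/eth1/device/rtap_iface` writes an empty string to the rtap_iface attribute, and the removed line `# modprobe ipw2200 rtap_iface=` is missing its value in the same way, which suggests the value was lost when the diff was rendered; check that the intended value is present in the stored page text. The new paragraph also says the same thing twice ("we'll use it in the next section" and then "We'll talk it in the next section"); keep one, and "talk it" should be "talk about it".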
Line 91: Line 85:
 === NOTE: === === NOTE: ===
 I am assuming that linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0. I am assuming that linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0.
- 
- 
  
 ===== Change the MAC address of our card ===== ===== Change the MAC address of our card =====
  
-This step is optional but it will give us some anonimyty. On a new window:+This step is optional but it will give us some anonymity. On a new window:
  
        # ifconfig eth1 up hw ether 00:11:22:33:44:55        # ifconfig eth1 up hw ether 00:11:22:33:44:55
- 
  
 ===== Configure the wireless parameters ===== ===== Configure the wireless parameters =====
Line 107: Line 98:
        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed
  
-Due to a device driver issue we have to force a fakekey to ensure the airdump-ng tools work properly.+Due to some limitations with the firmware we have to force a fakekey and set managed mode to ensure the aircrack-ng tools work properly.
  
 ESSID is the name of the wireless network of our target AP. Channel is the wireless channel. ESSID is the name of the wireless network of our target AP. Channel is the wireless channel.
- 
- 
  
 ===== Collect data with airodump-ng ===== ===== Collect data with airodump-ng =====
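Review bot: the new wording attributes the fakekey requirement to "limitations with the firmware" where the old text said "a device driver issue", and adds "set managed mode", but neither side cites where the limitation is documented; a reader who hits an iwconfig error has nothing to follow up. Link the driver or firmware note the claim is based on.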
Line 117: Line 106:
 In another window, we start collecting data: In another window, we start collecting data:
  
-       # airodump-ng --bssid <AP MAC> -w dump rtap0+       # airodump-ng -c <channel> --bssid <AP MAC> -w dump rtap0
  
 Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea
 to create a new directory and to run all of them from there. to create a new directory and to run all of them from there.
  
 +As we said before, if you are running the latest version of airodump-ng, rtap0 will be created for you automatically in case you didn't before.
  
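Review bot: the added sentence "rtap0 will be created for you automatically in case you didn't before" repeats the earlier rtap0 section and is ungrammatical; "if you did not create it earlier" is meant. Adding "-c <channel>" to the airodump-ng line is good, but the earlier section showed "airodump-ng -c X rtap0" without --bssid or -w; the two forms should agree, or the earlier one should be marked as abbreviated.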
 ===== Launch the chopchop attack ===== ===== Launch the chopchop attack =====
Line 127: Line 117:
 Now it is time to do some injection. In a new window we will launch the chopchop attack: Now it is time to do some injection. In a new window we will launch the chopchop attack:
  
-       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1+       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1
  
 Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop). Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop).
Line 137: Line 127:
 vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine.
  
- +If the attack fails, try to rerun the command again omitting the "-h <AP MAC>" parameter.
- +
  
 ===== Create the arp request packet ===== ===== Create the arp request packet =====
  
-Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP.  +Now we will create an arp-request packet using the acquired keysteam file. The "-l" and "-k" options are the source IP and destination IP.  
-They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP. This can be run  +If you use valid destination IPs then you will be running an [[arp_amplification|amplification attack]]. This can be run in the same window  
-in the same window we run the chopchop attack:+we run the chopchop attack:
        
-       # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request +     # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request
- +
- +
  
 ===== Send the arp request over and over ===== ===== Send the arp request over and over =====
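Review bot: the new troubleshooting line says to omit the "-h <AP MAC>" parameter, but in the aireplay-ng command above the AP MAC is passed with -a while -h carries 00:11:22:33:44:55, the address set in the optional MAC-change step; the label should name the parameter actually meant. "keysteam" (unchanged on both sides) should be "keystream", and the packetforge-ng line lost its indentation relative to the other command lines in this hunk.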
Line 158: Line 143:
  
       # aireplay-ng -2 -r arp-request eth1       # aireplay-ng -2 -r arp-request eth1
- 
- 
- 
- 
- 
- 
  
 ===== Wait to gather enough IVs ===== ===== Wait to gather enough IVs =====
  
-We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run airocrack-ng.  +We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run aircrack-ng.  
-How many packages we need so airocrack-ng cracks the wep key? It depends. The version of  +How many packages we need so aircrack-ng cracks the wep key? It depends. The version of  
-airocrack-ng that comes with backtrack2 is not the lastest one. There have been a lot of improvements in recent versions  +aircrack-ng that comes with backtrack2 is not the latest one so we need around 1.000.000 of IVs. 
-that have reduced the number of IVs neededIn my experience, I have found 300k (data output) is enough. +If we are using the latest version (0.9 and up100.000 is enough.
- +
- +
- +
- +
  
 ===== Crack the wep key using aircrack-ng ===== ===== Crack the wep key using aircrack-ng =====
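Review bot: the IV estimate in this hunk changes from the removed "300k (data output) is enough" to "around 1.000.000" for the backtrack2 version and "100.000" for 0.9 and up, without saying which cracking mode the figures assume; the -z option that the next hunk introduces is what the lower figure depends on, so cross-reference it here. Use one thousands style throughout ("1,000,000" or "1 000 000"; "1.000.000" reads as a decimal to many readers), and "packages" should be "packets".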
Line 181: Line 155:
 In another window we launch: In another window we launch:
  
-      # aircrack-ng dump*.cap+      # aircrack-ng -z dump*.cap
  
-Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately.+Depending the number of packages you have gathered, this may take some minutes or you may get the key immediately. 
 +The -z argument tells aircrack-ng to also try the PTW attack. If you version of aircrack-ng doesn't support it, just 
 +omit it.
  
 === NOTE: === === NOTE: ===
-aircrack-ng can be run at the same time airodump-ng is running. This is very interesting because it will  +aircrack-ng can run concurrently with airodump-ng. This is very interesting because it will  
-allow you to check the number of IVs that airodump-ng has gathered. If you think you don't have enough, just +allow you to check the number of IVs that airodump-ng has gathered. You can cancel the execution of aircrack-ng and 
-CTRL + C and wait for more packets to come. +wait for more data to be gathered.
  
-  
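Review bot: "If you version of aircrack-ng doesn't support it" still has a typo ("If your version") despite the revision summary "Fixed typos", and "Depending the number of packages" should be "Depending on the number of packets". The rewritten NOTE drops the concrete "CTRL + C" instruction in favour of "cancel the execution of aircrack-ng"; keeping the key combination is clearer for the reader.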
ipw2200_generic.1188357767.txt.gz · Last modified: 2007/08/29 05:22 by drio