Day: May 28, 2009

Messing with WEP – Part II

This is where it gets fun. In this part, we’ll set our wireless interface to monitor mode, and we’ll start sniffing some packets and dumping the captures into a file for further analysis.

To start, we have to list the available wireless interfaces to the system. Hopefully your card is compatible and has a driver already loaded. Let’s fire up Konsole (a terminal application), which is the third icon from the bottom-left, and we’ll type:

iwconfig

This will throw back the list of wireless interfaces. iwconfig is similar to ifconfig, and easy to remember because of the single-letter change.
Once we've determined that our wireless card is there, and what its name is, we'll set it into monitor mode by running:

airmon-ng start wlan0

Obviously, replace wlan0 with whatever your interface name is.
After we set the card in monitor mode, we’ll be given an alternate interface name usually in the form of mon[x]. We’ll be using that interface to sniff packets.
Next, let’s do a short site survey to see what’s really around us. We’ll run airodump-ng to do this as follows:

airodump-ng mon0


This will give us the list of APs and stations close to us, and if your card supports it, a signal strength and receive quality indicator. It's best that your receive quality is close to 100, as this will help when injecting packets later on…
You'll notice the channel keeps changing; this is because we're surveying the entire spectrum for available networks. Once we find the one we'd like to peek into, it's very important to lock the card on that channel so we can listen to the maximum number of packets.
Let's lock the card on channel 1 so we can hear that AP better… we do that by using iwconfig again:

iwconfig wlan0 channel 1

And then let’s see the results:

airodump-ng --channel 1 mon0

Hopefully now beacons will show up more often (they are useless for the capture itself, but a good indicator that we have signal; the faster they flow the better).
Next we'll set the proper airodump-ng parameters so we lock to a specific channel and a specific AP (or BSSID), and write the captured IVs into a file that we can use…

airodump-ng --ivs --write /root/capture --bssid 00:12:17:05:92:5D --channel 1 mon0

By doing this, we'll start listening to ALL network traffic to and from that specific AP. If the network is pretty active, we should see the "#Data" counter go up, which is exactly what we want. The more "Data" we capture, the faster we can get that WEP key.
Just to give you an idea, it's very unlikely you'll get far with anything less than 50000 IVs ("Data"). This is why in the next section I'll go over how to inject packets to generate fake traffic and get that Data counter up to something usable in minutes.
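To put the "#Data" counter and the 50000-IV figure in context, here is an added Python example (not from the original post) that quantifies why WEP's 24-bit per-frame IV is so small: it computes the probability that an IV value has already repeated after a given number of captured frames, the expected number of frames before the first repeat, and how long a sequentially incrementing sender takes to wrap its whole IV space. The frame rate used in the demo is a constructed value.

```python
"""Why the IV count matters: WEP prepends a 24-bit IV to the RC4 key for every frame,
so the keystream space is tiny and IVs (and thus keystreams) repeat quickly."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IV values


def iv_collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV value repeats among `frames` frames,
    assuming the sender picks IVs uniformly at random (birthday-bound approximation).
    A repeated IV means the same RC4 keystream encrypted two different frames."""
    if frames < 2:
        return 0.0
    if frames > space:
        return 1.0  # pigeonhole principle: more frames than IV values
    exponent = -frames * (frames - 1) / (2.0 * space)
    return 1.0 - math.exp(exponent)


def expected_frames_to_first_repeat(space: int = IV_SPACE) -> float:
    """Expected number of frames sent before the first IV repeat with random IVs:
    sqrt(pi * N / 2), roughly 5,100 frames for N = 2^24."""
    return math.sqrt(math.pi * space / 2.0)


def hours_to_exhaust_iv_space(frames_per_second: float, space: int = IV_SPACE) -> float:
    """A sender that increments the IV sequentially wraps around after `space` frames;
    at a busy AP that is a matter of hours, not years."""
    if frames_per_second <= 0:
        raise ValueError("frames_per_second must be positive")
    return space / frames_per_second / 3600.0


if __name__ == "__main__":
    for n in (1000, 5000, 50000):
        print(f"{n:>6} IVs captured -> P(at least one IV repeat) = {iv_collision_probability(n):.3f}")
    print(f"expected frames until first repeat: {expected_frames_to_first_repeat():.0f}")
    # 500 frames/s is a constructed, plausible rate for a busy 802.11g AP
    print(f"sequential IV wrap-around at 500 frames/s: {hours_to_exhaust_iv_space(500):.1f} hours")
```

The numbers show that the 50000-IV threshold the post mentions is already far past the point where keystream reuse is essentially certain; the remaining work of the statistical key recovery is what needs the extra volume.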