SEO, Scripting and Politics

     


 
February 12th, 2007 ‡ Linux, wifi



This tutorial is intended for users with little or no experience with linux or wifi. The folks over at remote-exploit have released "Backtrack", a tool which makes it ridiculously easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.

Requirements

- You will need a computer with a wireless adapter listed here
- Download Backtrack and burn its image to a CD

Backtrack

Backtrack is a bootable live cd with a myriad of wireless and tcp/ip networking tools. This tutorial will only cover the included kismet and aircrack-ng suite of tools.

Tools

- Kismet – a wireless network detector and packet sniffer
- airmon-ng – a tool that can help you set your wireless adapter into monitor mode (rfmon)
- airodump-ng – a tool for capturing packets from a wireless router (otherwise known as an AP)
- aireplay-ng – a tool for forging ARP requests
- aircrack-ng – a tool for decrypting WEP keys
- iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in "monitor" mode, which is essential to sending fake ARP requests to the target router
- macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

Terminology

- AP: Access Point, a wireless router
- MAC address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (ie 00:ef:a3:…)
- BSSID: the Access Point's MAC address
- ESSID: the Access Point's broadcast name (ie linksys, default, belkin etc). Some APs will not broadcast their name but Kismet may be able to detect it anyway
- Terminal: MS-DOS like command line interface. You can open this by clicking the black box icon next to the start key in backtrack
- WEP: short for Wired Equivalent Privacy, it is a security protocol for Wi-Fi networks
- WPA: short for WiFi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since Backtrack is a live CD running off your cdrom, there is nowhere that you can write files to unless you have a linux partition on your hard drive or a usb storage device. Backtrack has some NTFS support so you will be able to browse to your windows based hard drive should you have one, but it will mount the partition as "read-only". I dual boot windows and ubuntu on my laptop so I already have a linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and mounting them for me. To find your hard drive or usb storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda, or hda1 if you have more than one partition on the drive. Alternately hdb could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.

Disclaimer

Hacking into someone's wireless network without permission is probably against the law. I wouldn't recommend doing it. I didn't break into anyone else's network while learning how to do this.

Instructions

Step 1: Boot into Backtrack and start Kismet

Place the backtrack CD into your cd-rom drive and boot into Backtrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like "Hit ctrl+esc to change bios settings". Changing your first boot device to cdrom will do the trick. Once booted into linux, login as root with username root, password toor. These are the default username and password used by backtrack. A command prompt will appear. Type startx to start KDE (a 'windows' like workspace for linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to Backtrack -> Wireless Tools -> Analyzers -> Kismet. Alternatively you can open a Terminal and type

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely 'ath0', and sit back as kismet starts detecting networks in range.

Kismet is used here for two things:

1. To find the bssid, essid, and channel number of the AP you are accessing.
2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point?) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device's name just type

iwconfig

Which will look something like this:

While kismet detects networks and various clients accessing those networks you might want to type 's' and then 'Q' (case sensitive). This sorts all of the APs in your area by their signal strength. The default 'autofit' mode that kismet starts up in doesn't allow you much flexibility. By sorting APs by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (Side note: when selecting a target AP keep in mind this tutorial only covers accessing host APs that use WEP encryption. In kismet the flags for encryption are Y/N/0: Y = WEP, N = open network with no encryption, 0 = other, most likely WPA.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (essid), mac address (bssid), and channel number of your target AP into a text editor. Backtrack is KDE based so you can use kwrite. Just open a terminal and type in 'kwrite' or select it from the start button. In Backtrack's terminal, to copy and paste you use shift+ctrl+c and shift+ctrl+v respectively. You can also use airmon-ng to put the adapter into monitor mode manually; type airmon-ng -h for more help with this.
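The Y/N/0 flag Kismet shows comes from each AP's beacon frames: the capability field carries a "privacy" bit that is set whenever WEP or WPA is in use, and WPA/WPA2 networks additionally announce an RSN information element (tag 48) or a vendor WPA element (tag 221), so "privacy bit set, no WPA element" is what marks an AP as WEP. The Python below is an added example, not part of the original post and not Kismet's code; it applies that rule to raw beacon frames so a network owner can audit a capture for APs still running WEP. The beacon frames, MAC addresses and ESSIDs it parses are constructed inline for the example, and build_beacon, classify_beacon and wep_audit are names chosen here.

```python
import struct

# IEEE 802.11 frame control byte: bits 0-1 version, 2-3 type, 4-7 subtype.
MGMT, BEACON = 0, 8
CAP_PRIVACY = 0x0010                  # capability bit set when the AP requires WEP/WPA
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = pre-RSN WPA element


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the colon-separated hex form Kismet displays."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> list:
    """Split the tagged parameters of a management frame into (tag, value) pairs."""
    ies, pos = [], 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            break                     # truncated element: stop rather than misread the rest
        ies.append((tag, value))
        pos += 2 + length
    return ies


def classify_beacon(frame: bytes) -> dict:
    """Return bssid, essid and a Kismet-style Y/N/0 encryption flag for one beacon."""
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT or subtype != BEACON:
        raise ValueError("not a beacon frame")
    bssid = mac_str(frame[16:22])     # addr3 of a beacon is the BSSID
    body = frame[24:]                 # everything after the 24-byte MAC header
    _timestamp, _interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])        # fixed fields occupy the first 12 body bytes
    essid = next((v.decode("utf-8", "replace") for t, v in ies if t == IE_SSID), "")
    has_rsn = any(t == IE_RSN for t, _ in ies)
    has_wpa1 = any(t == IE_VENDOR and v.startswith(WPA1_OUI_TYPE) for t, v in ies)
    if not capability & CAP_PRIVACY:
        flag = "N"                    # open network, no encryption
    elif has_rsn or has_wpa1:
        flag = "0"                    # "other": WPA/WPA2
    else:
        flag = "Y"                    # privacy bit with no WPA/RSN element: WEP
    return {"bssid": bssid, "essid": essid, "flag": flag}


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, extra_ies: bytes = b"") -> bytes:
    """Construct a minimal beacon frame (sample data for the example, not a capture)."""
    header = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit (+ privacy bit)
    fixed = struct.pack("<QHH", 0, 100, capability)          # timestamp, interval, capability
    return header + fixed + bytes([IE_SSID, len(ssid)]) + ssid + extra_ies


# Minimal RSN element: version 1, CCMP group/pairwise cipher, PSK key management.
RSN_IE = (bytes([IE_RSN, 18]) + b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00"
          + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x02")

# Constructed sample APs; the MAC addresses and names are made up for the example.
SAMPLE_BEACONS = [
    build_beacon(b"\x00\x11\x22\x33\x44\x55", b"belkin", privacy=True),                  # WEP
    build_beacon(b"\x00\x11\x22\x33\x44\x66", b"linksys", privacy=False),                # open
    build_beacon(b"\x00\x11\x22\x33\x44\x77", b"home-wpa2", privacy=True, extra_ies=RSN_IE),
]


def wep_audit(frames: list) -> list:
    """List the BSSIDs that still advertise WEP, the thing a network owner wants to find."""
    return [r["bssid"] for r in map(classify_beacon, frames) if r["flag"] == "Y"]


if __name__ == "__main__":
    for f in SAMPLE_BEACONS:
        print(classify_beacon(f))
    print("APs still on WEP:", wep_audit(SAMPLE_BEACONS))
```

The classifier deliberately stops at a truncated information element instead of guessing, and it raises on anything that is not a beacon so that a data frame fed in by mistake is not silently reported as an open network.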

Step 2: Start airodump-ng

Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straightforward; for help with this program you can always type "airodump-ng -h" at the command prompt for additional options.

airodump-ng ath0 -w /mnt/hda/home/ryan/belkin_slax_rcu 9

Breaking down this command:

- ath0 is my wireless card
- -w tells airodump to write the file to /mnt/hda/home/ryan/belkin_slax_rcu
- 9 is the channel of my target AP
- the IVs-only option (see airodump-ng -h) tells airodump to only collect IVs – the data packets with the WEP key

Step 3: Fake authentication with the AP

aireplay-ng -1 0 -e belkin -a <AP MAC address> -h <your MAC address> ath0

- -1 at the beginning specifies the type of attack. In this case we want fake authentication with the AP. You can view all options by typing aireplay-ng -h
- 0 specifies the delay between attacks
- -e is the essid tag. belkin is the essid or broadcast name of my target AP. Linksys or default are other common names
- -a is the bssid tag (MAC address): the MAC address of the target AP
- -h is your wireless adapter's MAC addy. You can use macchanger to view and change your mac address: macchanger -s ath0
- ath0 at the end is my wireless adapter's device name in linux

Step 4: Replay ARP requests to generate IVs

aireplay-ng -3 -b <AP MAC address> -h <your MAC address> ath0

Options:

- -b requires the MAC address of the AP we are accessing.
- -h is your wireless adapter's MAC addy. You can use macchanger to view and change your mac address: macchanger -s ath0
- if packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter's transmission rate. You can find your AP's transmission rate in kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are …M or …M.

As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many ARP requests from other computers on the network. As it runs, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no need to close the open aireplay terminal window before doing this; just do it simultaneously. You will probably need somewhere in the hundreds of thousands of IV data packets for aircrack to break the WEP key.

Note: if you see a message like

Notice: got a deauth/disassoc packet. Is the source MAC associated ?

just reassociate with the AP following the instructions in step 3.
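That notice means the AP is rejecting frames from a station it does not consider associated. Seen from the network owner's side, deauthentication (management subtype 12) and disassociation (subtype 10) frames are also the frames a wireless IDS watches most closely, because a burst of them from one sender is the usual sign that somebody is knocking clients off the network or forcing them to re-authenticate. The Python below is an added example, not part of the original post: it walks timestamped frames from a monitor-mode capture and raises an alert when one sender emits a threshold number of deauth/disassoc frames inside a sliding time window. The frames, addresses and timestamps are constructed inline, and detect_deauth_bursts with its window and threshold values are assumptions made for the example.

```python
from collections import defaultdict, deque

# IEEE 802.11 frame control byte: bits 0-1 version, 2-3 type, 4-7 subtype.
MGMT = 0
BEACON, DISASSOC, DEAUTH = 8, 10, 12   # management subtypes


def frame_kind(frame: bytes):
    """Return (type, subtype) decoded from the first frame-control byte."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_deauth_or_disassoc(frame: bytes) -> bool:
    ftype, subtype = frame_kind(frame)
    return ftype == MGMT and subtype in (DEAUTH, DISASSOC)


def detect_deauth_bursts(events, window=1.0, threshold=5):
    """events: iterable of (timestamp_seconds, raw_frame) in capture order.

    Returns (sender_mac, timestamp, count) alerts, one per burst, emitted the
    moment a sender's deauth/disassoc count inside the sliding window reaches
    the threshold. Keying on addr2 (the transmitter) means spoofed frames are
    attributed to the identity they claim, which is what the AP owner needs."""
    recent = defaultdict(deque)        # sender MAC -> timestamps still inside the window
    alerts = []
    for ts, frame in events:
        if not is_deauth_or_disassoc(frame):
            continue
        sender = mac_str(frame[10:16])  # addr2 = transmitter address
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((sender, ts, len(q)))
    return alerts


def mgmt_frame(subtype: int, sender: bytes, receiver: bytes = b"\xff" * 6) -> bytes:
    """Build a minimal management frame for the constructed sample data."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    # duration, addr1 (receiver), addr2 (sender), addr3 (BSSID), sequence control
    header = fc + b"\x00\x00" + receiver + sender + sender + b"\x00\x00"
    return header + b"\x07\x00"        # two body bytes as placeholder; ignored by the detector


AP_A = b"\x00\x11\x22\x33\x44\x55"     # made-up addresses for the example
AP_B = b"\x00\x11\x22\x33\x44\x66"
CLIENT = b"\x00\xaa\xbb\xcc\xdd\xee"

# Constructed capture: AP_A fires six deauth/disassoc frames in 0.25 s, AP_B sends one.
SAMPLE_EVENTS = [
    (0.00, mgmt_frame(BEACON, AP_A)),
    (0.10, mgmt_frame(DEAUTH, AP_A, CLIENT)),
    (0.15, mgmt_frame(DEAUTH, AP_A, CLIENT)),
    (0.20, mgmt_frame(DISASSOC, AP_A, CLIENT)),
    (0.25, mgmt_frame(DEAUTH, AP_A, CLIENT)),
    (0.30, mgmt_frame(DEAUTH, AP_A, CLIENT)),   # fifth inside the window -> alert
    (0.35, mgmt_frame(DEAUTH, AP_A, CLIENT)),
    (0.40, mgmt_frame(DEAUTH, AP_B, CLIENT)),   # a single frame is ordinary traffic
    (1.50, mgmt_frame(BEACON, AP_A)),
]

if __name__ == "__main__":
    for sender, ts, count in detect_deauth_bursts(SAMPLE_EVENTS):
        print(f"ALERT {sender}: {count} deauth/disassoc frames within 1 s at t={ts:.2f}")
```

Because the alert fires when the count first equals the threshold, a sustained flood produces one alert per window rather than one per frame; raising the threshold or widening the window tunes it for busy networks where the AP itself legitimately sends the occasional deauth.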

Step 5: Crack the WEP key with aircrack-ng

Find the location of the captured IVS file you specified in step 2. Then type in a terminal

aircrack-ng -s /mnt/hda/home/belkin_slax_rcu-03.ivs

Change /mnt/hda/home/belkin_slax_rcu-03.ivs to your file's location.

Once you have enough captured data packets, decrypting the key will only take a couple of seconds. For my AP it took me 380k data packets. If aircrack doesn't find a key almost immediately, just sit back and wait for more data packets.

If this guide doesn't fully answer your questions you can always refer to the forums at remote-exploit.org
