Cracking WEP Using Backtrack: A Beginner’s Guide

Feb 12th, 2007 by Ryan in Wifi, Linux.

A. SCOPE

This tutorial is intended for users with little or no experience with Linux or Wi-Fi. The folks over at remote-exploit have released "Backtrack", a tool which makes it ridiculously easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.

Required Tools

  1. You will need a computer with a wireless adapter listed here
  2. Download Backtrack and burn its image to a CD

B. OVERVIEW

BACKTRACK is a bootable live CD with a myriad of wireless and TCP/IP networking tools. This tutorial will only cover the included Kismet and aircrack-ng suite of tools.

Tools Overview

  • Kismet - a wireless network detector and packet sniffer
  • airmon - a tool that helps you put your wireless adapter into monitor mode (rfmon)
  • airodump - a tool for capturing packets from a wireless router (otherwise known as an AP)
  • aireplay - a tool for forging ARP requests
  • aircrack - a tool for recovering WEP keys
  • iwconfig - a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in "monitor" mode, which is essential for sending fake ARP requests to the target router
  • macchanger - a tool that allows you to view and/or spoof (fake) your MAC address

Glossary of Terms

  • AP: Access Point: a wireless router
  • MAC Address: Media Access Control address, a unique ID assigned to wireless adapters and routers. It comes in hexadecimal format (e.g. 00:11:ef:22:a3:6a)
  • BSSID: the Access Point's MAC address
  • ESSID: the Access Point's broadcast name (e.g. linksys, default, belkin etc.). Some APs will not broadcast their name, but Kismet may be able to detect it anyway
  • TERMINAL: an MS-DOS-like command line interface. You can open this by clicking the black box icon next to the start key in Backtrack
  • WEP: short for Wired Equivalent Privacy, a security protocol for Wi-Fi networks
  • WPA: short for Wi-Fi Protected Access, a more secure protocol than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since Backtrack is a live CD running off your CD-ROM, there is nowhere that you can write files to unless you have a Linux partition on your hard drive or a USB storage device. Backtrack has some NTFS support, so you will be able to browse to your Windows-based hard drive should you have one, but it will mount the partition as "read-only". I dual boot Windows and Ubuntu on my laptop, so I already have a Linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and mounting them for me. To find your hard drive or USB storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1, or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.

C. DISCLAIMER

Hacking into someone's wireless network without permission is probably against the law. I wouldn't recommend doing it. I didn't break into anyone else's network while learning how to do this.

D. IMPLEMENTATION

STEP 1

Monitoring Wireless Traffic With Kismet

Place the Backtrack CD into your CD-ROM drive and boot into Backtrack. You may need to change a setting in your BIOS to boot from CD-ROM. During boot up you should see a message like "Hit ctrl+esc to change bios settings". Changing your first boot device to CD-ROM will do the trick. Once booted into Linux, log in as root with username: root, password: toor. These are the default username and password used by Backtrack. A command prompt will appear. Type startx to start KDE (a "Windows"-like workspace for Linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to Backtrack->Wireless Tools -> Analyzers ->Kismet. Alternatively you can open a Terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely 'ath0', and sit back as Kismet starts detecting networks in range.

NOTE: We use kismet for two reasons.

1. To find the bssid, essid, and channel number of the AP you are accessing.

2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point?) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device’s name just type:

iwconfig

Which will look something like this:

[screenshot: iwconfig output]

While Kismet detects networks and various clients accessing those networks, you might want to type 's' and then 'Q' (case sensitive). This sorts all of the APs in your area by their signal strength. The default 'autofit' mode that Kismet starts up in doesn't allow you much flexibility. By sorting APs by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (Side note: when selecting a target AP keep in mind this tutorial only covers accessing host APs that use WEP encryption. In Kismet the flags for encryption are Y/N/0: Y = WEP, N = open network with no encryption, 0 = other, most likely WPA.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (ESSID), MAC address (BSSID), and channel number of your target AP into a text editor. Backtrack is KDE based, so you can use kwrite: just open a terminal and type 'kwrite', or select it from the start button. In Backtrack's terminal you copy and paste with shift+ctrl+c and shift+ctrl+v respectively. Leave Kismet running to keep your wireless adapter in monitor mode. You can also use airmon to do this manually; run airmon-ng -h for more help with this.

STEP 2

Collecting Data With Airodump

Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straightforward; for help with this program you can always type "airodump-ng -h" at the command prompt to see the additional options.

airodump-ng ath0 -w /mnt/hda2/home/ryan/belkin_slax_rcu 9 1

Breaking down this command:

  • ath0 is my wireless card
  • -w tells airodump to write the capture to /mnt/hda2/home/ryan/belkin_slax_rcu
  • 9 is the channel of my target AP (channel 9)
  • 1 tells airodump to collect only IVs, the initialization vectors from the WEP data packets
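Airodump's job in this step is collection; a defender running the same kind of survey over their own premises wants the inverse report: which access points in range still use WEP (or nothing) at all. The following Python script is an added example and not part of the original tutorial. It parses a CSV in the layout modelled on the <prefix>-01.csv file airodump-ng writes alongside its capture and flags WEP and open networks; the exact header, the Privacy spellings (OPN/WEP/WPA/WPA2) and the sample rows are constructed assumptions of this example, so check them against the header line your own airodump-ng version emits.

```python
"""Audit an airodump-ng style survey CSV for WEP and open access points.

Added example, not part of the original tutorial. The column layout below is
modelled on the <prefix>-01.csv file airodump-ng writes alongside its capture;
treat the exact header and the Privacy spellings (OPN/WEP/WPA/WPA2) as an
assumption of this example and check them against your own version's output.
"""
import csv
import io

# Constructed sample: three access points followed by the station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-09-01 12:00:00, 2007-09-01 12:10:00,  9,  54, WEP , WEP, , -40, 120, 380000,   0.  0.  0.  0,   6, belkin, 
00:aa:bb:cc:dd:ee, 2007-09-01 12:00:05, 2007-09-01 12:10:00,  6,  54, WPA2, CCMP, PSK, -55, 98, 0,   0.  0.  0.  0,   7, linksys, 
00:12:34:56:78:9a, 2007-09-01 12:01:00, 2007-09-01 12:09:30, 11,  11, OPN , , , -70, 40, 0,   0.  0.  0.  0,   7, default, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:fe:22:33:f4:e5, 2007-09-01 12:02:00, 2007-09-01 12:10:00, -45, 2000, 00:11:22:33:44:55, belkin
"""


def parse_access_points(text):
    """Return one dict per row of the access-point table (the first table in the file)."""
    aps = []
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            if header:
                break          # a blank line separates the AP table from the station table
            continue
        if header is None:
            header = [col.strip() for col in row]
            continue
        aps.append(dict(zip(header, (col.strip() for col in row))))
    return aps


def audit(text):
    """Return (bssid, essid, channel, label, reason) for every AP with weak or no encryption."""
    findings = []
    for ap in parse_access_points(text):
        privacy = ap["Privacy"].split()      # may hold several tokens, e.g. "WPA2 WPA"
        if "WEP" in privacy:
            findings.append((ap["BSSID"], ap["ESSID"], int(ap["channel"]), "WEP",
                             f"WEP key recoverable from captured IVs ({ap['# IV']} already seen); migrate to WPA2"))
        elif not privacy or "OPN" in privacy:
            findings.append((ap["BSSID"], ap["ESSID"], int(ap["channel"]), "OPEN",
                             "no link-layer encryption at all"))
    return findings


if __name__ == "__main__":
    for bssid, essid, channel, label, reason in audit(SAMPLE_CSV):
        print(f"{label:5} ch{channel:2} {bssid} {essid!r}: {reason}")
```

Run it against a real survey by reading your own <prefix>-01.csv into `audit()` instead of the constructed sample; the "# IV" column is the same count the tutorial watches grow, so a high value on a WEP network is a measure of how much keying material has already leaked.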

STEP 3

Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

  • -1 at the beginning specifies the type of attack; in this case we want fake authentication with the AP. You can view all options by typing aireplay-ng -h
  • 0 specifies the delay between attacks
  • -e is the ESSID tag. belkin is the ESSID, or broadcast name, of my target AP. linksys or default are other common names
  • -a is the BSSID tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
  • -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
  • ath0 at the end is my wireless adapter's device name in Linux

STEP 4

Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

NOTES:

  • -b requires the MAC address of the AP we are accessing.
  • -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
  • If packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter's transmission rate. You can find your AP's transmission rate in Kismet by using the up or down arrow keys to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many ARP requests from other computers on the network. As it runs, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no need to close the open aireplay terminal window before doing this; just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?

Just reassociate with the AP following the instructions on step 3.
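The traffic pattern this step produces is also what a defender watches for: a replay tool re-injects one captured ARP request thousands of times, so the access point sees a single client MAC emitting identical-size data frames far faster than any real host sends ARP, typically right after a fresh authentication. The following Python detector is an added example and not part of the original tutorial. It runs a sliding-window rate check over a constructed frame log; the record layout, the 28-byte ARP payload size and the 50 frames/second threshold are assumptions of this example that you would tune for your own environment.

```python
"""Detect ARP-replay-style injection against an access point from a frame log.

Added example, not part of the original tutorial. The frame records, the
28-byte ARP payload size and the 50 frames/s threshold are constructed
assumptions of this example; tune them to your own environment.
"""
from collections import defaultdict

# Constructed frame log: (timestamp in ms, source MAC, frame kind, payload bytes).
FRAMES = (
    # a real client: one ARP request every half second
    [(500 * i, "00:aa:bb:cc:dd:01", "data", 28) for i in range(10)]
    # a fake-authentication handshake, then 400 replayed ARP frames 5 ms apart
    + [(1000, "00:fe:22:33:f4:e5", "auth", 0), (1100, "00:fe:22:33:f4:e5", "assoc", 0)]
    + [(2000 + 5 * i, "00:fe:22:33:f4:e5", "data", 28) for i in range(400)]
)


def peak_rates(frames, window_ms=1000):
    """Peak frames per second for each (source, kind, size), over any window_ms span."""
    times = defaultdict(list)
    for ts, src, kind, size in frames:
        times[(src, kind, size)].append(ts)
    peaks = {}
    for key, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_ms:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best * 1000 / window_ms
    return peaks


def detect_replay(frames, threshold=50.0, arp_size=28):
    """Return [(source MAC, peak rate)] for sources replaying ARP-sized data frames."""
    suspects = [(src, rate) for (src, kind, size), rate in peak_rates(frames).items()
                if kind == "data" and size == arp_size and rate > threshold]
    return sorted(suspects)


if __name__ == "__main__":
    for src, rate in detect_replay(FRAMES):
        print(f"ALERT possible ARP replay from {src}: {rate:.0f} identical frames/s")
```

The legitimate client peaks at three ARP frames per second and is ignored, while the replaying station peaks at about two hundred; a wireless IDS applies the same rate logic to live captures, and the deauth/disassoc notice quoted above is the access point's side of that same exchange.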

STEP 5

Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/belkin_slax_rcu-03.ivs

Change /mnt/hda2/home/belkin_slax_rcu-03.ivs to your file’s location

Once you have enough captured data packets, recovering the key will only take a couple of seconds. For my AP it took 380k data packets. If aircrack doesn't find a key almost immediately, just sit back and wait for more data packets.

[screenshot: aircrack-ng output]

If this guide doesn't fully answer your questions, you can always refer to the forums at remote-exploit.org.

26 Responses to "Cracking WEP Using Backtrack: A Beginner's Guide"

  1. aquastrike July 12, 2007 at 6:49 pm

    Great tutorial!

  2. Stonkey July 24, 2007 at 11:16 am

    Hey, great stuff. Is there somewhere I can download this with the pictures embedded in it and all that?

  3. Ryan July 25, 2007 at 11:29 pm

    I added a print this post option. You might want to print the images separately.

  4. Guanji July 31, 2007 at 11:37 am

    WOW.. trust me i have been to thousands of forums and read post but this is by far the most detailed tutorial so far. It looks like you are using ubuntu which is great, I dual boot with windows as well. I am going to use BackTrack to perform this lab test at home as it comes with more security tools. I love ubuntu soon as i change my video card and figure out the dual boot. ATI are pain in the ass.

  5. Ryan July 31, 2007 at 6:04 pm

    Thanks Guanji

    I do use Ubuntu on my laptop normally, and i took some of the snapshots from within it. I used backtrack to do the real work though, which is packet injection. I need to update this to work with backtrack 2.0. I should have it done over the weekend.

  6. Guanji July 31, 2007 at 6:15 pm

    Hey, you don't have to update the computer when it loads, do you? I know there are dependencies, so maybe I would need a LAN connection? Right now I use an air card for my laptop, but I'm trying to do this on my desktop, which is connectionless..

  7. Tony August 10, 2007 at 7:13 pm

    Great how-to! Let me just mention that, in BT2 you can also start Kismet with “start-kismet-ng”. This auto configures kismet.conf and runs Kismet.

  8. Ryan August 14, 2007 at 1:57 pm

    Thanks Tony, I still haven't had time to test out BT2. I'm looking forward to it. The improved support for USB wireless devices should definitely make it more useful for beginners.

  9. nym-ph August 17, 2007 at 8:30 am

    yeah.. wep crackin’s easy. you just made it even simpler.
    great guide, very direct and easy to understand.

  10. olva August 25, 2007 at 9:28 am

    does this back track have a driver for intel /PRO wireless network device or not ?? because it doesn’t feel my wireless device , i do not know why and what i can do to fix this ?

  11. Ryan August 26, 2007 at 5:07 pm

    the list of compatible wireless adapters can be found here:

    http://backtrack.offensive-security.com/index.php?title=HCL:Wireless

  12. RW August 28, 2007 at 5:31 pm

    Hey, great guide, Ryan!
    I’ve been doing a lot of googling, and this is the best one I’ve found so far!

  13. Wallawallaa September 1, 2007 at 3:02 pm

    Ryan, thanks for the tutorial but i am having some problems with mine working. it seems like u are a Linux Master and i was wondering if u could help me out. i think my problem is my internet card. i am using the internal one out of my mac book. i just wanted to know what you thought. thanks

  14. Ryan September 1, 2007 at 3:16 pm

    Haha, well thanks, but I am definitely NOT a linux master. It sounds like your card is likely the culprit. The best thing to do is see if your card is on the list of supported cards. If it isn’t, your card won’t be able to do the packet injection necessary for this tutorial to be of any help.

  15. benjab September 5, 2007 at 9:31 am

    Hey there, great tutorial… I have Backtrack 2 and I can't tell if my card is compatible. I have an Atheros AR5BMB5 (according to the underside of my Acer Aspire 9300 laptop).
    Any ideas? I mean, is that the actual name of my card? I can't find any mention of it on the compatibility list on madwifi.

  16. Ryan September 5, 2007 at 11:53 am

    Hi benjab, your card should be using the atheros chipset which *should* work. Good Luck and let me know!

  17. Gozzy September 11, 2007 at 3:20 pm

    Hi ,

    I just tried your tutorial and after this line I get an error:
    unknow command.
    airodump-ng ath0 -w /mnt/hda2/home/ryan/belkin_slax_rcu 9 1

    I am working from the cd .

  18. Ryan September 11, 2007 at 6:01 pm

    Hmm not sure… maybe the backtrack 2.0 live cd uses regular airodump and not airodump-ng…

    you could try

    airodump ath0 -w /path/filename

    good luck!

  19. Justin September 19, 2007 at 10:02 pm

    Hey Ryan, I love this tutorial, its just detailed enough without being condescending. I’m using backtrack 2 and the commands are quite different (but I’ve figured them out accordingly) so everything seems to be working well, but the IVS collection is slow as hell (100 IVS packets in 45 mins, even though reading and sending packets moves quite fast). I’m using an older Proxim card (the Gold a/b 8460-05) but it’s not on the list, so I’m wondering if you think that may be my problem. Everything seems to work, but it would literally take days to collect enough of the packets I need. Also, I’m cracking my own connection, so it’s in an optimal environment.

    And Gozzy, you need to change it up to this:
    'airodump-ng --ivs -w /root/Desktop/ (whatever channel number) ath0'
    --ivs tells it only to save the IVs packets, the directory will save it to your desktop and the channel is whatever channel you're working on. It's a lot different from Backtrack 1.

  20. Ryan September 19, 2007 at 10:09 pm

    Hi Justin,

    Ya, this tutorial definitely needs an update… To ask the obvious question: Are you using packet injection with aireplay? Because if you aren’t then it stands to reason that your IV packet collection would be extremely slow. With aireplay spamming arp requests to the access point your IV collection should go very fast. 5-10 minutes max.

    EDIT: after re-reading your comment, I think packet injection is failing. I would suspect your card is indeed the problem.

  21. joe September 26, 2007 at 11:36 pm

    Yeah, Backtrack 2.0 uses very different command line options, it was very frustrating.

    Also, for some reason I can’t run aireplay, it says cannot execute binary file for some reason… why would it do that? it also does that with standard linux commands like vi or nano stuff like that, weird.

  22. Andrew September 27, 2007 at 10:52 am

    Hi!
    I'm new to BT, I have a little problem. When BT starts, I type in name and pass, and then I type: startx
    and it says:
    -bash: bt: command not found
    Can you help me ?
    Thx a lot!

  23. Ryan September 27, 2007 at 1:02 pm

    Hi Joe & Andrew

    Are you guys running it off of the live cd? I’m not really sure what’s going on. You might try the forums over at remote-exploit.org.

  24. Alf September 30, 2007 at 12:31 pm

    Kismet is not where the above instructions say it is, and when I go into a Konsole and type “kismet,” I get an error message. I have tried BT2 on both live CD and installed to hard disk. This distro is head and shoulders above all others for running wifi cards, so I am frustrated not to be able to put it to work.

  25. Ryan October 1, 2007 at 7:35 pm

    Alf: I believe BT2 uses kismet-ng not kismet at the command line. You can also use start-kismet-ng to automatically configure your wireless card to run in monitor mode. Hope that helps

  26. tiger October 1, 2007 at 11:41 pm

    hi there, thank you, great great tut.. just one ques… when I start the live CD from my brother's Dell laptop it works just fine, but when I try to start it from my 2GHz AMD HP Pavilion laptop it freezes
    after the boot word comes, then I click enter, then you see 2 lines getting initialized, after that nothing happens, just a blank screen. Any idea?
    thanks much…….
