
Cracking the WEP with PRISM cards (Includes xdelta how-to)

First I will show you the different hardware I am using.

  • Compaq R3000 laptop (P4 2.8 GHz with 384 MB of RAM)
  • NetGear MA401 rev. D WIFI card (Prism chipset)

As I will be using a PRISM chipset, this tutorial will be based on those commands. There are different tutorials out on the forums for the different chipsets.


First things first, we need to download the Auditor collection from the web. The mirror list at http://new.remote-exploit.org/index.php/Auditor_mirrors will provide you with the collection you will need. (Make sure you download auditor-200605-02-no-ipw2100.iso, regardless of the fact that you don't have the Intel chipset. Trust me on this one.)


Next we need to use the xdelta patch to get a current version of the Auditor collection. http://myweb.cableone.net/ksavage/Win32-Auditor-XDelta-Patch-With-Auto-Batch-File.zip will provide you with a version of the xdelta patch that you can use from Windows. Just put all the files in the same directory, then run the enclosed BAT file to create the new ISO. (I used this one and was able to patch it quite easily. You can patch it from Linux, but as most of you are more familiar with Windows I will only explain how to do the patching through that OS.)


Now that you have the new ISO containing the patched Auditor set, burn it onto a nice blank CD.


Since I am sure you have used the Auditor set at least once I will not explain how to get into it. If you are not sure how to do that you will need to do some searching in the beginner's section of the forums and learn a little before proceeding.


Because the NetGear MA401 WIFI card doesn't load properly and gets the orinoco_cs bindings, we will need to change the config file so that it loads the proper prism2_cs bindings. (I will assume you have installed the Auditor collection to your hard drive. I am unsure of how to change the setup files while running from the CD.) If you do not have this WIFI card, or if you know that you have the proper bindings loaded, you can skip to the next part of the tutorial.


You will need to go into your hard drive partition (usually hda6), into the etc directory, and then into the pcmcia directory. In there you should see a file called config. Open it and search for all occurrences of 401. The first one we are interested in for our Netgear card looks like this:

card "Netgear MA401RA Wireless Adapter"
version "NETGEAR MA401RA Wireless PC", "Card"
bind "orinoco_cs"

You will need to change the bind from orinoco_cs to prism2_cs. Now it should look like this:

card "Netgear MA401RA Wireless Adapter"
version "NETGEAR MA401RA Wireless PC", "Card"
bind "prism2_cs"

The next one should look like this:

card "NetGear MA401RA"
manfid 0x000b, 0x7300
bind "orinoco_cs"

Once again, change the orinoco_cs to prism2_cs. The last one will be:

card "Netgear MA401RA Wireless Adapter"
version "NETGEAR MA401RA Wireless PC", "Card"
bind "orinoco_cs"

Change the last one to prism2_cs as well. Now save and close the file. From now on, when you load your card it will always get the proper prism bindings.
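The three edits above are the same change applied to every stanza for the MA401 card, and doing them by hand is easy to get wrong (miss one stanza and the card keeps picking up orinoco_cs). The following script is an added example, not part of the original tutorial: it reads a pcmcia-cs config, finds every stanza whose "card" name matches a pattern, and rewrites only the "bind" line inside those stanzas, leaving every other card untouched. The SAMPLE_CONFIG is constructed from the stanzas quoted in the tutorial plus one unrelated card; the file path and the backup suffix are assumptions.

```python
import re
import shutil

# Constructed sample: the three MA401 stanzas quoted in the tutorial plus
# one unrelated orinoco card that must NOT be rewritten.
SAMPLE_CONFIG = """\
card "Netgear MA401RA Wireless Adapter"
  version "NETGEAR MA401RA Wireless PC", "Card"
  bind "orinoco_cs"

card "NetGear MA401RA"
  manfid 0x000b, 0x7300
  bind "orinoco_cs"

card "Lucent Technologies WaveLAN/IEEE Adapter"
  version "Lucent Technologies", "WaveLAN/IEEE"
  bind "orinoco_cs"

card "Netgear MA401RA Wireless Adapter"
  version "NETGEAR MA401RA Wireless PC", "Card"
  bind "orinoco_cs"
"""

CARD_LINE = re.compile(r'^\s*card\s+"')


def split_stanzas(text):
    """Split a pcmcia-cs config into stanzas; each stanza begins at a 'card' line.
    Anything before the first 'card' line (comments, includes) becomes its own chunk."""
    stanzas, current = [], []
    for line in text.splitlines(keepends=True):
        if CARD_LINE.match(line) and current:
            stanzas.append(current)
            current = []
        current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def rebind(text, card_pattern, old_driver, new_driver):
    """Rewrite 'bind "old_driver"' to 'bind "new_driver"' inside every stanza whose
    card name matches card_pattern (case-insensitive). Returns (new_text, changes)."""
    name_re = re.compile(card_pattern, re.IGNORECASE)
    bind_re = re.compile(r'^(\s*bind\s+")' + re.escape(old_driver) + r'(")')
    out, changed = [], 0
    for stanza in split_stanzas(text):
        head = stanza[0]
        if CARD_LINE.match(head) and name_re.search(head):
            rewritten = []
            for line in stanza:
                new_line, n = bind_re.subn(r'\g<1>' + new_driver + r'\g<2>', line)
                changed += n
                rewritten.append(new_line)
            stanza = rewritten
        out.extend(stanza)
    return "".join(out), changed


def rebind_file(path, card_pattern, old_driver, new_driver, backup_suffix=".bak"):
    """Apply rebind() to a file in place, keeping a backup copy first (assumed layout)."""
    with open(path, "r") as fh:
        original = fh.read()
    new_text, changed = rebind(original, card_pattern, old_driver, new_driver)
    if changed:
        shutil.copyfile(path, path + backup_suffix)
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    # Dry run on the constructed sample; to edit the real file you would call
    # rebind_file("/etc/pcmcia/config", r"MA401", "orinoco_cs", "prism2_cs").
    new_text, changed = rebind(SAMPLE_CONFIG, r"MA401", "orinoco_cs", "prism2_cs")
    print("stanzas rewritten:", changed)
    print(new_text)
```

The stanza-based match matters: a plain search-and-replace of orinoco_cs would also retarget the Lucent card in the sample (and any other orinoco card on a real system) to a driver that does not support it.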


Now that you have changed the bindings for your card, we are ready to switch the drivers. As we will be ejecting the WIFI card, you will not need to restart your computer. The drivers we want to use are the hostap drivers. The wlanng drivers used to be the ones to use before the xdelta patch, but now the hostap drivers tend to work better. (I tried forever with the wlanng drivers, but I was never able to crack the WEP encryption. Once I switched to the hostap drivers I was able to crack WEP with the greatest of ease.) The command to switch to the hostap drivers looks like this:

root# switch-to-hostap

Now at this time you need to completely remove the WIFI card from the laptop. Once you have done this wait a few seconds and reinsert the card.

Now we are ready to set the WIFI card to monitor mode and activate the card.

root# iwconfig wlan0 mode monitor    (sets the card to monitor mode)
root# iwconfig wlan0 channel XX      (replace XX with your channel number)
root# ifconfig wlan0 up              (brings your WIFI card up)

Now we need to run Kismet. When starting it for the first time I created a directory on the main hard drive called KISMET and had the program save its files in that directory. When it asked for the filename I kept the default. Once you've done that you will need to gather the following information:

  • BSSID (The Access Point's MAC Address)
  • ESSID (The name of the Access Point, e.g. LinkSysRouter)
  • Client's MAC Address


You can do this by first hitting the "m" key (that mutes the annoying sound effects), then the "s" key for the sort menu, then "c" to sort by channel. Once you've done that, use the arrow keys to highlight your target network. Hit the "Enter" key, and from that window you will be able to get the BSSID and ESSID. The type of encryption will also be listed on this page, but you should already know that it is using WEP because you should be practicing on your own network. Anyway, now you will need to look for an associated client. Hit the "c" key to show all clients. Make sure you write down a client's MAC address, as you will be needing it later.


After you have that information, make sure you shut down Kismet. (According to the forums I have read, you must shut down Kismet before proceeding or the other programs will not function properly. I believe this is true but I have not tested it. There isn't a need for Kismet from this point on anyway, so I always just shut it off.)


Now you want to start airodump to monitor the network and save all of the captured IVs that have been transmitted.

root# airodump wlan0 catch 06

(wlan0 is the WIFI card, catch is the name of the file that you want to save the packets in, and 06 is the channel number that your target network is on.)

Now that you are monitoring the network, you need to start scanning for ARP requests so you can make those IVs come in a hell of a lot faster than they are now. So we run:

root# aireplay -3 -x 600 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy wlan0

(where the xx's are the MAC address of your AP and the yy's are your client's MAC address. The -3 is the type of attack, and -x 600 is the number of packets per second.)

Now that we are watching for ARP requests, we have to make sure the AP is going to generate some. Piece of cake with the following deauth attack:

root# aireplay -0 1 -a xx:xx:xx:xx:xx:xx wlan0

(where -0 1 is the type of attack, in this case a deauth attack, and the frequency of the attack in seconds. The -a xx's are the AP MAC address, and wlan0 is again our WIFI card.)

Now the client should have been booted off the network and will be asking to reauthenticate. Your ARP request count should jump up momentarily. It only goes up to 1024, but that is more than enough for what we need.
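The deauth step above works because 802.11 management frames carry no authentication, so any station can forge a deauthentication frame in the AP's name and the client will obey it. From the network owner's side, the same property makes the attack easy to spot: legitimate deauthentications are rare, while a tool sending them in a loop produces a burst of deauth frames, all claiming the AP's BSSID, within a fraction of a second. The following is an added example, not part of the original tutorial: it parses raw 802.11 frames, keeps a per-BSSID sliding window of deauthentication frames, and raises an alert when the rate crosses a threshold. The frames fed to it are constructed in the script (no capture or transmission happens); it assumes the radiotap/prism capture header has already been stripped so the buffer begins at the 802.11 MAC header, and the threshold and window are assumed values to tune to your own network.

```python
import struct
from collections import defaultdict, deque

# Frame Control for a deauthentication frame: type 0 (management), subtype 12, no flags.
DEAUTH_FC = 0x00C0


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(src, dst, bssid, reason=7, seq=0):
    """Construct a raw 802.11 deauthentication frame as test data (never transmitted)."""
    header = struct.pack("<HH", DEAUTH_FC, 0)              # frame control, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)  # addr1=DA, addr2=SA, addr3=BSSID
    header += struct.pack("<H", (seq & 0xFFF) << 4)        # sequence control
    return header + struct.pack("<H", reason)              # fixed field: reason code


def parse_frame(raw):
    """Decode the 802.11 MAC header (assumes no radiotap/prism header in front of it)."""
    if len(raw) < 24:
        return None
    fc, = struct.unpack_from("<H", raw, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    frame = {
        "type": ftype, "subtype": subtype,
        "da": mac_str(raw[4:10]), "sa": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22]),
        "reason": None,
    }
    if ftype == 0 and subtype == 12 and len(raw) >= 26:
        frame["reason"], = struct.unpack_from("<H", raw, 24)
    return frame


class DeauthFloodDetector:
    """Alert once when more than `threshold` deauth frames for one BSSID arrive within `window` seconds."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent deauth frames

    def observe(self, ts, raw):
        frame = parse_frame(raw)
        if frame is None or frame["type"] != 0 or frame["subtype"] != 12:
            return None
        q = self.recent[frame["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) == self.threshold:            # fire once per crossing, not on every frame
            return {"ts": ts, "bssid": frame["bssid"], "sa": frame["sa"],
                    "da": frame["da"], "reason": frame["reason"], "count": len(q)}
        return None


def run_demo():
    """Feed constructed traffic: a few genuine deauths spread out, then a 64-frame burst."""
    ap, client, bcast = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
    det = DeauthFloodDetector(threshold=10, window=1.0)
    alerts = []
    for i in range(5):                                    # one deauth every 30 s: benign
        alert = det.observe(30.0 * i, build_deauth(ap, client, ap, reason=3, seq=i))
        if alert:
            alerts.append(alert)
    for i in range(64):                                   # 64 deauths in 0.32 s: flood
        alert = det.observe(200.0 + i * 0.005, build_deauth(ap, bcast, ap, reason=7, seq=i))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['ts']:.3f}] deauth flood: bssid={a['bssid']} sa={a['sa']} "
              f"da={a['da']} reason={a['reason']} count={a['count']}/1s")
```

The demo produces a single alert at the tenth frame of the burst and stays silent for the spaced-out frames, which is the behaviour you want from a wireless IDS rule: it reacts to rate, not to the mere presence of deauthentication frames. A broadcast destination combined with a high rate is a particularly strong signal, since APs seldom deauthenticate every client at once.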

After you start getting the ARP requests, your aireplay attack 3 should start saying it is sending packets. As those are being sent, your airodump command should be catching at least 100 IVs a second (mine usually runs at 200-300 a second). Let that sit and collect at least 600k IVs before you run the next command. Go grab some food or something, because it will usually take about 30-40 minutes (at least it does for me). Don't worry about me. I'll wait here....


Alright. You now have over 600k IVs. Told you I'd wait. Anyway, let's take a look at the next command. We now need to crack the capture file created by airodump:

root# aircrack -e ESSID -f 2 catch.cap

(-e ESSID is where you insert the name of the AP, e.g. -e LinkSysRouter. -f 2 is the Fudge Factor: how many keys it is willing to try to get the key. The default factor is 2, but I have it in the command for a reason, which I will go into in a minute. The last part, catch.cap, is the filename that was created by airodump.)

Now aircrack should start going through the file and looking for a key. There is a chance that it will say it was unable to find a key. This happens from time to time, and this is where the Fudge Factor comes in. You will now need to increase the Fudge Factor by 1. The command should look like this:

root# aircrack -e ESSID -f 3 catch.cap

Now aircrack will work a little harder and try more keys. Should it fail again, increase the Fudge Factor to 5, and then 6, and so on. I have only had to go as high as 4 before I got the key, and by then the IVs are close to a million, so it will find the key (or fail) quicker because it will be sure of more of the key. Once you have a million or so IVs it should have the key within seconds.


By this time you should have cracked the key. If you have, then congratulations. If not, you will need to mess with the -k option of aircrack. I have not had to mess with this, as even when aircrack was not getting the key, just increasing the Fudge Factor was enough for me.


I hope this little blurb was enough for you to crack the WEP encryption. I myself had quite a few problems, so I had to learn the ins and outs of the different programs. Even if this tutorial works for you, you should still experiment with the different parts of the commands we have used. You may find something that works better. Good luck in your hacking and cracking, and keep an eye out for my next tutorial.

Author: airman dopey
Source: http://forum.remote-exploit.org/viewtopic.php?t=946


Last updated 29 October 2009 by darklevel