ipw2200_generic

Differences

This shows you the differences between two versions of the page.

ipw2200_generic [2007/08/29 01:39] drio
ipw2200_generic [2008/05/09 23:54] – Make the text a bit more English. netrolller3d
Line 8: Line 8:
    - More detailed explaination about what we are doing on each step    - More detailed explaination about what we are doing on each step
    - upgrade airo tools from the livecd.    - upgrade airo tools from the livecd.
 +
  
  
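Review bot: the unchanged context line "- More detailed explaination about what we are doing on each step" still misspells "explanation"; since the summary of this revision is about making the text more English, fix it in the same pass.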
Line 18: Line 19:
  
 ===== Introduction ===== ===== Introduction =====
 +
 +This document is based in this [[http://tinyshell.be/aircrackng/forum/index.php?topic=2077.0|post]] you can find in the [[http://tinyshell.be/aircrackng/forum/index.php|forums]].
 +
 When I started using the aircrack-ng tools I did not have the  When I started using the aircrack-ng tools I did not have the 
 [[Compatibility_Drivers|best hardware]] for it. I only had an ibm thinkpad t42 that comes with an intel 2200BG card. [[Compatibility_Drivers|best hardware]] for it. I only had an ibm thinkpad t42 that comes with an intel 2200BG card.
 Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device
-driver that we use for our card has to support injection. This [[newbie_guide|tutorial]] explains you how to compile and install modules in your+driver that we use for controlling our card has to support injection. This [[newbie_guide|tutorial]] explains you how to compile and install modules in your
 linux box. Installing linux in my box was not an option so I decided to use the [[http://www.remote-exploit.org/backtrack.html|backtrack2]] livecd.  linux box. Installing linux in my box was not an option so I decided to use the [[http://www.remote-exploit.org/backtrack.html|backtrack2]] livecd. 
-Luckily for me, the backtrack team has already compiled and installed the necessary drivers in the livecd. +Backtrack comes already with the necessary drivers compiled and ready to be use directly from the cd.
- +
-This document is based in this [[http://tinyshell.be/aircrackng/forum/index.php?topic=2077.0|post]] you can find in the [[http://tinyshell.be/aircrackng/forum/index.php|forums]] +
  
 Here are the basic steps we will be going through: Here are the basic steps we will be going through:
Line 39: Line 41:
   *9 - Crack the wep key using aircrack-ng   *9 - Crack the wep key using aircrack-ng
  
-Keep in mind that we are going to be running different commands and we will need to check their input between them. Most +Keep in mind that we are going to be running different commands and we will need to check switch between them. Most 
-documents recommend to start [[http://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/X_Window_core_protocol|Xwindow]] and open then various Xterminals there+documents recommend to start [[http://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/X_Window_core_protocol|Xwindow]] and open then various xterminals
-That is fine, but there is another option: [[http://en.wikipedia.org/wiki/GNU_Screen|screen]]. I would recommend you to go for this second option.+There is another option: [[http://en.wikipedia.org/wiki/GNU_Screen|screen]]. 
 + 
 + 
 + 
 + 
  
 ===== Verify that our ipw2200 card is recognized by the OS (Linux) ===== ===== Verify that our ipw2200 card is recognized by the OS (Linux) =====
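Review bot: several of the rewritten sentences in this hunk still need grammar fixes. "This document is based in this post" should read "based on this post"; "ready to be use directly from the cd" should be "ready to be used"; and "we will need to check switch between them" looks like an unfinished edit of "check their input between them", where "we will need to switch between them" was probably intended. "Open then various xterminals" should be "open various xterminals there". Removing "I would recommend you to go for this second option" also leaves the screen suggestion without a stated preference; if the recommendation is still meant, keep one sentence saying so.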
Line 62: Line 69:
  
 That command will list all the pci devices connected to the pci bus. You should see something similar to this when you run it on your machine. That command will list all the pci devices connected to the pci bus. You should see something similar to this when you run it on your machine.
-Note I removed most of the output and I just show you the intel 2200.+Note I removed most of the output.
  
-Now, since you have an intel 2200BG base card, linux should have autoloaded the ipw2200 device driver for you:+Now, since you have an intel 2200BG base card, Linux should have autoloaded the ipw2200 device driver for you:
  
          # lsmod | grep ipw2200          # lsmod | grep ipw2200
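Review bot: shortening "Note I removed most of the output and I just show you the intel 2200" to "Note I removed most of the output" drops the hint that the reader should look for the Intel 2200 entry in the lspci listing; suggest "Note I removed most of the output and only show the Intel 2200 line." The unchanged "intel 2200BG base card" should be "2200BG-based card".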
Line 70: Line 77:
  
 When I used [[http://www.remote-exploit.org/backtrack.html|backtrack2]] to test this, the rtap0 interface was not created after booting the livecd. When I used [[http://www.remote-exploit.org/backtrack.html|backtrack2]] to test this, the rtap0 interface was not created after booting the livecd.
-That is why we have to reload the device driver again to force the rtap loading:+We need the rtap0 up and running. We can tell the device driver to create the rtap_iface interface running:
  
-         # rmmod ipw2200 +         # echo 1 > /sys/class/net/eth1/device/rtap_iface 
-         # modprobe ipw2200 rtap_iface=1 + 
 +That's the method I would recommend. But, if you are using the latest version of airodump-ng (we'll use it in the next section) you can 
 +tell the program to creat the rtap0 device for you: 
 + 
 +         # airodump-ng -c X rtap0 
 + 
 +We'll talk it in the next section.
  
 Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it. Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it.
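Review bot: the new command "echo 1 > /sys/class/net/eth1/device/rtap_iface" hard-codes the interface name eth1 without saying so; add a sentence that eth1 is the name used for the ipw2200 interface throughout this page and must be substituted if the name differs on the reader's machine. The airodump-ng line uses "X" for the channel where the rest of the page uses "<channel>"; use the same placeholder. Typos: "creat" for "create", and "We'll talk it in the next section" should be "We'll talk about it in the next section".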
Line 96: Line 109:
  
        # ifconfig eth1 up hw ether 00:11:22:33:44:55        # ifconfig eth1 up hw ether 00:11:22:33:44:55
 +
 +
 +
 +
  
 ===== Configure the wireless parameters ===== ===== Configure the wireless parameters =====
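Review bot: this hunk only inserts four blank lines before the "Configure the wireless parameters" heading; DokuWiki needs at most one blank line to separate sections, so the extra ones can go. The same applies to the other runs of blank lines added in this revision.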
Line 103: Line 120:
        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed
  
-We don't know the wep key of our target yet. This wouldn't be necessary if we were using another wireless chipset. Due to a device  +Due to some limitations with the firmware we have to force fakekey and set managed mode to ensure the aircrack-ng tools work properly.
-driver issues this has to be done to ensure the airdump-ng tools work properly.+
  
 ESSID is the name of the wireless network of our target AP. Channel is the wireless channel. ESSID is the name of the wireless network of our target AP. Channel is the wireless channel.
 +
 +
  
  
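Review bot: the replacement sentence attributes the fakekey requirement to "some limitations with the firmware", while the removed text said "device driver issues"; the two disagree and neither cites a source, so state which component is actually meant. The rewrite also drops "We don't know the wep key of our target yet", which is the reason the key passed to iwconfig is a placeholder; without it a reader may think "s:fakekey" has to be a real key.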
Line 113: Line 131:
 In another window, we start collecting data: In another window, we start collecting data:
  
-       # airodump-ng --bssid <AP MAC> -w dump rtap0+       # airodump-ng -c <channel> --bssid <AP MAC> -w dump rtap0
  
 Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea
-to create a new directory and to run all of them on it.+to create a new directory and to run all of them from there. 
 + 
 +As we said before, if you are running the latest version of airodump-ng, rtap0 will be created for you automatically in case you didn't before. 
  
  
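Review bot: "rtap0 will be created for you automatically in case you didn't before" reads awkwardly; suggest "if you did not create it in the previous step". The unchanged line "as a input interface" should be "as an input interface".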
Line 123: Line 144:
 Now it is time to do some injection. In a new window we will launch the chopchop attack: Now it is time to do some injection. In a new window we will launch the chopchop attack:
  
-       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1+       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1
  
 Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop). Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop).
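Review bot: the aireplay-ng command line changes only in trailing whitespace; dropping this no-op from the revision keeps the diff readable.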
Line 132: Line 153:
 Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not  Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not 
 vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine.
 +
 +If the attack fails, try to rerun the command again ommiting the "-h <AP MAC>" parameter.
 +
 +
 +
 +
 +
  
  
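Review bot: the added sentence names the option as "-h <AP MAC>", but in the command shown in the previous hunk "-h" carries the client address 00:11:22:33:44:55 and "-a" carries <AP MAC>; reconcile the option name and placeholder so the reader knows which one is meant. Typos: "ommiting" should be "omitting", and "rerun ... again" is redundant. The sentence also overlaps the line above it ("I just re-ran aireplay and it was fine"); merge the two. Five trailing blank lines are added here as well.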
Line 140: Line 168:
  
 Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP.  Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP. 
-They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP. This can be run  +If you use valid destination IPs then you will be running an [[arp_amplification|amplification attack]]. This can be run in the same window  
-in the same window we run the chopchop attack:+we run the chopchop attack:
        
-       # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request+     # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request 
  
  
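Review bot: the rewrite removes "They can be any valid IP", so the reader no longer learns whether 192.168.1.100 and 192.168.1.101 in the packetforge-ng example are required values or placeholders; keep a sentence saying they are arbitrary. The unchanged "aquired keysteam" should be "acquired keystream", and the command line's indent changed from seven spaces to five, breaking alignment with the other commands on the page.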
Line 149: Line 178:
 ===== Send the arp request over and over ===== ===== Send the arp request over and over =====
  
-Finally we will send our newly created arp-request packet over and over. After this step you should see the "Data" begin to rise quickly back in the first  +Finally we will send our newly created arp-request packet over and over. After this step you should see the "Data" begin to rise quickly back in the window 
-terminal (airodump). If the data doesn't change (usually between 80 and 350 per second) then something is wrong.+were we had airodump-ng running. If the data doesn't change (usually between 80 and 350 per second) then something is wrong.
  
       # aireplay-ng -2 -r arp-request eth1       # aireplay-ng -2 -r arp-request eth1
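Review bot: "in the window were we had airodump-ng running" should be "where"; the rest of the reworded sentence reads fine.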
Line 159: Line 188:
  
  
-===== Wait to gather enough IVs ===== 
  
-We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run airocrack-ng.  
-You may be wonder how many packages we need in order to run airocrack-ng. It depends. The version of  
-airocrack-ng that comes with backtrack2 is not the lastest one. The latest version cracks wep faster and 
-it doesn't need that many packages. The version that comes with backtrack2 needs around 300k packages.  
  
  
  
 +===== Wait to gather enough IVs =====
  
 +We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run aircrack-ng. 
 +How many packages we need so aircrack-ng cracks the wep key? It depends. The version of 
 +aircrack-ng that comes with backtrack2 is not the latest one so we need around 1.000.000 of IVs.
 +If we are using the latest version (0.9 and up) 100.000 is enough.
  
  
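Review bot: the IV count needed by the backtrack2 version changes from "around 300k packages" to "around 1.000.000 of IVs" with no explanation in the edit summary; if this corrects the earlier figure, say so or cite where both numbers come from. Also, "packages" should be "packets" throughout this paragraph, "1.000.000" and "100.000" use a thousands separator that English readers may take for a decimal point (write 1,000,000 and 100,000), and "How many packages we need so aircrack-ng cracks the wep key?" should be "How many packets do we need before aircrack-ng can crack the WEP key?".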
Line 175: Line 204:
 In another window we launch: In another window we launch:
  
-      # aircrack-ng dump*.cap+      # aircrack-ng -z dump*.cap
  
 Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately. Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately.
 +The -z argument tells aircrack-nt to try a ptw attack also. If you version of aircrack-ng doesn't support it, just
 +ommit it.
  
 === NOTE: === === NOTE: ===
-aircrack-ng can be run at the same time airodump-ng is running. This is very interesting because it will  +aircrack-ng can run concurrently with airodump-ng. This is very interesting because it will  
-allow you to check the number of IVs that airodump-ng has gathered. If you think you don't have enough, just +allow you to check the number of IVs that airodump-ng has gathered. You can cancel the execution of aircrack-ng and 
-CTRL + C and wait for more packets to come.+wait for more data to be gathered.
  
  
    
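Review bot: the explanation of "-z" has "aircrack-nt" for "aircrack-ng", "If you version" for "If your version" and "ommit" for "omit". The unchanged line "Depending the number of packages ... inmediately" should be "Depending on the number of packets ... immediately". The reworded note also drops "CTRL + C", which was the only place telling the reader how to stop aircrack-ng; keep it.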
ipw2200_generic.txt · Last modified: 2009/09/26 14:27 by darkaudax