ipw2200_generic
Differences
ipw2200_generic [2007/08/29 01:39] – drio | ipw2200_generic [2009/09/26 14:27] (current) – Fixed typos darkaudax | ||
---|---|---|---|
Line 6: | Line 6: | ||
- screen usage example | - screen usage example | ||
- Different attacks | - Different attacks | ||
- | - More detailed | + | - More detailed |
- | - upgrade | + | - upgrade |
+ | ===== Introduction ===== | ||
+ | This document is based in this [[http:// | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ===== Introduction ===== | ||
When I started using the aircrack-ng tools I did not have the | When I started using the aircrack-ng tools I did not have the | ||
- | [[Compatibility_Drivers|best hardware]] for it. I only had an ibm thinkpad t42 that comes with an intel 2200BG card. | + | [[Compatibility_Drivers|best hardware]] for it. I only had an IBM Thinkpad T42 that comes with an Intel 2200BG card. |
Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device | Most of the wep attacks require to inject some packets in the network in order to speed up the process of gathering IVs. In order to do that, the device | ||
- | driver that we use for our card has to support injection. This [[newbie_guide|tutorial]] explains you how to compile and install modules in your | + | driver that we use for controlling |
linux box. Installing linux in my box was not an option so I decided to use the [[http:// | linux box. Installing linux in my box was not an option so I decided to use the [[http:// | ||
- | Luckily for me, the backtrack team has already | + | Backtrack comes already |
- | + | ||
- | This document is based in this [[http:// | + | |
Here are the basic steps we will be going through: | Here are the basic steps we will be going through: | ||
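Review bot: `This document is based in this [[http://` on the new side should read "based on this"; since the sentence is being moved up under the new Introduction heading in this hunk anyway, fix the preposition in the same edit rather than carrying the slip into the new position.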
Line 33: | Line 26: | ||
*4 - Configure the wireless parameters using iwconfig. | *4 - Configure the wireless parameters using iwconfig. | ||
*5 - Collect data with airodump-ng | *5 - Collect data with airodump-ng | ||
- | *5 - Launch the chopchop attack | + | *5 - Launch the [[korek_chopchop|chopchop]] attack |
- | *6 - Create the arp request packet | + | *6 - Create the ARP request packet |
- | *7 - Send the arp request over and over | + | *7 - Send the ARP request over and over |
*8 - Wait to gather enough IVs | *8 - Wait to gather enough IVs | ||
- | *9 - Crack the wep key using aircrack-ng | + | *9 - Crack the WEP key using aircrack-ng |
- | Keep in mind that we are going to be running different commands and we will need to check their input between them. Most | + | Keep in mind that we are going to be running different commands and we will need to check switch |
- | documents recommend to start [[http:// | + | documents recommend to start [[http:// |
- | That is fine, but there is another option: [[http:// | + | There is another option: [[http:// |
===== Verify that our ipw2200 card is recognized by the OS (Linux) ===== | ===== Verify that our ipw2200 card is recognized by the OS (Linux) ===== | ||
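Review bot: The step numbering is still broken on both sides of this hunk: `*5 - Collect data with airodump-ng` is followed by `*5 - Launch the [[korek_chopchop|chopchop]] attack`, so two steps share number 5 and every entry after it is off by one relative to the section order below. Renumber the entries from the chopchop step onwards so each step has a unique number that matches the headings it points to.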
Line 61: | Line 54: | ||
| | ||
- | That command will list all the pci devices connected to the pci bus. You should see something similar to this when you run it on your machine. | + | That command will list all the PCI devices connected to the pci bus. You should see something similar to this when you run it on your machine. |
- | Note I removed most of the output | + | Note I removed most of the output. |
- | Now, since you have an intel 2200BG base card, linux should have autoloaded the ipw2200 device driver for you: | + | Now, since you have an intel 2200BG base card, Linux should have autoloaded the ipw2200 device driver for you: |
# lsmod | grep ipw2200 | # lsmod | grep ipw2200 | ||
Line 70: | Line 63: | ||
When I used [[http:// | When I used [[http:// | ||
- | That is why we have to reload | + | We need the rtap0 up and running. We can tell the device driver to create |
- | # | + | # |
- | # modprobe ipw2200 rtap_iface=1 | + | |
- | Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it. | + | That's the method I would recommend. But, if you are using the latest version of airodump-ng (we'll use it in the next section) you can |
+ | tell the program | ||
+ | # airodump-ng -c X rtap0 | ||
+ | We'll talk it in the next section. | ||
+ | |||
+ | Ok, so we have verified that we have an ipw2200 card and that Linux can talk to it. | ||
===== List available networks ===== | ===== List available networks ===== | ||
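Review bot: Capitalization is inconsistent within single sentences on the new side: `That command will list all the PCI devices connected to the pci bus` capitalizes one PCI but not the other, and `since you have an intel 2200BG base card, Linux should have autoloaded` capitalizes Linux but not Intel, which the Introduction hunk does fix. Also `We'll talk it in the next section.` is missing "about", and the sentence that recommends `the latest version of airodump-ng` for creating the rtap interface should name the minimum version that does this, since "latest" stops meaning anything once the next release ships.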
Line 88: | Line 85: | ||
=== NOTE: === | === NOTE: === | ||
I am assuming that linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0. | I am assuming that linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0. | ||
- | |||
- | |||
===== Change the MAC address of our card ===== | ===== Change the MAC address of our card ===== | ||
- | This step is optional but it will give us some anonimyty. On a new window: | + | This step is optional but it will give us some anonymity. On a new window: |
# ifconfig eth1 up hw ether 00: | # ifconfig eth1 up hw ether 00: | ||
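Review bot: Only part of the lowercase-name cleanup reaches this hunk: the unchanged NOTE line `I am assuming that linux mapped your wireless card under eth1. Most likely you have an ethernet card under eth0.` keeps "linux" lowercase while this revision capitalizes it elsewhere, and "ethernet" on the same line has the same problem; worth fixing while the section is being touched.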
Line 103: | Line 98: | ||
# iwconfig eth1 essid < | # iwconfig eth1 essid < | ||
- | We don't know the wep key of our target yet. This wouldn' | + | Due to some limitations with the firmware |
- | driver issues this has to be done to ensure the airdump-ng tools work properly. | + | |
ESSID is the name of the wireless network of our target AP. Channel is the wireless channel. | ESSID is the name of the wireless network of our target AP. Channel is the wireless channel. | ||
- | |||
===== Collect data with airodump-ng ===== | ===== Collect data with airodump-ng ===== | ||
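Review bot: The replacement sentence `Due to some limitations with the firmware` drops the explanation the old text gave (that the key is not known at this point and the association command is only there so the tools behave), so the reader no longer learns why ESSID and channel are set before capture; keep that rationale in the new wording. The unchanged line `Channel is the wireless channel.` is circular and should say that it must be the channel the target AP operates on.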
Line 113: | Line 106: | ||
In another window, we start collecting data: | In another window, we start collecting data: | ||
- | # airodump-ng --bssid <AP MAC> -w dump rtap0 | + | # airodump-ng |
Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea | Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea | ||
- | to create a new directory and to run all of them on it. | + | to create a new directory and to run all of them from there. |
+ | As we said before, if you are running the latest version of airodump-ng, | ||
===== Launch the chopchop attack ===== | ===== Launch the chopchop attack ===== | ||
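Review bot: Grammar on the unchanged line `Notice how we use rtap0 as a input interface.`: "a input" should be "an input". The new sentence `As we said before, if you are running the latest version of airodump-ng,` repeats the "latest version" caveat from the driver section without naming a version; state the version once in that section and refer back to it here, so the two passages cannot drift apart.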
Line 123: | Line 117: | ||
Now it is time to do some injection. In a new window we will launch the chopchop attack: | Now it is time to do some injection. In a new window we will launch the chopchop attack: | ||
- | # aireplay-ng -4 -a <AP MAC> -h 00: | + | # aireplay-ng -4 -a <AP MAC> -h 00: |
Note the modifier "-i rtap0." | Note the modifier "-i rtap0." | ||
Line 133: | Line 127: | ||
vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. | vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. | ||
- | + | If the attack fails, try to rerun the command again omitting the "-h <AP MAC>" | |
- | + | ||
===== Create the arp request packet ===== | ===== Create the arp request packet ===== | ||
- | Now we will create an arp-request packet using the aquired | + | Now we will create an arp-request packet using the acquired |
- | They can be any valid IP. The destination | + | If you use valid destination |
- | in the same window we run the chopchop attack: | + | we run the chopchop attack: |
- | # packetforge-ng -0 -a <AP MAC> -h 00: | + | # packetforge-ng -0 -a <AP MAC> -h 00: |
- | + | ||
===== Send the arp request over and over ===== | ===== Send the arp request over and over ===== | ||
- | Finally we will send our newly created arp-request packet over and over. After this step you should see the " | + | Finally we will send our newly created arp-request packet over and over. After this step you should see the " |
- | terminal (airodump). If the data doesn' | + | were we had airodump-ng running. If the data doesn' |
# aireplay-ng -2 -r arp-request eth1 | # aireplay-ng -2 -r arp-request eth1 | ||
- | |||
- | |||
- | |||
- | |||
- | |||
===== Wait to gather enough IVs ===== | ===== Wait to gather enough IVs ===== | ||
- | We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run airocrack-ng. | + | We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run aircrack-ng. |
- | You may be wonder how many packages we need in order to run airocrack-ng. It depends. The version of | + | How many packages we need so aircrack-ng cracks the wep key? It depends. The version of |
- | airocrack-ng that comes with backtrack2 is not the lastest | + | aircrack-ng that comes with backtrack2 is not the latest |
- | it doesn' | + | If we are using the latest version |
- | + | ||
- | + | ||
- | + | ||
- | + | ||
===== Crack the wep key using aircrack-ng ===== | ===== Crack the wep key using aircrack-ng ===== | ||
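Review bot: The new sentence `If the attack fails, try to rerun the command again omitting the "-h <AP MAC>"` labels the -h value as the AP MAC, but in both the aireplay-ng and packetforge-ng lines of this hunk `-h 00:` carries the card address set in the MAC-change step while `-a <AP MAC>` carries the AP; use the same placeholder name as the commands so readers do not drop the wrong argument. Also `were we had airodump-ng running` should be "where", "packages" should be "packets" throughout the "Wait to gather enough IVs" paragraph (`How many packages we need so aircrack-ng cracks the wep key?` also needs "do we need"), and the two headings `===== Create the arp request packet =====` and `===== Send the arp request over and over =====` still say "arp" while the step list in the earlier hunk was changed to "ARP".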
Line 175: | Line 155: | ||
In another window we launch: | In another window we launch: | ||
- | # aircrack-ng dump*.cap | + | # aircrack-ng |
- | Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately. | + | Depending the number of packages you have gathered, this may take some minutes or you may get the key immediately. |
+ | The -z argument tells aircrack-ng to also try the PTW attack. If you version of aircrack-ng doesn' | ||
+ | omit it. | ||
=== NOTE: === | === NOTE: === | ||
- | aircrack-ng can be run at the same time airodump-ng | + | aircrack-ng can run concurrently with airodump-ng. This is very interesting because it will |
- | allow you to check the number of IVs that airodump-ng has gathered. | + | allow you to check the number of IVs that airodump-ng has gathered. |
- | CTRL + C and wait for more packets | + | wait for more data to be gathered. |
- |
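Review bot: Three grammar slips remain in the new text of this hunk: `Depending the number of packages you have gathered` needs "Depending on" and "packets"; `If you version of aircrack-ng doesn'` should be "If your version"; and the sentence introducing the -z (PTW) argument would serve readers better if it named the aircrack-ng version that added PTW support instead of telling them to omit the flag if it fails.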
ipw2200_generic.txt · Last modified: 2009/09/26 14:27 by darkaudax