
WEP cracking with FreeBSD

Discussion in 'Howtos and FAQs (Moderated)' started by taz, Jun 12, 2012.

    For some time now I have been wanting to be able to crack a WEP protected wireless network with FreeBSD.

    There are countless tutorials on the web on how to do it with Linux and aircrack-ng. And there is an
    aircrack-ng port for FreeBSD, but aireplay-ng and airodump-ng don't really work "out of the box" (at least not for me; reading this thread http://forums.freebsd.org/showthread.php?t=10042 didn't help either).

    Until now the simplest solution for me was BackTrack, but since I really love FreeBSD and hate "depending" on Linux, I wanted to figure out a way to do it solely with FreeBSD. My solution is Kismet (net-mgmt/kismet). With it I was able to sniff wireless traffic and pass it to aircrack-ng. Kismet can dump raw packets to a file which is readable by aircrack-ng.

    So here is a short "tutorial" on how to do it:

    Install kismet and aircrack-ng:

    Code:
    cd /usr/ports/net-mgmt/kismet && make install clean
    cd /usr/ports/net-mgmt/aircrack-ng/ && make install clean
    
    Configure Kismet as explained here: http://wiki.freebsd.org/Kismet

    Here are the lines I have changed/added:

    Code:
    ...
    ncsource=wlan0:type=radiotap_bsd_ag,name=rum_usb
    ...
    logtypes=pcapdump
    ...
    logtemplate=/path/where/to/save/dumps/%p%n-%D-%t-%i.%l
    
    
    Before we start Kismet we need to put our card in MONITOR mode:

    If it is not already in monitor mode, destroy the current interface:
    # ifconfig wlan0 destroy

    Set it to monitor mode:
    # ifconfig wlan0 create wlandev rum0 wlanmode monitor
    (my wireless card uses the rum driver, but yours could use ath or something else depending on what chipset your wireless card is based on; run ifconfig to find out).

    Now start Kismet as root or with sudo and sniff (this could take a while). Kismet will save collected packets every X seconds; this can be set in Kismet's configuration file. Also, you only need to log pcapdump files, which contain raw packets. After Kismet comes aircrack-ng, so start aircrack-ng and pass it Kismet's pcapdump files (yes, we can pass multiple Kismet sessions; aircrack-ng will merge the results).

    aircrack-ng -n 64 *.pcapdump
    (-n 64 tells aircrack-ng that it's a 64 bit WEP key, omit it if you don't know).

    aircrack-ng will show how many IVs have been collected for a certain SSID. I cracked my 64 bit WEP key today with ~13000 IVs.

    IMPORTANT NOTE:

    Kismet basically replaces airodump-ng but does not replace aireplay-ng, so we can't inject/attack and speed up the process of collecting IVs. On a network that has low or zero wireless traffic this is more or less useless, but on a network that has normal wireless activity (browsing, torrents and other stuff your neighbor might do) it's just a matter of time. The fact that we can join Kismet sessions really helps! For example, I connected with laptop1 to my AP and started downloading a torrent, and browsed a little bit too. On laptop2 I had FreeBSD and sniffed traffic with Kismet. It took me ~45 minutes to get enough IVs to crack my WEP key. Wireshark could also be used instead of Kismet, but I didn't experiment with it.

    That's all from me; I hope this might be of help to someone who is trying to accomplish the same thing as I did but who is not an expert in wifi security.
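Added here as a defender-side example, not part of taz's post: a small Python parser that reads a Kismet pcapdump (assumed to be a standard little-endian libpcap file with radiotap framing, as the radiotap_bsd source above would produce) and reports, per BSSID, how many distinct WEP IVs a network has already leaked and how many have repeated, which is the exposure figure aircrack-ng counts for you. The capture it runs on is constructed inline; the MAC addresses are made up.

```python
import struct
from collections import defaultdict

RADIOTAP = 127  # DLT_IEEE802_11_RADIO, what Kismet's radiotap_bsd source writes

def iter_frames(pcap: bytes):
    """Yield raw 802.11 frames from a little-endian pcap, stripping radiotap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == RADIOTAP:  # radiotap header length is the LE u16 at offset 2
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
        yield frame

def wep_iv_stats(pcap: bytes):
    """Return {bssid: (unique_ivs, repeated_ivs)} over WEP-protected data frames."""
    seen = defaultdict(dict)  # bssid -> {iv: times seen}
    for f in iter_frames(pcap):
        if len(f) < 28:
            continue
        fc0, fc1 = f[0], f[1]
        if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:  # data frame with Protected bit set
            continue
        to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
        # which address field carries the BSSID depends on the ToDS/FromDS bits
        bssid = f[4:10] if to_ds else f[10:16] if from_ds else f[16:22]
        hdr = 24 + (2 if fc0 & 0x80 else 0)  # QoS data adds a 2-byte QoS control field
        iv_hdr = f[hdr:hdr + 4]
        if len(iv_hdr) < 4 or iv_hdr[3] & 0x20:  # Ext IV bit set means TKIP/CCMP, not WEP
            continue
        ivs = seen[bssid.hex(":")]
        ivs[iv_hdr[:3]] = ivs.get(iv_hdr[:3], 0) + 1
    return {b: (len(v), sum(n - 1 for n in v.values())) for b, v in seen.items()}

def build_sample_pcap():
    """Constructed capture: three WEP data frames from one AP, one IV repeated."""
    ap, sta = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, RADIOTAP)
    for iv in (b"\x01\x02\x03", b"\x04\x05\x06", b"\x01\x02\x03"):
        mac = b"\x08\x42\x00\x00" + sta + ap + ap + b"\x10\x00"  # FromDS WEP data frame
        body = iv + b"\x00" + b"\xde\xad\xbe\xef" * 4 + b"\x00" * 4  # IV, key id, data, ICV
        frame = b"\x00\x00\x08\x00\x00\x00\x00\x00" + mac + body  # minimal 8-byte radiotap
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Point it at a real pcapdump with `wep_iv_stats(open(path, "rb").read())`; a repeated IV on your own AP is the 24-bit IV space being exhausted, which is the weakness that makes the ~13000 IV figure above sufficient.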