WEP cracking with FreeBSD

Would you like to share some of your solutions for certain problems? Tips or tricks? Post here. All new topics are automatically moderated.

WEP cracking with FreeBSD

Postby taz » 12 Jun 2012, 00:58

For some time now I have been wanting to be able to crack a WEP protected wireless network with FreeBSD.

There are countless tutorials on web how to do it with Linux and [FILE]aircrack-ng[/FILE]. And there is a
[FILE]aircrack-ng[/FILE] port for FreeBSD but [FILE]aireplay-ng[/FILE] and airodump-ng don't really work "out of the box" (at least not for me, reading this thread http://forums.freebsd.org/showthread.php?t=10042 didn't help either).

Until now the simplest solution for me was BackTrack but since I really love FreeBSD and hate "depending" on Linux I wanted to figure out a way to do it solely with FreeBSD. My solution is Kismet ([port]net-mgmt/kismet[/port]). With it I was able to sniff wireless traffic and pass it to [FILE]aircrack-ng[/FILE]. Kismet can dump raw packets to a file witch is readable by [FILE]aircrack-ng[/FILE].

So here is a short "tutorial" how to do it:

Install [FILE]kismet[/FILE] and [FILE]aircrack-ng[/FILE]:

Code: Select all
cd /usr/ports/net-mgmt/kismet && make install clean
cd /usr/ports/net-mgmt/aircrack-ng/ && make install clean


Configure Kismet as explained here: http://wiki.freebsd.org/Kismet

Here are the lines I have changed/added:

Code: Select all
...
ncsource=wlan0:type=radiotap_bsd_ag,name=rum_usb
...
logtypes=pcapdump
...
logtemplate=/path/where/to/save/dumps/%p%n-%D-%t-%i.%l



Before we start Kismet we need to put our card in MONITOR mode:

If not already in monitor mode destroy current interface:
[cmd=]# ifconfig wlan0 destroy[/cmd]

Set it to monitor mode:
[cmd=#] ifconfig wlan0 create wlandev rum0 wlanmode monitor[/cmd]
(my wireless card uses [FILE]rum[/FILE] drivers but yours could use [FILE]ath[/FILE] or something else depending what chipset your wireless card is based on, run [FILE]ifconfig[/FILE] to find out).

Now start Kismet as root or with [FILE]sudo[/FILE] and sniff (this could take a while). Kismet will save collected packets every X seconds, this can be set in Kismet's configuration file. Also you just need to log [FILE]pcapdump[/FILE] files which contain raw packets. After Kismet comes [FILE]aircrack-ng[/FILE], so start [FILE]aircrack-ng[/FILE] and pass Kismet's [FILE]pcapdump[/FILE] files (yes, we can pass multiple Kismet sessions, [FILE]aircrack-ng[/FILE] will merge the results).

[cmd=]aircrack-ng -n 64 *.pcapdump[/cmd]
([FILE]-n 64[/FILE] tells [FILE]aircrack-ng[/FILE] that it's a 64 bit WEP key, omit it if you don't know).

[FILE]aircrack-ng[/FILE] will show how much IVs are collected for a certain SSID. I cracked my 64 bit WEP key today with ~13000 IVs.

[color="Red"]IMPORTANT NOTE:[/color]

Kismet basically replaces [FILE]airodump-ng[/FILE] but does not replace [FILE]aireplay-ng[/FILE], so we can't inject/attack and speed up the process of collecting IVs. On a network that has low or zero wireless traffic this is more or less useless but on a network that has a normal wireless activity (browsing, torrents and other stuff your neighbor might do) it's just a matter of time. Fact that we can join Kismet sessions really helps! For example I connected with laptop1 on my AP and started downloading a torrent, browsed a little bit too. On laptop2 I had FreeBSD and sniffed traffic with Kismet. It took me ~45 minutes to get enough IVs to crack my WEP key. Wireshark could also be used instead Kismet but didn't experiment with it.

That's all from me, hope this might be of help to someone who is trying to accomplish the same thing as I did but is not an expert in wifi security.
User avatar
taz
Junior Member
 
Posts: 93
Joined: 09 Apr 2010, 17:56

Return to Howtos & FAQs (Moderated)

Who is online

Users browsing this forum: No registered users and 0 guests