Notices


Reply
Thread Tools
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1121
Originally Posted by Mr Wolf View Post
Just curious to know, if possible : what are the commands used by fAircrack?
I use these commands on Xterminal (from my past use of Aircrack ):

/home/user/MyDocs/wl1251-maemo/binary/compat-wireless # sh load.sh
(Load Bleeding-edge wl1251 drivers)
Yes, fAircrack implements this on the Monitor Tab using the Enable Injection button.

Originally Posted by Mr Wolf View Post
airmon-ng stop ath0
airmon-ng start wlan0
(Put wireless interface in monitor mode)
No, fAircrack uses ifconfig, iwconfig commands to put wlan0 into monitor / managed mode.
Code:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode Monitor
sudo ifconfig wlan0 up
Originally Posted by Mr Wolf View Post
airodump-ng -c [canal] mon0
(Show all available networks on a specific canal)

aireplay-ng -1 0 -e [AP ESSID] -a [AP BSSID] -h [N900 MAC Address] mon0
(Make a false authentication)

aireplay-ng -3 -b [AP BSSID] -h [N900 MAC Address] mon0
(Perform ARP Request Attack)

airodump-ng -c [canal] --bssid [AP BSSID] -w [capture] mon0
(Capture IV packets and write them to file)

aircrack-ng -z [capture*.cap]
(Find the key)

However, write these commands on the Nokia N900 is quite a pain in the a...

fAircrack is a must have application!!!
fAircrack uses for capture
Code:
sudo airodump-ng --channel X --bssid BSSID --write FILE wlan0
for deauthentication
Code:
sudo aireplay-ng -0 10 -a BSSID wlan0
for authentication
Code:
sudo aireplay-ng -1 5 -q 10 -a BSSID -h MYMAC wlan0
for injection
Code:
sudo aireplay-ng -3 -b BSSID -h MYMAC wlan0
for interactive injection (since v0.46)
Code:
sudo aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b BSSID -h MYMAC wlan0
to crack WEP key using PTW
Code:
aircrack-ng -l KEYFILE CAPFILES
to crack WEP key using Korek (since v0.47)
Code:
aircrack-ng -K -l KEYFILE CAPFILES
to crack WPA key using wordlist
Code:
aircrack-ng -a 2 -w WORDLIST -l KEYFILE CAPFILES
to crack WPA key using airolib-ng database (since v0.46)
Code:
aircrack-ng -r LIBDBASE -l KEYFILE CAPFILES
to search for APs and clients
Code:
sudo airodump-ng -w FILE wlan0
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)

Last edited by StefanL; 2012-01-23 at 12:54.
 

The Following 3 Users Say Thank You to StefanL For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#1122
Originally Posted by StefanL View Post
for interactive injection (since v0.46)
Is it typo, or have I missed update? Your signature also list 0.45 as latest version. If 0.46 is available, could You please provide link and changelog?
---

As for test, I'll gladly do it after returning home

/Estel
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!
 

The Following User Says Thank You to Estel For This Useful Post:
Mr Wolf's Avatar
Posts: 84 | Thanked: 22 times | Joined on Nov 2011 @ Italy
#1123
Originally Posted by Estel View Post
I may be totally wrong here, but AFAIK, they're not - due to increased power usage, while associated to AP and in standby mode. The fix for it would require osso-something, that is now waiting to get released in CSSU-Testing.

AFAIK (again), kernel-power just provide those drivers (for now, as later, they may be used by default), so they can be loaded without keeping them in some folder - isn't Cleven doing it this way?

Anyway, I've tested it a second ago, and while Monitor mode work without loading injection drivers, injection itself doesn't (surprise ). It starts, but doesn't inject anything, even when requirements (MAC from allowed list, ARP catched etc) are meet. No problem with Injection drivers under same conditions.

/Estel

// Edit

It may be worth to mention, that I've found how to finally *properly* fix a eons-old bug with icon. Just put faircrack.png it into '/usr/share/icons/hicolor/48x48/apps', then, in .desktop file, modify line icon=faircrack (*without* .png).

All the trick is that default icon path is '/usr/share/icons/hicolor/48x48/apps', so desktop looks there, unless specified otherwise (via icon path or something) in .desktop file.

This way, icon is displayed properly in desktop, but also in menu etc. I've fixed *every* program with wrong .desktop file and icon location on my device, this way.

One reminder - reboot is *mandatory* after this, or you'll be fooled by "no-icon". There are ways to restart things, but they don't work reliably (sometimes works, sometimes doesn't), so before You conclude "it doesn't work" - and switch it back to full icon path - reboot device.

/Estel
Ok... I've just tried: if I don't load Bleeding-edge driver first, I can't inject, too.
__________________
I'm Winston Wolf, I solve problems
 

The Following 2 Users Say Thank You to Mr Wolf For This Useful Post:
Mr Wolf's Avatar
Posts: 84 | Thanked: 22 times | Joined on Nov 2011 @ Italy
#1124
Originally Posted by StefanL View Post
Yes, fAircrack implements this on the Monitor Tab using the Enable Injection button.


No, fAircrack uses ifconfig, iwconfig commands to put wlan0 into monitor / managed mode.
Code:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode Monitor
sudo ifconfig wlan0 up
fAircrack uses for capture
Code:
sudo airodump-ng --channel X --bssid BSSID --write FILE wlan0
for deauthentication
Code:
sudo aireplay-ng -0 10 -a BSSID wlan0
for authentication
Code:
sudo aireplay-ng -1 5 -q 10 -a BSSID -h MYMAC wlan0
for injection
Code:
sudo aireplay-ng -3 -b BSSID -h MYMAC wlan0
for interactive injection (since v0.46)
Code:
sudo aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b BSSID -h MYMAC wlan0
to crack WEP key
Code:
aircrack-ng -l KEYFILE CAPFILES
to crack WPA key using wordlist
Code:
aircrack-ng WORDLIST -l KEYFILE CAPFILES
to search for APs and clients
Code:
sudo airodump-ng -w FILE wlan0
Many thanks!
I've just noticed a thing: shouldn't it be:

aireplay-ng -1 0 -e [AP ESSID] -a [AP BSSID] -h [N900 MAC Address] wlan0

I mean, you must specify AP ESSID (name)?

I wrote once in Aircrack forum (look at the bottom):
http://forum.aircrack-ng.org/index.p...=3309.msg18601
asking why it was necessary specify network name, and they answered me it was part of the standards.
In fact, if ESSID is hidden, you must find it, first.
__________________
I'm Winston Wolf, I solve problems
 
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1125
Originally Posted by Estel View Post
Is it typo, or have I missed update? Your signature also list 0.45 as latest version. If 0.46 is available, could You please provide link and changelog?
---

As for test, I'll gladly do it after returning home

/Estel
Is not out yet (Update: check my sig ), there are a few tweaks I am looking at before publishing it. Anyhow, attached screenshot shows my system (KP49) put into monitor mode using airmon-ng start wlan0 and then running sudo aireplay-ng mon0 --test. All this without loading the bleeding edge drivers; seems like injection is working straight from kernel power. Let me know how your tests go. So beats me at the moment why all you guys need to load the bleeding edge drivers, on my system I have always had them in a different directory to the recommended ones, so that part has never worked for me, but I have always happily injected since KP46. Of course, I might be completely blindsided by the obvious, so am happy to hear from other people's experience.

Edit:When you run your test, make sure that it is from a freshly restarted unit. The way the injection drivers work is you replace kernel modules with the injection ones and then put back the plain vanilla drivers afterwards (so if you run KP that has the injection modules already included, you would be downgrading your system ).
Attached Images
 
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)

Last edited by StefanL; 2012-01-15 at 08:43.
 

The Following User Says Thank You to StefanL For This Useful Post:
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1126
Originally Posted by Mr Wolf View Post
Many thanks!
I've just noticed a thing: shouldn't it be:

aireplay-ng -1 0 -e [AP ESSID] -a [AP BSSID] -h [N900 MAC Address] wlan0

I mean, you must specify AP ESSID (name)?

I wrote once in Aircrack forum (look at the bottom):
http://forum.aircrack-ng.org/index.p...=3309.msg18601
asking why it was necessary specify network name, and they answered me it was part of the standards.
In fact, if ESSID is hidden, you must find it, first.
Your link is not working for me (fixed it - seems rather old, I guess, things have changed since 2008); and on a personal note, all APs etc are uniquely identifyable by their BSSID, but not their ESSID, hence I am guessing the BSSID method should be more reliable in identifying a particular unit (why use the two identifiers for the same thing?). Anyway, the command seems to work as is, I switched to using BSSIDs rather than ESSIDs to avoid the headache with APs with spaces and other special characters (ie. I spent a lot of time on this, just read back a few hundred posts or so ). I am happy for any testing and feed-back though, so thanks for your time. I have not yet tested for hidden ESSIDs discovery, still on my list. Edit:ESSID is only required for cracking, where the ESSID is part of the salt for the hashes, so that is another explanation, why the ESSID is not required for this case.
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)

Last edited by StefanL; 2012-01-15 at 08:46.
 

The Following 3 Users Say Thank You to StefanL For This Useful Post:
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1127
Latest update V 0.46 is finally attached below. In summary; this update has some more ui tweaks, fixes the new John version bug, adds interactive injection, adds cracking of WEP caps from multiple capture sessions, adds airolib-ng functions. Details as follows:

1) Added option for WPA decryption using user selectable airolib-ng generated database to speed up cracking U (This produces a rate of 2000 pwd/sec, compared to the John option 20 pwd/sec and word list option of also 20 pwd/sec on my set-up, this represents 100x improvement in the brute forcing step of checking the handshake against a known dictionary entry. However, the time it takes to produce this pwd database PMK pair is significant).
2) Added LibDb Tab to the Decrypt Tab to provide interface to airolib-ng functionality, specifically the following options:
--batch (WARNING: This may take a long time to finish +12hrs for 450k password file and 1 ESSID PMK calcs)
--clean all
--verify
--import essid (both user entered and from cap file name)
--import passwd (both user entered and from one per line password file)
This option creates the airolib-ng database pwddb in the diction subdirectory of the FAS directory.
3) Added interactive injection as per ssjtoma.
4) Minor UI update on the Monitor Tab now all buttons line up at the bottom.
5) Fixed use of John to be compatible with latest repository version of John.1.7.8 (also described here and here); previous version was John.1.7.7 jumbo (Note: APs with spaces currently don't work).
6) Minor UI change added display of AP signal strength on AP screen.
7) Minor UI change on Monitor Tab now Monitor Mode buttons are disabled if the wlan connection on the N900 is disabled and program will not hang anymore.
8) Enabled WEP crack of cap files from multiple session captures, ie. all APESSID-0x.cap files will now be used for cracking of WEP key, so no need to capture 50k ivs in a single session anymore.

Install version 0.3 from post no 1. in this thread (or any other working version), then apply my update. As per usual, make a back-up copy of the files to be replaced (Main.py, FAS.py, getinfo.sh, scan.sh, getmacmanaged.sh, getmacmonitor.sh, wepcaplist.sh, wpacaplist.sh, keylist.sh, john.sh), copy the archive to the FAS directory on your N900 and extract within xterm in the FAS directory.
Code:
tar -xzvf faircrack0.46.tar.gz
Enjoy

Note: Reaver and Walsh will be added in a future release, at the moment I am waiting for these tools to mature on my setup.

Note 2: Added screenshots to show new functionality / changes to previous version.
Attached Images
    
Attached Files
File Type: gz faircrack0.46.tar.gz (12.6 KB, 181 views)
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)

Last edited by StefanL; 2012-01-16 at 09:14. Reason: Update Info
 

The Following 5 Users Say Thank You to StefanL For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#1128
I must admit, that I thought You've ceased development of fAircrack, and was almost ready to end eternal duality of aircrack frontends on my device, uninstalling fAircrack in favor of "last man standing" Cleven. I know, shame on me - I hope honesty will help gaining excuse

Then, You've popped-up 0.46, bundled with amazing (especially, as for 0.01 version change) set of updates, including long-awaited features like interactive injection. Bang, fAircrack is back on game!

while catching up with Cleven as per features, fAircrack got unique advantage - I've caught myself, that I'm fire'ing fAircrack (even per older, less feature-complete version) more often than cleven, when it goes to "quick" things, like monitoring clients in neighborhood, broadcasting deauth, or just enabling/disabling monitor mode/injection - for one simple reason, fAircrack start up *much* faster. So fast, that even writing it by hand in terminal is slower, especially, when in move.

StefanL, Really - don't you think it's a high time to put it into repos? also, it's FOSS, so you can drop "disclaimer" tab without much regret. If You only can provide output from compiling enviroment - faircrack.tar.gz (code), faircrack.changes, and faircrack.dsc, i can push it to the repos for You, then, immediately, pass a maintainership status to You (yes, I've finally moved my a** and learned how to go through autobuilder).

fAircrack *really* deserves to be available through the repos. Trust me, many, many people would be happy - it have been few days since i uploaded TrueCrypt to repos, but it was already downloaded much more times, than when it was sitting *for months* in TMO thread (easily searchable) and some non-repos related site. Not to mention number of correct bug reports, constructive feature ideas, etc.

/Estel
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!

Last edited by Estel; 2012-01-14 at 23:42.
 

The Following 2 Users Say Thank You to Estel For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#1129
I've tested interactive injection - works like a charm. Was able to collect 70000 IVs in few minutes. aireplay-ng proposed correct packet after a 40 seconds or so. Also, using this method, package injection rate is higher - while collecting and resending at the same time, it fluctuate between 400-480. Interactive is on constant 499-500 ratio (capped somewhere, or what?)
---

So, now feature requets:

1. Would it be possible to add management of replay-*.cap files, that are created while injecting (both normal, interactive, or just capturing arp)? After some time of usage, they're trashing a lotta hell of space (be it bytes or just names) in place where they're saved, require manual deletion.

2. If we're talking about replay-*.cap management, would it be possible to allow using already saved ones against network? Would require listing them, and, after selecting one, a button to inject with it (could, for example, inject the network that is currently captured via airodump-ng).

3. minor thing - it seems that default time for "scan" set to 5 seconds is a little to low - most of the times it's not enough to even properly scan whole 1-13 channel range. I think that 10 seconds is good thing for default (personally, I almost always use 15 sec, but it's for, ekhm, 'debugging' purposes).

4. You probably knew that I would aks about it - what about reaver/walsh support?

/Estel

// Edit

Either I'm having 'bad luck', or there is something wrong with our implementation of interactive injection. As I wrote before, it succeed @ creating Ivs (data, when looking @ airodump-ng), and those IVs are accepted by aircrack-ng, I can't crack relatively short WEP pass (I always use the same for tests). It failed with 70 000 IV's, and was failing every time up to 160 000 IVs now. I'm still trying, but during many cracking attempts, I've never encountered such situation. I suspect that, for some reasons, capture IVs are wrong (airodump-ng capturing N900's crafted and injected ARP's, instead of those from AP itself, or what?)
---

Confirming - despite having <500 000 IVs, aircrack-ng is unable to crack this wep. It seems, that IVs generated by using our automatic interactive injection are utterly useless, due to some bug.
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!

Last edited by Estel; 2012-01-15 at 00:57.
 

The Following 2 Users Say Thank You to Estel For This Useful Post:
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#1130
Sometimes you will get false IVS. Not sure if router defence or just bad luck. Try getting 250K in few sessions, that helped in one such case for me. You're getting 500ivs/sec??? What ap power/cpu speed are you running?
 
Reply

Tags
aircrack, aircrack-ng, epicfacepalm, pen testing, rtfm dude!


 
Forum Jump


All times are GMT. The time now is 01:32.