Notices

UPDATE 27/01/11:
I will no longer be working on this script. I have shifted my attention to fAircrack, a complete GUI for Aircrack.

Link Here

Disclaimer:

First things first, this script is only to be used to test your own network security. I am not responsible for:
> Damage to your phone
> Criminal convictions/fines
> Incidents in prison showers involving dropped soap and a tall stranger

In other words, use at your own risk and only for legitimate purposes. (And no, desperately needing to check your facebook while in a local internet café without paying is NOT a legitimate purpose)

Back when I used Ubuntu as my main OS (before I discovered the N900) I made a very simple shell script to automate many of the functions of the aircrack-ng suite. Since packet injection has now been brought to the N900, (thanks lxp) I have ported it to work in Maemo.

I am currently working on a GUI for this, which will be MUCH more user friendly, however this script is still far easier and faster than using aircrack directly (particularly for new users).

Features:

> Enabling/disabling monitor mode and the package injection drivers
> Scanning for APs with airodump
> Fake authentication with aireplay
> Package injection with aireplay
> Decryption with aircrack
> Changing mac address (depends on macchanger being installed)

As well as wpa specific functions such as:
> Deauthenticating clients (for handshake capturing)
> Bruteforcing with aircrack using wordlists (wordlists not included)

It also is capable of the following functions, but these have not yet been tested extensively since porting:
> Chopchop attack
> Fragmentation attack
> Building a custom ARP from results of frag or chopchop
> Bombarding AP with custom ARP.

Prerequisites:

> bleeding-edge packet injection wifi driver (easy tutorial)
> aircrack-ng suite
> macchanger (only if you would like to be able to change your mac, which is useful if you cannot authenticate as you can change your mac to match an already authenticated client)

Setup:

Make sure you save the tar to your MyDocs directory, then follow the following short code line-for-line.
Instructions:

IMPORTANT! Switch your xterm font size to 10. If you don't then you will not be able to see the network essids in airodump

To run the script, open xterm and type:
Now, for those of you who are not familiar with aircrack, I will give a very basic tutorial of how to use this script on a standard wep network. This assumes that you have installed the injection drivers but have not yet activated them.

------------------------------------ WEP ----------------------------------------

WEP/WPA?

This tutorial will focus on wep encryption, as wpa will be extremely difficult to break, particularly on a portable device. I will explain why in the FAQ.

Setup:

Once you open the script you will be greeted with a text based menu with a number of options. Type '1' and then press enter to be taken to the wep menu. From here, type '1' and enter to access the monitor mode screen. From this screen, you will need to activate the package injection drivers and then enable monitor mode (option 3 followed by option 1).

Capturing packets:

Once back to the main menu choose option 2. This will load airodump in a new window. From here copy or write down the mac address of the target access point and take note of it's channel, then close the window.

The script will now ask for the channel, mac and write file. These must be seperated by spaces (the write file can be anything). This will start airodump and start capturing packets, be sure to leave this window open until you are ready to crack the password.

Authentication:

In order to successfully capture ARP requests (and relay them to the router for packet injection) you must authenticate with the access point. Simply enter the requested information separated by spaces to start the authentication. If the windows closes, just open it again and retry as it will not always authenticate (if you see a line saying something like "AID 1 :-)" then the authentication is successful). Keep this window open

Package injection:

Now for the fun part. From the main menu, select option 4 to begin listening for ACK/ARPs. After a certain amount of time (dependant on how much traffic the access point is currently receiving) you will see the ARP number start to skyrocket! This is what we are looking for. You should see a package injection rate of approximately 500pps! Keep this window open

Checking IVs / Decryption:

In order to check the current number of captured IVs, from the main menu select option 9. This will open up the window for aircrack. Choose option 1 to open the current cap file.

After reading the cap file, it will display the number of IVs. If this number is less than around 50,000 then you may as well close this window and wait until you have captured more. If your luck is good and there is a decent amount of traffic then you should generate 50,000 IVs in around 10-15 minutes.

Follow the previous process when enough IVs have been captured to crack the wep key. Don't be alarmed if the aircrack window closes, when the key is found it is saved in a text file in your MyDocs/FAC/keys/ folder.

---------------------------------------------------------------------------------

--------------------------------- WPA ----------------------------------------

Enable Monitor Mode

In WPA, you do not need to enable the injection drivers, from the first screen press 2 to go to WPA mode. From here, choose option 1 and then 1 again. If you want to switch between WEP and WPA mode, just type either "wep" or "wpa" from the main menu.

Scan for AP's

Use option 2 from the WPA menu to scan for access points, then enter the channel, mac and write file. Be sure to keep the following window open as you will need it to capture the WPA handshake (see FAQ)

Wait or Deauthenticate

You are now left with 2 options. In order to capture the handshake and subsequently crack the passphrase, you will need a client to genuinely authenticate with the access point. The options you have are:

1. Wait for a client to connect.

2. Use option 3 from the wpa menu to force a connected client to disconnect and reconnect. It will ask you for the access point mac, the connected client's mac and your interface (wlan0). This step will force the client to perform a new handshake which will be captured. I find this method is successful approximately 50% of the time.

Once you have captured the handshake, a message will appear at the top right of your airodump window (to the right of the time and date and above the ESSIDs).

Bruteforcing

Option 4 from the WPA menu will bring you to the bruteforcing screen. For this step you will need to have copied a wordlist of your choice to your MyDocs/FAS/diction/ directory. From this menu, choose option 3 to list all installed wordlists and enter the name of the one you want to use.

Now choose either option 1 (for the current cap) or 2 (to specify another cap).

This is very unlikely to work unless the key is something very simple. See the FAQs for more info.

------------------------------------------------------------------------------------

FAQs

Q. It keeps asking me for a password. Wtf?
A. Make sure you installed the bleeding edge wifi drivers. Part of the installation involves installing a custom version of the v46 power kernel.

Q. What's an access point?
A. Wireless router.

Q. What will I use this for?
A. If you don't know the answer to that then you don't need it.

Q. Why do I keep receiving deauth packets when authenticating?
A. I assume this is due to router security. Try changing your mac (from the main menu) to match a client that is already connected. You can find this from the already opened airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point.
I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different and no matter how hard you try you may not be able to get into it. This script includes the settings that in my experience have been the most successful, but you may have better luck using aircrack directly and experimenting.

Q. Why is WPA so much harder to crack?
A. WEP encryption is weak. Each IV (initialization vector) contains a small portion of the key, so when enough of these are captured the key can be deciphered. WPA however is far more secure and cannot be "cracked". However, when an authenticated client connects to a WPA access point a "handshake" is generated. This handshake can be captured by airodump and aircrack can subsequently run a bruteforce dictionary attack against it, possibly finding the key (however if the exact key is not in the dictionary, it will obviously not work). To capture the handshake you can either wait for a client to connect, or you can launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, allowing you to capture the handshake.

However, a word list big enough to 100% GUARANTEE to crack an 8-digit alphanumeric case-sensitive wpa key would have up to 62771017353866807638357894232076664161023554444640 34512896 different combinations. And this is WITHOUT symbols.

On the same basis, a 64-digit wpa key would have up to 39402006196394479212279040100143613805079739270465 44666794829340424572177149721061141426625488491564 0806627990306816 different combinations.

These wordlists would be thousands of terabytes in their totality.

In short, it's possible but not feasible. Bearing in mind that a device like the N900 could probably only check around 20-30 keys per second. The best you could do is capture the handshake with the N900 then use a desktop to attempt to crack the password.

Realistically, the only way you are going to bruteforce a wpa key is if the person who the network belongs to (obviously you ) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and take possibly years to break.

------------------------------------------------------------------------------------

Will add more FAQs when I think of some

Please post any comments/problems and I will be happy to address them.

Have fun

i just keeps asking me for a password when i am trying to do anything but the 1 option. I am using rootsh. please help

Sounds like the sudo command is needing a password from you. Have you installed the bleeding-edge wifi drivers yet? Part of the installation requires you to install the power kernel v46 which will solve this issue

Are u interested in a fast radix-trie like kart-trie? it's used to build and search a dictionaray in log(k). i have written it in php tough. which language do u prefer?

You mean for WPA cracking? I've never used php before.

At the moment for WPA a just place wordlists in the 'diction' folder, but I also integrated John the Ripper in the Ubuntu version to generate passwords on-the-fly.

The N900 really would take an incredibly long time to break WPA but it's useful to capture the handshake, then transfer to a pc for bruteforcing.

Just fyi, in order to GUARANTEE to break an 8 digit case-sensitive hexidecimal alphanumeric WPA key your wordlist would need to contain 62771017353866807638357894232076664161023554444640 different passphrases

Bug: If I enter WPA mode and select 4 for bruteforce, then enter 1 for current cap I'm thrown to the WEP menu.

how do i get pass the part where im prompted for password in the window where im gonna scan for AP

It is because you havent specified a dictionary with option 3. Place your desired wordlists into the MyDocs/FAS/diction/ directory and use option 3 from the bruteforcing menu to specify it.

This shouldn't happen if you have installed the bleeding edge wifi drivers as it requires the installation of power kernel v46 which solves this problem for you

I have installed the bleeding edge wifi drivers and power kernel v46
Im dual booting between a v46 kernel and v46 kernel with bleeding edge wifi driver patch.. Does that make a difference?

i got this issue:

When i want to Load Injection Driver.

users not in the sudoers file This Incident will be reported.

Custom wl11251 module loaded (with injection)

Any step or stuff did i miss???

Thanks

P/S:

i also successfully installed the wl1251 kernel.

Multiboot
Normal
Power 46
power46-Wl
Gingerbread

It also asking me password...