Saturday, January 12, 2008

Preparing for and using Airodump

As usual, before we start using airodump we must make preparations. If airodump is still running from the last post, press Ctrl-C to stop it. The next step will not work correctly while airodump is running.

Okay, we ran airodump and found our target AP (Access Point). I am going to use one of the connections shown in the snapshot from last post. If you take a look, there's a connection (which happens to be my own connection, but that's irrelevant) that is named 07B402920894 as shown in the ESSID column. That's the one I'm going to 'hack' into.

If you look again, you'll see that the BSSID (the AP's MAC address) is 00:12:0E:63:78:A7. You'll also notice that the AP is on channel 6, which is very important for us to know. The power is 47, which is good enough for our purposes. The encryption (ENC) is WEP, which is what we need it to be. There seems to be no data coming over the network, which means that without injection we could wait a month to collect enough data to crack the network key. Nobody has that kind of patience, so let's inject.

At the prompt in Konsole

Type : iwconfig rausb0 channel 6

Again, please substitute rausb0 with your network interface name. This puts our network card on the same channel as the AP, so that we can inject to it.


Now Type : airodump-ng --ivs --channel 6 --write firsthack rausb0

The only change from last time is that I added --channel 6 (or -c 6) so that airodump collects only on channel 6. You may not need it, since we already set the channel with iwconfig, but it's good practice anyway.

You should now see your connection and any other connections on channel 6. Because it's listening only on channel 6, you may even pick up connections that didn't show up last time. This is what my screen looks like now:



If the data amount is rising nicely, then you have an active connection, and depending on the activity you may have enough data in half an hour, or a couple of hours. Most connections use a 40-bit key, which is 10 hex digits long. I have found that I can usually crack that with about 10000 IVs, sometimes needing up to 30000 IVs. I don't enjoy waiting so long to crack the key, so I'm going to have to inject. If you like waiting, feel free to do so. If not, in the next post we'll start the injection process using aireplay.
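The post reads the airodump screen by eye: channel, ENC column, and the IV count. As an added example (my own, not code from the post), here is a small Python audit for an administrator checking their own networks. It parses the CSV summary that airodump-ng writes alongside a --write capture, lists how many APs sit on each channel, and flags every AP that is open or still on WEP, using the post's figure of about 10000 IVs as the point at which the traffic already captured is a concern in itself. The column layout and all three sample rows are constructed assumptions modelled on the post's values (the 07B402920894 AP on channel 6 with BSSID 00:12:0E:63:78:A7; the other two APs are invented); check the header line of your own file and adjust the names if they differ.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the shape of the CSV summary airodump-ng writes
# alongside a --write capture. The column layout is an assumption: compare
# it with the header line of your own file before relying on the names.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:12:0E:63:78:A7, 2008-01-12 10:00:01, 2008-01-12 10:31:45, 6, 54, WEP, WEP, , 47, 1204, 12890, 0.0.0.0, 12, 07B402920894, 
00:11:22:33:44:55, 2008-01-12 10:00:03, 2008-01-12 10:31:44, 6, 54, WPA2, CCMP, PSK, 38, 1180, 0, 0.0.0.0, 7, homenet, 
00:AA:BB:CC:DD:EE, 2008-01-12 10:00:05, 2008-01-12 10:31:40, 11, 11, OPN, , , 22, 900, 0, 0.0.0.0, 7, linksys, 
"""

# The post reports that a 40-bit WEP key usually falls with about 10000
# captured IVs and sometimes needs up to 30000; the lower figure is used
# here as the point at which captured traffic alone is already a concern.
WEP_IV_WARN = 10000


def parse_ap_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per access-point row, keyed by the header names."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = None
    rows: List[Dict[str, str]] = []
    for fields in reader:
        # skip blank separator lines
        if not any(f.strip() for f in fields):
            continue
        # the AP table starts at the "BSSID" header line
        if fields[0].strip() == "BSSID":
            header = [f.strip() for f in fields]
            continue
        # a real file continues with a station table ("Station MAC");
        # stop collecting rows once it starts
        if header is None or fields[0].strip() == "Station MAC":
            header = None
            continue
        rows.append({h: v.strip() for h, v in zip(header, fields)})
    return rows


def aps_per_channel(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count access points per channel (the post locks on channel 6)."""
    counts: Dict[str, int] = {}
    for ap in rows:
        ch = ap.get("channel", "")
        counts[ch] = counts.get(ch, 0) + 1
    return counts


def audit_aps(rows: List[Dict[str, str]], iv_warn: int = WEP_IV_WARN) -> List[Dict[str, object]]:
    """Flag access points whose link-layer security is absent or broken."""
    findings: List[Dict[str, object]] = []
    for ap in rows:
        privacy = ap.get("Privacy", "").upper()
        ivs = int(ap.get("# IV") or 0)
        if privacy.startswith("OPN"):
            risk = "open"          # no encryption at all
        elif privacy.startswith("WEP"):
            risk = "weak-crypto"   # WEP: the key is recoverable from traffic
        else:
            continue               # WPA/WPA2 are not flagged by this check
        findings.append({
            "essid": ap.get("ESSID", ""),
            "bssid": ap.get("BSSID", ""),
            "channel": int(ap.get("channel") or 0),
            "risk": risk,
            "ivs": ivs,
            # enough weak-keystream samples already on disk to matter
            "enough_ivs": risk == "weak-crypto" and ivs >= iv_warn,
        })
    return findings


if __name__ == "__main__":
    aps = parse_ap_table(SAMPLE_CSV)
    print("APs per channel:", aps_per_channel(aps))
    for f in audit_aps(aps):
        line = f"{f['bssid']} ch{f['channel']:>2} {f['essid']:<14} {f['risk']}"
        if f["enough_ivs"]:
            line += f" ({f['ivs']} IVs captured: move this AP to WPA2 now)"
        print(line)
```

Run it against a real file by replacing SAMPLE_CSV with the contents of the .csv that sits next to your firsthack capture; the WPA2 row is deliberately left out of the findings so the report only lists what needs fixing.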

4 comments:

crazy8 said...

When I run this all seems to work fine, but I notice that the channel keeps jumping all over the place rather than locking into the channel I specify in the command. Any ideas how to correct this?
Thanks

Miss Take said...

Did you do the previous command, i.e. iwconfig rausb0 channel 6?

crazy8 said...

Maybe I missed that. I know I did it in past times, but it seems to be working perfectly now. Thanks

Keep up the great work here

crazy8 said...

Sorry, I made a mistake. I was looking at the wrong AP. I couldn't see the ESSID of my routers in the terminal, so I was looking at my unsecured Linksys and not my secured D-Link that I use for this kind of stuff. Anyway, the channel was locked to the router (but what's with the numbers on the top right side of the terminal jumping around?). Well, the data packets that were increasing were from my unsecured router. So why wouldn't the data packets rise on the secured one?
If cards matter I use an internal Broadcom in my hp laptop and I also have a Hawking Technology USB wifi device.

Any ideas?