Writeups

• how to crack
  • http://www.smallnetbuilder.com/content/view/30114/98/ (WEP)
    http://www.smallnetbuilder.com/content/view/30278/98/ (WPA)
  • http://aircrack-ng.org/doku.php?id=simple_wep_crack (WEP)
    lots of other tutorials (WEP, WPA)
  • http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks (WEP, WPA)
• Wireshark is absolutely still useful, even though parts of the data is encrypted

Key steps (circa Feb 2008)

• buy an Atheros chipset card (or anything else supported by madwifi-ng) (~$25-50)
• download the BackTrack LiveCD, burn it, and boot into it (though there are other LiveCDs that include madwifi-ng as well)
• get the MadWifi-ng drivers up and working in monitor mode
• use aircrack-ng to list available networks; select the most useful network
• use aircrack-ng to try to brute-force of dictionary-attack the password of that network; if failed, go back to select another network

Getting madwifi-ng up and working with monitor mode

• run lsmod | grep ath_pci to make sure the madwifi kernel module is loaded (the madwifi userland tools should also be available)
• ifconfig ath0 down (repeat for any other madwifi-related interfaces: ath1, wifi0, ....)
• airmon-ng start wifi0
• run iwconfig to confirm one of the desired interfaces (eg. ath0, ath1, wlan0?) mentions "Mode:Monitor"
• optionally, you can also go through the trouble of running an injection test to make sure everything is absolutely working

Use the aircrack-ng suite to probe networks

• list available access points using airodump-ng
  (discussion with myself: Hey, wow, the AP with the best signal is coincidentally the one with the lowest security. Hey, wait! That's my access point! /me runs off to fix it)
• choose the one that's most likely to be crackable
  • WEP = super easy
  • WPA/WPA2 PSK = sometimes possible
  • WPA/WPA2 Radius / enterprise = NOT SUPPORTED by aircrack-ng

Wireshark display filters

• prism.channel.data == 6 — only include packets sucked up while we're monitoring channel 6 (NOTE: you need something in the background to be constantly rotating through the channels (eg. Kismet or airodump-ng) while you're capturing packets in Wireshark)
• wlan.fc.subtype != 8 — remove beacon packets
• wlan.fc.type_subtype != 4 — remove probe requests
• wlan.fc.type_subtype != 5 — remove probe responses
• wlan.fc.type_subtype == 32 — data packets only (same as wlan.fc.type == 2 && wlan.fc.subtype == 0)

Side-project: Is it possible to create a Wireshark display-filter for the specific packets I'm looking for?

• Kismet, client type = "T" ("To DS"): wlan.flags & 1
• Kismet, client type = "E" ("Established"): ??
• WPA-PSK initial association handshake: ??

Personal notes

• BackTrack likes to make available 16:10 modes ONLY. Blech. Alledgedly you can fix this by editing /etc/X11/xorg.conf, and then doing Logout>EndSession, but I haven't been able to get it to work.

TODO

1. buy an Atheros chipset card, per Aircrack-NG's suggestion (the TRENDnet TEW-443PI is reasonable for home-scanning... it's not optimal for wardriving, but then again, most PCMCIA cards don't have a decent detachable antenna)
2. get aircrack-ng working
3. locate and connect to at least two nearby networks that 1) I can connect to, 2) that's on Comcast cable, and 3) that I can read the SNMP data off of
   • TODO: run the "chop chop" and "fragmentation" attacks to see if I can get an XOR keystream file created for essid="2WIRE484" (that's running WEP but has no clients)
   • TODO: continue running Kismet, see if I can ever see anyone associating to the WPA/WPA2 APs nearby
   • if recurring manual scanning isn't enough to draw conclusions: set up some software that logs service problems in my cable modem and neighbors' cable modems, and allows me to compare the results
   • (optionally) go further, and try to quantify the extent that Comcast is throttling different connections based on what traffic is going over the various ones