[Maemo 5] FAS (FRuMMaGe Aircrack Script)
UPDATE 27/01/11:
I will no longer be working on this script. I have shifted my attention to fAircrack, a complete GUI for Aircrack. Link Here

Disclaimer: First things first, this script is only to be used to test your own network security. I am not responsible for:
> Damage to your phone
> Criminal convictions/fines
> Incidents in prison showers involving dropped soap and a tall stranger
In other words, use at your own risk and only for legitimate purposes. (And no, desperately needing to check your Facebook while in a local internet café without paying is NOT a legitimate purpose.)

Back when I used Ubuntu as my main OS (before I discovered the N900) I made a very simple shell script to automate many of the functions of the aircrack-ng suite. Since packet injection has now been brought to the N900 (thanks lxp), I have ported it to work in Maemo. I am currently working on a GUI for this, which will be MUCH more user friendly; however, this script is still far easier and faster than using aircrack directly (particularly for new users).

Features:
> Enabling/disabling monitor mode and the package injection drivers
> Scanning for APs with airodump
> Fake authentication with aireplay
> Package injection with aireplay
> Decryption with aircrack
> Changing MAC address (depends on macchanger being installed)
As well as WPA-specific functions such as:
> Deauthenticating clients (for handshake capturing)
> Bruteforcing with aircrack using wordlists (wordlists not included)
It is also capable of the following functions, but these have not yet been tested extensively since porting:
> Chopchop attack
> Fragmentation attack
> Building a custom ARP from the results of frag or chopchop
> Bombarding the AP with the custom ARP

Prerequisites:
> bleeding-edge packet injection wifi driver (easy tutorial)
> aircrack-ng suite
> macchanger (only if you would like to be able to change your MAC, which is useful if you cannot authenticate, as you can change your MAC to match an already authenticated client)

Setup: Make sure you save the tar to your MyDocs directory, then follow the following short code line-for-line.
Code:
    mkdir /home/user/MyDocs/FAS/
IMPORTANT! Switch your xterm font size to 10. If you don't, you will not be able to see the network ESSIDs in airodump.
To run the script, open xterm and type:
Code:
    cd MyDocs/FAS/

------------------------------------ WEP ----------------------------------------
WEP/WPA? This tutorial will focus on WEP encryption, as WPA will be extremely difficult to break, particularly on a portable device. I will explain why in the FAQ.

Setup: Once you open the script you will be greeted with a text-based menu with a number of options. Type '1' and then press enter to be taken to the WEP menu. From here, type '1' and enter to access the monitor mode screen. From this screen, you will need to activate the package injection drivers and then enable monitor mode (option 3 followed by option 1).

Capturing packets: Once back at the main menu, choose option 2. This will load airodump in a new window. From here, copy or write down the MAC address of the target access point and take note of its channel, then close the window. The script will now ask for the channel, MAC and write file. These must be separated by spaces (the write file can be anything). This will start airodump and start capturing packets; be sure to leave this window open until you are ready to crack the password.

Authentication: In order to successfully capture ARP requests (and relay them to the router for packet injection) you must authenticate with the access point. Simply enter the requested information separated by spaces to start the authentication. If the window closes, just open it again and retry, as it will not always authenticate (if you see a line saying something like "AID 1 :-)" then the authentication is successful). Keep this window open.

Package injection: Now for the fun part. :) From the main menu, select option 4 to begin listening for ACK/ARPs. After a certain amount of time (dependent on how much traffic the access point is currently receiving) you will see the ARP number start to skyrocket! This is what we are looking for. You should see a package injection rate of approximately 500pps! Keep this window open.

Checking IVs / Decryption: In order to check the current number of captured IVs, from the main menu select option 9. This will open up the window for aircrack. Choose option 1 to open the current cap file. After reading the cap file, it will display the number of IVs. If this number is less than around 50,000 then you may as well close this window and wait until you have captured more. If your luck is good and there is a decent amount of traffic, then you should generate 50,000 IVs in around 10-15 minutes. Follow the previous process when enough IVs have been captured to crack the WEP key. Don't be alarmed if the aircrack window closes; when the key is found it is saved in a text file in your MyDocs/FAC/keys/ folder.
---------------------------------------------------------------------------------

--------------------------------- WPA ----------------------------------------
Enable Monitor Mode: In WPA, you do not need to enable the injection drivers. From the first screen press 2 to go to WPA mode. From here, choose option 1 and then 1 again. If you want to switch between WEP and WPA mode, just type either "wep" or "wpa" from the main menu.

Scan for APs: Use option 2 from the WPA menu to scan for access points, then enter the channel, MAC and write file. Be sure to keep the following window open as you will need it to capture the WPA handshake (see FAQ).

Wait or Deauthenticate: You are now left with 2 options. In order to capture the handshake and subsequently crack the passphrase, you will need a client to genuinely authenticate with the access point. The options you have are:
1. Wait for a client to connect.
2. Use option 3 from the WPA menu to force a connected client to disconnect and reconnect. It will ask you for the access point MAC, the connected client's MAC and your interface (wlan0). This step will force the client to perform a new handshake, which will be captured. I find this method is successful approximately 50% of the time.
Once you have captured the handshake, a message will appear at the top right of your airodump window (to the right of the time and date and above the ESSIDs).

Bruteforcing: Option 4 from the WPA menu will bring you to the bruteforcing screen. For this step you will need to have copied a wordlist of your choice to your MyDocs/FAS/diction/ directory. From this menu, choose option 3 to list all installed wordlists and enter the name of the one you want to use. Now choose either option 1 (for the current cap) or 2 (to specify another cap). This is very unlikely to work unless the key is something very simple. See the FAQs for more info.
------------------------------------------------------------------------------------

FAQs

Q. It keeps asking me for a password. Wtf?
A. Make sure you installed the bleeding edge wifi drivers. Part of the installation involves installing a custom version of the v46 power kernel.

Q. What's an access point?
A. Wireless router.

Q. What will I use this for?
A. If you don't know the answer to that then you don't need it.

Q. Why do I keep receiving deauth packets when authenticating?
A. I assume this is due to router security. Try changing your MAC (from the main menu) to match a client that is already connected. You can find this from the already opened airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point. I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different and no matter how hard you try you may not be able to get into it. This script includes the settings that in my experience have been the most successful, but you may have better luck using aircrack directly and experimenting.

Q. Why is WPA so much harder to crack?
A. WEP encryption is weak. Each IV (initialization vector) contains a small portion of the key, so when enough of these are captured the key can be deciphered. WPA, however, is far more secure and cannot be "cracked". However, when an authenticated client connects to a WPA access point a "handshake" is generated. This handshake can be captured by airodump and aircrack can subsequently run a bruteforce dictionary attack against it, possibly finding the key (however, if the exact key is not in the dictionary, it will obviously not work). To capture the handshake you can either wait for a client to connect, or you can launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, allowing you to capture the handshake. However, a wordlist big enough to 100% GUARANTEE to crack an 8-digit alphanumeric case-sensitive WPA key would have up to 6277101735386680763835789423207666416102355444464034512896 different combinations. And this is WITHOUT symbols. On the same basis, a 64-digit WPA key would have up to 394020061963944792122790401001436138050797392704654466679482934042457217714972106114142662548849156408066279903068 16 different combinations. These wordlists would be thousands of terabytes in their totality. In short, it's possible but not feasible. Bear in mind that a device like the N900 could probably only check around 20-30 keys per second. The best you could do is capture the handshake with the N900, then use a desktop to attempt to crack the password. Realistically, the only way you are going to bruteforce a WPA key is if the person who the network belongs to (obviously you) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and take possibly years to break.
------------------------------------------------------------------------------------

Will add more FAQs when I think of some :p Please post any comments/problems and I will be happy to address them. Have fun :)
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
It just keeps asking me for a password when I am trying to do anything but option 1. I am using rootsh. Please help.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
At the moment for WPA I just place wordlists in the 'diction' folder, but I also integrated John the Ripper in the Ubuntu version to generate passwords on-the-fly. The N900 really would take an incredibly long time to break WPA, but it's useful to capture the handshake, then transfer to a PC for bruteforcing. Just fyi, in order to GUARANTEE to break an 8-digit case-sensitive hexadecimal alphanumeric WPA key, your wordlist would need to contain 62771017353866807638357894232076664161023554444640 different passphrases.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Bug: If I enter WPA mode and select 4 for bruteforce, then enter 1 for current cap, I'm thrown to the WEP menu.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
How do I get past the part where I'm prompted for a password in the window where I'm going to scan for APs?
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I'm dual booting between a v46 kernel and a v46 kernel with the bleeding edge wifi driver patch. Does that make a difference?
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I got this issue:
When I want to Load Injection Driver:
users not in the sudoers file This Incident will be reported.
Custom wl11251 module loaded (with injection) :)
Any step or stuff did I miss??? Thanks
P/S: I also successfully installed the wl1251 kernel. Multiboot: Normal, Power 46, power46-Wl, Gingerbread. It also asks me for a password... :confused:
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Great tool this is; I'll wait for the GUI personally just to make things easier, but can't wait to try it.
Please get a GUI on this asap, amazing work.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Amazing work dude, but I'd better wait for the GUI too.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I dunno man, I get this 'root is not in the sudoers file' message too. I can manually enable monitor mode and of course the power kernel is installed; just the sudo command doesn't work to run arbitrary programs. I'll try to figure out why...
I tried update-sudoers and it didn't help. I attached the sudoers file here in case someone can see the problem.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
*Yawn*
Futile effort. Been around a while and does it with more elegance - https://code.google.com/p/wifite/
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I didn't say it was the best, just that it was easier than the direct CLI for aircrack. I made this just as a bit of fun with Ubuntu and I figured it may help a few users out. To those suffering from the "not in sudoers file" message or getting a password prompt, I am sorry but I don't know what it could be. All I know is that it runs fine on my device. Perhaps a search could yield some results. As soon as a solution is found I will append it to the first post.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I already searched everything. I didn't want to say it before but I am pretty sure it should not work the way you've coded it on maemo...
This should fix it: http://maemo.org/downloads/product/Maemo5/sudser/ But you should really modify the scripts to not call sudo with every command; just run the whole thing after using sudo gainroot or rootsh.
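One way to apply the advice in this post (run the whole thing as root once instead of calling sudo for every command), as an added example that is not FAS or any project's code: a POSIX sh skeleton that checks its uid at startup and re-executes itself a single time under sudo (assumed to work, e.g. with sudser installed), so the aircrack-ng steps and any xterm windows it opens inherit root. The function names, the FAS_ELEVATED marker and the fas_root.sh file name are assumptions.

```shell
#!/bin/sh
# Added example, not FAS code: the "elevate once, then run everything as root"
# pattern suggested in this thread. Each Maemo xterm starts as the normal user,
# so a script that prefixes every aircrack-ng call with sudo hits a password
# prompt or "not in the sudoers file" in every window. Instead, the script
# checks its own uid when it starts and re-executes itself a single time under
# sudo (assumed to work, e.g. with sudser installed); the helper windows it
# opens are then children of that one root process and need no sudo at all.

# Print the command prefix needed to reach root: empty when uid is already 0.
# The uid is a parameter so the decision can be exercised without being root.
elevation_prefix() {
    if [ "$1" -eq 0 ]; then
        printf '%s' ''
    else
        printf '%s' 'sudo'
    fi
}

# Build the command line that opens a helper window (title "$1", command "$2")
# from the already-elevated script. Deliberately no sudo here.
window_cmd() {
    printf 'xterm -T "%s" -e sh -c "%s"' "$1" "$2"
}

# Re-execute this script under the elevation prefix exactly once. The
# FAS_ELEVATED marker (an assumed name) stops an endless re-exec loop if sudo
# returns without actually changing the uid; returns 1 in that case.
ensure_root() {
    prefix=$(elevation_prefix "$(id -u)")
    if [ -z "$prefix" ]; then
        return 0
    fi
    if [ "${FAS_ELEVATED:-0}" = 1 ]; then
        echo "still uid $(id -u) after sudo; check sudoers (sudser on Maemo)" >&2
        return 1
    fi
    # env carries the marker through sudo, which otherwise strips the environment
    exec $prefix env FAS_ELEVATED=1 "$0" "$@"
}

main() {
    ensure_root "$@" || exit 1
    # Everything from here on runs as root; open the scan window, for example.
    eval "$(window_cmd 'airodump' 'airodump-ng wlan0')" &
    wait
}

# Run main only when invoked as the script itself (assumed name fas_root.sh),
# so the functions can also be sourced or tested without touching sudo.
case "$0" in */fas_root.sh|fas_root.sh) main "$@" ;; esac
```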
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Such a program like that is awesome. I download mp3s and pics in minutes! But many times it doesn't respond.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
E.g.
    mv tst tst2 | sudo gainroot
will work rather well.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
So far as I'm concerned, go FRuMMaGe, good work fella :D Can't wait for the GUI.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Sorry for my English.
Thank you very much my friend, it is a good tool. I look forward to the GUI.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Sudser saved the day....Now the testing begins...
Thank youuuu
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Thanks for making the effort.
If you want an example of a very good GUI, have a look at wepcrackgui, unfortunately written in C#, using mono, so no reuse apart from the graphics/flows. But the UI is very good, flexible, better than the one from wifite (my opinion). Wifite does only one attack method at a time, wepcrackgui all 4 together. The (IV capture process) time difference might be negligible on a busy remote network, but on a low volume one it saved me some time :D Wifite might allow more batch-style network(s) cracking though, for cracking plenty of 'your own' networks at a time ;) https://sourceforge.net/projects/wepcrackgui/ Good luck, I'm sure there will be testers for it!
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Pardon me...
If we would like to add the dictionary for WPA/WPA2, which format should it be in? Thanks
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
As far as the sudo command goes, each xterm launched in Ubuntu was a child window and retained all directories and permissions of the parent. However, in Maemo each xterm is a completely new entity based in the /home/user directory and running as a normal user. I'll try rewriting the code to pipe it through to the sudo gainroot command as suggested earlier. Not in the mood now though; I just found out that my girlfriend of 3 years cheated on me, so I am a bit preoccupied.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I can't authenticate with my AP. I get authentication failed (code 1). What am I doing wrong?
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Thanks for all your hard work so far.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Sometimes I can crack a WEP in 10 minutes, other times it takes an hour, and other times it just doesn't happen.
Edit: Thanks Tiboric, my head's all over the place atm.
Edit 2: Just out of interest, how many people have succeeded in using this to crack a WEP?
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Sorry to hear about the girlfriend thingy! :(
As far as the script goes, I was unable to crack WEP using your script as it keeps asking me for the password. As far as I understand, every xterminal window in Maemo requires individual sudoing, right? In your script, can you somehow mention that when a new window is opened, you have to run root first? Thanks for this script though, amazing thing it is ;)
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I successfully cracked my WEP key. Quick question: when I start the auth I get the following message
"the interface MAC does not match the specified MAC". I'm using the hwid for wlan0 from ifconfig; is this correct? It still works though!
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
I still haven't, but I think I'm to blame for that at the moment. lol
Damn you, authentication....
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
After experimenting with changing my MAC, I still get the message so I guess it's normal behaviour.
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Hmmm, it seems that I have the power kernel (package name = enhanced linux kernel for power user, uname -a = 2.6.28.10power46-wl1). Your script keeps asking me for a password?? :confused:
When you've got time, reply to my question. Thanks :)
Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
Speaking of MACs, don't worry my friend, soon you will be a Mac-daddy and have a slew of ladies comin' to your address! Don't let silly people like her get you down, you deserve better! And you will have the WEP key to a new lady's heart, in an encryption no other man can crack! Just don't make too much GUI. ;)