[Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

UPDATE 27/01/11:
I will no longer be working on this script. I have shifted my attention to fAircrack, a complete GUI for Aircrack.

Link Here

Disclaimer:

First things first, this script is only to be used to test your own network security. I am not responsible for:
> Damage to your phone
> Criminal convictions/fines
> Incidents in prison showers involving dropped soap and a tall stranger

In other words, use at your own risk and only for legitimate purposes. (And no, desperately needing to check your facebook while in a local internet café without paying is NOT a legitimate purpose)

Back when I used Ubuntu as my main OS (before I discovered the N900) I made a very simple shell script to automate many of the functions of the aircrack-ng suite. Since packet injection has now been brought to the N900, (thanks lxp) I have ported it to work in Maemo.

I am currently working on a GUI for this, which will be MUCH more user friendly, however this script is still far easier and faster than using aircrack directly (particularly for new users).

Features:

> Enabling/disabling monitor mode and the package injection drivers
> Scanning for APs with airodump
> Fake authentication with aireplay
> Package injection with aireplay
> Decryption with aircrack
> Changing mac address (depends on macchanger being installed)

As well as wpa specific functions such as:
> Deauthenticating clients (for handshake capturing)
> Bruteforcing with aircrack using wordlists (wordlists not included)

It also is capable of the following functions, but these have not yet been tested extensively since porting:
> Chopchop attack
> Fragmentation attack
> Building a custom ARP from results of frag or chopchop
> Bombarding AP with custom ARP.

Prerequisites:

> bleeding-edge packet injection wifi driver (easy tutorial)
> aircrack-ng suite
> macchanger (only if you would like to be able to change your mac, which is useful if you cannot authenticate as you can change your mac to match an already authenticated client)

Setup:

Make sure you save the tar to your MyDocs directory, then follow the following short code line-for-line.
Instructions:

IMPORTANT! Switch your xterm font size to 10. If you don't then you will not be able to see the network essids in airodump

To run the script, open xterm and type:
Now, for those of you who are not familiar with aircrack, I will give a very basic tutorial of how to use this script on a standard wep network. This assumes that you have installed the injection drivers but have not yet activated them.

------------------------------------ WEP ----------------------------------------

WEP/WPA?

This tutorial will focus on wep encryption, as wpa will be extremely difficult to break, particularly on a portable device. I will explain why in the FAQ.

Setup:

Once you open the script you will be greeted with a text based menu with a number of options. Type '1' and then press enter to be taken to the wep menu. From here, type '1' and enter to access the monitor mode screen. From this screen, you will need to activate the package injection drivers and then enable monitor mode (option 3 followed by option 1).

Capturing packets:

Once back to the main menu choose option 2. This will load airodump in a new window. From here copy or write down the mac address of the target access point and take note of it's channel, then close the window.

The script will now ask for the channel, mac and write file. These must be seperated by spaces (the write file can be anything). This will start airodump and start capturing packets, be sure to leave this window open until you are ready to crack the password.

Authentication:

In order to successfully capture ARP requests (and relay them to the router for packet injection) you must authenticate with the access point. Simply enter the requested information separated by spaces to start the authentication. If the windows closes, just open it again and retry as it will not always authenticate (if you see a line saying something like "AID 1 :-)" then the authentication is successful). Keep this window open

Package injection:

Now for the fun part. :) From the main menu, select option 4 to begin listening for ACK/ARPs. After a certain amount of time (dependant on how much traffic the access point is currently receiving) you will see the ARP number start to skyrocket! This is what we are looking for. You should see a package injection rate of approximately 500pps! Keep this window open

Checking IVs / Decryption:

In order to check the current number of captured IVs, from the main menu select option 9. This will open up the window for aircrack. Choose option 1 to open the current cap file.

After reading the cap file, it will display the number of IVs. If this number is less than around 50,000 then you may as well close this window and wait until you have captured more. If your luck is good and there is a decent amount of traffic then you should generate 50,000 IVs in around 10-15 minutes.

Follow the previous process when enough IVs have been captured to crack the wep key. Don't be alarmed if the aircrack window closes, when the key is found it is saved in a text file in your MyDocs/FAC/keys/ folder.

---------------------------------------------------------------------------------

--------------------------------- WPA ----------------------------------------

Enable Monitor Mode

In WPA, you do not need to enable the injection drivers, from the first screen press 2 to go to WPA mode. From here, choose option 1 and then 1 again. If you want to switch between WEP and WPA mode, just type either "wep" or "wpa" from the main menu.

Scan for AP's

Use option 2 from the WPA menu to scan for access points, then enter the channel, mac and write file. Be sure to keep the following window open as you will need it to capture the WPA handshake (see FAQ)

Wait or Deauthenticate

You are now left with 2 options. In order to capture the handshake and subsequently crack the passphrase, you will need a client to genuinely authenticate with the access point. The options you have are:

1. Wait for a client to connect.

2. Use option 3 from the wpa menu to force a connected client to disconnect and reconnect. It will ask you for the access point mac, the connected client's mac and your interface (wlan0). This step will force the client to perform a new handshake which will be captured. I find this method is successful approximately 50% of the time.

Once you have captured the handshake, a message will appear at the top right of your airodump window (to the right of the time and date and above the ESSIDs).

Bruteforcing

Option 4 from the WPA menu will bring you to the bruteforcing screen. For this step you will need to have copied a wordlist of your choice to your MyDocs/FAS/diction/ directory. From this menu, choose option 3 to list all installed wordlists and enter the name of the one you want to use.

Now choose either option 1 (for the current cap) or 2 (to specify another cap).

This is very unlikely to work unless the key is something very simple. See the FAQs for more info.

------------------------------------------------------------------------------------

FAQs

Q. It keeps asking me for a password. Wtf?
A. Make sure you installed the bleeding edge wifi drivers. Part of the installation involves installing a custom version of the v46 power kernel.

Q. What's an access point?
A. Wireless router.

Q. What will I use this for?
A. If you don't know the answer to that then you don't need it.

Q. Why do I keep receiving deauth packets when authenticating?
A. I assume this is due to router security. Try changing your mac (from the main menu) to match a client that is already connected. You can find this from the already opened airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point.
I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different and no matter how hard you try you may not be able to get into it. This script includes the settings that in my experience have been the most successful, but you may have better luck using aircrack directly and experimenting.

Q. Why is WPA so much harder to crack?
A. WEP encryption is weak. Each IV (initialization vector) contains a small portion of the key, so when enough of these are captured the key can be deciphered. WPA however is far more secure and cannot be "cracked". However, when an authenticated client connects to a WPA access point a "handshake" is generated. This handshake can be captured by airodump and aircrack can subsequently run a bruteforce dictionary attack against it, possibly finding the key (however if the exact key is not in the dictionary, it will obviously not work). To capture the handshake you can either wait for a client to connect, or you can launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, allowing you to capture the handshake.

However, a word list big enough to 100% GUARANTEE to crack an 8-digit alphanumeric case-sensitive wpa key would have up to 62771017353866807638357894232076664161023554444640 34512896 different combinations. And this is WITHOUT symbols.

On the same basis, a 64-digit wpa key would have up to 39402006196394479212279040100143613805079739270465 44666794829340424572177149721061141426625488491564 0806627990306816 different combinations.

These wordlists would be thousands of terabytes in their totality.

In short, it's possible but not feasible. Bearing in mind that a device like the N900 could probably only check around 20-30 keys per second. The best you could do is capture the handshake with the N900 then use a desktop to attempt to crack the password.

Realistically, the only way you are going to bruteforce a wpa key is if the person who the network belongs to (obviously you ) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and take possibly years to break.

------------------------------------------------------------------------------------

Will add more FAQs when I think of some :p

Please post any comments/problems and I will be happy to address them.

Have fun :)

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

i just keeps asking me for a password when i am trying to do anything but the 1 option. I am using rootsh. please help

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Sounds like the sudo command is needing a password from you. Have you installed the bleeding-edge wifi drivers yet? Part of the installation requires you to install the power kernel v46 which will solve this issue

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Are u interested in a fast radix-trie like kart-trie? it's used to build and search a dictionaray in log(k). i have written it in php tough. which language do u prefer?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

You mean for WPA cracking? I've never used php before.

At the moment for WPA a just place wordlists in the 'diction' folder, but I also integrated John the Ripper in the Ubuntu version to generate passwords on-the-fly.

The N900 really would take an incredibly long time to break WPA but it's useful to capture the handshake, then transfer to a pc for bruteforcing.

Just fyi, in order to GUARANTEE to break an 8 digit case-sensitive hexidecimal alphanumeric WPA key your wordlist would need to contain 62771017353866807638357894232076664161023554444640 different passphrases

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Bug: If I enter WPA mode and select 4 for bruteforce, then enter 1 for current cap I'm thrown to the WEP menu.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

how do i get pass the part where im prompted for password in the window where im gonna scan for AP

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

It is because you havent specified a dictionary with option 3. Place your desired wordlists into the MyDocs/FAS/diction/ directory and use option 3 from the bruteforcing menu to specify it.

This shouldn't happen if you have installed the bleeding edge wifi drivers as it requires the installation of power kernel v46 which solves this problem for you

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I have installed the bleeding edge wifi drivers and power kernel v46
Im dual booting between a v46 kernel and v46 kernel with bleeding edge wifi driver patch.. Does that make a difference?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

i got this issue:

When i want to Load Injection Driver.

users not in the sudoers file This Incident will be reported.

Custom wl11251 module loaded (with injection) :)

Any step or stuff did i miss???

Thanks

P/S:

i also successfully installed the wl1251 kernel.

Multiboot
Normal
Power 46
power46-Wl
Gingerbread

It also asking me password...:confused:

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

great tool this is, ill wait for the GUI personally just to make things esier, but cant wait to try it

Please get GUI on this asap, amazing work

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

amazing work dude but i better wait for the GUI to

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I am having the same issue. The load.sh script is running "sudo sh load.sh", but I can't prefix commands with "sudo". I have to run "sudo gainroot" first...


I installed the power46 kernel when I installed this driver (and selected it when I rebooted), but I am still getting this. I take it this script is supposed to be run as user, and it gets root privileges for anything that needs it?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

i dunno man, i get this 'root is not in the sudoers file' message too, i can manually enable monitor mode and of course power kernel is installed. just the sudo command doesn't work to run arbitrary programs. i'll try to figure out why...

i tried update-sudoers and it didn't help, i attached the sudoers file here in case someone can see the problem.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

*Yawn*

Futile effort.

Been around a while and does it with more elegance - https://code.google.com/p/wifite/

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

What does this means?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Well thanks.

I didn't say it was the best, just that it was easier than direct cli for aircrack. I made this just as a bit of fun with Ubuntu and I figured it may help a few users out.

To those suffering from the "not in sudoers file" or getting a password prompt, I am sorry but I don't know what it could be. All I know is that it runs fine on my device. Perhaps a search could yeild some results.

As soon as a solution is found I will append it to the first post.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I already searched everything. I didn't want to say it before but I am pretty sure it should not work the way you've coded it on maemo...
This should fix it:
http://maemo.org/downloads/product/Maemo5/sudser/
But you should really modify the scripts to not call sudo with every command, just run the whole thing after using sudo gainroot or rootsh.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I love it, but so darn slow... i know because its java,

such a program like that is awesome. i download mp3s and pics in minutes!

but many times it doesnt repsonde

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I just ported it from Ubuntu. I tried gainroot before but each seperate xterm windows counts as a new one with no root priviliges

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I found piping to it works.

Eg.

mv tst tst2 | sudo gainroot

Will work rather well.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Sudser fixed the password error for me.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Thats simply the kind of post that turns people from wanting to work and code something into just another "ah **** it, why should I bother" person. Anyone can criticise, but don't simply make it negative, your post was non-value added and worthless.

So far as I'm concerned, go FRuMMaGe, good work fella :D can't wait for the GUI.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

sorry for my English.
Thank you very much my friend, is a good tool.
I look forward to him GUI

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Sudser saved the day....Now the testing begins...

Thank youuuu

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

thanks for making the effort.
If you want an example of a very good gui, have a look at wepcrackgui, unfortunately written in C#, using mono, so no reuse, apart from the graphics/flows.

But the UI is very good, flexible, better than the one from wifite (my opinion). Wifite does only one attack method at a time, wepcrackgui all 4 together.

The (IV capture process) time difference might be neglect-able on a busy remote network but on a low volume one it saved me some time :D

Wifite might allow more batch style network(s) cracking though, for cracking plenty of 'your own' networks at a time ;)

https://sourceforge.net/projects/wepcrackgui/

Good luck, I'm sure there will be testers for it !

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

pardon me...


If we would like to add to add
The Dictionary for the WPA/Wpa2 should be in which/what format?

Thanks

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Any plain text format is fine. I use .lst dictionaries but .txt work just as well.

As far as the sudo command goes, each xterm launched in ubuntu was a child window and retained all directories and permissions of the parent. However in Maemo, each xterm is a completely new entity based in the /home/user directory and as a normal user.

I'll try rewriting the code to pipe it through to the sudo gainroot command as suggested earlier. Not in the mood now though, I just found out that my girlfriend of 3 years cheated on me so I am a bit preoccupied

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I can't authenticate with my AP.. i get authentication failed (code 1). What am i doing wrong?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

WOW that's harsh, sorry dude. she don't appreciate you like we do!

Thanks for all your hard work so far.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

As i said, each AP is different. It probably has mac address filtering on. Try installing macchanger from the repos then use option 10 to change your mac to the same as an already connected client. The airodump window will show you all connected clients and their mac addresses.

Sometimes I can crack a wep in 10 minutes, other times it takes an hour, and other times it just doesnt happen.

Edit: Thanks Tiboric, my heads all over the place atm

Edit 2: Just out of interest, how many people have succeeded in using this to crack a wep?

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

sorry to hear about the girlfriend thingy! :(

as far for the script.. i was unable to crack wep using ur script as it keep asking me for the password. as far as i understand.. every xterminal window in maemo require individual sudoing right? in your script, can you somehow mention it that when a new window is opened, run root first?

thanks for this script though.. amazing thing it is ;)

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I successfully cracked my WEP key. Quick question: when I start the auth I get the following message
"the interface MAC does not match the specified MAC"

I'm using the hwid for wlan0 from ifconfig, is this correct?

It still works though!

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

I still haven't, but I think I'm to blame for that at the moment. lol
dam you authentication....

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

After experimenting with changing my MAC, I still get the message so I guess it's normal behaviour.

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Means the mac you specified in the auth window does not match the actual mac of your interface

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

hmmm it seems that i have power kernel (package name=enhanced linux kernel for power user, uname -a=2.6.28.10power46-wl1) your script keeps asking me for password ?? :confused:
when you got time reply to my question. thanks :)

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

thanks! :)

Re: [Maemo 5] FAS (FRuMMaGe Aircrack Script)
 

Speaking of Macs, don't worry my friend, soon you will be a Mac-daddy and have a slew of ladies comin' to your address!

Don't let silly people like her get you down, you deserve better! And you will have the WEP Key to a new lady's heart! in an encryption no other man can crack!

Just don't make too much GUI.

;)