A. SCOPE

This tutorial is intended for users with little or no experience with linux or wifi. The folks over at remote-exploit have released Backtrack

Get it Remote-Exploit.org - Supplying offensive security products to the world

a tool which makes it ridiculously easy to access any network secured by WEP encryption. This tutorial aims to guide you through the process of using it effectively.
Required Tools
You will need a computer with a wireless adapter listed here
Download Backtrack and burn its image to a CD
B. OVERVIEW

BACKTRACK is a bootable live cd with a myriad of wireless and tcp/ip networking tools. This tutorial will only cover the included kismet and aircrack-ng suite of tools.

Tools Overview
Kismet - a wireless network detector and packet sniffer
airmon - a tool that can help you set your wireless adapter into monitor mode (rfmon)
airodump - a tool for capturing packets from a wireless router (otherwise known as an AP)
aireplay - a tool for forging ARP requests
aircrack - a tool for decrypting WEP keys
iwconfig - a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in monitor mode which is essential to sending fake ARP requests to the target router
macchanger - a tool that allows you to view and/or spoof (fake) your MAC address

Glossary of Terms
AP: Access Point: a wireless router
MAC Address: Media Access Control address, a unique id assigned to wireless adapters and routers. It comes in hexadecimal format (ie 00:11:ef:22:a3:6a)
BSSID: Access Point MAC address
ESSID: Access Points Broadcast name. (ie linksys, default, belkin etc) Some AP’s will not broadcast their name but Kismet may be able to detect it anyway
TERMINAL: MS-Dos like command line interface. You can open this by clicking the black box icon next to the start key in backtrack
WEP: short for Wired Equivalency Privacy, it is a security protocol for Wi-Fi networks
WPA: short for WiFi Protected Access. a more secure protocal than WEP for wireless networks. NOTE: this tutorial does not cover cracking WPA encryption

Since Backtrack is a live CD running off your cdrom, there is nowhere that you can write files to unless you have a linux partition on your hard drive or a usb storage device. Backtrack has some NTFS support so you will be able to browse to your windows based hard drive should you have one, but it will mount the partition as “read-only”. I dual boot windows and ubuntu on my laptop so I already have a linux swap partition and a reiserfs partition. Backtrack had no problem detecting these and mounting them for me. To find your hard drive or usb storage device, just browse to the /mnt folder in the file manager. Typically a hard drive will appear named something like hda1 or hda2 if you have more than one partition on the drive. Alternately hdb1 could show if you have more than one hard disk. Having somewhere to write files that you can access in case you need to reboot makes the whole process a little easier.
C. DISCLAIMER

Hacking into someone’s wireless network without permission is probably against the law. I wouldn’t recommend doing it. I didn’t break into anyone else’s network while learning how to do this .
D. IMPLEMENTATION

STEP 1
Monitoring Wireless Traffic With Kismet

Place the backtrack CD into your cd-rom drive and boot into Backtrack. You may need to change a setting in your bios to boot from cd rom. During boot up you should see a message like “Hit ctrl+esc to change bios settings”. Changing your first boot device to cdrom will do the trick. Once booted into linux, login as root with username: root password: toor. These are the default username and password used by backtrack. A command prompt will appear. Type startx to start KDE (a ‘windows’ like workspace for linux).

Once KDE is up and running start kismet by clicking on the start key and browsing to Backtrack->Wireless Tools -> Analyzers ->Kismet. Alternatively you can open a Terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely ‘ath0?, and sit back as kismet starts detecting networks in range.

NOTE: We use kismet for two reasons.

1. To find the bssid, essid, and channel number of the AP you are accessing.

2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point?) or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically.



While kismet detects networks and various clients accessing those networks you might want to type ’s’ and then ‘Q’ (case sensitive). This sorts all of the AP’s in your area by their signal strength. The default ‘autofit’ mode that kismet starts up in doesn’t allow you much flexibility. By sorting AP’s by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on. (side note: when selecting target AP keep in mind this tutorial only covers accessing host AP’s that use WEP encryption. In kismet the flags for encryption are Y/N/0. Y=WEP N=Open Network- no encryption 0= other: WPA most likely.)

Select the AP (access point) you want to access. Copy and paste the broadcast name(essid), mac address(bssid), and channel number of your target AP into a text editor. Backtrack is KDE based so you can use kwrite. Just open a terminal and type in ‘kwrite’ or select it from the start button. In Backtrack’s terminal to copy and paste you use shift+ctrl+c and shift+control+v respectively. Leave kismet running to leave your wireless adapter in monitor mode. You can also use airmon to do this manually.
airmon-ng -h
for more help with this

STEP 2
Collecting Data With Airodump

Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straight forward for help with this program you can always type “airodump-ng -h” at the command prompt for additional options.

airodump-ng ath0 -w /root/belkin 9 1

Breaking down this command:
ath0 is my wireless card
-w tells airodump to write the file to
/root//belkin
9 is the channel 9 of my target AP
1 tells airodump to only collect IVS - the data packets with the WEP key
STEP 3
Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0
-1 at the beginning specifies the type of attack. In this case we want fake authentication with AP. You can view all options by typing
aireplay-ng -h
0 specifies the delay between attacks
-e is the essid tag. belkin is the essid or broadcast name of my target AP. Linksys or default are other common names
-a is the bssid tag(MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
-h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address.
macchanger -s ath0
ath0 at the end is my wireless adapters device name in linux
STEP 4
Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0
NOTES:
-b requires the MAC address of the AP we are accessing.
-h is your wireless adapters MAC addy. You can use macchanger to view and change your mac address.
macchanger -s ath0
if packets are being collected at a slow pace you can type
iwconfig ath0 rate auto
to adjust your wireless adapter’s transmission rate. You can find your AP’s transmission rate in kismet by using the arrow keys up or down to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, ARP packets count will slowly increase. This may take a while if there aren’t many ARP requests from other computers on the network. As it runs however, the ARP count should start to increase more quickly. If ARP count stops increasing, just open up a new terminal and re-associate with the ap via step 3. There is no need to close the open aireplay terminal window before doing this. Just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?

Just reassociate with the AP following the instructions on step 3.
STEP 5
Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/belkin_slax_rcu-03.ivs

Change /mnt/hda2/home/belkin_slax_rcu-03.ivs to your file’s location

Once you have enough captured data packets decrypting the key will only take a couple of seconds. For my AP it took me 380k data packets. If aircrack doesn’t find a key almost immediately, just sit back and wait for more data packets.

If you get approx. 4,000 packets and ur desperate try wep_crack it works faster most the time

When you first boot up the new Backtrack 4, you may have noticed something slightly different. So what is this “Start BackTrack Forensics” option about?
Live CDs and Forensics

For a long time now, Linux Live CDs have been very useful for forensic acquisition purposes in instances where for one reason or another you can’t utilize a hardware write blocker. When configured not to automount drives, and a little bit of know how, a Linux Live CD can be a wonderful software write blocker. For a Linux live CD to be considered for this purpose however, it is of the utmost importance that the use of the live CD in no way alters any data in any manner. In the past, this ruled out the use of Backtrack for forensic purposes. Backtrack would automount available drives and utilize swap partitions where available. This could cause all sorts of havoc, changing last mount times, altering data on disk, and so on. Well, no longer! The Backtrack 4 Live CD has incorporated changes to allow a boot mode which is forensically clean. This is great news, as with Backtrack being such a popular live CD, a copy can often be found close at hand.
How?

So, lets have the scoop. Forensic people are often detail oriented and very conservative, so how do we know it is safe to use? Well, first off the Backtrack 4 Live CD is based off of Casper, and contains no filesystem automount scripts at all. The system initialization scripts have been altered in the forensic boot mode so that Backtrack 4 will not look for or make use of any swap partitions which are contained on the system. All those scripts have been removed from the system.
Verification

To test this functionality, we have tested this boot mode with multiple hardware configurations. For each test, we took a before MD5 snapshot of the system disks, booted BT4 in forensic boot mode, verified no file systems were mounted and swap was not in use, did a number of activities on the system, then shut the system back down and took an after MD5 snapshot. In comparing the two MD5 snapshots, in every case they were a match, demonstrating no changes on the disks has been made. So, can you trust Backtrack 4 for your forensic purposes? Well, not until you verify it as well! Just like any forensic tool, its negligent to just take someone else’s word that any tool works properly. Its up to you to independently verify the tool before you use it. We expect your results will match ours, and you will find Backtrack 4 is a great addition to you tool set. (And, if your results find a problem, please let us know ASAP and include details as to how you conducted your testing. As, that would be a real problem.)
Usage

When you utilize Backtrack for forensics purposes, be sure you don’t let it go through an unattended boot. Default boot for Backtrack is standard boot mode, which will use swap partitions if they are present. There is a nice long delay however, so you will have plenty of time to select the proper boot mode. Also, please remember, this is a Linux distribution. It is highly suggested that you become familiar with Linux before use this, or any other Linux Live CD for any forensic purpose. Also, be sure to check out the additional forensic tools added to Backtrack 4. We have concentrated on the addition of imaging and triage tools, but if you find that one of your favorite utilities is not in place please let us know so we can look into having it added.

Follow the basic install instructions here to get BackTrack installed in a VMware machine.

1. Log into BackTrack. To install the VMWare drivers, the kernel source and headers need to be in place. By default in the BackTrack 4 final release, the kernel (denoted by {version} ) is configured and ready. However in some cases, you might need to make sure you have the latest kernel sources by typing in:
apt-get update apt-get install linux-source cd /usr/src tar jxpf linux-source-{version}.tar.bz2 ln -s linux-source-{version} linux cd linux zcat /proc/config.gz > .config make scripts make prepare
2. Now that your kernel sources and headers are in place, run the “Install VMWare tools” for the specific guest VM.
3. Mount the VMWare tools virtual cd, copy over the VMWare tools package and run the installer:
mount /dev/cdrom3 /mnt/cdrom cp /mnt/cdrom/VMwareTools-{version}.tar.gz /tmp/ cd /tmp/ tar zxpf VMwareTools-{version}.tar.gz cd vmware-tools-distrib ./vmware-install.pl
4. Complete the VMWare tools installation as required. Run “fix-splash” to reintroduce the green framebuffer console. Reboot.

This method of getting a live install to a USB drive is the simplest available using Unetbootin. Note that we will format the USB drive and erase its contents.

1. Plug in your USB Drive (Minimum USB Drive capacity 2 GB)
2. Format the USB drive to FAT32
3. Download Unetbootin from http://unetbootin.sourceforge.net/
4. Start Unetbootin and select diskimage (use the backtrack-final ISO)
5. Select your USB drive and click “OK” for creating a bootable BackTrack USB drive
6. Log into BackTrack with the default username and password root / toor.