This is a howto for hacking wireless networks secured with 64 or 128 bit WEP keys, discovering hidden SSID’s and spoofing (faking) MAC addresses with the Linksys WRT54G aand OpenWRT firrmware I also tried to give background info where needed.
When To Use This Howto
You should use this howto if you fit the following profile:
- You are a Windows User that is not afraid of installing alternative firmware on his or her by OpenWRT supported router. OpenWRT is a lean and mean version of Linux targetted for routers. If you are, try to buy a Wireless Network card that's supported by Aircrack for Windows.
- This Howto is specifically written for the WRT54G 3.1 router, lots of steps can be used for other routers as well.
- If you already have a Linux on your desktop, chances are that you can just install aircrack on that box.
- You have a Windows Computer with a network card that is incompatible with Aircrack-ng or Kismet (check if your card has native support, or if it has support using a Wildpackets driver. Here's is cool tool to check which chipset your card has. Note: in general there's no USB support.
General notes
- You should be able to execute all steps in this howto exactly as written out here if you have a Linksys WRT54G 3.1 Router (see the sticker at bottom of Router).
- I tried to crack networks nearby for demonstration purposes. You should always ask for consent from your neighbours in order to do this.
- This howto describes how to install the OpenWRT Whiterussian firmware. This firmware doesn’t support Airoplay-ng on the WRT54G’s Broadcom Wireless Chipset! This means packet injection won’t be available and you have to wait days instead of minutes before you can crack a key.
- Maybe Kamikaze, a newer version of OpenWRT that is still being improved, supports aeroplay on the WRT54G’s Broadcom BCM53xx chipset. However, I couldn’t be sure that Kamikaze firmware was compatible, so I didn’t try it. If somebody can confirm that it works, and even better, that it supports aeroplay, please leave a message. As far as I could find out other firmware for the WRT54G (like DD-WRT) also doesn’t support Aircrack-ng.
- Flashing your router can result in bricking up your router. If this happens: try to set up a LAN client to a static ip in the range of 192.168.0.x. Most simple way to recover is connecting to WRT54G's tftp daemon just after booting up. So, get a tftp client to logon to 192.168.0.1 (192.168.0.1 is the IP of the router before the firmware has initialized) just after the router boots and upload the original firmware from Linksys . By using the command: tftp -i 192.168.0.1 put <firmware>.bin
tftp is also a standard package in Vista Business. See this site for more detailed info about tftp. - If you follow this tutorial, your router isn't usable as an access point any more (until you reconfigure it).
The Game Plan
Wep is cracked by assembling IV packets send out by an access point. An IV package gives a little bit of info about the WEP key used. If you assemble enough IV's, you can use Aircrack to retrieve the key used. There's no way of telling if a key is 64 or 128 bit, so you must check for both lengths. Start with 64 bit, as this will be found faster (few minutes).
Airodump-ng is the crucial program that will run on the router to listen to AP's, it puts the IVS sniffed in IVS files. These files will can analyzed by Aircrack for windows. Or by Aircrack on the WRT, but because of the lack of storage on the WRT I used Windows to do the cracking. Also, my Windows CPU is faster that the one in the WRT (WRT runs on a 200 MHz CPU)
To get airodump working, we're going to install OpenWRT on the router and install Aircrack-ng, Kismet Client and Server. Kismet is usefull for unveiling hidden SSID's and client macadresses. The router must be set up in client mode so it can listen to networks.
Software needed
- Aircrack-ng 0.9.x for Windows – for cracking dump / IV files
- Macshift for Windows– for chanching your adapters MAC address
- OpenWRT-wrt546-jffs2.bin – to use as the WRT54G firmware
- Putty – Windows – A SSH Client for interaction with OpenWRT
- WinSCP – Windows – For easy file transfer from the router
The following packages on OpenWRT will be installed
- Aircrack-ng 0.5.x on OpenWRT – for capturing Wireless traffic and assembling IV packets
- Kismet Server on OpenWRT – for discovering hidden SSID, MAC Addresses of client and capturing IV packets.
- Kismet Client on OpenWRT – for analyzing Kismet Server files
- WL - tool for configuring the wireless network client
- Packages that the packages mentioned depend on.
Flash the WRT54G
First we’re going to flash the WRT. Make sure you have a LAN connection to the WRT54G. Use the exact firmware mentioned (OpenWRT-wrt54g-jffs2.bin). You can flash the router by using the Web Interface offered by the current firmware on the router. I flashed to OpenWRT from the web interface of alternative firmware ported from Sveasoft. You can also use tfp to flash the router.
Once done, the IP address of the router should be the same as it was before the flash, and you can visit it through the OpenWRT web interface. After logging in the first time you must set a password and reboot your system. After the reboot the router has formatted the filesystem into read/write mode. You should then also be able to login through SCP and SSH by using root as username combined with your password.
Set up the WRT54G in client mode
This section is copied from this site and edited where needed.
Remove the Firewall
The default firewall on OpenWRT provides some basic inbound firewalling and NAT on the WAN interface. I turned it off to prevent unwanted blocking in any way.
chmod 644 /etc/init.d/S45firewall
Set Hostname
Optionally, you can also set the hostname of the WRT:
nvram set wan_hostname=MyWrt
Network Configuration
Setup WAN Port
The WAN Port is the port at the back of the WRT that has Internet written above the port. It's a port like the rest, but it's in a separate VLAN.
At this point, I configured the WAN port with a valid IP address on my home network, to me to complete the configuration, and to give the WRT internet access via my network (for installing additional packages).
To configure the WAN (vlan1 interface) port, I used the following:
nvram set wan_proto=static
nvram set wan_ipaddr=192.168.3.2
nvram set wan_netmask=255.255.255.0
I wanted to avoid using a 192.168.0.x IP address, as this might conflict with a gateway I could possibly obtain from a DHCP server on my connected Windows Box from a cracked AP later on.
On my Windows Vista Box I set up ICS and changed the IP address of my LAN adapter to 192.168.3.1
Set a default gateway and DNS server:
nvram set wan_gateway=192.168.3.1
nvram set wan_dns=192.168.3.1
Commit the changes, and reboot:
nvram commit
reboot
The WAN port was then connected to my network card, and I could telnet to the WRT on the IP address I had given to the WAN interface.
Remove Bridge
The default OpenWrt configuration has the wireless interface bridged with the LAN ports. To allow routing and firewalling between these interfaces, the bridge needs to be be removed. At the same time, we'll also rename the LAN ports to vlan0:
nvram set lan_ifname=vlan0
nvram unset lan_ifnames
nvram is a tool to configure and add settings to control your router. Use this to see all the settings available:
nvram show | more
Setup LAN Interface
Now that the bridge has been removed, the LAN interface (vlan0) can be configured with a static IP address:
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.3.3
nvram set lan_netmask=255.255.255.0
Setup Wireless Interface
Similarly, the wireless interface (eth1) can be configured:
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.3.100
nvram set wifi_netmask=255.255.255.0
nvram set wifi_gateway=192.168.3.1
nvram set wifi_dns=192.168.3.1
Rather than relying on the WRT to use decide which antenna socket to use, we'll force it to only use the main antenna socket, located next to the power socket (-1=auto, 0=main, 1=aux, 3=diversity):
nvram set wl0_antdiv=0
Note that the antenna designations have changed in the various versions of the WRT. For earlier WRT54G/WRT54GS models, -1=auto, 0=main (next to power socket), 1=aux (next to reset button), 3=diversity.
Starting with WRT54G v2.0 and WRT54GS V1.1 these are reversed 0=main (next to reset button) and 1=aux (next to power jack).
Wireless Client Configuration
Set Client Mode
The wireless mode of the WRT can be set to ap (access point mode), sta (station/client mode), or wet (wireless ethernet bridge, ie, bridged client). As we're using it as a routed client, the mode gets set as follows:
nvram set wl0_mode=sta
When using sta or wet mode, you also need to specify if ad-hoc or infrastructure/managed mode is being used, with 0 used to specify ad-hoc mode, and 1 for managed mode:
nvram set wl0_infra=1
Set the ESSID
The ESSID of the wireless network to connect to needs to be specified:
nvram set wl0_ssid=SGNet
Save and Reboot
Before continuing, commit all changes, and reboot the WRT:
nvram commit
reboot
After the WRT has rebooted, verify that the configuration changes have been successfully applied. I connected to a normal LAN port from this point on instead of the WAN Port.
Testing Wireless Connectivity
Test your connection with a utility called wl. Check if it's already installed, otherwise Install wl using
ipkg install wl
ipkg is a tool the download packages from online repositories. If you don't have a internet connection on your WRT, you can upload the packages manually to your router using WinSCP.
If the package needed is is not found, change the packages repository URL in the following file. I used WinSCP to do stuff like this, since I'm used to visual navigation. So:
- browse to the file /etc/ipkg.config
- Edit and append the following line at the start of the file:
src whiterussian http://downloads.openwrt.org/backports/rc5
- Comment out the line of the existing src by putting a # in front of the line
- Save the file and again type ipkg install wl
Once installed, you can use wl to list all the wireless networks that are visible to your WRT, using
wl scan; sleep 1; wl scanresults
Assuming there is at least one wireless network visible, you should see output similar to
SSID: "SGNet"
Mode: Managed RSSI: -83 dBm noise: -94 dBm Channel: 13
BSSID: 00:0C:F1:96:C9:BD Capability: ESS
Supported Rates: [ 1(b) 2(b) 5.5(b) 11(b) ]
You can also use wl to join any wireless network, using
wl join SGNet
Package List
Assuming your WRT can access the internet, get it to update its ipkg database, and then retrieve a list of the available packages:
ipkg update
ipkg list
I updated the existing packages, it's consumed some extra space on the router, and I'm not sure if it was necessary.
Note: if you type
ipkg list_installed
You can see what packages are currently installed.
Re-configure WAN Port
The WAN port isn't required, and hence was configured for on-site administration, to provide a way to locally access the WRT for configuration, if required.
nvram set wan_proto=static
nvram set wan_ipaddr=192.168.1.1
nvram set wan_netmask=255.255.255.0
nvram unset wan_gateway
nvram unset wan_dns
Save and Test
These changes must be committed, and the WRT was rebooted to test the new configuration:
nvram commit
reboot
Install the cracking tools
Now install aircrack-ng, kismet client and server onto your WRT! Dependencies are installed automatically if needed.
Type:
ipkg install aircrack-ng
ikpg install kismet-server
ipkg install kismet-client
Check this if the packages are not found.
Remote Storage
The OpenWRT /tmp directory has 8 MB available for IV files. That’s not too much, so it would be nice to mount a Windows Share in OpenWRT. Unfortunately that did not work out for me. Here’s what I tried:
- Set up CIFS on White Russian. According to different fora I found, nobody succeeded in doing this.
- Set up a NFS in Windows Vista. OpenWRT is able to mount a NFS share. Since my Windows computer ran vista I tried to set up a NFS server through Cygwin. Cygwin has a learning curve of itself. Although I got everything up and running after trial and error, I couldn’t mount the NFS Share even in Cygwin and basically gave up on that.
The good news is that I found out that the 8 MB of storage is not too bad after all. If you download the IVS file from the /tmp directory every day or two, an delete it after that, airodump won’t run out of storage needed for the IVS files.
Running aircrack programs
From the aircrack-ng package on OpenWRT we’re going to use just one program: airodump-ng
Start this program by typing:
wl monitor 1
ifup prism0
airodump-ng --ivs --write wep out 7 prism0
Airodump doesn’t seem to listen to all options mentioned above very well. The options given should force airodump in just monitoring Wireless channel 7, in my case, it monitored every channel. Airodump will place the ivs output file in the /tmp directory.
You should so a output windows like this (I anonymized data)
Amount of IV needed
According to different fora, and the aircrack tool, about 250.000 packets are needed for a 64 bit wep key. I was able to crack two networks with less than 100.000 IV’s. Guess I was lucky. I read on different fora’s you need about 1 million IV’s to crack a 128 Bit key. Haven't tested that yet. I captured between 2000 and 5000 IVS an hour from WEP secured networks. So, you'll need anywhere between 2-7 days to crack a 64 bit WEP key without packet injection.
Crack the key with the help of the IV files
I used WinSCP to transport the IVS file to my Windows machine. After that I restarted airodump and got rid of the als IVS file on the WRT54G to prevent running out of space. In my case I needed to do this every 48 hours.
Aircrack-ng 0.9.x GUI in Windows offers the possibility to assemble input from many IVS and CAP/dump files.
After retrieving IVS files, follow these steps:
- In Windows start op Aircrack-ng GUI in the BIN directory.
- Select the IVS by choosing browse and selecting them.
- Choose 64 Bit, Choose Launch.
- Select the target network (check the .txt file associated with the IVS file for the SSID name)
- Wait a bit, in my case keys were found within 10 minutes or not at all.
- If necessary, retry with 128 Bit.
If you’re lucky you now have the key and you can login to the network. Cracking a 64 bit key should only last a few minutes. I can't give you data on 128 Bit.
Note: if I start Aircrack, my wireless network looses connection, quite odd.
Mac address spoofing and discovering hidden SSIDs
But what if you have the WEP key, and you cannot login to the network yet? Try changing your MAC address in that of a client that's already connected. In the .txt file associated with the IVS you can find some macaddresses of clients.
Kismet can help you get more information.
- Use Winscp to navigate to /etc/kismet/kismet.conf and choose edit.
- Now find the section File types to log. You can either log noting or choose to log dump files.
- You can use these dump files in aircrack, but they consume a lot of space.
- I’m not sure if I edited something in this file to make sure the dump file was stored in /tmp.
Now: open a SSH shell with Putty and type:
kismet_server
Open another SSH shell and type
kismet_client
Use the h commando after starting up the client to see all the options. If the server has run for a little while you’ll see hidden SSID showing up.
The cool thing is that Kismet will also tell the brand of the AP’s router. Now you can check if the default password has not been changed. Which was the case in three AP’s near to me.
Cool additional resources
Aircrack video. Mind you, not all steps shown are equal to the one described here.
RemotFileSystemHowTo. Didn't work out for me, but it should be possible.
Cygwin NFS Server HowTo. Again, good tutorial, but didn't work out for me.
That’s all there is to it! Hope you find my information useful!