AirSnort Installation
AirSnort ONLY works with Prism2 cards! Assuming you have one of these, and a *bsd installation, you must have the following available to build AirSnort:
System source code
bsd-airtools source-mods
AirSnort source
Before you can run AirSnort, you will need to patch your kernel with the source modifications provided in the bsd-airtools package. Please read source-mods/README and get your system patched before proceeding.
Assuming everything went well, AirSnort can now be built. This produces two executables, 'capture' and 'crack'. If everything went well, the section "Running AirSnort" is right for you. If anything failed (predictably), consult the appropriate package's documentation.
Running AirSnort
The first thing to be done to crack 802.11b is to get unmodified encrypted packets. This can be done by putting the card in a mode which gathers all WEP packets with their 802.11b frame header intact. This mode is known as procframe mode, and it can be entered by running 'dopromisc.sh', which is in the scripts directory. The channel in the script defaults to channel 6, but you may wish to change it if the network you are analyzing is on a different channel.
By default, dopromisc.sh is configured to run on a NetBSD system; if you are using a different BSD OS, you will want to comment out the netbsd line in dopromisc.sh and uncomment your corresponding OS's line for the script to function properly.
If you want to configure the NIC by hand, you will want to run the following, depending on your OS (assuming you want to sniff channel 9):
NetBSD:
wiconfig wi0 -p1
wiconfig wi0 -f9
wiconfig wi0 -F1
wiconfig wi0 -P0
ifconfig wi0 up
OpenBSD:
wicontrol wi0 -p1
wicontrol wi0 -f9
wicontrol wi0 -F1
wicontrol wi0 -P0
ifconfig wi0 up
FreeBSD:
wicontrol -i wi0 -p1
wicontrol -i wi0 -f9
wicontrol -i wi0 -F1
wicontrol -i wi0 -P0
ifconfig wi0 up
If the card is now in procframe mode, you can run 'capture'. The parameters to capture are simple: the -c switch presents a curses display of its progress, which is updated every second. The second, required parameter is a filename, which is where the captured packets are stored. If you are running capture in curses mode, the most important counter is "Interesting Packets." An interesting packet is one in which the second byte of the IV is FF.
At intervals, you will probably wish to try to crack the password with the data you have gathered. You can simply run the command 'crack' on the file generated by capture. It is intended that capture be run on one terminal while crack runs on another, once enough packets have been gathered.
The number of interesting packets needed to perform a successful crack depends on two things: luck and key length. Assuming that luck is on your side, the key length is the only important factor. For a key length of 128 bits, this translates to about 1500 packets. For other key lengths, assume 115 packets per byte of the key.
The only parameter to the crack program is the breadth of the tree search. For a discussion of the algorithm, how it affects runtime, and the relevant statistics, see the section "AirSnort Theory."
In any case, if the crack program believes it has a correct password, it checks the checksum of a random packet. If this is successful, the correct password is printed in ASCII and hex. If it is unsuccessful, an error message is printed, which will soon become painfully familiar to anyone who uses AirSnort for any extended period of time.
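As an added example (not AirSnort's own code), the following audit applies the README's "interesting packet" rule (second IV byte is FF) to WEP data frames and reports how many such IVs a network has leaked against the 115-packets-per-key-byte estimate above, which is how a defender checks whether legacy WEP equipment still emits weak IVs. The 802.11 frames are constructed inline; the frame layout (24-byte data header, then a 3-byte IV and a key-id byte when the Protected bit is set) is standard, while the frame contents and the field names are assumptions of this example.

```python
"""Weak-IV audit for WEP traffic using AirSnort's "interesting packet" rule.
Added example, not AirSnort source; sample frames below are constructed."""

MAC_HDR_LEN = 24          # 802.11 data frame header (3 addresses, no QoS)
FC_TYPE_DATA = 0x08       # frame control byte 0: type bits == 2 (data)
FC_PROTECTED = 0x40       # frame control byte 1: Protected (WEP) flag
PKTS_PER_KEY_BYTE = 115   # rule of thumb quoted in the README


def wep_iv(frame: bytes):
    """Return the 3-byte IV of a WEP-protected data frame, else None."""
    if len(frame) < MAC_HDR_LEN + 4:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != FC_TYPE_DATA or not (fc1 & FC_PROTECTED):
        return None
    return frame[MAC_HDR_LEN:MAC_HDR_LEN + 3]


def is_interesting(iv: bytes) -> bool:
    """AirSnort's criterion: the second byte of the IV is 0xFF."""
    return iv[1] == 0xFF


def audit(frames, key_bytes=13):
    """Count WEP frames and weak IVs seen; compare against the README's
    estimate of 115 weak IVs per key byte (13 bytes for a "128-bit" key)."""
    total = weak = 0
    for f in frames:
        iv = wep_iv(f)
        if iv is None:
            continue
        total += 1
        if is_interesting(iv):
            weak += 1
    needed = PKTS_PER_KEY_BYTE * key_bytes
    return {"wep_frames": total, "weak_ivs": weak, "needed": needed,
            "exposure": min(weak / needed, 1.0)}


def make_frame(iv: bytes, protected=True, body=b"\x00" * 8) -> bytes:
    """Build a minimal constructed 802.11 data frame carrying the given IV."""
    fc = bytes([FC_TYPE_DATA, FC_PROTECTED if protected else 0])
    hdr = fc + b"\x00\x00" + b"\x11" * 6 + b"\x22" * 6 + b"\x33" * 6 + b"\x00\x00"
    return hdr + iv + b"\x00" + body        # IV, key id, then ciphertext


SAMPLE = [make_frame(bytes([3, 0xFF, 0x42])),            # weak IV
          make_frame(bytes([4, 0xFF, 0x07])),            # weak IV
          make_frame(bytes([0x10, 0x20, 0x30])),         # ordinary IV
          make_frame(bytes([5, 0xFF, 0x00]), protected=False)]  # not WEP

if __name__ == "__main__":
    print(audit(SAMPLE))
```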