Step 3 - Find Target WLAN
Now that the card is in monitor mode, we can scan for wireless networks. In real life, someone trying to break into a wireless network would first have to discover this information themselves. Professionals who do penetration testing of networks describe this as a "zero knowledge" attack, for obvious reasons.
We are looking for APs using WEP encryption that have at least one active client connected. The attached client is important, since you'll need the MAC address of a client for the ARP Replay attack that will be used to stimulate traffic later. If the AP doesn't have any attached clients, move on to another.
We'll need three pieces of information in order to capture enough traffic for aircrack to work on:
- MAC address / BSSID of the target AP
- MAC address / BSSID of a STA associated to the target AP
- The channel in use by the target AP and STA
There are many ways to scan for wireless LANs, including the popular Kismet, which is also included in BT2. But as a program separate from the aircrack suite, Kismet has its own WLAN adapter requirements. To keep things simple, we're going to use airodump-ng, which is just fine for what we need to do.
Start airodump-ng by typing:
airodump-ng --ivs --write capturefile ath0
The --ivs option writes only the captured IVs (the part of the traffic needed for WEP cracking) to files with the prefix given by the --write switch, here "capturefile". Note that the double hyphens (--) are not typos, but the more readable long form of the airodump-ng command switches.
This command starts airodump-ng scanning all 2.4 GHz channels with the Atheros wireless card (ath0). Figure 4 shows a typical result.
What's an IV?
WEP uses an Initialization Vector (IV) along with the user-entered "shared secret" key to produce a different RC4 key for each encrypted packet.
The reasons why WEP can be cracked boil down to:
- The IV is sent in cleartext, which makes it easily readable.
- The keystream generated by RC4 is slightly biased in favor of certain sequences of bytes.
- The statistics for the first few bytes of output keystream are strongly non-random, "leaking" information about the key.
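The three points in the sidebar can be seen in a few lines of code. The following is an added illustration, not code from the original article or from the aircrack-ng project: it implements plain RC4, builds the WEP per-packet key exactly as the standard does (24-bit IV prepended to the 40- or 104-bit shared secret), lays out a WEP frame body so that the IV is visibly in cleartext, and measures the well-known Mantin-Shamir bias (the second keystream byte is zero about twice as often as it should be). The sample IV, key and plaintext are constructed values; the ICV is the standard CRC-32 over the plaintext.

```python
import random
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP's per-packet RC4 key is just IV || shared secret (40-bit or 104-bit key)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return iv + shared_key


def wep_encrypt_frame(iv: bytes, shared_key: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV (3 bytes, cleartext) | key-id byte | RC4(plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    data = plaintext + icv
    ks = rc4_keystream(wep_packet_key(iv, shared_key), len(data))
    key_id_byte = bytes([(key_id & 0x03) << 6])   # key index in the top two bits, rest zero
    return iv + key_id_byte + bytes(p ^ k for p, k in zip(data, ks))


def iv_from_frame(frame: bytes) -> bytes:
    """Point 1 of the sidebar: the IV is readable by anyone who sees the frame."""
    return frame[:3]


def wep_decrypt_frame(frame: bytes, shared_key: bytes) -> bytes:
    """Recover the plaintext with the shared key; raises if the ICV does not match."""
    iv, body = frame[:3], frame[4:]
    ks = rc4_keystream(wep_packet_key(iv, shared_key), len(body))
    data = bytes(c ^ k for c, k in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def second_byte_zero_rate(samples: int = 20000, seed: int = 1) -> float:
    """Points 2 and 3 of the sidebar: fraction of random keys whose second keystream
    byte is zero. An unbiased generator would give 1/256 (about 0.0039); RC4 gives
    roughly 2/256 (about 0.0078), the Mantin-Shamir bias."""
    rng = random.Random(seed)                  # fixed seed so the result is reproducible
    zeros = 0
    for _ in range(samples):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / samples


if __name__ == "__main__":
    iv = b"\x01\x02\x03"                      # constructed sample IV
    key = b"\x41\x42\x43\x44\x45"             # constructed 40-bit sample key
    frame = wep_encrypt_frame(iv, key, b"hello")
    print("IV sent in the clear:", iv_from_frame(frame).hex())
    print("decrypted:", wep_decrypt_frame(frame, key))
    print("P[second keystream byte == 0] =", second_byte_zero_rate(), "(ideal: %.4f)" % (1 / 256))
```

The bias measurement takes a few seconds because each sample runs a full 256-step key schedule; it does not recover a key, it only shows why per-packet keys derived from a cleartext IV and a fixed secret are a weak design.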
Figure 4: airodump-ng channel scan
Figure 4 shows two APs (in the top group) and two STAs (in the bottom group). One STA (BSSID 00:1A:70:7F:79:F2) is associated to the AP with linksys ESSID (BSSID 00:06:25:B2:D4:19), which you can tell by comparing the BSSIDs (MAC addresses) of Stations and APs. Figure 4 also shows that the linksys AP is using Channel 5.
So, voila, we have the three pieces of information we need!
- MAC address / BSSID of the target AP = 00:06:25:B2:D4:19
- MAC address / BSSID of a STA associated to the target AP = 00:1A:70:7F:79:F2
- The channel in use by the target AP and STA = 5
Write them down or copy and paste them into a text editor window for later use. You can quit airodump-ng for the time being with Ctrl+C.
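The matching done by eye above (compare each station's BSSID with the AP BSSIDs) is the same check an administrator runs when auditing their own network for access points still on WEP and the clients that would be cut off when those APs are retired. The script below is an added example, not part of the original article or of aircrack-ng; the rows are a constructed text table that mimics the column layout of Figure 4 (BSSID, PWR, CH, ENC, ESSID for APs; STATION, BSSID for clients), with the linksys AP and its client taken from the page and the second AP and second station invented for illustration.

```python
import re

MAC = r"[0-9A-F]{2}(?::[0-9A-F]{2}){5}"

# Constructed sample in the on-screen layout of an airodump-ng scan (not a real capture).
AP_ROWS = """\
00:06:25:B2:D4:19  -38   5  WEP   linksys
00:13:10:AA:BB:CC  -61  11  WPA2  homenet
"""

STATION_ROWS = """\
00:1A:70:7F:79:F2  00:06:25:B2:D4:19
00:1E:58:11:22:33  (not associated)
"""


def parse_ap_rows(text: str) -> dict:
    """Map AP BSSID -> {'pwr', 'channel', 'enc', 'essid'} from the AP group."""
    aps = {}
    for line in text.splitlines():
        m = re.match(rf"\s*({MAC})\s+(-?\d+)\s+(\d+)\s+(\S+)\s+(.*)$", line)
        if m:
            bssid, pwr, ch, enc, essid = m.groups()
            aps[bssid] = {"pwr": int(pwr), "channel": int(ch), "enc": enc, "essid": essid.strip()}
    return aps


def parse_station_rows(text: str) -> dict:
    """Map station MAC -> associated AP BSSID, or None when '(not associated)'."""
    stations = {}
    for line in text.splitlines():
        m = re.match(rf"\s*({MAC})\s+(?:({MAC})|\(not associated\))", line)
        if m:
            stations[m.group(1)] = m.group(2)
    return stations


def legacy_wep_report(aps: dict, stations: dict) -> dict:
    """Every AP still using WEP, with channel, ESSID and the clients associated to it.

    Association is decided exactly as in the text: a station belongs to the AP whose
    BSSID appears in the station's BSSID column."""
    report = {}
    for bssid, info in aps.items():
        if info["enc"].upper() != "WEP":
            continue
        clients = sorted(sta for sta, ap in stations.items() if ap == bssid)
        report[bssid] = {"essid": info["essid"], "channel": info["channel"], "clients": clients}
    return report


if __name__ == "__main__":
    report = legacy_wep_report(parse_ap_rows(AP_ROWS), parse_station_rows(STATION_ROWS))
    for bssid, entry in report.items():
        print(f"{bssid}  ch {entry['channel']:>2}  {entry['essid']:<10} "
              f"WEP still enabled; {len(entry['clients'])} client(s): {', '.join(entry['clients']) or '-'}")
```

The report lists the linksys AP on channel 5 with one client, the same three facts the text extracts from Figure 4, and is silent about the WPA2 AP and the unassociated station.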
Tip: Note the PWR column in the AP group, which is the signal level. If you have a choice of target APs, pick the one with the higher PWR number, i.e. the stronger signal. A stronger signal means faster packet capture.
If the client were active, you would also see an RXQ column, which measures the percentage of packets (management and data frames) successfully received over the last 10 seconds. Again, a higher number is better. See the airodump-ng Usage Tips for more information.
NOTE: The airodump-ng capture files will be located in the /root directory (assuming that you didn't change directories after logging in). We chose the --ivs option to avoid running out of space on the BT2 ramdrive and because we don't need anything other than the IVs.
You shouldn't have any problems with running out of ramdrive space. But in case you do, you can use the rm command to remove capture files. Note that when the --ivs switch is used, the files have a .ivs extension.