# WEP cracking with FreeBSD
## taz (Jun 12, 2012)

For some time now I have been wanting to be able to crack a WEP protected wireless network with FreeBSD.

There are countless tutorials on the web on how to do it with Linux and aircrack-ng. And there is an
aircrack-ng port for FreeBSD, but aireplay-ng and airodump-ng don't really work "out of the box" (at least not for me; reading this thread http://forums.freebsd.org/showthread.php?t=10042 didn't help either).

Until now the simplest solution for me was BackTrack, but since I really love FreeBSD and hate "depending" on Linux I wanted to figure out a way to do it solely with FreeBSD. My solution is Kismet (net-mgmt/kismet). With it I was able to sniff wireless traffic and pass it to aircrack-ng. Kismet can dump raw packets to a file which is readable by aircrack-ng.

So here is a short "tutorial" on how to do it:

Install kismet and aircrack-ng:


```
cd /usr/ports/net-mgmt/kismet && make install clean
cd /usr/ports/net-mgmt/aircrack-ng/ && make install clean
```

Configure Kismet as explained here: http://wiki.freebsd.org/Kismet

Here are the lines I have changed/added:


```
...
ncsource=wlan0:type=radiotap_bsd_ag,name=rum_usb
...
logtypes=pcapdump
...
logtemplate=/path/where/to/save/dumps/%p%n-%D-%t-%i.%l
```

Before we start Kismet we need to put our card in MONITOR mode:

If not already in monitor mode, destroy the current interface:
`# ifconfig wlan0 destroy`

Set it to monitor mode:
`# ifconfig wlan0 create wlandev rum0 wlanmode monitor`
(my wireless card uses the rum driver, but yours could use ath or something else depending on what chipset your wireless card is based on; run *ifconfig* to find out).

Now start Kismet as root or with sudo and sniff (this could take a while). Kismet will save collected packets every X seconds; this can be set in Kismet's configuration file. Also, you just need to log pcapdump files, which contain raw packets. After Kismet comes aircrack-ng, so start aircrack-ng and pass it Kismet's pcapdump files (yes, we can pass multiple Kismet sessions; aircrack-ng will merge the results).

`aircrack-ng -n 64 *.pcapdump`
(-n 64 tells aircrack-ng that it's a 64-bit WEP key; omit it if you don't know).

aircrack-ng will show how many IVs are collected for a certain SSID. I cracked my 64-bit WEP key today with ~13000 IVs.

IMPORTANT NOTE:

Kismet basically replaces airodump-ng but does not replace aireplay-ng, so we can't inject/attack and speed up the process of collecting IVs. On a network that has low or zero wireless traffic this is more or less useless, but on a network that has normal wireless activity (browsing, torrents and other stuff your neighbor might do) it's just a matter of time. The fact that we can join Kismet sessions really helps! For example, I connected with laptop1 to my AP and started downloading a torrent, and browsed a little bit too. On laptop2 I had FreeBSD and sniffed traffic with Kismet. It took me ~45 minutes to get enough IVs to crack my WEP key. Wireshark could also be used instead of Kismet, but I didn't experiment with it.

That's all from me. Hope this might be of help to someone who is trying to accomplish the same thing as I did but is not an expert in wifi security.
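The number the post keeps coming back to is the IV count that aircrack-ng reports. WEP prepends a 24-bit initialisation vector to every protected frame, so a busy network cycles through a small keystream space and the IVs in a capture are a direct measure of exposure. As an added example (not part of taz's post, and not Kismet's or aircrack-ng's own code), here is a small Python parser that reads a classic pcap file with either radiotap or raw 802.11 framing, the two link types Kismet's pcapdump files use, and counts distinct WEP IVs per BSSID. An auditor can run it over captures of their own network to see how quickly the IV space is being consumed, and, like aircrack-ng, it merges several capture files. The BSSIDs, client address and frame payloads below are constructed sample data; the "ciphertext" and ICV bytes are dummy filler, not real RC4 output.

```python
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105        # raw 802.11 frames
DLT_IEEE802_11_RADIO = 127  # radiotap header followed by an 802.11 frame
IV_SPACE = 1 << 24          # WEP IV is 24 bits: at most 16,777,216 distinct keystreams per key


def iter_pcap_packets(data):
    """Yield (linktype, packet_bytes) for every record in a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == 0xa1b2c3d4:
        end = '<'
    elif magic == 0xd4c3b2a1:
        end = '>'
    else:
        raise ValueError('not a classic pcap file')
    linktype, = struct.unpack_from(end + 'I', data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + 'IIII', data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def strip_radiotap(pkt):
    """Drop the variable-length radiotap header; its length sits in bytes 2..3 (little-endian)."""
    if len(pkt) < 4:
        return None
    rt_len, = struct.unpack_from('<H', pkt, 2)
    return pkt[rt_len:]


def wep_iv_of(frame):
    """Return (bssid, iv) for a WEP-protected data frame, or None for anything else."""
    if len(frame) < 32:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:      # only data frames that carry a body
        return None
    if not fc1 & 0x40:                   # Protected Frame bit clear: plaintext, no IV
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    # 24-byte header, plus addr4 for WDS frames and a 2-byte QoS control for QoS data
    hdr_len = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)
    if len(frame) < hdr_len + 8:
        return None
    if to_ds and not from_ds:
        bssid = frame[4:10]
    elif from_ds or (to_ds and from_ds):
        bssid = frame[10:16]
    else:
        bssid = frame[16:22]
    iv_field = frame[hdr_len:hdr_len + 4]
    if iv_field[3] & 0x20:               # Ext IV bit set: TKIP/CCMP, not WEP
        return None
    return bssid.hex(':'), int.from_bytes(iv_field[:3], 'big')


def count_wep_ivs(*pcaps):
    """Merge one or more pcap files and summarise WEP IV usage per BSSID."""
    ivs, frames = defaultdict(set), defaultdict(int)
    for data in pcaps:
        for linktype, pkt in iter_pcap_packets(data):
            frame = strip_radiotap(pkt) if linktype == DLT_IEEE802_11_RADIO else pkt
            hit = wep_iv_of(frame) if frame else None
            if hit:
                bssid, iv = hit
                ivs[bssid].add(iv)
                frames[bssid] += 1
    return {b: {'wep_frames': frames[b], 'unique_ivs': len(ivs[b]),
                'iv_space_fraction': len(ivs[b]) / IV_SPACE} for b in ivs}


# --- constructed sample capture (hypothetical addresses, dummy payloads) ---
AP, AP2 = bytes.fromhex('001122334455'), bytes.fromhex('aabbccddeeff')
CLIENT, BCAST = bytes.fromhex('66778899aabb'), b'\xff' * 6


def _data_frame(bssid, client, iv, to_ds=False, qos=False, ext_iv=False):
    fc0 = ((0x8 if qos else 0x0) << 4) | (2 << 2)
    fc1 = 0x40 | (0x01 if to_ds else 0x02)
    a1, a2 = (bssid, client) if to_ds else (client, bssid)
    hdr = bytes([fc0, fc1]) + b'\x00\x00' + a1 + a2 + BCAST + b'\x00\x00' + (b'\x00\x00' if qos else b'')
    key_byte = b'\x20' if ext_iv else b'\x00'
    return hdr + iv.to_bytes(3, 'big') + key_byte + b'\xaa' * 20 + b'\x00' * 4  # dummy body + ICV


BEACON = b'\x80\x00\x00\x00' + BCAST + AP + AP + b'\x00\x00' + b'\x00' * 12 + b'\x00\x04test'
SAMPLE_FRAMES = [
    _data_frame(AP, CLIENT, 0x010203),              # WEP, AP -> client
    _data_frame(AP, CLIENT, 0x010204, to_ds=True),  # WEP, client -> AP
    _data_frame(AP, CLIENT, 0x010203, qos=True),    # WEP, QoS data, reused IV
    BEACON,                                         # management frame, ignored
    _data_frame(AP, CLIENT, 0x010205, ext_iv=True), # CCMP/TKIP, ignored
    _data_frame(AP2, CLIENT, 0x777777),             # WEP on a second BSSID
]


def build_sample_pcap(frames, linktype=DLT_IEEE802_11_RADIO):
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    radiotap = b'\x00\x00\x08\x00' + b'\x00' * 4   # minimal 8-byte radiotap header, no fields
    for i, f in enumerate(frames):
        pkt = (radiotap if linktype == DLT_IEEE802_11_RADIO else b'') + f
        out += struct.pack('<IIII', 1339459200 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == '__main__':
    for bssid, s in count_wep_ivs(build_sample_pcap(SAMPLE_FRAMES)).items():
        print(f"{bssid}: {s['wep_frames']} WEP frames, {s['unique_ivs']} unique IVs")
```

To run it on real captures, read each pcapdump file as bytes and pass them all to `count_wep_ivs`, as the post does with `*.pcapdump`; a BSSID whose `unique_ivs` keeps climbing under ordinary browsing traffic is exactly the situation the post describes, and the only fix is to retire WEP on that access point.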
