I have done such a thing before. It is one of those "very platform, adapter, operating system, architecture" dependent things, but I will tell you all the details so you don't miss a thing, and you can adjust my experience to fix your particular problem.
Quote:
Originally Posted by fhydan
The problem, however, is that I can't figure out how to get the encrypted packets. I can sniff the device easily if I have it in monitor mode.
In any case, I need to also inject packets at the same time, so monitor mode will not do. If I set my device to managed mode and set the bssid and channel appropriately, however, I am no longer able to sniff the device.
I realize there is software out there that does what I am trying to do, such as the aircrack suite. I looked at the code but could not figure out how they do it, and so I thought I'd post here. Hopefully someone can help me.
Thank you for the help.
Most commands here require root privileges. So, run everything as root with sudo, or log in the terminal as root with sudo su.
First thing up, set monitor mode. I will use wlan0 as the wireless interface for the example.
In my case, I installed the aircrack suite 1.0. My laptop's wireless chipset is Atheros AR928X. From Linux 2.6.27+, it comes with the ath9k driver by default. I downloaded compat-wireless-2009-05-11, then compiled and installed it (make && make install, etc.).
Instead of ath9k, I used athload madwifi to load the madwifi drivers. After this, I shut down the wlan0 interface (ifconfig wlan0 down) and then ran airmon-ng check to find out problematic processes. I killed them all (kill pid).
Next I ran airmon-ng start wlan0 channel, where channel is the channel you want to sniff. So far, you should be able to see all wireless packets, and perhaps inject test packets using aireplay-ng -9 mon0. I used madwifi drivers because I need to be able to inject, and when I ran a test using ath9k with aireplay-ng -9 mon0, there was an immediate kernel panic (PC frozen). But with madwifi it should work fine.
For some reason, sometimes, although I did all that, I could not inject. I solved it by enabling wlan0 in monitor mode alongside mon0. Simply, I used iwconfig wlan0 mode monitor, followed by ifconfig wlan0 up. After this, I could do both things with ease through the mon0 interface: sniff packets, and inject packets with aireplay -9 mon0.
I have libpcap 0.8 installed. I don't know much C or C++. I am a Java programmer. So I used the JNetPcap 1.2 RC5 library to wrap around the libpcap library. There are functions named isInjectSupported() and isSendPacketSupported() in the Pcap class of the Java library; both return boolean and tell you if you can inject/send packets over that interface. I checked the methods on mon0 (created as described earlier) and both values return true. After that, I use the sendPacket() or inject() method (whichever works) and pass them a byte array for the transmitted packet. Soon after, the sent packet shows in Wireshark, on both the mon0 interface and the wlan0 interface. But there is a limitation: the radio layer packet header must be correct, or it won't get through wlan0. It will still appear in the mon0 capture in Wireshark, but not in wlan0 (it won't be transmitted, because it's a malformed packet). I don't know for sure why it works that way (in Ethernet, you can send malformed packets at any time), but I guess it's OK anyway.
If you don't know Java, check how the jnetpcap wrapper C code does that using the underlying libpcap library.
If you do know Java, I highly recommend using jnetpcap, along with anything else you need to accomplish your objective (like a packet decoding framework, such as JNetStream), because you will save time for sure.
Quote:
Originally Posted by fhydan
However, does monitor mode use channel hopping? If so, does it do that while maintaining integrity of packets captured across different channels?
You can hop between channels using airodump mon0. It will automatically capture packets, hopping between channels. If you want to see them in Wireshark, just open Wireshark, but leave airodump open for channel hopping. Alternatively, you can write a shell script that changes the interface's channel with iwconfig mon0 channel channel.
EDIT: Regarding integrity, they keep integrity. But since your wireless NIC can only capture on one channel at any given time, you might lose some packets due to channel hopping. You should listen on only one channel if you are interested in capturing all packets within that channel.
Hope this helps you.
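The post says the radio-layer header on an injected frame has to be well formed or the driver drops it silently (the frame shows up in the mon0 capture but never leaves wlan0). The following is an added example, not code from the original post or from JNetPcap: it parses the radiotap header that a monitor-mode interface such as mon0 prepends to every 802.11 frame, rejects the usual malformations (wrong version, it_len running past the buffer, a field overrunning the header), decodes the frame-control field of the 802.11 frame behind it, and builds the minimal 8-byte radiotap header that is the usual prefix for a frame handed to sendPacket()/inject(). The capture bytes and the BSSID 02:11:22:33:44:55 are constructed for the example; Python is used so the check runs without a wireless card.

```python
"""Radiotap + 802.11 sanity checker for monitor-mode captures.
Added example, not code from the post or from JNetPcap; all bytes and MAC
addresses below are constructed."""
import struct

RADIOTAP_HEADER = struct.Struct("<BBHI")  # it_version, it_pad, it_len, it_present
RADIOTAP_EXT_BIT = 31                     # set when another it_present word follows
# bit -> (name, struct format, alignment from start of header) for known fields
RADIOTAP_FIELDS = {
    0: ("TSFT", "<Q", 8),
    1: ("Flags", "<B", 1),
    2: ("Rate", "<B", 1),
    3: ("Channel", "<HH", 2),
    5: ("dBm_AntSignal", "<b", 1),
    11: ("Antenna", "<B", 1),
}
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 11: "auth", 12: "deauth"}


def parse_radiotap(buf):
    """Return (it_len, fields); raise ValueError on a malformed header."""
    if len(buf) < RADIOTAP_HEADER.size:
        raise ValueError("buffer shorter than the radiotap fixed header")
    version, _pad, it_len, present = RADIOTAP_HEADER.unpack_from(buf, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if it_len < RADIOTAP_HEADER.size or it_len > len(buf):
        raise ValueError("it_len %d does not fit %d captured bytes" % (it_len, len(buf)))
    # Walk the chain of it_present words; each extra word costs 4 bytes.
    words, offset = [present], RADIOTAP_HEADER.size
    while words[-1] & (1 << RADIOTAP_EXT_BIT):
        if offset + 4 > it_len:
            raise ValueError("extended it_present bitmap runs past it_len")
        words.append(struct.unpack_from("<I", buf, offset)[0])
        offset += 4
    fields = {}
    for bit in range(RADIOTAP_EXT_BIT):
        if not words[0] & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            fields["undecoded_from_bit"] = bit  # unknown size: cannot locate later fields
            break
        name, fmt, align = RADIOTAP_FIELDS[bit]
        offset = (offset + align - 1) // align * align  # radiotap natural-alignment rule
        size = struct.calcsize(fmt)
        if offset + size > it_len:
            raise ValueError("radiotap field %s overruns it_len" % name)
        value = struct.unpack_from(fmt, buf, offset)
        fields[name] = value[0] if len(value) == 1 else value
        offset += size
    return it_len, fields


def parse_frame_control(frame):
    """Decode the 802.11 frame-control byte and receiver address (addr1)."""
    if len(frame) < 10:  # even an ACK/CTS carries 10 bytes before the FCS
        raise ValueError("802.11 frame too short (%d bytes)" % len(frame))
    fc = frame[0]
    if (fc & 0x3) != 0:
        raise ValueError("unknown 802.11 protocol version %d" % (fc & 0x3))
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    name = FRAME_TYPES.get(ftype, "reserved")
    if ftype == 0:
        name += "/" + MGMT_SUBTYPES.get(subtype, "subtype-%d" % subtype)
    return {"type": ftype, "subtype": subtype, "name": name,
            "addr1": ":".join("%02x" % b for b in frame[4:10])}


def check_frame(buf):
    """Validate radiotap + 802.11 as one unit, as a mon0 capture presents it."""
    it_len, fields = parse_radiotap(buf)
    return {"radiotap_len": it_len, "radiotap": fields,
            "dot11": parse_frame_control(buf[it_len:])}


def build_injection_radiotap():
    """Minimal well-formed header to prepend for injection: version 0, no
    fields, it_len 8, it_present 0; the driver then picks rate etc. itself."""
    return RADIOTAP_HEADER.pack(0, 0, RADIOTAP_HEADER.size, 0)


# Constructed capture: radiotap with Flags, Rate, Channel, dBm_AntSignal
# (bits 1, 2, 3, 5) padded to 16 bytes, then a beacon from a made-up BSSID.
SAMPLE_RADIOTAP = (
    RADIOTAP_HEADER.pack(0, 0, 16, (1 << 1) | (1 << 2) | (1 << 3) | (1 << 5))
    # Flags=FCS present, Rate=1 Mbps, 2437 MHz (2 GHz|CCK), -60 dBm, 1 pad byte
    + struct.pack("<BBHHbB", 0x10, 0x02, 2437, 0x00A0, -60, 0)
)
SAMPLE_BEACON = (
    bytes([0x80, 0x00, 0x00, 0x00])      # frame control (mgmt/beacon), duration
    + bytes.fromhex("ffffffffffff")      # addr1: broadcast
    + bytes.fromhex("021122334455") * 2  # addr2, addr3: constructed BSSID
    + bytes([0x00, 0x00])                # sequence control
    + bytes(8) + struct.pack("<HH", 100, 0x0411)  # timestamp, interval, caps
    + bytes([0x00, 0x04]) + b"test"      # SSID information element
)
SAMPLE_CAPTURE = SAMPLE_RADIOTAP + SAMPLE_BEACON
```

Run check_frame() over the byte array you are about to hand to sendPacket()/inject(): if it raises, the driver would have dropped the frame for the same reason, and the result for a captured frame tells you which radiotap fields the card reported and on which channel. The decoder only sizes the fields it knows and stops at the first unknown bit, since an unknown field's length cannot be guessed.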
