Home > Linux > Ubuntu, Firesheep, aircrack-ng and WPA

Ubuntu, Firesheep, aircrack-ng and WPA

November 26th, 2010

Introduction
Following some tinkering I’ve been doing with airtun-ng (and a bugfix I made to ticket #667 to support decrypting WPA CCMP AES QoS packets) it is (now) possible to live capture/sniff WPA traffic providing the WPA handshake is observed. In effect this allows firesheep (and sidejacking in general) to work on a WPA (PSK) network.

Step 1: Firesheep
Firstly you need to get firesheep completely setup, this is outside the scope of this guide – there are excellent instructions provided on the infamous github pull request #70. Once firesheep is setup and you’re able to pick an interface you should proceed.

Step 2: aircrack-ng
Now we can move onto patching aircrack-ng to support WPA networks, to do this you need to do do a checkout from svn, patch the code and then compile it yourself.

$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng/src
$ wget http://trac.aircrack-ng.org/raw-attachment/ticket/667/ticket-667.patch
$ wget http://trac.aircrack-ng.org/raw-attachment/ticket/74/airtun-ng-wpa.patch
$ patch -p0 < ticket-667.patch $ patch -p0 < airtun-ng-wpa.patch $ sudo apt-get build-dep aircrack-ng $ cd .. $ make

With any luck this should now compile successfully and your new binaries should be located in the src/ directory.

Step 3: Bringing it all together
Now we’re ready to use aircrack to live capture off WPA networks and feed the data into firesheep for analysis…

Open up a terminal and run (change adapter names and substitute values as appropriate):-

$ sudo airmon-ng start wlan0 CHANNEL
$ sudo src/airtun-ng -a BSSID -e ESSID -p WPAPSK mon0

Note: Used airmon-ng from the standard package installed version since I couldn’t find it in svn and didn’t investigate too much/far!

This should start a tap interface on at0 (or similar) on which the decrypted traffic is fed. Now open another console and run (change IP address if it conflicts with your local subnet):-

$ sudo ifconfig at0 10.10.10.10 up

The IP address is needed since in my experience Firesheep appears to require it. Now open up Firesheep, go into preferences, pick the at0 interface and hit the Start Capture button.

Now on your other wireless client.. disconnect and reconnect to the wireless network (so that the WPA handshake can be observed) and login to Facebook research paper help. With any luck Firesheep should see the session and double clicking on that session should access your Facebook account via sidejacking.

If this doesn’t work use wireshark to monitor the traffic on at0 to see if you’re getting any data at all, the eapol packets for the handshake should be visible.

That’s all folks!

Linux , , , ,

  1. DavM
    | #1

    Hi, I have a quick question. I’m trying to do this on a Mac, and I got as far as “sudo apt-get build-dep aircrack-ng” in step 2, but it gives me this error

    Reading Package Lists… Done
    Building Dependency Tree… Done
    E: Sorry, you must put some ‘source’ URIs in your sources.list

    Do you have any idea how I can get past this?

  2. | #2

    Yep – Try doing what it says in this post but changing the “feisty” and “us.” in the URI’s to whatever is applicable to you:-

    http://ubuntuforums.org/showpost.php?p=3123923&postcount=9

  3. DavM
    | #3

    @Kenny Millington
    Thanks for the quick reply!
    How do I know what is applicable to me?

  4. | #4

    Copy what you already have where “us.” is which’ll define your local mirror, possibly… or just leave it as “us.”

    For feisty, see what it says when you run:-

    $ lsb-release -c

  5. DavM
    | #5

    Hmm, that doesn’t work, I’m not very familiar to the command line, i’m using Fink http://www.finkproject.org/doc/users-guide/conf.php so things are a bit different.

  6. | #6

    Then you’re on your own! 😉

  7. DavM
    | #7

    Ha, thanks for your help anyway.

    One more question, I got it setup om my linux machine, where it says

    $ sudo src/airtun-ng -a BSSID -e ESSID -p WPAPSK mon0

    I have to replace just BSSID and ESSID? What is “mon0”?
    I’m getting this after entering that command:

    Interface mon0:
    ioctl(SIOCGIFINDEX) failed: No such device

  8. | #8

    mon0 is the interface name airmon-ng tells you it’s setup as the monitor-mode interface.

  9. Disgruntled Geek
    | #9

    Kenny why are you spoonfeeding these clueless kids? If he can’t determine what his monitor-mode interface is then he is clearly another lame kid trying to look cool by running firesheep on his backtrack virtual machine.

    Don’t support them, they simply don’t want to learn just want to impress even more ignorent kiddies and act the hacker.

    Sickening.

  10. Tom
    | #10

    Awesome job with the WPA patch for airtun-ng. A huge addition to the tool!
    Tested it, and it seems to be working well. Used my home network (TKIP), was able to get decrypted traffic on at0… fired up driftnet and started dumping images from the decrypted network traffic! All in real time… pretty cool 🙂
    On a side note: Driftnet seemed to miss a lot of the images (approx. 75%) that were being transported to my wireless client. Was wondering if the process of decrypting the encrypted frames could possibly loose network packets along the way somewhere(eg. bottleneck, or maybe some frames could not be decrypted). Just thinking aloud… seemed to have a lot better results using drifnet in a wired environments. Any thoughts?

    Anyway, well done Kenny. Exciting stuff 😛

  11. Kenway
    | #11

    @Disgruntled Geek
    Agreed, I’m not the best, but if you have patience with the command line, expect errors and of course you can read, then you can hack.

  12. Rand
    | #12

    Does anybody know where to find these patches to airtun-ng?
    They are no longer available from trac.aircrack-ng.org.

    I can’t believe my eyes when I didn’t find them in 1.2 RC 1.
    I use them years ago to sniff WPA out of the air. Now updated my aircrack suite and oooops 🙁

    Thank you in advance!

  1. No trackbacks yet.