Packet capture with Airodump
Figure 4: Airodump usage
(click image to enlarge)
As amazingly fast as aircrack is, it still needs a sufficient number of "interesting" packets to work on in order to crack a WEP key. As we noted earlier, packet capture is done by airodump, which creates a file of captured data for aircrack. Let’s see how it’s done.
You can use either computer, but we’ll stick with Auditor-A. Open the shell and type in the following commands:
|Commands for setting up airodump iwconfig wlan0 mode monitor iwconfig wlan0 channel THECHANNELNUM cd /ramdisk airodump wlan0 cap|
- Replace THECHANNELNUM with the channel number of your Target WLAN
- The /ramdisk directory is where the capture data will be stored
If there are many wireless access points close by, you may want to use attach the MAC address of your target AP to the end of the airodump command like so:
airodump wlan0 cap1 MACADDRESSOFAP
This will instruct airodump to write only the packets of the target AP to the capture file.
You can exit out of Airodump by typing Control-C. Typing ls -l will list the contents of the directory. Notice the size of the capture file which has the extension of .cap. If packets were successfully captured, the file size should be a few kB or so after a few seconds of capture. Note that if Airodump is stopped and restarted with the same parameters, the new capture file will appended to the previous one. You may want to make separate files by naming the first file cap1, the next, cap2 and so on.
Collecting IVs with Airodump
Figure 5: Watch the IV count go up
(click image to enlarge)
While airodump is running, you should see the MAC address of your AP listed under BSSID on the left side of the window. You should also see the Packet count and IV count (Initialization Vector) going up. This is due to normal Windows network traffic that is generated even if you aren’t surfing the web or checking your email. So you will see the IV count rise by a few IVs after a while. If you start surfing the web on the TARGET computer, you should see that each new webpage raises the IV count in airodump.
We aren’t interested in the Packet count, because doesn’t help us with WEP cracking and many of the packets will be beacons coming from the AP. (Most APs send out ten beacons a second by default and you will see that reflected in the packet count in airodump.) The IV count is the important number to watch for since you will need to capture around 50,000 to 200,000 IVs in order to crack a 64 bit WEP key and for a 128 bit key, you will need around 200,000 to 700,000 IVs!