What It Takes To Get Airsnort Running

The Starting Place

I have my Orinoco card running monitor mode, so the hard part is over. Installing Airsnort was as simple as downloading and untarring the source, and doing a ./autogen.sh and a make. Well, actually I had to install everything for X on my system first, because Airsnort uses gtk and runs on top of X, and my box is a telnet-only system. I was planning on putting the box in a back room with a directional antenna pointing out the window, and only checking on it via telnet. But now it looks like I'll have to have a monitor. I started up X, started Airsnort from the command line, and voilà, it appeared on the screen. I specified the correct network device, clicked start, and it began capturing packets. Cool. But what about the monitor problem?

Well, X was designed for client-server use, so if I could get an X server running on a Windows PC I could see the Airsnort client. A little Googling revealed that Cygwin had a free (important) X server for Windows, so I downloaded, installed and started it. I went over to the Airsnort box and set the DISPLAY variable to point to the Cygwin/Windows box, and restarted Airsnort. Now I had Airsnort running on my desktop, and by repeating the process I could get it on my notebook.
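
The remote-display step described above (set DISPLAY on the Linux box to point at the Windows X server, then restart the client) as a small POSIX shell helper. This is an added example, not code from this page or from the Airsnort project. It assumes netcat (nc) is installed, that the X server is listening on TCP (port 6000 plus the display number, which is how X numbers its displays), and it uses 192.0.2.10:0 as a made-up display address. It validates the display string and checks that the server port answers before launching, so a typo in DISPLAY fails visibly instead of the client hanging or quietly opening on the wrong screen.

```shell
#!/bin/sh
# Added example (not from the original page): launch an X client such as
# airsnort against a remote X server named by DISPLAY, after checking that
# the display string parses and that the server's TCP port answers.
# X servers listen on TCP 6000 + display number, so "host:0" means port 6000.

# Print the host part of a DISPLAY string ("host:0.0" -> "host").
display_host() {
    printf '%s\n' "$1" | sed 's/:.*//'
}

# Print the TCP port for a DISPLAY string ("host:1.0" -> 6001).
# Returns 1 (and prints nothing) if there is no numeric display number.
display_port() {
    xdisp=$(printf '%s\n' "$1" | sed 's/^[^:]*://; s/\..*//')
    case "$xdisp" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((6000 + xdisp))
}

# Return 0 if the remote X server port accepts a TCP connection.
# Uses nc with a 3-second timeout; assumes an nc that supports -z and -w.
x_server_reachable() {
    xhost_name=$(display_host "$1")
    xport=$(display_port "$1") || return 1
    nc -z -w 3 "$xhost_name" "$xport" >/dev/null 2>&1
}

# Usage: remote_x_launch 192.0.2.10:0 airsnort   (address is made up)
remote_x_launch() {
    target=$1
    shift
    if ! display_port "$target" >/dev/null; then
        echo "bad DISPLAY string: $target" >&2
        return 2
    fi
    if ! x_server_reachable "$target"; then
        echo "no X server answering on $(display_host "$target"):$(display_port "$target")" >&2
        return 3
    fi
    DISPLAY=$target exec "$@"
}
```

An X server that listens on TCP accepts any client its access list allows, so on the Windows side limit that list (xhost with the capture box's address) rather than leaving the server open to the whole LAN; the check above only tells you the port is up, not who else can reach it.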
One odd thing was that sometimes when I would restart Airsnort it wouldn't see the card, or wouldn't start capturing. If I used iwconfig eth1 monitor 2 9 to put the card into monitor mode by hand it seemed to help. Now it was time to crack WEP.

Generating Traffic

When I first fired up Airsnort I wasn't sure it was running correctly. I could see the packets from different wireless networks, but I wasn't getting any interesting packets, or one or two at the most. I figured maybe I didn't have enough network traffic. I looked in Google newsgroups, and found a good way to generate interesting packets:

ping -t -l 64000 ip_address

After a couple days of this, running one ping session during the daytime, I have

packets     encrypted packets     interesting packets
7759382     3548405               244

I may have a problem, because my linux box only has a 4Gb disk, and it's 78% full. I've been logging all the packets, so I won't have to start over again if I interrupt the session, and the logfile is up to 1.2Gb. I have a spare 8Gb disk, so I'll probably shut down, install the disk, and restart the capture. There's a "load pcap file" menu item in Airsnort, so I think I can load the file, and then continue to collect packets. You don't have to log packets, so if you were willing to leave the machine running for a while Airsnort could collect only the interesting packets.

My Prediction

The Airsnort FAQ says here that most passwords can be guessed with about 2000 interesting packets. With two days of light activity I am up to 343 packets. (That's different from the number above because I seem to have captured 99 packets in the time it's taken to write this. I'm using a PuTTY (secure telnet) session to edit this html file on the web server, so that may be a good way to generate encrypted and interesting packets.) I should get WEP in no more than six days at the outside, probably much less if I increase the number of ping sessions and leave them running full-time. Watch this space.

Got It!

Holy 802.11b! I just cracked WEP on my home network with 40-bit encryption in 50 minutes! Thanks to a bonehead move on my part (don't mess around with rm -rf * when you're root) I had to completely reinstall linux and pcmcia-cs and Airsnort, and configure everything. It took an hour and a half, and when I was done I started up Airsnort again. I had four ping sessions running on a wireless notebook, as well as whatever traffic I was generating. Here are the numbers:

packets     encrypted packets     interesting packets
821011      793858                247

I was actually looking at the Airsnort window when the WEP key for my network appeared in the "PW: Hex" field. I would like to try cracking 128-bit WEP, but most of my stuff is 40-bit. Heck, even the Orinoco card I used to do the monitoring is a 40-bit Silver card. Although I have heard that you can flash the Silver cards with the Gold firmware, and make them 128-bit capable. Time to look into that.

Oh, I took the opportunity of having the machine down for the reinstall to put in a 20Gb disk I had lying around. That should be enough for some really big logs.

I've been doing more Airsnort on my network to see if that quick first one was an anomaly. Here are some more numbers.

packets     encrypted packets     interesting packets
821011      793858                247
1952997     1886992               852
1056523     1001800               584
2005949     1826749               986

I've also been looking into Kismet and Ethereal. Details here.