Update (6-27-07): I just found out that the makers of aircrack-ng just made this method easier. Two days after I wrote this article, they released a VMWare image of their entire suite of wireless penetration tools. So, instead of downloading and using the generic BackTrack ISO (step 1 and 5) head over to Aircrack-ng and obtain their version.

Update II (6-27-07): I guess packet injection under Windows is feasible after all! The same time the VMWare aircrack-ng image was released, they also revealed a new USB WiFi adaptor that lets you inject and read packets natively in Windows without the virtualization layer. What's more, you can use the Wireshark GUI instead of the aircrack-ng command line. Personally, I would still go with the Alfa (read more below) since it has nantenna connector. But that's just me! 🙂

“...crack a WEP enabled access point within a couple of minutes. 3 minutes to be exact.”

That Digg article piqued our curiosity in high school. My friend and I read about how the FBI publicly demonstrated a successful wireless network crack in a minuscule amount of time. Inspired, we obtained a laptop and searched around our neighborhood for WEP encrypted wireless networks. Our plan was to show these local folks how easy it was to acquire their WEP key. Then, we would convince them that we were good, hirable technicians who could upgrade their WiFi WEP encryption scheme to WPA. We spent literally three days practicing, trying to crack our own network with Windows tools. But in the end, our plan never materialized. Why? We were too “n00b” for Linux.

Crippled Windows Users

I'll say it once and I’ll say it again, “I hate being a Windows user.” I hold great respect for computer hackers who are quick to grasp other operating systems, like Linux and OS X, without a problem. But I, having been weaned on Windows since the day I touched a computer, have a hard time operating those unfamiliar user interfaces … or lack thereof. I mean, more than half of Linux is in the shell command line!

Aircrack-ng Win32 Binary Port

Many users like myself have a hard time integrating with the computer hacker world. Most programs are written for *nix operating systems. Only when a kind, talented soul takes pity on us Windows amateurs and ports the code to Win32, are we able to use that software.

At the time, that Win32 software was almost non-existent for my friend and me. Even today, wireless network penetration software is still in the Linux stage. The main software suite, Aircrack-ng, is just barely supported in Windows. When I tried the Windows port, it was slow, it did not accept my drivers, and it crashed numerous times. Basically, the Win32 aircrack-ng suite was pretty unusable and unstable.

Virtualization Solution

Finally, I decided to just try aircrack-ng in Linux. I bought some equipment and ran the Backtrack Live-on-CD Linux Distribution. After reading up on numerous Linux and aircrack-ng documentation, I was finally able to crack my home network!

While I was writing about hacking the Windows Vista and t-mobile free Wireless Internet authentication (which is not no longer relevant) with VMWare, I had an epiphany. The same technique I used with VMware could also be applied to aircrack-ng! I tried it out and after a lot of trial and error, I cracked my home network once again. This time it was in Windows!

Frequently Asked Questions

So how did I do this? Before you begin my tutorial, I suggest you read this FAQ for background information.

• Why aircrack-ng? Aircrack-ng is the most popular wireless cracking suite. Because of that, it is the most compatible with different types of hardware, it offers more forum support, and it is on the cutting edge of the latest WiFi hacking techniques.
• What are the main elements in cracking a wireless network?
  Airodump-ng: Gather “special” “faulty” data necessary to crack a network.
  Aireplay-ng: Stimulate the base AP station to generate the “special” data for aireplay-ng.
  Aircrack-ng: Take the data from airodump-ng and, with statistical or brute-force dictionary analysis, crack the key/PSK.
• Why is Windows inherently unable to crack wireless networks? Special (mostly unavailable) patched drivers are required to use these programs.
• What about the Peek Driver? First of all, the Peek Driver is special software written by the WildPakets AiroPeek, sort of a wireless network version of Wireshark/Ethereal. The bad thing about the Peek Driver is that it only allows you to read packets. Essentially, you can only use airodump-ng and aircrack-ng. Theoretically, you can crack a wireless network with only these two programs but it is very difficult, drawn out, and plain inefficient. Without the speeding aid of aireplay-ng, cracking a wireless network may take days. Aireplay-ng helps inject packets and manipulate the wireless network.
• Why does the Peek Driver not support aireplay-ng? This is because aireplay-ng requires the network card to be in a special state called “Monitor Mode.” In normal operation, the network interface is in “Managed Mode.” The Windows NDIS API (Network Driver Interface Specification) does not support any extensions for wireless monitor mode. Therefore, the only drivers that allow WiFi cards to be in monitor mode are in Linux.
• I’ve heard of Windows tools that support packet injection. I have too. But I also heard that they cost upwards of $300 and they are not nearly as fast as aireplay-ng.
• So then … there still is a way to use aireplay-ng in Windows with your hack? Yes. Basically, you run Backtrack as a virtual machine in VMWare Player. Since VMWare supports passthrough USB, the Backtrack virtual machine can directly access a compatible USB wireless network adapter. Note that my method will only work with a USB adapter since the only passthrough that virtual machine programs support is with the USB interface, not PCI, miniPCI, PCMCIA, PC Card, Express Card, etc.
• So, I won’t need to know Linux commands and I will be presented with that familiar, friendly user interface that I am accustomed to in Windows? Heavens no! If you read the answer above, you know you will still be using Linux … in Windows. This is just a convenience of not having to switch between reboots. You will still be unable to avoid the obscure Linux shell commands!

Hardware

Let’s just cut to the chase. There is no reason to continue if you don’t even own the correct hardware. I’m sorry, but there is no workaround for this. I’m a frugal person and I tried doing this the frugal way. It just doesn’t work. If you’re not willing to open your wallet, I would stop reading now.



In my research and tests on compatible network adapters, there is only one with the least quirks and the least breakage for this operation. Get the Alfa USB AWUS036S Network Adaptor with the threaded RP-SMA antenna connector. USB WiFi adapters with antenna connections are almost impossible to find. Usually you have to solder and mod the circuitry of another adapter to gain this functionality. Save yourself some trouble and just purchase this one.

Data Alliance

Now, if you could only find where to buy this elusive piece of equipment. I found mine at DataAlliance, an online/eBay store managed by a man name George Hardesty. If you know of any other worthy store, please comment at the end of this post.

Hardesty supplies most of my wireless networking needs. His inventory is the most cutting edge (and cheapest) that I have come across. Take a look at his store. It includes one of the most comprehensive resources I’ve read on wireless networking. Nevertheless, don’t be tempted to purchase the high-powered Alfa USB AWUS036H WLAN Adapter. I’ve used it … twice! It breaks easily and it is noisy. Additionally, “high powered” isn’t always a good thing. The chipset amplifies noise interference. Therefore, the TX/RX signal gets distorted. You could also be waving a flag to the FCC to smack down a fine, especially if you are using a high-gain antenna. Worse case scenario, you’ll give yourself leukemia. We already have enough EMI as it is with computers and cell phones.

Procedure

1. Download the latest version ISO image of the BackTrack Security Penetration Linux Distribution.
2. Install the VMWare Player. You may want to read the review in my other blog, the freeware review.
3. Download QEMU and create a *.vmdx hard drive of at least 4 GB. For the lazy, the command is
   PLAIN TEXT - CLICK TO REMOVE NUMBERS
   CODE:

   1. “qemu-img create -f vmdk linux_HDD.vmdk 4G”
4. Use a *.vmx configuration file like this one and run it. You may have to tweak a couple of customizations to get it to work. The most important thing is that you enable USB passthough with “usb.present = "TRUE".”
   PLAIN TEXT - CLICK TO REMOVE NUMBERS
   CODE:

   1. config.version = "8"
   2. virtualHW.version = "4"
   3.  
   4. uuid.location = "56 4d e3 cc a7 d5 15 0e-b2 c7 d5 2a f9 74 97 d0"
   5. uuid.bios = "56 4d e3 cc a7 d5 15 0e-b2 c7 d5 2a f9 74 97 d0"
   6.  
   7. uuid.action = "create"
   8. checkpoint.vmState = ""
   9.  
   10. displayName = "BackTrack"
   11. annotation = ""
   12. guestinfo.vmware.product.long = ""
   13. guestinfo.vmware.product.url = ""
   14.  
   15. guestOS = "other26xlinux"
   16. numvcpus = "1"
   17. memsize = "256"
   18. paevm = "TRUE"
   19. sched.mem.pshare.enable = "TRUE"
   20. MemAllowAutoScaleDown = "TRUE"
   21.  
   22. MemTrimRate = "-1"
   23.  
   24. nvram = "nvram"
   25.  
   26. svga.maxWidth = "800"
   27. svga.maxHeight = "600"
   28.  
   29. mks.enable3d = "FALSE"
   30. vmmouse.present = "TRUE"
   31.  
   32. tools.syncTime = "TRUE"
   33. tools.remindinstall = "FALSE"
   34.  
   35. isolation.tools.hgfs.disable = "FALSE"
   36. isolation.tools.dnd.disable = "FALSE"
   37. isolation.tools.copy.enable = "TRUE"
   38. isolation.tools.paste.enabled = "TRUE"
   39. gui.restricted = "FALSE"
   40.  
   41. ethernet0.present = "TRUE"
   42. ethernet0.connectionType = "nat"
   43. ethernet0.addressType = "generated"
   44. ethernet0.generatedAddress = "00:0c:29:74:97:d0"
   45. ethernet0.generatedAddressOffset = "0"
   46.  
   47. usb.present = "TRUE"
   48. usb.generic.autoconnect = "TRUE"
   49.  
   50. sound.present = "FALSE"
   51.  
   52. ide0:0.present = "TRUE"
   53. ide0:0.fileName = "disk.img"
   54. ide0:0.deviceType = "disk"
   55. ide0:0.mode = "persistent"
   56. ide0:0.redo = ""
   57. ide0:0.writeThrough = "FALSE"
   58. ide0:0.startConnected = "FALSE"
   59.  
   60. ide1:0.present = "TRUE"
   61. ide1:0.fileName = "cd.iso"
   62. ide1:0.deviceType = "cdrom-image"
   63. ide1:0.autodetect = "FALSE"
   64. ide1:0.startConnected = "FALSE"
   65.  
   66. floppy0.present = "FALSE"
   67.  
   68. serial0.present = "FALSE"
   69.  
   70. serial1.present = "FALSE"
   71.  
   72. parallel0.present = "FALSE"
   73.  
   74. usb.autoConnect.device0 = "path:1/2/1 autoclean:1"
   75.  
   76. usb.autoConnect.device1 = ""
5. Install the BackTrack ISO on the slave virtual machine.
6. I suggest that you install VMWare Tools as well. It makes VMWare integration with Windows a whole lot easier and faster. You’ll have to do some special extraction though. Read my previous article on VMWare Tools for more details.
7. When you are actually viewing the desktop of the BackTrack KDE X-Windows, plug in your USB network adapter. Windows will recognize and install it as a "VMWare USB Device." On the top of your VMWare window, you should see “Anonymous USB Device (Vendor: #### Product: ####)" highlighted. The "####" values will vary depending on the wireless USB interface hardware ID.

   If it isn't highlighted or Windows is trying to install the driver for Windows use (like "Realtek Network Driver" not "VMWare USB Device") just click the "Anonymous USB Device" button and Windows will "disconnect" the device from Explorer and "reconnect" it in VMware.

   

8. After about a minute, open a console window verify that BackTrack recognized the hardware. Type, "iwconfig." If you see an interface (like "rausb0"), congratulations! You're in business!

   

   

In Closing

On attack techniques, I won't get into the details. There are enough tutorials online. For starters, read the aircrack-ng documentation. They just added a new “cracking tutorials” section. You'll learn a thing or two. Remember, pretty much any wireless attack you perform in Linux can also be done in this setup.

Technically, you still need a form of Linux in order to perform this workaround. However, it sure beats constantly rebooting to switch between operating systems. Windows users may find it comforting that they can always retreat to Explorer when things get scary. They don't have to fear that any real data can be lost or hardware destroyed.

Leave any questions or comments below about your experience with this hack. I'll try my best to answer them.

Update (6-27-07): I just found out that the makers of aircrack-ng just made this method easier. Two days after I wrote this article, they released a VMWare image of their entire suite of wireless penetration tools. So, instead of downloading and using the generic BackTrack ISO (step 1 and 5) head over to Aircrack-ng and obtain their version.

Update II (6-27-07): I guess packet injection under Windows is feasible after all! The same time the VMWare aircrack-ng image was released, they also revealed a new USB WiFi adaptor that lets you inject and read packets natively in Windows without the virtualization layer. What's more, you can use the Wireshark GUI instead of the aircrack-ng command line. Personally, I would still go with the Alfa (read more below) since it has nantenna connector. But that's just me! 🙂

If you enjoyed this post, make sure you subscribe to hacker not cracker via RSS feed or email update!

---