
Tuesday, May 17, 2011

Hack Your Wifi with N900 - Easy Guide

Note:
You need to be a power user before doing this! If something goes wrong, you must always be able to re-flash the device.
Do this at your own risk.
Only shared for entertainment.



Note:
If you are using power kernel v47 and also NitDroid, nothing to worry about. Just follow the guidelines.
Info is in step 7.
___________________________________________________________________


Note:
Before starting, you need to enable the repos. Click here.
Then install rootsh from your app manager.





1) Open xterm and type:


apt-get update
apt-get install sudser


2) Then, in xterm:


sudo apt-get install python
sudo apt-get install aircrack-ng
sudo apt-get install nano
sudo apt-get install john

sudo apt-get install leafpad


3) Close xterm and download this:

wl1251-maemo-0.1.tar.gz



4) Copy the downloaded file to the folder below and extract it there (step 5 changes into the extracted wl1251-maemo directory):

/home/user/MyDocs/





5) Open xterm and type:


root
cd /home/user/MyDocs/wl1251-maemo/binary/kernel-power/

dpkg -i kernel-power_2.6.28-maemo46-wl1_armel.deb
dpkg -i kernel-power-headers_2.6.28-maemo46-wl1_armel.deb
dpkg -i kernel-power-modules_2.6.28-maemo46-wl1_armel.deb
dpkg -i kernel-power-flasher_2.6.28-maemo46-wl1_armel.deb

*Don't close xterm.

6) THIS STEP IS ONLY NEEDED IF YOU ARE USING MULTIBOOT. (In xterm)

cd /boot
mv zImage-2.6.28-maemo46-wl1 multiboot/vmlinuz-2.6.28.10power46-wl1

cd /etc/multiboot.d/
leafpad 01-Maemo-2.6.28.10power46-wl1.item

*leafpad will open. Type this:

ITEM_NAME="Maemo 2.6.28.10power46-wl1"
ITEM_KERNEL=2.6.28.10power46-wl1
ITEM_MODULES=ext3

*Then save it and exit.

7) Reboot the device and select:

Maemo 2.6.28.10power46-wl1

**NOTE:
After rebooting, open xterm and type:

apt-get update
apt-get upgrade

*Run apt-get upgrade again and install everything it offers. (This is because we were on kernel v47 and the packages above install kernel v46; the upgrade brings it back to v47. Just to be safe.)

8) Download this, then extract it and copy the files [faircrack.tar.gz AND hildon.tar.gz] to MyDocs.


9) Open xterm and type:


cd /home/user/MyDocs/
mkdir FAS
cd FAS
tar -xzvf /home/user/MyDocs/faircrack.tar.gz

*Don't close xterm.

10) Open your file manager and check that these folders were copied to the device correctly:

MyDocs/FAS/keys/
MyDocs/FAS/diction/
MyDocs/FAS/cap/
MyDocs/FAS/cap/WEP/
MyDocs/FAS/cap/WPA/

11) In xterm,

cd /home/user/MyDocs/
tar -xzvf /home/user/MyDocs/hildon.tar.gz

sudo gainroot
mv faircrack.desktop /usr/share/applications/hildon/
mv faircrack.png /usr/share/icons/hicolor/48x48/hildon/

*If you keep getting an error when moving these files, just open Filebox with root access and copy-paste them to the given locations.

12) To run fAirCrack, use the menu icon (recommended), OR:

sh /home/user/MyDocs/FAS/launch.sh





13) Installing is done.

_______________________________________________________________________


Using it -

1) Run fAirCrack.

2) From the 'Monitor' tab, enable the packet injection drivers and then monitor mode.

*At the moment there is no way to check whether the drivers are enabled, so if you aren't sure, just click the enable button anyway.



3) Click on the 'Access Point' tab.

*From here, select how many seconds to run the scan for (default is 5) and click the scan button. Make sure the WEP button is highlighted to show only WEP networks.




4) Select your desired target and click the "Start Packet Capture" button.

This will load airodump in an xterm. Be sure to leave this window open until you are ready to crack.

5) Click the "Authenticate" button.

*This attempts to authenticate with the network, which is what allows you to perform packet injection.
*It launches a new xterm that displays information about your authentication request. If you see a line similar to "AID 1 :-)" then all is good. If not, try changing your MAC address to that of an already authenticated client (you can see them at the bottom of the airodump xterm). Bear in mind that changing your MAC requires stopping and starting your interface, and it WILL close your airodump window.

6) Once authenticated, click the "Injection" button.

*This launches a new xterm and starts listening for ARP and ACK packets. As soon as an ARP packet is captured it SHOULD start re-injecting it at about 500 pps (packets per second). At this point the number of ARP requests should start to skyrocket! If injection starts but the ARP number remains static, it means you need to authenticate with the router. Leave the authentication and injection windows open.

7) Click on the "Decryption" tab.

*This shows how many IVs you have captured so far.







8) Select your current CAP file from the list.

This will be the name of the network and a number.

9) Click the "Decrypt" button.

*This loads aircrack in a new xterm; after reading the packets it displays how many IVs have been captured and attempts to crack the key. You will normally need at least 50,000 IVs for a successful decryption, so if you have much fewer than that you may as well close the window.

10) If you have enough IVs, the password should be broken in seconds. At this point the aircrack xterm will close and you can view the key by selecting it from the list and clicking the "Show Key" button. If it doesn't show up, just press the "Refresh" button. (Keys are also stored in your MyDocs/FAS/keys/ directory).


If all went well then the whole process should take around 8-15 minutes.





_________________________________________________________________________

WPA

WPA is different. Read the FAQs for more information.

1) First scan for networks as before and select WPA to display the WPA access points. Now click on which one you want to crack and press the "Start Packet Capture" button.

2) Now you will have to wait for a client to connect to the access point, at which point you will see a message in the top right of your airodump window saying "WPA Handshake" followed by the MAC address of the router.

3) Now click on the "Decryption" tab. From here select the current cap file from the list (being sure to select WPA and not WEP), then select either a dictionary or specify an attack method for John. When you are ready, highlight either "wordlist" or "john" and press decrypt.

____________________________________________________________________


------------------------------ FAQs -----------------------------------

Q. It keeps asking me for a password?
A. Install sudser.

Q. What's an access point?
A. Wireless router.

Q. Why do I keep receiving deauth packets when authenticating?
A. I assume this is due to router security. Try changing your MAC (from the main menu) to match a client that is already connected. You can find one in the already open airodump window.

Q. Why am I not receiving any ARP packets when trying to perform injection?
A. Depending on the access point, it may be very difficult to capture/relay ARP requests, particularly if:
> You are not close enough to the access point.
> There is no traffic on the access point.
I find the number starts rising rapidly as soon as a client connects.

Q. I have tried everything, but just cannot inject/authenticate/anything. What gives?
A. Unfortunately, each make/model of router is different, and no matter how hard you try you may not be able to get into it. fAirCrack includes the settings that in my experience have been the most successful, but you may have better luck using aircrack directly and experimenting. (In future releases there will be far more options.)

Q. Why is WPA so much harder to crack?
A. WEP encryption is weak. Each IV (initialization vector) leaks a small portion of the key, so when enough of them are captured the key can be recovered. WPA, however, is far more secure and cannot be "cracked" in that sense. But when an authenticated client connects to a WPA access point a "handshake" is generated. This handshake can be captured by airodump, and aircrack can subsequently run a brute-force dictionary attack against it, possibly finding the key (if the exact key is not in the dictionary, it will obviously not work). To capture the handshake you can either wait for a client to connect, or you can launch a deauthentication attack (using my script) to force a client to disconnect and reconnect to the AP, allowing you to capture the handshake.

However, a wordlist big enough to 100% GUARANTEE cracking an 8-digit alphanumeric, case-sensitive WPA key would have up to 6277101735386680763835789423207666416102355444464034512896 different combinations. And this is WITHOUT symbols.

On the same basis, a 64-digit WPA key would have up to 39402006196394479212279040100143613805079739270465446667948293404245721771497210611414266254884915640806627990306816 different combinations.

These wordlists would be thousands of terabytes in their totality.

In short, it's possible but not feasible, bearing in mind that a device like the N900 could probably only check around 20-30 keys per second. The best you could do is capture the handshake with the N900 and then use a desktop to attempt to crack the password.

Realistically, the only way you are going to brute-force a WPA key is if the person the network belongs to (obviously you) has set something really mundane or stupid as their key. Any default key containing letters and numbers would be near enough impossible and could take years to break.
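To make the "possible but not feasible" argument concrete, here is an added Python example (not part of the original post or of fAirCrack) that computes the keyspace of an alphanumeric, case-sensitive key as 62**length, the size a full wordlist would occupy, and the worst-case time to try every candidate at a given guess rate. The 25 keys/second rate is taken from the 20-30 per second quoted above for the N900; the desktop rate is an assumed placeholder, not a measurement.

```python
"""Keyspace and brute-force cost estimator for the WPA passphrase discussion.

Added illustration, not part of the original post. Charset size 62 is
26 lowercase + 26 uppercase + 10 digits, matching the "alphanumeric,
case-sensitive, no symbols" keys discussed. Guess rates are assumptions
supplied by the caller.
"""
import math

ALNUM = 62                               # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset: int = ALNUM) -> int:
    """Number of distinct keys of exactly `length` characters."""
    return charset ** length


def entropy_bits(length: int, charset: int = ALNUM) -> float:
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(charset)


def wordlist_bytes(length: int, charset: int = ALNUM) -> int:
    """Bytes needed to store every key once, one per line (+1 for newline)."""
    return keyspace(length, charset) * (length + 1)


def years_to_exhaust(length: int, guesses_per_second: float,
                     charset: int = ALNUM) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace(length, charset) / guesses_per_second / SECONDS_PER_YEAR


def report(length: int, guesses_per_second: float) -> dict:
    """Summarise keyspace, strength, wordlist size (TB) and time (years)."""
    return {
        "length": length,
        "keyspace": keyspace(length),
        "bits": round(entropy_bits(length), 1),
        "wordlist_TB": wordlist_bytes(length) / 1e12,
        "years": years_to_exhaust(length, guesses_per_second),
    }


if __name__ == "__main__":
    # 25 keys/s is the N900 figure quoted in the text; 100000 keys/s is an
    # assumed, purely illustrative figure for a desktop CPU of that era.
    for rate in (25.0, 100_000.0):
        for n in (8, 64):
            r = report(n, rate)
            print(f"len={r['length']:2d} rate={rate:>9.0f}/s keys={r['keyspace']:.3e} "
                  f"bits={r['bits']} wordlist={r['wordlist_TB']:.3e} TB years={r['years']:.3e}")
```

Even at the assumed desktop rate, the 8-character case runs to decades, which is why the advice above to pick a non-dictionary passphrase is the practical defence.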
___________________________________________________________________

Done!


15 comments:

  1. Pretty good job you have done with this guide. I was looking for something detailed like this all over the internet with no luck, but I guess it's my lucky day. Thanks
  2. @Gaboxl42 -

    Thank you for your comment ;) Good luck ;)

  3. I wish you all the best...
    I'm interested in N900...
    Good Luck...!

    [SUMEDHE5DMS]
    sumedhe5dms@gmail.com
  4. Hey, I did everything like it's written, but when I
    start faircrack it doesn't start.
    What could be the problem?
  5. @lazy - sorry for the delay. I'm really busy these days.

    Btw, did you get a faircrack menu icon...?
  6. I have the same problem. I did everything like it's written, but when I start faircrack it doesn't work.
    I got the faircrack menu icon. I click it and go back to the Nokia main menu.
    I tried logging in with xterm:
    sh /home/user/MyDocs/FAS/launch.sh
    Traceback (most recent call last):
    File "Main.py", line 5, in
    from PyQt4 import QtGui,QtCore
    ImportError: No module name PyQt4

    May I know what I should do..??
  7. Same problem with me, reply immediately
  8. When I
    cd /home/user/Mydocs/wl1251-maemo/binary/kernel-power/
    it says
    can't cd to /home/user/Mydocs/wl1251-maemo/binary/kernel-power/
    What can I do now? When I try to install these from the file manager, app manager says incompatible application package.
    Please reply as soon as possible
  9. Thanks soooo much!!!!! I would just like to say, in my opinion this site is by far the best tutorial out there, even more so than any blog or forum on maemo. Thanks again bro,
    much appreciated!!!XD
  10. Hi, fAirCrack starts on my mobile, but when I select scan and the wifi name appears, when I click start packet capture the airodump didn't start
  11. Thumbs up! Very detailed tutorial