Wireless Cracking
Download
Report
Transcript Wireless Cracking
Wireless Cracking
By:
Christopher Zacky
aircrack-ng Suite
http://www.aircrack-ng.org
airodump-ng
Capture packets
airmon-ng
Put your wireless card into monitor mode
I just use iwconfig for this
aireplay-ng
Do fake authentications
ARP replay requests
De-authenticate other clients
aircrack-ng
To crack the key
WEP and WPA
WEP key... relatively easy to crack
Don't use WEP, wtf is wrong with you
ARP replay request
WPA key... not as easy, but still possible
especially if your password is lame
You need to capture a handshake
Can only be done with brute force, which is a
dictionary-based attack
What do you need?
aircrack-ng
It's free and open source
Some linux distributions come with it installed
(like backtrack, or pentoo)
Wireless card
Needs to be able to go into monitor mode
(sometimes Windows has a problem with that)
Needs to be capable of wireless injection
Just because you are close enough to receive
wireless packets, does not mean you are
close enough to send them
WEP Crack - Concepts
http://www.aircrack-ng.org/doku.php?
id=simple_wep_crack
Uses tens of thousands of initialization vectors
(IVs)
The process is sped up through injection
aircrack-ng runs an algorithm on the captured
IVs to crack the key
WEP Crack - Overview
Find the essid, channel, and mac address of the
access point using airodump-ng
Put wireless card in monitor mode and begin
listening on the correct channel
Your will be recording packets into a file
Do a fake authentication with the access point
Put aireplay-ng ARP replay request mode
Capture lots of packets
I wait till I have 100,000
Run aircrack-ng and crack the key!
airodump-ng
airodump-ng <device_name>
airodump-ng wlan0
Write down the essid, channel, and mac
address
Using screen helps a lot
Also, use ifconfig and write down your wireless
card's mac address... you'll need it later
Monitor Mode
Some people use airmon-ng... I don't
You need to be on the right channel before you
start capturing packets
I use iwconfig
Use airodump-ng to find the right channel
Managed mode = regular mode
Monitor mode = what we want to do WEP
cracking
iwconfig to change channel
ifconfig to turn interface on/off
Enabling Monitor Mode on the Right
Channel
ifconfig wlan0 down
iwconfig wlan0 mode managed
ifconfig wlan0 up
iwconfig wlan0 channel 6
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
The commands
airodump-ng -c <channel> --bssid <network_name> w <file_name> <device_name>
aireplay-ng -1 0 -e <essid> -a <bssid> -h
<my_mac_address> <device_name>
Do a fake authentication
aireplay-ng -3 -b <bssid> -h <my_mac_address>
<device_name>
Start capturing packets
Begin packet injection
aircrack-ng <file_name>
Crack the WEP key
WPA Crack - Overview
Can only be done via brute force
You need to capture a handshake
Wait for someone to connect
Find someone who is connected and de-auth
them
Run the captured handshake against a
dictionary
You will only crack the key if it is in the
dictionary you are using
WPA crack
airodump-ng -c <channel> --bssid <network_name> w <file_name> <device_name>
aireplay-ng -0 1 -a <bssid> -c <client_mac_address>
<device_name>
Start capturing packets
De-authenticate the client
aircrack-ng -w <password_list> -b <bssid>
<file_name>
Crack the WPA key