how_to_crack_wep_via_a_wireless_client
Differences
This shows you the differences between two versions of the page.
how_to_crack_wep_via_a_wireless_client [2007/01/28 19:06] – created mister_x | how_to_crack_wep_via_a_wireless_client [2008/05/19 19:26] – Fyx a mispeelinng. netrolller3d | ||
Line 1: | Line 1: | ||
- | ====== Tutorial: | + | ====== Tutorial: |
- | Version: 1.10 January 22, 2007 (Change log is at the end) \\ | + | Version: 1.16 August 25, 2007 \\ |
- | By: darkAudax | + | By: darkAudax |
+ | \\ | ||
+ | File linked to this tutorial: [[http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
Line 15: | Line 18: | ||
* You are within range of a client but not the access point itself | * You are within range of a client but not the access point itself | ||
- | I would like to acknowledge and thank the aircrack-ng | + | I would like to acknowledge and thank the [[http:// |
- | Please send me any constuctive | + | Please send me any constructive |
===== Solution ===== | ===== Solution ===== | ||
+ | |||
+ | |||
====Assumptions used in this tutorial==== | ====Assumptions used in this tutorial==== | ||
Line 27: | Line 32: | ||
* You are physically close enough to the client to send packets to them and receive packets from them. | * You are physically close enough to the client to send packets to them and receive packets from them. | ||
* You have Wireshark installed and working. | * You have Wireshark installed and working. | ||
- | * You are using the aircrack-ng stable version of 0.7. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. | + | * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. |
====Equipment used==== | ====Equipment used==== | ||
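Review bot: the revised assumption bullet raises the required release to "0.9 or the development version of 1.0" but keeps the warning that 0.6.2 aireplay-ng swaps the -k and -l addresses; state which release fixed that swap so a reader on 0.7 or 0.8 knows whether the warning still applies, and keep the version named here in step with the "0.9" the packetforge-ng section later refers to.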
Line 44: | Line 48: | ||
Operating System: Linux \\ | Operating System: Linux \\ | ||
MAC address: does not matter | MAC address: does not matter | ||
+ | Wireless interface used: ath0 | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Wireless Workstation=== | ===Wireless Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
+ | |||
+ | |||
Line 73: | Line 80: | ||
We are going to use a packet from captured data. Lets say you were running airodump-ng capturing packets to/from the access point and feel there are some arps you can use for injection. | We are going to use a packet from captured data. Lets say you were running airodump-ng capturing packets to/from the access point and feel there are some arps you can use for injection. | ||
- | ARP packets are not the only ones you can use. I focus on these because they are guaranteed to succeed and are the easiest to find in a packet capture. | + | ARP packets are not the only ones you can use. I focus on these because they are guaranteed to succeed and are the easiest to find in a packet capture. |
First, capture packets going to/from the access point in question. | First, capture packets going to/from the access point in question. | ||
- | airodump-ng --channel 9 --bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
- | You need one or more wireless clients active while you are doing this capture. | + | You need one or more wireless clients active while you are doing this capture. |
- | So now the objective is to find an ARP packet coming from the ethernet via the access point to the client. | + | So now the objective is to find an ARP request |
Characteristics of the incoming packet we want: | Characteristics of the incoming packet we want: | ||
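Review bot: the unchanged context sentence "Lets say you were running airodump-ng" is missing its apostrophe ("Let's"); since the sentence right after it is being reworded from "ARP packet" to "ARP request" in this hunk, fix the typo in the same edit. The "request" wording is the right change, as it matches the "ARP request" phrasing used in the Scenario Two rewrite further down.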
Line 87: | Line 94: | ||
* Destination MAC: Broadcast (FF: | * Destination MAC: Broadcast (FF: | ||
* Source MAC: anything | * Source MAC: anything | ||
- | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. | + | * Packet length: 68 or 86 (68 is typical for arp request |
Characteristics of the outgoing packet we want: | Characteristics of the outgoing packet we want: | ||
Line 93: | Line 100: | ||
* Destination MAC: the source MAC address from the incoming packet meaning the client is responding to it. | * Destination MAC: the source MAC address from the incoming packet meaning the client is responding to it. | ||
* Source MAC: MAC address of client | * Source MAC: MAC address of client | ||
- | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. | + | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. |
In simple terms we are looking for an ARP request to the client and a subsequent reply. | In simple terms we are looking for an ARP request to the client and a subsequent reply. | ||
First try Wireshark display filter of: | First try Wireshark display filter of: | ||
- | (wlan.bssid == 00: | + | |
+ | (wlan.bssid == 00: | ||
This selects packets to/from the access point which have a packet length greater then or equal to 68 and a packet length of less then or equal to 86. | This selects packets to/from the access point which have a packet length greater then or equal to 68 and a packet length of less then or equal to 86. | ||
- | You will have to change wlan.bssid to the access point MAC adddress | + | You will have to change wlan.bssid to the access point MAC address |
Once you have zeroed in on some possible packets then you can use the following display filter to focus on a particular client: | Once you have zeroed in on some possible packets then you can use the following display filter to focus on a particular client: | ||
- | (wlan.bssid == 00: | + | |
+ | (wlan.bssid == 00: | ||
Change the wlan.sa value to the particular client you are targeting. | Change the wlan.sa value to the particular client you are targeting. | ||
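Review bot: the unchanged explanation of the first display filter reads "greater then or equal to 68" and "less then or equal to 86"; both should be "than". This hunk already moves the two filters onto their own lines and corrects "adddress", so it is the natural place to fix that as well.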
Line 111: | Line 120: | ||
In simple terms, we are looking for an ARP request and the subsequent reply. | In simple terms, we are looking for an ARP request and the subsequent reply. | ||
- | Here is a summary of what the packets are. The numbers are the packets starting at one. If you view the file via WireShark then the numbers will match the following: | + | Here is a summary of what the packets are. The numbers are the packets starting at one. If you view the [[http:// |
- | 391 - This is an arp request from a wired workstation to our client being broadcast by the AP. It never gets answered and must have got lost. | + | * 391 - This is an arp request from a wired workstation to our client being broadcast by the AP. It never gets answered and must have got lost. |
- | 416 - The AP broadcasts the arp request received from the wired workstation. This is a repeat arp request via the AP since the first one (391) was never answered. | + | |
- | 417 - The client sends an arp response via the AP to the wired workstation. | + | |
- | 501 - A wireless workstation sends an arp request to the client via the AP. This packet is really a request to the AP to broadcast the arp request. | + | |
- | 503 - The AP broadcasts the arp request to all the wireless clients. | + | |
- | 504 - The client sends an arp response to wireless workstation via the AP. This packet is really a request to the AP to send the arp response to the wireless workstation | + | |
- | 506 - This is the ARP response being retransmitted from the AP to the wireless workstation. | + | |
- | The two possible packets to use are 416 or 503. You can try both. Number 503 is better since it will generate two data packets for each one you inject. The two being the reply from the client to the AP and the AP to the wireless workstation. Basically you double your data capture rate. People are always asking how to increase the injection rate, this one technique. | + | The two possible packets to use are 416 or 503. You can try both. Number 503 is better since it will generate two data packets for each one you inject. |
Once you have found one or more of these pairs then right-click the packets going to the client that you want within Wireshark and " | Once you have found one or more of these pairs then right-click the packets going to the client that you want within Wireshark and " | ||
Line 129: | Line 138: | ||
Restart your packet capture if it not still going: | Restart your packet capture if it not still going: | ||
- | airodump-ng --channel 9 --bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
+ | Be sure NOT to use the " | ||
+ | |||
Now use interactive replay in a second separate session: | Now use interactive replay in a second separate session: | ||
aireplay-ng -2 -r dsarprequests.cap ath0 | aireplay-ng -2 -r dsarprequests.cap ath0 | ||
- | You are now sending the ARP requests from your PC to the client directly, not through the access point. | + | You are now sending the ARP requests from your PC to the client directly, not through the access point. |
===Scenario Two - Interactively pulling packets from live communication=== | ===Scenario Two - Interactively pulling packets from live communication=== | ||
- | In this scenario we are going do the capture and injection in real time. | + | In this scenario we are going do the capture and injection in real time. The objective is to select an arp request for a wireless client going to the client. |
First, start capturing packets going to/from the access point in question. | First, start capturing packets going to/from the access point in question. | ||
- | airodump-ng --channel 9 --bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
Now start a separate second session to interactively capture and replay packets: | Now start a separate second session to interactively capture and replay packets: | ||
Line 181: | Line 192: | ||
Use this packet ? | Use this packet ? | ||
- | Remember, you may need to try a few packets to get it work. The ARP must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key. | + | Remember, the objective is to select an arp request for a wireless client going to the client. |
=== Scenario Three - Creating a packet from a chopchop replay attack === | === Scenario Three - Creating a packet from a chopchop replay attack === | ||
Line 191: | Line 202: | ||
Run " | Run " | ||
- | Change the -h to be the MAC address of a client | + | Change the -h to be the MAC address of a client |
Although this example is an arp request, as mentioned above, you should try to pick a packet to or from the workstation. | Although this example is an arp request, as mentioned above, you should try to pick a packet to or from the workstation. | ||
Line 283: | Line 294: | ||
Now we have the wireless workstation IP and use the xor file above to create an ARP packet. | Now we have the wireless workstation IP and use the xor file above to create an ARP packet. | ||
- | However, So if you are using 0.7.0 (svn test version) | + | However, So if you are using 0.9 then the correct command is: |
packetforge-ng --arp -a 00: | packetforge-ng --arp -a 00: | ||
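Review bot: the new sentence "However, So if you are using 0.9 then the correct command is:" stacks two connectives; drop "However," (or the capitalised "So") so it reads "So if you are using 0.9, the correct command is:". The change from "0.7.0 (svn test version)" to 0.9 is consistent with the updated assumptions bullet earlier in the diff.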
Line 308: | Line 319: | ||
Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | ||
- | Decrypt the packet: airdecap-ng -e teddy -w <put your WEP key here> arpforge.cap | + | Decrypt the packet: |
- | View the decrypted packet: tcpdump -n -r arpforge-dec.cap | + | |
+ | airdecap-ng -e teddy -w <put your WEP key here> arpforge.cap | ||
+ | |||
+ | View the decrypted packet: | ||
+ | |||
+ | tcpdump -n -r arpforge-dec.cap | ||
It should be something like: | It should be something like: | ||
+ | |||
reading from file arpforge-dec.cap, | reading from file arpforge-dec.cap, | ||
16: | 16: | ||
Line 336: | Line 354: | ||
* It does not support prism chipsets | * It does not support prism chipsets | ||
* Atheros chipsets: | * Atheros chipsets: | ||
- | * It does work smoothly with ralink | + | * It sometimes |
- | * Keep an eye on the forms for more compatibility information. | + | * It supports Broadcom |
+ | * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack. | ||
+ | * Keep an eye on the forums | ||
Here is the command to run: | Here is the command to run: | ||
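Review bot: the added bullet "Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack" gives no pointer to the patch or to the kernel or aircrack-ng version range it applies to, so "currently" will go stale without anyone noticing; link the patch or name the versions. The "forms" to "forums" correction in the last bullet is fine.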
Line 384: | Line 404: | ||
- | =====Change Log ===== | ||
- | |||
- | January 22/2007 v1.10 | ||
- | - Updated to reflect the release of aircrack-ng v0.7 | ||
- | |||
- | January 13/2007 v1.01 | ||
- | - Corrected typos. | ||
- | - Reworked arp examples with more specifics and sample capture. | ||
- | - Rewrote parts of the tutorial to make it clearer. | ||
- | - Section on fragmentation attack updated to reflect the current program functionality. | ||
- | |||
- | January 1/2007 v1.00 | ||
- | - Initial Release |
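Review bot: deleting the whole Change Log section removes the only record of which aircrack-ng release each tutorial revision targeted (the 1.10 entry ties the text to v0.7), while the header in the first hunk moves the document from 1.10 to 1.16 in the same revision; keep a one-line entry for 1.16 noting the move to 0.9/1.0, or point at the wiki revision history, so readers on older releases can tell which steps changed.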
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x