| Next revision | Previous revisionNext revisionBoth sides next revision |
| spanish_flowchart [2007/08/22 22:28] – created spanish | spanish_flowchart [2007/08/23 17:01] – spanish |
|---|
| ======Simple Wep Cracking with a flowchart====== | ======Mapa Conceptual Wep Cracking====== |
| |
| Last update: Aug 20, 2007 \\ | Última actualización: Aug 20, 2007 \\ |
| Author: matts | Author: matts \\ |
| | Traducción: En proceso |
| |
| =====Foreword===== | |
| Aircrack is very simple to use once you know the concept. This flowchart will hopefully teach you the concept behind simple wifi cracking. You will want to keep airodump-ng running to collect data, and then run your attacks. Each attack will use aireplay-ng, and the ultimate goal is to generate data on the network... most commonly ARP data. In this tutorial I assume you have read the wiki and are familiar with the different tools and attacks. This is not a hand-holding tutorial, this is a theory tutorial. It tells you WHEN to use an attack, not the command lines and switches. Remember, this is for simple wep cracking, where the goal is to recover the wep-key for your network. It tells you when to use the tools, not how. See the tool's wiki entry for details on the tool, links are under the flowchart. | |
| |
| Basically: Read the flowchart, read the wiki entries for the different tools I've listed, and follow the flowchart to go step-by-step until you reach an end. | =====Introducción===== |
| | La suite Aircrack-ng es muy simple de usar si conoces los diferentes conceptos. Este mapa conceptual te enseñará los conceptos básicos para crackear claves WEP. Tendrás que ejecutar airodump-ng para recoger paquetes de datos, y despues realizar los ataques. Cada ataque se realiza usando aireplay-ng, y el objetivo es generar tráfico en la red... comunmente conocido como paquetes ARP. En este tutorial suponemos que le has echado un vistazo al wiki y estás familiarizado con las diferentes utilidades y ataques. Este no es un tutorial detallado y profundo, sino que es un manual teórico. Te dice cuando se debe usar cada ataque, pero no el comando y las opciones detalladas. Recuerda, que es para recuperar claves wep de una red wireless. Te dice cuando se debe usar cada utilidad, pero no como. Mira en el wiki los detalles de cada una de las utilidades (están traducidos al castellano). |
| |
| =====Flow Chart===== | Basicamente: Mira el mapa conceptual, pero antes de nada lee las diferentes entradas en el wiki para cada una de las utilidades de la lista que figura a continuación del mapa conceptual, y sigue el mapa conceptual para ir paso por paso hasta llegar al final. |
| | |
| | =====Mapa Conceptual===== |
| {{http://img412.imageshack.us/img412/9126/mapaaircracknv9.gif}} | {{http://img412.imageshack.us/img412/9126/mapaaircracknv9.gif}} |
| |
| =====Links to the different tools needed for simple cracking===== | |
| * [[aircrack-ng]] | |
| * [[aireplay-ng]] | |
| * [[airodump-ng]] | |
| * [[packetforge-ng]] | |
| |
| =====The following sections correspond to the flow chart's blocks.===== | =====Links de las diferentes utilidades===== |
| Read the flowchart to understand where the section is in the flowchart so you get a better understanding on the flow. The section numbers do not correlate to the procedure for cracking. | * [[aircrack-ng.es|aircrack-ng]] |
| | * [[aireplay-ng.es|aireplay-ng]] |
| | * [[airodump-ng.es|airodump-ng]] |
| | * [[packetforge-ng.es|packetforge-ng]] |
| |
| =====Section 1: Singling out the AP you are cracking.===== | |
| Running airodump-ng with no parameters will show you every AP in your area. You will want to use a few parameters to single out the AP you are trying to crack, so you only collect the information you need. | =====Las siguientes secciones se corresponden con los bloques del mapa conceptual.===== |
| | Mira el mapa conceptual para entender donde se encuentra cada sección del mismo. El número de cada sección no está directamente relacionado con el procedimiento a seguir para el crackeo. |
| | |
| | |
| | |
| | =====Sección 1: Centrarse en el AP del que queremos obtener la contraseña wep.===== |
| | Al ejecutar airodump-ng sin ningún parametro verás los APs que hay en los alrededores. Tendrás que usar algunas opciones adicionales para centrarte en el AP del que quieres obtener la clave wep, de tal forma que capturemos la información que necesitamos. |
| |
| aircrack-ng -c 6 --bssid 11:22:33:44:55:66 -w output | aircrack-ng -c 6 --bssid 11:22:33:44:55:66 -w output |
| |
| ^-c 6|Sets channel to 6, change the number to whatever channel your AP is on. Very important, so you are not chan hopping.| | ^-c 6|Fija el canal en el número 6, cambia el número por el del canal en el que se encuentra tu AP. Es muy importante, para evitar escanear todos los canales y perder datos.| |
| ^--bssid 11:22:33:44:55:66|Sets the BSSID to single out. This is set to your AP's MAC Address (seen in airodump-ng)| | ^--bssid 11:22:33:44:55:66|Indica el BSSID del AP. Es la dirección MAC del AP (se vé con airodump-ng)| |
| ^-w output|Sets the output file, this will start outputting data to output-##.cap| | ^-w output|Es el nombre del archivo en el que se guardarán las capturas (output-##.cap)| |
| |
| =====Section 2: Ensure your drivers are patched and compatible===== | |
| See the following URL's for compatibility information: | |
| |
| ^Cards|http://aircrack-ng.org/doku.php?id=compatible_cards| | =====Sección 2: Asegúrate de que tus drivers están parcheados y son compatibles===== |
| | Mira los siguientes links para más información: |
| | |
| | ^Tarjetas|http://aircrack-ng.org/doku.php?id=compatible_cards| |
| ^Drivers|http://aircrack-ng.org/doku.php?id=compatibility_drivers| | ^Drivers|http://aircrack-ng.org/doku.php?id=compatibility_drivers| |
| |
| =====Section 3: Associating to the AP===== | |
| If you can not associate to your AP, you need to turn off WPA/WPA2 encryption, or make sure you have turned off MAC filtering. If you have MAC filtering on, make sure your MAC address is not spoofed and is in the list of allowed clients. | |
| |
| =====Section 4: Clients are connected, run deauth and arpinteractive attacks===== | |
| Since clients are connected, you will first want to run the arp interactive (-3) attack, and leave it running so it can listen for the ARP packet which will be generated when you deauth the client who is connected. By deauthing, you will generate an arp which can be re-injected, thus generating data on the network. | |
| |
| =====Section 5: Is the AP sending out ANY data?===== | =====Sección 3: Asociándose al AP===== |
| In order to crack anything, the AP has to send out at least 1 packet. This packet will be used on the chopchop (-4) or fragmentation (-5) attack, or hopefully the arpinteractive (-3) attack. If the AP is not sending out any data, it likely means no one is connected to the AP via wired or wireless. You will just have to wait, keep airodump-ng running with the -w switch (to output data) overnight, and you may get lucky. | Si no puedes asociarte al AP, asegúrate de que no está activa la encriptación WPA/WPA2, o cerciórate de que no existe filtrado MAC. Si la red tiene filtrado MAC, comprueba que la dirección MAC de tu tarjeta se encuentra en la lista de clientes permitidos. |
| | |
| | |
| | =====Sección 4: Si algún cliente está conectado, deautentifícalo y realiza el ataque arp-interactive===== |
| | Cuando hay algún cliente conectado, primero ejecuta el ataque de reenvio de arps (-3), y déjalo un buen rato para capturar algún paquete ARP, que puede ser generado cuando deautentificas al cliente que se encuentra conectado. Deautentificándolo, generarás un arp que puede ser reinyectado, y de esta forma se generará tráfico en la red. |
| | |
| | |
| | =====Sección 5: ¿Envía el AP algún paquete de datos?===== |
| | Para poder obtener la contraseña wep, el AP tiene que enviar al menos 1 paquete que nuestra tarjeta ha de capturar. Este paquete se puede usar con el ataque chopchop (-4) o el de fragmentación (-5), o tambien con el ataque de arp si se trata de uno de estos paquetes (-3). Si el AP no envía ningún paquete de datos, significa que nadie está conectado al mismo ni por cable ni a través de wireless. Simplemente tendrás que esperar, dejar airodump-ng ejecutándose con la opción -w (para guardar los datos) y puede que tengas suerte. |
| |
| =====Section 6: Generate an XOR file (chopcop or fragmentation attack)===== | =====Sección 6: Generate an XOR file (chopcop or fragmentation attack)===== |
| The point of cracking is to generate data. You can generate data in Section 4, but sometimes there are no clients connected to wifi, but the AP is still sending out data. In this case, you will want to capture the data that the AP is sending out, and use it to determine a valid XOR keystream (basically a file which allows you to create a packet with out knowing the key). The two attacks for this are "fragmentation" and "chop-chop". Fragmentation is quickest, but it doesn't always work on every AP. Chop-chop usually works, but you have to have a good connection to the AP (be close to the AP). | The point of cracking is to generate data. You can generate data in Section 4, but sometimes there are no clients connected to wifi, but the AP is still sending out data. In this case, you will want to capture the data that the AP is sending out, and use it to determine a valid XOR keystream (basically a file which allows you to create a packet with out knowing the key). The two attacks for this are "fragmentation" and "chop-chop". Fragmentation is quickest, but it doesn't always work on every AP. Chop-chop usually works, but you have to have a good connection to the AP (be close to the AP). |
| |
| =====Section 7: Frag / Chop-chop failed===== | =====Sección 7: Frag / Chop-chop failed===== |
| For fragmentation: try a few more packets sent out by the AP. Try spoofing your mac address to the source address in the packet. If this still doesn't work, the AP may not be vulnerable to the fragmentation attack. | For fragmentation: try a few more packets sent out by the AP. Try spoofing your mac address to the source address in the packet. If this still doesn't work, the AP may not be vulnerable to the fragmentation attack. |
| |
| * The AP may ignore you if your MAC address is not the same as the packet's MAC address, so you can spoof your mac address to suit the packet. | * The AP may ignore you if your MAC address is not the same as the packet's MAC address, so you can spoof your mac address to suit the packet. |
| |
| =====Section 8: Success! XOR Keystream file generated.===== | =====Sección 8: Success! XOR Keystream file generated.===== |
| We have an XOR keystream meaning we can make any packet we want, as long as we have enough bytes in the keystream. For an ARP packet (packetforge -0), 70 is enough bytes which is the shortest packet you'll generally see from the AP. Generate an ARP packet using packetforge, you may use arp amplification if you like. For the -l and -k switches I generally use 255.255.255.255 and it works just fine. | We have an XOR keystream meaning we can make any packet we want, as long as we have enough bytes in the keystream. For an ARP packet (packetforge -0), 70 is enough bytes which is the shortest packet you'll generally see from the AP. Generate an ARP packet using packetforge, you may use arp amplification if you like. For the -l and -k switches I generally use 255.255.255.255 and it works just fine. |
| |
| =====Section 9: Running aircrack-ng on the collected data===== | =====Sección 9: Running aircrack-ng on the collected data===== |
| If you have done things right, you should start to see the #/s and "Data" fields in airodump-ng climb to high numbers. While this is going on, you will want to run aircrack-ng on the .cap files you are creating with airodump-ng. You may also use wildcards if you have run multiple airodump sessions. For example: | If you have done things right, you should start to see the #/s and "Data" fields in airodump-ng climb to high numbers. While this is going on, you will want to run aircrack-ng on the .cap files you are creating with airodump-ng. You may also use wildcards if you have run multiple airodump sessions. For example: |
| |
| This will open up any file starting with "output-" and ending with ".cap". | This will open up any file starting with "output-" and ending with ".cap". |
| |
| =====Section 10: Attack wont work at this time===== | =====Sección 10: Attack wont work at this time===== |
| There are many reason that you wont be able to. | There are many reason that you wont be able to. |
| |
