how_to_crack_wep_via_a_wireless_client
how_to_crack_wep_via_a_wireless_client [2007/05/16 19:26] – updated to reflect the 0.9 changes darkaudax | how_to_crack_wep_via_a_wireless_client [2008/05/19 19:26] – Fyx a mispeelinng. netrolller3d | ||
Line 1: | Line 1: | ||
====== Tutorial: | ====== Tutorial: | ||
- | Version: 1.14 May 16, 2007 \\ | + | Version: 1.16 August 25, 2007 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
\\ | \\ | ||
File linked to this tutorial: [[http:// | File linked to this tutorial: [[http:// | ||
+ | |||
===== Introduction ===== | ===== Introduction ===== | ||
Line 17: | Line 18: | ||
* You are within range of a client but not the access point itself | * You are within range of a client but not the access point itself | ||
- | I would like to acknowledge and thank the aircrack-ng | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. | Please send me any constructive feedback, positive or negative. | ||
===== Solution ===== | ===== Solution ===== | ||
+ | |||
====Assumptions used in this tutorial==== | ====Assumptions used in this tutorial==== | ||
Line 30: | Line 32: | ||
* You are physically close enough to the client to send packets to them and receive packets from them. | * You are physically close enough to the client to send packets to them and receive packets from them. | ||
* You have Wireshark installed and working. | * You have Wireshark installed and working. | ||
- | * You are using the aircrack-ng stable version of 0.9. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. | + | * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. |
- | + | ||
- | In the examples, the option " | + | |
====Equipment used==== | ====Equipment used==== | ||
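Review bot: the `-` side of this hunk drops the sentence beginning "In the examples, the option" with nothing replacing it on the `+` side. If that note still applies to the 0.9 and 1.0 command examples further down, it should stay (or the examples should be updated so the note is no longer needed); if it was obsolete, saying so in the edit summary would tell readers of the history why it went.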
Line 48: | Line 48: | ||
Operating System: Linux \\ | Operating System: Linux \\ | ||
MAC address: does not matter | MAC address: does not matter | ||
+ | Wireless interface used: ath0 | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Wireless Workstation=== | ===Wireless Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
+ | |||
+ | |||
Line 81: | Line 84: | ||
First, capture packets going to/from the access point in question. | First, capture packets going to/from the access point in question. | ||
- | | + | |
You need one or more wireless clients active while you are doing this capture. | You need one or more wireless clients active while you are doing this capture. | ||
Line 135: | Line 138: | ||
Restart your packet capture if it not still going: | Restart your packet capture if it not still going: | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
- | Be sure not to use the "- -ivs" option since you will later use the PTW method to crack the WEP key. | + | Be sure NOT to use the "-'''' |
Now use interactive replay in a second separate session: | Now use interactive replay in a second separate session: | ||
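Review bot: on the "Be sure NOT to use" line the `+` side writes the option as `-''''` (an empty DokuWiki monospace span between the two dashes) so the wiki does not render `--` as a single dash; the old `- -` spelling with a space avoided the same rendering problem but showed an option form that does not exist, as the corrected `--channel`/`--bssid` on the `+` side of the command line above confirms. A short editor comment in the page source explaining the `''''` trick would stop the next editor from "cleaning" it up and reintroducing the dash conversion.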
Line 148: | Line 151: | ||
===Scenario Two - Interactively pulling packets from live communication=== | ===Scenario Two - Interactively pulling packets from live communication=== | ||
- | In this scenario we are going do the capture and injection in real time. | + | In this scenario we are going do the capture and injection in real time. The objective is to select an arp request for a wireless client going to the client. |
First, start capturing packets going to/from the access point in question. | First, start capturing packets going to/from the access point in question. | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
Now start a separate second session to interactively capture and replay packets: | Now start a separate second session to interactively capture and replay packets: | ||
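Review bot: "we are going do the capture and injection" is missing "to" ("going to do") and survives unchanged on both sides of this hunk. The new sentence on the `+` side, "an arp request for a wireless client going to the client", reads as if the client is moving; "an ARP request addressed to a wireless client" says the same thing more clearly, and "ARP" should be capitalised to match "The ARP must be for a wireless client" in the text this revision removes below.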
Line 189: | Line 192: | ||
Use this packet ? | Use this packet ? | ||
- | Remember, you may need to try a few packets to get it work. The ARP must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key. | + | Remember, the objective is to select an arp request for a wireless client going to the client. |
=== Scenario Three - Creating a packet from a chopchop replay attack === | === Scenario Three - Creating a packet from a chopchop replay attack === | ||
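Review bot: the `+` side's "Remember, the objective is to select an arp request for a wireless client going to the client" repeats, almost word for word, the sentence this revision adds to the Scenario Two introduction in the hunk above; one of the two is enough. If the reminder is kept here, note that the `-` side's "try a few packets to get it work" was also missing a "to", so whichever wording stays should be proofread.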
Line 293: | Line 296: | ||
However, So if you are using 0.9 then the correct command is: | However, So if you are using 0.9 then the correct command is: | ||
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
* -a 00: | * -a 00: | ||
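Review bot: "However, So if you are using 0.9 then the correct command is:" is ungrammatical on both sides of this hunk ("However, So"); since the next hunk explains that the `-k`/`-l` reversal is a 0.6.2 bug, "So if you are using 0.9, the correct command is:" or simply "For 0.9 the correct command is:" reads better and keeps the contrast with the 0.6.2 example below.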
Line 306: | Line 309: | ||
The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | ||
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
After creating the packet, use tcpdump to review it from a sanity point of view. See below. | After creating the packet, use tcpdump to review it from a sanity point of view. See below. | ||
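Review bot: "where by" should be "whereby" (unchanged on both sides), and "correct for version 0.6.2 for what we want to do" can be tightened to "correct for version 0.6.2". Since the assumptions hunk now admits the 1.0 development version alongside 0.9, it would help to state explicitly which of the two packetforge-ng examples a 1.0 user should follow.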
Line 351: | Line 354: | ||
* It does not support prism chipsets | * It does not support prism chipsets | ||
* Atheros chipsets: | * Atheros chipsets: | ||
- | * It sometimes does work smoothly with ralink. | + | * It sometimes does not work smoothly with ralink. |
- | * Keep an eye on the forms for more compatibility information. | + | * It supports Broadcom chipsets only with the b43/ |
+ | * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack. | ||
+ | * Keep an eye on the forums | ||
Here is the command to run: | Here is the command to run: |
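Review bot: the ralink bullet changes meaning, from "sometimes does work smoothly" to "sometimes does not work smoothly". If the old wording was a typo the fix is right, but a reversal like this belongs in the edit summary rather than passing as a wording tweak, because readers with ralink cards act on it. "forms" to "forums" is a correct fix, and the new Broadcom/mac80211 bullets are a useful addition; naming the kernel or driver versions the mac80211 patch applies to would make that bullet easier to act on and to retire once the patch is merged.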
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x