User Tools

Site Tools


wpa_migration_mode

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
wpa_migration_mode [2010/08/11 17:32]
lmeiners
wpa_migration_mode [2010/08/29 19:43]
mister_x Fixed channel/frequency graph link
Line 56: Line 56:
 http://www.youtube.com/watch?v=Zq86oP-dxk4 http://www.youtube.com/watch?v=Zq86oP-dxk4
  
-=== Step 1 - Start the wireless interface in monitor mode on AP channel ===+==== Step 1 - Start the wireless interface in monitor mode on AP channel ====
  
 The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets.  The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. 
Line 92: Line 92:
           Retry  long limit:  RTS thr:off   Fragment thr:off           Retry  long limit:  RTS thr:off   Fragment thr:off
           Power Management:off           Power Management:off
-          
 </code>  </code> 
  
 In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.  In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. 
  
-To match the frequency to the channel, check out: http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the “Wifi Channel Selection and Channel Overlap” tab. This will give you the frequency for each channel.+To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
  
-=== Step 2 - Start airodump-ng to capture the IVs ===+==== Step 2 - Start airodump-ng to capture the IVs ====
  
 The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.  The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point. 
Line 128: Line 127:
 </code> </code>
  
-=== Step 3 - Use aireplay-ng to do a fake authentication with the access point ===+==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ====
  
 In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.  In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. 
Line 159: Line 158:
 If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly. If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly.
  
-=== Step 4 - Start aireplay-ng in WPA Migration Mode attack mode ===+==== Step 4 - Start aireplay-ng in WPA Migration Mode attack mode ====
  
 The purpose of this step is to start aireplay-ng in a mode which attacks Cisco Aironet access points configured in WPA Migration Mode.  The purpose of this step is to start aireplay-ng in a mode which attacks Cisco Aironet access points configured in WPA Migration Mode. 
Line 172: Line 171:
  
 It will start listening for ARP requests and when it hears one, aireplay-ng will bitflip it and immediately start to inject it.  It will start listening for ARP requests and when it hears one, aireplay-ng will bitflip it and immediately start to inject it. 
-<code>+
 Here is what the screen looks like when ARP requests are being injected:  Here is what the screen looks like when ARP requests are being injected: 
 +<code>
 12:17:52  Waiting for beacon frame (BSSID: 00:26:0B:2A:BA:40) on channel 8 12:17:52  Waiting for beacon frame (BSSID: 00:26:0B:2A:BA:40) on channel 8
 Saving ARP requests in replay_arp-0811-121752.cap Saving ARP requests in replay_arp-0811-121752.cap
Line 187: Line 187:
  
  
-=== Step 5 - Run aircrack-ng to obtain the WEP key ===+==== Step 5 - Run aircrack-ng to obtain the WEP key ====
  
 The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.  The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. 
wpa_migration_mode.txt · Last modified: 2018/03/11 20:19 by mister_x