 Original post Bt Marshall on http://www.hackavision.com/ a Blog with a lot of information about security, check it for other great posts.
Original post Bt Marshall on http://www.hackavision.com/ a Blog with a lot of information about security, check it for other great posts.
Now that you have hopefully installed the Aircrack-ng suite and familiarized yourself with some basic Linux commands, we can start cracking WEP and WPA1/2 networks to see the differences in security Wired Equivalent Privacy (WEP) and Wi-fi Protected Access (WPA) provide.
Now, lets start. Open up a new terminal and lets begin (all typed commands are underlined; read the notes section for optional commands):
- Make sure you have a “monitoring” interface, this means that your network interface (the thing that interacts with networks) can scan for open/encrypted networks.
 To check what interfaces you have, type “iwconfig” into your terminal and it will list out which interfaces are currently up, and which mode they are in (look for “mode: managed” or “mode: monitor”).
 Check out my blog post about networking in Linux for more on “iwconfig” and the different modes available.Type: airmon-ng start [interface] if your interface is in “managed” or any other mode (ad-hoc, etc) it needs to be switched into monitor mode. Sometimes it will create a new interface for the monitoring, for example, my wireless is “wlan0” and it creates “wlan0mon” or “mon0” for monitoring. 
 Once it is in “monitor” mode, you can begin.
- Make sure you can inject packets into the chosen network (find a network with Kismet (I’ll review Kismet later) or your network manager (either Wicd, or network-manager), or with the “airodump-ng [interface]” command in a new terminal. This creates a new .cap file, though).
 Type:aireplay-ng -9 -e [network name] -a [your MAC address] [interface] This makes sure that you can use your network card to input packets (data) into the targeted network. Your NIC (network interface card) must support injection. 
- If you can inject, start dumping captured IVs (Initialization Vectors) into a .cap (capture) file with command:
airodump-ng (-c x) –bssid [target network MAC] -w [output prefix] [interface] Note: -c x is channel x, where x is 1-11 and not necessary, although, if you know the channel, I would suggest doing the correct channel. 
 This will bring up a nice interface with your targeted network, the BSSID (MAC that you entered), the “PWR,” or how close you are (lower is better!), the “Beacons,” which networks send automatically, the #Data, which is the data packets that have been sent over the network (which you have just started capturing!), the #/s which is data packets/s (higher is better for capturing faster!), the “CH,” or channel (I’ll go over this later), the “MB,” the “ENC,” or encryption (WEP/WPA/OPEN), the CIPHER (related to the ENC), the AUTH (pass-key or other), and finally the ESSID which is the English or ASCII network name that humans understand more easily than a Hex BSSID.
- Now we have to do a “fake authentication” on the network.  This is pretty self explanatory, but it authenticates you with the access point. If you didn’t run this, the access point would return “deauthenticated” packets, not allowing you to inject packets back into the system.
Type: aireplay-ng -1 0 -e [network name] -a [target network MAC] -h [your MAC address] [interface] It should respond “Association successful :-)” if not, try again until it works. 
 This may take a while, so don’t fret if it doesn’t work right away. I’ve had to do this three or four times or more with new terminals and locations until I finally got it, it’s just luck sometimes.
- Reinject ARP (Address Resolution Protocol) packets back into the network to create network activity. To review ARP, check out my ARP information post and read it thoroughly, it isn’t long and gives a good explaination what ARP is all about. What we’re basically doing is sending fake messages to create data packets on the network so we can record and crack their password!
Type: aireplay-ng -3 -b [target network MAC] -h [your MAC address] [interface] It should say “Read xxxx packets (got xxxx ARP requests), sent xxxx packets…” and network activity should increase. 
- Crack the WEP key! Type:
aircrack-ng -b [target network MAC] *.cap Note: you can enter the ACTUAL file name instead of “*.cap” if you know it, or whatever “output prefix” you entered, then *.cap (all in a line, since it concatinates -xxxxx_xxxx after the prefix and before .cap). 
- Crack the WPA/WPA2 key (if you’re not cracking WEP)! Type:
aircrack-ng -w [password list] -b [target network MAC] *.cap Note: You must have captured the WPA handshake, and again, substitute your capture file accordingly. 
For WEP cracking, this should run a terminal with “Tested xxxx keys (got xxxx IVs) and a bunch of gibberish HEX underneath. You can run this while you inject packets. It should find the key eventually unless the network admin or creator disconnects the network or you go out of range of it. Sometimes it only takes as little as 5000 keys, and other times 250,000 keys.
My record is about 2-3 minutes while sitting on a toilet in a flea market; it’s fun to see how quickly WEP is broken, so remember ALWAYS use WPA2 with a non-dictionary passkey. You can review more tips about securing your home network at my post here.
For WPA cracking, it runs through a list of passwords (in Backtrack 5 there is a darkc0de.lst with almost a million, if not more, passwords) and checks every one for a match; thus taking quite a bit longer, and if the password is not in the list, impossible to crack through this method.
The aircrack-ng suite includes the below programs, try playing around with them. If you enter the name then –help or -h, usually (almost always) a help page appears with all the commands you can enter.
Name — What program does
aircrack-ng     Cracks WEP and WPA (Dictionary attack) keys.
airdecap-ng     Decrypts WEP or WPA encrypted capture files with known key.
airmon-ng     Placing different cards in monitor mode.
aireplay-ng     Packet injector (Linux, and Windows [with Commview drivers]).
airodump-ng     Packet sniffer: Places air traffic into PCAP or IVS files and shows information about networks.
airtun-ng     Virtual tunnel interface creator.
airolib-ng     Stores and manages ESSID and password lists; Increases the KPS of WPA attacks
packetforge-ng     Create encrypted packets for injection.
Tools         Tools to merge and convert.
airbase-ng     Incorporates techniques for attacking client, as opposed to Access Points
airdecloak-ng     removes WEP cloaking from pcap files
airdriver-ng     Tools for managing wireless drivers
airolib-ng     stores and manages ESSID and password lists and compute Pairwise Master Keys
airserv-ng     allows you to access the wireless card from other computers.
buddy-ng     the helper server for easside-ng, run on a remote computer
easside-ng     a tool for communicating to an access point, without the WEP key
tkiptun-ng     WPA/TKIP attack
wesside-ng     automatic tool for recovering wep key.
 
  
 
One thing we are always told is to secure our wireless networks and we do it, Then along comes a TOTAL BRAINLESS IDIOT like yourself to tell the world how to crack secured wireless networks, This is the downside of idiots that don’t see the damage this can cause to the wireless owners when people have their band with stolen by hackers, that download pirated software, and illegal porn material
I only hope you have a wireless set up and someone hacks into yours and download illegal child porn and th law comes and kicks your door in confiscate your systems and march you off to jail
I forgot to mention http://linux-news.org Admins are BRAIN DEAD IDIOTS for publishing this story
Dear Carling,
I suppose that you believe to the Security through obscurity principle.
Personally I’ve never believed in it, and the goal of publishing these information was to the awareness of more people on how weak are the actual wireless cypher suite.
Believe me, this was not a secret before of this post, the net it’s plenty of guide, and if with this post I’ve spread this information more my goal is accomplished.
Choose a strong WPA2 password, hide your ESS ID, bind the access to only the known Mac Address and turn off your wireless device when you are not using it; this will raise a bit your security, but a determined person that want to break in, probably will do it…in more time.
The Admin.
Dear Carling,
Please understand that security can only exist if people are aware of the faults. An to be honest, you only have to do two of those things that on The Admin’s post (plus one extra). Hide your SSID and white list mac address (and change your IP address scheme to something funky and make it static).
And for my closing notes, we as the human race should stop teaching people about what calories are and not inform people on how overdosing on them is bad. That way when people get fat and unhealthy, people won’t know why and just think its normal since no one understands them.
Oh, and one more thing http://www.techdirt.com/articles/20060320/1636238.shtml. Since this article is posted on US servers, it is teaching people how to break wifi encryption/authentication in an area where the hacker takes the fault and the hackee cannot be held responsible as they are providing a service and acting as an ISP.
Thank you for taking your time in understanding the law (of the land where the information is being given).
RzITex
Carling, I hope your head falls off and your family eaten alive by aliens.
U mm, I ‘ve got to go with Carling on this one. On the one hand information, as a rule, is usually a
good thing. But here ‘cracking technology’ as an open discussion, I just don’t find this appropriate.
In some cases knowledge is dangerous, as I perceive it is here. How many of us can actually benefit from this info.? As a form of teaching others what to look out for, maybe..