how_to_crack_wep_via_a_wireless_client
Differences
how_to_crack_wep_via_a_wireless_client [2007/04/27 18:57] – updated to reflect v.8 darkaudax | how_to_crack_wep_via_a_wireless_client [2008/05/19 19:26] – Fyx a mispeelinng. netrolller3d | ||
Line 1: | Line 1: | ||
====== Tutorial: | ====== Tutorial: | ||
- | Version: 1.13 April 27, 2007 \\ | + | Version: 1.16 August 25, 2007 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
\\ | \\ | ||
File linked to this tutorial: [[http:// | File linked to this tutorial: [[http:// | ||
+ | |||
===== Introduction ===== | ===== Introduction ===== | ||
Line 17: | Line 18: | ||
* You are within range of a client but not the access point itself | * You are within range of a client but not the access point itself | ||
- | I would like to acknowledge and thank the aircrack-ng | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. | Please send me any constructive feedback, positive or negative. | ||
===== Solution ===== | ===== Solution ===== | ||
+ | |||
====Assumptions used in this tutorial==== | ====Assumptions used in this tutorial==== | ||
Line 30: | Line 32: | ||
* You are physically close enough to the client to send packets to them and receive packets from them. | * You are physically close enough to the client to send packets to them and receive packets from them. | ||
* You have Wireshark installed and working. | * You have Wireshark installed and working. | ||
- | * You are using the aircrack-ng stable version of 0.8. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. | + | * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. |
- | + | ||
- | In the examples, the option " | + | |
====Equipment used==== | ====Equipment used==== | ||
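Review bot: the rewritten assumption line says to use stable 0.9 or development 1.0 but still justifies it only with the 0.6.2 bug that swaps -k and -l; that reads as if 0.8 were affected too. Say plainly that the commands on this page are written for 0.9/1.0 option semantics and that 0.6.2 reversed -k and -l. The same hunk deletes the sentence beginning `In the examples, the option "`, which was the only place that option was introduced for the whole page; if the later scenarios still rely on it, its explanation needs a new home rather than silent removal.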
Line 48: | Line 48: | ||
Operating System: Linux \\ | Operating System: Linux \\ | ||
MAC address: does not matter | MAC address: does not matter | ||
+ | Wireless interface used: ath0 | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Wireless Workstation=== | ===Wireless Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
+ | |||
+ | |||
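Review bot: the added line `Wireless interface used: ath0` is placed directly after `MAC address: does not matter`, which, unlike `Operating System: Linux \\`, carries no trailing `\\`; DokuWiki joins consecutive lines without `\\` into one paragraph, so the two attributes will render as a single run-on line. Add `\\` to the MAC address line so each attribute stays on its own line. The three `Operation` to `Operating` fixes are fine; while here, the two identical `===Ethernet wired Workstation===` headings could be numbered so the two hosts can be told apart in the text that refers to them.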
Line 77: | Line 80: | ||
We are going to use a packet from captured data. Lets say you were running airodump-ng capturing packets to/from the access point and feel there are some arps you can use for injection. | We are going to use a packet from captured data. Lets say you were running airodump-ng capturing packets to/from the access point and feel there are some arps you can use for injection. | ||
- | ARP packets are not the only ones you can use. I focus on these because they are guaranteed to succeed and are the easiest to find in a packet capture. | + | ARP packets are not the only ones you can use. I focus on these because they are guaranteed to succeed and are the easiest to find in a packet capture. |
First, capture packets going to/from the access point in question. | First, capture packets going to/from the access point in question. | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
- | You need one or more wireless clients active while you are doing this capture. | + | You need one or more wireless clients active while you are doing this capture. |
- | So now the objective is to find an ARP packet coming from the ethernet via the access point to the client. | + | So now the objective is to find an ARP request |
Characteristics of the incoming packet we want: | Characteristics of the incoming packet we want: | ||
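Review bot: the `- -channel` to `--channel` correction is the substantive fix here, since the old form with a space is rejected by airodump-ng. In the retained context on the same hunk, "Lets say" should be "Let's say", and "some arps you can use" should say "some ARP requests", matching the corrected objective sentence that now specifically asks for an ARP request going to the client.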
Line 91: | Line 94: | ||
* Destination MAC: Broadcast (FF: | * Destination MAC: Broadcast (FF: | ||
* Source MAC: anything | * Source MAC: anything | ||
- | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. | + | * Packet length: 68 or 86 (68 is typical for arp request |
Characteristics of the outgoing packet we want: | Characteristics of the outgoing packet we want: | ||
Line 97: | Line 100: | ||
* Destination MAC: the source MAC address from the incoming packet meaning the client is responding to it. | * Destination MAC: the source MAC address from the incoming packet meaning the client is responding to it. | ||
* Source MAC: MAC address of client | * Source MAC: MAC address of client | ||
- | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. | + | * Packet length: 68 or 86 (68 is typical for arp packets originating from wireless clients. |
In simple terms we are looking for an ARP request to the client and a subsequent reply. | In simple terms we are looking for an ARP request to the client and a subsequent reply. | ||
First try Wireshark display filter of: | First try Wireshark display filter of: | ||
- | (wlan.bssid == 00: | + | |
+ | (wlan.bssid == 00: | ||
This selects packets to/from the access point which have a packet length greater then or equal to 68 and a packet length of less then or equal to 86. | This selects packets to/from the access point which have a packet length greater then or equal to 68 and a packet length of less then or equal to 86. | ||
- | You will have to change wlan.bssid to the access point MAC adddress | + | You will have to change wlan.bssid to the access point MAC address |
Once you have zeroed in on some possible packets then you can use the following display filter to focus on a particular client: | Once you have zeroed in on some possible packets then you can use the following display filter to focus on a particular client: | ||
- | (wlan.bssid == 00: | + | |
+ | (wlan.bssid == 00: | ||
Change the wlan.sa value to the particular client you are targeting. | Change the wlan.sa value to the particular client you are targeting. | ||
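Review bot: the unchanged explanation of the filter still reads "greater then or equal to 68 and ... less then or equal to 86"; both should be "than". Also worth one sentence here: the 68/86 byte bounds (and the length criteria in the lists above) are for captures that do not include the 4-byte 802.11 FCS; when the driver hands the FCS up to the capture, the same ARP request and reply frames show as 72 and 90 bytes and this filter silently drops them, so the reader should widen the bounds or strip the FCS before filtering.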
Line 123: | Line 128: | ||
* 503 - The AP broadcasts the arp request to all the wireless clients. | * 503 - The AP broadcasts the arp request to all the wireless clients. | ||
* 504 - The client sends an arp response to wireless workstation via the AP. This packet is really a request to the AP to send the arp response to the wireless workstation | * 504 - The client sends an arp response to wireless workstation via the AP. This packet is really a request to the AP to send the arp response to the wireless workstation | ||
- | * 506 - This is the ARP response being retransmitted from the AP to the wireless workstation. | + | * 506 - This is the arp response being retransmitted from the AP to the wireless workstation. |
- | The two possible packets to use are 416 or 503. You can try both. Number 503 is better since it will generate two data packets for each one you inject. The two being the reply from the client to the AP and the AP to the wireless workstation. Basically you double your data capture rate. People are always asking how to increase the injection rate, this one technique. | + | The two possible packets to use are 416 or 503. You can try both. Number 503 is better since it will generate two data packets for each one you inject. |
Once you have found one or more of these pairs then right-click the packets going to the client that you want within Wireshark and " | Once you have found one or more of these pairs then right-click the packets going to the client that you want within Wireshark and " | ||
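Review bot: this hunk lowercases "ARP response" to "arp response" in the 506 bullet, but the page elsewhere uses "ARP request" (for example in "we are looking for an ARP request to the client"); pick one spelling and apply it throughout rather than per hunk. In the 504 bullet, "sends an arp response to wireless workstation" is missing "the". The right-hand version of the "Number 503 is better" paragraph is cut off in this view after "each one you inject"; make sure the explanation that the two packets are the client's reply to the AP and the AP's retransmission to the wireless workstation survives, since that is the reason 503 doubles the capture rate.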
Line 133: | Line 138: | ||
Restart your packet capture if it not still going: | Restart your packet capture if it not still going: | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
+ | Be sure NOT to use the " | ||
+ | |||
Now use interactive replay in a second separate session: | Now use interactive replay in a second separate session: | ||
aireplay-ng -2 -r dsarprequests.cap ath0 | aireplay-ng -2 -r dsarprequests.cap ath0 | ||
- | You are now sending the ARP requests from your PC to the client directly, not through the access point. | + | You are now sending the ARP requests from your PC to the client directly, not through the access point. |
===Scenario Two - Interactively pulling packets from live communication=== | ===Scenario Two - Interactively pulling packets from live communication=== | ||
- | In this scenario we are going do the capture and injection in real time. | + | In this scenario we are going do the capture and injection in real time. The objective is to select an arp request for a wireless client going to the client. |
First, start capturing packets going to/from the access point in question. | First, start capturing packets going to/from the access point in question. | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
Now start a separate second session to interactively capture and replay packets: | Now start a separate second session to interactively capture and replay packets: | ||
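Review bot: two grammar slips in the retained context of this hunk: "Restart your packet capture if it not still going" should be "if it is not still running", and "In this scenario we are going do the capture" should be "going to do". The added warning line beginning `Be sure NOT to use the "` is the kind of caveat this page needs (it is cut off in this view), but it sits between the airodump-ng command and the aireplay-ng command with no blank line before it, so in DokuWiki it will run together with the preceding command line; keep the blank line that follows it before it as well.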
Line 185: | Line 192: | ||
Use this packet ? | Use this packet ? | ||
- | Remember, you may need to try a few packets to get it work. The ARP must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key. | + | Remember, the objective is to select an arp request for a wireless client going to the client. |
=== Scenario Three - Creating a packet from a chopchop replay attack === | === Scenario Three - Creating a packet from a chopchop replay attack === | ||
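Review bot: the removed sentence ended with "Once you are successfully injecting packets, start aircrack-ng to determine the WEP key", which is the step that actually closes Scenario Two; the replacement visible here only restates the objective and is cut off, so confirm that the aircrack-ng step is still stated somewhere for this scenario (or move it into one closing sentence shared by all three scenarios). If any of the old wording is kept, "to get it work" should be "to get it to work".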
Line 195: | Line 202: | ||
Run " | Run " | ||
- | Change the -h to be the MAC address of a client | + | Change the -h to be the MAC address of a client |
Although this example is an arp request, as mentioned above, you should try to pick a packet to or from the workstation. | Although this example is an arp request, as mentioned above, you should try to pick a packet to or from the workstation. | ||
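Review bot: "Change the -h to be the MAC address of a client" is cut off here, and the following unchanged sentence, "you should try to pick a packet to or from the workstation", is looser than the rest of the page, which consistently asks for a packet addressed to a wireless client; say "to or from the wireless client" so the chopchop scenario uses the same terminology as Scenarios One and Two.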
Line 287: | Line 294: | ||
Now we have the wireless workstation IP and use the xor file above to create an ARP packet. | Now we have the wireless workstation IP and use the xor file above to create an ARP packet. | ||
- | However, So if you are using 0.8 then the correct command is: | + | However, So if you are using 0.9 then the correct command is: |
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
* -a 00: | * -a 00: | ||
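Review bot: "However, So if you are using 0.9 then the correct command is:" carries the "However, So" run over from the previous revision; since this hunk only bumps the version number, fix it at the same time to "If you are using 0.9, the correct command is:". The preceding context sentence, "Now we have the wireless workstation IP and use the xor file above", should read "Now that we have the wireless workstation IP, use the xor file above".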
Line 302: | Line 309: | ||
The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | ||
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
After creating the packet, use tcpdump to review it from a sanity point of view. See below. | After creating the packet, use tcpdump to review it from a sanity point of view. See below. | ||
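Review bot: this hunk keeps a packetforge-ng command that is "correct for version 0.6.2", with -k and -l deliberately reversed, right after the 0.9 command, while the assumptions at the top of the page now tell the reader to use 0.9 or 1.0. Two near-identical commands with swapped addresses invite copy-pasting the wrong one; either drop the 0.6.2 variant or put the "0.6.2 only, do not use with 0.9/1.0" note before the command rather than after it. Also "where by" should be "whereby".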
Line 312: | Line 319: | ||
Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | ||
- | Decrypt the packet: airdecap-ng -e teddy -w <put your WEP key here> arpforge.cap | + | Decrypt the packet: |
- | View the decrypted packet: tcpdump -n -r arpforge-dec.cap | + | |
+ | airdecap-ng -e teddy -w <put your WEP key here> arpforge.cap | ||
+ | |||
+ | View the decrypted packet: | ||
+ | |||
+ | tcpdump -n -r arpforge-dec.cap | ||
It should be something like: | It should be something like: | ||
+ | |||
reading from file arpforge-dec.cap, | reading from file arpforge-dec.cap, | ||
16: | 16: | ||
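Review bot: splitting the airdecap-ng and tcpdump commands onto their own lines is an improvement, but the sanity check is only `tcpdump -n -r arpforge-dec.cap`, which prints the ARP sender/target addresses and not the link-layer MACs; since the forged packet is only useful if the -a/-h/-k/-l values are right, use `tcpdump -n -e -r arpforge-dec.cap` so the source and destination MACs are printed and can be compared with the values given to packetforge-ng. The airdecap-ng line should also say that -w takes the WEP key in hex, since the placeholder `<put your WEP key here>` does not.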
Line 340: | Line 354: | ||
* It does not support prism chipsets | * It does not support prism chipsets | ||
* Atheros chipsets: | * Atheros chipsets: | ||
- | * It does work smoothly with ralink | + | * It sometimes |
- | * Keep an eye on the forms for more compatibility information. | + | * It supports Broadcom |
+ | * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack. | ||
+ | * Keep an eye on the forums | ||
Here is the command to run: | Here is the command to run: |
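Review bot: "Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack" names neither the patch nor the kernel or aircrack-ng version it applies to, so a reader cannot act on it and "currently" will go stale without anyone noticing; give the patch name or link and the version it was tested with. The replaced ralink bullet now begins "It sometimes" (cut off here); whatever qualification follows, state the condition under which it works rather than leaving it as "sometimes".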
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x