ipw2200_generic

Differences

ipw2200_generic [2007/08/29 18:41] drioipw2200_generic [2008/05/09 23:54] – Make the text a bit more English. netrolller3d
Line 109: Line 109:
  
        # ifconfig eth1 up hw ether 00:11:22:33:44:55        # ifconfig eth1 up hw ether 00:11:22:33:44:55
 +
  
  
Line 119: Line 120:
        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed        # iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed
  
-Due to some limitations with the firmware we have to force a fakekey and set managed mode to ensure the airdump-ng tools work properly.+Due to some limitations with the firmware we have to force a fakekey and set managed mode to ensure the aircrack-ng tools work properly.
  
 ESSID is the name of the wireless network of our target AP. Channel is the wireless channel. ESSID is the name of the wireless network of our target AP. Channel is the wireless channel.
 +
  
  
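Review bot: the typo fix ("airdump-ng" to "aircrack-ng") is right, since the sentence is about the whole suite, but "some limitations with the firmware" is still left unexplained; naming the limitation (which ipw2200 firmware versions are affected and what stops working without "key s:fakekey" and "mode managed") would make the claim checkable. It would also help to say that "s:fakekey" is a placeholder value, not the key of the network named by <ESSID>, since a reader could otherwise think it has to be filled in.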
Line 129: Line 131:
 In another window, we start collecting data: In another window, we start collecting data:
  
-       # airodump-ng --bssid <AP MAC> -w dump rtap0+       # airodump-ng -c <channel> --bssid <AP MAC> -w dump rtap0
  
 Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea Notice how we use rtap0 as a input interface. Also, all these commands we are going to be running generate output files. So it is a good idea
 to create a new directory and to run all of them from there. to create a new directory and to run all of them from there.
 +
 +As we said before, if you are running the latest version of airodump-ng, rtap0 will be created for you automatically in case you didn't before.
 +
  
  
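Review bot: the added "-c <channel>" must match the channel passed to "iwconfig eth1 essid <ESSID> channel <#>" earlier on the page, but the two lines use different placeholders ("<#>" and "<channel>"); use one placeholder, or say in the text that they are the same value. The new sentence about rtap0 being created for you "if you are running the latest version of airodump-ng" should state the version number, because "latest" stops being true as soon as the next release ships. In the unchanged context line, "a input interface" should read "an input interface".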
Line 139: Line 144:
 Now it is time to do some injection. In a new window we will launch the chopchop attack: Now it is time to do some injection. In a new window we will launch the chopchop attack:
  
-       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1+       # aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1
  
 Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop). Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop).
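Review bot: the removed and added aireplay-ng lines are character-for-character identical, so this is a whitespace-only change; harmless, but check that the indentation still matches the other command lines on the page so it keeps rendering as a code block.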
Line 148: Line 153:
 Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not  Make sure there are no errors reported after using aireplay. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not 
 vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine.
 +
 +If the attack fails, try to rerun the command again ommiting the "-h <AP MAC>" parameter.
 +
 +
 +
 +
 +
  
  
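Review bot: the added sentence tells the reader to omit the "-h <AP MAC>" parameter, but in the aireplay-ng command shown just above, "-h" carries 00:11:22:33:44:55, the address assigned to the card with "ifconfig eth1 up hw ether" on line 109, while the AP MAC is passed with "-a <AP MAC>"; rewrite it as "-h 00:11:22:33:44:55" (or "the -h source MAC parameter") so it cannot be confused with "-a". Also "ommiting" should be "omitting", and the five trailing empty "+" lines add only whitespace and can be dropped.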
Line 156: Line 168:
  
 Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP.  Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP. 
-They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP. This can be run  +If you use valid destination IPs then you will be running an [[arp_amplification|amplification attack]]. This can be run in the same window  
-in the same window we run the chopchop attack:+we run the chopchop attack:
        
-       # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request+     # packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request
  
  
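Review bot: the new wording drops the old guidance about what destination to pick ("The destination can be the gateway (router IP)...") and replaces it with a warning that a valid destination IP "will be running an amplification attack", so the reader is no longer told which choice this tutorial intends; the sample values 192.168.1.100 and 192.168.1.101 in the command are left unexplained either way. Confirm that the linked arp_amplification page exists so the link does not render as missing. The packetforge-ng line also lost two leading spaces (5 instead of 7), which makes it indent differently from every other command on the page, and "aquired keysteam" in the context line should be "acquired keystream".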
Line 176: Line 188:
  
  
- 
- 
-===== Wait to gather enough IVs ===== 
- 
-We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run airocrack-ng.  
-How many packages we need so airocrack-ng cracks the wep key? It depends. The version of  
-airocrack-ng that comes with backtrack2 is not the lastest one. There have been a lot of improvements in recent versions  
-that have reduced the number of IVs needed. In my experience, I have found 300k (data output) is more than enough. 
  
  
  
  
 +===== Wait to gather enough IVs =====
  
 +We have to wait now so airodump-ng gathers enough data (enough IVs) so we can run aircrack-ng. 
 +How many packages we need so aircrack-ng cracks the wep key? It depends. The version of 
 +aircrack-ng that comes with backtrack2 is not the latest one so we need around 1.000.000 of IVs.
 +If we are using the latest version (0.9 and up) 100.000 is enough.
  
  
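Review bot: the moved "Wait to gather enough IVs" section fixes "airocrack-ng", but the new figures "1.000.000" and "100.000" use dots as thousands separators, which read as decimals in English; write them as 1,000,000 and 100,000 (or 1M and 100k, matching the "300k" style of the removed sentence). "How many packages we need" should be "How many packets we need", and "around 1.000.000 of IVs" should drop "of". The old first-person observation ("In my experience, I have found 300k ... is more than enough") is removed rather than reconciled with the new numbers; if the two are meant to describe different versions, say so. The version threshold "0.9 and up" is also what decides whether the "-z" option in the later aircrack-ng hunk applies, so stating it once and referring back keeps both claims consistent. The surrounding empty "-" and "+" lines can go.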
Line 195: Line 204:
 In another window we launch: In another window we launch:
  
-      # aircrack-ng dump*.cap+      # aircrack-ng -z dump*.cap
  
 Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately. Depending the number of packages you have gathered, this may take some minutes or you may get the key inmediately.
 +The -z argument tells aircrack-nt to try a ptw attack also. If you version of aircrack-ng doesn't support it, just
 +ommit it.
  
 === NOTE: === === NOTE: ===
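Review bot: "aircrack-nt" in the added line is a typo for "aircrack-ng", "If you version" should be "If your version", and "ommit" should be "omit"; in the context line, "Depending the number of packages" should read "Depending on the number of packets" and "inmediately" should read "immediately". Since "-z" is now in the command itself, the reader would benefit from knowing before running it which version supports the option: the previous section already cites "0.9 and up" as the line where far fewer IVs are needed, so if that is the same release that added "-z", say so here instead of "If your version ... doesn't support it".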
ipw2200_generic.txt · Last modified: 2009/09/26 14:27 by darkaudax