how_to_crack_wep_via_a_wireless_client
Differences
This shows you the differences between two versions of the page.
how_to_crack_wep_via_a_wireless_client [2007/05/16 19:26] – updated to reflect the 0.9 changes darkaudax | how_to_crack_wep_via_a_wireless_client [2018/03/11 20:17] (current) – Removed link to trac mister_x | ||
Line 1: | Line 1: | ||
====== Tutorial: | ====== Tutorial: | ||
- | Version: 1.14 May 16, 2007 \\ | + | Version: 1.17 September 11, 2009 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
\\ | \\ | ||
File linked to this tutorial: [[http:// | File linked to this tutorial: [[http:// | ||
+ | |||
===== Introduction ===== | ===== Introduction ===== | ||
- | There has been a lot of discussion over time of how to use a wireless client workstation to generate packets to crack WEP instead of the wireless access point itself. This tutorial describes four approaches with examples of how to do this. The examples provided are from from real working equipment, not theory. | + | There has been a lot of discussion over time of how to use a wireless client workstation to generate packets to crack WEP instead of the wireless access point itself. This tutorial describes four approaches with examples of how to do this. The examples provided are from real working equipment, not theory. |
The basic idea is to have the wireless client workstation generate data packets with IVs which we can use to crack the WEP key. Normally we have the access point itself generate the data packets with IVs. So why would you need to leverage a wireless client workstation instead of the access point? Here are just a few of the reasons: | The basic idea is to have the wireless client workstation generate data packets with IVs which we can use to crack the WEP key. Normally we have the access point itself generate the data packets with IVs. So why would you need to leverage a wireless client workstation instead of the access point? Here are just a few of the reasons: | ||
Line 17: | Line 18: | ||
* You are within range of a client but not the access point itself | * You are within range of a client but not the access point itself | ||
- | I would like to acknowledge and thank the aircrack-ng team for producing such a great robust tool. And also acknowledge the many other people who came up with the ideas and techniques described in this tutorial. | + | I would like to acknowledge and thank the Aircrack-ng Team for producing such a great robust tool. And also acknowledge the many other people who came up with the ideas and techniques described in this tutorial. |
Please send me any constructive feedback, positive or negative. | Please send me any constructive feedback, positive or negative. | ||
===== Solution ===== | ===== Solution ===== | ||
+ | |||
====Assumptions used in this tutorial==== | ====Assumptions used in this tutorial==== | ||
Line 30: | Line 32: | ||
* You are physically close enough to the client to send packets to them and receive packets from them. | * You are physically close enough to the client to send packets to them and receive packets from them. | ||
* You have Wireshark installed and working. | * You have Wireshark installed and working. | ||
- | * You are using the aircrack-ng stable version of 0.9. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. | + | * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0. This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses. |
- | + | ||
- | In the examples, the option " | + | |
====Equipment used==== | ====Equipment used==== | ||
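Review bot: the revised assumption still attributes the swapped -k/-l bug in 0.6.2 to aireplay-ng, while the Scenario Three text at Line 306 describes the same -k/-l reversal as a property of the packetforge-ng command shown there; the two passages should name the same tool. Whichever is correct, state it once here and refer back to it from Scenario Three rather than describing the bug twice.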
Line 48: | Line 48: | ||
Operating System: Linux \\ | Operating System: Linux \\ | ||
MAC address: does not matter | MAC address: does not matter | ||
+ | Wireless interface used: ath0 | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Ethernet wired Workstation=== | ===Ethernet wired Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
===Wireless Workstation=== | ===Wireless Workstation=== | ||
- | Operation | + | Operating |
MAC address: 00: | MAC address: 00: | ||
+ | |||
+ | |||
Line 81: | Line 84: | ||
First, capture packets going to/from the access point in question. | First, capture packets going to/from the access point in question. | ||
- | | + | |
You need one or more wireless clients active while you are doing this capture. | You need one or more wireless clients active while you are doing this capture. | ||
Line 135: | Line 138: | ||
Restart your packet capture if it not still going: | Restart your packet capture if it not still going: | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
- | Be sure not to use the "- -ivs" option since you will later use the PTW method to crack the WEP key. | + | Be sure NOT to use the "-'''' |
Now use interactive replay in a second separate session: | Now use interactive replay in a second separate session: | ||
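Review bot: "Restart your packet capture if it not still going" is missing a verb and should read "if it is not still going". The rationale the new line gives for avoiding "--ivs" is sound (the PTW method needs the full captured frames, not only the IVs), so it is worth keeping that explanation rather than just the capitalised NOT; the '''' separator inserted to stop DokuWiki rendering "--" as a dash is fine but is not applied to "--channel" and "--bssid" on the command line above, so confirm those render literally as well.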
Line 148: | Line 151: | ||
===Scenario Two - Interactively pulling packets from live communication=== | ===Scenario Two - Interactively pulling packets from live communication=== | ||
- | In this scenario we are going do the capture and injection in real time. | + | In this scenario we are going do the capture and injection in real time. The objective is to select an arp request for a wireless client going to the client. |
First, start capturing packets going to/from the access point in question. | First, start capturing packets going to/from the access point in question. | ||
- | airodump-ng - -channel 9 - -bssid 00: | + | airodump-ng --channel 9 --bssid 00: |
Now start a separate second session to interactively capture and replay packets: | Now start a separate second session to interactively capture and replay packets: | ||
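Review bot: "we are going do the capture" is missing "to" and was carried over unchanged from the old revision; the new objective sentence also reads awkwardly ("an arp request for a wireless client going to the client"). Suggest: "In this scenario we are going to do the capture and injection in real time. The objective is to select an ARP request whose destination is the wireless client."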
Line 189: | Line 192: | ||
Use this packet ? | Use this packet ? | ||
- | Remember, you may need to try a few packets to get it work. The ARP must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key. | + | Remember, the objective is to select an arp request for a wireless client going to the client. |
=== Scenario Three - Creating a packet from a chopchop replay attack === | === Scenario Three - Creating a packet from a chopchop replay attack === | ||
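Review bot: the replacement sentence repeats the objective already stated in the Scenario Two introduction, and the visible portion drops two instructions the old text carried: that several packets may need to be tried before injection works, and that aircrack-ng should be started once packets are being injected successfully. If those were not moved elsewhere in the revision, restore them after the objective sentence.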
Line 195: | Line 198: | ||
We first need to generate the xor file. This file gives us the ability to create new encrypted packets for injection. | We first need to generate the xor file. This file gives us the ability to create new encrypted packets for injection. | ||
- | You run the following command and select a packet which is a decent size. It has to be larger then the ARP packet we want to create. So pick something like 86 or more bytes. As well we need to determine the IP address of the wireless workstation we are targeting. So pick a packet with a source or destination MAC address of the workstation. The reason for this is will later use tcpdump to look at the decrypted packet and obtain the IP address. | + | You run the following command and select a packet which is a decent size. It has to be larger then the ARP packet we want to create. So pick something like 86 or more bytes. As well we need to determine the IP address of the wireless workstation we are targeting. So pick a packet with a source or destination MAC address of the workstation. The reason for this is that we will later use tcpdump to look at the decrypted packet and obtain the IP address. |
Run " | Run " | ||
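Review bot: "larger then the ARP packet" should read "larger than the ARP packet"; the sentence was otherwise corrected ("that we will later use tcpdump") but this typo survived. "As well we need to determine" would read more naturally as "We also need to determine".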
Line 293: | Line 296: | ||
However, So if you are using 0.9 then the correct command is: | However, So if you are using 0.9 then the correct command is: | ||
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
* -a 00: | * -a 00: | ||
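Review bot: "However, So if you are using 0.9" has a stray "However," left over from an earlier edit; drop it so the line reads "So if you are using 0.9 then the correct command is:". Given the assumptions now name 0.9 and the 1.0 development version, this is the command most readers will use, so it could also be presented first, ahead of the 0.6.2 variant.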
Line 306: | Line 309: | ||
The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | The command example below is correct for version 0.6.2 for what we want to do. There was a bug in version 0.6.2 where by -k and -l parameters were reversed. | ||
- | packetforge-ng - -arp -a 00: | + | packetforge-ng --arp -a 00: |
After creating the packet, use tcpdump to review it from a sanity point of view. See below. | After creating the packet, use tcpdump to review it from a sanity point of view. See below. | ||
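Review bot: "where by" should be one word, "whereby". More importantly, the assumptions section now states that readers are on 0.9 or the 1.0 development version, so a command kept specifically for the 0.6.2 -k/-l reversal no longer matches any supported configuration; either label this block clearly as legacy for 0.6.2 only or remove it to avoid readers copying a command with reversed IP arguments.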
Line 351: | Line 354: | ||
* It does not support prism chipsets | * It does not support prism chipsets | ||
* Atheros chipsets: | * Atheros chipsets: | ||
- | * It sometimes does work smoothly with ralink. | + | * It sometimes does not work smoothly with ralink. |
- | * Keep an eye on the forms for more compatibility information. | + | * It supports Broadcom chipsets only with the b43/ |
+ | * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack. | ||
+ | * Keep an eye on the forums | ||
Here is the command to run: | Here is the command to run: |
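Review bot: the change from "does work smoothly" to "does not work smoothly" for Ralink inverts the meaning and is clearly a correction, so it deserves a mention in the version line rather than a silent edit. The new statement that mac80211-based drivers "currently require a patch" is time-bound: record the kernel or driver version and the date it applies to, otherwise readers cannot tell when the caveat has become stale. The "forms" to "forums" fix is good.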
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x