newbie_guide

Differences

This shows you the differences between two versions of the page.

newbie_guide [2018/11/21 23:27]
mister_x [Discovering Networks] Refresh and fixes/improvements
newbie_guide [2018/11/21 23:31] (current)
mister_x [Further tools and information] updated
Line 119: Line 119:
 Because of the channel hopping you won't capture all packets from your target net. So we want to listen just on one channel and additionally write all data to disk to be able to use it for cracking: Because of the channel hopping you won't capture all packets from your target net. So we want to listen just on one channel and additionally write all data to disk to be able to use it for cracking:
  
-  airodump-ng -c 11 --bssid 00:​01:​02:​03:​04:​05 -w dump rausb0+  airodump-ng -c 11 --bssid 00:​01:​02:​03:​04:​05 -w dump wlan0mon
  
 With the -c parameter you tune to a channel and the parameter after -w is the prefix to the network dumps written to disk.  The "​-''''​-bssid"​ combined with the AP MAC address limits the capture to the one AP.  The "​-''''​-bssid"​ option is only available on new versions of airodump-ng. With the -c parameter you tune to a channel and the parameter after -w is the prefix to the network dumps written to disk.  The "​-''''​-bssid"​ combined with the AP MAC address limits the capture to the one AP.  The "​-''''​-bssid"​ option is only available on new versions of airodump-ng.
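Review bot: the unchanged explanation after the command still says the --bssid option "is only available on new versions of airodump-ng", which is the same kind of stale version qualifier this revision removes in the Line 200 hunk ("in 1.0-rc1"); either drop that sentence here as well or state the version that introduced the option, so the interface rename to wlan0mon does not leave outdated text beside a refreshed command.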
Line 151: Line 151:
 Try to connect to your AP using [[aireplay-ng]]:​ Try to connect to your AP using [[aireplay-ng]]:​
  
-  aireplay-ng --fakeauth 0 -e "your network ESSID" -a 00:​01:​02:​03:​04:​05 ​rausb0+  aireplay-ng --fakeauth 0 -e "your network ESSID" -a 00:​01:​02:​03:​04:​05 ​wlan0mon
  
 The value after -a is the BSSID of your AP. The value after -a is the BSSID of your AP.
Line 185: Line 185:
 Wait for a client to show up on the target network. Then start the attack: Wait for a client to show up on the target network. Then start the attack:
  
-  aireplay-ng --arpreplay -b 00:​01:​02:​03:​04:​05 -h 00:​04:​05:​06:​07:​08 ​rausb0+  aireplay-ng --arpreplay -b 00:​01:​02:​03:​04:​05 -h 00:​04:​05:​06:​07:​08 ​wlan0mon
  
 -b specifies the target BSSID, -h the MAC of the connected client. -b specifies the target BSSID, -h the MAC of the connected client.
Line 200: Line 200:
 the -r <​filename>​ option. the -r <​filename>​ option.
  
-When using the arp injection technique, you can use the PTW method to crack the WEP key.  This dramatically reduces the number of data packets you need and also the time needed. ​ You must capture the full packet in airodump-ng,​ meaning do not use the "​-''''​-ivs"​ option when starting it.  For [[aircrack-ng]],​ use "​aircrack -z <file name>"​. (PTW is the default attack ​in 1.0-rc1.)+When using the ARP injection technique, you can use the PTW method to crack the WEP key.  This dramatically reduces the number of data packets you need and also the time needed. ​ You must capture the full packet in airodump-ng,​ meaning do not use the "​-''''​-ivs"​ option when starting it.  For [[aircrack-ng]],​ use "​aircrack -z <file name>"​. (PTW is the default attack)
  
 If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps. If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps.
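Review bot: "aircrack -z <file name>" names the wrong binary; the link immediately before it is [[aircrack-ng]], so the command should read "aircrack-ng -z <file name>". Since the parenthetical now states that PTW is the default attack, the -z flag is redundant and the sentence could simply say to run aircrack-ng on the capture file, or mark -z as optional, rather than leaving a flag the text itself says is no longer needed.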
Line 210: Line 210:
 Keep your airodump-ng and aireplay-ng running. Open another window and run a [[deauthentication]] attack: Keep your airodump-ng and aireplay-ng running. Open another window and run a [[deauthentication]] attack:
  
-  aireplay-ng --deauth 5 -a 00:​01:​02:​03:​04:​05 -c 00:​04:​05:​06:​07:​08 ​rausb0+  aireplay-ng --deauth 5 -a 00:​01:​02:​03:​04:​05 -c 00:​04:​05:​06:​07:​08 ​wlan0mon
  
 -a is the BSSID of the AP, -c the MAC of the targeted client. -a is the BSSID of the AP, -c the MAC of the targeted client.
  
-Wait a few seconds and your arp replay should start running.+Wait a few seconds and your ARP replay should start running.
  
-Most clients try to reconnect automatically. But the risk that someone recognizes this attack or at least attention is drawn to the stuff happening on the WLAN is higher +Most clients try to reconnect automatically. But the risk that someone recognizes this attack or at least attention is drawn to the stuff happening on the WLAN is higher than with other attacks.
-than with other attacks.+
  
  
  
 ====== Further tools and information ====== ====== Further tools and information ======
-[[https://​www.tuto-fr.com/​tutoriaux/​crack-wep/​aircrack-ng.php|Tutorial in french for aircrack-ng]] [[https://​www.tuto-fr.com/​en/​tutorial/​tutorial-crack-wep-aircrack.php|or in english]]+ 
 +More tutorials can be found on [[tutorial|this page]].
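Review bot: replacing the two tuto-fr.com links (French and English WEP walkthroughs) with a single pointer to [[tutorial|this page]] drops the only direct reference to those tutorials; unless the tutorial index page already lists them, add them there before this change lands so the reference is not lost. The rest of the hunk (rausb0 to wlan0mon, "arp" to "ARP", and joining the split sentence "...is higher than with other attacks.") is consistent with the earlier hunks.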
newbie_guide.1542839227.txt.gz · Last modified: 2018/11/21 23:27 by mister_x