wpa_migration_mode
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
wpa_migration_mode [2010/08/11 17:32] – lmeiners | wpa_migration_mode [2018/03/11 20:19] (current) – Removed link to trac mister_x | ||
---|---|---|---|
Line 13: | Line 13: | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | I would like to acknowledge and thank the [[http:// | + | I would like to acknowledge and thank the Aircrack-ng team team for producing such a great robust tool, and darkAudax for writing the tutorials which we used as a basis. |
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
Line 56: | Line 56: | ||
http:// | http:// | ||
- | === Step 1 - Start the wireless interface in monitor mode on AP channel === | + | ==== Step 1 - Start the wireless interface in monitor mode on AP channel |
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. | The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. | ||
Line 92: | Line 92: | ||
Retry long limit: | Retry long limit: | ||
Power Management: | Power Management: | ||
- | |||
</ | </ | ||
In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | ||
- | To match the frequency to the channel, check out: http://www.rflinx.com/help/calculations/# | + | To match the frequency to the channel, check out: http://www.cisco.com/en/US/ |
- | === Step 2 - Start airodump-ng to capture the IVs === | + | ==== Step 2 - Start airodump-ng to capture the IVs ==== |
The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point. | The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point. | ||
Line 128: | Line 127: | ||
</ | </ | ||
- | === Step 3 - Use aireplay-ng to do a fake authentication with the access point === | + | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== |
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. | In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. | ||
Line 159: | Line 158: | ||
If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly. | If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly. | ||
- | === Step 4 - Start aireplay-ng in WPA Migration Mode attack mode === | + | ==== Step 4 - Start aireplay-ng in WPA Migration Mode attack mode ==== |
The purpose of this step is to start aireplay-ng in a mode which attacks Cisco Aironet access points configured in WPA Migration Mode. | The purpose of this step is to start aireplay-ng in a mode which attacks Cisco Aironet access points configured in WPA Migration Mode. | ||
Line 172: | Line 171: | ||
It will start listening for ARP requests and when it hears one, aireplay-ng will bitflip it and immediately start to inject it. | It will start listening for ARP requests and when it hears one, aireplay-ng will bitflip it and immediately start to inject it. | ||
- | < | + | |
Here is what the screen looks like when ARP requests are being injected: | Here is what the screen looks like when ARP requests are being injected: | ||
+ | < | ||
12: | 12: | ||
Saving ARP requests in replay_arp-0811-121752.cap | Saving ARP requests in replay_arp-0811-121752.cap | ||
Line 187: | Line 187: | ||
- | === Step 5 - Run aircrack-ng to obtain the WEP key === | + | ==== Step 5 - Run aircrack-ng to obtain the WEP key ==== |
The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. | The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. |
wpa_migration_mode.txt · Last modified: 2018/03/11 20:19 by mister_x