newbie_guide

Differences

This shows you the differences between two versions of the page.

newbie_guide [2009/08/14 18:35] – use dokuwiki internal links mister_x
newbie_guide [2009/09/26 19:52] – Fixed typos darkaudax
Line 15: Line 15:
 Needless to say, you need a wireless card which is compatible with the aircrack-ng suite.  This is hardware which is fully compatible and can inject packets.  A compatible wireless card can be used to crack a wireless access point in under an hour. Needless to say, you need a wireless card which is compatible with the aircrack-ng suite.  This is hardware which is fully compatible and can inject packets.  A compatible wireless card can be used to crack a wireless access point in under an hour.
  
-To determine to which category your card belongs to, see [[compatibility_drivers|hardware compatibility page]]. Read [[compatible_cards|Tutorial: Is My Wireless Card Compatible?]] if you don't know where to look in this table.  It still does not hurt to read this tutorial to build your knowledge and confirm your card attibutes.+To determine to which category your card belongs to, see [[compatibility_drivers|hardware compatibility page]]. Read [[compatible_cards|Tutorial: Is My Wireless Card Compatible?]] if you don't know where to look in this table.  It still does not hurt to read this tutorial to build your knowledge and confirm your card attributes.
  
 First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph.  The [[compatibility_drivers#drivers|drivers section]] will tell you which drivers you need for your specific chipset.  Download them and then get the corresponding patch from http://patches.aircrack-ng.org. (These patches enables the support for injection.) First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph.  The [[compatibility_drivers#drivers|drivers section]] will tell you which drivers you need for your specific chipset.  Download them and then get the corresponding patch from http://patches.aircrack-ng.org. (These patches enables the support for injection.)
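Review bot: the parenthetical at the end of this hunk's last paragraph still has a subject-verb agreement error on both sides of the comparison: "(These patches enables the support for injection.)" should read "(These patches enable support for injection.)". Since this revision is a typo pass, it is worth fixing here as well.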
Line 148: Line 148:
 ^ PWR          | Signal strength. Some drivers don't report it  | ^ PWR          | Signal strength. Some drivers don't report it  |
 ^ Beacons      | Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality | ^ Beacons      | Number of beacon frames received. If you don't have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality |
-^ Data         | Number of data frames recieved   |+^ Data         | Number of data frames received   |
 ^ CH           | Channel the AP is operating on   | ^ CH           | Channel the AP is operating on   |
 ^ MB           | Speed or AP Mode. 11 is pure 802.11b, 54 pure 802.11g. Values between are a mixture  | ^ MB           | Speed or AP Mode. 11 is pure 802.11b, 54 pure 802.11g. Values between are a mixture  |
Line 242: Line 242:
 Now you have to wait for an ARP packet to arrive. Usually you'll have to wait for a few minutes (or look at the next chapter). Now you have to wait for an ARP packet to arrive. Usually you'll have to wait for a few minutes (or look at the next chapter).
  
-If you were successfull, you'll see something like this:+If you were successful, you'll see something like this:
  
   Saving ARP requests in replay_arp-0627-121526.cap   Saving ARP requests in replay_arp-0627-121526.cap
Line 253: Line 253:
 When using the arp injection technique, you can use the PTW method to crack the WEP key.  This dramatically reduces the number of data packets you need and also the time needed.  You must capture the full packet in airodump-ng, meaning do not use the "-''''-ivs" option when starting it.  For [[aircrack-ng]], use "aircrack -z <file name>". (PTW is the default attack in 1.0-rc1.) When using the arp injection technique, you can use the PTW method to crack the WEP key.  This dramatically reduces the number of data packets you need and also the time needed.  You must capture the full packet in airodump-ng, meaning do not use the "-''''-ivs" option when starting it.  For [[aircrack-ng]], use "aircrack -z <file name>". (PTW is the default attack in 1.0-rc1.)
  
-If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received contiously again. Better positioning of your antenna usually also helps.+If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x <packets per second> option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps.
  
 ==== The aggressive way ==== ==== The aggressive way ====
  
-Most operating sytems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID and possibly a keystream during reconnection too. This comes in handy if the ESSID of your target is hidden, or if it uses shared-key authentication.+Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID and possibly a keystream during reconnection too. This comes in handy if the ESSID of your target is hidden, or if it uses shared-key authentication.
  
 Keep your airodump-ng and aireplay-ng running. Open another window and run a [[deauthentication]] attack: Keep your airodump-ng and aireplay-ng running. Open another window and run a [[deauthentication]] attack:
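Review bot: the paragraph that corrects "contiously" still contains the wrong modal in "you maybe have to reduce the replay-rate"; it should be "you may have to reduce the replay rate". In the unchanged paragraph above it, the command is given as "aircrack -z <file name>" while the link text and the rest of the guide call the tool aircrack-ng; confirm the intended command name so readers are not pointed at a binary that is named differently from the suite.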
newbie_guide.txt · Last modified: 2018/11/21 23:31 by mister_x