User Tools

Site Tools


shared_key

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Last revisionBoth sides next revision
shared_key [2007/06/25 17:33] darkaudaxshared_key [2010/11/20 23:53] – typo sleek
Line 1: Line 1:
 ====== Tutorial: How to do shared key fake authentication ? ====== ====== Tutorial: How to do shared key fake authentication ? ======
-Version: 1.06 June 252007\\+Version: 1.08 November 72008\\
 By: darkAudax By: darkAudax
  
-File linked to this tutorial: [[http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap|shared.key.authentication.cap]] +File linked to this tutorial: [[http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap|wep.shared.key.authentication.cap]]
  
 ===== Introduction ===== ===== Introduction =====
Line 18: Line 17:
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
  
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org|Aircrack-ng team]] for producing such a great robust tool. +I would like to acknowledge and thank the [[http://trac.aircrack-ng.org/wiki/Team|Aircrack-ng team]] for producing such a great robust tool. 
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
Line 31: Line 30:
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
- 
-In the examples, the option "double dash bssid" is shown as "- -bssid" Remember to remove the space between the two dashes when using it in real life. 
  
 ===== Equipment used ===== ===== Equipment used =====
Line 61: Line 58:
 ==== Solution Overview ==== ==== Solution Overview ====
  
-In order to do a shared key fake authentication, you need to have a PRGA (pseudo random genration algorithm) xor file to feed into it.  We will look at the detailed steps to obtain this in a typical scenario.  Then use the PRGA xor file to do a fake authentication.+In order to do a shared key fake authentication, you need to have a PRGA (pseudo random generation algorithm) xor file to feed into it.  We will look at the detailed steps to obtain this in a typical scenario.  Then use the PRGA xor file to do a fake authentication.
  
 Here are the basic steps we will be going through: Here are the basic steps we will be going through:
Line 110: Line 107:
 In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
-To match the frequency to the channel, check out: +To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 .  This will give you the frequency for each channel.
-http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.  This will give you the frequency for each channel.+
  
 === Troubleshooting Tips === === Troubleshooting Tips ===
Line 122: Line 118:
 Open another console session to capture the PRGA xor file.  Then enter: Open another console session to capture the PRGA xor file.  Then enter:
  
-  airodump-ng -c 9 - -bssid 00:14:6C:7E:40:80 -w sharedkey ath0+  airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w sharedkey ath0
  
 Where: Where:
   *-c 9 is the channel for the wireless network   *-c 9 is the channel for the wireless network
-  *- -bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic.+  *-''''-bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic.
   *-w sharedkey is file name prefix for the file which will contain the PRGA xor data.   *-w sharedkey is file name prefix for the file which will contain the PRGA xor data.
   *ath0 is the interface name.   *ath0 is the interface name.
  
-Beyond the error message shown in the introduction, how do you determine if shared key authentication is required?  In the screen below, notice the "PSK" for the AP under CIPHER.  This means it is using shared key authentication.  This will not show up until a client has successfully associated with the AP.+Beyond the error message shown in the introduction, how do you determine if shared key authentication is required?  In the screen below, notice the "SKA" for the AP under AUTH.  This means it is using shared key authentication.  This will not show up until a client has successfully associated with the AP.
  
     CH  9 ][ Elapsed: 20 s ][ 2007-02-10 16:29      CH  9 ][ Elapsed: 20 s ][ 2007-02-10 16:29 
Line 136: Line 132:
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                                                                                                                                                    
-    00:14:6C:7E:40:80   37 100      197        9    0    11  WEP  WEP    PSK  teddy                            +    00:14:6C:7E:40:80   37 100      197        9    0    11  WEP  WEP    SKA  teddy                            
                                                                                                                                                                                                                                    
     BSSID              STATION            PWR  Lost  Packets  Probes                                                  BSSID              STATION            PWR  Lost  Packets  Probes                                             
Line 142: Line 138:
     00:14:6C:7E:40:80  00:0F:B5:34:30:30   61            7            00:14:6C:7E:40:80  00:0F:B5:34:30:30   61            7       
  
-Once "PSK" appears on the airodump-ng screen, do  file listing and it will look something like:+Once "SKA" appears on the airodump-ng screen like in example above, do  file listing and it will look something like:
  
    sharedkey-01-00-14-6C-7E-40-80.xor  sharedkey-01.cap  sharedkey-01.txt    sharedkey-01-00-14-6C-7E-40-80.xor  sharedkey-01.cap  sharedkey-01.txt
  
-The "sharedkey-01-00-14-6C-7E-40-80.xor" file contains the PRGA xor bits that can be used in a later step to successfully complete the fake authentication.  The sample [[http://download.aircrack-ng.org/wiki-files/other/shared.key.authentication.cap|shared key authentication file]] can be viewed with WireShark to see what the packet exchange looks like.  You can compare this to your own captures to determine if you are missing packets.+The "sharedkey-01-00-14-6C-7E-40-80.xor" file contains the PRGA xor bits that can be used in a later step to successfully complete the fake authentication.  The sample [[http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap|wep.shared key authentication file]] can be viewed with WireShark to see what the packet exchange looks like.  You can compare this to your own captures to determine if you are missing packets.
  
 In real life, you will not likely be that lucky and happen to be sniffing when a wireless client associates with the access point yielding the PRGA xor file.  To obtain the PRGA xor bit file, there are two basic methods: In real life, you will not likely be that lucky and happen to be sniffing when a wireless client associates with the access point yielding the PRGA xor file.  To obtain the PRGA xor bit file, there are two basic methods:
Line 164: Line 160:
 Where: Where:
   * -0 means deauthentication   * -0 means deauthentication
-  * 1 is the number of deauths to send (you can send muliple if you wish)+  * 1 is the number of deauths to send (you can send multiple if you wish)
   * -a 00:14:6C:7E:40:80 is the MAC address of the access point   * -a 00:14:6C:7E:40:80 is the MAC address of the access point
   * -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing   * -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
Line 173: Line 169:
    11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]    11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]
  
-Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier "airodump-ng -c 9 - -bssid 00:14:6C:7E:40:80 -w sharedkey ath0".+Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier "airodump-ng -c 9 -''''-bssid 00:14:6C:7E:40:80 -w sharedkey ath0".
  
 Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file.  If not, try another deauthentication or against another client. Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file.  If not, try another deauthentication or against another client.
shared_key.txt · Last modified: 2018/03/11 20:19 by mister_x