Beginner's Guide to Aircrack-ng on Linux

Hi all. Before the start of the "Workshop on Kali Linux" course, we have prepared a translation of an interesting article for you.

Today's guide will walk you through the basics of getting started with the Aircrack-ng package. Of course, it is not possible to provide all the necessary information and cover every scenario, so be prepared to do your homework and research on your own. The forum and wiki contain many additional tutorials and other useful information.

Although it does not cover every step from start to finish, the Simple WEP Crack guide describes working with Aircrack-ng in detail.

Hardware setup, Aircrack-ng installation

The first step in getting Aircrack-ng to work correctly on your Linux system is patching and installing the appropriate driver for your network card. Many cards work with several drivers; some of those provide the functionality Aircrack-ng needs, others do not.

It goes without saying that you need a network card that is compatible with the Aircrack-ng package, that is, hardware that is fully supported and capable of packet injection. With a compatible network card, you can hack into a wireless access point in less than an hour.

To determine which category your card belongs to, see the hardware compatibility page. Read the tutorial "Is My Wireless Card Compatible?" if you do not know how to read the table. Even so, this should not stop you from reading this guide, which will help you learn something new and verify certain properties of your card.

First, you need to know which chipset your network card uses and which driver it needs; use the information from the paragraph above to determine this. The drivers section tells you which drivers you need.

Installing aircrack-ng

The latest version of aircrack-ng can be downloaded from the home page, or you can use a penetration testing distribution such as Kali Linux or Pentoo, which ships the latest version of Aircrack-ng.

To install aircrack-ng, refer to the documentation on the installation page.

Basics of IEEE 802.11

Okay, now that we're all set, it's time to stop before we get started and learn a few things about how wireless networks work.

The next part is important to understand so that you can work out what is going on when something does not behave as expected. Understanding how it all works will help you find the problem, or at least describe it correctly so that someone else can help you. This is where things get a little tricky, and you may be tempted to skip this part. However, hacking wireless networks requires a little knowledge; it is more than just typing one command and letting aircrack do everything for you.

How to find a wireless network

This part is a brief introduction to managed networks, which work with access points (APs). Each access point sends about 10 so-called beacon frames per second. These frames contain the following information:

  • Network name (ESSID);
  • Whether encryption is used (and what encryption is used, but note that this information may not be true just because the access point reports it);
  • What data rates are supported (in Mbit);
  • What channel is the network on.

This is the information displayed by whatever tool you use to connect to a particular network. It is shown when you let the card scan for networks with iwlist <interface> scan, and when you run airodump-ng.

Each access point has a unique MAC address (48 bits, six pairs of hexadecimal digits), for example 00:01:23:4A:BC:DE. Every network device has such an address, and network devices use these addresses to communicate with each other, so it is a kind of unique name. MAC addresses are unique: no two devices have the same MAC address.

Connecting to the network

There are several options for connecting to a wireless network. In most cases, Open System Authentication is used. (Optional: if you want to learn more about authentication, read this.)

Open System Authentication:

  1. The client requests authentication from the access point;
  2. The access point responds: OK, you are authenticated.
  3. The client requests association with the access point;
  4. The access point responds: OK, you are connected.

This is the simplest case, but problems arise when you do not have permission because:

  • WPA/WPA2 is used and you need EAPOL authentication. The access point will refuse at the second step.
  • The access point has a list of allowed clients (MAC addresses) and will not allow anyone else to connect. This is called MAC filtering.
  • The access point uses Shared Key Authentication, which means you need to provide the correct WEP key in order to connect. (See section "How to make fake shared key authentication?" to learn more about it)

Simple sniffing and hacking

Network discovery

The first thing to do is find a potential target. The aircrack-ng package provides airodump-ng for this, but you can use other programs, for example Kismet.

Before searching for networks, you must put your card into what is called "monitor mode". Monitor mode is a special mode that allows your computer to listen to network packets. It also allows injection, which we will cover later in this guide.

To put the network card into monitoring mode, use airmon-ng:

airmon-ng start wlan0

This creates another interface with "mon" appended to the name, so wlan0 becomes wlan0mon. To check that the network card is in monitor mode, run iwconfig and see for yourself.

Then, run airodump-ng to search for networks:

airodump-ng wlan0mon

If airodump-ng can connect to the WLAN device, you will see something like this:

[airodump-ng output screenshot]

airodump-ng hops from channel to channel and shows all access points from which it receives beacons. Channels 1 to 14 are used for the 802.11b and g standards (in the US only 1 to 11 are allowed; in Europe 1 to 13, with some exceptions; in Japan 1 to 14). 802.11a operates in the 5 GHz band, and its availability varies between countries more than in the 2.4 GHz band. In general, the known channels run from 36 (32 in some countries) to 64 (68 in some countries) and from 96 to 165. You can find more information about channel availability on Wikipedia. On Linux, allowing or denying transmission on particular channels for your country is handled by the Central Regulatory Domain Agent (CRDA); however, it must be configured accordingly.

The current channel is shown in the upper left corner. After a while, access points and (hopefully) some clients associated with them will appear.
The top block shows the discovered access points:

BSSID
MAC address of the access point

PWR
signal strength; some drivers do not report it

RXQ
receive quality, shown only when a single channel is selected

Beacons
number of beacons received; if you have no signal strength indicator, you can judge the signal by the beacon count: the more beacons, the better the signal

#Data
number of data frames received

CH
channel the access point operates on

MB
access point speed or mode: 11 is pure 802.11b, 54 is pure 802.11g, values in between are a mixture

ENC
encryption: OPN = no encryption, WEP = WEP encryption, WPA = WPA or WPA2, WEP? = WEP or WPA (not yet determined)

ESSID
network name, sometimes hidden

The bottom block shows discovered clients:

BSSID
MAC address of the access point this client is associated with

STATION
MAC address of the client

PWR
signal strength; some drivers do not report it

Packets
number of data frames received

Probes
network names (ESSIDs) this client has already probed for

Now you need to monitor the target network. It must have at least one client connected to it, as cracking networks without clients is a more advanced topic (see section How to crack WEP without clients). It must use WEP encryption and have a good signal. You may want to change the position of the antenna to improve signal reception. Sometimes a few centimeters can be decisive for signal strength.

In the example above there is a network with BSSID 00:01:02:03:04:05. It turned out to be the only possible target, since it is the only one with a client connected. It also has a good signal, so it is a good target for practice.

Sniffing Initialization Vectors

Because of channel hopping, you will not capture all packets from the target network. Therefore, we want to listen on only one channel and additionally write all the data to disk so that later we can use it for hacking:

airodump-ng -c 11 --bssid 00:01:02:03:04:05 -w dump wlan0mon

The -c parameter selects the channel, and the parameter after -w is the prefix for the network dumps written to disk. The --bssid flag, together with the MAC address of the access point, limits packet capture to that one access point. The --bssid flag is only available in newer versions of airodump-ng.
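Besides the .cap file, airodump-ng -w dump also writes a dump-01.csv summary of the access points and stations it saw. The following added example (not from the original article or the Aircrack-ng project) parses that CSV, here a constructed sample rather than a real capture, and lists every access point still running WEP or no encryption together with the clients associated to it, which is the check a network owner would run to find legacy APs in their own environment; the column names follow the airodump-ng CSV header.

```python
import csv
import io

def parse_airodump_csv(text: str):
    """Split an airodump-ng CSV into its two tables (access points, stations).

    airodump-ng separates the tables with a blank line; the last column of
    the station table ("Probed ESSIDs") may itself contain commas, so any
    surplus fields end up under the None key and are ignored here.
    """
    text = text.replace("\r\n", "\n").strip()
    ap_part, _, sta_part = text.partition("\n\n")
    aps = list(csv.DictReader(io.StringIO(ap_part.strip()), skipinitialspace=True))
    stations = list(csv.DictReader(io.StringIO(sta_part.strip()), skipinitialspace=True))
    return aps, stations

def audit(text: str) -> list:
    """Return the access points using WEP or no encryption, with their clients."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for s in stations:
        clients.setdefault(s["BSSID"].strip(), []).append(s["Station MAC"].strip())
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].strip()
        if privacy.startswith("WEP") or privacy == "OPN":
            findings.append({
                "bssid": ap["BSSID"].strip(),
                "essid": ap["ESSID"].strip(),
                "channel": int(ap["channel"]),
                "privacy": privacy,
                "ivs": int(ap["# IV"]),          # IVs captured so far for this AP
                "clients": clients.get(ap["BSSID"].strip(), []),
            })
    return findings

# Constructed sample in the airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:01:02:03:04:05, 2024-01-01 12:00:00, 2024-01-01 12:10:00, 11, 54, WEP, WEP, OPN, -40, 600, 1200, 0.0.0.0, 7, lab-wep,
00:11:22:33:44:55, 2024-01-01 12:00:00, 2024-01-01 12:10:00, 6, 54, WPA2, CCMP, PSK, -60, 580, 0, 0.0.0.0, 8, lab-wpa2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:04:05:06:07:08, 2024-01-01 12:01:00, 2024-01-01 12:10:00, -50, 300, 00:01:02:03:04:05, lab-wep
AA:BB:CC:DD:EE:FF, 2024-01-01 12:02:00, 2024-01-01 12:09:00, -70, 20, (not associated), lab-guest, home
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```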

Before cracking WEP, you will need 40,000 to 85,000 different Initialization Vectors (IVs). Each data packet contains an initialization vector. IVs can be reused, so the number of distinct vectors is usually slightly less than the number of packets captured.
So you have to wait until you have captured 40k to 85k data packets (with IVs). If the network is not busy, this will take a very long time. You can speed up this process with an active attack (a replay attack); we will talk about those in the next part.

Cracking

If you already have enough intercepted initialization vectors, which are stored in one or more files, you can try to crack the WEP key:

aircrack-ng -b 00:01:02:03:04:05 dump-01.cap

The MAC address after the -b flag is the BSSID of the target, and dump-01.cap is the file containing the captured packets. You can use multiple files: just add all the names to the command, or use a wildcard, for example dump*.cap.

More information about Aircrack-ng's parameters, output and usage can be found in the manual.

There is no fixed number of initialization vectors needed to crack a key, because some vectors are weaker and leak more key information than others. Usually these initialization vectors are mixed in with stronger ones. So if you are lucky, you might crack a key with just 20,000 IVs. However, this is often not enough, and Aircrack-ng may run for a long time (a week or more with a high fudge factor) and then tell you that the key cannot be cracked. The more initialization vectors you have, the faster the crack, and it usually finishes in a few minutes or even seconds. Experience shows that 40,000 to 85,000 vectors are enough.

Some more advanced access points use special algorithms to filter out weak initialization vectors. As a result, you will not be able to obtain more than N vectors from the access point, or you will need millions of vectors (e.g. 5-7 million) to crack the key. Read the forum for what to do in such cases.

Active attacks

Most devices don't support injection, at least not without patched drivers. Some only support certain attacks. Check the compatibility page and look at the aireplay column. Sometimes this table is not up to date, so if you see "NO" next to your driver, don't despair; look instead at the driver's home page, the driver mailing list, or our forum. If you have successfully replayed with a driver that is not on the supported list, feel free to suggest changes on the Compatibility Matrix page and add a link to the quick start guide. (You need to request a wiki account on IRC for this.)

First you need to make sure that packet injection really works with your network card and driver. The easiest way to check is to conduct a test injection attack. Please make sure you pass this test before proceeding. Your card must be able to inject in order for you to complete the following steps.

You will need the BSSID (MAC address of the access point) and ESSID (network name) of an access point that does not filter on MAC addresses (such as your own) and is in the available range.

Try to connect to the access point using aireplay-ng:

aireplay-ng --fakeauth 0 -e "your network ESSID" -a 00:01:02:03:04:05 wlan0mon

The value after -a is the BSSID of your access point.
The injection worked if you see something like this:

12:14:06  Sending Authentication Request
12:14:06  Authentication successful
12:14:06  Sending Association Request
12:14:07  Association successful :-)

If not:

  • Double-check the correctness of the ESSID and BSSID;
  • Make sure that MAC address filtering is disabled on your access point;
  • Try the same on another access point;
  • Make sure your driver is properly configured and supported;
  • Instead of "0" try "6000 -o 1 -q 10".

ARP replay

Now that we know packet injection works, we can do something that will greatly speed up the capture of initialization vectors: the ARP request injection attack.

Main idea

In simple terms, ARP works by broadcasting a request to an IP address, and the device at that IP address sends back a response. Because WEP doesn't protect against replay, you can sniff a packet and send it over and over again as long as it's valid. Thus, you just need to intercept and replay the ARP request sent to the access point in order to create traffic (and get initialization vectors).

Lazy way

First, open a window with airodump-ng sniffing traffic (see above); aireplay-ng and airodump-ng can run simultaneously. Wait for a client to appear on the target network and start the attack:

aireplay-ng --arpreplay -b 00:01:02:03:04:05 -h 00:04:05:06:07:08 wlan0mon

-b points to the target BSSID, -h to the MAC address of the connected client.

Now you need to wait for the ARP packet to be received. Usually you need to wait a few minutes (or read the article further).
If you're lucky, you'll see something like this:

Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...

If you need to stop the replay, you do not have to wait for the next ARP packet: you can simply reuse the previously captured packets with the -r <filename> parameter.
When using ARP injection, you can use the PTW method to crack the WEP key. It significantly reduces the number of packets required, and with it the time to crack. You need to capture complete packets with airodump-ng, that is, do not use the --ivs option when running it. For Aircrack-ng, use aircrack-ng -z <filename>. (PTW is the default attack type.)

If the number of data packets received by airodump-ng stops increasing, you may need to reduce the replay rate. Do this with the -x <packets per second> parameter. I usually start at 50 and decrease until packets are received continuously again. You can also change the position of the antenna.

Aggressive way

Most operating systems flush the ARP cache when they disconnect. If they need to send the next packet after reconnecting (or simply use DHCP), they send an ARP request. As a side effect, you can sniff the ESSID and possibly the keystream during the reconnect. This is useful if your target's ESSID is hidden or if it uses shared-key authentication.
Keep airodump-ng and aireplay-ng running. Open another window and run a deauthentication attack:

Here -a is the BSSID of the access point and -c the MAC address of the selected client.
Wait a few seconds and the ARP replay will start working.
Most clients try to reconnect automatically. But the risk of someone recognizing this attack, or at least noticing what is happening on the WLAN, is higher than with other attacks.
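Seen from the network owner's side, both techniques in this section leave distinctive traces in the air: the ARP replay resends the same WEP frame, so the same 24-bit IV from one station appears over and over, and the aggressive variant opens with a burst of deauthentication frames. The following added example (not from the original article or the Aircrack-ng project) decodes the 802.11 MAC header of raw frames, here constructed samples rather than a real capture, and flags both patterns; the thresholds are arbitrary assumptions.

```python
from collections import Counter

# 802.11 (type, subtype) pairs this detector cares about
DEAUTH = (0, 12)   # management frame, deauthentication
DATA = (2, 0)      # plain data frame

def parse_frame(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header and, for WEP data frames, the 3-byte IV."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    protected = bool(fc1 & 0x40)            # "Protected Frame" bit in the flags byte
    iv = None
    if (ftype, subtype) == DATA and protected and len(frame) >= 28:
        iv = frame[24:27].hex()             # WEP IV sits right after the header
    return {"kind": (ftype, subtype), "dst": frame[4:10].hex(":"),
            "src": frame[10:16].hex(":"), "iv": iv}

def find_attacks(frames, deauth_threshold=5, replay_threshold=3):
    """Alert on deauth bursts per sender and on a WEP IV repeated by one sender."""
    deauths, ivs = Counter(), Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p["kind"] == DEAUTH:
            deauths[p["src"]] += 1
        elif p["iv"] is not None:
            ivs[(p["src"], p["iv"])] += 1
    alerts = [("deauth_flood", src, n) for src, n in deauths.items() if n >= deauth_threshold]
    alerts += [("wep_replay", src, n) for (src, _iv), n in ivs.items() if n >= replay_threshold]
    return alerts

# --- constructed sample frames (not a real capture) ---
def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def frame(fc0, fc1, addr1, addr2, addr3, body=b""):
    # frame control, duration, addr1-3, sequence control, then the body
    return bytes([fc0, fc1, 0, 0]) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + body

AP, CLIENT = "00:01:02:03:04:05", "00:04:05:06:07:08"
SAMPLE = (
    # six deauth frames (0xC0 = management/deauth) sent "from" the AP to the client
    [frame(0xC0, 0x00, CLIENT, AP, AP, b"\x07\x00")] * 6
    # one WEP data frame (0x08 = data, 0x41 = ToDS|Protected) with IV 112233, replayed four times
    + [frame(0x08, 0x41, AP, CLIENT, AP, b"\x11\x22\x33\x00" + b"\xaa" * 40)] * 4
    # two ordinary frames from the same client, each with a fresh IV
    + [frame(0x08, 0x41, AP, CLIENT, AP, bytes([0x44, 0x55, i, 0]) + b"\xbb" * 40) for i in (1, 2)]
)

if __name__ == "__main__":
    for alert in find_attacks(SAMPLE):
        print(alert)
```

On a real capture, feed the raw 802.11 frames (without radiotap header) to find_attacks; genuine traffic rotates the IV every packet, so a repeated IV from one station is a strong replay signal.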

You can find more tools and information about them here.

Source: habr.com
