Aircrack-ng Toolbox

Source: Internet
Author: User
Tags: bssid

Official website: http://www.aircrack-ng.org/. It is a suite of WiFi-related tools: with it you can inject frames, capture packets, crack WiFi keys and so on. It contains many different programs.

In addition, http://blog.csdn.net/qq_28208251/ translated part of the content of the official website; the translation is usable and good.

The following knowledge may be useful:

1. A wireless card can work in several modes; the common ones are master, managed, ad-hoc and monitor. Master mode is mainly used by wireless access points (APs) to provide wireless access and routing. Managed mode is used to connect to a wireless AP; in this mode we access the Internet over wireless. Monitor mode is mainly used to observe the traffic inside a wireless network and to inspect and troubleshoot it. Ad-hoc mode is used when two hosts need a direct connection, so that the hosts connect to each other as peers.

2. In general, on a phone's WLAN, the BSSID is actually the MAC address of the wireless router. The ESSID can generally be taken to be the SSID, the WiFi network name.

SSID = Service Set IDentifier
BSSID = Basic Service Set IDentifier
ESSID = Extended Service Set IDentifier

airmon-ng tool: lets the network card switch between managed and monitor mode.

How to use:

1. Run without any parameters to display the current interface status:

airmon-ng

2. Turn monitor mode on or off. The channel argument is optional and indicates which channel to listen on; if it is omitted, all channels are listened to.

airmon-ng <start|stop> <interface name> [channel]           # e.g.: airmon-ng start wlan0 1

Use the iwlist command to view the channel the interface listens on. For example, to view mon0: iwlist mon0 channel.

3. Check for processes that can interfere with aircrack-ng (such as NetworkManager), or check for them and kill them:

airmon-ng <check|check kill>

It is highly recommended to stop these processes while using the Aircrack-ng suite.

Finally, how do we get back to the original state when the task is finished?

1. Stop monitor mode with airmon-ng stop <interface name>.

2. Start the NetworkManager service we killed with service network-manager start.

Aireplay-ng command:

Aireplay-ng is a tool for injecting frames. Its main function is to generate traffic, which aircrack-ng then uses to crack WEP and WPA/WPA2 keys. Most drivers require patches to support packet injection; see the official site for driver installation.

The attacks currently supported by aireplay-ng are:

    • Attack 0: deauthentication attack
    • Attack 1: fake authentication attack
    • Attack 2: interactive packet replay
    • Attack 3: ARP request replay attack
    • Attack 4: KoreK chopchop attack
    • Attack 5: fragmentation attack
    • Attack 6: caffe-latte attack
    • Attack 7: client-oriented fragmentation attack
    • Attack 8: WPA migration mode
    • Attack 9: injection test

With man aireplay-ng you can see the usage of its parameters. The basic parameters are:

Filter options: used to select which packets to work on; they apply to all attacks except the deauthentication and fake authentication attacks. The most commonly used option is -b.

    • -b bssid: MAC address of the access point (AP)
    • -d dmac: destination MAC address
    • -s smac: source MAC address
    • -m len: minimum packet length
    • -n len: maximum packet length
    • -u type: frame control, type field
    • -v subt: frame control, subtype field
    • -t tods: frame control, To DS bit
    • -f fromds: frame control, From DS bit
    • -w iswep: frame control, WEP bit

Replay options: when injecting (replaying) packets, the following options are commonly used (usually some of them, not all).

    • -x nbpps: number of packets sent per second
    • -p fctrl: set the frame control word (hexadecimal)
    • -a bssid: set the access point MAC address
    • -c dmac: set the destination MAC address
    • -h smac: set the source MAC address
    • -e essid: for the fake authentication attack or the injection test, sets the target AP's SSID; optional when the SSID is not hidden, required to work against a hidden access point
    • -j: ARP replay attack: inject FromDS packets
    • -g value: change ring buffer size (default: 8)
    • -k IP: set destination IP in fragments
    • -l IP: set source IP in fragments
    • -o npckts: number of packets per burst (-1)
    • -q sec: seconds between keep-alives (-1)
    • -y prga: keystream for shared key authentication
    • -B or --bittest: bit rate test (applies only to test mode)
    • -D: disables AP detection. Some modes will not proceed if the AP's beacons are not heard; this disables that check.
    • -F or --fast: chooses the first matching packet. In test mode, it only checks basic injection and skips all other tests.
    • -R: disables /dev/rtc usage. Some systems experience lockups or other problems with the RTC; this disables its use.

Source options:

    • iface: capture packets from the specified network card
    • -r file: read packets from the specified pcap file

Attack 0: deauthentication attack

This attack can be used to disconnect a client that is already connected to the AP. Use -0 <count> or --deauth <count> to select it, where count is the number of deauthentications to send; 0 means send continuously.

For example:

aireplay-ng -0 1 -a 00:14:6c:7e:40:80 -c 00:0f:b5:34:30:30 mon0

Parameters: the first two are -0 <count> or --deauth <count>. -0 selects the deauthentication attack; 1 is the number of deauthentications to send.

-a: the MAC address of the access point (see replay options).

-c: the MAC address of the authenticated client we want to disconnect. When it is omitted, all authenticated clients are attacked.

mon0: the name of my interface (interface name).

Example output:

sudo aireplay-ng --deauth 0 -a d4:ee:07:2e:02:d8 -c 20:a9:9b:2e:3d:a7 mon0
21:15:29  Waiting for beacon frame (BSSID: D4:EE:07:2E:02:D8) on channel 6
21:15:30  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [12|54 ACKs]
21:15:30  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [13|60 ACKs]
21:15:31  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [46|61 ACKs]
21:15:31  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|57 ACKs]
21:15:32  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 3|57 ACKs]
21:15:32  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 5|57 ACKs]
21:15:33  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [24|65 ACKs]
21:15:33  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [33|63 ACKs]
21:15:34  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|61 ACKs]
21:15:35  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|60 ACKs]
21:15:35  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 1|63 ACKs]
21:15:36  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 1|63 ACKs]
21:15:36  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|62 ACKs]
21:15:37  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|59 ACKs]
21:15:37  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|62 ACKs]
21:15:38  Sending directed DeAuth. STMAC: [20:A9:9B:2E:3D:A7] [ 0|60 ACKs]

For directed deauthentications, aireplay-ng sends a fixed batch of packets for each deauth you specify: part of them go to the AP itself and part to the client.

So the two numbers at the end of each line are the ACKs received from the client and from the AP respectively. Eventually the client stops replying, because its connection has been broken.
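The frame-control fields the filter options above refer to (type, subtype, To DS, From DS, WEP bit) are the same ones a monitor-mode sensor inspects. As an added example, not code from the original page or from the aircrack-ng project, the Python below decodes them from raw 802.11 headers and counts deauthentication frames per transmitter, which is how a burst like the one attack 0 produces against your own AP shows up on the defending side. The sample frames are constructed in memory as test data; the burst threshold is an assumed value.

```python
"""Decode 802.11 frame-control fields (type, subtype, ToDS, FromDS,
protected/WEP bit) and count deauthentication frames per transmitter,
the signal a wireless sensor uses to flag a deauth burst. Added example;
the frames below are constructed in memory, never captured or sent."""
import struct
from collections import Counter

DEAUTH = (0, 12)  # management frame, subtype 12 = deauthentication

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_header(frame: bytes) -> dict:
    """Generic MAC header: FC(2) Duration(2) Addr1 Addr2 Addr3 SeqCtl(2)."""
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control, little-endian
    hdr = {
        "type": (fc >> 2) & 0x3,          # -u: 0 mgmt, 1 ctrl, 2 data
        "subtype": (fc >> 4) & 0xF,       # -v
        "to_ds": bool(fc & 0x0100),       # -t
        "from_ds": bool(fc & 0x0200),     # -f
        "protected": bool(fc & 0x4000),   # -w (WEP/protected bit)
        "addr1": mac(frame[4:10]),        # receiver
        "addr2": mac(frame[10:16]),       # transmitter
        "addr3": mac(frame[16:22]),       # BSSID when ToDS = FromDS = 0
    }
    if (hdr["type"], hdr["subtype"]) == DEAUTH:
        hdr["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code
    return hdr

def make_frame(ftype, subtype, addr1, addr2, addr3, flags=0, body=b""):
    """Build a minimal frame for the sample set below (test data only)."""
    fc = (ftype << 2) | (subtype << 4) | flags
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body

def deauths_per_transmitter(frames) -> Counter:
    hits = Counter()
    for h in map(parse_header, frames):
        if (h["type"], h["subtype"]) == DEAUTH:
            hits[h["addr2"]] += 1
    return hits

def deauth_burst_sources(frames, threshold=10) -> list:
    """Transmitters with at least `threshold` deauths (threshold is an assumed value)."""
    return sorted(a for a, n in deauths_per_transmitter(frames).items() if n >= threshold)

AP = bytes.fromhex("020000000001")    # constructed, locally administered MAC
STA = bytes.fromhex("020000000002")   # constructed, locally administered MAC
SAMPLE = (
    [make_frame(2, 0, STA, AP, AP, flags=0x4200)] * 5          # protected data, FromDS
    + [make_frame(0, 12, STA, AP, AP, body=b"\x07\x00")] * 12  # deauths, reason 7
)
```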

Attack 1: fake authentication attack

To be filled in.

airodump-ng command: used to capture packets.

IVs can be collected for cracking WEP, but there are now basically no routers using WEP encryption. It can also capture the handshake. It has many options; the relevant help is available through man airodump-ng, and there is too much of it to list here.

The following explains the meaning of each field:

    • BSSID: the MAC address of the access point. In the client section, "(not associated)" means the client is not connected to any access point; in this unconnected state it keeps searching for an access point.
    • PWR: the signal level reported by the NIC. Its meaning depends on the driver, but the closer to the access point or station, the higher the value. If an access point's PWR is -1, the driver does not support the signal level; if a station's PWR is -1, the NIC can receive packets from the access point but the station is out of the card's range, which means we only hear half of the exchange. If all stations show -1, the driver does not support displaying the signal level.
    • RXQ: receive quality, the percentage of packets successfully received in the last 100 seconds.
    • Beacons: the number of beacon (announcement) frames sent by the access point. Each access point sends about 10 beacons per second at the lowest rate (1M), so they are usually received even from far away.
    • #Data: the number of data packets captured (for WEP, the number of distinct IVs), including broadcast data packets.
    • #/s: the number of data packets per second, measured over the last 10 seconds.
    • CH: the wireless channel (taken from beacon packets). Note: even when the channel is fixed, packets from other channels are sometimes captured because of radio interference.
    • MB: the maximum speed supported by the access point. MB=11 is 802.11b, MB=22 is 802.11b+, higher values are 802.11g. A trailing decimal point (such as 54.) indicates short preamble support, and an "e" after the number indicates that the network supports QoS.
    • ENC: the encryption algorithm in use. OPN means no encryption; "WEP?" means it is not yet certain whether it is WEP or WPA/WPA2; WEP means static or dynamic WEP; TKIP or CCMP means WPA/WPA2.
    • CIPHER: the detected cipher, one of CCMP, WRAP, TKIP, WEP, WEP40 and WEP104. Although not required, TKIP is commonly used with WPA and CCMP with WPA2. WEP40 is displayed when the key index is greater than 0 (for 40-bit keys the index can be 0-3; for 104-bit keys the index must be 0).
    • AUTH: the authentication protocol in use: MGT (WPA/WPA2 with a separate authentication server), SKA (WEP shared key), PSK (WPA/WPA2 pre-shared key) or OPN (WEP open authentication).
    • ESSID: the wireless network name, also called the "SSID". If SSID hiding is enabled this entry is empty; in that case airodump-ng tries to recover the SSID from probe responses and association requests.
    • STATION: the MAC address of each client that is connected or trying to connect. Clients not connected to any access point are listed under the BSSID "(not associated)".
    • Lost: the number of packets lost in the last 10 seconds.
    • Packets: the number of packets sent by the client.
    • Probes: the names of the wireless networks the client probed for; if it is not connected, this is the network name it is trying to connect to.

For example, now I'm going to capture:

airodump-ng --bssid 00:14:6c:7a:41:20 -w mypackage mon0
# --bssid: the MAC of the AP to capture
# -w: the name prefix of the capture file, mypackage
# mon0: the name of my monitor interface

Then, your package is saved in your current directory.
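The ENC, CIPHER, AUTH and ESSID fields described above are what an audit of your own wireless estate reads first. As an added example, not code from the original page or from the aircrack-ng project, the Python below parses the comma-separated summary that airodump-ng writes beside the capture and flags the weak settings those fields reveal. It assumes the summary starts with a header row naming the columns (BSSID, channel, Privacy, Cipher, Authentication, ESSID among them); SAMPLE_SURVEY is constructed data, not a real survey.

```python
"""Audit an airodump-ng survey for weak access-point settings. Added example:
it reads the comma-separated summary airodump-ng writes beside the capture
(assumed layout: a header row naming the columns, among them BSSID, channel,
Privacy, Cipher, Authentication and ESSID, which carry the ENC, CIPHER, AUTH
and ESSID values described above). SAMPLE_SURVEY is constructed data."""
import csv
import io

SAMPLE_SURVEY = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -40, 120,  0,   0.  0.  0.  0,  9, CorpGuest, 
02:00:00:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1, 11, WEP , WEP , SKA, -60,  90, 12,   0.  0.  0.  0,  6, Legacy, 
02:00:00:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN , , , -55,  80,  0,   0.  0.  0.  0,  8, FreeWiFi, 
02:00:00:00:00:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 54, WPA , TKIP, PSK, -70,  30,  0,   0.  0.  0.  0,  0, , 
02:00:00:00:00:05, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  3, 54, WEP?, , , -80,  10,  0,   0.  0.  0.  0,  5, Guest, 
"""

def parse_aps(survey_text: str) -> list:
    """Return one dict per access-point row, keyed by the header names."""
    rows = csv.reader(io.StringIO(survey_text))
    header = [h.strip() for h in next(rows)]
    aps = []
    for row in rows:
        cells = [c.strip() for c in row]
        if not any(cells):          # a blank line ends the AP section
            break
        cells += [""] * (len(header) - len(cells))   # tolerate a short row
        aps.append(dict(zip(header, cells)))
    return aps

def audit(survey_text: str) -> list:
    """Return (network, finding) pairs; a clean WPA2/CCMP network yields none."""
    findings = []
    for ap in parse_aps(survey_text):
        enc, cipher, essid = ap["Privacy"], ap["Cipher"], ap["ESSID"]
        name = essid or "<hidden " + ap["BSSID"] + ">"
        if enc == "OPN":
            findings.append((name, "no encryption"))
        elif enc == "WEP?":        # airodump-ng could not tell WEP from WPA yet
            findings.append((name, "encryption undetermined, re-survey"))
        elif enc.startswith("WEP"):
            findings.append((name, "WEP is broken, move to WPA2/WPA3"))
        elif "TKIP" in cipher and "CCMP" not in cipher:
            findings.append((name, "TKIP-only cipher is deprecated"))
        if not essid:
            findings.append((name, "hidden SSID is not a security control"))
    return findings
```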

aircrack-ng command: used to crack the key.

Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. We do not need to bother with cracking WEP encryption, because WEP is now almost never used. For WPA/WPA2 pre-shared keys, the only method is comparison against a dictionary. SSE2 can greatly accelerate this long comparison. To crack WPA/WPA2 you need the four-way handshake packets as input: a full WPA handshake consists of 4 packets, but aircrack-ng only needs two of them to start working.

You can see its help through man aircrack-ng.

As an example:

sudo aircrack-ng -a wpa -w dictionary_simple.txt a-01.cap

I captured a-01.cap and then used a simple dictionary, dictionary_simple.txt. The cracking finished with the following result:

                          Aircrack-ng 1.2 beta3

           [00:00:06] 10116 keys tested (1551.04 k/s)

                     KEY FOUND! [ 123456789 ]

Master Key, Transient Key and EAPOL HMAC: hex byte dumps follow in the original output.

Finally, a cracking program for Windows: EWSA is faster than this, since it can be accelerated by the graphics card.
