Full tutorial aircrack-ng crack WEP, WPA-PSK encryption weapon

In fact, the content of the basic knowledge of wireless is still quite many, but because this book focuses on the use of BT4 own tools to explain, if you carefully talk about these peripheral knowledge, this is like to tell the DNS tool also to the DNS server type, working principle and configuration to tell the same, haha, It is estimated that the thickness of the whole book needs to be doubled one or twice times. Well, the basic knowledge of wireless network advice you can refer to my previous in the Black Hand published the "Wireless Hacker Fool Book" A book, will be very helpful.

Well, first of all, the content of this chapter is applicable to all major brands of wireless routers or APS such as Linksys, Dlink, Tplink, Belkin, etc. The contents include WEP encryption and WPA-PSK encryption of the wireless network to solve the actual combat operation.

What is Aircrack-ng

Aircrack-ng is a tool used to crack wireless 802.11WEP and WPA-PSK encryption, which was named Aircrack before November 2005 and was renamed Aircrack-ng after its 2.41 version.

Aircrack-ng mainly uses two types of attack methods for WEP cracking: one is a FMS attack, which is named after the researcher name (Scott Fluhrer, Itsik Mantin, and Adi Shamir) that discovered the WEP vulnerability The other is the Korek attack, which is statistically more efficient than the FMS attack. Of course, the latest version also integrates more types of attack methods. For wireless hackers, Aircrack-ng is an indispensable wireless attack tool, it can be said that a large part of the wireless attack is dependent on it to complete, and for wireless security personnel, Aircrack-ng is also a necessary wireless security detection tools, It can help administrators to check the vulnerability of wireless network password and understand the distribution of wireless network signal, it is very suitable for enterprises to use wireless security audit.

Aircrack-ng (note case) is a wireless attack audit package with a variety of tools, many of which are used in the following sections, as shown in table 1 below for the list of components contained in Aircrack-ng.

Table 1

Component Name	Description described
Aircrack-ng	Mainly used for WEP and WPA-PSK password recovery, as long as airodump-ng collect enough packets, Aircrack-ng can automatically detect the packet and determine whether it can be cracked
Airmon-ng	Used to change the working mode of the wireless card for the smooth use of other tools
Airodump-ng	For capturing 802.11 of data packets for aircrack-ng cracking
Aireplay-ng	In the case of WEP and WPA-PSK password recovery, special wireless network data packets and traffic can be created as needed.
Airserv-ng	You can connect a wireless card to a specific port to prepare for a flexible call when attacking
Airolib-ng	Used for WPA Rainbow table attacks to establish a specific database file
Airdecap-ng	Used to unlock packets in the encrypted state
Tools	Other tools for assistance, such as Airdriver-ng, Packetforge-ng, etc.

Aircrack-ng is already built (download BackTrack4 R2) under BackTrack4 R2, as shown in 2: by selecting "Backtrack"-"Radio Network Analysis" in the menu-"80211"-" Cracking "-" aircrack-ng "to open the Aircrack-ng main program interface. You can also open a shell directly, in the inside directly enter the Aircrack-ng command return can also see Aircrack-ng use parameters help.

Figure 2

Use Aircrack-ng to crack WEP encrypted wireless network

First of all, to crack the use of WEP encrypted content, enabling this type of encryption of the wireless network is often listed as a serious insecure network environment. And Aircrack-ng is the first choice to crack such a powerful weapon of this type of encryption, the steps to crack WEP encryption using the Aircrack-ng suite are as follows.

Step 1: Load the wireless card.

In fact, a lot of new people always start to load the network card when there are some doubts, so we put this basic operation to take a closer look. First, check which network cards are currently loaded, and enter the following commands:

Ifconfig

After the carriage return can see the content as shown in 3, we can see that in addition to eth0, there is no wireless card.

Figure 3

Make sure the USB or PCMCIA wireless card is plugged in correctly, and in order to see if the wireless card is properly connected to the system, enter:

Parameter explanation:

-a displays the status of all network interfaces for the host. Unlike the simple ifconfig command, all adapters connected to the current system network interface can be seen after the-a parameter is added.

As shown in 4, we can see that there is a wireless network card named Wlan0 compared to 3, which indicates that the wireless card has been identified by BackTrack4 R2 Linux.

Figure 4

Now that you've identified it, you'll be able to activate the wireless card next. Note that both wired and wireless network adapters need to be activated, otherwise it is not possible to use drops. This step is equivalent to enabling "Local Area Connection" under Windows, and the non-enabled connection is not available.

As can be seen in 4, there is a wireless network card named Wlan0, OK, enter the following:

Parameter explanation:

Up is used to load the NIC, here we will load the wireless card that has been plugged into the notebook driver. Once the loading is complete, we can use ifconfig again to confirm. As shown in 5, this time, the system has correctly identified the wireless card.

Figure 5

Of course, by entering the Iwconfig view is also possible to drip. This command is dedicated to viewing the wireless card and does not look at all adapters like Ifconfig.

This command is used under Linux to see if there is a wireless card and the status of the current wireless card. As shown in 6.

Figure 6

Step 2: Activate the wireless card to monitor that is the listening mode.

For many small blacks, you should use a variety of sniffer tools to crawl data packets such as passwords. Well, we all know that the network card used for sniffing is to be in monitor mode. The same is true for sniffing on wireless networks.

Under Linux, we use the Airmon-ng tool in the Aircrack-ng suite to implement the following commands:

Parameter explanation:

Start followed by the wireless card device name, here refer to the previous ifconfig display of the wireless network card name;

As shown in 7, we can see the wireless card chip and driver type, on the chipset chip type is marked Ralink 2573 chip, the default driver is Rt73usb, shown as "monitor mode enabled on Mon0", that is, the monitoring mode has been started, The adapter name becomes more mon0 in listening mode.

Figure 7

Step 3: Probe the wireless network and crawl the wireless packets.

After activating the wireless card, we can turn on the wireless packet Capture tool, here we use the Airmon-ng tool in the Aircrack-ng kit to achieve, the specific command is as follows:

However, before the formal capture of the package, it is generally pre-detection, to obtain the current wireless network overview, including the SSID of the AP, MAC address, work channel, wireless client mac and number. Just open a shell and enter the specific command as follows:

Parameter explanation:

Mon0 is a wireless card that has previously loaded and activated the listening mode. As shown in 8.

Figure 8

After the carriage return, you can see similar to 9, here we directly lock the target is the SSID "Tp-link" of the AP, its bssid (MAC) is "00:19:e0:eb:33:66", the working channel is 6, the connected wireless client MAC is " 00:1f:38:c9:71:71 ".

Figure 9

Now that we have seen the target of the test to attack, that is the SSID named Tp-link Wireless router, then enter the command as follows:

Parameter explanation:

--ivs here is set up by filtering, no longer save all wireless data, but only to save the IVS data packets can be used to crack, so as to effectively reduce the size of the saved packets;

-C Here we set the target AP's work channel, through just observation, we want to conduct attack test the wireless router working channel is 6;

-W followed by the name of the file to be saved, where W is the meaning of "write", so enter the name of the file that you want to keep, as shown in 10 I am writing as Longas. So, the small black must note is: Here we set the saved filename is Longas, but the resulting file is not longase.ivs, but longas-01.ivs.

Figure 10

Note: This is because airodump-ng this tool in order to facilitate the next time the call, so to save the file in sequence numbered, so there is more-01 such sequence number, and so on, in the second attack, if using the same file name Longas save, it will Generate a file named Longas-02.ivs, be sure to pay attention oh, do not find it and blame me not to write clearly:) Ah, it is estimated that some friends see here, and will ask at the time of the crack can be used together with these captured packets, of course, as long as you load the file using Longas*.cap, where the asterisk refers to all the prefixes consistent files.

After the carriage return, you can see the interface as shown in 11, which indicates the start of the wireless packet crawl.

Figure 11

Step 4: Use Arprequest injection attacks on target APS

If the wireless client connected to the wireless router/ap is making large-volume interactions, such as using thunder and electric mules for large file downloads, the WEP password can be cracked by simply grasping the packet. But wireless hackers feel that such a wait is sometimes too long, so the use of a call "ARP request" to read the ARP requests, and forged messages re-sent again to stimulate the AP to generate more packets, thus speeding up the process of cracking, this method is called Arprequest injection attacks. The specific input commands are as follows:

Parameter explanation:

-3 refers to the use of ARPREQUESR injection attack mode;

-B followed by the MAC address of the AP, which is the Mac of the AP that we detected earlier in the SSID of Tplink;

-H followed by the MAC address of the client, which is the Mac of the active wireless client we detected earlier;

Finally keep up with the name of the wireless card, here is mon0.

When you enter the carriage, you will see a reading of the wireless data message as shown in 12, where the ARP message is obtained.

Figure 12

After waiting for a moment, once the ARP request message is successfully intercepted, we will see the rapid interaction of a large number of ARP messages as shown in 13.

Figure 13

At this point back to Airodump-ng interface view, in 14 we can see, as the tp-link of the packets bar number in the rapid increase.

Figure 14

Step 5: Open Aircrack-ng and start cracking WEP.

After a certain number of wireless data packets are reached, usually refers to the IVs value of more than 20,000, you can start to crack, if not successfully wait for the data message to continue to crawl and then try several times. Note that it is not necessary to shut down the shell that injected the attack, but to open a separate shell for synchronous cracking. Enter the command as follows:

With regard to the value of IVs, we can see from the interface shown in 15 that the IVs currently accepted has reached more than 15,000, and Aircrack-ng has tried 410,000 combinations.

Figure 15

Then after a short time to crack, you can see such as 16 "KEY FOUND" hint, followed by the 16 binary form, and then the ASCII part is the password, then you can use the password to connect the target AP. In general, it takes at least 10,000 IVs to crack 64-bit WEP, but if you want to ensure the success of the hack, you should capture as many IVs data as possible. For example, the high-strength complex cipher crack shown in 16 successfully relies on more than 80,000 captured IVs.

Figure 16

Note: Because it is a packet capture of the specified wireless channel, there are times when you will see the same scenario as in 17, where up to 4 APs of data are present at the time of the hack, which is common because these APs are all working on a channel. At this point, choose our goal, that is labeled 1, the SSID bit dlink of the packet can be entered 1, enter can start to crack.

Figure 17

See here, maybe some friends will say, these are weak passwords (is too simple password), so it is so easy to crack, the big deal I use more complex password always can it, such as x #87G之类的, even if the use of more complex password, so it is really safe? Hey, look at the password shown in 18:)

Figure 18

As you can see, the password that was cracked in the white box at 18 is already a complex enough password? Let's zoom in and look, as shown in 19, with a 13-bit WEP password with uppercase, lowercase, numeric, and special symbols, after getting enough IVs, it only takes about 4 seconds to hack it!

Figure 19

Now, do you still think your wireless network is safe? Well, it's just the beginning, and we'll look down.

Add:

If you want to capture a packet, not only to capture the content including IVs, but to capture all the wireless packets, but also after the analysis, you can use the following command:

That is, not--ivs filtering, but all capture, so that the captured packets will no longer be longas-01.ivs, but longas-01.cap, please note. The command is shown in 20.

Figure 20

In the same way, the object becomes longas-*.cap when it is cracked. The command is as follows:

After the carriage return, as shown in 21, the password is cracked.

Figure 21

Some friends may ask, where is the direct difference between IVs and cap? In fact, it is very simple, if only to crack, it is recommended to save as IVs, the advantage is that the production of small files and high efficiency. If in order to solve the same time to capture the wireless packet analysis, it is selected as the cap, so that you can make timely analysis, such as intranet IP address, password, of course, the disadvantage is that the file will be relatively large, if in a complex wireless network environment, a short 20 minutes, It is also possible to make the captured packet size exceed 200MB.

As shown in 22, we use the du command to compare the file size captured by the above hack. Can see, Longas-01.ivs only 3088KB, also is 3MB, but Longas-02.cap reached 22728KB, reached 20MB around!!

Figure 22

Use Aircrack-ng to hack WPA-PSK encrypted wireless network

Combining the contents of the above section, the following continues to be BackTrack4 R2 Linux for the environment, to explain the specific steps to crack WPA-PSK encrypted wireless network, detailed below.

Step 1: Upgrade the aircrack-ng.

Earlier in Chapter 1.3 We have covered the detailed steps to upgrade the Aircrack-ng package, and here is the same, if the conditions allow, Aircrack-ng should be upgraded to the latest Aircrack-ng version 1.1. As I have given the detailed steps ahead, I will not repeat it here.

In addition, in order to better identify the wireless network equipment and environment, it is best to upgrade the Airodump-ng Oui Library, first into the Aircrack-ng installation directory, and then enter the command as follows:

Enter, you can see the beginning of the download as shown in 23 hints, wait a moment, this time will be longer, EN, recommended pre-upgrade, do not cramming.

Figure 23

Step 2: Load and activate the wireless card to monitor that is the listening mode.

After entering the BackTrack4 R2 system, load the sequence of the wireless card and the command section, and then enter the following command:

Ifconfig–a View Wireless card status
Ifconfig wlan0 up Wireless card driver
Airmon-ng start Wlan0 activating the NIC to monitor mode

As shown in 24, we can see the wireless card chip and driver type, on the chipset chip type is marked Ralink 2573 chip, the default driver is Rt73usb, shown as "monitor mode enabled on Mon0", that is, the monitoring mode has been started, The adapter name becomes more mon0 in listening mode.

Figure 24

Step 3: Probe the wireless network and crawl the wireless packets.

After activating the wireless card, we can turn on the wireless packet Capture tool, here we use the Airodump-ng tool in the Aircrack-ng kit to achieve, the specific command is as follows:

Parameter explanation:

-C Here we set the target AP's work channel, through observation, we want to conduct attack test the wireless router working channel is 6;

-W followed by the name of the file to be saved, where W is the meaning of "write", so enter the file name that you want to keep, here I write as Longas. So, the small black must note is: Here we set the saved filename is Longas, but the resulting file is not longas.cap, but longas-01.cap.

Mon0 is a wireless card that has previously loaded and activated the listening mode. As shown in 25.

After the carriage return, you can see the interface as shown in 25, which indicates the start of the wireless packet crawl. Next keep this window motionless, notice, don't turn it off. Also open a shell. Proceed to the back of the content.

Figure 25

Step 4: Perform a deauth attack to speed up the cracking process.

And when cracking WEP, here in order to get the entire full packet of WPA-PSK handshake verification required, wireless hackers will send a packet called "Deauth" that will be forced to disconnect the legitimate wireless client connected to the wireless router, at this time, The client will automatically reconnect to the wireless router, and hackers will have a chance to capture the complete packet containing the WPA-PSK handshake verification. Here the specific input commands are as follows:

Parameter explanation:

-0 using Deauth attack mode, followed by the number of attacks, here I set to 1, we can be set according to the actual situation of 10;

-A followed by the MAC address of the AP;

-C followed by the client's MAC address;

When you enter, you will see the display of the Deauth message sent as shown in 26.

Figure 26

At this point back to the Airodump-ng interface view, in 27 we can see the "WPA handshake" in the upper right corner of the prompt, which means to obtain a WPA-PSK password contains 4 of this handshake data message, as for the target AP's Mac, The AP here refers to the wireless router to be cracked.

Figure 27

If we do not see the above hints on the Airodump-ng working interface, we can increase the number of Deauth sent and attack the target AP once again. For example, the value after the 0 parameter is changed to 10. As shown in 28.

Figure 28

Step 5: Start cracking WPA-PSK.

After the successful acquisition of the wireless WPA-PSK authentication data message, you can start to crack, enter the command as follows:

Parameter explanation:

-W followed by a pre-made dictionary, which is the default carrying dictionary under BT4.

After the carriage return, if you capture data that contains multiple wireless networks, you can see multiple SSID occurrences. This means that the wireless data of other APS is intercepted at the same time because of the same channel, because of the small number, it makes no sense to crack. Enter the correct option here, which corresponds to the Mac value of the target AP, and you can start the hack when you enter. As shown in 29, the command input is the case.

Figure 29

By 30 can be seen in the dual-core T7100 of the main frequency +4GB memory crack speed reached near 450k/s, that is, every second to try 450 passwords.

Figure 30

After less than 1 minutes of waiting, we successfully cracked the password. As shown in 31, on the right side of the "KEY FOUND" prompt, you can see that the password has been cracked. Password plaintext is "longaslast", crack speed is about key/s. It would be quicker if you could switch to a 4-core CPU.

Figure 31

Use Aircrack-ng to hack WPA2-PSK encrypted wireless network

For wireless networks with WPA2-PSK encryption enabled, the attack and decryption steps and tools are exactly the same, unlike the WPA CCMP PSK, which is indicated on the interface using Airodump-ng for wireless detection. As shown in 32.

Figure 32

When we use Aireplay-ng for Deauth attacks, we can also obtain a WPA handshake packet and hints, as shown in 33.

Figure 33

Similarly, using aircrack-ng to crack, the command is as follows:

Parameter explanation:

-W followed by a pre-made dictionary file

After more than 1 minutes of waiting, you can see the hint in 34: "KEY found! The WPA2-PSK connection password 19890305 is followed.

Figure 34

Now, you see? Crack WPA-PSK on the hardware requirements and dictionary requirements are very high, so as long as you prepare a number of commonly used dictionaries such as birthdays, 8 digits, such as the crack will increase the success rate of the crack.

Frequently asked questions about wireless cracking using aircrack-ng

Well, the following make some beginners wireless security in the attack may encounter problems, listed to facilitate a friend to the seat:

1. Why is my wireless card not recognized?

A: BT4 supports a lot of wireless network cards, such as the use of Atheros, PRISM2 and Ralink chip wireless card, whether it is PCMCIA or PCI, or USB, support is still very high. Note that BT4 is not all compatible with the chip requirements of the wireless network cards are supported, some of the same model but the hardware firmware version of the different can not, in particular, refer to the Aircrack-ng official website description.

2. Why does the command I enter always prompt for errors?

A: Uh ... Nothing to say, brother, pay attention to the case and the path.

3. Why is it slow to inject attack packets using Airodump-ng arprequest??

A: There are two main reasons:

(1. It is possible that the wireless network card support for these wireless tools is not good, such as a lot of laptop's own wireless network card support is not good;

(2. If it is only in the local experimental environment, it will be because the client and the AP interaction too little, and the ARP injection attack is slow, but if a client many environments, such as commercial bustling area or university science and Technology building, many users use wireless network to surf the Internet, the attack effect will be very significant, A minimum of 5 minutes to crack WEP.

4. Why did the Deauth attack package sent with Aireplay-ng not get the WPA handshake package?

A: There are two main reasons:

(1. It is possible that the wireless network card has poor support for these wireless tools and requires additional driver support;

(2. Is the problem of the wireless access point itself, and some APS will lose their response within a short period of time after the attack, need to restart or wait a few moments to return to normal working condition.

5. Why can't I find the captured cap file?

A: In fact, this is a very crazy problem, although in front of the use of Airodump-ng when the file save, I have explained that the default will be saved as "file name -01.cap" way, but there will still be a lot of too excited to cause the eyes of the small black people complain to find the cracked file.

Well, let me give you an example. For example, when the original capture we named Longas or Longas.cap, but in the Aircrack-ng attack load when using the LS command to see, you will find that the file has become a longas-01.cap, at this time, the file will be cracked to be cracked. If you capture more files, you need to merge them to crack, it is similar to "longas*.cap" such as the name to refer to all the cap file. Here * refers to 01, 02 and other files.

6. Can the WPA handshake file captured under Linux be put under Windows hack?

A: This is possible, not only can import Windows Shell version of the Aircrack-ng hack, but also import Cain tools such as crack. About the hack under Windows I have done in the "Wireless Hacker Fool Book" in the detailed elaboration, here does not tell and BT4 irrelevant content.

"BT4 Linux Hacker Handbook," the first in the domestic BACKTRACK3/4/4R1/4R2/5 under the built-in tools to explain books, applicable to all kinds of BT4 fanatics, BT4 English ability is not strong, BT4 first brother, BT4 otaku female, BT4 deep learning, BT5 transitional expectations, BT3 fans, BT4 wireless hacking enthusiasts, people who despise windows and ... (omitted 1000 words here), a mob struggling to write 6 months, finally come out!

The book a total of 15 chapters, the full manuscript page nearly 600 pages, involving nearly 100 tools, attack and defense operation case 60, from wired to wireless, from scanning to intrusion, from sniffing to PJ, from reverse to forensics, to help the small black from the beginning of a step-BT4 to learn the use of various tools and comprehensive use.

Original: Full tutorial aircrack-ng crack WEP, WPA-PSK encryption Weapon

Full tutorial aircrack-ng crack WEP, WPA-PSK encryption weapon