This tutorial aims to help you understand how to crack the wireless network and enhance your network security. Do not use it for illegal purposes.
In addition, there are too many ways on the Internet to know who you are. Do not think that no one will find you using others' AP.
Here is a detailed tutorial on how to use bt3 backtrack 3 to crack the WEP of a wireless network.
First
Http://wiki.remote-exploit.org/index.php/HCL:Laptops
Make sure your laptop can do this at this location.
All new features are compatible.
Next, confirm that your wireless network adapter is compatible.
Http://wiki.remote-exploit.org/index.php/HCL:Wireless
Then download the required bt3:
Http://wiki.remote-exploit.org/index.php/Main_Page
Personal suggestion:
If you want to play around or on a desktop, you can download the CD version because it takes a short start time.
If it is a laptop with a large hard disk, you can download the USB Version.
USB:
Http://www.remote-exploit.org/bt3b141207.rar.torrent
Http://backtrack.mjdupree.com/bt3b141207.rar
Ftp://bt3.aircrack-ng.org/bt3b141207.rar
After downloading, you can install it in a boot-able USB flash drive or directly drop it onto the hard disk. Later I will explain how to use the hard disk to start it directly.
----------------- How to change to a boot disk --------------------
The optical disk version is ready after burning.
The USB version can be decompressed to the root directory of a USB flash drive.
Bt3 and boot folders.
Open a DOS window pointing to your USB disk directory, such as H disk.
--- Run ---
H: + press ENTER
CD boot
Bootinst. bat
Follow the prompts to confirm that you are operating in the directory of your USB flash drive. Then OK.
Insert a USB flash drive to start the instance upon restart. If you have any questions, make sure that the USB flash drive is enabled on your computer and put it in the first startup Item (ThinkPad can specify to exclude a startup Item. Please check)
Or press and hold F12 at startup and select USB flash drive to start.
Although there are many ways to enable a hard disk, we recommend
The DOS Startup method is to first get a DOS boot, such as a mousedos, which can be installed by a fool to enable the computer to enter the pure DOS state. Then, in the case of DOS, enter
The boot directory decompressed on the hard disk contains a DOS directory, and then you can execute bt3.bat.
We recommend that you run smartdrv.exe before executing bt3.bat.
To speed up the startup. (Smartdrv.exe 98 is included in the attachment)
TIPS: DOS Startup does not automatically enter the graphic interface. You can edit
Config file:
You only need to add the following sentence in config:
Autoexec = xconf; KDM
You can.
By the way, I modified the autoexec. BAT file of mousedos and added:
Smartdrv.exe
D:
CD boot
CD DoS
Bt3.bat
In this way, the startup directly enters the graphic interface.
At this time, bt3 is all in the memory, that is to say, in the system, any changes to the desktop and configuration will not be recorded, so if you want to record documents, please do not put on the desktop.
----------- Crack -------------
The following is the Cracking Process
WEP cracking
1) ifconfig-
2) airmon-ng start wifi0 6
3) airodump-ng -- IVS-W name-C 6 ath1
4) aireplay-ng-1 0-e ap_essid-A ap_mac-H xxxxxxxxxx ath1
-1 is-one
5) aireplay-ng-5-B ap_mac-H xxxxxxxxxx ath1
6) packetforge-ng-0-A ap_mac-H xxxxxxxxxx-K packet 255.255.255-l
255.255.255.255-y fragment-XXXXX-XXXXXX.xor-W mrarp
7) aireplay-ng-2-r mrarp-x 1024 ath1
8) aircrack-ng-N 64-B ap_mac name-01.ivs
I provide a sample file for download.
The following is a one-to-one explanation: (to run these commands, you must open the terminal window. You can use Ctrl + c
Copy from a text file, and then SHIFT + insert and paste it into the terminal window)
1) ifconfig-
This command is used to find the MAC address of your wireless network card. Please record it for backup.
2) airmon-ng start wifi0 6
This command is used to place your wireless network card on the monitor
Mode, which is similar to the effect of an AP. Therefore, you can capture others' packets.
Among them, wifi0 is for the wireless network card in my computer, generally this should be the first ifconfig
-The a command can be seen.
6 after wifi0
Is the channel of the AP to be cracked. If you do not know, you can find
The second is the penultimate picture under the internet.
A wireless network tool that can be used to view the channels of the AP to be cracked ).
After the command is run successfully, you will see a prompt that displays ath1 (if you are
If the wireless network card of athoes is used, the others may be different, but generally XXX1 is used)
This is your Nic code used for cracking
In short, this command places your wireless network card in monitoring mode and specifies the monitoring channel.
If you find that the channel is wrong, it doesn't matter. Just run it again, but at this time, it may become
Ath2... ath3 and so on, but it seems that it can run up to three times, and then it will fail.
3) airodump-ng -- IVS-W name-C 6 ath1
This command is critical. After you run it, all the APs for this channel will be listed.
6 indicates the channel to be monitored. It must be the same as that in the second command,
Ath1 is the alias that appears in step 2.
After this command is run, it displays a lot of content. A brief introduction:
Bssid: Actually the MAC address of the AP.
PWR: the AP signal size. Generally, it is less than 10, which is troublesome. packet loss is serious and difficult to crack.
Rxq: Interference size
Beacons
# Data:
This is important because it receives a special packet that can be used to crack. If it remains unchanged, it indicates that there is no client connection, and it may be difficult to crack it. If the other party has a large file to download, the hop speed is very fast, and enough packets can be cracked in 10 minutes. If the hop speed is very slow, some special methods are needed to crack the attack.
Ch: Channel
MB: the network connection speed is 54 MB.
ENC, cipher, auth
These are encryption methods. We will only discuss
If you show what wpa tkip is, you can only crack the password. I think it is not very promising.
Essid:
This is the name of the AP. If it is a Chinese character, it seems that there will be problems. Therefore, Essid in Chinese can be used to prevent other users from cracking attacks.
After a while, the following will show which clients are connected to which APs, for some MAC address encryption, it is easy to simulate the MAC of the other client to cheat in, so do not simply trust the MAC restriction function.
This window is open. You do not need to close it. You need to open a terminal window again for subsequent commands.
4) aireplay-ng-1 0-e ap_essid-A ap_mac-H xxxxxxxxxx ath1
At the beginning of this step, we will do some real cracking work, mainly for those clients that only connect and have no traffic. This AP, # data growth is very slow, it usually takes a long time to obtain enough packets (generally, a 5-bit password requires about 10000 packets, and more passwords are required ....) In this case
Aireplay-ng came forward. As the name suggests, this software is replay, that is, simulating packet sending.
First, explain the command:
-E ap_essid is the Essid you need to crack after-E, such as the TP-LINK,
Linksys: case sensitive.
-A ap_mac is-
Then add the MAC address of the AP you want to crack, and you can see it in step 3 bssid. No: Oh.
-H xxxxxxxxxx is after-h, add the MAC address of your wireless network card,
In the first step, you can get it.
Ath1, as explained above.
Example:
Aireplay-ng-1 0-e TP-LINK-A 001900123456-H 001900345678 ath1
Here is a small suggestion. You can record all the above commands in a file and replace XXXXXXXX with the MAC address of your Nic, in this way, you do not need to enter your MAC address every time. Copy can be used every time
Paste, which can effectively prevent confusion between 1 and L, O and 0.
This command uses a spoofing method to connect to the AP. Therefore, if the network signal is poor, the operation may fail.
If successful, the successful:> is displayed. Otherwise, make the signal strength greater than 10.
5) aireplay-ng-5-B ap_mac-H xxxxxxxxxx ath1
After the previous success, we need to collect the required data packets for simulation and cracking.
The required data packet is # data. If
# Data is always 0, which may be very troublesome. The best case is that # data is growing slowly.
Explain
-B ap_mac is the MAC address of the AP to be cracked. You can find the bssid in step 3.
-H xxxxxxxxxx is the MAC address of your Nic.
Ath1 is the same as above .....
The execution of this command is related to # data package. If # data
If no value is added, the command is executed until a # data package is captured.
After the capture, the program will ask if you need to use this package to simulate attacks. Answer Y.
If the attack succeeds, the attack is successful. The failure is often caused by poor signals,
If the attack fails (the packet is often caught due to a problem), the program retries n times, or automatically starts to capture the package again and continues.
After successful completion, a file name: fragment-XXXXX-XXXXXX.xor will be displayed
This file name. XXXXX contains numbers and is a file. It will be used immediately.
This step is the most likely to fail. Keep the signal better.
6) packetforge-ng-0-A ap_mac-H xxxxxxxxxx-K packet 255.255.255-l
255.255.255.255-y fragment-XXXXX-XXXXXX.xor-W mrarp
Step 6: There are many parameters. Here is an explanation:
-A ap_mac is the MAC address of the AP to be cracked,
-H xxxxxxxxx is the MAC address of your wireless network adapter.
The fragment-XXXXX-XXXXXX.xor is the file name shown in step 5.
This step will soon be completed, showing what the generated file to mrarp is, in fact, the preparation process for cracking the package.
7) aireplay-ng-2-r mrarp-x 1024 ath1
This step is not correct. You can modify the parameters.
Ath1 is the name of your wireless network card
1024
Attack Speed. 1024 is the maximum value. If your wireless network card is not minipci, we recommend that you set it
512, so it is not easy to crash.
When this step starts, you will see
# Data is growing at a rapid speed of 200 records per second. We only need to wait.
8) we can open a new terminal window when # data reaches
When there are 10000, you can test and crack the password. Many passwords can be around 10000 # Even if data is generated
Run in the new window:
Aircrack-ng-N 64-B ap_mac name-01.ivs
To explain,
-B ap_mac: the MAC address of the AP of the other side
Name-01.ivs is actually a file automatically generated in step 3,
If you run step 3 multiple times, you may generate multiple name-XX.ivs files,
You can look at the corresponding folder (in the first folder icon on the desktop) and find the largest XX file that you are currently using.
After running, if you are lucky, the cracked password will be displayed and
The corresponding assic code. If it is not a standard assic code, it is a string of numbers.
In bad luck, this program will continue to wait for more # data. When it arrives, it will re-calculate the password.
However, I have also tried to calculate the number of 0.3 million # data, which is really amazing.
Summary:
This tutorial only applies to WEP
Password cracking, and it is best to have the authenticated client connection on this AP, if not, some AP (such as TP-LINK) can be cracked, some may not be able to crack.
This tutorial also provides a method to simulate MAC addresses to crack Mac restrictions.
If you need your AP to be hard to crack, we recommend that you:
1) The WPA encryption method and the password that cannot be guessed by the dictionary are basically reliable.
2) If only WEP encryption is supported, try to hide it.
SSID method, which increases the difficulty of cracking
3) If only
If WEP is encrypted, you can consider using a Chinese name as the SSID.
4) When cracking, you may choose frequently-used channels, such as Channel 6,
When the third step shows the channel, your AP will also be listed. When the first target fails, hackers will often choose the second target that is easy to start,
However, if you choose,
4. For these strange channels, Hackers tend to be too reluctant to re-enter the monitoring mode of the channel, and you will be able to escape. However,
Some low-cost APS tend to Optimize Channel 6, which has the strongest signal... this is no way.
5) change your password if you have time :)
Note: after connecting to the network, you can manage the AP and perform some optimization. Generally, the AP password may be the WEP password.
I tried the latest version of hard drive for Ubuntu the other day.
Heron (the resolute Heron), and tested the WEP cracking. Write it for a bit.
First of all, I declare that there are too many tutorials and experiences on the internet, and I have succeeded by referring to the practices on the Internet. Therefore, I will not detail the process here, but I will only mention the difficulties and solutions I have encountered.
There are several methods to crack WEP:
1. Linux + wireless network adapter + driver working in monitor mode +
Cracking software (aircrack, etc.); [first choice]
2. Windows + newer drivers (in listening mode) + packet capture software (omnipeek) +
WEP cracking software (such as winaircrack and aircrack-ng for Win );
3. Windows + commview driver + wireless Nic supported by driver +
The software for cracking is airowizard, which adds a good interface for aircrack-ng and integrates the commview driver. It is difficult to download the software from the Internet because the defendant, this project has been stopped, but as long as you find it, it can always be downloaded. I have airowizard
1.0 Beta revision 250. Leave an email if you want it;
4. Windows + USB wireless Nic + VMware + backtrack 3 ISO;
5. Directly engrave a wireless network card supported by live CD + CD with WEP cracking software.
Note: The first method is the best and most flexible, and can be cracked in windows. If you are using Intel
For the 3945abg Nic, I advise you to use Linux: although Intel's new drivers support passive listening, they do not support active attacks. If you can find an AP with high traffic, you can try it. Otherwise, you will catch a full-day package, and you will not be able to crack the 64-bit WEP.
Airowizard seems to be the next good method for windows, but you look at the commview driver Nic support list will be disappointed: http://www.tamos.com/products/commwifi/adapterlist.php
However, the software interface airowizard is really good. If you have enough WEP packages, you may be bored with the aireplay, airodump, and aircrack commands. If you only need a good GUI, this is a good choice.
The fourth method requires a USB wireless network card, and the Linux Command is still required after VMware is used into the system.
The fifth method is the quickest way, but make sure that the CD has your NIC Driver. Otherwise, you will have a CD that will never be used in the future.
I tried 2, 3, and 5, but both failed. 2 was successful, but I was not patient with the packet capture. The following is a brief introduction to 1.
When there are too many threads, there are too many threads, too many threads.
When there are too many threads, there are too many threads, too many threads
When there are too many threads, there are too many threads, too many threads.
Ubuntu 8.04 Lts hard disk installation:
We recommend that you use a hard disk instead of a CD. Because the Linux version is updated too quickly, it will be useless after several months.
I used wingrub + ubuntu8.04 alternative.
CD, install 8.04, you may encounter livecd startup failure, then try adding "all_generic_ide" in grub
Floppy = off
Irqpoll "may be fine. If the disk is started, press F6 first and then enter the parameter.
I used ubuntu8.04 live at the beginning.
CD, no driver for life and death, no kernel parameters have been tried, no use, and later changed to alternative
CD can be installed. The ghost knows why ......
Wingrub is easy to use. Be sure to install it in "boot. ini" and install alternative.
The CD should be down from the Internet
Vmlinuz and initrd files. There are a bunch of online tutorials. You just need to search for one.
When there are too many threads, there are too many threads, too many threads.
When there are too many threads, there are too many threads, too many threads
When there are too many threads, there are too many threads, too many threads.
WEP cracking: I only have one local library, so I only know that the Intel 3945abg Nic can do this:
1. After talking about this, the most important thing is the driver. No driver can do anything. aircrack-ng also has a driver support list, fortunately, Intel series NICs are supported. However, the hard drive is iwl3945, which is not supported by aircrack! If you try to run the airodump command, you will find an error. If you need to install the ipwraw driver, you will find it on the Internet. I have installed a version of, which can be used normally;
2. Make & make install
& Makeinstall_ucode (firmware, firmware), refer to readme (note that you should first build
Optional values );
3. Install aircrack-ng and use apt-Get In ubuntu to search for it. This is really convenient.
4. the following commands are most basic for the official start of cracking:
Modprobe-r ipw3945 uninstall ipw3945 driver
In the Intel folder of ipwraw, run./load to load the ipwraw driver.
Airodump-ng wifi0: View information about all wireless networks, including Essid and bssid.
Airodump-ng-W out-B x: X wifi0
Then run aireplay-ng with a new terminal. This is the essence of aircrack.
Aircrack-ng
Out-01.cap, aircrack is very intelligent, can run with airodump-ng at the same time, select the AP you want to crack as prompted on the line.
When there are too many threads, there are too many threads, too many threads.
When there are too many threads, there are too many threads, too many threads
When there are too many threads, there are too many threads, too many threads.
It's too easy to crack WEP. It may take several hours for you to crack it for the first time (I spent several days ......), However, if you are proficient in cracking a 64-bit WEP, 5 minutes will be enough, and 128-bit will be handled in about 10 minutes.
Can WPA be cracked ?? I have also found a lot of materials in this area, but the only method I can find is bruteforce.
Attack (brute-force cracking) is a password attempt. It is easy to find weak passwords. It depends on a good password dictionary file, the aircrack-ng computing speed is about several hundred kb/s, but it requires a complete handshake, so you need to use it with aireplay. I tried it several times, all of them are not cracked. In short, WPA is much safer than WEP.
Over. just steal the Internet. Don't do anything bad!
BTW: The aircrack-ng website seems to have been gfwed, so you can find a foreign proxy.
Method 2 for cracking WPA Encryption
WPA is a standard-based and interoperable WLAN Security Enhancement solution that greatly enhances the data protection and access control levels of existing and future wireless LAN systems. WPA is derived from the IEEE802.11i standard being developed and will maintain forward compatibility with it. If the deployment is appropriate, WPA ensures that the data of WLAN users is protected and only authorized network users can access the WLAN Network.
If you have read my basic 1, I won't be so arrogant here. I wrote the command directly. If you haven't read it, you can read it. I am reading this article.
Article address: http://www.china-wifi.com/forum/read.php? Tid = 612
Command:
I want to collect AP data packets with 6 channels and save the data as Meimei, while the interface of my Nic is ATH0.
Quote:
./Airodump ATH0 Meimei 6
Then use the dictionary for brute force cracking.
Dictionary download: http://www.openwall.com/wordlists
There is a free, paid dictionary, 0.4 million Password
Quote:
./Aircrack-a 2-B 00: 23: 1f: 55: 04: BC-W/path/to/wordlist
Of course, the chance of success with the dictionary is big or small.
Then we use aireplay for ARP injection and cracking.
Quote:
./Aireplay-3-B <AP MAC address>-H <client MAC address> ATH0
Interactive Packet Attack
Quote:
Aireplay-2-B <AP Mac>-H <client Mac>-N 100-P 0841-C
FF: FF ATH0
You can also use fake authentication to crack
Quote:
./Aireplay-1 30-e '<Essid>'-A <bssid>-H <fake mac> ATH0
If yes
Quote:
23:47:29 sending authentication request
23:47:29 authentication successful
23:47:30 sending Association Request
23:47:30 Association successful
If the filter fails, the target user may use Mac filtering.
In this case, you need to find a MAC address that can be authenticated to cheat.
Deauthentication attack
Force a connected client to be disconnected, and then impersonate the other party to connect to the AP
Quote:
Aireplay-0 5-A <AP Mac>-C <client Mac> ATH0
And then use the dictionary to crack it.
I personally understand that it has more encryption than WEP.
