Chinaunix forum thread, started by ziggler

【BT wep/wpa crack】

#121, posted 2009-08-13 09:29

Reply to ziggler's post #118

I think the problem can now roughly be pinpointed. First, bt3 boots via DOS. I simulated this flow with other DOS boot disks. On the d600, booting into DOS can detect the USB stick and access the files on it. On the t40 and 300m, booting into DOS can detect the USB stick but cannot access the files on it.
That explains why it can boot from the USB stick (because the stick is found) but gives a boot error (because the files cannot be read).

#122, posted 2009-08-13 09:47

Reply to aredfox's post #121

My understanding is that BOOT ERROR means it is not a boot disk. BOOTINSTALL.bat needs to be run again.

#123, posted 2009-08-13 09:48

Reply to ziggler's post #120

OS is FAT32; I formatted the USB stick as FAT32, made the boot disk, and it worked.

It seems some of the problems lie between different file system formats; maybe some files got corrupted?

#124, posted 2009-08-13 11:31

1. spoonwep is really just a point-and-click cracking tool built on top of the aircrack tool suite. It saves the trouble of repeatedly typing commands in a shell and doesn't demand much technical skill from the cracker, but honestly it tends to make people lazy; anyone who wants more technical depth should put more effort into Linux itself.
2. I have also watched the related animated tutorials, but when scanning for APs I usually don't choose fixed channel mode; I just go with the default channel hopping mode, let all WEP-encrypted APs show up, and then pick the ones with a high power value to crack.
3. Besides, there is no need to care at all whether a client is present; I always choose to crack in no-client mode. This may be thanks to the "card king" adapter: the fake authentication (virtual connection) succeeds almost 100% of the time, and the association completes almost instantly.
4. The injection modes correspond to the aireplay-ng command in the aircrack suite:
the first is -3, ARP injection,
the second is -2, interactive injection,
the third is -4, chopchop injection,
the fourth is -5, fragmentation injection.
My experience is to choose fragmentation injection first; it is the fastest injection attack, and as I recall, when cracking manually the key shows up during the attack itself, but I had never used it before.
Next I try ARP injection; as long as the fake authentication succeeds and the power value is high, this method is also fairly effective and fast, because once enough IVs are collected the key can be cracked.
In most cases interactive injection works best, because its injection success rate is the highest, but its drawback is that it only succeeds against 64-bit encryption; against 128-bit APs there is no solution: you only see the IV count shoot up without the key ever being cracked. I ran into one AP where the IV count hit 800,000 and the capture file was a frightening 57 MB, and it was still no use. Later I noticed that in this injection mode the window shows a line reading "return modified packets". Packets returned after being modified? Does this injection mode involve altering the packets? Honestly, when working manually I rarely use the -2 interactive injection attack and don't know much about it; experts, please advise. But that wild guess is what made me settle on chopchop injection. In the past I basically always cracked WEP manually this way, but it is very tedious and a test of one's patience; it often gets stuck while writing the .xor file and you have to start over. Overall, though, this method feels very reliable and the IV count climbs very fast; generally, once the .xor file is obtained, you can consider the crack within reach. So it is the last resort, but you must be patient, because the IV count grows very slowly at first; from past experience that is when the .xor file is being written. Sure enough, after a while the IV count started to soar, and it finally cracked after 30,000 IVs: a 128-bit key.
5. To sum up, my experience is that if the IV count passes 30,000 and the key still won't crack, give up quickly and switch injection mode.
The most efficient is the interactive attack (that is, the p0841 replay attack), but it only works on 64-bit WEP keys;
the most stable is the chopchop attack (chopchop & forge attack), especially effective on 128-bit or more complex WEP keys; between the two is fragmentation injection, but it is the first choice: if this attack succeeds, everything is fine;
otherwise choose interactive next and chopchop last. As for ARP, I always just give it a try; if it works, it works, but I don't expect too much, because my manual cracking experience tells me it demands a high power value.
Notes on using spoonwep cracking modes - sql_2005's column - CSDN Blog (13 August 2009)
http://blog.csdn.net/sql_2005/archive/2009/03/18/4001633.aspx

#125, posted 2009-08-13 12:18

ARP attack

The basic function of the ARP protocol is to look up a target device's MAC address from its IP address so that communication can proceed. Exploiting this property of ARP, an attacker keeps sending forged ARP packets to the victim's computer; the packets carry a MAC address that duplicates the current device's, so that when the victim responds, a simple duplicate-address error prevents normal network communication.


    Usually a computer under ARP attack shows two symptoms:
    1. A dialog box keeps popping up saying "the hardware address of segment XXX on this machine conflicts with the segment XXX address on the network".
    2. The computer cannot access the network normally; the connection appears to drop.


    Because this attack uses ARP request packets to "spoof", a firewall mistakes them for normal request packets and does not block them. Ordinary firewalls therefore have a hard time stopping this attack.


What is an ARP attack? What does ARP attack mean? | IT168 Security (13 August 2009)
http://safe.it168.com/a2009/0419/272/000000272643.shtml
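The symptom the article above describes (one IP answered by two different MACs) is also what a passive ARP monitor looks for on the wire. The following is an added example, not code from the thread or from the cited article: it parses ARP reply lines (constructed here, in the shape of tcpdump's `ARP, Reply <ip> is-at <mac>` output) and raises an alert whenever an IP's MAC changes from the first binding it saw, or from a trusted table the operator seeds.

```python
"""Detect IP-to-MAC flips in observed ARP replies (arpwatch-style).

Added example, not from the forum thread. The log lines are constructed;
their layout mimics tcpdump's ARP reply output but nothing here was captured.
"""
import re

# Matches lines like:
# 12:00:40.000500 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample: the gateway 192.168.1.1 is legitimately served by
# aa:bb:cc:00:00:01; from 12:00:40 a second host starts answering for it.
SAMPLE_LOG = """\
12:00:00.000100 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:10.000200 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:30.000300 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:30.000400 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:40.000500 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:41.000600 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:50.000700 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
"""


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; requests are ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_flips(replies, trusted=None):
    """Return (bindings, alerts).

    bindings maps IP -> the MAC bound to it (seeded from `trusted`, otherwise
    the first MAC seen). alerts holds one dict per reply whose MAC differs
    from that binding, so a spoofing flood shows up as a burst of alerts.
    Seeding `trusted` matters: a monitor started while an attack is already
    under way would otherwise learn the rogue MAC as the legitimate one.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append({"ts": ts, "ip": ip, "expected": known, "seen": mac})
    return bindings, alerts


def audit_log(text, trusted=None):
    """Convenience wrapper: parse then detect."""
    return detect_arp_flips(parse_arp_replies(text), trusted)


if __name__ == "__main__":
    _, alerts = audit_log(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ts']} {a['ip']}: expected {a['expected']}, saw {a['seen']}")
```

On a real network the same check is what switch-side Dynamic ARP Inspection or static ARP entries on the gateway enforce; this script only makes the flip visible, it does not block it.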

#126, posted 2009-08-13 13:16

It seems my earlier usage wasn't quite right: when a client was present I used P0841 REPLAY ATTACK.

spoonwep

The first drop-down menu has 4 options; the last 3 can all be used as no-client attack modes, where:
ARP REPLAY ATTACK                (use when a client is present)  ARP injection
P0841 REPLAY ATTACK              (third choice)                  interactive injection
CHOPCHOP & FORGE ATTACK          (second choice)                 chopchop injection
FRAGMENTATION & FORGE ATTACK     (first choice)                  fragmentation injection
The second drop-down menu has 3 options, where:
??? LENGTH          (key length not specified, first choice)
128 BITS LENGTH     (128-bit key specified, third choice)
64 BITS LENGTH      (64-bit key specified, second choice)
The Inj Rate to the right of the two drop-downs is the number of packets sent per second; the default 600 is fine.
After choosing both drop-downs, click the LAUNCH button on the left to start automatic cracking.

The fastest option when a client is present (the item the software shows with a checkmark) is the first one, ARP REPLAY ATTACK.
Source: http://www.anywlan.com/bbs/thread-18033-1-1.html

[ This post was last edited by ziggler on 2009-8-13 13:17 ]

#127, posted 2009-08-13 13:41

I can't seem to capture any IVs !
Possible reasons:
You are standing too far from the access point.
There is no traffic on the target wireless network.
There is some G traffic but you're capturing in B mode.
Something is wrong with your card (firmware problem ?)
By the way, beacons are just unencrypted announcement packets. They're totally useless for WEP

#128, posted 2009-08-13 13:45

Field: Description

BSSID: MAC address of the access point.

PWR: Signal level reported by the card. Its meaning depends on the driver, but as the signal gets higher you get closer to the AP or the station. If PWR == -1, the driver doesn't support signal level reporting.

Beacons: Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.

# Data: Number of captured data packets (if WEP, unique IV count), including data broadcast packets.

CH: Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump is not hopping, because of radio interference.

MB: Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22 it's 802.11b+; higher rates are 802.11g.

ENC: Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between WEP and WPA), WEP (without the question mark) indicates static or dynamic WEP, and WPA if TKIP or CCMP is present.

ESSID: The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump will try to recover the SSID from probe responses and association requests.

STATION: MAC address of each associated station. In the screenshot above, two clients have been detected (00:09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).
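The column descriptions above are also what you need to turn a site survey into a list of networks that should not be on your premises. The following is an added example, not code from the thread or from the aircrack documentation: it parses a scan listing in the screen layout the post documents (the listing is constructed, not a real capture) and flags open networks, WEP, "WEP?" rows where airodump could not yet tell WEP from WPA, and hidden SSIDs, plus rows where PWR is -1 so the operator knows the signal column is meaningless for that driver.

```python
"""Audit an airodump-style scan listing for weak or undetermined encryption.

Added example, not from the thread or the aircrack-ng project. The listing
below is constructed in the column layout described in the post (BSSID, PWR,
Beacons, # Data, CH, MB, ENC, ESSID); none of these networks are real.
"""

SAMPLE_AIRODUMP = """\
 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
 00:13:10:30:24:9C   62      812     1533   6  54  WEP   legacy-office
 00:14:BF:11:22:33   -1      204       19  11  54  WPA   guest wifi
 00:0F:66:AA:BB:CC   48      101        3   1  11  OPN   printer-net
 00:1A:70:DD:EE:FF   55      450       60   6  54  WEP?
 00:18:F8:01:02:03   70      990      420  11  54  WPA   corp
"""

COLUMNS = ("bssid", "pwr", "beacons", "data", "ch", "mb", "enc", "essid")


def parse_airodump(text):
    """Return one dict per access-point row; the header line is skipped.

    The ESSID is the remainder of the line (it may contain spaces). A hidden
    SSID leaves the row with only seven tokens, so it becomes "".
    """
    aps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("BSSID"):
            continue
        parts = line.split(None, 7)
        if len(parts) == 7:
            parts.append("")
        row = dict(zip(COLUMNS, parts))
        for key in ("pwr", "beacons", "data", "ch", "mb"):
            row[key] = int(row[key])
        aps.append(row)
    return aps


def audit(aps):
    """Map BSSID -> list of issue codes for every AP that has at least one."""
    findings = {}
    for ap in aps:
        issues = []
        enc = ap["enc"]
        if enc == "OPN":
            issues.append("open")         # no encryption at all
        elif enc == "WEP":
            issues.append("wep")          # static/dynamic WEP: key recoverable from captured IVs
        elif enc == "WEP?":
            issues.append("wep-or-wpa")   # not enough data yet to tell; rescan longer
        if ap["essid"] == "":
            issues.append("hidden-ssid")  # hiding the SSID is not a security control
        if issues:
            findings[ap["bssid"]] = issues
    return findings


def signal_unknown(aps):
    """BSSIDs whose PWR is -1, i.e. the driver does not report signal level."""
    return [ap["bssid"] for ap in aps if ap["pwr"] == -1]


if __name__ == "__main__":
    scan = parse_airodump(SAMPLE_AIRODUMP)
    for bssid, issues in audit(scan).items():
        print(bssid, ", ".join(issues))
    for bssid in signal_unknown(scan):
        print(bssid, "PWR not reported by driver")
```

A "WEP?" row is not a finding by itself; it means the scan has not yet seen enough data frames, so the right response is to capture longer and re-run the audit rather than to classify the network either way.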

#129, posted 2009-08-13 13:46

How do I change my card's MAC address ?
This operation is only possible under Linux. For example, if you have an Atheros card:
ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up
If it doesn't work, try to eject and re-insert the card.

#130, posted 2009-08-13 13:58

I don't see a description of -5.

Attack 2: interactive packet replay
This attack allows you to choose a given packet for replaying; it sometimes gives more
effective results than attack 3 (automatic ARP reinjection).
You could use it, for example, to attempt the "any data re-broadcast" attack, which only
works if the AP actually reencrypts WEP data packets:
aireplay -2 -b 00:13:10:30:24:9C -n 100 -p 0841 \
-h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0
You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose
size is either 68 or 86 bytes (depending on the operating system):
aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0
aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
Attack 3: ARP-request reinjection
The classic ARP-request replay attack is the most effective to generate new IVs, and works
very reliably. You need either the MAC address of an associated client
(00:09:5B:EB:C5:2B), or a fake MAC from attack 1 (00:11:22:33:44:55). You may have to
wait for a couple of minutes, or even longer, until an ARP request shows up; this attack will
fail if there is no traffic.
Please note that you can also reuse ARP requests from a previous capture using the -r
switch.
aireplay -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...
Attack 4: KoreK's "chopchop" (CRC prediction)
This attack, when successful, can decrypt a WEP data packet without knowing the key. It
can even work against dynamic WEP. This attack does not recover the WEP key itself, but
merely reveals the plaintext. However, most access points are not vulnerable at all. Some
may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This
attack requires at least one WEP data packet.
1. First, we decrypt one packet:
aireplay -4 -h 00:09:5B:EB:C5:2B ath0
Let's have a look at the IP address:
tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type [...]
IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
2. Then, forge an ARP request.
The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2)
must respond to ARP requests. The source MAC must belong to an associated station.
./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
3. And replay our forged ARP request:
aireplay -2 -r arp.cap ath0