Aircrack-ng
0. What is Aircrack-ng?
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the all-new PTW attack, which makes the attack much faster than other WEP cracking tools. More broadly, Aircrack-ng is a set of tools for auditing wireless networks.
You can download the Debian package of aircrack-ng from this link.
1. Check Access Points and Ad-Hoc cells in range
The iwlist command displays detailed information from wireless network interfaces. We use it to obtain a list of the Access Points and Ad-Hoc cells in range, along with a good deal of information about each of them (ESSID, Quality, Frequency, Mode, ...):
iwlist wlan0 scan
From the output we can identify the type of encryption used by each network, so this is definitely the first step on our way.
2. Prepare the wireless LAN interfaces
You should always start by confirming that your wireless card can inject packets.
If you have a Ralink chipset and need the rt73usb driver, download this driver (do not use the one in Debian, because you will not be able to inject packets!). Compile it and install it following the simple instructions in the Readme file. Load the driver with:
modprobe rt73
It is good to have two wireless LAN interfaces up and running.
Now we are ready for the first test: the injection test. Before running any of the tests we must set our cards to monitor mode and to the desired channel with airmon-ng.
3. Monitor Mode
First step: to put the interface into monitor mode, right-click on the network icon in Gnome and de-select "Enable Networking" (so that networking is disabled). It is very important to stop all connection managers prior to using the aircrack-ng suite. In general, disabling "Wireless" in your network manager should be enough, but sometimes you have to stop them completely. This can be done with:
airmon-ng check kill
We make sure no monitor interface is already running with:
sudo iwconfig
If some device (e.g., mon1) is already up, we stop it with:
airmon-ng stop mon1
Now we start both cards on a certain channel (e.g., channel 11) (in my case, for mysterious reasons, I have to start wlan1 prior to wlan0 to avoid problems in the injection tests):
sudo airmon-ng start wlan0 11
sudo airmon-ng start wlan1 11
As we can see from the messages on the screen, wlan0 becomes mon0 and wlan1 becomes mon1. mon0 and mon1 are the names to be used from now on.
4. Injection test
This is a basic test to determine whether a card successfully supports injection:
aireplay-ng -9 mon0
You can also test against a hidden SSID, or a specific SSID, with the following command:
aireplay-ng --test -e teddy mon0
If airodump-ng shows APs but they don't respond: the injection test uses broadcast probe requests, and not all APs respond to broadcast probe requests, so the test may fail because the APs are ignoring the broadcast packets. Also, you can quite often receive packets from APs further away than your card can transmit to, so the test may fail because your card cannot transmit far enough for the AP to receive it. In both cases, try another channel with multiple APs, or try the specific SSID test described above.
5. Airodump-ng
Airodump-ng captures raw 802.11 frames and is particularly suitable for collecting WEP IVs for later use with aircrack-ng. Additionally, airodump-ng writes out several files containing the details of all access points and clients seen. For instance, we can run:
sudo airodump-ng --output-format csv --write csv mon0
to get that information in CSV form.
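Steps 1 and 5 both come down to the same audit question: which networks in range still run with weak or no encryption, and which clients are attached to them. The Python example below is an added one, not part of this guide or of the Aircrack-ng suite: it parses the CSV that airodump-ng --write csv produces (an access-point table, a blank line, then a station table), flags APs whose Privacy column reports WEP or OPN, and lists the stations seen associated with them. The CSV text is constructed for the example and reuses MAC addresses that appear in this guide.

```python
import csv
import io

# Constructed airodump-ng CSV sample (not a real capture). airodump-ng writes
# an access-point table, a blank line, then a station table, with ", " as
# the separator and an empty trailing Key column.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-01-01 12:00:00, 2009-01-01 12:05:00, 11, 54, WEP, WEP, , -45, 120, 3500, 0. 0. 0. 0, 5, teddy, 
AA:BB:CC:00:00:01, 2009-01-01 12:00:00, 2009-01-01 12:05:00, 6, 54, WPA2, CCMP, PSK, -60, 80, 0, 0. 0. 0. 0, 9, corp-wifi, 
AA:BB:CC:00:00:02, 2009-01-01 12:00:00, 2009-01-01 12:05:00, 1, 54, OPN, , , -70, 40, 0, 0. 0. 0. 0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:FD:FB:C2, 2009-01-01 12:00:00, 2009-01-01 12:05:00, -50, 210, 00:14:6C:7E:40:80, teddy
"""

WEAK = {"WEP", "OPN"}  # no encryption, or encryption aircrack-ng can break

def parse_airodump_csv(text):
    """Return (access_points, stations): one dict per row, keyed by the
    column names of the table the row belongs to."""
    aps, stations, header = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not any(row):            # blank line: the next row is a new header
            header = None
            continue
        if header is None:
            header = row
            continue
        table = aps if header[0] == "BSSID" else stations
        table.append(dict(zip(header, row)))
    return aps, stations

def weak_access_points(aps):
    """(BSSID, ESSID, Privacy) for APs whose Privacy column lists WEP or OPN.
    Privacy may hold several tokens (e.g. 'WPA2 WPA'), so check each one."""
    return [(ap["BSSID"], ap["ESSID"], ap["Privacy"]) for ap in aps
            if any(tok in WEAK for tok in ap["Privacy"].split())]

def clients_of(stations, bssid):
    """Station MACs airodump-ng saw associated with the given BSSID."""
    return [st["Station MAC"] for st in stations if st["BSSID"] == bssid]

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, essid, privacy in weak_access_points(aps):
        print(f"{bssid} {essid!r}: {privacy}, clients {clients_of(stations, bssid)}")
```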
6. Using aireplay-ng to deauthenticate the wireless client
It is as simple as this:
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
where -a is the MAC address of the AP and -c the MAC address of the client or station "under attack".
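Deauthentication is also what a wireless IDS watches for: the command above produces a burst of 802.11 management frames of subtype 12, addressed from the AP's MAC to the client. The Python example below is an added one, not part of this guide or of Aircrack-ng; it decodes the 802.11 MAC header of captured frames and flags transmitter/receiver pairs whose deauthentication count reaches a threshold (the threshold of 5 is an assumption). The capture is constructed inline from the AP and client MACs in the command above.

```python
import struct
from collections import Counter

# 802.11 frame control byte 0: bits 2-3 = type, bits 4-7 = subtype.
MGMT, DEAUTH = 0, 12            # management frame, deauthentication subtype

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Decode the 802.11 MAC header fields needed for deauth detection.
    Returns (type, subtype, receiver, transmitter, bssid, reason); reason is
    None unless the frame is a deauthentication frame carrying a reason code."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    rx, tx, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = None
    if ftype == MGMT and subtype == DEAUTH and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return ftype, subtype, rx, tx, bssid, reason

def deauth_counts(frames):
    """Number of deauthentication frames per (transmitter, receiver) pair."""
    counts = Counter()
    for ftype, subtype, rx, tx, _, _ in map(parse_frame, frames):
        if ftype == MGMT and subtype == DEAUTH:
            counts[(tx, rx)] += 1
    return counts

def flag_deauth_flood(frames, threshold=5):
    """Pairs whose deauth count reaches the threshold (an assumed value): a few
    deauths are normal roaming noise, a burst from one BSSID to one client is
    the signature of a forced disconnection."""
    return {pair: n for pair, n in deauth_counts(frames).items() if n >= threshold}

# Constructed sample capture (not a real trace), reusing the AP and client MACs
# from the aireplay-ng command above.
AP, CLIENT = bytes.fromhex("00146c7e4080"), bytes.fromhex("000fb5fdfbc2")
BROADCAST = b"\xff" * 6
# Beacon: FC 0x80, duration, DA=broadcast, SA=BSSID=AP, seq ctrl, abbreviated body.
BEACON = b"\x80\x00\x00\x00" + BROADCAST + AP + AP + b"\x10\x00" + b"\x00" * 12
# Deauth: FC 0xC0, duration, DA=client, SA=BSSID=AP, seq ctrl, reason code 7.
DEAUTH_FRAME = b"\xc0\x00\x3a\x01" + CLIENT + AP + AP + b"\x00\x00" + b"\x07\x00"
CAPTURE = [BEACON] + [DEAUTH_FRAME] * 12 + [BEACON]

if __name__ == "__main__":
    for (tx, rx), n in flag_deauth_flood(CAPTURE).items():
        print(f"ALERT: {n} deauthentication frames from {tx} to {rx}")
```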
7. Changing the MAC address
It is useful to know how to change the MAC address of our card. To see all interfaces detected by your system, as well as their MAC addresses and hardware names, type the following command:
sudo ip addr
Here is sample output:
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 4c:22:d0:b8:78:ae brd ff:ff:ff:ff:ff:ff
3: wlan0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:19:7e:53:8c:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.18/24 brd 192.168.1.255 scope global wlan0
    inet6 fe80::219:7eff:fe53:8ca3/64 scope link
       valid_lft forever preferred_lft forever
It shows three interfaces: lo, eth0 and wlan0 (these are their hardware names). The MAC (hardware) address is shown on the link/ether line, e.g. the current MAC address of eth0 is 4c:22:d0:b8:78:ae.
7.1 Using ifconfig
To change the MAC address using ifconfig, type the following commands:
ifconfig [interface name] down
ifconfig [interface name] hw ether [new MAC address]
ifconfig [interface name] up
Example:
ifconfig eth0 down
ifconfig eth0 hw ether 1A:2B:3C:4D:5E:6F
ifconfig eth0 up
and verify the changes.
7.2 Macchanger console utility
Install macchanger with:
sudo aptitude install macchanger
Once installed, it can not only set a specified MAC address but also:
* change the MAC to a random value
* apply a MAC from a list of vendors
For example, to change the MAC address of the interface to a hardware address belonging to Linksys, you can do the following:
macchanger --list=linksys
It will show that Linksys MAC addresses start with 00:0f:66. Now change the MAC address of the interface:
sudo ifconfig eth0 down
sudo macchanger -m 00:0f:66:4e:16:88 eth0
sudo ifconfig eth0 up
You will see the following output if the MAC address was changed successfully:
Current MAC: 4c:22:d0:b8:78:ae (unknown)
Faked MAC: 00:0f:66:4e:16:88 (Cisco-linksys)
Please note that the above ways of changing the MAC address in Debian are not persistent: the normal hardware address will be restored once you reboot.