Right now I'm in a hostel in the city of Salta, where Sebastian Del Prado, Pedro Cacivio and I came to give a forensics seminar, held on Nov. 5 at the UNSA university. It was very well attended and the audience was receptive to the information we could give. Some of the topics: Del Prado showed everything forensic on Windows and the key concepts of how to act in an attack scenario to collect all the information (take photos, collect volatile information, flash drives, disks, access logs, etc.). Pedro and I showed attacks on Linux servers and, in the scenario of a hacked machine, what traces the attacker may have left, planting a honeypot, the syslogd daemon, the apache log, etc. But anyway, this article I'm writing is about wireless hacking.
First of all I want to show an image I captured today, riding around in a truck while looking for the hostel. Look at the number of APs using WEP encryption there.
Well, now let's see how we can break WEP encryption. At about 2:30 in the morning I had a little problem: the girl who works nights at the hostel did not have the WiFi key, and only the girls in the morning knew it. I could not believe it!!!! I wanted to send some miserable message and I have no credit, so, hands on, let's break it. First you need the aircrack package; run this as root:
# aptitude install aircrack-ng
Perfect. Once it is installed we can begin.
Step one: we put our IEEE 802.11 network card in promiscuous mode (what airmon-ng calls monitor mode). To check which IEEE 802.11 network card we have, run
# iwconfig
Now, to put it in promiscuous mode:
# airmon-ng start wlan0
In my case my wireless card is called wlan0; put the name of yours there.
Step two is to start listening to the air. Run this:
# airodump-ng mon0
(mon0 is the name airmon-ng gave my card when it printed "(monitor mode enabled on mon0)".)
 CH  6 ][ Elapsed: 20 s ][ 11/07/2009 4:15

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:22:33:32:9E:70  -84       32     27    0   1  54e  WEP  WEP         hostal la Linda

 BSSID              STATION            PWR  Rate  Lost  Packets  Probes

 00:22:33:32:9E:70  00:1F:3C:A4:8C:8C    0     0    28   0e-1e   hostal la Linda
And what is all this? In this case there is only one AP within radio range that my machine can sniff. The BSSID column is the MAC of the AP. Then we have ENC = WEP (the encryption type), and the ESSID field is the name of the network, which is our nice hostel.
In the third row there are more fields, which show the machines connected to each AP. That is, in this case the AP with BSSID = 00:22:33:32:9E:70 has one machine connected to it, the STATION = 00:1F:3C:A4:8C:8C.
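Reading this table by eye works for one AP, but when you are auditing your own site for access points that still run WEP (or no encryption at all) it is easier to parse airodump-ng's screen output and list them with their attached stations. The following parser is an added example written for this post, not code from the original article or from the aircrack-ng project. It assumes the column layout shown above (AP rows: BSSID, PWR, Beacons, #Data, #/s, CH, MB, ENC, then an optional CIPHER and AUTH, then the ESSID; station rows: BSSID, STATION, then the rest), and the sample text embedded in it is constructed for the example, reusing the hostel's AP from the listing above and adding two made-up networks with 02:00:... MAC addresses.

```python
"""Parse an airodump-ng screen dump and flag APs still using WEP or no encryption.

Added example for auditing your own network inventory; the column layout is the
one airodump-ng prints in the listing above, treated here as an assumption.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Values airodump-ng prints in the AUTH column; anything else after CIPHER is ESSID text.
AUTH_VALUES = {"PSK", "MGT", "OPN", "SKA"}
WEAK_ENC = {"WEP", "OPN"}


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    enc: str
    cipher: str
    auth: str
    essid: str
    data: int                      # the #Data column (captured data frames)
    stations: list = field(default_factory=list)


def parse_airodump(text):
    """Return {bssid: AccessPoint} from airodump-ng's two-table screen output."""
    aps = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CH "):
            continue                            # status line at the top
        if line.startswith("BSSID"):
            section = "sta" if "STATION" in line else "ap"
            continue
        if not MAC_RE.match(line):
            continue                            # e.g. "(not associated)" station rows
        tokens = line.split()
        if section == "ap" and len(tokens) >= 8:
            bssid, _pwr, _beacons, data, _rate, ch, _mb, enc = tokens[:8]
            rest = tokens[8:]
            cipher = auth = ""
            if enc != "OPN" and rest:           # open networks print no CIPHER
                cipher = rest.pop(0)
            if rest and rest[0] in AUTH_VALUES:  # an ESSID literally named "PSK" would be misread
                auth = rest.pop(0)
            aps[bssid] = AccessPoint(bssid, int(ch), enc, cipher, auth,
                                     " ".join(rest), int(data))
        elif section == "sta" and len(tokens) >= 2:
            bssid, station = tokens[:2]
            if bssid in aps:
                aps[bssid].stations.append(station)
    return aps


def weak_aps(aps):
    """APs whose ENC is WEP or OPN, in the order airodump-ng listed them."""
    return [ap for ap in aps.values() if ap.enc in WEAK_ENC]


def report(aps):
    """One human-readable line per weak AP, including the clients that would be exposed."""
    lines = []
    for ap in weak_aps(aps):
        clients = ", ".join(ap.stations) or "none seen"
        lines.append(f"{ap.bssid}  ch {ap.channel:2d}  {ap.enc:<4} "
                     f"{ap.essid!r}  clients: {clients}")
    return lines


# Constructed sample: the hostel AP from the listing plus two made-up networks.
SAMPLE = """
 CH  1 ][ Elapsed: 20 s ][ 2009-11-07 04:15

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:22:33:32:9E:70  -84       32       27    0   1  54e  WEP  WEP         hostal la Linda
 02:00:00:00:00:AA  -60       45      120    3   6  54e  WPA2 CCMP   PSK  cafe-wifi
 02:00:00:00:00:BB  -72       10        0    0  11  54   OPN              <length: 0>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:22:33:32:9E:70  00:1F:3C:A4:8C:8C    0    0e- 1e    28        0  hostal la Linda
 (not associated)   02:00:00:00:00:CC  -80    0 - 1      0        4  cafe-wifi
"""

if __name__ == "__main__":
    for line in report(parse_airodump(SAMPLE)):
        print(line)
```

Run it on a saved screen dump (or paste the SAMPLE) and every WEP or open AP comes out with the stations attached to it, which is the list of networks and clients that need to be moved to WPA2/WPA3 first.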
Sometimes when you run airodump-ng you can see many APs, but we only want one specific one, the one we are going to break. To lock ourselves onto the channel the target AP is working on, do this:
# airodump-ng -c 1 -w capture mon0
What did we do? First, -c 1 (channel) says to sniff only what is on channel 1, and -w capture (write) says to keep it in a file called capture. That file is what aircrack-ng will later need to break the key.
Step four: speed up the packet capture. The way is to re-inject ARP packets so that the client (STATION) resends its traffic and thus generates more. The command is this:
# aireplay-ng -3 -b 00:22:33:32:9E:70 -h 00:19:7D:1E:64:4A -x 700 mon0
Now, -3 is the attack type (read the aircrack-ng documentation): ARP request replay, which causes new IVs to be generated. If all this goes correctly you will get a screen similar to this one. You may have to wait a few minutes to see something like it.
This screenshot is back in the shell running airodump-ng -c 1 -w capture mon0, with the output of aireplay-ng overlaid on it; in this case the ARP injection is being generated successfully :). If you look at the airodump-ng output, the #Data field rises faster than before, and that is what we wanted xD.
If aireplay-ng had not managed this, we would have had to do a DoS against the connected station. Open another shell and execute:
# aireplay-ng -0 0 -a 00:22:33:32:9E:70 -c 00:19:7D:1E:64:4A mon0
This empties the client's cache so it re-authenticates. -a is the AP and -c is the CLIENT. Going back to the shell where aireplay-ng was running, it should then start doing the attack. (In my case I did not need the DoS, or deauthentication, since it injected ARP fine.)
Here is another image of the injection; notice how the DATA field grew.
Well, now we can only buy a coke and wait. I went for a walk to get to know Salta a little more. Once we have a high number in the DATA field (I did it with 234867), it is time to crack. First stop airodump-ng with ^C (Control + C). In the same shell execute this:
# aircrack-ng capture-01.cap
capture-01.cap is the file airodump-ng generated for me when I passed -w capture. In seconds we have the key. Here is the screen.
Moral: before trying all of this attack, at least try a few guesses related to the SSID. xD ..
Greetings.