SlideShare ist ein Scribd-Unternehmen logo

Aircrack

N
Nithin Sathees

CRACKING WIRELESS NETWORKS. CRACKING WEP, WPA PASSWORDS. SECURING WIFI NETWORKS

Internet
1 von 69
Downloaden Sie, um offline zu lesen
 Aircrack-ng suite – Suite of tools used to recover wireless encryptions keys and carry all sorts of attacks against wireless networks.
 Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.  It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
● WEP encryption flawed ● Integrity checks based on CRC ● Man-in-the-middle attacks possible o unilateral challenge-response used for authentication ● Clients do not authenticate APs ● Most APs insecure by default o standard passwords o open wireless
● Passive o Eavesdropping o Traffic Analysis ● Active o Masquerading o Replay o Message Modification o Denial of Service o Misappropriation
● Wireshark o Can read radio-level packets (using radiotap) ● Kismet ● Wifi Analyzer (Android) ● WiFinspect (Android) [needs root] ● KisMAC [Mac]
● Find My Router's Password (Android) [needs root] ● WiFi Key Recovery (Android) [needs root] ● FakeAP o generates lots of fake APs
● Aircrack-NG ● WepAttack ● WEPCrack ● coWPAtty ● Asleap ● THC-LEAPcracker ● Pyrit
Name Description aircrack-ng CracksWEP andWPA keys using dictionary attacks. airdecap-ng DecryptsWEP orWPA encrypted capture files with known key. airmon-ng Placing different cards in monitor mode. aireplay-ng Packet injector (Linux, andWindows with CommView drivers). airodump-ng Packet sniffer: Places air traffic into PCAP or IVS files and shows information about networks. airtun-ng Virtual tunnel interface creator.
packetforge-ng Create encrypted packets for injection. ivstools Tools to merge and convert. airbase-ng Incorporates techniques for attacking client, as opposed to Access Points airdecloak-ng removes WEP cloaking from pcap files airdriver-ng Tools for managing wireless drivers airolib-ng stores and manages ESSID and password lists and compute Pairwise Master Keys
airserv-ng allows you to access the wireless card from other computers. buddy-ng the helper server for easside-ng, run on a remote computer easside-ng a tool for communicating to an access point, without theWEP key tkiptun-ng WPA/TKIP attack wesside-ng automatic tool for recovering wep key.
 Due to the borderless nature of 802.11, security is an obvious concern.  WEP became the first attempt at security.  Serious weaknesses within the RC4 cryptographic implementation employed by WEP were quickly identified  These issues resulted in the immediate requirement for increased wireless security
 Unfortunately, due to the early adoption of wireless technologies, WEP is still in use by many companies and consumers alike.  the time it takes to crack WEP has been drastically reduced  That is, no implementation of WEP should be considered secure.
 Stands for Wi-Fi Protected Access  Created to provide stronger security  Still able to be cracked if a short password is used.  WPA 1 – Based on 3rd draft of 802.11i – UsesTKIP – Backward compatible with old hardware  WPA 2 –Based on 802.11i – Uses CCMP (AES) – Not compatible with old hardware
 Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
 Aircrack-ng can recover theWEP(Wired Equivalent Privacy) key once enough encrypted packets have been captured with airodump-ng.  This part of the aircrack-ng suite determines theWEP key using two fundamental methods.
 The first method is via the PTW approach (Pyshkin,Tews, Weinmann).  The default cracking method is PTW.  This is done in two phases.  In the first phase, aircrack-ng only uses ARP packets.
 If the key is not found, then it uses all the packets in the capture.  Not all packets can be used for the PTW method.  An important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys.  The main advantage of the PTW approach is that very few data packets are required to crack theWEP key.
 The second method is the FMS/KoreK method.  The FMS/KoreK method incorporates various statistical attacks to discover theWEP key and uses these in combination with brute forcing.  Additionally, the program offers a dictionary method for determining theWEP key.
 aircrack-ng [options] <capture file(s)> Option Param. Description -a amode Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK). -b Bssid Long version –bssid. Select the target network based on the access point's MAC address. -e essid If set, all IVs from networks with the same ESSID will be used.This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden). -p nbcpu On SMP systems: # of CPU to use.This option is invalid on non-SMP systems. -q none Enable quiet mode (no status output until the key is found, or not). -c none (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
-t none (WEP cracking) Restrict the search space to binary coded decimal hex characters. -h none (WEP cracking) Restrict the search space to numeric characters (0x30- 0x39)These keys are used by default in most Fritz!BOXes. -d start (WEP cracking) Long version –debug. Set the beginning of the WEP key (in hex), for debugging purposes. -m maddr (WEP cracking) MAC address to filterWEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network. -M number (WEP cracking) Sets the maximum number of ivs to use. -n nbits (WEP cracking) Specify the length of the key: 64 for 40-bitWEP, 128 for 104-bit WEP, etc.The default value is 128. -i index (WEP cracking) Only keep the IVs that have this key index (1 to 4).The default behaviour is to ignore the key index. -f fudge (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bitWEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.
-H none Long version –help. Output help information. -l file name (Lowercase L, ell) logs the key to the file specified. -K none Invokes the KorekWEP cracking method. (Default in v0.x) -k korek (WEP cracking)There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs.Try -k 1, -k 2, … -k 17 to disable each attack selectively. -p threads Allow the number of threads for cracking even if you have a non-SMP computer. -r database Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.
 Here are the basic steps we will be going through:  Start the wireless interface in monitor mode on the specific AP channel  Test the injection capability of the wireless device to the AP  Use aireplay-ng to do a fake authentication with the access point  Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs  Start aireplay-ng in ARP request replay mode to inject packets  Run aircrack-ng to crack key using the IVs collected
 The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is mode whereby your card can listen to every packet in the air.  Normally your card will only “hear” packets addressed to you.  By hearing every packet, we can later select some for injection.  As well, only (there are some rare exceptions) monitor mode allows you to inject packets.
 The purpose of this step ensures that your card is within distance of your AP and can inject packets to it.  Enter:  aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0  Where:  -9 means injection test  -e teddy is the wireless network name  -a 00:14:6C:7E:40:80 is the access point MAC address  ath0 is the wireless interface name
 The purpose of this step is to capture the IVs generated.This step starts airodump-ng to capture the IVs from the specific access point.  Open another console session to capture the generated IVs. Then enter:  airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0  Where:  -c 9 is the channel for the wireless network  --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminate extraneous traffic.  -w capture is file name prefix for the file which will contain the IVs.  ath0 is the interface name.
 In order for an access point to accept a packet, the source MAC address must already be associated.  If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext.  In this state, no new IVs are created because the AP is ignoring all the injected packets.
 The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network.  The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV.  Again, this is our objective, to obtain a large number of IVs in a short period of time.
 The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.  Two methods will be shown. It is recommended you try both for learning purposes.  By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method.  PTW method only works successfully with arp request/reply packets.  The other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ”--ivs” option.
 The basic idea is to capture as much encrypted traffic as possible using airodump.  EachWEP data packet has an associated 3-byte InitializationVector (IV)  After a sufficient number of data packets have been collected, run aircrack on the resulting capture file.  aircrack will then perform a set of statistical attacks
 The number of required IVs depends on the WEP key length, and it also depends on your luck.  Usually, 40-bitWEP can be cracked with 300.000 IVs, and 104-bitWEP can be cracked with 1.000.000 Ivs  if you're out of luck you may need two million IVs, or more.
 cracking WPA/WPA2 networks which use pre-shared keys  WPA/WPA2 supports many types of authentication beyond pre-shared keys.  aircrack-ng can ONLY crack pre-shared keys.
 There is another important difference between cracking WPA/WPA2 and WEP.  This is the approach used to crack the WPA/WPA2 pre-shared key.  Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2.
 That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack.  The only thing that does give the information to start an attack is the handshake between client and AP.
 When clients connect to a WPA encrypted network, they have a 4-way handshake with the router.  We need this 4-way handshake to recover the password.  We can crack the password offline once we get the handshake  Attack is completely passive on the router.
airmon-ng start wlan0  Tool used for putting your card into monitor mode  wlan0 = Wireless interface. You can find your wireless interface by typing “iwconfig” You should see “monitor mode enabled on mon0” somewhere.
airodump-ng mon0  Tool used to listen to wireless routers in the area  Look for any wireless networks that say WPA  Remember their BSSID and Channel
airodump-ng –-bssid 00:13:10:73:FC:C5 –c 6 –w dump mon0  --bssid is the mac address of the router  -c is the channel of the router  -w is where to save the dump file  dump is the file name Keep that running in it’s own terminal until a client connects
 Wait until a client connects  Alternatively, force a connected client to disconnect, making them reconnect and capturing their handshake.
 In airodump-ng, look in the top left.  You should see “WPA handshake <bssid>”  Now you are ready to crack.  Stop airodump-ng by pressing Control + c
 aircrack-ng will crack the password.We specify the bssid, the dump file, and a wordlist to guess the password with.  Wordlist = /pentest/database/sqlmap/txt/wordlist.txt  aircrack-ng –w <list> –b 00:13:10:73:FC:C5 dump*.cap  Aircrack-ng –w /pentest/databas
 Beacons :-Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.  CH:-Channel number (taken from beacon packets).  MB:-Maximum speed supported by theAP. If MB = 11, it's MB 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g.
 You must sniff until a handshake takes place between a wireless client and the access point.  To force the client to reauthenticate, you can start a deAuth attack with aireplay.  Also, a good dictionary is required;
 Mainly 5 types of attacks are performed using aireplay-ng  Attack 0: deAuthentication  Attack 1: fake authentication  Attack 2: interactive packet replay  Attack 3: ARP request re-injection  Attack 4: KoreK's "chopchop" (WEP decryption)
 It is an attack through which we send disassociation packets to computers/devices connected to a particular WiFi access point.  This will disconnect all connected computers from that access point (It won’t work if there are no associated wireless client or on fake authentications).
 Recovering a hidden ESSID.This is an ESSID which is not being broadcast. Another term for this is “cloaked.”  Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate  Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)  If those three point don’t make any sense, in simple words, this attack disconnects computers from an access point so you can have all WiFi bandwidth for yourself
 Put ourWireless card to monitor mode, issue following command in terminal window: sudo airmon-ng start wlan0  which will show a message “monitor mode enabled on mon0″, where mon0 is a new interface which we will use for monitoring.  Find out which networks are available from our location. Make sure you are as close to your desired access point as possible and issue this command in terminal: sudo airodump-ng mon0  Note down the BSSID (MAC address) of your access point.
 The final step! Issue following command in terminal:  sudo aireplay-ng -0 0 -a 00:AB:6C:CD:40:70 -c mon0  Where,  -0 is for deAuthentication.  0 (zero) is for continuously sending deAuthentication packets.  -a 00:AB:6C:CD:40:70 is the BSSID of your network. (Replace 00:AB:6C:CD:40:70 with your network’s BSSID).  mon0 is the monitor interface we created earlier.  We will get an output like this:  20:10:02 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:02 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:03 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:03 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70]  This means our deAuthentication attack is successful.
 This attack is particularly useful when there are no connected clients:  we create a fake client MAC address which will be registered in the AP's association table.  This address will then be used for ARP request reinjection and "chopchop" WEP decryption.  However if there is already an associated client, it's more reliable to just use his MAC address.
 aireplay -1 0 -e myap -a 00:13:10:30:24:9C - h 0:1:2:3:4:5 ath0  12:14:06 SendingAuthentication Request  12:14:06 Authentication successful  12:14:06 SendingAssociation Request  12:14:07 Association successful
 This attack is mostly useless and is present for debugging purposes only.  You could use it, for example, to replay "ToDS" packets coming from a wireless client; but in any case, ARP reinjection is more effective.  aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0
 The classic ARP-request replay attack is the most effective to generate new IVs, and works very reliably.  You need either the MAC address of an associated client (00:09:5B:EB:C5:2B), of a fake MAC from attack 1 (0:1:2:3:4:5).  You may have to wait for a couple of minutes, or even longer, until an ARP request shows up  This attack will fail if there is no traffic.
 This attack, when successful, can decrypt a WEP data packet without knowing the key.  It can even work against dynamic WEP.  However, most access points are not vulnerable at all.  Some may seem vulnerable at first but actually drop data packets shorter that 60 bytes.
 Choose WPA2  WPA2 can have up to 63 characters. Use them!  Use Numbers, lower-upper case, special characters
 The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.  Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
 Use these tips to prevent unwanted users  Change default setting on your router ▪ When you install router modify id and pwd to something else rather than default  Disable SSID broadcast ▪ Hides network from beginner intruder. Ie. Windows Wireless Zero config utility ▪ Will not keep you safe from more advance hackers
 Turn off network when not in use ▪ Impossible to hack a network that it is not running  MAC address filtering ▪ AP grants access to certain MAC addresses ▪ Not fully proof, but good countermeasure  Encryption ▪ Use of WPA ▪ Use long and random WPA keys
 Aircrack-ng is a very useful and powerful tool  We can check the security of our own wireless network  Can analyze and check any wireless LAN around us  Can enable access to locked private networks
 Despite the fact that in today's world a lot of people use WPA encryption, several network providers offer high speed internet DSL and FIOS modems and WiFi routers which come preset to use the WEP encryption. Such encryption mode can be cracked in a few minutes using Aircrack application, even in the case when the access point name is hidden.
Aircrack
Aircrack

Empfohlen

Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating SystemMeghaj Mallick
 
Aircrack
AircrackAircrack
AircrackMuhammadHanzalah6
 
Samba server configuration
Samba server configurationSamba server configuration
Samba server configurationRohit Phulsunge
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Wireshark
WiresharkWireshark
WiresharkSourav Roy
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 

Empfohlen

Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating SystemMeghaj Mallick
 
Aircrack
AircrackAircrack
AircrackMuhammadHanzalah6
 
Samba server configuration
Samba server configurationSamba server configuration
Samba server configurationRohit Phulsunge
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Wireshark
WiresharkWireshark
WiresharkSourav Roy
 
Burp Suite Starter
Burp Suite StarterBurp Suite Starter
Burp Suite StarterFadi Abdulwahab
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Wireshark
WiresharkWireshark
WiresharkKushagra Ganeriwal
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing softwaredharmesh nakum
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)udamale
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 
Network scanning
Network scanningNetwork scanning
Network scanningMD SAQUIB KHAN
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile HackingNovizul Evendi
 
Firewalls
FirewallsFirewalls
FirewallsKalluri Madhuri
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsn|u - The Open Security Community
 
Virus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusVirus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusAdeel Rasheed
 
Exchange server.pptx
Exchange server.pptxExchange server.pptx
Exchange server.pptxVignesh kumar
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorialVarun Kakumani
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic PresentationMD. SHORIFUL ISLAM
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic AnalysisDavid Sweigert
 
NMAP
NMAPNMAP
NMAPPrateekAryan1
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngOpen Knowledge Nepal
 
Wireshark
WiresharkWireshark
WiresharkKasun Madusanke
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)New Frontiers Marketing
 
Big idea_Lego group
Big idea_Lego groupBig idea_Lego group
Big idea_Lego groupVladislava_Work
 

Weitere ähnliche Inhalte

Was ist angesagt?

Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing softwaredharmesh nakum
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)udamale
 
Nmap basics
Nmap basicsNmap basics
Nmap basicsitmind4u
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Network scanning
Network scanningNetwork scanning
Network scanningoceanofwebs
 
Virus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusVirus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusAdeel Rasheed
 
Exchange server.pptx
Exchange server.pptxExchange server.pptx
Exchange server.pptxVignesh kumar
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic AnalysisDavid Sweigert
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngOpen Knowledge Nepal
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 

Was ist angesagt? (20)

Wireshark
WiresharkWireshark
Wireshark
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing software
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
NFS(Network File System)
NFS(Network File System)NFS(Network File System)
NFS(Network File System)
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Mobile Hacking
Mobile HackingMobile Hacking
Mobile Hacking
 
Firewalls
FirewallsFirewalls
Firewalls
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Virus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti VirusVirus and Anti Virus - Types of Virus and Anti Virus
Virus and Anti Virus - Types of Virus and Anti Virus
 
Exchange server.pptx
Exchange server.pptxExchange server.pptx
Exchange server.pptx
 
Nmap tutorial
Nmap tutorialNmap tutorial
Nmap tutorial
 
Wireshark Basic Presentation
Wireshark Basic PresentationWireshark Basic Presentation
Wireshark Basic Presentation
 
Wireshark Traffic Analysis
Wireshark Traffic AnalysisWireshark Traffic Analysis
Wireshark Traffic Analysis
 
NMAP
NMAPNMAP
NMAP
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
 
Wireshark
WiresharkWireshark
Wireshark
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 

Andere mochten auch

New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)New Frontiers Marketing
 
Energy Prodution and D
Energy Prodution and DEnergy Prodution and D
Energy Prodution and Dlyle jones
 
Разбор ИМК на примере Harley Davidson
Разбор ИМК на примере Harley Davidson Разбор ИМК на примере Harley Davidson
Разбор ИМК на примере Harley Davidson Vladislava_Work
 
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectie
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectieOnzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectie
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectieOlaf Janssen
 
модели рекламы
модели рекламымодели рекламы
модели рекламыVladislava_Work
 
Fontys ICT - Minor Applied Data Science
Fontys ICT - Minor Applied Data ScienceFontys ICT - Minor Applied Data Science
Fontys ICT - Minor Applied Data ScienceOlaf Janssen
 

Andere mochten auch (10)

New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)New frontiers marketing the ultimate guide to facebook ad images (1)
New frontiers marketing the ultimate guide to facebook ad images (1)
 
Big idea_Lego group
Big idea_Lego groupBig idea_Lego group
Big idea_Lego group
 
Energy Prodution and D
Energy Prodution and DEnergy Prodution and D
Energy Prodution and D
 
-khurram-niaz
-khurram-niaz-khurram-niaz
-khurram-niaz
 
DNA
DNADNA
DNA
 
Разбор ИМК на примере Harley Davidson
Разбор ИМК на примере Harley Davidson Разбор ИМК на примере Harley Davidson
Разбор ИМК на примере Harley Davidson
 
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectie
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectieOnzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectie
Onzekerheid en Ethiek in het Onderwijs: een persoonlijke reflectie
 
Data recovery
Data recoveryData recovery
Data recovery
 
модели рекламы
модели рекламымодели рекламы
модели рекламы
 
Fontys ICT - Minor Applied Data Science
Fontys ICT - Minor Applied Data ScienceFontys ICT - Minor Applied Data Science
Fontys ICT - Minor Applied Data Science
 

Ähnlich wie Aircrack

Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitationbarcamp.my
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security Hariraj Rathod
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPJoe McCray
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksHammam Samara
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminarNilesh Sapariya
 
Unit 3:Enterprise Security
Unit 3:Enterprise SecurityUnit 3:Enterprise Security
Unit 3:Enterprise Securityprachi67
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Fábio Afonso
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacksHuda Seyam
 
Wireless hacking
Wireless hackingWireless hacking
Wireless hackingMihir Shah
 
Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmourSec Armour
 
Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
AleksandrDoroninSlides.ppt
AleksandrDoroninSlides.pptAleksandrDoroninSlides.ppt
AleksandrDoroninSlides.pptImXaib
 
A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!edwardo
 

Ähnlich wie Aircrack (20)

Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu ExploitationAhmad Siddiq Wi-Fi Ninjutsu Exploitation
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 
Wireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEPWireless Pentesting: It's more than cracking WEP
Wireless Pentesting: It's more than cracking WEP
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Unit 3:Enterprise Security
Unit 3:Enterprise SecurityUnit 3:Enterprise Security
Unit 3:Enterprise Security
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2Wi-Fi security – WEP, WPA and WPA2
Wi-Fi security – WEP, WPA and WPA2
 
WEP
WEPWEP
WEP
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
Wireless hacking
Wireless hackingWireless hacking
Wireless hacking
 
Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour Wired equivalent privacy by SecArmour
Wired equivalent privacy by SecArmour
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Wifi cracking
Wifi crackingWifi cracking
Wifi cracking
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
AleksandrDoroninSlides.ppt
AleksandrDoroninSlides.pptAleksandrDoroninSlides.ppt
AleksandrDoroninSlides.ppt
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!
 

Kürzlich hochgeladen

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 

Kürzlich hochgeladen (20)

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 

Aircrack

  • 1.
  • 2.  Aircrack-ng suite – Suite of tools used to recover wireless encryptions keys and carry all sorts of attacks against wireless networks.
  • 3.  Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.  It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
  • 4. ● WEP encryption flawed ● Integrity checks based on CRC ● Man-in-the-middle attacks possible o unilateral challenge-response used for authentication ● Clients do not authenticate APs ● Most APs insecure by default o standard passwords o open wireless
  • 5. ● Passive o Eavesdropping o Traffic Analysis ● Active o Masquerading o Replay o Message Modification o Denial of Service o Misappropriation
  • 6. ● Wireshark o Can read radio-level packets (using radiotap) ● Kismet ● Wifi Analyzer (Android) ● WiFinspect (Android) [needs root] ● KisMAC [Mac]
  • 7. ● Find My Router's Password (Android) [needs root] ● WiFi Key Recovery (Android) [needs root] ● FakeAP o generates lots of fake APs
  • 8. ● Aircrack-NG ● WepAttack ● WEPCrack ● coWPAtty ● Asleap ● THC-LEAPcracker ● Pyrit
  • 9. Name Description aircrack-ng CracksWEP andWPA keys using dictionary attacks. airdecap-ng DecryptsWEP orWPA encrypted capture files with known key. airmon-ng Placing different cards in monitor mode. aireplay-ng Packet injector (Linux, andWindows with CommView drivers). airodump-ng Packet sniffer: Places air traffic into PCAP or IVS files and shows information about networks. airtun-ng Virtual tunnel interface creator.
  • 10. packetforge-ng Create encrypted packets for injection. ivstools Tools to merge and convert. airbase-ng Incorporates techniques for attacking client, as opposed to Access Points airdecloak-ng removes WEP cloaking from pcap files airdriver-ng Tools for managing wireless drivers airolib-ng stores and manages ESSID and password lists and compute Pairwise Master Keys
  • 11. airserv-ng allows you to access the wireless card from other computers. buddy-ng the helper server for easside-ng, run on a remote computer easside-ng a tool for communicating to an access point, without theWEP key tkiptun-ng WPA/TKIP attack wesside-ng automatic tool for recovering wep key.
  • 12.  Due to the borderless nature of 802.11, security is an obvious concern.  WEP became the first attempt at security.  Serious weaknesses within the RC4 cryptographic implementation employed by WEP were quickly identified  These issues resulted in the immediate requirement for increased wireless security
  • 13.  Unfortunately, due to the early adoption of wireless technologies, WEP is still in use by many companies and consumers alike.  the time it takes to crack WEP has been drastically reduced  That is, no implementation of WEP should be considered secure.
  • 14.  Stands for Wi-Fi Protected Access  Created to provide stronger security  Still able to be cracked if a short password is used.  WPA 1 – Based on 3rd draft of 802.11i – UsesTKIP – Backward compatible with old hardware  WPA 2 –Based on 802.11i – Uses CCMP (AES) – Not compatible with old hardware
  • 15.  Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
  • 16.  Aircrack-ng can recover theWEP(Wired Equivalent Privacy) key once enough encrypted packets have been captured with airodump-ng.  This part of the aircrack-ng suite determines theWEP key using two fundamental methods.
  • 17.  The first method is via the PTW approach (Pyshkin,Tews, Weinmann).  The default cracking method is PTW.  This is done in two phases.  In the first phase, aircrack-ng only uses ARP packets.
  • 18.  If the key is not found, then it uses all the packets in the capture.  Not all packets can be used for the PTW method.  An important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys.  The main advantage of the PTW approach is that very few data packets are required to crack theWEP key.
  • 19.  The second method is the FMS/KoreK method.  The FMS/KoreK method incorporates various statistical attacks to discover theWEP key and uses these in combination with brute forcing.  Additionally, the program offers a dictionary method for determining theWEP key.
  • 20.  aircrack-ng [options] <capture file(s)> Option Param. Description -a amode Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK). -b Bssid Long version –bssid. Select the target network based on the access point's MAC address. -e essid If set, all IVs from networks with the same ESSID will be used.This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden). -p nbcpu On SMP systems: # of CPU to use.This option is invalid on non-SMP systems. -q none Enable quiet mode (no status output until the key is found, or not). -c none (WEP cracking) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
  • 21. -t none (WEP cracking) Restrict the search space to binary coded decimal hex characters. -h none (WEP cracking) Restrict the search space to numeric characters (0x30- 0x39)These keys are used by default in most Fritz!BOXes. -d start (WEP cracking) Long version –debug. Set the beginning of the WEP key (in hex), for debugging purposes. -m maddr (WEP cracking) MAC address to filterWEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network. -M number (WEP cracking) Sets the maximum number of ivs to use. -n nbits (WEP cracking) Specify the length of the key: 64 for 40-bitWEP, 128 for 104-bit WEP, etc.The default value is 128. -i index (WEP cracking) Only keep the IVs that have this key index (1 to 4).The default behaviour is to ignore the key index. -f fudge (WEP cracking) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bitWEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelyhood of success.
  • 22. -H none Long version –help. Output help information. -l file name (Lowercase L, ell) logs the key to the file specified. -K none Invokes the KorekWEP cracking method. (Default in v0.x) -k korek (WEP cracking)There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs.Try -k 1, -k 2, … -k 17 to disable each attack selectively. -p threads Allow the number of threads for cracking even if you have a non-SMP computer. -r database Utilizes a database generated by airolib-ng as input to determine the WPA key. Outputs an error message if aircrack-ng has not been compiled with sqlite support.
  • 23.  Here are the basic steps we will be going through:  Start the wireless interface in monitor mode on the specific AP channel  Test the injection capability of the wireless device to the AP  Use aireplay-ng to do a fake authentication with the access point  Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs  Start aireplay-ng in ARP request replay mode to inject packets  Run aircrack-ng to crack key using the IVs collected
  • 24.  The purpose of this step is to put your card into what is called monitor mode.  Monitor mode is mode whereby your card can listen to every packet in the air.  Normally your card will only “hear” packets addressed to you.  By hearing every packet, we can later select some for injection.  As well, only (there are some rare exceptions) monitor mode allows you to inject packets.
  • 25.  The purpose of this step ensures that your card is within distance of your AP and can inject packets to it.  Enter:  aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 ath0  Where:  -9 means injection test  -e teddy is the wireless network name  -a 00:14:6C:7E:40:80 is the access point MAC address  ath0 is the wireless interface name
  • 26.  The purpose of this step is to capture the IVs generated.This step starts airodump-ng to capture the IVs from the specific access point.  Open another console session to capture the generated IVs. Then enter:  airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0  Where:  -c 9 is the channel for the wireless network  --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminate extraneous traffic.  -w capture is file name prefix for the file which will contain the IVs.  ath0 is the interface name.
  • 27.  In order for an access point to accept a packet, the source MAC address must already be associated.  If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext.  In this state, no new IVs are created because the AP is ignoring all the injected packets.
  • 28.  The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network.  The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV.  Again, this is our objective, to obtain a large number of IVs in a short period of time.
  • 29.  The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.  Two methods will be shown. It is recommended you try both for learning purposes.  By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method.  PTW method only works successfully with arp request/reply packets.  The other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ”--ivs” option.
  • 30.  The basic idea is to capture as much encrypted traffic as possible using airodump.  EachWEP data packet has an associated 3-byte InitializationVector (IV)  After a sufficient number of data packets have been collected, run aircrack on the resulting capture file.  aircrack will then perform a set of statistical attacks
  • 31.  The number of required IVs depends on the WEP key length, and it also depends on your luck.  Usually, 40-bitWEP can be cracked with 300.000 IVs, and 104-bitWEP can be cracked with 1.000.000 Ivs  if you're out of luck you may need two million IVs, or more.
  • 32.
  • 33.
  • 34.  cracking WPA/WPA2 networks which use pre-shared keys  WPA/WPA2 supports many types of authentication beyond pre-shared keys.  aircrack-ng can ONLY crack pre-shared keys.
  • 35.  There is another important difference between cracking WPA/WPA2 and WEP.  This is the approach used to crack the WPA/WPA2 pre-shared key.  Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2.
  • 36.  That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack.  The only thing that does give the information to start an attack is the handshake between client and AP.
  • 37.  When clients connect to a WPA encrypted network, they have a 4-way handshake with the router.  We need this 4-way handshake to recover the password.  We can crack the password offline once we get the handshake  Attack is completely passive on the router.
  • 38. airmon-ng start wlan0  Tool used for putting your card into monitor mode  wlan0 = Wireless interface. You can find your wireless interface by typing “iwconfig” You should see “monitor mode enabled on mon0” somewhere.
  • 39. airodump-ng mon0  Tool used to listen to wireless routers in the area  Look for any wireless networks that say WPA  Remember their BSSID and Channel
  • 40. airodump-ng –-bssid 00:13:10:73:FC:C5 –c 6 –w dump mon0  --bssid is the mac address of the router  -c is the channel of the router  -w is where to save the dump file  dump is the file name Keep that running in it’s own terminal until a client connects
  • 41.  Wait until a client connects  Alternatively, force a connected client to disconnect, making them reconnect and capturing their handshake.
  • 42.  In airodump-ng, look in the top left.  You should see “WPA handshake <bssid>”  Now you are ready to crack.  Stop airodump-ng by pressing Control + c
  • 43.  aircrack-ng will crack the password.We specify the bssid, the dump file, and a wordlist to guess the password with.  Wordlist = /pentest/database/sqlmap/txt/wordlist.txt  aircrack-ng –w <list> –b 00:13:10:73:FC:C5 dump*.cap  Aircrack-ng –w /pentest/databas
  • 44.
  • 45.  Beacons :-Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.  CH:-Channel number (taken from beacon packets).  MB:-Maximum speed supported by theAP. If MB = 11, it's MB 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g.
  • 46.  You must sniff until a handshake takes place between a wireless client and the access point.  To force the client to reauthenticate, you can start a deAuth attack with aireplay.  Also, a good dictionary is required;
  • 47.  Mainly 5 types of attacks are performed using aireplay-ng  Attack 0: deAuthentication  Attack 1: fake authentication  Attack 2: interactive packet replay  Attack 3: ARP request re-injection  Attack 4: KoreK's "chopchop" (WEP decryption)
  • 48.  It is an attack through which we send disassociation packets to computers/devices connected to a particular WiFi access point.  This will disconnect all connected computers from that access point (It won’t work if there are no associated wireless client or on fake authentications).
  • 49.  Recovering a hidden ESSID.This is an ESSID which is not being broadcast. Another term for this is “cloaked.”  Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate  Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)  If those three point don’t make any sense, in simple words, this attack disconnects computers from an access point so you can have all WiFi bandwidth for yourself
  • 50.  Put ourWireless card to monitor mode, issue following command in terminal window: sudo airmon-ng start wlan0  which will show a message “monitor mode enabled on mon0″, where mon0 is a new interface which we will use for monitoring.  Find out which networks are available from our location. Make sure you are as close to your desired access point as possible and issue this command in terminal: sudo airodump-ng mon0  Note down the BSSID (MAC address) of your access point.
  • 51.  The final step! Issue following command in terminal:  sudo aireplay-ng -0 0 -a 00:AB:6C:CD:40:70 -c mon0  Where,  -0 is for deAuthentication.  0 (zero) is for continuously sending deAuthentication packets.  -a 00:AB:6C:CD:40:70 is the BSSID of your network. (Replace 00:AB:6C:CD:40:70 with your network’s BSSID).  mon0 is the monitor interface we created earlier.  We will get an output like this:  20:10:02 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:02 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:03 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70] 20:10:03 Sending DeAuth to broadcast — BSSID: [00:AB:6C:CD:40:70]  This means our deAuthentication attack is successful.
  • 52.  This attack is particularly useful when there are no connected clients:  we create a fake client MAC address which will be registered in the AP's association table.  This address will then be used for ARP request reinjection and "chopchop" WEP decryption.  However if there is already an associated client, it's more reliable to just use his MAC address.
  • 53.  aireplay -1 0 -e myap -a 00:13:10:30:24:9C - h 0:1:2:3:4:5 ath0  12:14:06 SendingAuthentication Request  12:14:06 Authentication successful  12:14:06 SendingAssociation Request  12:14:07 Association successful
  • 54.  This attack is mostly useless and is present for debugging purposes only.  You could use it, for example, to replay "ToDS" packets coming from a wireless client; but in any case, ARP reinjection is more effective.  aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0
  • 55.  The classic ARP-request replay attack is the most effective to generate new IVs, and works very reliably.  You need either the MAC address of an associated client (00:09:5B:EB:C5:2B), of a fake MAC from attack 1 (0:1:2:3:4:5).  You may have to wait for a couple of minutes, or even longer, until an ARP request shows up  This attack will fail if there is no traffic.
  • 56.  This attack, when successful, can decrypt a WEP data packet without knowing the key.  It can even work against dynamic WEP.  However, most access points are not vulnerable at all.  Some may seem vulnerable at first but actually drop data packets shorter that 60 bytes.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.  Choose WPA2  WPA2 can have up to 63 characters. Use them!  Use Numbers, lower-upper case, special characters
  • 63.  The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.  Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
  • 64.  Use these tips to prevent unwanted users  Change default setting on your router ▪ When you install router modify id and pwd to something else rather than default  Disable SSID broadcast ▪ Hides network from beginner intruder. Ie. Windows Wireless Zero config utility ▪ Will not keep you safe from more advance hackers
  • 65.  Turn off network when not in use ▪ Impossible to hack a network that it is not running  MAC address filtering ▪ AP grants access to certain MAC addresses ▪ Not fully proof, but good countermeasure  Encryption ▪ Use of WPA ▪ Use long and random WPA keys
  • 66.  Aircrack-ng is a very useful and powerful tool  We can check the security of our own wireless network  Can analyze and check any wireless LAN around us  Can enable access to locked private networks
  • 67.  Despite the fact that in today's world a lot of people use WPA encryption, several network providers offer high speed internet DSL and FIOS modems and WiFi routers which come preset to use the WEP encryption. Such encryption mode can be cracked in a few minutes using Aircrack application, even in the case when the access point name is hidden.