requires to have the WPC11 driver v2.5 installed. See
http://100h.org/wlan/linux/prism2/.
Which is the best card to buy?
My favourite card is the Netgear WAG511, which is Atheros-based and has
excellent sensitivity (no external antenna connector though); a cheaper
version is the WG511T (PCMCIA) / WG311T (PCI). Another nice Atheros card is
the Proxim 8470-WD, which has an external MC antenna connector. Also, the
DWL-G650/G650M is quite cheap (either rev. B or C, but do not buy the
DWL-650+, which has a TI chipset); the PCI equivalent is the DWL-G520
(likewise, don't buy the G520+).
Ralink makes some nice b/g chipsets, and has been very cooperative with the
open-source community to release GPL drivers. Packet injection is now fully
supported on PCI/PCMCIA RT2500 cards (such as the MSI CB54G2), and also
works on USB RT2570 cards (like the D-Link DWL-G122 or the Linksys
WUSB54G).
Do NOT buy anything that might have a PrismGT chipset. Some time ago,
Conexant decided to stop manufacturing their FullMAC chipset and released
a cheap, cut-down version known as "SoftMAC", which is totally
incompatible with the prism54 driver.
Conexant has not been cooperative at all with the prism54 project, so they
don't deserve any of your money. As a matter of fact, FullMAC cards are not
being sold anymore -- you'll only find crappy SoftMAC in retail. In
particular, do not buy the WG511 (v2 / v3), the 3CRWE154G72 (v2 / v3), the
SMC2835W (v3), the SMC2802W (v2) or the ZyAIR G-300 (v2 / v3).
How do I use airodump for Windows?
First of all, make sure that your card is compatible (see table above) and
that you have installed the proper driver. Also, you must download peek.dll
and peek5.sys and put them in the same directory as airodump.exe.
When running airodump, you should specify:
+ The network interface index number, which must be picked from the list
displayed by airodump.
+ The network interface type ('o' for HermesI and Realtek, 'a' for
Aironet and Atheros).
+ The channel number, between 1 and 14. You can also specify 0 to hop
between all channels.
+ The output prefix. For example, if the prefix is "foo", then airodump
will create foo.cap (captured packets) and foo.txt (CSV statistics). If
foo.cap already exists, airodump will resume the capture session by
appending the packets to it.
+ The "only IVs" flag. Specify 1 if you just want to save the IVs from
WEP data packets. This saves space, but the resulting file (foo.ivs)
will only be useful for WEP cracking.
To stop capturing packets, press Ctrl-C. You may get a blue screen; this is
due to a bug in the PEEK driver not cleanly exiting monitor mode. Also, the
capture file may be empty. The cause of this bug is unknown.
Why can't I compile airodump and aireplay on BSD / Mac OS X?
Both airodump and aireplay sources are Linux-specific. There are no plans
to port them to any other operating system.
How do I use airodump for Linux?
Before running airodump, you may start the airmon.sh script to list the
detected wireless interfaces.
    usage: airodump <interface name or pcap filename>
                    <output prefix> <channel> [IVs flag]
The first argument can be an interface name (such as: eth1, ath0, wlan0,
etc.) in which case airodump will capture packets on this interface. You
may also specify a pcap filename instead, for example to analyze a previous
capture.
It is not recommended to run airodump at the same time as Kismet.
If you specify the same output prefix, airodump will resume the session and
append the packets at the end of the existing capture file.
You can hop between channels by specifying 0 as the channel number;
however, when attacking a WLAN you should instead specify the channel number
of the target access point. Also, the channel number will be ignored if the
packet source is a capture file.
You may set the optional IVs flag to only write the captured WEP IVs; this
will save a lot of space, but the resulting file won't be useful for
anything other than WEP cracking. If the flag is not set, the whole packets
are saved.
Also, during the capture airodump updates a plain .txt file with all the
detected access points and stations.
Some examples:
    Channel hopping with HostAP  : airodump wlan0 out 0
    Capture packets on channel 4 : airodump ath0 test 4
    Only save IVs on channel 10  : airodump ath0 test 10 1
    Extract IVs from a pcap file : airodump out.cap small 0 1
airodump keeps switching between WEP and WPA.
This is happening because your driver doesn't discard corrupted packets
(that have an invalid CRC). If it's a Centrino b, it just can't be helped;
go buy a better card. If it's a Prism2, try upgrading the firmware.
What's the meaning of the fields displayed by airodump?
airodump will display a list of detected access points, and also a list of
connected clients ("stations"). Here's an example screenshot using a Prism2
card with HostAP:
+----------------------------------------------------------------+
| BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID  |
|                                                                |
| 00:13:10:30:24:9C   58     4214      504   6  48  WEP   myap   |
|                                                                |
| BSSID              STATION            PWR  Packets  ESSID      |
|                                                                |
| 00:13:10:30:24:9C  00:09:5B:EB:C5:2B  203      154  myap       |
| 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  myap       |
|                                                                |
+----------------------------------------------------------------+
+-------------------------------------------------------------------+
| Field   | Description                                             |
|---------+---------------------------------------------------------|
| BSSID   | MAC address of the access point.                        |
|---------+---------------------------------------------------------|
|         | Signal level reported by the card. Its meaning          |
| PWR     | depends on the driver, but as the signal gets higher    |
|         | you get closer to the AP or the station. If PWR == -1,  |
|         | the driver doesn't support signal level reporting.      |
|---------+---------------------------------------------------------|
|         | Number of announcement packets sent by the AP. Each     |
| Beacons | access point sends about ten beacons per second at the  |
|         | lowest rate (1M), so they can usually be picked up from |
|         | very far.                                               |
|---------+---------------------------------------------------------|
| # Data  | Number of captured data packets (if WEP, unique IV      |
|         | count), including data broadcast packets.               |
|---------+---------------------------------------------------------|
|         | Channel number (taken from beacon packets). Note:       |
| CH      | sometimes packets from other channels are captured even |
|         | if airodump is not hopping, because of radio            |
|         | interference.                                           |
|---------+---------------------------------------------------------|
|         | Maximum speed supported by the AP. If MB = 11, it's     |
| MB      | 802.11b, if MB = 22 it's 802.11b+ and higher rates are  |
|         | 802.11g.                                                |
|---------+---------------------------------------------------------|
|         | Encryption algorithm in use. OPN = no encryption,       |
|         | "WEP?" = WEP or higher (not enough data to choose       |
| ENC     | between WEP and WPA), WEP (without the question mark)   |
|         | indicates static or dynamic WEP, and WPA if TKIP or     |
|         | CCMP is present.                                        |
|---------+---------------------------------------------------------|
|         | The so-called "SSID", which can be empty if SSID hiding |
| ESSID   | is activated. In this case, airodump will try to        |
|         | recover the SSID from probe responses and association   |
|         | requests.                                               |
|---------+---------------------------------------------------------|
|         | MAC address of each associated station. In the          |
| STATION | screenshot above, two clients have been detected        |
|         | (00:09:5B:EB:C5:2B and 00:02:2D:C1:5D:1F).              |
+-------------------------------------------------------------------+
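The ENC verdict (OPN / "WEP?" / WEP / WPA), the "# Data" unique-IV count and the FCS check behind the "airodump keeps switching between WEP and WPA" answer can all be reproduced on a handful of frames. The following is an added example written for this page, not aircrack's own code. It assumes raw 802.11 frames that still carry their 4-byte FCS (as some monitor-mode drivers deliver them), handles beacons and non-QoS data frames only, reuses the AP and station addresses from the screenshot, and constructs everything else itself: a second access point (AP2), an RSN information element and all sample frames.

```python
# Toy 802.11 frame classifier modelled on airodump's ENC and # Data columns.
# Added example, not aircrack code; assumes frames still carry their 4-byte
# FCS (some monitor-mode drivers strip it). All input below is constructed.
import struct
import zlib
from collections import defaultdict

PROTECTED = 0x40   # Frame Control flags: Protected Frame bit
EXT_IV = 0x20      # key-ID byte: Extended IV present => TKIP/CCMP rather than WEP
PRIVACY = 0x0010   # beacon capability field: privacy bit (WEP or better)
RSN_IE, VENDOR_IE, WPA_OUI = 48, 221, b"\x00\x50\xf2\x01"
# AP and station addresses from the screenshot above; AP2 is a constructed
# locally administered address used for the WPA case.
AP, STA, AP2 = (bytes.fromhex(h) for h in ("00131030249c", "00095bebc52b", "020000000002"))
# Constructed RSN IE: CCMP group and pairwise cipher, PSK AKM, empty capabilities.
RSN = b"\x30\x14\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x00\x00"
mac = lambda raw: raw.hex(":").upper()

def fcs_ok(frame: bytes) -> bool:
    """Verify the trailing CRC-32; drivers that skip this pass corrupt frames on,
    which is what makes the ENC column flip between WEP and WPA."""
    return len(frame) >= 4 and zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]

class NetworkTable:
    """Per-BSSID state behind the ENC, ESSID and # Data columns."""
    def __init__(self):
        self.enc, self.essid, self.dropped = {}, {}, 0
        self.ivs = defaultdict(set)      # unique WEP IVs per BSSID
        self.frames = defaultdict(int)   # data frames per BSSID

    def feed(self, frame: bytes) -> None:
        if not fcs_ok(frame):
            self.dropped += 1            # corrupt frame: never let it reach the classifier
            return
        frame = frame[:-4]
        ftype, subtype = (frame[0] >> 2) & 3, frame[0] >> 4
        if ftype == 0 and subtype == 8:  # management frame, beacon subtype
            self._beacon(frame)
        elif ftype == 2 and not subtype & 8:  # non-QoS data (QoS data has a longer header)
            self._data(frame)

    def _beacon(self, frame: bytes) -> None:
        bssid = mac(frame[16:22])                     # Addr3 carries the BSSID
        cap = struct.unpack_from("<H", frame, 34)[0]  # after timestamp and beacon interval
        enc = "WEP?" if cap & PRIVACY else "OPN"      # privacy bit alone: WEP or WPA
        pos = 36                                      # first information element
        while pos + 2 <= len(frame):
            ie_id, ie_len = frame[pos], frame[pos + 1]
            val = frame[pos + 2:pos + 2 + ie_len]
            if ie_id == 0 and val:                    # SSID IE; empty when hidden
                self.essid[bssid] = val.decode("ascii", "replace")
            if ie_id == RSN_IE or (ie_id == VENDOR_IE and val.startswith(WPA_OUI)):
                enc = "WPA"                           # TKIP or CCMP advertised
            pos += 2 + ie_len
        if enc == "WPA" or self.enc.get(bssid) not in ("WEP", "WPA"):
            self.enc[bssid] = enc                     # never downgrade a data-frame verdict

    def _data(self, frame: bytes) -> None:
        flags = frame[1]                              # ToDS/FromDS pick the BSSID address
        bssid = mac(frame[4:10] if flags & 1 else frame[10:16] if flags & 2 else frame[16:22])
        self.frames[bssid] += 1
        if flags & PROTECTED:
            iv, key_id = frame[24:27], frame[27]      # first 4 body bytes: IV + key-ID byte
            if key_id & EXT_IV:
                self.enc[bssid] = "WPA"
            else:
                self.enc[bssid] = "WEP"
                self.ivs[bssid].add(iv)

    def data_column(self, bssid: str) -> int:
        # '# Data': unique IV count for a WEP network, data frame count otherwise
        return len(self.ivs[bssid]) if self.enc.get(bssid) == "WEP" else self.frames[bssid]

def with_fcs(frame: bytes) -> bytes:
    return frame + struct.pack("<I", zlib.crc32(frame))

def beacon(ap: bytes, cap: int, ies: bytes = b"") -> bytes:
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + ap + ap + b"\x00\x00"
    return with_fcs(hdr + b"\x00" * 8 + struct.pack("<HH", 100, cap) + b"\x00\x04myap" + ies)

def data_frame(ap: bytes, iv: bytes, key_id: int) -> bytes:
    # protected data frame from STA to AP (ToDS=1, so Addr1 is the BSSID)
    hdr = b"\x08" + bytes([0x01 | PROTECTED]) + b"\x00\x00" + ap + STA + ap + b"\x10\x00"
    return with_fcs(hdr + iv + bytes([key_id]) + b"\xde\xad\xbe\xef" * 4)

def demo() -> dict:
    table = NetworkTable()
    frames = [
        beacon(AP, 0x0011),                          # ESS + privacy, no RSN IE: "WEP?"
        data_frame(AP, b"\x01\x02\x03", 0x00),       # WEP, key index 0
        data_frame(AP, b"\x01\x02\x03", 0x00),       # same IV again: # Data unchanged
        data_frame(AP, b"\x04\x05\x06", 0x40),       # WEP, key index 1
        beacon(AP2, 0x0011, RSN),                    # RSN IE present: "WPA"
        data_frame(AP2, b"\x00\x00\x00", EXT_IV),    # extended IV: also "WPA"
    ]
    corrupt = bytearray(data_frame(AP, b"\x07\x08\x09", 0x00))
    corrupt[27] |= EXT_IV           # a bit error in the key-ID byte makes it look like TKIP,
    frames.append(bytes(corrupt))   # but the FCS no longer matches, so it is dropped
    for f in frames:
        table.feed(f)
    return {"enc": table.enc[mac(AP)], "essid": table.essid[mac(AP)],
            "data": table.data_column(mac(AP)), "enc2": table.enc[mac(AP2)],
            "dropped": table.dropped}
```

Running demo() reports the first AP as WEP with "# Data" equal to 2 (two unique IVs out of three valid data frames), the second AP as WPA, and one dropped frame: the corrupted copy whose flipped key-ID byte would otherwise have been read as an extended IV and flipped the verdict to WPA. A driver that does not discard frames with a bad CRC hands exactly that kind of frame to airodump, which is the flip-flopping the FAQ entry above describes.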
How do I merge multiple capture files?
You may use the mergecap program (part of the ethereal-common package or
the win32 distribution):
    mergecap -w out.cap test1.cap test2.cap test3.cap
As of now, it's not possible to merge .ivs files.
Can I use Ethereal to capture 802.11 packets?
Under Linux, simply set up the card in monitor mode with the airmon.sh
script. Under Windows, Ethereal can NOT capture 802.11 packets.
How do I change my card's MAC address?
This operation is only possible under Linux. For example, if you have an
Atheros card:
    ifconfig ath0 down hw ether 00:10:20:30:40:50
    ifconfig ath0 up
If it doesn't work, try to eject and re-insert the card.
How do I use aircrack?
    Usage: aircrack [options] <capture file(s)>
You can specify multiple input files (either in .cap or .ivs format). Also,
you can run both airodump and aircrack at the same time: aircrack will
auto-update when new IVs are available.
Here's a summary of all available options:
+-------------------------------------------------------------------+
| Option | Param. | Description                                     |
|--------+--------+-------------------------------------------------|
| -a     | amode  | Force attack mode (1 = static WEP, 2 =          |
|        |        | WPA-PSK).                                       |
|--------+--------+-------------------------------------------------|
|        |        | If set, all IVs from networks with the same     |
| -e     | essid  | ESSID will be used. This option is also         |
|        |        | required for WPA-PSK cracking if the ESSID is   |
|        |        | not broadcast (hidden).                         |
|--------+--------+-------------------------------------------------|
| -b     | bssid  | Select the target network based on the access   |
|        |        | point's MAC address.                            |
|--------+--------+-------------------------------------------------|
| -p     | nbcpu  | On SMP systems, set this option to the number   |
|        |        | of CPUs.                                        |
|--------+--------+-------------------------------------------------|
| -q     | none   | Enable quiet mode (no status output until the   |
|        |        | key is found, or not).                          |
|--------+--------+-------------------------------------------------|
| -c     | none   | (WEP cracking) Restrict the search space to     |
|        |        | alpha-numeric characters only (0x20 - 0x7F).    |
|--------+--------+-------------------------------------------------|
| -d     | start  | (WEP cracking) Set the beginning of the WEP key |
|        |        | (in hex), for debugging purposes.               |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) MAC address to filter WEP data   |
| -m     | maddr  | packets. Alternatively, specify -m              |
|        |        | ff:ff:ff:ff:ff:ff to use each and every IV,     |
|        |        | regardless of the network.                      |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) Specify the length of the key:   |
| -n     | nbits  | 64 for 40-bit WEP, 128 for 104-bit WEP, etc.    |
|        |        | The default value is 128.                       |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) Only keep the IVs that have this |
| -i     | index  | key index (1 to 4). The default behaviour is to |
|        |        | ignore the key index.                           |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) By default, this parameter is    |
|        |        | set to 2 for 104-bit WEP and to 5 for 40-bit    |
| -f     | fudge  | WEP. Specify a higher value to increase the     |
|        |        | bruteforce level: cracking will take more time, |
|        |        | but with a higher likelihood of success.        |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) There are 17 korek statistical   |
|        |        | attacks. Sometimes one attack creates a huge    |
| -k     | korek  | false positive that prevents the key from being |
|        |        | found, even with lots of IVs. Try -k 1, -k 2,   |
|        |        | ... -k 17 to disable each attack selectively.   |