|--------+--------+-------------------------------------------------|
|   -x   |  none  | (WEP cracking) Do not bruteforce the last two   |
|        |        | keybytes.                                       |
|--------+--------+-------------------------------------------------|
|        |        | (WEP cracking) This is an experimental single   |
|   -y   |  none  | bruteforce attack which should only be used     |
|        |        | when the standard attack mode fails with more   |
|        |        | than one million IVs.                           |
|--------+--------+-------------------------------------------------|
|   -w   | words  | (WPA cracking) Path to a wordlist.              |
+-------------------------------------------------------------------+
Could you implement a resume option in aircrack ?
There are no plans to implement this feature.
How can I crack a WPA-PSK network ?
You must sniff until a handshake takes place between a wireless client and
the access point. To force the client to reauthenticate, you can start a
deauth attack with aireplay. Also, a good dictionary is required; see
http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
FYI, it's not possible to pre-compute large tables of Pairwise Master Keys
like rainbowcrack does, since the passphrase is salted with the ESSID.
Will WPA be cracked in the future ?
It's extremely unlikely that WPA will be cracked just like WEP was.
The major problem with WEP is that the shared key is appended to the IV;
the result is directly used to feed RC4. This overly simple construction is
prone to a statistical attack, since the first ciphertext bytes are
strongly correlated with the shared key (see Andrew Roos' paper). There are
basically two counter-measures against this attack: 1. mix the IV and the
shared key using a hash function or 2. discard the first 256 bytes of RC4's
output.
There has been some disinformation in the news about the "flaws" of TKIP:
For now, TKIP is reasonably secure but it is also living on borrowed
time since it still relies on the same RC4 algorithm that WEP relied
on.
Actually, TKIP (WPA1) is not vulnerable: for each packet, the 48-bit IV is
mixed with the 128-bit pairwise temporal key to create a 104-bit RC4 key,
so there's no statistical correlation at all. Furthermore, WPA provides
counter-measures against active attacks (traffic reinjection), includes a
stronger message integrity code (Michael), and has a very robust
authentication protocol (the 4-way handshake). The only vulnerability so
far is a dictionary attack, which fails if the passphrase is robust
enough.
WPA2 (aka 802.11i) is exactly the same as WPA1, except that CCMP (AES in
counter mode) is used instead of RC4 and HMAC-SHA1 is used instead of
HMAC-MD5 for the EAPOL MIC. Bottom line, WPA2 is a bit better than WPA1,
but neither are going to be cracked in the near future.
I have more than one million IVs, but aircrack doesn't find the key !
Possible reasons:
+ Out of luck: you must capture more IVs. Usually, 104-bit WEP can be
cracked with about one million IVs, but sometimes more IVs are needed.
+ If all votes seem equal, or if there are many negative votes, then the
capture file is corrupted, or the key is not static.
+ A false positive prevented the key from being found. Try to disable
each korek attack (-k 1 .. 17), raise the fudge factor (-f) or try the
experimental single reverse attack (-y).
I've found the key, how do I decrypt a capture file ?
You may use the airdecap program:
usage: airdecap [options] <pcap file>
-l : don't remove the 802.11 header
-b bssid : access point MAC address filter
-k pmk : WPA Pairwise Master Key in hex
-e essid : target network ascii identifier
-p pass : target network WPA passphrase
-w key : target network WEP key in hex
examples:
airdecap -b 00:09:5B:10:BC:5A open-network.cap
airdecap -w 11A3E229084349BC25D97E2939 wep.cap
airdecap -e my_essid -p my_passphrase tkip.cap
How do I recover my WEP key in Windows ?
You may use the WZCOOK program which recovers WEP keys from XP's Wireless
Zero Configuration utility. This is experimental software, so it may or may
not work depending on your service pack level.
Does WZCOOK also recover WPA keys ?
WZCOOK will display the PMK (Pairwise Master Key), a 256-bit value which is
the result of the passphrase hashed 8192 times together with the ESSID and
the ESSID length. The passphrase itself can't be recovered -- however,
knowing the PMK is enough to connect to a WPA-protected wireless network
with wpa_supplicant (see the Windows README). Your wpa_supplicant.conf
configuration file should look like:
network={
ssid="my_essid"
pmk=5c9597f3c8245907ea71a89d[...]9d39d08e
}
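As an added example (not part of the aircrack README), the PMK derivation described above and in the earlier WPA-PSK answer, written in Python: PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 iterations, two SHA-1 output blocks, hence 8192 hash rounds and a per-ESSID result that cannot be precomputed into one shared table. The function names are mine; the pmk= network block follows the format shown in the README.

```python
import hashlib
import hmac

ITERATIONS = 4096   # PBKDF2 iteration count fixed by 802.11i for WPA-PSK
PMK_LEN = 32        # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               ITERATIONS, PMK_LEN)


def _pbkdf2_block(passphrase: bytes, essid: bytes, index: int) -> tuple[bytes, int]:
    """One PBKDF2 output block, returned with its HMAC-SHA1 call count."""
    # The salt is the ESSID followed by the big-endian block index.
    u = hmac.new(passphrase, essid + index.to_bytes(4, "big"), hashlib.sha1).digest()
    out = bytearray(u)
    for _ in range(ITERATIONS - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        out = bytearray(a ^ b for a, b in zip(out, u))
    return bytes(out), ITERATIONS


def wpa_pmk_manual(passphrase: str, essid: str) -> tuple[bytes, int]:
    """Same derivation spelled out; also returns the total HMAC-SHA1 calls.

    SHA-1 yields 160 bits per block, so a 256-bit PMK needs two blocks:
    2 * 4096 = 8192 hash rounds, the figure quoted in the README.
    """
    p, s = passphrase.encode(), essid.encode()
    b1, n1 = _pbkdf2_block(p, s, 1)
    b2, n2 = _pbkdf2_block(p, s, 2)
    return (b1 + b2)[:PMK_LEN], n1 + n2


def wpa_supplicant_network(passphrase: str, essid: str) -> str:
    """Render the network={} block with a precomputed pmk= line (README format)."""
    pmk_hex = wpa_pmk(passphrase, essid).hex()
    return f'network={{\n    ssid="{essid}"\n    pmk={pmk_hex}\n}}'


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    print(wpa_supplicant_network("password", "IEEE"))
```

Changing only the ESSID case ("IEEE" vs "ieee") already yields an unrelated PMK, which is why a table precomputed for one network name is useless against another.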
How do I patch the driver for injection with aireplay ?
As of now, aireplay only supports injection on Prism2, PrismGT (FullMAC),
Atheros, RTL8180 and Ralink. Injection on Centrino, Hermes, ACX1xx,
Aironet, Marvell and Broadcom is not supported because of firmware and/or
driver limitations.
Injection on Prism2 and Atheros is still pretty much experimental; if your
card appears to hang (no packets captured or injected), disable the
interface, reload the drivers and re-insert the card. Also consider
updating the firmware (if Prism2).
All drivers must be patched so as to support injection in Monitor mode. You
will need linux headers that match your current running kernel; if not, you
will have to download the linux source and compile a custom kernel.
If you have trouble patching and compiling stuff, you may want to use the
WHAX or Auditor LiveCD; both already include patched device drivers.
+ Installing the madwifi driver (Atheros cards)
Note 1: you'll need uudecode from the sharutils package.
Note 2: the 20050814 patch should also work with newer versions of the
madwifi CVS.
Note 3: if you use wpa_supplicant, you should recompile it (older
versions are not compatible with the current madwifi CVS), and make
sure CONFIG_DRIVER_MADWIFI=y is uncommented in config.h.
Note 4: with the current madwifi, it is no longer needed to run "iwpriv
ath0 mode 2", since the driver allows injection in mode 0 using the new
athXraw interface.
Note 5: some people have trouble with the current madwifi CVS; another
alternative is to use version 20050707, also available at
http://100h.org/wlan/linux/
+-----------------------------------+
| Allowed modes | Physical medium |
|---------------+-------------------|
| Mode 0 | Automatic (a/b/g) |
|---------------+-------------------|
| Mode 1 | 802.11a only |
|---------------+-------------------|
| Mode 2 | 802.11b only |
|---------------+-------------------|
| Mode 3 | 802.11g only |
+-----------------------------------+
ifconfig ath0 down
rmmod wlan_wep ath_rate_onoe ath_pci wlan ath_hal
find /lib/modules -name 'ath*' -exec rm -v {} \;
find /lib/modules -name 'wlan*' -exec rm -v {} \;
cd /usr/src
wget http://100h.org/wlan/linux/atheros/madwifi-cvs-20050814.tgz
wget http://100h.org/wlan/linux/patches/madwifi-cvs-20050814.patch
tar -xvzf madwifi-cvs-20050814.tgz
cd madwifi-cvs-20050814
patch -Np1 -i ../madwifi-cvs-20050814.patch
make && make install
modprobe ath_pci
It is now possible to set the transmit rate with madwifi (and also
rt2570). The recommended rate is 5.5 Mbps, but you can lower it or
raise it, depending on your distance from the AP. For example:
iwconfig ath0 rate 24M
+----------------------------------------------+
| Modulation | Allowed rates |
|------------+---------------------------------|
| DSSS / CCK | 1M, 2M, 5.5M, 11M |
|------------+---------------------------------|
| OFDM (a/g) | 6M, 9M, 12M, 24M, 36M, 48M, 54M |
+----------------------------------------------+
When using attacks 2, 3 and 4, changing the number of packets per
second sent by aireplay (option -x) sometimes helps get better
results; the default is 500 pps.
+ Installing the prism54 driver (PrismGT FullMAC cards)
ifconfig eth1 down
rmmod prism54
cd /usr/src
wget http://100h.org/wlan/linux/prismgt/prism54-svn-20050724.tgz
wget http://100h.org/wlan/linux/patches/prism54-svn-20050724.patch
tar -xvzf prism54-svn-20050724.tgz
cd prism54-svn-20050724
patch -Np1 -i ../prism54-svn-20050724.patch
make modules && make install
wget http://100h.org/wlan/linux/prismgt/1.0.4.3.arm
mkdir -p /usr/lib/hotplug/firmware
mkdir -p /lib/firmware
cp 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
mv 1.0.4.3.arm /lib/firmware/isl3890
depmod -a
+ Installing the HostAP driver (Prism2 cards)
ifconfig wlan0 down
wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
/etc/init.d/pcmcia stop
rmmod prism2_pci
rmmod hostap_pci
cd /usr/src
wget http://100h.org/wlan/linux/prism2/hostap-driver-0.3.9.tar.gz
wget http://100h.org/wlan/linux/patches/hostap-driver-0.3.9.patch
tar -xvzf hostap-driver-0.3.9.tar.gz
cd hostap-driver-0.3.9
patch -Np1 -i ../hostap-driver-0.3.9.patch
make && make install
mv -f /etc/pcmcia/wlan-ng.conf /etc/pcmcia/wlan-ng.conf~
/etc/init.d/pcmcia start
modprobe hostap_pci &>/dev/null
+ Installing the wlan-ng driver (Prism2 cards)
Important note: when the card is inserted, wlan-ng will flash the
firmware in RAM (volatile download) with versions PRI 1.1.4 and STA
1.8.3. Many users experienced problems with this operation, so in any
case it's safer to just use hostap instead. Furthermore, HostAP works
more reliably and supports iwconfig whereas wlan-ng doesn't.
ifconfig wlan0 down
wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
/etc/init.d/pcmcia stop
rmmod prism2_pci
rmmod hostap_pci
find /lib/modules \( -name p80211* -o -name prism2* \) \
-exec rm -v {} \;
cd /usr/src
wget http://100h.org/wlan/linux/prism2/wlanng-0.2.1-pre26.tar.gz