User Manual
Contents
1. The -w option is used to both write to the file and give it a prefix so it is easy to find. The interface specified here must be the same as created in step 3.

8a. Crack the WEP key using the aircrack-ng command:

    aircrack-ng -b <bssid> <packetfile>

The -b option in the command accepts identical information to the --bssid option in the previous step. It is the MAC address of the target network. The packet file to be checked is the one containing the prefix given to it in the previous step. You can also scan multiple packet files by using the wildcard in the name. If for some reason you have not captured enough packets, the command will give you an error and be unable to get the password. At this point you will need to begin from step 7a and repeat. It is recommended that you retrieve between 40 and 85 thousand points of data. This may take anywhere from seconds to minutes depending on the network traffic.

CONDUCT A WPA ATTACK

1. Determine network interfaces running on attack machine:

    ifconfig

2. Choose the wireless interface to use for monitoring. The network will be prefaced with wlan to indicate that it is a wireless network.

3. Place the wireless interface into monitoring mode:

    airmon-ng start <chosen interface>

4. Confirm wireless interface placed into monitoring mode:

    iwconfig

You will need to look for the wireless interface chosen in the previous step. If monitoring mode has been successfully
2. enabled, it will display an interface with the name of mon0.

5. Look for available networks to attack:

    airodump-ng <interface>

The interface entered here must be the monitoring interface created in step 3.

6. This command will display as much information as can be gathered about all of the wireless networks accessible by the machine. This information includes the BSSID (MAC address of the router), the CH (channel the network is operating on), and the ENC (encryption type). These encryption types include WEP, OPN (open), WPA, and WEP? (do not know encryption type).

The cracking of a WPA password is simultaneously easier and more difficult than WEP. In order to properly crack a WPA password you must have a password list to run through and compare to the hash value of the captured handshake. There are many easily obtainable, large, and well-organized open source password lists. This is balanced by requiring much less data to be captured by the network portion. A WPA password crack only requires that the handshake between a device and the network be captured. This occurs when a device authenticates to a network.

7b. Listen to a specific channel and write all of the data to disk to be used for cracking of the password:

    airodump-ng --ignore-negative-one -c <channel the network is on> --bssid <of target network> -w <prefix for capture file> <monitoring interface>

The --ignore-negative-one option bypasses a
3. known error in the current version of the airodump command. Without this option, data will not be captured. The -c option determines the wireless channel the command will copy information from. The --bssid option is the MAC address of the network you wish to capture data from. The -w option is used to both write to the file and give it a prefix so it is easy to find. The interface specified here must be the same as created in step 3.

8b. Wait until the top right corner of the information displayed on the screen tells you that a WPA handshake has been captured. This area will remain blank until the capture has occurred. This may take anywhere from hours to days depending on how often people authenticate to the network.

9b. Run the capture file against the user-supplied password list. This will hash each value in the password file and compare it to the contents of the WPA handshake:

    aircrack-ng --bssid <target network> -w <password dictionary file> <capture file>

The --bssid option is used identically to the previous steps. This is the MAC address of the target network. This is considered useful when your packet file contains the handshakes and information for multiple networks. The -w option is used to give the location of the password file to hash. The capture file option is used to specify any file using the prefix that was created in step 7b. This will pull up a command window that will s
4. of the previous options. Reaver is also highly dependent on the signal strength of the network connection. If there is a weak signal, the pins will not always be able to make it to the router, and the attack machine may also not be able to retrieve the response.

CONCLUSION

These instructions cover the most common wireless attack methods. They will allow the penetration of most consumer or small business networks. The best defense against these attacks is to change your password on a regular basis. You can also completely disable the Reaver attack vector by disabling the WPS functionality on your router.
5. Installation of Kali and the use of the aircrack-ng suite of tools

TABLE OF CONTENTS

Installation of Kali
Description of aircrack-ng Suite
Conduct WEP Attack
Conduct WPA Attack
Conduct a Reaver Attack
Conclusion

INSTALLATION OF KALI

Kali Live USB Stick Creation

1. Download Kali 64-bit ISO image from www.kali.org
2. Download Rufus Live USB Creator from rufus.akeo.ie
3. Connect 4 to 8 GB USB flash drive to computer
4. Open Rufus Live USB Creator
5. Select your USB Drive from the Device dropdown
6. Select MBR Partition Type for BIOS or UEFI
7. Select Large FAT32 File System type
8. Select Cluster Size
9. Give it a Volume name
10. Select Create a Bootable Disk image check box and from ISO from the Dropdown Menu
11. Select Create extended label and icon files

If you wanted to ensure file system and drive integrity, you could also select the check for bad blocks check box and choose the number of passes for the check.

Kali Installation onto a Macbook Air

1. Connect Kali Live USB to computer
2. Turn on machine holding the ALT button during boot
3. Select the Live USB stick from the boot options menu
4. Select Graphical Install
5. Select Manual Partitioning
6. Create a 500MB partition
    At the beginning of the drive
    Format to FAT32
    No mount point
7. Create 100GB Partition
    Set at the beginning of the remaining free space
    Format to ext4
    Use / as the mount point
8. Create swap partition
    Use rem
6. PA, and WEP? (do not know encryption type).

The final attack option is the Reaver tool. The Reaver tool exploits a vulnerability in WPS (Wi-Fi Protected Setup). This is a feature that most modern routers are equipped with. There are many small businesses and consumers that never disable this option because of its simplicity and ease of use. It is symbolized by a button on the router that appears to be two arrows chasing each other. This sends a pin between the two devices. Reaver uses this vulnerability in order to brute force the pin number and connect to the network.

7c. Install the Reaver package:

    apt-get install reaver

This installs the reaver package, as not all distributions come with it pre-installed.

8c. Run Reaver against the target network:

    reaver -i <interface> -b <BSSID>

This will send pins at a constant rate to the designated network until it finds the pin that allows a connection. The -i option is used to specify the wireless interface that was placed into monitoring mode in step 3 of this guide. The -b option is used to specify the BSSID, or MAC address, of the target network. This will continue to run until you either run into the limit of the router or you find the proper pin and gain access to the network. There are some routers that will only allow a certain number of pins to be sent to them before they lock themselves from remote pins. At this point the only way to crack the password is to use one
7. aining freespace
    Format as swapspace
    No mount point
9. Save and Write the partition information
10. Install Kali
11. Select Yes when asked to install GRUB to the MBR
12. Reboot the Macbook Air when install completed
13. Hold the ALT key during the reboot and select the USB stick from the boot options
14. Select the live boot option
15. Mount the 500MB FAT32 partition
16. Create a folder named EFI in the root of the FAT32 partition
17. Create a folder named Boot inside of the EFI folder
18. Download all files from ftp://mirrors.kernel.org/fedora/releases/18/Fedora/x86_64/os/EFI/boot
19. Transfer files to /EFI/Boot on the FAT32 partition
20. Mount installed Kali filesystem
21. Navigate to /boot/grub
22. Copy grub.cfg from /boot/grub to /EFI/Boot on FAT32 partition
23. Open /EFI/Boot/grub.cfg from the FAT32 partition
24. Change instances of linux to linuxefi
25. Change instances of initrd to initrdefi
26. Save changes to grub.cfg
27. Enter command shutdown -r now into a terminal window
28. Hold the ALT key during the reboot until the image of a hard drive labeled EFI Boot appears
29. Select EFI Boot
30. GRUB bootloader will then appear
31. Select your boot option

Enjoy your Kali Installation.

EFI Boot Structure

If the EFI Boot structure is the only boot device on the machine, the laptop should begin by loading the GRUB bootloader by default. It will also directly load the full non-repair version of the Kali installation without any interv
8. ention. This allows the machine to natively boot to Kali and run it as the sole operating system installed on the machine. There may also be additional repositories required for the update and installation of new software. For instructions on how to add the repositories, along with an extensive repository list, please visit www.linuxg.net, "Add the needed repositories for Kali Linux".

Forensics Mode

If you need to access the forensics mode for Kali, please boot up using the USB installation key that was created earlier in this process. Select the forensics option from the GRUB bootloader instead of the installation or repair options. The forensics mode will not by default mount any file systems external to the operating system. It gives you a clean baseline for a forensics analysis and also helps to prevent intrusions and infections from the system being analyzed.

Creation in Non-Windows Environment

All of the above instructions for creation of the Live USB assume you have access to a Windows 7 or higher installation. There may be other ways to create an Apple UEFI bootable USB drive in either OSX or Linux environments. They would still use an identical ISO image to the instructions that are used for the creation using Rufus, but would require an extensive knowledge of a command line environment.

DESCRIPTION OF AIRCRACK-NG SUITE

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys o
9. face chosen in the previous step. If monitoring mode has been successfully enabled, it will display an interface with the name of mon0.

5. Look for available networks to attack:

    airodump-ng <interface>

The interface entered here must be the monitoring interface created in step 3.

6. This command will display as much information as can be gathered about all of the wireless networks accessible by the machine. This information includes the BSSID (MAC address of the router), the CH (channel the network is operating on), and the ENC (encryption type). These encryption types include WEP, OPN (open), WPA, and WEP? (do not know encryption type).

This is now the stage where the instructions differ when cracking WEP and WPA. The cracking of WEP requires the capture of a large number of packets, also known as initialization vectors.

7a. Listen to a specific channel and write all of the data to disk to be used for cracking of the password:

    airodump-ng --ignore-negative-one -c <channel the network is on> --bssid <of target network> -w <prefix for capture file> <monitoring interface>

The --ignore-negative-one option bypasses a known error in the current version of the airodump command. Without this option, data will not be captured. The -c option determines the wireless channel the command will copy information from. The --bssid option is the MAC address of the network you wish to capture data from.
10. how each password being run through the command, along with the rate at which passwords are being hashed. If the password crack is not successful, you have the option to find either a larger password list, which can run into the billions of combinations, or run the packet file through another tool such as hashcat. These tools allow you to brute force the password but are outside the scope of this guide.

CONDUCT A REAVER ATTACK

1. Determine network interfaces running on attack machine:

    ifconfig

2. Choose the wireless interface to use for monitoring. The network will be prefaced with WLAN to indicate that it is a wireless network.

3. Place the wireless interface into monitoring mode:

    airmon-ng start <chosen interface>

4. Confirm wireless interface placed into monitoring mode:

    iwconfig

You will need to look for the wireless interface chosen in the previous step. If monitoring mode has been successfully enabled, it will display an interface with the name of mon0.

5. Look for available networks to attack:

    airodump-ng <interface>

The interface entered here must be the monitoring interface created in step 3.

6. This command will display as much information as can be gathered about all of the wireless networks accessible by the machine. This information includes the BSSID (MAC address of the router), the CH (channel the network is operating on), and the ENC (encryption type). These encryption types include WEP, OPN (open), W
11. nce enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks. These tools include programs such as airbase-ng, aircrack-ng, airdecap-ng, airdecloak-ng, airdriver-ng, airdrop-ng, aireplay-ng, airgraph-ng, airmon-ng, airodump-ng, airolib-ng, airserv-ng, airtun-ng, besside-ng, easside-ng, packetforge-ng, tkiptun-ng, and wesside-ng.

If you would like more specific details about the functionality of certain components of the suite, please visit the aircrack-ng suite website. This contains both detailed explanations of the individual tools in the suite and detailed tutorials for the use of each tool. For the purpose of this user manual we have focused on airmon, airodump-ng, and aircrack. The information is located at http://www.aircrack-ng.org/doku.php#aircrack-ng_suite1

CONDUCT A WEP ATTACK

1. Determine network interfaces running on attack machine:

    ifconfig

2. Choose the wireless interface to use for monitoring. The network will be prefaced with wlan to indicate that it is a wireless network.

3. Place the wireless interface into monitoring mode:

    airmon-ng start <chosen interface>

4. Confirm wireless interface placed into monitoring mode:

    iwconfig

You will need to look for the wireless inter