Hundreds, perhaps thousands, of articles have been written about attacking WEP, but how many people can actually crack it? Beginners usually get discouraged by the commands, by the kinds of card required and, more than anything, by being unfamiliar with the Linux environment. In this series we walk through WEP cracking step by step.

The first part helps you build a lab setup and walks through the pieces of WEP cracking in a standardized, repeatable way, so that you can concentrate on the cracking tools without being tripped up by hardware or software problems. The whole process uses freely available software and needs no special hardware: a couple of laptops with wireless cards is enough. After all, you need something to study before you can crack anything. The second part describes how to provoke the access point into generating traffic and how to process the captured data; after these two parts you will be able to crack a WEP key. The third part covers the defensive skills needed to keep intruders out of a wireless network.

Although WEP cracking can be done on a single laptop, ideally you should use two machines: one runs the active attack that stimulates the data flow so that enough data is captured in a short time, while the other sniffs (captures) the traffic the first machine provokes. You can in fact do it all on one machine with one wireless card, but I advise against it when you are just starting out: it tends to cause confusion about what you are doing, and I have found that the audit programs become a little unstable when used that way.
Note that combining an active attack with a passive capture raises the chance of success and speeds up the crack, because it generates far more packets than normal operation would. Here is the list of hardware needed in our lab:
The two icons that matter are the program menu and the command line at the bottom left of the screen.
Before going further, make sure the wireless card is properly inserted and has been configured by Auditor: click the command line icon and type iwconfig.
In the output Auditor prints, look for wlan0: it means the card has a PRISM-based chipset and Auditor has detected your network card. Configure laptop B the same way and then shut it down; you will not need it until part two, where you learn how to provoke traffic and capture it with laptop A. Now start Kismet, a useful tool for detecting WLANs and APs. It also captures traffic, but there is a better program for that, airodump, part of aircrack, which is very good for WEP cracking, so that is what we will use; make sure the wireless card is
Besides scanning for wireless networks, Kismet writes the captured data to a file for later analysis, so it asks where to store the capture file: click Desktop and then OK.
Once Kismet is running it lists every wireless network in range, including the target AP you set up, with the channel shown in the CH column; check that it matches what you noted earlier. If Kismet lists many other APs near your lab, move the lab a little further away from other people's APs.
While Kismet is running you will see the packet counts for all the APs changing on the right of the screen. Kismet shows the total number of networks found, the number of packets captured and the number of encrypted packets. Even with the target computer switched off you still see packets from the AP, because every few seconds the AP transmits a beacon announcing its presence. Kismet runs in autofit mode and does not list the APs in a fixed order; press S to sort, pick a sort order, and the display becomes much easier to read. Pressing C sorts the APs by channel.
By default Kismet hops across channels 1 to 11; move the highlight to your SSID and press L so that Kismet locks onto that SSID's channel.
Now that Kismet is running, let us see what happens when the target computer on the network starts exchanging data. Connect the target machine to the network while Kismet keeps scanning: as it boots into Windows and associates with the AP, notice that Kismet quickly captures a batch of encrypted data. You will use packets like these for the attack in part two.

At this point you know the basic setup for WEP cracking: one AP, two laptops (sniffer and attacker) up and running, and you are familiar with finding the software on the Auditor disk and using Kismet to find the wireless networks in range. In part two we use laptop B to provoke the WLAN into generating traffic, capture it, and actually crack the key. Until then, get comfortable using Kismet against your WLAN and explore the other tools on the Auditor disk.

Part two

In part one we showed the basics of WEP cracking: configuring the WLAN and the two laptops, one to sniff and one to attack. In this part we show how to use the other tools on the Auditor CD to capture traffic and use it to crack WEP. We also show how to use deauthentication and packet replay to provoke the WLAN into generating traffic, which is the main way to cut the cracking time.

Before starting, a few points that can save time and improve your chances of using these programs successfully. You need a basic grasp of networking terms and fundamentals; you should know how to ping a host, open a command prompt and type commands; Linux basics help too. The hardware requirements are the same as in part one: a WLAN and a target computer connected to the AP. It is important in this lab that you do not access other people's APs without the owner's consent. Again, this can all be done on a single laptop rather than two, but for clarity and to avoid confusion we use two laptops. The four main tools used in this part are AIRODUMP, VOID11, AIREPLAY and AIRCRACK, all on the Auditor disk.
- AIRODUMP: scans wireless networks and captures packets to a file.
- VOID11: deauthenticates computers from the AP, forcing them to reconnect to it and thereby generate ARP requests (to resolve MAC addresses).
- AIREPLAY: finds such an ARP request and re-sends it to the AP.
- AIRCRACK: takes the capture files produced by AIRODUMP and works out the key from them.
In part one you used Kismet to collect information; write the following down now, because you will need it later: the MAC address of the AP and the MAC address of the target computer.
In some cases people hide the SSID so that it is not broadcast, to keep certain software from seeing the network, but that does nothing against Kismet: it lists everything it captures. Finding the client's MAC: we need one last piece of information before starting the crack, the MAC address of the client connected to the AP. Go back to Kismet, press Q to return to the main menu, then press Shift+C to list the client MAC addresses; they appear in the left-hand pane.
While AIRODUMP runs you will see the AP's MAC listed under BSSID on the left, and the packet count and IVs count rising. This happens with any traffic, even when you are not browsing, and if you browse the web or check e-mail on the target computer you will see the IVs count climb faster. The IVs are what matter: they decide whether you can crack the key or not. Typically you need somewhere between 50,000 and 200,000 IVs for a 64-bit key and 200,000 to 700,000 for a 128-bit key. Note that with only normal traffic the IVs count grows slowly; it can take an hour or even a day to capture enough data for a successful crack. Fortunately there are tools to speed this up. The quickest way to produce lots of packets is to keep the WLAN busy; you can try downloading a file, or pinging some address from the target, for example: ping -t -l 5000 <some IP address>. This is where VOID11 comes in: VOID11 is used to deauthenticate the target computer from the AP in order to generate traffic. The target is kicked off the network and automatically reconnects to the AP, and the reconnection produces traffic that you can capture.
Start with laptop B booted from the Auditor CD, open a shell and enter the following commands:

Commands for setting up a void11 deauth attack
    switch-to-hostap
    cardctl eject
    cardctl insert
    iwconfig wlan0 channel THECHANNELNUM
    iwpriv wlan0 hostapd 1
    iwconfig wlan0 mode master
    void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

Replace THECHANNELNUM with the channel the AP is operating on, MACOFSTATION with the MAC of the target client and MACOFAP with the MAC of the AP. VOID11 may print an error message while running; ignore it. While laptop B is running, watch what happens on the target computer: the network slows down, then stalls entirely, and a few seconds later the machine is dropped off the network. You can verify this by keeping a ping running from the target to the AP. This is before VOID11 is started on laptop B:
Watch laptop A: the IVs count jumps very quickly within a few seconds, by 100 to 200, because the target and the AP are re-associating.

Packet replay with AIREPLAY. Although deauthentication generates traffic, it does not usually make the IVs count grow fast enough. To generate traffic more effectively we turn to a replay attack. A replay attack works on a captured packet generated by the target: it makes the receiving side believe it has received that packet again, and repeats it far more often than would normally happen. Stop the deauthentication attack, then start AIREPLAY to work with the captured packets, which are ARP requests.
Let us begin from a clean state, that is, restart both laptops A and B. Note the roles: laptop A runs only AIREPLAY, to provoke network traffic and IVs and save cracking time, while laptop B runs AIRODUMP or VOID11, and also AIRCRACK, to perform the crack from the packets collected.
First start AIREPLAY on laptop A by entering the following commands:

Commands to set up aireplay to listen for an ARP packet
    switch-to-wlanng
    cardctl eject
    cardctl insert
    monitor.wlan wlan0 THECHANNELNUM
    cd /ramdisk
    aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

Note that switch-to-wlanng and monitor.wlan are helper scripts included on the disk to simplify the commands. Replace THECHANNELNUM with the channel number found in the earlier steps and MACADDRESSOFAP with the MAC of the AP. Now power up the target computer so that it connects to the AP, then go to laptop B, start VOID11 and watch: the client's network signal gradually drops and sometimes disappears completely, while AIREPLAY's counters rise quickly. From time to time AIREPLAY reports a packet it found and asks whether you want to replay it.
You want a packet that matches the following criteria:

    FromDS - 0
    ToDS - 1
    BSSID - MAC Address of the Target AP
    Source MAC - MAC Address of the Target computer
    Destination MAC - FF:FF:FF:FF:FF:FF

Press n if it does not match and AIREPLAY resumes listening; press y to confirm if the criteria match, and AIREPLAY switches from capture mode to replay mode. Immediately go back to laptop B and stop VOID11. Capturing a packet with the help of deauthentication is considered the trickiest part of the crack. It does generate traffic, but not much of it during the client's reconnection to the AP, and capturing can be more complicated depending on the card driver and the client's operating system: VOID11 can easily overwhelm the client with deauthentication packets before it even has time to reconnect. Sometimes you get lucky with the first packets, sometimes you have to wait for a matching packet. The command also has a -d parameter that sets a delay. At this point laptop A is running AIREPLAY, giving us enough IVs to carry out the crack. Stop VOID11 on laptop B, start AIRODUMP and enter the following commands:

Starting up airodump after stopping void11
    switch-to-wlanng
    cardctl eject
    cardctl insert
    monitor.wlan wlan0 THECHANNELNUM
    cd /ramdisk
    airodump wlan0 cap1
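From the defender's side, the two traffic-forcing steps above (the VOID11 deauthentication burst and the AIREPLAY re-injection of a ToDS broadcast frame of fixed size) both have a very recognisable shape in a monitor-mode capture. The following is an added example, not code from the original article or from any of the tools it names: two sliding-window checks of the kind a wireless IDS runs. The Frame records are a simplified view of parsed 802.11 headers, the MAC addresses are placeholders, the sample stream in sample_capture() is constructed rather than captured, and the thresholds are illustrative starting points for tuning.

```python
"""Wireless-IDS style checks for the two traffic-forcing techniques the
article describes: a deauthentication flood and an ARP-request replay.

Added example for this article, not code from the original.  The Frame
records are a simplified view of parsed 802.11 headers, and the sample
stream in sample_capture() is constructed (placeholder MACs), not real
capture data.  Thresholds are illustrative starting points for tuning.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    subtype: str    # "deauth", "data", "beacon", ...
    src: str
    dst: str
    bssid: str
    to_ds: bool
    from_ds: bool
    length: int     # frame length in bytes


def _sliding_count_alerts(events, window, threshold):
    """Generic sliding-window counter: events is an iterable of (ts, key);
    returns the keys that ever exceed `threshold` events within `window`."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, key in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append(ts)
        while q and q[0] < ts - window:     # forget events older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.add(key)
    return sorted(alerts)


def detect_deauth_flood(frames: Iterable[Frame], window: float = 5.0,
                        threshold: int = 10) -> List[Tuple[str, str]]:
    """Flag (bssid, victim) pairs hit by more than `threshold` deauth frames
    in `window` seconds.  A healthy WLAN sends a handful of deauths per day;
    the void11-style attack above sends dozens per second."""
    events = [(f.ts, (f.bssid, f.dst)) for f in frames if f.subtype == "deauth"]
    return _sliding_count_alerts(events, window, threshold)


def detect_arp_replay(frames: Iterable[Frame], window: float = 5.0,
                      threshold: int = 100) -> List[Tuple[str, int]]:
    """Flag stations sending many same-length ToDS broadcast data frames in a
    short window.  That is the shape aireplay selects (ToDS=1, FromDS=0,
    broadcast destination, fixed size such as 68 bytes), repeated far faster
    than any real client resolves addresses."""
    events = [(f.ts, (f.src, f.length)) for f in frames
              if f.subtype == "data" and f.to_ds and not f.from_ds
              and f.dst == BROADCAST]
    return _sliding_count_alerts(events, window, threshold)


def sample_capture() -> List[Frame]:
    """Constructed stream: normal traffic, then a deauth burst (50 frames in
    2 s) and a replay burst (300 identical 68-byte frames in 3 s)."""
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # placeholder MACs
    frames = []
    for i in range(20):                                   # ordinary beacons + data
        frames.append(Frame(i * 0.1, "beacon", ap, BROADCAST, ap, False, False, 120))
        frames.append(Frame(i * 0.1 + 0.05, "data", sta, ap, ap, True, False, 300 + i))
    for i in range(50):                                   # deauth flood
        frames.append(Frame(3.0 + i * 0.04, "deauth", ap, sta, ap, False, False, 26))
    for i in range(300):                                  # replayed ARP requests
        frames.append(Frame(6.0 + i * 0.01, "data", sta, BROADCAST, ap, True, False, 68))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    print("deauth floods:", detect_deauth_flood(cap))
    print("ARP replays:  ", detect_arp_replay(cap))
```

On the constructed stream the first check reports the (AP, station) pair being deauthenticated and the second reports the station replaying 68-byte broadcast frames; the first 40 frames of ordinary traffic trigger neither. In a real deployment the windows and thresholds are tuned per site, and alerts are correlated with the IV growth rate, since the whole point of the attack is to make one BSSID emit IVs far faster than its normal traffic would.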
You can replace the 2 (the fudge factor) with a larger number; the process becomes slower but the result is more reliable. AIRCRACK gives up if it does not find the key in 64-bit format; press Ctrl+C to stop it and the up arrow to rerun the previous AIRCRACK command, and it picks up the newly captured packets. The -p parameter enables multiple processes. Eventually you will see a screen like the following:
And here the key length is 128 bits. You should have a fairly powerful machine with a decent CPU and plenty of RAM. You can also separate the processing: save the capture files to another machine, which does not need to be connected to the network and only runs AIRCRACK over the packets AIRODUMP brought in, or save them to a USB device. Just open a command line and enter:

Saving capture files to USB flash drive
    mkdir /mnt/usb
    mount -t vfat /dev/uba1 /mnt/usb
    cp /ramdisk/cap*.cap /mnt/usb
    umount /mnt/usb

Conclusion: securing a network with a WEP (Wired Equivalent Privacy) key is not a good method; we should use the stronger security mode, WPA2 (Wi-Fi Protected Access version 2). Here is a summary of the commands:

Commands for setting up airodump
    iwconfig wlan0 mode monitor
    iwconfig wlan0 channel THECHANNELNUM
    cd /ramdisk
    airodump wlan0 cap

Commands for setting up a void11 deauth attack
    switch-to-hostap
    cardctl eject
    cardctl insert
    iwconfig wlan0 channel THECHANNELNUM
    iwpriv wlan0 hostapd 1
    iwconfig wlan0 mode master
Cracking a Wi-Fi network's WEP key, and how to protect against it
Friday, 20 June 2008 04:08

Wireless (Wi-Fi) networking is now quite common and used in many places for its convenience, but Wi-Fi security is a headache for quite a few people, especially home and non-expert users. In this article I discuss how a Wi-Fi network's WEP key can be recovered, and what can be done to prevent it.

General introduction to Wi-Fi and WEP. Wi-Fi, WIreless FIdelity (a term that is still disputed because it does not really mean anything), is a set of protocols for wireless devices based on the 802.11x standards; it covers access points and wireless end devices such as PC cards, USB cards and Wi-Fi PDAs that connect to each other. Wi-Fi uses several encryption standards to guard against unauthorized access, because a wireless link by nature cannot be physically restricted: anyone within coverage can reach the medium, so encryption is essential for users who need privacy and security. Wi-Fi currently has three main encryption types: WEP (Wired Equivalent Privacy), WPA (Wireless Protected Access) and WPA2. WEP is the earliest and the most widely supported by Wi-Fi equipment manufacturers; most Wi-Fi devices support WEP with key lengths from 40 to 128 bits. Recently many people have found weaknesses in the WEP scheme and released a great many cracking tools. WEP cannot be abandoned immediately, however, because it has been in widespread use for a long time and not every manufacturer has managed to add support for the other encryption types to the devices they make.

So where is WEP's weakness? Because WEP uses a stream cipher, it needs a mechanism to guarantee that two identical packets produce different ciphertext after encryption, so that an attacker cannot draw inferences from repeated output. To achieve this, a value called the IV (Initialization Vector) is combined with the key we enter, producing a different per-packet key each time data is encrypted. The IV is a 24-bit value chosen randomly for each packet; this is why the WEP key we actually specify is only 40 bits for "64-bit" encryption and 104 bits for "128-bit" encryption in access points, the other 24 bits being reserved for the IV. (You can check this yourself: when entering the key on an AP with 64-bit encryption selected, you can type only 5 characters as a string or 10 characters as hex, which is 40 bits.)
Because the sending device generates the IV randomly, it must be sent to the receiving device in the clear, in the packet header; the receiver uses the IV and the key to decrypt the rest of the packet. The IV is precisely the weak point of the WEP scheme: since it is only 24 bits long, there are just over 16 million possible IV values, so a cracker who captures enough packets can analyze these IVs and work out the key the victim is using. In the next part I describe the test Wi-Fi network and how the key is recovered.

Test setup and recovery method. The test setup I built is a realistic Wi-Fi network consisting of one D-Link DI-524 AP and one computer with a Wi-Fi card, referred to as the target AP and client, using 64-bit WEP encryption with the key 1a2b3c4d5e in hex (see figure 1).
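The two paragraphs above state the core of the problem: a 24-bit IV sent in the clear, prepended to the key, drives a stream cipher. The following is an added illustration, not code from the article, of what that means concretely. It implements RC4 from the textbook description, frames a packet the way WEP does (IV in the clear, body XORed with RC4(IV || key)), and shows that two frames sharing an IV leak the XOR of their plaintexts to a passive observer who never learns the key. It also computes the birthday bound for how quickly a random 24-bit IV is expected to repeat. The IVs and frame contents are constructed; the key is the article's own test value 1a2b3c4d5e; the CRC-32 ICV of a real WEP frame is omitted because it plays no part in this weakness.

```python
"""Why a 24-bit IV is WEP's weak point: keystream reuse under RC4.

Added illustration for this article, not code from the original post.
RC4 is implemented from the textbook description (KSA + PRGA); the
frames, the IVs and the key (1a2b3c4d5e, the article's own test key)
are constructed here, not taken from a capture.  The real WEP frame also
carries a CRC-32 ICV, omitted because it does not affect IV reuse.
"""
import math
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP framing: the 3-byte IV goes out in the clear and the body is XORed
    with RC4(IV || key).  Same IV and same key give an identical keystream."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leaked_plaintext_xor(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """What a passive observer learns from two frames that share an IV, with
    no knowledge of the key: c1 ^ c2 == p1 ^ p2, because the keystream
    cancels.  Returns None when the IVs differ (nothing learned this way)."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def expected_frames_for_iv_collision(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Birthday bound: frames needed before two randomly chosen IVs repeat
    with probability `prob`.  For 24 bits and p = 0.5 this is under 5,000
    frames, a few minutes of ordinary traffic, long before all 16.7 million
    IVs have been used."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - prob))))


if __name__ == "__main__":
    key = bytes.fromhex("1a2b3c4d5e")      # the article's 64-bit WEP test key
    iv = b"\x00\x00\x01"                   # constructed IV, reused by two frames
    f1 = wep_encrypt(iv, key, b"GET /index.html")
    f2 = wep_encrypt(iv, key, b"GET /admin.html")
    leak = leaked_plaintext_xor(f1, f2)
    print("observer learns p1 ^ p2 =", leak.hex())
    print("frames until a 50% chance of IV repeat:",
          expected_frames_for_iv_collision())
```

The birthday bound is the part worth remembering when reading the IV counts quoted later in the article: the 16 million IV space sounds large, but repeats are expected after a few thousand frames, and every repeat hands an observer a plaintext relation without any key material. WPA2's CCMP avoids this class of problem by construction (a 48-bit packet number, never reused under a key, and an authenticated cipher), which is why the conclusion of the first article recommends it.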
Figure 1: the Setup page of the test AP.

The cracking tools I used are the Aircrack 2.4 software suite running on Linux, NetStumbler, Kismet, a Linux live CD, and one laptop with two Wi-Fi adapters (or two computers, each with one card compatible with aircrack). As the saying goes, know your enemy and know yourself and you will win a hundred battles: to crack the target Wi-Fi network we first have to know everything about it, as well as its owner does (except, of course, the key). So what do we need to know?

- The SSID or ESSID (Service Set IDentifier, roughly the network's name, like the workgroup name of a peer-to-peer LAN); in this test setup I named it thunghiem.
- The network's channel; here it is channel 11.
- The encryption type; here it is 64-bit WEP.
- The MAC address of the AP and the MAC address of the target machine's card.

What do we use to collect this information? NetStumbler (see figure 2) on Windows, or Kismet on Linux. NetStumbler cannot show the target client's MAC, so we use Kismet or the airodump program from the aircrack suite to collect it.
Figure 3: deauthenticating the client, forging ARP and injecting data to increase network traffic. airodump is used to monitor and capture the packets the AP transmits, saving them to a capture file (figure 4).
Figure 4: capturing data packets; the Station column shows the client's MAC address. aircrack is used to read the capture file and search for the key (figure 5).
Figure 5: finding the key with aircrack; it takes only a second!

I will not write out the exact command lines and parameters here, since the help switch of each program gives the exact syntax. But first we must put our two Wi-Fi cards into monitor mode; see the help for ifconfig and iwconfig for how to do that. Because my test network carried very little traffic, I used aireplay to inject packets towards the AP. Roughly, aireplay works by sending deauthentication packets to the AP, causing the AP to drop the connection and the client to leave the network (many people use this to disrupt Wi-Fi cafés); the client then has to send ARP requests to reconnect to the AP. Next we run aireplay with different parameters, together with the client's MAC address, to impersonate the client and send these ARP requests continuously to the AP, making the AP answer them. While aireplay runs, we run airodump to capture the AP's replies, which contain IVs (note that aireplay and airodump must run on two different cards, not the same one). Watching airodump's screen, you will see the IV count in the #Data column rise rapidly, along with the packet count in the Beacons column, when aireplay is injecting data. The documentation says that somewhat under 500 thousand IVs are needed to recover a 64-bit key and 500 thousand or more for a 128-bit key; in practice I needed just over 300k IVs to succeed. Once airodump has captured a good number, leave it running, open another console window and run aircrack to read the IVs from the file airodump saved and search for the key; this is very fast, usually under 5 seconds on my P4 Mobile machine. The total time for injecting data and finding the key was under an hour, quite impressive, isn't it? This toolset can also recover keys for WPA, a far safer and stronger scheme than WEP, but for lack of space I do not cover that in this article.

Security measures for Wi-Fi networks. In this part I present ways to secure a Wi-Fi network and analyze the pros and cons of each, from the simplest to the most complex; all of them can be done by anyone. They can be applied individually or combined.

- Switch off the access point: when you have finished using the network, or no longer need it, simply power the AP off. This sounds extreme and a little comical, but it is 100% effective.
- Disable SSID broadcast: most APs let you turn this off; it makes the wireless utility
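To make the recommendations concrete, here is an added example (not from the article) that audits a hostapd-style access-point configuration for the weaknesses discussed: a WEP key, WPA1 or TKIP still enabled, a short passphrase, and the hidden-SSID setting which, as the first article notes, does not stop Kismet. The two configurations are constructed (the SSID and WEP key are the article's test values, the passphrase is a placeholder); the option names are standard hostapd.conf keys.

```python
"""Audit an access-point configuration for the weaknesses this article
discusses.  Added example, not code from the original article; the two
hostapd-style configurations are constructed (SSID and WEP key are the
article's test values, the passphrase is a placeholder) and the option
names are standard hostapd.conf keys.
"""
from typing import Dict, List

WEAK_CONF = """\
interface=wlan0
ssid=thunghiem
channel=11
auth_algs=1
wep_default_key=0
wep_key0=1a2b3c4d5e
ignore_broadcast_ssid=1
"""

HARDENED_CONF = """\
interface=wlan0
ssid=thunghiem
channel=11
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=placeholder-long-random-passphrase
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """Minimal key=value parser for hostapd.conf (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> List[str]:
    """Return finding codes for the configuration; an empty list is clean."""
    c = parse_hostapd(text)
    findings = []
    wpa = c.get("wpa", "0")          # hostapd bitfield: 1=WPA, 2=WPA2/RSN, 3=both
    if any(k.startswith("wep_key") for k in c):
        findings.append("WEP_KEY_CONFIGURED")        # 24-bit IV weakness
    elif wpa == "0":
        findings.append("OPEN_NETWORK")
    if wpa == "1":
        findings.append("WPA1_ONLY")
    elif wpa == "3":
        findings.append("WPA1_STILL_ALLOWED")
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP_ALLOWED")              # RC4-based; use CCMP
    if c.get("ignore_broadcast_ssid", "0") != "0":
        # hiding the SSID does not stop Kismet-style sniffers; informational
        findings.append("HIDDEN_SSID_IS_NOT_PROTECTION")
    passphrase = c.get("wpa_passphrase")
    if wpa != "0" and passphrase is not None and len(passphrase) < 12:
        findings.append("SHORT_PASSPHRASE")          # hostapd allows 8; demand more
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_hostapd(WEAK_CONF))
    print("hardened:", audit_hostapd(HARDENED_CONF))
```

Run against the weak configuration the audit reports the WEP key and the hidden SSID; against the hardened one it reports nothing. The passphrase check is deliberately stricter than hostapd's own minimum of 8 characters, since WPA2-PSK is only as strong as the passphrase chosen.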