Rabu, 12 Agustus 2009


Software: BackTrack Remote Exploit V3Download: http://www.remote-exploit.org
Chipset: ATHEROS (Cisco Aironet 802.11 a/b/g / NECWarpStar WL54AG, Netgear WG311T)
- Boot from CD or HD with BT V3
- 64 MB free writeable Space
- 2 Shells (under Xwindows it’s easier (startx))
If XWindows doesn’t work, configure it wirh
“xconf” or„xorgconfig --textmode“
- BT = BackTrack
- MAC = MAC Address
- AP = Accesspoint
- CL = Client
- IFC = Interface (here ath0 placeholder)
- FILE = Log file 2 store the packets
- CH = Channel- DIC = Dictionary File (.dic or .txt)
This Hack is only working with the Brute Force method.
My Core2Duo 3GHz hacks 420 Keys / Sec.
It doesn’t matter WPA or WPA2. For hacking it is thesame.
ONLY WPA2 encrypted as TKIP works.
AES isincompatible!
General Conditions:
- Accesspoint with good Signal
- one Client, who is connected to the AP.
- A Dictionary FileHack it !

1) Wireless Device identificationWe want to know how our device is named in the System.Type „iwconfig“. With Atheros Chipsets the devices callsalways athX.
2) Fake that MAC! (optional)First, we fake our own MAC address. So nobody canidentify us any more.ifconfig IFC hw ether 00:11:22:33:44:55
3) Turn on Monitor ModeTo get all the packages we put our device in the„Promiscuous Mode“First we kill the monitor mode on the ath0 device andcreate a new monitor device over the wifi0 device. Afterwe created the monitor device, we can use the ath0.airmon-ng stop ath0 (delete the monitor mode)airmon-ng start wifi0 (start monitor mode auf ath0)
4) What is online ? (SHELL 1)Search some AP’s with already connected Clients.(you can see it in the bottom half of the screen, callsStations and Clients)airodump-ng –w FILE IFCCTRL – C
5) Choose your enemy (SHELL 1)Please remember the MAC address of the AP you want tohack. Remember also the channel number from the AP youwant to hack.Now we only want to collect the packages on that channeland we like to store that traffic in a CAP-file.(DONT USE „--ivs“ Option!!)airodump-ng –w FILE –c CH --bssid APMAC IFC
6) Waiting for a Handshake ! (SHELL 2)Ok .. now we can wait for a Handshake. (You can see it inthe ariodump-ng window SHELL 1). The “enemy” don’t feelanything about. But this can take a long time. You have towait for a client-reconnect from which you will get thehandshake. But we can provoke a reconnect form a client.How can we provoke a reconnect? easy… we tell to the AP„Hello I am the client , and I want to disconnect.” The realClient think „Shiiit I am disconnected.. I must reconnectimmediately!“ And we get the handshake we need and westore it in SHELL1You can see it in the first line of SHELL1.So, if you want provoke a reconnect, type more then onetimes the fallowing command. (wait 5-20s between)aireplay-ng -0 1 -a AP_MAC –c CL_MAC IFC
7) Crack the key! (SHELL 1)Ok … we got the handshake. Let’s crack it! We compare thestored handshake in the .cap file with the dictionary file.aircrack-ng -0 –x2 -w DIC FILE.cap
8) Connect to the hacked AP (SHELL2)With a MAC filtered AP you have to set a trusted MACaddress from a client on your own card.ifconfig IFC down hw ether CL_MAC (maybe reset IFC first)and then connect to the AP
dikarenakan waktu gw gak banyak, jadi gw sajikan trik wpa/wpa2 masih dalam versi inggris klo ada waktu nanti gw akan ganti beserta gambarnya.he...he...he...

0 komentar:

Designed by Animart Powered by Blogger