Nearby0051's Notes
Notes submitted or commented on by Nearby0051
| Id | Creator | Description | Created at | Last changed |
|---|---|---|---|---|
| 2929210 | Nearby0051 | Fahrschule star drive via StreetComplete 37.0 | | |
| 2925030 | StefanHage | Not a public path. Please remove. The path is now blocked off. | | |
| 2926229 | Geo-Tobi | The correct name, which is also the one signposted, is Skatepark, without the r. I can of course change it myself the next time I start JOSM... if anyone is quicker, please go ahead. | | |
| 2925246 | Dylan22hewitt | In the previous section, we saw how easy it is to crack a WEP key on a busy network. In a busy network, the number of data increases very fast. One problem that we could face is if the network is not busy. If the network is not busy, the number of data will be increasing very, very slowly. At that time we're going to fake as an AP that doesn't have any clients connected to it, or an AP that has a client connected to it, but the client is not using the network as heavily as the client in the previous section. Let's look at an example. We will run airodump against the target AP, which is javaTpoint. We now have javaTpoint, the same AP that we used before, but the difference is that we've disconnected the clients that were connected to do this attack. As we can see, in the client area, there are no clients connected and the #Data is 0; it didn't even go to 1. In this section, we want to be able to crack a key like this, with 0 data: [image: Fake authentication attack] To solve this problem, what we can do is inject packets into the traffic. When we do this, we can force the AP to create new packets with new IVs in them, and then capture these IVs. But we have to authenticate our device with the target AP before we can inject packets. APs have lists of all of the devices that are connected to them. They can ignore any packets that come from a device that is not connected. If a device that doesn't have the key tries to send a packet to the router, the router will just ignore the packet, and it wouldn't even try to see what's inside it. Before we can inject packets into a router, we have to authenticate ourselves with the router. To do this, we're going to use a method called fake authentication. In the previous section, we already executed airodump. Let's see how we can use fake authentication. In the previous screenshot, we can see that AUTH has no value. Once we have done fake authentication, we will see an OPN show up there, which will mean that we have | | |
| 2925250 | Dylan22hewitt | In this section, we are going to discuss Wi-Fi Protected Access (WPA) encryption. After WEP, this encryption was designed to address all of the issues that made WEP very easy to crack. In WEP, the main issue is the short IV, which is sent as plain text in each packet. The short IV means that the possibility of having a unique IV in each packet can be exhausted in an active network, so that when we are injecting packets, we will end up with more than one packet that has the same IV. At that time, aircrack-ng can use statistical attacks to determine the key stream and WEP key for the network. In WPA, each packet is encrypted using a temporary key or unique key. It means that the number of data packets that we collect is irrelevant. If we collect one million packets, these packets are also not useful because they do not contain any information that we can use to crack the WPA key. WPA2 is the same as WPA. It works with the same methods, and using the same method it can be cracked. The only difference between WPA and WPA2 is that WPA2 uses an algorithm called Counter-Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption. | | |
| 2925247 | Dylan22hewitt | The AP now accepts packets that we send to it because we've successfully associated ourselves with it by using a fake authentication attack. We are now ready to inject packets into the AP and make the data increase very quickly, in order to decrypt the WEP key. ARP request replay is the first method of packet injection. In this method, we're going to wait for an AP packet, capture the packet, and inject it into the traffic. Once we do this, the AP will be forced to create a new packet with new IVs. We will capture the new packets, inject them back into the traffic again, and force the AP to create another packet with another IV. We will be repeating this process until the amount of data is high enough to crack the WEP key. Using the following command we can launch airodump-ng: [image: ARP request replay attack] We're going to add a --write command to store all of the packets that we capture into a file, which is arp-request-reply-test. When it runs, we will see that the target network has 0 data, it has no clients associated with it, and there is no traffic going through, which means that it's not useful; we can't crack its key. To solve this problem, we are going to perform a fake authentication attack as shown in the Fake authentication section, so that we can start injecting packets into the network, and it will accept them. That leads us to our next step, which is the ARP request reply step. In this step, we will inject packets into the target network, forcing it to create new packets with new IVs. The following command is used to do this: [image: ARP request replay attack] This command is very similar to the previous command, but in this command, we're going to use --arpreplay instead of --fakeauth. We will also include -b, for BSSID. With this command, we are going to wait for an ARP packet, capture it, and then reinject it out into the air. We can then see that we have captured an ARP packet, injected it, captured another, injected it into the traffic, and so on. The | | |
| 2925243 | Dylan22hewitt | In order to crack WEP, we first need to capture a large number of packets, which means we can capture a large number of IVs. Once we have done that, we will use a tool called aircrack-ng. This tool will be able to use statistical attacks to determine the key stream and the WEP key for the target network. This method is going to be better when we have more than two packets, and our chances of breaking the key will be higher. Let's look at the most basic case of cracking a WEP key. To do this, we will set the Wi-Fi card in monitor mode. After this, we will run the command airodump-ng wlan0 to see all of the networks that are within our Wi-Fi range, and then we will target one of those networks. Here wlan0 stands for the interface. The following output will be displayed after executing this command: [image: WEP Cracking] In this figure, the fourth network that has come up is javaTpoint. On this network, we are going to perform our attacks. We are going to run airodump against the javaTpoint network by using the following command: [image: WEP Cracking] Here, we run airodump against the javaTpoint network with a --bssid of 74:DA:DA:DB:F7:67. We include the --channel, number 11, and we add --write to store all of the packets that we capture into a file, which is wep. After running the above command, the following output will be displayed: [image: WEP Cracking] This is a busy network. #Data shows the number of useful packets that contain a different IV, and we can use it to crack the key. If the number is higher, then it is more likely that we can crack the key. In the following section, we can see the clients: [image: WEP Cracking] Now we use the ls command to list all the files. [image: WEP Cracking] We can see that we have the captured file that was specified in the write argument. Now we will launch aircrack-ng against the file that airodump has created for us. We can launch aircrack against it even if we didn't stop airodump. It will keep reading the new packets that airodump is capturing. Use the fol | | |
| 2925240 | Dylan22hewitt | In this section, we will discuss WEP (Wired Equivalent Privacy). It is the oldest one, and it can be easily broken. WEP uses the algorithm called RC4 encryption. In this algorithm, each packet is encrypted at the router or access point and then sent out into the air. Once the client receives this packet, the client will be able to transform it back to its original form because it has the key. In other words, we can say that the router encrypts the packet and sends it, and the client receives and decrypts it. The same happens if the client sends something to the router. It will first encrypt the packet using a key, send it to the router, and the router will be able to decrypt it, because it has the key. In this process, if a hacker captures the packet in the middle, then they will get the packet, but they wouldn't be able to see the contents of the packet because they do not have the key. [image: WEP Introduction] Each packet that is sent into the air has a unique keystream. The unique keystream is generated using a 24-bit IV (Initialization Vector). An initialization vector is a random number that is sent in each packet in plain text form, which is not encrypted. If someone captures the packet, they will not be able to read the packet content because it is encrypted, but they can read the IV in plain text form. The weakness with the IV is that it is sent in plain text and it is very short (only 24-bit). In a busy network, there will be a large number of packets sent in the air. At this time, a 24-bit number is not big enough. The IV will start repeating on a busy network. The repeated IVs can be used to determine the key stream. This makes WEP vulnerable to statistical attacks. To determine the key stream we can use a tool called aircrack-ng. This tool is used to determine the key stream. Once we have enough repeated IVs, then it will also be able to crack WEP and give us the key to the network. | | |
| 2925235 | dylan22hewitt | It is also known as a deauthentication attack. These attacks are very useful. These attacks allow us to disconnect any device from any network that is within our range, even if the network has encryption or uses a key. In a deauthentication attack, we are going to pretend to be the client and send a deauthentication packet to the router by changing our MAC address to the MAC address of the client and tell the router that we want to disconnect from you. At the same time, we are going to pretend to be the router by changing our MAC address to the router's MAC address until the client that we are requesting to be disconnected. After this, the connection will be lost. Through this process, we can disconnect or deauthenticate any client from any network. To do this, we will use a tool called aireplay-ng. [image: Deauthenticate the wireless client] First of all, we will run airodump-ng on the target network, because we want to see which clients or devices are connected to it. This time, we will not need the --write option, so we are just going to remove it. After airodump-ng has finished running, we are going to disconnect the device with STATION A8:7D:12:30:E9:A4 using aireplay-ng. [image: Syntax] [image: Deauthenticate the wireless client] After executing this command, the device whose STATION is A8:7D:12:30 lost the internet connection. We can only connect to the network again when we quit this executing command by pressing Ctrl + C. [image: Deauthenticate the wireless client] Here --deauth is used to tell aireplay-ng that we want to run a deauthentication attack, and we assign 100000, which is the number of packets, so that it keeps sending deauthentication packets to both the router and client and keeps the client disconnected. | | |
| 2925234 | Dylan22hewitt | In this step, we will run airodump-ng to see all the devices that are connected to a particular network and collect more information about it. Once we have a target network, it's useful to run airodump-ng on that network only, instead of running it on all the networks around us. Currently, we are running airodump-ng on all the networks around us. Now we are going to target the network BS1A-YW5, whose BSSID is 50:C8:E5:AF:F6:33. We are going to sniff on that network only. To do this, we will use the same program. The command will be as follows: [image: Run airodump-ng] Here --bssid 50:C8:E5:AF:F6:33 is the access point MAC address. It is used to eliminate extraneous traffic. [image: Run airodump-ng] Here the BSSID of all the devices is the same, because the devices are connected to the same network. | | |