
Sunday, June 16, 2013

BackTrack Wireless Penetration - Complete Guide

This tutorial is for educational purposes and I'm not responsible for any misuse of the aircrack-ng tool.

Here's a WEP and WPA cracking tutorial.

WEP Cracking Tutorial:
First of all you need the BackTrack Live CD (ISO or VMware image), which can be downloaded from:

Or a Linux distro with aircrack-ng installed (WEP can be cracked with other tools, but this tutorial is for aircrack-ng).
And the most important thing: YOU NEED TO HAVE A WIRELESS CARD that SUPPORTS INJECTION.

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the newer PTW attack, which makes the attack much faster compared to other WEP cracking tools.
In fact, Aircrack-ng is a set of tools for auditing wireless networks.
Tutorial: How to crack WEP with no wireless clients (it works with or without clients).
1) Find out which interface your wireless card is using, for example wlan0, mon0 or ath0.
My interface will be "wlan0".

2) To put your wireless card in monitor mode, type:
airmon-ng start wlan0
3) To check whether your wireless card supports injection, open a shell and type:
aireplay-ng -9 wlan0   or   aireplay-ng --test wlan0
4) To list all the wireless networks around your card:
airodump-ng wlan0
It will show you all the wireless names (ESSID), MAC addresses (BSSID), channels and so on.

5) To find your wireless card's MAC address, type:
macchanger -s wlan0
6) After you choose your TARGET, type:
airodump-ng --bssid (target MAC address or BSSID) -c (channel number) -w (any name) wlan0
Keep this shell open and open another one to type the remaining commands.

7) Use aireplay-ng to do a fake authentication with the access point.
This is a very important step.
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "DeAuthentication" packet. In this state, no new IVs are created because the AP is ignoring all the injected packets.
The lack of association with the access point is the single biggest reason why injection fails.
To associate with an access point, use fake authentication:
aireplay-ng -1 0 -e (target wireless name or ESSID) -a (target MAC address or BSSID) -h (your wireless card MAC address) wlan0
-e is optional.

8) The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets is covered in the next steps.
Here you can use 2 types of attack: either the ChopChop (-4) or the Fragmentation (-5) attack.
aireplay-ng -5 -b (target MAC address or BSSID) -h (your wireless card MAC address) wlan0
I prefer Fragmentation, but if Fragmentation doesn't work you can always try the ChopChop attack:
aireplay-ng -4 -b (target MAC address or BSSID) -h (your wireless card MAC address) wlan0
When a packet from the access point arrives, enter "y" to proceed. You may need to try a few to be successful.
If successful you will get:
"Success! The file "fragment-01234-42132148.xor" can then be used in the next step to generate an arp packet."
(This .xor file is called "example.xor" in the rest of this example.)
9) In the previous step we obtained the PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the file ending with "xor". We can then use this PRGA to generate a packet for injection. We will be generating an ARP packet for injection. The objective is to have the access point rebroadcast the injected ARP packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
packetforge-ng -0 -a (target MAC address or BSSID) -h (your wireless card MAC address) -k (destination IP) -l (source IP) -y (the .xor file you received in the last step) -w (any name)
10) Now, to inject the ARP packet, enter:
aireplay-ng -2 -r (name given to -w in packetforge-ng) wlan0
or
aireplay-ng -3 -r (name given to -w in packetforge-ng) -b (target MAC address) -h (your wireless card MAC address) wlan0
11) Run aircrack-ng on the capture file from the airodump-ng step:
aircrack-ng (name given to -w in the airodump-ng step)-01.cap
If you ran the airodump-ng step more than once with the same -w name, check the directory: the file counter increases each time.
For example, if you used -w lebgeek and then used the same name again, your last capture will be lebgeek-02.cap.

Cracking WPA:
WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that gives you the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key by brute force.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
Before we start: there is no difference between cracking WPA and WPA2 networks. The authentication methodology is basically the same for both, so the techniques you use are identical.
1) Start airodump-ng to collect authentication handshake
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
Follow the same steps as for WEP up to and including finding your wireless card's MAC address (macchanger), then:
airodump-ng -c (target channel) --bssid (target mac address or BSSID) -w (any name) wlan0
CH  9 ][ Elapsed: 4 s ][ 20010-12-6 16:30 ][ WPA handshake: 00:14:6C:7E:40:80
In the line above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

2) Use aireplay-ng to deauthenticate the wireless client.
"This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.
This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key."
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.
Open a new shell and type the following:
aireplay-ng -0 1 -a (target MAC address or BSSID) -c (MAC address of the connected client) wlan0
To know if it's working or not, check the output:
 16:30:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]
Tip:"The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet."
3) Run aircrack-ng to crack the pre-shared key.
aircrack-ng -w (any wordlist, .lst ...) -b (target MAC address) (name given to -w in airodump-ng)-01.cap
If you get this error: "No valid WPA handshakes found", it means you didn't capture any handshake.
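The deauthentication step above is also what a defender would watch for: one or two deauth frames are normal, a burst aimed at one station is the aireplay-ng -0 pattern. The following Python is an added example (not code from the post or from the aircrack-ng project) that parses raw 802.11 management headers and flags such bursts; the capture is a constructed fixture built inline, reusing the AP and station MACs quoted in this post.

```python
import struct
from collections import defaultdict

TYPE_MGMT, SUBTYPE_DEAUTH = 0, 12          # frame-control type/subtype of a deauthentication frame

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame: bytes) -> dict:
    """Decode the common 802.11 MAC header; deauth frames also carry a 2-byte reason code."""
    fc = struct.unpack_from("<H", frame, 0)[0]     # byte 0: version|type|subtype, byte 1: flags
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if (info["type"], info["subtype"]) == (TYPE_MGMT, SUBTYPE_DEAUTH):
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # follows the 2-byte sequence control
    return info

def deauth_bursts(capture, threshold=5, window=2.0):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns {(bssid, station): peak}
    for every station that received more than `threshold` deauths within `window` seconds."""
    recent, peak = defaultdict(list), {}
    for ts, frame in capture:
        p = parse_80211(frame)
        if "reason" not in p:                       # not a deauth frame
            continue
        key = (p["bssid"], p["dst"])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:               # slide the window forward
            times.pop(0)
        peak[key] = max(peak.get(key, 0), len(times))
    return {k: n for k, n in peak.items() if n > threshold}

# --- constructed sample capture (not real traffic); MACs are the ones quoted in the post ---
AP = bytes.fromhex("00146c7e4080")
STA = bytes.fromhex("000fb5343030")
OTHER = bytes.fromhex("000fb5aabbcc")
BROADCAST = b"\xff" * 6

def hdr(fc, dst, src, bssid, seq):
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", seq << 4)

def sample_deauth(dst, seq, reason=7):   # reason 7: class 3 frame from a non-associated station
    return hdr(0x00C0, dst, AP, AP, seq) + struct.pack("<H", reason)

SAMPLE_CAPTURE = [(0.0, hdr(0x0080, BROADCAST, AP, AP, 1))]                        # a beacon, ignored
SAMPLE_CAPTURE += [(1.0 + i * 0.1, sample_deauth(STA, 10 + i)) for i in range(8)]  # burst at one station
SAMPLE_CAPTURE += [(5.0, sample_deauth(OTHER, 30, reason=3))]                       # a single, normal deauth

if __name__ == "__main__":
    print(deauth_bursts(SAMPLE_CAPTURE))  # {('00:14:6c:7e:40:80', '00:0f:b5:34:30:30'): 8}
```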

Anyway, I won't waste my time with WPA cracking because Lebanese people use, most of the time, their phone numbers or strange names as passwords, so it's difficult to crack.
WPA cracking could be done by brute forcing, but imagine how much time it needs to be done?
Check this site to calculate the brute-forcing time needed to crack a password:
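As an added example (not code from the post), the following Python audits a candidate pre-shared key the way the WPA section above reasons: it falls to aircrack-ng only if it is in the wordlist, otherwise only plain brute force over its character set and length remains. The guess rate and the mini wordlist are assumed sample values, and random_passphrase() produces the 63-character random key the section recommends for a home network.

```python
import secrets
import string

WPA_MIN, WPA_MAX = 8, 63          # allowed WPA passphrase length, as stated in the post
ASSUMED_RATE = 100_000            # assumed PSK guesses per second (sample value, not measured)
SECONDS_PER_YEAR = 365 * 24 * 3600

# constructed stand-in for the wordlist aircrack-ng would be given with -w
SAMPLE_WORDLIST = {"password", "sunshine", "letmein123", "beirut2013", "03123456"}

def charset_size(pw: str) -> int:
    """Size of the smallest standard character set a brute force would need to cover."""
    size = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in chars for c in pw):
            size += len(chars)
    return size

def audit_passphrase(pw: str, wordlist=SAMPLE_WORDLIST, rate=ASSUMED_RATE):
    """Return (verdict, seconds_to_exhaust_search). A wordlist hit is the only fast path;
    otherwise the cost is charset^length guesses at `rate` per second."""
    if not WPA_MIN <= len(pw) <= WPA_MAX:
        return "invalid: WPA passphrases are 8 to 63 characters", 0.0
    if pw in wordlist:
        return "weak: in wordlist, recovered by the dictionary attack", len(wordlist) / rate
    keyspace = charset_size(pw) ** len(pw)
    seconds = keyspace / rate
    years = seconds / SECONDS_PER_YEAR
    verdict = "weak" if years < 1 else "strong"
    return f"{verdict}: brute force of {charset_size(pw)}^{len(pw)} keys takes ~{years:.3g} years", seconds

def random_passphrase(length: int = WPA_MAX) -> str:
    """The 63-character random passphrase the post recommends (letters, digits, symbols)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ("short", "password", "03123456", "Beirut!2013x", random_passphrase()):
        print(repr(candidate)[:20], "->", audit_passphrase(candidate)[0])
```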

Hope you enjoy it.
Will post some tutorials from time to time.
