Attacks on wireless networks



Wireless networks can be attacked in many ways. Let us look at some of the specific tools and techniques used in wireless network attacks, so that defences against them can be targeted where they matter.

Find and access the network

The first step is to find the network. Windows users can use NetStumbler for this. Unless you plan to work from a laptop in the car, you will also need to set up an external antenna. There are two basic types of antenna: directional and omnidirectional. A directional antenna only picks up signals from a single direction, while an omnidirectional antenna receives signals from all directions. If you want a good directional antenna, see www.cantenna.com, or read the instructions for building your own at www.turnpoint.net/wireless/cantennahowto.html. If you are unsure of the target's location, an omnidirectional antenna is the better choice.

Once the target network is found, you will want to use a tool such as Wireshark to check whether the network uses encryption. Kismet or NetStumbler can also do this check, but Wireshark additionally helps you determine whether MAC filtering is in use. If it is, a MAC spoofing tool is needed. Change-Mac is a tool that changes your computer's MAC address and so bypasses MAC address filtering. Change-Mac can be downloaded from http://www.softpedia.com/get/Security/Security-Related/Change-MAC.shtml. Once you know whether MAC filtering is in place and which encryption is used, you can use several different tools to crack the various encryption mechanisms.

Setting up Airodump

WEP cracking can be done from a single system or from two systems (one injecting traffic, the other sniffing it). Either way, we focus here on Aircrack. Aircrack is actually a tool suite that provides most of the tools you need to crack WEP. Aircrack includes:

Airodump - wireless packet capture

Aireplay - performs injection attacks

Aircrack - cracks the WEP key

The Aircrack suite can be started from the command line or, if you use BackTrack, found under Kmenu > BackTrack > Wireless Tools > Cracking > Aircrack.

First we need to configure the wireless card to capture ARP packets, using the following command:

airodump CARD dump CHANNEL 1

Let us look at what this command means. CARD is the name of the wireless card to use, and CHANNEL is the AP's channel; common channels are 1, 6 and 11. The final 1 on the command line tells Airodump to save only the IVs to the file. This also changes the capture file's extension from .cap to .ivs.

Configuring Aireplay

Aireplay is used to inject packets so as to increase the traffic available for cracking. Aireplay has several particularly useful attacks, including:

Attack 0: Deauthentication

Attack 1: Fake authentication

Attack 2: Interactive packet replay

Attack 3: ARP request replay attack

Attack 4: KoreK chopchop attack

Attack 5: Fragmentation attack

Attack 9: Injection test

Now let's take some time to walk through this interactively, so that I can show step by step how the tool is used. As an example, I will use deauthentication together with the ARP request replay attack. ARP (Address Resolution Protocol) maps a known IP address to an unknown MAC address. It is a two-step process. First, a broadcast message is sent requesting the physical address of the target. If a device recognises its own address in the message, it replies to the sender with an ARP message containing its own MAC address. The MAC address is saved in the ARP cache and used for subsequent frames. The process is the same for wireless clients: when a wireless client tries to communicate through an AP, it sends an ARP request. Because wireless networks are not as reliable as wired ones, several ARP messages are actually sent at once. On an encrypted network the responses are encrypted. Unless restricted, hundreds of ARP responses may appear in a matter of seconds.

Deauthentication and ARP injection

If for some reason a client device is deauthenticated, it will try to re-authenticate to the WAP. During this process several ARP requests occur. So I can use Aireplay with the -0 attack listed above against the WAP. This effectively deauthenticates the client and forces it to re-authenticate. Before you perform this attack, you need another system or another terminal window with Aireplay set up to capture the ARP requests, so that it can re-broadcast the packets and generate additional traffic. Perform the capture by entering the following command in a new terminal window:

aireplay -3 -b APMAC -h CLIENTMAC -x 500 DEVICE

The previous command tells Aireplay to listen for ARP requests from a specific client MAC address directed to the specified WAP MAC address, and then to broadcast them from your wireless NIC at 500 requests per second. Now you can perform the deauthentication attack:

aireplay -0 10 -a APMAC -c CLIENTMAC DEVICE

In this command APMAC is your WAP's MAC address, CLIENTMAC is the client's MAC address, and DEVICE is the device name.
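Both steps above leave a recognisable footprint on the air: a burst of deauthentication frames from one transmitter, and a WEP-protected frame (same 3-byte IV) retransmitted many times from one client. As an added, defender-side example that is not part of the original article or of the Aircrack suite, the following Python detector parses minimal 802.11 frames and flags both patterns; the MAC addresses, timestamps and frame contents are constructed sample data.

```python
import struct
from collections import Counter, defaultdict

# 802.11 frame control: byte 0 = version(2 bits) | type(2) | subtype(4); byte 1 bit 0x40 = Protected.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DEAUTH = 12
HDR_LEN = 24  # frame control, duration, addr1, addr2, addr3, sequence control

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def parse_frame(raw):
    """Return (type, subtype, protected, transmitter MAC, body) for a minimal 802.11 frame."""
    fc0, fc1, _dur, _a1, a2, _a3, _seq = struct.unpack("<BBH6s6s6sH", raw[:HDR_LEN])
    return (fc0 >> 2) & 0x3, fc0 >> 4, bool(fc1 & 0x40), a2.hex(":"), raw[HDR_LEN:]

def analyse(frames, deauth_threshold=5, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_bytes). Flags deauth bursts and WEP IV reuse."""
    deauth_buckets = Counter()  # (transmitter, time bucket) -> deauth frames seen
    ivs = defaultdict(Counter)  # transmitter -> WEP IV -> times seen
    for ts, raw in frames:
        ftype, subtype, protected, src, body = parse_frame(raw)
        if ftype == TYPE_MGMT and subtype == SUBTYPE_DEAUTH:
            deauth_buckets[(src, int(ts // window))] += 1
        elif ftype == TYPE_DATA and protected and len(body) >= 4 and not body[3] & 0x20:
            # WEP body starts with a 3-byte IV and a key-index byte; ExtIV bit (0x20) clear means WEP, not TKIP/CCMP.
            ivs[src][body[:3].hex()] += 1
    floods = {src: n for (src, _b), n in deauth_buckets.items() if n >= deauth_threshold}
    reused = {src: {iv: n for iv, n in c.items() if n > 1} for src, c in ivs.items()}
    return {"deauth_floods": floods, "wep_iv_reuse": {s: r for s, r in reused.items() if r}}

def frame(fc0, fc1, a1, a2, a3, body=b""):
    """Build a constructed 802.11 frame for the sample below (sequence control left at zero)."""
    return struct.pack("<BBH6s6s6sH", fc0, fc1, 0, mac(a1), mac(a2), mac(a3), 0) + body

# Constructed sample capture (not real traffic): AP 00:11:22:33:44:55, client 66:77:88:99:aa:bb.
AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
SAMPLE = [(0.0, frame(0x80, 0x00, BCAST, AP, AP))]  # one beacon
SAMPLE += [(0.1 + i * 0.05, frame(0xC0, 0x00, CLIENT, AP, AP, struct.pack("<H", 7)))
           for i in range(8)]  # eight deauths to the client within one second, reason code 7
SAMPLE += [(1.5 + i * 0.01, frame(0x08, 0x40, AP, CLIENT, AP, bytes.fromhex("a1b2c300") + b"\x00" * 40))
           for i in range(6)]  # the same WEP-protected frame (IV a1b2c3) seen six times
SAMPLE.append((2.0, frame(0x08, 0x40, AP, CLIENT, AP, bytes.fromhex("a1b2c400") + b"\x00" * 40)))  # fresh IV

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On real monitor-mode captures the frames would come from a pcap reader rather than the constructed list, and the threshold and window should be tuned to the site's normal roaming behaviour.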

Capturing IVs and cracking the WEP key

Once the attack begins, you will receive a steady stream of data. Breaking 64-bit WEP requires about 300,000 packets, and 128-bit WEP about 1,000,000 packets. To crack the key we use Aircrack, which can run while the packets are still being captured. Some common Aircrack options are:

-a [mode 1 or 2] 1 = WEP, 2 = WPA-PSK

-e [essid] network ID of the target

-b [bssid] MAC of the target access point

-q enable quiet mode

-w [path] path to a dictionary word list (WPA only)

-n [no. bits] WEP key length (64, 128, 152 or 256)

-f [fudge no.] defaults are 5 for 64-bit WEP and 2 for 128-bit WEP

Next, I crack the key with the following command:

aircrack -a 1 -b APMAC dump.ivs

This starts Aircrack and reads the data it needs from dump.ivs. In this case Aircrack ran for about 35 minutes and finally produced the following result:

64-bit WEP key: "3be6ae1345"

If your enterprise is still using WEP, you may want to try this technique against your own WAP in your own network security lab. Once you are familiar with this repeatable process, you can bring other network staff and the management team into the lab so they can see how WEP is attacked, and use that to explain how security should be improved. This also shows why the money spent building the lab is well spent.

Other wireless attack tools

For anyone building a wireless security lab, tools are essential. Here are some of them:

Mognet - An open source Java sniffing tool designed for handheld devices, although it also runs on other platforms. It performs real-time frame capture and can save and load frames in common formats such as Ethereal, Libpcap and TCPdump.

WaveStumbler - Another sniffer tool for Linux. It reports basic AP information such as channel, SSID and MAC.

AiroPeek - A commercial WLAN analysis tool for Windows that helps security experts deploy, secure and troubleshoot WLANs. AiroPeek can also perform site surveys, security assessments, client troubleshooting, WLAN monitoring, remote WLAN analysis and application-layer protocol analysis.

Airsnort - A Linux WLAN WEP cracking tool that recovers the encryption key. Airsnort passively monitors network traffic and calculates the encryption key once enough packets have been captured.

THC-wardrive - A Linux WAP mapping tool that works with GPS.

AirTraf - An 802.11b wireless network packet capture and decoding tool. This Linux tool collects and organises data packets, and performs bandwidth calculation and signal-strength analysis for each wireless node.

Airsnarf - A simple rogue WAP setup tool that demonstrates how a rogue AP can steal user names and passwords from public wireless hotspots. Airsnarf is designed to show the weakness of public 802.11b hotspots to an insider attack: a competing AP uses DNS and HTTP redirects to confuse users and sniff their user names and passwords.

Bluetooth attacks

Bluetooth is also vulnerable to attack. An early attack was Bluejacking. Although not really an attack, Bluejacking sends unsolicited messages from one Bluetooth device to other Bluetooth devices; these may include text, images or sounds. The second, more damaging attack is Bluesnarfing. Bluesnarfing is designed to steal data, schedule information or call information. Bluetooth attack tools include:

RedFang - A small tool that can be used to find Bluetooth devices that are otherwise difficult to discover.

Bluesniff - A spoofing-based search tool for Bluetooth mobile devices.

Btscanner - A Bluetooth scanner that can perform inquiry and brute-force scans, identify Bluetooth devices within range, export the scan results to a file and sort the results.

BlueBug - An attack on a Bluetooth security vulnerability in Bluetooth-enabled mobile phones. It allows unauthorised downloading of the phone book and call list, and sending and reading SMS messages from the attacked phone.