shared_key
Differences
shared_key [2007/03/27 18:28] – typo mister_x | shared_key [2010/08/29 19:48] – Fixed channel/frequency graph link mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: How to do shared key fake authentication ? ====== | ====== Tutorial: How to do shared key fake authentication ? ====== | ||
- | Version: 1.02 March 9, 2007\\ | + | Version: 1.08 November 7, 2008\\ |
By: darkAudax | By: darkAudax | ||
- | File linked to this tutorial: [[http:// | + | File linked to this tutorial: [[http:// |
===== Introduction ===== | ===== Introduction ===== | ||
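Review bot: the "Version: 1.08 November 7, 2008" line on the right is left unchanged by this revision even though the revision itself (dated 2010/08/29 in the header) alters the tutorial's channel/frequency link; the tutorial keeps its own version/date stamp, so bump it alongside the content change so readers can tell which edition they are following.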
Line 18: | Line 17: | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | I would like to acknowledge and thank the [[http:// | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
Line 26: | Line 25: | ||
First, this solution assumes: | First, this solution assumes: | ||
- | * You are using drivers patched for injection. | + | * You are using drivers patched for injection. |
- | * You are physically close enough to send and receive access point packets. | + | * You are physically close enough to send and receive access point packets. |
- | * You are using v0.7 of aircrack-ng. If you use a different version then some of the command options may have to be changed. NOTE: The shared key authentication feature is broken in v0.7 as of this writing. | + | * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed. |
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
Line 73: | Line 72: | ||
Enter the following command to start the wireless card on channel 9 in monitor mode: | Enter the following command to start the wireless card on channel 9 in monitor mode: | ||
- | airmon-ng start wifi0 9 | + | airmon-ng start wifi0 9 |
Note: In this command we use " | Note: In this command we use " | ||
Line 85: | Line 84: | ||
You will notice that " | You will notice that " | ||
- | |||
- | Then enter " | ||
To confirm the interface is properly setup, enter " | To confirm the interface is properly setup, enter " | ||
Line 108: | Line 105: | ||
Tx excessive retries: | Tx excessive retries: | ||
- | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | + | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. |
- | To match the frequency to the channel, check out: | + | To match the frequency to the channel, check out: http://www.cisco.com/en/US/ |
- | http://www.rflinx.com/help/calculations/# | + | |
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *If another interface started other then ath0 then you can use that one or use " | + | *If another interface started other then ath0 then you can use " |
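Review bot: the sentence added on the right, "Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no.", has a typo ("do no" should read "do not") and it is placed between the description of the expected iwconfig output and "So everything is good.", so the conclusion now reads as if it applies to the driver caveat. Suggest "..., other drivers do not." and moving the caveat after "So everything is good.", or rewording it as a parenthetical, so that a reader on a non-madwifi driver does not mistake a different Access Point field for a failed setup.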
Line 122: | Line 118: | ||
Open another console session to capture the PRGA xor file. Then enter: | Open another console session to capture the PRGA xor file. Then enter: | ||
- | airodump-ng -c 9 --bssid 00: | + | |
Where: | Where: | ||
*-c 9 is the channel for the wireless network | *-c 9 is the channel for the wireless network | ||
- | *--bssid 00: | + | *-'''' |
*-w sharedkey is file name prefix for the file which will contain the PRGA xor data. | *-w sharedkey is file name prefix for the file which will contain the PRGA xor data. | ||
*ath0 is the interface name. | *ath0 is the interface name. | ||
- | Beyond the error message shown in the introduction, | + | Beyond the error message shown in the introduction, |
CH 9 ][ Elapsed: 20 s ][ 2007-02-10 16:29 | CH 9 ][ Elapsed: 20 s ][ 2007-02-10 16:29 | ||
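Review bot: on the right side of this hunk the --bssid bullet now reads `*-''''`, which looks like broken DokuWiki monospace markup rather than the flag and its explanation, and the airodump-ng command line above "Where:" is empty; the left side still carries both. Restore the command (with -c 9, --bssid and -w sharedkey as described in the bullets) and the bullet text outside the quote marks, e.g. `* --bssid <AP MAC> is the MAC address of the access point`, so the bullets once again explain every option the reader is asked to type.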
Line 136: | Line 132: | ||
BSSID PWR RXQ Beacons | BSSID PWR RXQ Beacons | ||
- | 00: | + | 00: |
BSSID STATION | BSSID STATION | ||
Line 142: | Line 138: | ||
00: | 00: | ||
- | Once "PSK" appears on the airodump-ng screen, do file listing and it will look something like: | + | Once "SKA" appears on the airodump-ng screen |
- | sharedkey-01-00-14-6C-7E-40-80.xor | + | |
- | The " | + | |
+ | |||
+ | The " | ||
In real life, you will not likely be that lucky and happen to be sniffing when a wireless client associates with the access point yielding the PRGA xor file. To obtain the PRGA xor bit file, there are two basic methods: | In real life, you will not likely be that lucky and happen to be sniffing when a wireless client associates with the access point yielding the PRGA xor file. To obtain the PRGA xor bit file, there are two basic methods: | ||
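Review bot: changing "PSK" to "SKA" in the airodump-ng condition is the right fix: airodump-ng's AUTH column shows SKA for shared key authentication, whereas PSK denotes a WPA/WPA2 pre-shared-key network and would not appear for the WEP shared-key case this tutorial covers. The same hunk removes the example listing line `sharedkey-01-00-14-6C-7E-40-80.xor`; verify the replacement text on the right still shows the reader what the PRGA xor file name looks like, and that it agrees with the `sharedkey-04-00-14-6C-7E-40-80.xor` name used in Step 4 (or explain that the -NN sequence number increments with each airodump-ng run), since a reader who copies the Step 4 command verbatim will otherwise reference a file that does not exist.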
Line 151: | Line 148: | ||
* The first is to be patient. | * The first is to be patient. | ||
* The second method is to [[deauthentication|deauthenticate]] a client to force it to associate again. | * The second method is to [[deauthentication|deauthenticate]] a client to force it to associate again. | ||
- | |||
Line 160: | Line 156: | ||
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. | Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. | ||
- | aireplay-ng -0 1 -a 00: | + | aireplay-ng -0 1 -a 00: |
Where: | Where: | ||
* -0 means deauthentication | * -0 means deauthentication | ||
- | * 1 is the number of deauths to send (you can send muliple | + | * 1 is the number of deauths to send (you can send multiple |
* -a 00: | * -a 00: | ||
* -c 00: | * -c 00: | ||
Line 173: | Line 169: | ||
| | ||
- | Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier " | + | Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier " |
Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file. If not, try another deauthentication or against another client. | Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file. If not, try another deauthentication or against another client. | ||
Line 181: | Line 177: | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | * | + | * |
==== Step 4 - Perform Shared Key Fake Authentication ==== | ==== Step 4 - Perform Shared Key Fake Authentication ==== | ||
Line 187: | Line 183: | ||
Now that you have a PRGA xor file, you are ready to do the shared key fake authentication. | Now that you have a PRGA xor file, you are ready to do the shared key fake authentication. | ||
- | aireplay-ng -1 0 -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00: | + | aireplay-ng -1 0 -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00: |
Where: | Where: | ||
Line 236: | Line 232: | ||
=== Usage Tip === | === Usage Tip === | ||
- | * If you use a PRGA xor file obtained from a chopchop attack, be sure it is at least 144 bytes long. You need a mininum | + | * If you use a PRGA xor file obtained from a chopchop attack, be sure it is at least 144 bytes long. You need a minimum |
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
Line 242: | Line 238: | ||
* If you received the "Part 1 authentication failure" | * If you received the "Part 1 authentication failure" | ||
* Some access points are configured to only allow selected MAC access to associate and connect. | * Some access points are configured to only allow selected MAC access to associate and connect. | ||
- | * Make sure you are physically close enough to the access point to inject packets. | + | * Make sure you are physically close enough to the access point to inject packets. You can confirm that you can communicate with the specific AP by following [[injection_test# |
* If you received the " | * If you received the " | ||
shared_key.txt · Last modified: 2018/03/11 20:19 by mister_x