shared_key

shared_key [2007/02/14 19:18] – created darkaudax
shared_key [2018/03/11 20:19] (current) – Removed link to trac mister_x
Line 1: Line 1:
 ====== Tutorial: How to do shared key fake authentication ? ====== ====== Tutorial: How to do shared key fake authentication ? ======
-Version: 1.00 February 142007 (Change log is at the end) \\+Version: 1.08 November 72008\\
 By: darkAudax By: darkAudax
 +
 +File linked to this tutorial: [[http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap|wep.shared.key.authentication.cap]]
  
 ===== Introduction ===== ===== Introduction =====
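Review bot: the new version line "Version: 1.08 November 72008" is missing the separator between day and year (the old line had the same defect in "February 142007"); write it as "November 7, 2008". Dropping the "(Change log is at the end)" pointer is consistent with the Change Log section removed at the bottom of this revision, but the heading still carries a stray space before the question mark in "fake authentication ?".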
Line 15: Line 17:
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
  
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org|Aircrack-ng team]] for producing such a great robust tool. +I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool. 
  
-Please send me any constuctive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.+Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
  
  
Line 23: Line 25:
  
 First, this solution assumes: First, this solution assumes:
-  * You are using drivers patched for injection. You can sniff the packets with [[http://www.wireshark.org|Wireshark]] to confirm you are in fact injecting+  * You are using drivers patched for injection.  Use the [[injection_test|injection test]] to confirm your card can inject prior to proceeding
-  * You are physically close enough to send and receive access point packets.  Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength.  So you have to be physically close enough for your transmitted packets to reach and be received by the AP. +  * You are physically close enough to send and receive access point packets.  Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength.  So you have to be physically close enough for your transmitted packets to reach and be received by the AP.  You should confirm that you can communicate with the specific AP by following [[injection_test#hidden_or_specific_ssid|these instructions]]
-  * You are using v0.of aircrack-ng. If you use a different version then some of the command options may have to be changed.  NOTE: The shared key authentication feature is broken in v0.7 as of this writing.  So you MUST download the latest SVN version to be successful in this tutorial.+  * You are using v0.of aircrack-ng. If you use a different version then some of the command options may have to be changed.
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
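Review bot: the version bullet still reads "You are using v0.of aircrack-ng" with the version number missing, in both the old and the new text; now that the warning about the feature being broken in v0.7 is dropped, the version this revision was tested with should be stated explicitly. The proximity bullet keeps "you may will be able" and "less then", which should read "you will be able" and "less than".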
Line 56: Line 58:
 ==== Solution Overview ==== ==== Solution Overview ====
  
-In order to do a shared key fake authentication, you need to have a PRGA (pseudo random genration algorithm) xor file to feed into it.  We will look at the detailed steps to obtain this in a typical scenario.  Then use the PRGA xor file to do a fake authentication.+In order to do a shared key fake authentication, you need to have a PRGA (pseudo random generation algorithm) xor file to feed into it.  We will look at the detailed steps to obtain this in a typical scenario.  Then use the PRGA xor file to do a fake authentication.
  
 Here are the basic steps we will be going through: Here are the basic steps we will be going through:
Line 70: Line 72:
 Enter the following command to start the wireless card on channel 9 in monitor mode: Enter the following command to start the wireless card on channel 9 in monitor mode:
  
-airmon-ng start wifi0 9+   airmon-ng start wifi0 9
  
 Note: In this command we use "wifi0" instead of our wireless interface of "ath0" This is because the madwifi-ng drivers are being used. Note: In this command we use "wifi0" instead of our wireless interface of "ath0" This is because the madwifi-ng drivers are being used.
Line 82: Line 84:
  
 You will notice that "ath0" is reported above as being put into monitor mode. You will notice that "ath0" is reported above as being put into monitor mode.
- 
-Then enter "ifconfig ath0 up" to bring up ath0 to be used in later steps. 
  
 To confirm the interface is properly setup, enter "iwconfig". To confirm the interface is properly setup, enter "iwconfig".
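Review bot: removing the "ifconfig ath0 up" step is only safe if airmon-ng leaves ath0 up on its own; since the next paragraph relies on iwconfig to confirm the interface is set up, a one-line fallback noting that ath0 must be up before the later steps would keep readers on other driver versions from stalling here.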
Line 105: Line 105:
              Tx excessive retries: Invalid misc:  Missed beacon:0              Tx excessive retries: Invalid misc:  Missed beacon:0
  
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.+In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
  
-To match the frequency to the channel, check out: +To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 .  This will give you the frequency for each channel.
-http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.  This will give you the frequency for each channel.+
  
 === Troubleshooting Tips === === Troubleshooting Tips ===
  
-  *If another interface started other then ath0 then you can use that one or use "airomon-ng stop athX" where X is each interface you want to stop.+  *If another interface started other then ath0 then you can use "airomon-ng stop athX" where X is each interface you want to stop.  Once they are all stopped, then use "airmon-ng start wifi0 <channel>" to start it. 
  
 ==== Step 2 -  Start airodump-ng ==== ==== Step 2 -  Start airodump-ng ====
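Review bot: in the added sentence "Only the madwifi-ng drivers show the MAC address of the card in the AP field, other drivers do no." the last word should be "not", and it reads better as its own sentence placed before "So everything is good." The troubleshooting tip has "airomon-ng stop athX" (should be airmon-ng) and "other then ath0" (other than), both carried over unchanged from the old revision.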
Line 118: Line 118:
 Open another console session to capture the PRGA xor file.  Then enter: Open another console session to capture the PRGA xor file.  Then enter:
  
-airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w sharedkey ath0+  airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w sharedkey ath0
  
 Where: Where:
   *-c 9 is the channel for the wireless network   *-c 9 is the channel for the wireless network
-  *--bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic.+  *-''''-bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic.
   *-w sharedkey is file name prefix for the file which will contain the PRGA xor data.   *-w sharedkey is file name prefix for the file which will contain the PRGA xor data.
   *ath0 is the interface name.   *ath0 is the interface name.
  
-Beyond the error message shown in the introduction, how do you determine if shared key authentication is required?  In the screen below, notice the "PSK" for the AP under CIPHER.  This means it is using shared key authentication.  This will not show up until a client has successfully associated with the AP.+Beyond the error message shown in the introduction, how do you determine if shared key authentication is required?  In the screen below, notice the "SKA" for the AP under AUTH.  This means it is using shared key authentication.  This will not show up until a client has successfully associated with the AP.
  
     CH  9 ][ Elapsed: 20 s ][ 2007-02-10 16:29      CH  9 ][ Elapsed: 20 s ][ 2007-02-10 16:29 
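Review bot: the bullet "-''''-bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic." needs "eliminates", and "-w sharedkey is file name prefix" needs "the". The PSK to SKA correction is right: airodump-ng reports shared key authentication as "SKA" in the AUTH column, which is the column the capture below is read from.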
Line 132: Line 132:
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                                                                                                                                                    
-    00:14:6C:7E:40:80   37 100      197              11  WEP  WEP    PSK  teddy                            +    00:14:6C:7E:40:80   37 100      197              11  WEP  WEP    SKA  teddy                            
                                                                                                                                                                                                                                    
     BSSID              STATION            PWR  Lost  Packets  Probes                                                  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                                                                                                                                                    
-    00:14:6C:7E:40:80  00:0F:B5:34:30:30   61                  +    00:14:6C:7E:40:80  00:0F:B5:34:30:30   61                  
  
-Now if you do  file listingit will look something like: +Once "SKA" appears on the airodump-ng screen like in example above, do  file listing and it will look something like:
-sharedkey-01-00-14-6C-7E-40-80.xor  sharedkey-01.cap  sharedkey-01.txt+
  
-The "sharedkey-01-00-14-6C-7E-40-80.xor" contains the PRGA xor bits that can be used in a later step to successfully complete the fake authentication.+   sharedkey-01-00-14-6C-7E-40-80.xor  sharedkey-01.cap  sharedkey-01.txt
  
-Chances are will not be that lucky to capture shared key handshake that easily.  You have two basic choices for obtaining the PRGA xor bit file:+The "sharedkey-01-00-14-6C-7E-40-80.xor" file contains the PRGA xor bits that can be used in a later step to successfully complete the fake authentication.  The sample [[http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap|wep.shared key authentication file]] can be viewed with WireShark to see what the packet exchange looks like.  You can compare this to your own captures to determine if you are missing packets. 
 + 
 +In real life, you will not likely be that lucky and happen to be sniffing when wireless client associates with the access point yielding the PRGA xor file.  To obtain the PRGA xor bit file, there are two basic methods:
  
   * The first is to be patient.  Meaning start airodump-ng and just wait for a client to associate.  You know this has happened when CIPHER field goes from blank to "PSK" Success!  If this happens then skip step 3 "Deauthenticate a connected client" and proceed to step 4    * The first is to be patient.  Meaning start airodump-ng and just wait for a client to associate.  You know this has happened when CIPHER field goes from blank to "PSK" Success!  If this happens then skip step 3 "Deauthenticate a connected client" and proceed to step 4 
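Review bot: the unchanged bullet closing this hunk still says "You know this has happened when CIPHER field goes from blank to "PSK"", which contradicts the correction made a few lines above where the indicator is now "SKA" under AUTH; update the bullet to match. Also "do  file listing" should be "do a file listing", "when wireless client associates" needs "a", and the link text "wep.shared key authentication file" does not match the file name wep.shared.key.authentication.cap given at the top of the page.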
Line 155: Line 156:
 Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.  You need the MAC address for the following command: Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.  You need the MAC address for the following command:
  
-aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0+   aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
  
 Where: Where:
   * -0 means deauthentication   * -0 means deauthentication
-  * 1 is the number of deauths to send (you can send muliple if you wish)+  * 1 is the number of deauths to send (you can send multiple if you wish)
   * -a 00:14:6C:7E:40:80 is the MAC address of the access point   * -a 00:14:6C:7E:40:80 is the MAC address of the access point
   * -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing   * -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
   *ath0 is the interface name   *ath0 is the interface name
  
-Here is what the ouput looks like:+Here is what the output looks like:
  
    11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]    11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]
  
-Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier "airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w sharedkey ath0".+Prior to executing the command above, open another console and start airodump-ng in the same way as you did earlier "airodump-ng -c 9 -''''-bssid 00:14:6C:7E:40:80 -w sharedkey ath0".
  
 Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file.  If not, try another deauthentication or against another client. Once you run the deauthentication command, see if airodump-ng has output the PRGA xor file.  If not, try another deauthentication or against another client.
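Review bot: the paragraph "Prior to executing the command above, open another console and start airodump-ng ..." is a precondition for the deauthentication, so it belongs before the aireplay-ng command rather than after its sample output; a reader following the steps in order would otherwise send the deauth before airodump-ng is capturing and miss the handshake.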
Line 176: Line 177:
 === Troubleshooting Tips === === Troubleshooting Tips ===
  
-  *  Be sure you are physically close enough to send and receive access point packets.  Remember that just because you can receive packets from the access point does not mean you may will be able to transmit packets to the AP.  The wireless card strength is typically less then the AP strength So you have to be physically close enough for your transmitted packets to reach and be received by the AP.+  *  The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.
  
 ==== Step 4 - Perform Shared Key Fake Authentication ==== ==== Step 4 - Perform Shared Key Fake Authentication ====
Line 182: Line 183:
 Now that you have a PRGA xor file, you are ready to do the shared key fake authentication. Now that you have a PRGA xor file, you are ready to do the shared key fake authentication.
  
-aireplay-ng -1 0  -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0+   aireplay-ng -1 0  -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
  
 Where: Where:
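Review bot: the xor file in "-y sharedkey-04-00-14-6C-7E-40-80.xor" does not match the "sharedkey-01-00-14-6C-7E-40-80.xor" produced in Step 2; either use the same name or note that airodump-ng increments the -01/-02 suffix on each run with the same -w prefix, so the reader must pick the file from the run that actually captured the handshake.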
Line 231: Line 232:
 === Usage Tip === === Usage Tip ===
  
-  * If you use a PRGA xor file obtained from a chopchop attack, be sure it is at least 144 bytes long.  You need a mininum number of bits to successfully do the shared key fake authentication.+  * If you use a PRGA xor file obtained from a chopchop attack, be sure it is at least 144 bytes long.  You need a minimum number of bits to successfully do the shared key fake authentication.
  
 === Troubleshooting Tips === === Troubleshooting Tips ===
Line 237: Line 238:
   * If you received the "Part 1 authentication failure" message, try another xor file.  Sometimes it appears that you have a proper handshake but this is not the case.  Failing this, try some of the other tips below.   * If you received the "Part 1 authentication failure" message, try another xor file.  Sometimes it appears that you have a proper handshake but this is not the case.  Failing this, try some of the other tips below.
   *   Some access points are configured to only allow selected MAC access to associate and connect.  If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  Changing your MAC address is not covered in this tutorial.  Check the [[http://aircrack-ng.org/|wiki]] for FAQs and other related tutorials.   *   Some access points are configured to only allow selected MAC access to associate and connect.  If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.  Changing your MAC address is not covered in this tutorial.  Check the [[http://aircrack-ng.org/|wiki]] for FAQs and other related tutorials.
-  * Make sure you are physically close enough to the access point to inject packets.+  * Make sure you are physically close enough to the access point to inject packets.  You can confirm that you can communicate with the specific AP by following [[injection_test#hidden_or_specific_ssid|these instructions]].
   * If you received the "Part2: Association Not answering...(Step3)" message then means your card MAC address does not match the MAC address being used on the fake authentication command.  Make sure both are the same and retry.   * If you received the "Part2: Association Not answering...(Step3)" message then means your card MAC address does not match the MAC address being used on the fake authentication command.  Make sure both are the same and retry.
- 
- 
-=====Change Log ===== 
-February 14/2007 v1.00 
-  * Initial Release 
- 
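Review bot: "If you received the "Part2: Association Not answering...(Step3)" message then means your card MAC address ..." is missing "it" ("then it means"), and "only allow selected MAC access" should be "selected MAC addresses". Removing the Change Log section while bumping the version to 1.08 leaves no record of what changed between 1.00 and 1.08; keep the log or point readers to the page history.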
  
shared_key.1171477121.txt.gz · Last modified: 2007/02/14 19:18 (external edit)