simple_wep_crack [Aircrack-ng]

Version: 1.20 January 11, 2010
By: darkAudax

Introduction

This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.
The basic concept behind this tutorial is using aireplay-ng to replay an ARP packet to generate new unique IVs. In turn, aircrack-ng uses the new unique IVs to crack the WEP key. It is important to understand what an ARP packet is. The “What is an ARP?” section provides the details.
For a start to finish newbie guide, see the Linux Newbie Guide. Although this tutorial does not cover all the steps, it does attempt to provide much more detailed examples of the steps to actually crack a WEP key plus explain the reason and background of each step. For more information on installing aircrack-ng, see Installing Aircrack-ng and for installing drivers see Installing Drivers.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions

First, this solution assumes:
  • You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.
  • You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less than the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions.
  • There is at least one wired or wireless client connected to the network and they are active. The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.
  • You are using v0.9 of aircrack-ng. If you use a different version then some of the common options may have to be changed.
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change “ath0” to the interface name which is specific to your wireless card.

Equipment used

In this tutorial, here is what was used:
  • MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
  • BSSID (MAC address of access point): 00:14:6C:7E:40:80
  • ESSID (Wireless network name): teddy
  • Access point channel: 9
  • Wireless interface: ath0
You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution

Solution Overview

To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.
Once we have captured a large number of IVs, we can use them to determine the WEP key.
Here are the basic steps we will be going through:
  1. Start the wireless interface in monitor mode on the specific AP channel
  2. Test the injection capability of the wireless device to the AP
  3. Use aireplay-ng to do a fake authentication with the access point
  4. Start airodump-ng on AP channel with a bssid filter to collect the new unique IVs
  5. Start aireplay-ng in ARP request replay mode to inject packets
  6. Run aircrack-ng to crack key using the IVs collected

Step 1 - Start the wireless interface in monitor mode on AP channel

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is a mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only monitor mode (with some rare exceptions) allows you to inject packets. (Note: this procedure is different for non-Atheros cards.)
First stop ath0 by entering:
The system responds:
Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this:
If there are any remaining athX interfaces, then stop each one. When you are finished, run “iwconfig” to ensure there are none left.
Now, enter the following command to start the wireless card on channel 9 in monitor mode:
Substitute the channel number that your AP runs on for “9” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.
Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the madwifi-ng drivers are being used. For other drivers, use the wireless interface name. Examples: “wlan0” or “rausb0”.
The system will respond:
You will notice that “ath0” is reported above as being put into monitor mode.
To confirm the interface is properly set up, enter “iwconfig”.
The system will respond:
In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.
To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.

Step 2 - Test Wireless Device Packet Injection

The purpose of this step is to ensure that your card is within distance of your AP and can inject packets to it.
Enter:
Where:
  • -9 means injection test
  • -e teddy is the wireless network name
  • -a 00:14:6C:7E:40:80 is the access point MAC address
  • ath0 is the wireless interface name
The system should respond with:
The last line is important. Ideally it should say 100% or a very high percentage. If it is low then you are too far away from the AP or too close. If it is zero then injection is not working and you need to patch your drivers or use different drivers.
See the injection test for more details.

Step 3 - Start airodump-ng to capture the IVs

The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.
Open another console session to capture the generated IVs. Then enter:
Where:
  • -c 9 is the channel for the wireless network
  • --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
  • -w capture is the file name prefix for the file which will contain the IVs.
  • ath0 is the interface name.
While the injection is taking place (later), the screen will look similar to this:

Step 4 - Use aireplay-ng to do a fake authentication with the access point

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client.
To associate with an access point, use fake authentication:
Where:
  • -1 means fake authentication
  • 0 reassociation timing in seconds
  • -e teddy is the wireless network name
  • -a 00:14:6C:7E:40:80 is the access point MAC address
  • -h 00:0F:B5:88:AC:82 is our card MAC address
  • ath0 is the wireless interface name
Success looks like:
Or another variation for picky access points:
Where:
  • 6000 - Reauthenticate every 6000 seconds. The long period also causes keep alive packets to be sent.
  • -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
  • -q 10 - Send keep alive packets every 10 seconds.
Success looks like:
Here is an example of what a failed authentication looks like:
Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed to the next step until you have the fake authentication running correctly.

Troubleshooting Tips

  • Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and…
Run: tcpdump -n -vvv -s0 -e -i <interface name> | grep -i -E "(RA:|Authentication|ssoc)"
You would then look for error messages.
  • If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and…
Run: “tcpdump -n -e -s0 -vvv -i ath0”
Here is a typical tcpdump error message you are looking for:
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: “tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth”. You may need to tweak the phrase “DeAuth” to pick out the exact packets you want.

Step 5 - Start aireplay-ng in ARP request replay mode

The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. For an explanation of ARP, see this PC Magazine page or Wikipedia. The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.
Open another console session and enter:
It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says “got 0 ARP requests” after waiting a long time.
Here is what the screen looks like when ARP requests are being injected:
You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The “#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can be as low as 100/second and as high as 500/second.
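Seen from a wireless monitor, the injection in this step is one station repeating the same encrypted broadcast frame, with the same length and the same WEP IV, at the rates quoted above, whereas a normal station picks a new IV for each frame. The sketch below flags that pattern; it is an added example, not part of the original tutorial or of Aircrack-ng, and the record layout `(ts_ms, src, dst, length, iv)`, the function names, the second MAC address and the sample frames are assumptions constructed for illustration (the default threshold uses the 100/second lower bound mentioned above).

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def find_replay_sources(frames, window_ms=1000, min_rate=100):
    """Return {source MAC: peak count} for stations that repeat one broadcast
    frame (same length, same WEP IV) at least min_rate times per window.

    frames: iterable of (ts_ms, src, dst, length, iv) tuples sorted by ts_ms.
    """
    recent = defaultdict(deque)   # (src, length, iv) -> timestamps in window
    peaks = {}
    for ts, src, dst, length, iv in frames:
        if dst.lower() != BROADCAST:
            continue              # ARP requests go to the broadcast address
        src = src.lower()
        seen = recent[(src, length, iv)]
        seen.append(ts)
        while ts - seen[0] >= window_ms:
            seen.popleft()        # drop timestamps that fell out of the window
        if len(seen) >= min_rate:
            peaks[src] = max(peaks.get(src, 0), len(seen))
    return peaks


def sample_frames():
    """Constructed two-second capture summary (not real traffic)."""
    frames = []
    # The tutorial's injecting station: one frame every 3 ms, IV never changes.
    for i in range(700):
        frames.append((i * 3, "00:0F:B5:88:AC:82", BROADCAST, 68, "a1b2c3"))
    # Ordinary client (constructed MAC): 5 broadcasts/s, new IV per frame.
    for i in range(10):
        frames.append((i * 200, "00:11:22:33:44:55", BROADCAST, 68, f"{i:06x}"))
    # Unicast burst from the same client to the AP: ignored by the detector.
    for i in range(300):
        frames.append((500 + i, "00:11:22:33:44:55", "00:14:6c:7e:40:80",
                       1500, f"{1000 + i:06x}"))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for mac, peak in find_replay_sources(sample_frames()).items():
        print(f"possible ARP replay from {mac}: {peak} identical frames/s")
```

Keying on the IV as well as the length keeps busy but legitimate broadcasters, whose IV changes with every frame, below the threshold.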

Troubleshooting Tips

  • If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac associated?”, this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 3) and successfully associate with the AP.

Step 6 - Run aircrack-ng to obtain the WEP key

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps.
Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. If this is the case, then you can include “-n 64” to limit the checking of keys to 64 bits.
Two methods will be shown. It is recommended you try both for learning purposes. By trying both methods, you will see how quickly the PTW method determines the WEP key compared to the FMS/Korek method. As a reminder, the PTW method only works successfully with ARP request/reply packets. Since this tutorial covers injection of ARP request packets, you can properly use this method. The other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the “--ivs” option.
Start another console session and enter:
Where:
  • -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
  • output*.cap selects all files starting with “output” and ending in “.cap”.
To also use the FMS/Korek method, start another console session and enter:
Where:
  • -K invokes the FMS/Korek method
  • -b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
  • output*.cap selects all files starting with “output” and ending in “.cap”.
If you are using 1.0-rc1, add the option “-K” for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)
You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.
Here is what success looks like:
Notice that in this case it took far fewer than the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.)

General Troubleshooting

  • Be sure to read all the documentation on the Wiki for the various commands used in this tutorial.

Generating ARPs

In order for this tutorial to work, you must receive at least one ARP packet. On your home network, here is an easy way to generate an ARP packet. On a wired or wireless PC, ping a non-existent IP on your home LAN. A wired PC means a PC connected to your LAN via an ethernet cable. Let's say your home LAN address space is 192.168.1.1 through 192.168.1.254. Pick an IP between 1 and 254 which is not assigned to a network device. For example, if the IP 192.168.1.213 is not being used then “ping 192.168.1.213”. This will cause an ARP to be broadcast via your wireless access point and in turn, this will kick off the reinjection of packets by aireplay-ng.
