madwifi-ng driver on fedora 8 and packet lost

Questi i passi necessari:

svn checkout http://svn.madwifi-project.org/madwifi/trunk/ madwifi-ng

madwifi-unload

cd madwifi-ng

make clean && make && make install

modprobe ath_pci

depmod -ae

iwconfig wlan0 essid wlan rate 11M

A questo punto ad ogni ping perdevo molti pacchetti. Per risolvere:

iwpriv wlan0 mode 2

in modo da forzare il funzionamento in 802.11b

Adesso tutto funziona!

Error – mount nfs from linux client to windows server

Ho avuto un problema con il mount di una share nfs windows server 2003 r2 da parte di un client linux.
Ottenevo sempre un problema di timeout o un errore di i/o.
Nei log c’era:
portmap: server localhost not responding, timed out

Il problema si risolve avviando il servizio portmap:

su redhat/centos:

/etc/init.d/portmap start

su slackware:

chmod ugo+x /etc/rc.d/rc.rpc
/etc/rc.d/rc.rpc start

Error vmware esxi mount nfs datastore

Mi dava sempre l’errore

cannot open volume /vmfs/volumes/xxx

mentre cesco di montare un datastore nfs windows.

Ho risolto con il mapping degli utenti su SFU collegando root con administrator

Fai il tuo Cavo RJ45 seguendo lo standard

Indice

[nascondi]

Cablaggio per connettore RJ-45 secondo gli standard EIA/TIA-568A/B

Pin Cp. T568A Cp. T568B Cond. Codice colori T568A Codice colori T568B
1 3 2 1 Coppia 3 Cond. 1 bianco di bianco/verde Coppia 2 Cond. 1 bianco di bianco/arancio
2 3 2 2 Coppia 3 Cond. 2 verde di bianco/verde Coppia 2 Cond. 2 arancio di bianco/arancio
3 2 3 1 Coppia 2 Cond. 1 bianco di bianco/arancio Coppia 3 Cond. 1 bianco di bianco/verde
4 1 1 2 Coppia 1 Cond. 2 blu di bianco/blu Coppia 1 Cond. 2 blu di bianco/blu
5 1 1 1 Coppia 1 Cond. 1 bianco di bianco/blu Coppia 1 Cond. 1 bianco di bianco/blu
6 2 3 2 Coppia 2 Cond. 2 arancio di bianco/arancio Coppia 3 Cond. 2 verde di bianco/verde
7 4 4 1 Pair 4 Cond. 1 bianco di bianco/marrone Pair 4 Cond. 1 bianco di bianco/marrone
8 4 4 2 Pair 4 Cond. 2 marrone di bianco/marrone Pair 4 Cond. 2 marrone di bianco/marrone

RJ-45 EIA/TIA 568A pinout Left RJ-45 EIA/TIA 568A pinout right

RJ-45 EIA/TIA 568B pinout Left RJ-45 EIA/TIA 568B pinout right

RJ-45 EIA/TIA 568A pinout Left RJ-45 EIA/TIA 568B pinout right

RJ45 – Pin Out

Female Male
Ethernet Female Ethernet Male
Pin Name Description
1 TX_D1+ Tranceive data +
2 TX_D1- Tranceive data –
3 RX_D2+ Receive data +
4 BI_D3+ Bi-directional Data+
5 BI_D3- Bi-directional Data-
6 RX_D2- Receive data –
7 BI_D4+ Bi-directional Data+
8 BI_D4- Bi-directional Data-

Assemblare un cavo tipo Diretto secondo lo standard EIA568A.

  1. La maggior parte delle pinze a crimpare ha due coppie di lame, una coppia, da un lato, per spellare i fili e l’altra coppia, dall’altro lato, per tagliare i fili. Se la pinza non vi permette di tagliare la guaina del cavo dovete usare una lametta ed incidere con questa la guaina stessa, togliendone un pezzo della lunghezza di circa tre centimetri. Fate molta attenzione a non tagliare o incidere l’isolamento dei fili dentro la guaina, la maggior parte delle guaine appena incise si spezzano se piegate o tirate.
  2. Quando avete rimosso la guaina, avrete quattro coppie di file avvolti tra di loro a due a due e di colore diverso. Svolgete le coppie di fili in modo da avere otto fili separati, ma fate attenzione a distinguerli nel caso non avessero colori diversi (in alcuni cavi i fili bianco/colore sono tutti bianchi).
  3. Aprite a ventaglio i fili nell’ordine in cui dovrete crimparli da sinistra a destra. La configurazione del cavo la potete vedere in Tabella 1 e Figura A.
  4. Tabella 1: Come configurare un cavo tipo Diretto

    Connettore 1

    Connettore 2

    Bianco/Verde

    Bianco/Verde

    Verde

    Verde

    Bianco/Arancio

    Bianco/Arancio

    Blu

    Blu

    Bianco/Blu

    Bianco/Blu

    Arancio

    Arancio

    Bianco/Marrone

    Bianco/Marrone

    Marrone

    Marrone

    Nota bene: se i colori del cavo sono diversi basta mantenere le corrispondenze giuste.



    Nelle figure a sinistra vedete come devono essere configurati entrambi i connettori del cavo diretto T568A. Tenendo il connettore nella posizione indicata e con i fili che entrano dal basso, l’aletta si trova dietro.

    Figura A: Schema di cablaggio secondo lo Standard EIA/TIA T568A.

  5. Tenere i fili stretti tra due dita ed appiattirli in modo che stiano ben affiancati tra di loro, lisciateli bene, togliendo le leggere curvature dovute al precedente avvolgimento tra i fili, stirandoli con le dita. Attenzione che non si spostino dall’ordine in cui devono stare.
  6. Continuando a tenerli stretti tagliate con la pinza la parte eccedente i due centimetri in modo da averli tutti della stessa lunghezza.
  7. Inserire i fili nel connettore RJ45 tenendoli sempre allineati stretti tra le dita. Il connettore deve avere la linguetta in basso, non in vista. La guaina isolante deve arrivare giusto vicino al bordo del connettore.
  8. Guardando sul lato del connettore trasparente, verificate che i fili siano giunti sino in fondo. Quindi inserite il connettore nella pinza a crimpare e, stringendo la pinza con due mani, crimpate il connettore in modo da fermare i fili. La pinza non dovrebbe aprirsi se non si é giunti fino in fondo.
  9. Ora ripetete esattamente i vari passaggi visti sopra nei punti da 1 a 7 per crimpare il cavo dall’altro lato.



Fotografie del connettore completato.

Assemblare un cavo tipo incrociato (crossover) secondo lo standard EIA568B.

Il cavo incrociato (crossover) si deve usare quando si devono connettere, direttamente tra loro, due macchine senza usare un hub, uno switch o un router. Su uno dei connettori del cavo si devono posizionare i fili nello stesso identico modo appena visto sopra nei punti da 1 a 7 (vedi Tabella 2 e Figura B).
Nel secondo connettore i fili devono essere posizionati in modo diverso da quello visto sopra invertendo tra loro le coppie 2 e 3 (vedi Tabella 2). La procedura é la stessa e la cura nel posizionare i fili deve essere sempre attenta.

Tabella 2: Come configurare un cavo tipo Incrociato (Crossover).

Connettore 1

Connettore 2

Bianco/verde

Bianco/Arancio

verde

Arancio

Bianco/Arancio

Bianco/verde

Blu

Blu

Bianco/Blu

Bianco/Blu

Arancio

verde

Bianco/Marrone

Bianco/Marrone

Marrone

Marrone

Nota bene: se i colori del cavo sono diversi basta mantenere le corrispondenze giuste. Come si vede il connettore 1 é uguale a quello del cavo Diretto mentre il connettore 2 é diverso.



Nelle figure vedete come devono essere configurati entrambi i connettori del cavo incrociato T568B (crossover). Tenendo il connettore nella posizione indicata e con i fili che entrano dal basso, l’aletta si trova dietro.


Figura B: Schema di cablaggio secondo lo Standard EIA/TIA T568B.



Ecco un altro modo di rappresentare le connessioni sopra descritte.


Schema delle connessioni nella presa a muro per RJ45.


Configurazione Netgear DG834G per una adsl Telecom Interbusiness

Oggi configuriamo una ADSL Telecom Interbusiness su un Netgear Router
Firewall ADSL Wireless DG834G.

Ipotizziamo che i seguenti parametri ci siano stati dati da Telecom:

ip lan: 88.57.20.1/255.255.255.248
ip ptp: 88.57.6.1/255.255.255.252

il gateway è in genere il secondo ip della lan, quinid in questo caso:
gw: 88.57.20.2

L’ip da assegnare al nostro router è quindi, di solito, il terzo:
ip router: 88.57.20.3

Detto questo copiate le seguenti righe dentro un file dal nome
netgear.cfg
ed importatelo nella configurazione del router.
L’ip del router in lan sarà 192.168.0.254
il nome utente/password: admin/admin

# Netgear DG834 Text Format Configure File v0.2
#
# FW Version V4.01.04
#
# Usage:
# # value list or syntax
# [index]”variable”=value

#< Wizard >
# English German Italian French
[10001]”Language”=Italian
# Australia France Italy Singapore Sweden Switzerland UK Other
[10002]”Country”=Italy
#< Basic Settings >
# dhcpc pppoe pppoa ipoa bridge ip
[20001]”WAN protocol”=ipoa
# 0:off 1:on
[20002]”NAT (Network Address Translation)”=1
#< PPPoE >
[20101]”Login”=
[20102]”Password”=
[20103]”Service Name”=
[20104]”Idle Timeout”=0
[20105]”Static IP Address”=
#< PPPoA >
[20201]”Login”=Guest
[20202]”Password”=
[20203]”Idle Timeout”=0
[20204]”Static IP Address”=
#< Get Dynamically From ISP >
[20301]”Account Name”=
[20302]”Domain Name”=
#< Static IP Address >
[20401]”IP Address”=
[20402]”IP Subnet Mask”=
[20403]”Gateway IP Address”=
#< IP Over ATM (IPoA) >
[20501]”IP Address”=88.57.20.3
[20502]”IP Subnet Mask”=255.255.255.248
[20503]”Gateway IP Address”=88.57.20.2
#< Domain Name Server (DNS) Address >
# 0:off 1:on
[20601]”Use These DNS Servers”=1
[20602]”Primary DNS”=151.99.125.2
[20603]”Secondary DNS”=212.216.172.62
#< Router MAC Address >
# MAC address
[20701]”Use This MAC Address”=
#< ADSL Settings >
# 0: LLC-BASED 1: VC-BASED
[30001]”Multiplexing Method”=0
[30002]”VPI”=8
[30003]”VCI”=35
#< Wireless Settings >
[40001]”Name (SSID)”=wlan
# Africa Asia Australia Canada France Israel Japan Mexico ‘South
America’ USA
[40002]”Region”=Europe
# 0 – 14
[40003]”Channel”=11
# 0: g & b 1: b only 3: g only
[40004]”Mode”=0
# 0:off 1:on
[40005]”Enable Wireless Access Point”=1
# 0:off 1:on
[40006]”Allow Broadcast of Name (SSID)”=1
# 0:off 1:on
[40007]”Wireless Isolation”=0
# 0:off 1:wep 2:wpa 3:802.1x
[40008]”Security Options”=0
#< Wireless Station Access List >
# 0:off 1:on
[40101]”Turn Access Control On”=1
# MAC+name
[40102]”Trusted Wireless Stations”=00:18:DE:A0:47:55MaurizioNB
#< WEP (Wired Equivalent Privacy) >
# 1: Open System 2: Shared Key 3: Automatic
[40201]”Authentication Type”=3
# 0 64 or 128
[40202]”Encryption Strength”=0
# 1 2 3 4
[40203]”Key Index”=1
[40204]”Key 1″=
[40205]”Key 2″=
[40206]”Key 3″=
[40207]”Key 4″=
#< WPA-PSK >
# (8 ~ 64 characters)
[40301]”Network Key”=
#< WPA-802.1x >
[40401]”Radius Server Name/IP Address”=
[40402]”Radius Port”=1812
[40403]”Shared Key”=
#< Logs >
# 0:off 1:on
[50001]”Attempted access to blocked sites”=1
# 0:off 1:on
[50002]”Connections to the Web-based interface of this Router”=1
# 0:off 1:on
[50003]”Router operation”=1
# 0:off 1:on
[50004]”Known DoS attacks and Port Scans”=1
# 0:Disable 1:Broadcast on LAN 2:Send to Syslog server
[50005]”Syslog”=0
[50006]”Send to this Syslog server IP address”=
#< Block Sites >
# 0:Never 1:Always 2:Per Schedule
[60001]”Keyword Blocking”=1
[60002]”Block Sites Containing these Keywords or Domain Names”=
# 0:off 1:on
[60003]”Allow Trusted IP Address to Visit Blocked Sites”=0
[60004]”Trusted IP Address”=
#< Firewall Rules >
# ENABLE:SERVICE_NAME:ACTION:LAN:WAN:LOG
#
# ENABLE: 0=on or 1=off
# SERVICE_NAME: Actual Service in service table
# ACTION: 0:BLOCK always 1:BLOCK by schedule 2:ALLOW always 3:ALLOW by
schedule
# LAN: 0/0: Any a.b.c.d: Single 1.2.3.4-5.6.7.8: Range
# WAN: 0/0: Any a.b.c.d: Single 1.2.3.4-5.6.7.8: Range
# LOG: 0:Never 1:Always 2: Match 3: Not Match
# ex: 1:Any(ALL):2:192.168.0.250:0/0:1
[70001]”Inbound Rule”=
# The Same as Inbound Rule
[70002]”Outbound Rule”=
#< Services >
# NAME:PROTOCOL:START_PORT-END_PORT
#
# PROTOCOL: tcp udp both all
# ex: Any(TCP):tcp:1-65535
[80001]”Service Table”=
#< Schedule >
# DAY:START_TIME-END_TIME ex:1111111:00:00-24:00
[90001]”Schedule”=1111111:00:00-24:00
#< Time Zone >
# UI (-12 ~ GMT ~ +12)
[90101]”Time Zone”=GMTb
# System (GMT+12 ~ GMT-12)
[90102]”Time Zone”=GMT+0
# 0:off 1:on
[90103]”Daylight Savings Time”=
# 0:off 1:on
[90104]”Use this NTP Server”=0
[90105]”NTP Server”=
#< E-mail >
# 0:off 1:on
[100001]”Turn E-mail Notification On”=1
[100002]”Send To This E-mail Address”=
[100003]”Outgoing Mail Server”=
# 0:off 1:on
[100004]”My Mail Server requires authentication”=0
[100005]”User Name”=
[100006]”Password”=
#< Send E-Mail alerts immediately >
# 0:off 1:on
[100101]”If a DoS attack is detected”=1
# 0:off 1:on
[100102]”If a Port Scan is detected”=1
# 0:off 1:on
[100103]”If someone attempts to access a blocked site”=1
# 0:None 1:When Log is Full 2:Hourly 3:Daily 4:Daily
[100104]”Send Logs According to this Schedule”=3
# 0:off 1:on
[100105]”Send mail when Log is Full”=0
# 0:Sun ~ 6:Sat
[100106]”Day”=
# 0 ~ 24
[100107]”Hour”=11
#< Set Password >
[110001]”Username”=admin
[110002]”Password”=admin
# 0 ~ 99
[110003]”Login times out”=5
#< WAN Setup >
# 0:off 1:on
[120001]”Connect Automatically, as Required”=1
# 0:off 0:on
[120002]”Port Scan and DOS Protection”=1
# 0:off 1:on
[120003]”Enable DMZ Server”=0
[120004]”DMZ Server”=
# 0:off 1:on
[120005]”Respond to Ping on Internet WAN Port”=1
[120006]”MTU Size”=1500
#< Dynnamic DNS >
# 0:off 1:on
[130001]”Use a Dynamic DNS Service”=0
[130002]”Host Name”=
[130003]”User Name”=
[130004]”Password”=
# 0:off 1:on
[130005]”Use Wildcards”=0
#< LAN IP Setup >
#< LAN TCP/IP Setup >
[140101]”IP Address”=192.168.0.254
[140102]”IP Subnet Mask”=255.255.255.0
[140103]”Broadcast IP Address”=192.168.0.255
#< RIP >
# 0:none in:In Only out:Out Only both:Both
[140201]”RIP Direction”=0
# 1:RIP-1 2B:RIP-2B 2M:RIP-2M
[140202]”RIP Version”=1
#< DHCP Server >
# 0:off 1:on
[140301]”Use Router as DHCP Server”=1
[140302]”Starting IP Address”=192.168.0.210
[140303]”Ending IP Address”=192.168.0.250
# Name;IP;MAC
[140304]”Address Reservation”=
#< Remote Management >
# 0:off 1:on
[150001]”Turn Remote Management On”=1
# 1:single 2:range 3:everyone
[150002]”Allow Remote Access By”=3
[150003]”Only This Computer”=
[150004]”IP Address Range Start”=
[150005]”IP Address Range End”=
[150006]”Port Number”=8080
#< Static Routes >
# Name:Dest_ip:Netmask:Gateway:Metric:Private:Active
[160001]”Routes”=
#< UPnP >
# 0:off 1:on
[170001]”Turn UPnP On”=1
[170002]”Advertisement Period”=30
[170003]”Advertisement Time To Live”=4
#< VPN >
[180001]”VPN Version”=2
[180001]”VPN policy”=1
#< SNMP >
# 0:off 1:on
[190001]”Turn SNMP On”=0
# 0:off 1:on
[190002]”Disable Local Web Admin Access”=
[190003]”Read Community Name”=
[190004]”System Contact”=
[190005]”System Name”=
[190006]”System Location”=


principio di Napoleone:
non attribuire a malintenzione cio’ che puo’
essere semplicemente spiegato come imbecillita’

MaoX Blog:
http://maox.blogspot.com

Tutorial: How to Crack WPA/WPA2

Tutorial: How to Crack WPA/WPA2

fonte: http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Version: 1.05 May 16, 2007
By: darkAudax
Introduction

This tutorial walks you through cracking WPA/WPA2 networks which use
pre-shared keys. I recommend you do some background reading to better
understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section.

WPA/WPA2 supports many types of authentication beyond pre-shared keys.
aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng
shows the network as having the authentication type of PSK, otherwise,
don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP.
This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike
WEP, where statistical methods can be used to speed up the cracking
process, only plain brute force techniques can be used against WPA/WPA2.
That is, because the key is not static, so collecting IVs like when
cracking WEP encryption, does not speed up the attack. The only thing
that does give the information to start an attack is the handshake
between client and AP. Handshaking is done when the client connects to
the network. Although not absolutely true, for the purposes of this
tutorial, consider it true. Since the pre-shared key can be from 8 to 63
characters in length, it effectively becomes impossible to crack the
pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary
word or relatively short in length. Conversely, if you want to have an
unbreakable wireless network at home, use WPA/WPA2 and a 63 character
password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial.
Because it is very compute intensive, a computer can only test 50 to 300
possible keys per second depending on the computer CPU. It can take
hours, if not days, to crunch through a large dictionary. If you are
thinking about generating your own password list to cover all the
permutations and combinations of characters and special symbols, check
out this brute force time calculator first. You will be very surprised
at how much time is required.

There is no difference between cracking WPA or WPA2 networks. The
authentication methodology is basically the same between them. So the
techniques you use are identical.

It is recommended that you experiment with your home wireless access
point to get familiar with these ideas and techniques. If you do not own
a particular access point, please remember to get permission from the
owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing
such a great robust tool.

Please send me any constructive feedback, positive or negative.
Additional troubleshooting ideas and tips are especially welcome.
Assumptions

First, this solution assumes:

*
You are using drivers patched for injection. Use the injection
test to confirm your card can inject.
*
You are physically close enough to send and receive access point
and wireless client packets. Remember that just because you can receive
packets from them does not mean you may will be able to transmit packets
to them. The wireless card strength is typically less then the AP
strength. So you have to be physically close enough for your transmitted
packets to reach and be received by both the AP and the wireless client.
You can confirm that you can communicate with the specific AP by
following these instructions.
*
You are using v0.9 of aircrack-ng. If you use a different version
then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that
follows will not work. In the examples below, you will need to change
"ath0" to the interface name which is specific to your wireless card.

In the examples, the option "double dash bssid" is shown as "- -bssid".
Remember to remove the space between the two dashes when using it in
real life. This also applies to "- -ivs", "- -arpreplay", "- -deauth",
"- -channel", "- -arp" and "- -fakeauth".
Equipment used

To follow this tutorial at home, you must have two wireless cards.

In this tutorial, here is what was used:

*
MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
*
MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
*
BSSID (MAC address of access point): 00:14:6C:7E:40:80
*
ESSID (Wireless network name): teddy
*
Access point channel: 9
*
Wireless interface: ath0

You should gather the equivalent information for the network you will be
working on. Then just change the values in the examples below to the
specific network.
Solution
Solution Overview

The objective is to capture the WPA/WPA2 authentication handshake and
then use aircrack-ng to crack the pre-shared key.

This can be done either actively or passively. "Actively" means you will
accelerate the process by deauthenticating an existing wireless client.
"Passively" means you simply wait for a wireless client to authenticate
to the WPA/WPA2 network. The advantage of passive is that you don't
actually need injection capability and thus the Windows version of
aircrack-ng can be used.

Here are the basic steps we will be going through:

1.
Start the wireless interface in monitor mode on the specific AP
channel
2.
Start airodump-ng on AP channel with filter for bssid to collect
authentication handshake
3.
Use aireplay-ng to deauthenticate the wireless client
4.
Run aircrack-ng to crack the pre-shared key using the
authentication handshake

Step 1 – Start the wireless interface in monitor mode

The purpose of this step is to put your card into what is called monitor
mode. Monitor mode is the mode whereby your card can listen to every
packet in the air. Normally your card will only "hear" packets addressed
to you. By hearing every packet, we can later capture the WPA/WPA2 4-way
handshake. As well, it will allow us to optionally deauthenticate a
wireless client in a later step.

First stop ath0 by entering:

airmon-ng stop ath0

The system responds:

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP
destroyed)

Enter "iwconfig" to ensure there are no other athX interfaces. It should
look similar to this:

lo no wireless extensions.

eth0 no wireless extensions.

wifi0 no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you
are finished, run "iwconfig" to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9
in monitor mode:

airmon-ng start wifi0 9

Note: In this command we use "wifi0" instead of our wireless interface
of "ath0". This is because the madwifi-ng drivers are being used.

The system will respond:

Interface Chipset Driver

wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
(monitor mode enabled)

You will notice that "ath0" is reported above as being put into monitor
mode.

To confirm the interface is properly setup, enter "iwconfig".

The system will respond:

lo no wireless extensions.

wifi0 no wireless extensions.

eth0 no wireless extensions.

ath0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Monitor Frequency:2.452 GHz Access Point:
00:0F:B5:88:AC:82
Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the
2.452GHz frequency which is channel 9 and the Access Point shows the MAC
address of your wireless card. Only the madwifi-ng drivers show the card
MAC address in the AP field, other drivers do not. So everything is
good. It is important to confirm all this information prior to
proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out:

http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then
select the "Wifi Channel Selection and Channel Overlap" tab. This will
give you the frequency for each channel.
Step 2 – Start airodump-ng to collect authentication handshake

The purpose of this step is run airodump-ng to capture the 4-way
authentication handshake for the AP we are interested in.

Enter:

airodump-ng -c 9 – -bssid 00:14:6C:7E:40:80 -w psk ath0

Where:

*
-c 9 is the channel for the wireless network
*
– -bssid 00:14:6C:7E:40:80 is the access point MAC address. This
eliminate extraneous traffic.
*
-w psk is the file name prefix for the file which will contain
the IVs.
*
ath0 is the interface name.

Important: Do NOT use the "- -ivs" option. You must capture the full
packets.

Here what it looks like if a wireless client is connected to the network:

CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC
CIPHER AUTH ESSID

00:14:6C:7E:40:80 39 100 51 116 14 9 54 WPA2 CCMP
PSK teddy

BSSID STATION PWR Lost Packets Probes

00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 0 116

Here it is with no connected wireless clients:

CH 9 ][ Elapsed: 4 s ][ 2007-03-24 17:51

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC
CIPHER AUTH ESSID

00:14:6C:7E:40:80 39 100 51 0 0 9 54 WPA2 CCMP
PSK teddy

BSSID STATION PWR Lost Packets Probes

Step 3 – Use aireplay-ng to deauthenticate the wireless client

This step is optional. You only perform this step if you opted to
actively speed up the process. The other constraint is that there must
be a wireless client currently associated with the AP. If there is no
wireless client currently associated with the AP, then move onto the
next step and be patient. Needless to say, if a wireless client shows up
later, you can backtrack and perform this step.

What this step does is send a message to the wireless client saying that
that it is no longer associated with the AP. The wireless client will
then hopefully reauthenticate with the AP. The reauthentication is what
generates the 4-way authentication handshake we are interested in
collecting. This what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a
client which is currently connected. You need the MAC address for the
following. Open another console session and enter:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:

*
-0 means deauthentication
*
1 is the number of deauths to send (you can send muliple if you wish)
*
-a 00:14:6C:7E:40:80 is the MAC address of the access point
*
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are
deauthing
*
ath0 is the interface name

Here is what the output looks like:

11:09:28 Sending DeAuth to station — STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way
handshake.
Troubleshooting Tips

*
The deauthentication packets are sent directly from your PC to
the clients. So you must be physically close enough to the clients for
your wireless card transmissions to reach them.

Step 4 – Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared
key. To do this, you need a dictionary of words as input. Basically,
aircrack-ng takes each word and tests to see if this is in fact the
pre-shared key.

There is a small dictionary that comes with aircrack-ng –
"password.lst". The Wiki FAQ has an extensive list of dictionary
sources. You can use John the Ripper (JTR) to generate your own list and
pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is
beyond the scope of this tutorial.

Open another console session and enter:

aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:

*
-w password.lst is the name of the dictionary file. Remember to
specify the full path if the file is not located in the same directory.
*
*.cap is name of group of files containing the captured packets.
Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found:

Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.

No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the
wireless client) or wait longer if you are using the passive approach.
When using the passive approach, you have to wait until a wireless
client authenticates to the AP.

Here is typical output when handshakes are found:

Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.

# BSSID ESSID Encryption

1 00:14:6C:7E:40:80 teddy WPA (1 handshake)

Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the
pre-shared key. Depending on the speed of your CPU and the size of the
dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:

Aircrack-ng 0.8

[00:00:00] 2 keys tested (37.20 k/s)

KEY FOUND! [ 12345678 ]

Master Key : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD

Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71

EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB


principio di Napoleone:
non attribuire a malintenzione cio' che puo'
essere semplicemente spiegato come imbecillita'

MaoX Blog:
http://maox.blogspot.com