From charlesreid1

Before You Begin

Install LibUSB

Install the development version of libusb:

$ apt-get install libusb-1.0-0-dev

Bringing Two Cards Up

Plug in your two cards.

Figure out what they're called:

$ iwconfig

Now make sure they're down:

$ ifconfig wlan0 down
$ ifconfig wlan1 down

If you must, randomize their MAC addresses first:

$ macchanger -r wlan0
$ macchanger -r wlan1

Put them in monitoring mode:

$ iwconfig wlan0 mode monitor
$ iwconfig wlan1 mode monitor

Now bring them back up:

$ ifconfig wlan0 up
$ ifconfig wlan1 up

And to make sure they're listening on the same channel (channel 6 here):

$ airodump-ng -c 6 wlan0
$ airodump-ng -c 6 wlan1

Starting the Injection Test

Basic Injection Test

In order to confirm that packet injection works, you can use aireplay-ng in packet injection test mode (mode 9). The command looks like this:

$ aireplay-ng -9 -a AA:BB:CC:DD:EE wlan2mon 

where -9 (or --test) selects packet injection test mode, -a AA:BB:CC:DD:EE is the MAC address (BSSID) of the target access point, and wlan2mon is the wireless device that has already been put into monitor mode with airmon-ng.

Here's what the output should look like:

$ aireplay-ng -9 -a AA:BB:CC:DD:EE wlan2mon 
12:47:05  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 7
12:47:05  Trying broadcast probe requests...
12:47:06  Injection is working!
12:47:07  Found 1 AP 

12:47:07  Trying directed probe requests...
12:47:07  AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
12:47:08  Ping (min/avg/max): 0.891ms/15.899ms/32.832ms Power: -21.72
12:47:08  29/30:  96%

and what it looks like if it fails:

$ aireplay-ng -9 -a AA:BB:CC:DD:EE wlan0
21:47:18  Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 6
21:47:18  Trying broadcast probe requests...
21:47:20  No Answer...
21:47:20  Found 1 AP

21:47:20  Trying directed probe requests...
21:47:20  74:85:2A:97:5B:08 - channel: 6 - 'Walrus'
21:47:26   0/30:   0%

Attack Tests

Now you can insert a second wireless card into the laptop (I used a second USB dongle of the same type/manufacturer/chipset).

Setup

Look for it in the list:

$ airmon-ng

In my case it was called wlan3. Now bring it online:

$ airmon-ng start wlan3

This will rename the device to wlan3mon. List wireless devices again:

$ airmon-ng

If you want to quickly test the new wireless card, you can do:

$ aireplay-ng -9 wlan3mon

Get Wireless Devices on Same Channel

Now get both cards listening on the same channel. Run a quick airodump-ng command for the new wireless card to ensure it's listening on the right channel:

$ airodump-ng --bssid AA:BB:CC:DD:EE -c 7 -w /tmp/junk wlan3mon

and kill it as soon as it starts. This switches the card to channel 7 (or whichever channel you've chosen) so that both cards are on the same channel.

Run Attack Test

Now you can run the attack test:

$ aireplay-ng -9 -i wlan3mon wlan2mon

And the output:

$ aireplay-ng -9 -i wlan3mon wlan2mon
13:05:50  Trying broadcast probe requests...
13:05:50  Injection is working!
13:05:51  Found 3 APs

13:05:51  Trying directed probe requests...
13:05:51  AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
13:05:52  Ping (min/avg/max): 1.273ms/20.986ms/33.943ms Power: -26.67
13:05:52  30/30: 100%

13:05:52  34:95:3B:84:5C:18 - channel: 7 - ''
13:05:53  Ping (min/avg/max): 5.004ms/28.884ms/64.336ms Power: -30.13
13:05:53  30/30: 100%

13:05:53  F7:71:85:13:6A:4B - channel: 7 - 'Dee'
13:05:54  Ping (min/avg/max): 1.262ms/8.353ms/31.431ms Power: -60.40
13:05:54  25/30:  83%

13:05:54  Trying card-to-card injection...
13:05:54  Attack -0:           OK
13:05:54  Attack -1 (open):    OK
13:05:54  Attack -1 (psk):     OK
13:05:54  Attack -2/-3/-4/-6:  OK
13:05:58  Attack -5/-7:        Failed

From the aircrack-ng injection test documentation: "If you get a failure on attack 5, it may still work in the field if the injection MAC address matches the current card MAC address. With some drivers, it will fail if they are not the same."
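As an added example (not part of the original page), here is a small POSIX shell function that scores an aireplay-ng -9 transcript like the ones shown in the basic test and the card-to-card test above (and the airserv-ng run below, which prints the same format): it passes only if broadcast injection worked and every directed-probe ratio reaches a threshold, and it treats a failed card-to-card Attack line as a warning rather than a hard failure, per the note above. The names injection_ok, sample_pass, sample_fail and sample_c2c and the sample transcripts are constructed for this example.

```shell
# injection_ok: read aireplay-ng -9 output on stdin. Returns 0 when broadcast
# injection worked and every directed-probe ratio reached MIN_PCT (default 80),
# 1 on a hard failure, and 2 when only the card-to-card "Attack" checks failed.
injection_ok() {
    min_pct="${1:-80}"
    awk -v min="$min_pct" '
        /Injection is working!/ { working = 1 }
        /No Answer/             { working = 0 }
        # directed-probe summary lines look like "13:05:52  30/30: 100%"
        $2 ~ /^[0-9]+\/[0-9]+:$/ {
            aps++
            pct = $3; sub(/%/, "", pct)
            if (pct + 0 < min + 0) { weak++; print "weak:   " $0 }
        }
        # card-to-card section, e.g. "13:05:58  Attack -5/-7:        Failed"
        /Attack -.*Failed/ { failed++; print "failed: " $0 }
        END {
            if (!working)   { print "broadcast injection failed"; exit 1 }
            if (aps == 0)   { print "no directed probe results";  exit 1 }
            if (weak > 0)   { print weak " of " aps " APs below " min "%"; exit 1 }
            if (failed > 0) { print "card-to-card checks failed (may still work)"; exit 2 }
            print aps " APs answered at or above " min "%"
        }'
}

# Constructed sample transcripts shaped like the ones on this page.
sample_pass() {
    cat <<'EOF'
13:05:50  Trying broadcast probe requests...
13:05:50  Injection is working!
13:05:51  Trying directed probe requests...
13:05:51  AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
13:05:52  Ping (min/avg/max): 1.273ms/20.986ms/33.943ms Power: -26.67
13:05:52  30/30: 100%
13:05:53  F7:71:85:13:6A:4B - channel: 7 - 'Dee'
13:05:54  25/30:  83%
EOF
}
sample_fail() {
    cat <<'EOF'
21:47:18  Trying broadcast probe requests...
21:47:20  No Answer...
21:47:26   0/30:   0%
EOF
}
sample_c2c() {  # probes pass, but the -5/-7 card-to-card check failed
    sample_pass
    echo "13:05:58  Attack -5/-7:        Failed"
}
```

In practice, pipe a live run through it, e.g. aireplay-ng -9 -i wlan3mon wlan2mon 2>&1 | tee test.log | injection_ok, and check the exit status.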

Airserv Tests

Window 1

To begin, open a window and run an Aircrack server on your device:

$ airserv-ng -d wlan2mon
Opening card wlan2mon
Setting chan 1
Opening sock port 666
Serving wlan2mon chan 1 on port 666

Once you run the command given below in Window 2, you'll see multiple messages like this:

Connect from 127.0.0.1
Death from 127.0.0.1
Connect from 127.0.0.1
Death from 127.0.0.1
Connect from 127.0.0.1
Death from 127.0.0.1
Connect from 127.0.0.1
Death from 127.0.0.1
[...]

Window 2

Now run an injection test against the server:

$ aireplay-ng -9 127.0.0.1:666
13:09:13  Testing connection to injection device 127.0.0.1:666
13:09:13  TCP connection successful
13:09:13  airserv-ng found
13:09:13  ping 127.0.0.1:666 (min/avg/max): 0.049ms/0.145ms/0.414ms

Connecting to 127.0.0.1 port 666...
Connection successful

13:09:13  Trying broadcast probe requests...
13:09:13  Injection is working!
13:09:17  Found 3 APs

13:09:17  Trying directed probe requests...
13:09:17  F4:CC:CC:13:62:B0 - channel: 7 - 'Dee'
13:09:21  Ping (min/avg/max): 1.845ms/33.413ms/43.924ms Power: -61.58
13:09:21  24/30:  80%

13:09:21  AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
13:09:22  Ping (min/avg/max): 1.400ms/28.752ms/42.283ms Power: -20.73
13:09:22  30/30: 100%

13:09:22  74:85:2A:97:5B:09 - channel: 7 - ''
13:09:23  Ping (min/avg/max): 1.139ms/36.904ms/43.698ms Power: -21.47
13:09:23  30/30: 100%