zer0Trac3 2014-01-12 21:26:18 -05:00
parent f6f4840662
commit 8f25dc9864
21 changed files with 1436 additions and 26 deletions

@ -4,7 +4,7 @@ Notes
-------
* Version: 1.2-beta2 release
* Kali Linux Verison: 1.0.5
* Kali Linux Verison: 1.0.6
* Developers: Thomas d'Otreppe
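Review bot: the replacement line still carries the misspelling "Verison" from the line it replaces; since this line is being rewritten for the version bump anyway, make it "* Kali Linux Version: 1.0.6".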
@ -33,5 +33,5 @@ Notes
# Links
Resource Page: http://www.aircrack-ng.org/resources.html
Tutorial Page: http://www.aircrack-ng.org/doku.php?id=tutorial
Resource Page: http://www.aircrack-ng.org/resources.html
Tutorial Page: http://www.aircrack-ng.org/doku.php?id=tutorial
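Review bot: the old and new "Resource Page" / "Tutorial Page" lines read identically, so this hunk appears to be a whitespace-only change (trailing spaces or line endings); confirm it is intentional, otherwise drop it to keep the diff focused on the version bump.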

@ -3,8 +3,12 @@
Notes
-----
* Version: 1.2-beta2 release
* Kali Linux Verison: 1.0.6
* Developers: Thomas d'Otreppe
**Purpose**: airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge. Here are some of the feature highlights:
- Implements the Caffe Latte WEP client attack
``` - Implements the Caffe Latte WEP client attack
- Implements the Hirte WEP client attack
- Ability to cause the WPA/WPA2 handshake to be captured
- Ability to act as an ad-hoc Access Point
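Review bot: the opening fence on the "``` - Implements the Caffe Latte WEP client attack" line sits on the same line as the first bullet, so Markdown reads that bullet text as the fence's info string and it disappears from the rendered block; put the ``` on its own line above the list, and drop the duplicate "- Implements the Caffe Latte WEP client attack" bullet that now appears both outside and inside the block. Also "airbase-ng is multi-purpose tool" should read "airbase-ng is a multi-purpose tool".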
@ -18,15 +22,13 @@ The main idea is of the implementation is that it should encourage clients
A tap interface (atX) is created when airbase-ng is run. This can be used to receive decrypted packets or to send encrypted packets.
As real clients will most probably send probe requests for common figured networks, these frames are important for binding a client to our softAP. In this case, the AP will respond to any probe request with a proper probe response, which tells the client to authenticate to the airbase-ng BSSID. That being said, this mode could possibly disrupt the correct functionality of many APs on the same channel.
```
Usage: airbase-ng [options] <interface name>
DESCRIPTION
```
airbase-ng is multi-purpose tool aimed at attacking clients as opposed
to the Access Point (AP) itself. Since it is so versatile and flexible,
summarizing it is a challenge. Here are some of the feature highlights:
airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge. Here are some of the feature highlights:
- Implements the Caffe Latte WEP client attack
- Implements the Hirte WEP client attack
- Ability to cause the WPA/WPA2 handshake to be captured
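Review bot: the rewrapped paragraph now says "probe requests for common figured networks"; the man page text being copied was "common/con‐figured" split across a line break, and the rejoin dropped "/con", so it should read "common/configured networks". Separately, the fence structure here is off: the ``` after that paragraph closes the block before "Usage: airbase-ng [options] <interface name>" and "DESCRIPTION", and a new fence opens only afterwards, leaving the usage line and heading outside any block while the DESCRIPTION text duplicates the Purpose paragraph added above.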
@ -43,7 +45,7 @@ DESCRIPTION
A tap interface (atX) is created when airbase-ng is run. This can be
used to receive decrypted packets or to send encrypted packets.
As real clients will most probably send probe requests for common/con‐
As real clients will most probably send probe requests for common
figured networks, these frames are important for binding a client to
our softAP. In this case, the AP will respond to any probe request with
a proper probe response, which tells the client to authenticate to the
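Review bot: the new line ends with "common" while the unchanged next line still begins "figured networks", so the man text now reads "common figured networks"; either keep "common/con-" on this line or join the two lines into "common/configured networks" instead of deleting "/con".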
@ -66,7 +68,7 @@ OPTIONS
-w <WEP key>
If WEP should be used as encryption, then the parameter "-w <WEP
key>" sets the en-/decryption key. This is sufficient to let
airbase-ng set all the appropriate flags by itself. If the sof‐
airbase-ng set all the appropriate flags by itself. If the sof-
tAP operates with WEP encryption, the client can choose to use
open system authentication or shared key authentication. Both
authentication methods are supported by airbase-ng. But to get a
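Review bot: swapping the typographic hyphen in "sof‐" for an ASCII hyphen leaves the word split as "sof-" / "tAP", which renders as "sof- tAP" in Markdown; prefer rejoining the word so the line ends "If the softAP" and the next line starts "operates with WEP encryption".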
@ -87,7 +89,7 @@ OPTIONS
causes airbase to ignore the clients specified by the filters.
-W <0|1>
This sets the beacon WEP flag. Remember that clients will nor‐
This sets the beacon WEP flag. Remember that clients will nor-
mally only connect to APs which are the same as themselves.
Meaning WEP to WEP, open to open.
@ -96,7 +98,7 @@ OPTIONS
example, if you set a WEP key with -w, then the beacon flag
would be set to WEP.
One other use of "auto" is to deal with clients which can auto‐
One other use of "auto" is to deal with clients which can auto-
matically adjust their connection type. However, these are few
and far between.
@ -105,7 +107,7 @@ OPTIONS
-q This suppresses printing any statistics or status information.
-v This prints additional messages and details to assist in debug‐
-v This prints additional messages and details to assist in debug-
ging.
-M This option is not implemented yet. It is a man-in-the-middle
@ -126,9 +128,9 @@ OPTIONS
-Y <in|out|both>
The parameter "-Y" enables the "external processing" Mode. This
creates a second interface "atX", which is used to replay/mod‐
creates a second interface "atX", which is used to replay/mod-
ify/drop or inject packets at will. This interface must also be
brought up with ifconfig and an external tool is needed to cre‐
brought up with ifconfig and an external tool is needed to cre-
ate a loop on that interface.
The packet structure is rather simple: the ethernet header (14
@ -146,12 +148,12 @@ OPTIONS
application. Obviously "in" redirects only incoming (through the
wireless NIC) frames, while outgoing frames aren't touched.
"out" does the opposite, it only loops outgoing packets and
"both" sends all both directions through the second tap inter‐
"both" sends all both directions through the second tap inter-
face.
There is a small and simple example application to replay all
frames on the second interface. The tool is called "replay.py"
and is located in "./test". It's written in python, but the lan‐
and is located in "./test". It's written in python, but the lan-
guage doesn't matter. It uses pcapy to read the frames and scapy
to possibly alter/show and reinject the frames. The tool as it
is, simply replays all frames and prints a short summary of the
@ -163,7 +165,7 @@ OPTIONS
as a real programming language can be used to build complex
logic for filtering and packet customization. The downside on
using python is, that it adds a delay of around 100ms and the
cpu utilizations is rather large on a high speed network, but
CPU utilizations is rather large on a high speed network, but
its perfect for a demonstration with only a few lines of code.
-c <channel>
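Review bot: the capitalisation fix leaves the grammar broken in "CPU utilizations is rather large"; make it "CPU utilization is rather high", and in the following context line "its perfect" should be "it's perfect".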
@ -171,7 +173,7 @@ OPTIONS
Point.
-X, --hidden
This causes the Access Point to hide the SSID and to not broad‐
This causes the Access Point to hide the SSID and to not broad-
cast the value.
-s When specfiied, this forces shared key authentication for all
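Review bot: the trailing context line "-s When specfiied, this forces shared key authentication" carries a typo ("specfiied" for "specified"); since this region is being touched, fix it in the same hunk.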
@ -212,8 +214,8 @@ OPTIONS
This attack listens for an ARP request or IP packet from the
client. Once one is received, a small amount of PRGA is
extracted and then used to create an ARP request packet targeted
to the client. This ARP request is actually made of up of multi‐
ple packet fragments such that when received, the client will
to the client. This ARP request is actually made of up of multiple
packet fragments such that when received, the client will
respond.
This attack works especially well against ad-hoc networks. As
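Review bot: the rewrapped line still reads "This ARP request is actually made of up of multiple"; while rejoining "multiple", also drop the stray "of" so it reads "is actually made up of multiple packet fragments".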
@ -224,7 +226,7 @@ OPTIONS
This sets the number of packets per second that packets will be
sent (default: 100).
-y When using this option, the fake AP will not respond to broad‐
-y When using this option, the fake AP will not respond to broad-
cast probes. A broadcast probe is where the the specific AP is
not identified uniquely. Typically, most APs will respond with
probe responses to a broadcast probe. This flag will prevent
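Review bot: the context line right after the changed one reads "where the the specific AP is not identified"; remove the duplicated "the" while this paragraph is being edited.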
@ -257,8 +259,7 @@ OPTIONS
This sets the time in milliseconds between each beacon.
-C <seconds>
The wildcard ESSIDs will also be beaconed this number of sec‐
onds. A good typical value to use is "-C 60" (require -P).
The wildcard ESSIDs will also be beaconed this number of seconds. A good typical value to use is "-C 60" (require -P).
Filter options:
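Review bot: in the joined sentence, "(require -P)" should be "(requires -P)".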
@ -276,9 +277,13 @@ OPTIONS
--essid <ESSID>, -e <ESSID>
Specify a single ESSID. For SSID containing special characters,
see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐
see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_space
ces_double_quote_and_single_quote_etc._in_ap_names
--essids <file>, -E <file>
read a list of ESSIDs out of that file.
```
```
Example Usage
---------------
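Review bot: the new line ends with "how_to_use_space" while the unchanged next line still begins "ces_double_quote_and_single_quote_etc._in_ap_names", so the anchor becomes "how_to_use_spaceces_double_quote..." and the link will not resolve; either keep the original "spa" or, better, put the whole URL on one line. Also the two consecutive ``` lines before "Example Usage" cancel each other out: the first closes the options block and the second opens a new block that swallows the "Example Usage" heading, so delete the second fence. Minor: "read a list of ESSIDs" should start with a capital like the other option descriptions.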

@ -0,0 +1,147 @@
AIRCRACK-NG
NAME
aircrack-ng - a 802.11 WEP / WPA-PSK key cracker
SYNOPSIS
aircrack-ng [options] <.cap / .ivs file(s)>
DESCRIPTION
aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program.
It can recover the WEP key once enough encrypted packets have been cap‐
tured with airodump-ng. This part of the aircrack-ng suite determines
the WEP key using two fundamental methods. The first method is via the
PTW approach (Pyshkin, Tews, Weinmann). The main advantage of the PTW
approach is that very few data packets are required to crack the WEP
key. The second method is the FMS/KoreK method. The FMS/KoreK method
incorporates various statistical attacks to discover the WEP key and
uses these in combination with brute forcing.
Additionally, the program offers a dictionary method for determining
the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or
stdin) or an airolib-ng has to be used.
OPTIONS
Common options:
-a <amode>
Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA-
PSK.
-e <essid>
Select the target network based on the ESSID. This option is
also required for WPA cracking if the SSID is cloacked. For SSID
containing special characters, see http://www.aircrack-
ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_sin‐
gle_quote_etc._in_ap_names
-b <bssid> or --bssid <bssid>
Select the target network based on the access point MAC address.
-p <nbcpu>
Set this option to the number of CPUs to use (only available on
SMP systems). By default, it uses all available CPUs
-q If set, no status information is displayed.
-C <macs> or --combine <macs>
Merges all those APs MAC (separated by a comma) into a virtual
one.
-l <file>
Write the key into a file.
-E <file>
Create Elcomsoft Wireless Security Auditor (EWSA) Project file
v3.02.
Static WEP cracking options:
-c Search alpha-numeric characters only.
-t Search binary coded decimal characters only.
-h Search the numeric key for Fritz!BOX
-d <mask> or --debug <mask>
Specify mask of the key. For example: A1:XX:CF
-m <maddr>
Only keep the IVs coming from packets that match this MAC
address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and
every IVs, regardless of the network (this disables ESSID and
BSSID filtering).
-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for
104-bit WEP, etc., until 512 bits of length. The default value
is 128.
-i <index>
Only keep the IVs that have this key index (1 to 4). The default
behaviour is to ignore the key index in the packet, and use the
IV regardless.
-f <fudge>
By default, this parameter is set to 2. Use a higher value to
increase the bruteforce level: cracking will take more time, but
with a higher likelihood of success.
-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge
false positive that prevents the key from being found, even with
lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack
selectively.
-x or -x0
Disable last keybytes bruteforce (not advised).
-x1 Enable last keybyte bruteforcing (default)
-x2 Enable last two keybytes bruteforcing.
-X Disable bruteforce multithreading (SMP only).
-s Shows ASCII version of the key at the right of the screen.
-y This is an experimental single brute-force attack which should
only be used when the standard attack mode fails with more than
one million IVs.
-z Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
attack (default attack).
-P <num> or --ptw-debug <num>
PTW debug: 1 Disable klein, 2 PTW.
-K Use KoreK attacks instead of PTW.
-D or --wep-decloak
WEP decloak mode.
-1 or --oneshot
Run only 1 try to crack key with PTW.
-M <num>
Specify maximum number of IVs to use.
WEP and WPA-PSK cracking options
-w <words>
Path to a dictionary file for wpa cracking. Specify "-" to use
stdin. Here is a list of wordlists: http://www.aircrack-
ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
WPA-PSK cracking options:
-S WPA cracking speed test.
-r <database>
Path to the airolib-ng database. Cannot be used with '-w'.
Other options:
-H or --help
Show help screen
-u or --cpu-detect
Provide information on the number of CPUs and MMX/SSE support
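Review bot: this file is pasted from a rendered man page, so it still contains the line-break soft hyphens ("cap‐ tured", "sin‐ gle_quote") that the airbase-ng hunks above are busy removing by hand; in particular the FAQ URL under -e is split across three lines and will not render as a link. Rejoin the hyphenated words and URLs before committing. Also fix "cloacked" to "cloaked", "all and every IVs" to "all and every IV", and "an airolib-ng has to be used" to "an airolib-ng database has to be used".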

@ -0,0 +1,39 @@
AIRDECAP-NG
NAME
airdecap-ng - decrypt a WEP/WPA crypted pcap file
SYNOPSIS
airdecap-ng [options] <pcap file>
DESCRIPTION
airdecap-ng decrypts a WEP/WPA crypted pcap file to a uncrypted one by
using the right WEP/WPA keys.
OPTIONS
-H, --help
Shows the help screen.
-l Do not remove the 802.11 header.
-b <bssid>
Access point MAC address filter.
-k <pmk>
WPA Pairwise Master Key in hex.
-e <essid>
Target network SSID. For SSID containing special characters, see
http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐
ces_double_quote_and_single_quote_etc._in_ap_names
-p <pass>
Target network WPA passphrase.
-w <key>
Target network WEP key in hex.
EXAMPLES
airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap
airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap
airdecap-ng -e my_essid -p my_passphrase tkip.cap
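Review bot: "crypted" and "uncrypted" in the NAME and DESCRIPTION lines should be "encrypted" and "decrypted" ("decrypt a WEP/WPA encrypted pcap file to a decrypted one"). The FAQ URL under -e is again split across two lines by a soft hyphen ("spa‐" / "ces_..."), so join it onto one line.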

@ -0,0 +1,81 @@
AIRDECLOAK-NG
NAME
airuncloak-ng - Removes wep cloaked framed from a pcap file.
SYNOPSIS
airuncloak-ng <options>
DESCRIPTION
airuncloak-ng is a tool that removes wep cloaking from a pcap file.
Some WIPS (actually one) can actively "prevent" cracking a WEP key by
inserting chaff (fake wep frames) in the air to fool aircrack-ng. In
some rare cases, cloaking fails and the key can be recovered without
removing this chaff. In the cases where the key cannot be recovered,
use this tool to filter out chaff.
The program works by reading the input file and selecting packets from
a specific network. Each selected packet is put into a list and clas‐
sified (default status is "unknown"). Filters are then applied (in the
order specified by the user) on this list. They will change the status
of the packets (unknown, uncloaked, potentially cloaked or cloaked).
The order of the filters is really important since each filter will
base its analysis amongst other things on the status of the packets and
different orders will give different results.
Important requirement: The pcap file needs to have all packets (includ‐
ing beacons and all other "useless" packets) for the analysis (and if
possible, prism/radiotap headers).
OPTIONS
-h, --help
Shows the help screen.
-i <file>
Path to the capture file.
--ssid <ESSID>
Essid of the network (not yet implemented) to filter.
--bssid <BSSID>
BSSID of the network to filter.
--null-packets
Assume that null packets can be cloaked.
--disable-base-filter
Do not apply base filter.
--drop-frag
Drop fragmented packets.
--filters <filters>
Apply different filters (separated by a comma). See below.
FILTERS
signal Try to filter based on signal (prism or radiotap headers in the
pcap file).
duplicate_sn
Remove all duplicate sequence numbers for both the AP and the
client (that are close to each other).
duplicate_sn_ap
Remove duplicate sequence number for the AP only (that are close
to each other).
duplicate_sn_client
Remove duplicate sequence number for the client only (that are
close to each other).
consecutive_sn
Filter based on the fact that IV should be consecutive (only for
AP).
duplicate_iv
Filter out all duplicate IV.
signal_dup_consec_sn
Use signal (if available), duplicate and consecutive sequence
number (filtering is much more precise than using all these fil‐
ters one by one).
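Review bot: the heading says AIRDECLOAK-NG but NAME, SYNOPSIS and DESCRIPTION all use airuncloak-ng; check which name the installed binary actually has and use it consistently, since a reader searching for one will not find the other. Also "Removes wep cloaked framed from a pcap file" should read "Removes WEP cloaked frames from a pcap file", and the soft-hyphen line breaks ("clas‐ sified", "includ‐ ing", "fil‐ ters") need rejoining as in the other pasted man pages.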

@ -0,0 +1,52 @@
AIRDRIVER-NG
NAME
airdriver-ng - automatically install/uninstall and patch drivers and
802.11 stacks
SYNOPSIS
airdriver-ng <command> [drivernumber]
DESCRIPTION
airdriver-ng is a script that provides status information about the
wireless drivers on your system plus the ability to load and unload the
drivers. Additionally, airdriver-ng allows you to install and uninstall
drivers complete with the patches required for monitor and injection
modes. Plus a number of other functions.
COMMAND
supported
Lists all supported drivers
kernel Lists all in-kernel drivers
installed
Lists all installed drivers
loaded Lists all loaded drivers
load <drivernum>
Loads a driver
unload <drivernum>
Unloads a driver
reload <drivernum>
Reloads a driver
install <drivernum>
Installs a driver
remove <drivernum>
Removes a driver
remove_stack <num>
Removes a stack
install_stack <num>
Installs a stack
details <drivernum>
Prints driver details
detect Detects wireless cards

@ -0,0 +1,264 @@
AIREPLAY-NG
NAME
aireplay-ng - inject packets into a wireless network to generate traf‐
fic
SYNOPSIS
aireplay-ng [options] <replay interface>
DESCRIPTION
aireplay-ng is used to inject/replay frames. The primary function is
to generate traffic for the later use in aircrack-ng for cracking the
WEP and WPA-PSK keys. There are different attacks which can cause deau‐
thentications for the purpose of capturing WPA handshake data, fake
authentications, Interactive packet replay, hand-crafted ARP request
injection and ARP-request reinjection. With the packetforge-ng tool
it's possible to create arbitrary frames.
aireplay-ng supports single-NIC injection/monitor.
This feature needs driver patching.
OPTIONS
-H, --help
Shows the help screen.
Filter options:
-b <bssid>
MAC address of access point.
-d <dmac>
MAC address of destination.
-s <smac>
MAC address of source.
-m <len>
Minimum packet length.
-n <len>
Maximum packet length.
-u <type>
Frame control, type field.
-v <subt>
Frame control, subtype field.
-t <tods>
Frame control, "To" DS bit (0 or 1).
-f <fromds>
Frame control, "From" DS bit (0 or 1).
-w <iswep>
Frame control, WEP bit (0 or 1).
-D Disable AP Detection.
Replay options:
-x <nbpps>
Number of packets per second.
-p <fctrl>
Set frame control word (hex).
-a <bssid>
Set Access Point MAC address.
-c <dmac>
Set destination MAC address.
-h <smac>
Set source MAC address.
-g <nb_packets>
Change ring buffer size (default: 8 packets). The minimum is 1.
-F Choose first matching packet.
-e <essid>
Fake Authentication attack: Set target SSID (see below). For
SSID containing special characters, see http://www.aircrack-
ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_sin‐
gle_quote_etc._in_ap_names
-o <npackets>
Fake Authentication attack: Set the number of packets for every
authentication and association attempt (Default: 1). 0 means
auto
-q <seconds>
Fake Authentication attack: Set the time between keep-alive
packets in fake authentication mode.
-Q Fake Authentication attack: Sends reassociation requests instead
of performing a complete authentication and association after
each delay period.
-y <prga>
Fake Authentication attack: Specifies the keystream file for
fake shared key authentication.
-T n Fake Authentication attack: Exit if fake authentication fails
'n' time(s).
-j ARP Replay attack : inject FromDS pakets (see below).
-k <IP>
Fragmentation attack: Set destination IP in fragments.
-l <IP>
Fragmentation attack: Set source IP in fragments.
-B Test option: bitrate test.
Source options:
-i <iface>
Capture packets from this interface.
-r <file>
Extract packets from this pcap file.
Miscellaneous options:
-R disable /dev/rtc usage.
--ignore-negative-one if the interface's channel can't be determined
ignore the mismatch, needed for unpatched cfg80211
Attack modes:
-0 <count>, --deauth=<count>
This attack sends deauthentication packets to one or more
clients which are currently associated with a particular access
point. Deauthenticating clients can be done for a number of rea‐
sons: Recovering a hidden ESSID. This is an ESSID which is not
being broadcast. Another term for this is "cloaked" or Capturing
WPA/WPA2 handshakes by forcing clients to reauthenticate or Gen‐
erate ARP requests (Windows clients sometimes flush their ARP
cache when disconnected). Of course, this attack is totally
useless if there are no associated wireless client or on fake
authentications.
-1 <delay>, --fakeauth=<delay>
The fake authentication attack allows you to perform the two
types of WEP authentication (Open System and Shared Key) plus
associate with the access point (AP). This is useful is only
useful when you need an associated MAC address in various aire‐
play-ng attacks and there is currently no associated client. It
should be noted that the fake authentication attack does NOT
generate any ARP packets. Fake authentication cannot be used to
authenticate/associate with WPA/WPA2 Access Points.
-2, --interactive
This attack allows you to choose a specific packet for replaying
(injecting). The attack can obtain packets to replay from two
sources. The first being a live flow of packets from your wire‐
less card. The second being from a pcap file. Reading from a
file is an often overlooked feature of aireplay-ng. This allows
you read packets from other capture sessions or quite often,
various attacks generate pcap files for easy reuse. A common use
of reading a file containing a packet your created with packet‐
forge-ng.
-3, --arpreplay
The classic ARP request replay attack is the most effective way
to generate new initialization vectors (IVs), and works very
reliably. The program listens for an ARP packet then retransmits
it back to the access point. This, in turn, causes the access
point to repeat the ARP packet with a new IV. The program
retransmits the same ARP packet over and over. However, each ARP
packet repeated by the access point has a new IVs. It is all
these new IVs which allow you to determine the WEP key.
-4, --chopchop
This attack, when successful, can decrypt a WEP data packet
without knowing the key. It can even work against dynamic WEP.
This attack does not recover the WEP key itself, but merely
reveals the plaintext. However, some access points are not vul‐
nerable to this attack. Some may seem vulnerable at first but
actually drop data packets shorter that 60 bytes. If the access
point drops packets shorter than 42 bytes, aireplay tries to
guess the rest of the missing data, as far as the headers are
predictable. If an IP packet is captured, it additionally checks
if the checksum of the header is correct after guessing the
missing parts of it. This attack requires at least one WEP data
packet.
-5, --fragment
This attack, when successful, can obtain 1500 bytes of PRGA
(pseudo random generation algorithm). This attack does not
recover the WEP key itself, but merely obtains the PRGA. The
PRGA can then be used to generate packets with packetforge-ng
which are in turn used for various injection attacks. It
requires at least one data packet to be received from the access
point in order to initiate the attack.
-6, --caffe-latte
In general, for an attack to work, the attacker has to be in the
range of an AP and a connected client (fake or real). Caffe
Latte attacks allows one to gather enough packets to crack a WEP
key without the need of an AP, it just need a client to be in
range.
-7, --cfrag
This attack turns IP or ARP packets from a client into ARP
request against the client. This attack works especially well
against ad-hoc networks. As well it can be used against softAP
clients and normal AP clients.
-8, --migmode
This attack works against Cisco Aironet access points configured
in WPA Migration Mode, which enables both WPA and WEP clients to
associate to an access point using the same Service Set Identi‐
fier (SSID). The program listens for a WEP-encapsulated broad‐
cast ARP packet, bitflips it to make it into an ARP coming from
the attacker's MAC address and retransmits it to the access
point. This, in turn, causes the access point to repeat the ARP
packet with a new IV and also to forward the ARP reply to the
attacker with a new IV. The program retransmits the same ARP
packet over and over. However, each ARP packet repeated by the
access point has a new IV as does the ARP reply forwarded to the
attacker by the access point. It is all these new IVs which
allow you to determine the WEP key.
-9, --test
Tests injection and quality.
FRAGMENTATION VERSUS CHOPCHOP
Fragmentation:
Pros
- Can obtain the full packet length of 1500 bytes XOR. This
means you can subsequently pretty well create any size of
packet.
- May work where chopchop does not
- Is extremely fast. It yields the XOR stream extremely quickly
when successful.
Cons
- Setup to execute the attack is more subject to the device
drivers. For example, Atheros does not generate the correct
packets unless the wireless card is set to the mac address you
are spoofing.
- You need to be physically closer to the access point since if
any packets are lost then the attack fails.
Chopchop
Pro
- May work where frag does not work.
Cons
- Cannot be used against every access point.
- The maximum XOR bits is limited to the length of the packet
you chopchop against.
- Much slower then the fragmentation attack.
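Review bot: several typos in the pasted text should be fixed before this lands: "inject FromDS pakets" (packets) under -j; "This is useful is only useful when" under -1 (drop the first "is useful"); "a packet your created with packetforge-ng" under -2 (you); "has a new IVs" under -3 (a new IV); "drop data packets shorter that 60 bytes" under -4 (than); "Caffe Latte attacks allows one" under -6 (allow); and "Much slower then the fragmentation attack" in the Cons list (than). The soft-hyphen line breaks ("traf‐ fic", "deau‐ thentications", "aire‐ play-ng") also need rejoining.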

@ -0,0 +1,55 @@
AIRMON-NG
Notes
-------
* Version: 1.2-beta2 release
* Kali Linux Verison: 1.0.6
* Developers: Thomas d'Otreppe
***Purpose*** - bash script designed to turn wireless cards into monitor
mode.
**SYNOPSIS**
```
airmon-ng <start|stop> <interface> [channel] airmon-ng <check> [kill]
```
**DESCRIPTION**
``` airmon-ng is script can be used to enable monitor mode on wireless
interfaces. It may also be used to go back from monitor mode to managed
mode. Entering the airmon-ng command without parameters will show the
interfaces status. It can list/kill programs that can interfere with
the wireless card and set the right sources in /etc/kismet/kismet.conf
too.
```
**OPTIONAL PARAMETERS**
``` start <interface> [channel]
Enable monitor mode on an interface (and specify a channel).
Note: Madwifi-ng is a special case, 'start' has to be used on
wifi interfaces and 'stop' on ath interfaces. stop <interface>
Disable monitor mode and go back to managed mode (except for
madwifi-ng where it kills the ath VAP).
check [kill]
List all possible programs that could interfere with the wire
less card. If 'kill' is specified, it will try to kill all of
them.
```
Example Usage
---------------
Display all process that will interfere with wireless card
* `airmon-ng check`
Kill any process that will interfere with wireless card
* `airmon-ng check kill`
Start monitor mode
* `airmon-ng start wlan0`
Start monitor mode on a specific channel
* `airmon-ng start wlan0 11`
Stop monitor mode
* `airmon-ng stop mon0`
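Review bot: the fences under DESCRIPTION and OPTIONAL PARAMETERS open on the same line as their first text ("``` airmon-ng is script can be used", "``` start <interface> [channel]"), so that text becomes the fence info string and is dropped from the rendered block; put each ``` on its own line. In the SYNOPSIS block the two usage forms run together on one line; split them as "airmon-ng <start|stop> <interface> [channel]" and "airmon-ng <check> [kill]". Likewise "stop <interface>" is glued to the end of the Madwifi-ng note and should start its own line. Wording: "airmon-ng is script can be used" should be "airmon-ng is a script that can be used", "wire less card" should be "wireless card", "Display all process" should be "Display all processes", and "Verison" is misspelt again in the Notes.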

@ -0,0 +1,12 @@
AIRODUMP-NG-OUI-UPDATE
NAME
airodump-ng-oui-updater - IEEE oui list updater for airodump-ng
SYNOPSIS
airodump-ng-oui-updater
DESCRIPTION
airodump-ng-oui-updater downloads and parses IEEE OUI list.
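Review bot: the heading is AIRODUMP-NG-OUI-UPDATE while NAME, SYNOPSIS and DESCRIPTION say airodump-ng-oui-updater, and the airodump-ng page in this same commit refers to airodump-ng-oui-update(8); pick the name of the shipped script and use it in all three places.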

@ -0,0 +1,273 @@
AIRODUMP-NG
NAME
airodump-ng - a wireless packet capture tool for aircrack-ng
SYNOPSIS
airodump-ng [options] <interface name>
DESCRIPTION
airodump-ng is used for packet capturing of raw 802.11 frames for the
intent of using them with aircrack-ng. If you have a GPS receiver con‐
nected to the computer, airodump-ng is capable of logging the coordi‐
nates of the found access points. Additionally, airodump-ng writes out
a text file containing the details of all access points and clients
seen.
OPTIONS
-H, --help
Shows the help screen.
-i, --ivs
It only saves IVs (only useful for cracking). If this option is
specified, you have to give a dump prefix (--write option)
-g, --gpsd
Indicate that airodump-ng should try to use GPSd to get coordi‐
nates.
-w <prefix>, --write <prefix>
Is the dump file prefix to use. If this option is not given, it
will only show data on the screen. Beside this file a CSV file
with the same filename as the capture will be created.
-e, --beacons
It will record all beacons into the cap file. By default it only
records one beacon for each network.
-u <secs>, --update <secs>
Delay <secs> seconds delay between display updates (default: 1
second). Useful for slow CPU.
--showack
Prints ACK/CTS/RTS statistics. Helps in debugging and general
injection optimization. It is indication if you inject, inject
too fast, reach the AP, the frames are valid encrypted frames.
Allows one to detect "hidden" stations, which are too far away
to capture high bitrate frames, as ACK frames are sent at 1Mbps.
-h Hides known stations for --showack.
--berlin <secs>
Time before removing the AP/client from the screen when no more
packets are received (Default: 120 seconds). See airodump-ng
source for the history behind this option ;).
-c <channel>[,<channel>[,...]], --channel <channel>[,<channel>[,...]]
Indicate the channel(s) to listen to. By default airodump-ng hop
on all 2.4GHz channels.
-b <abg>, --band <abg>
Indicate the band on which airodump-ng should hop. It can be a
combination of 'a', 'b' and 'g' letters ('b' and 'g' uses 2.4GHz
and 'a' uses 5GHz). Incompatible with --channel option.
-s <method>, --cswitch <method>
Defines the way airodump-ng sets the channels when using more
than one card. Valid values: 0 (FIFO, default value), 1 (Round
Robin) or 2 (Hop on last).
-r <file>
Reads packet from a file.
-x <msecs>
Active Scanning Simulation (send probe requests and parse the
probe responses).
-M, --manufacturer
Display a manufacturer column with the information obtained from
the IEEE OUI list. See airodump-ng-oui-update(8)
-U, --uptime
Display APs uptime obtained from its beacon timestamp.
--output-format <formats>
Define the formats to use (separated by a comma). Possible val‐
ues are: pcap, ivs, csv, gps, kismet, netxml. The default values
are: pcap, csv, kismet, kismet-newcore. 'pcap' is for recording
a capture in pcap format, 'ivs' is for ivs format (it is a
shortcut for --ivs). 'csv' will create an airodump-ng CSV file,
'kismet' will create a kismet csv file and 'kismet-newcore' will
create the kismet netxml file. 'gps' is a shortcut for --gps.
Theses values can be combined with the exception of ivs and
pcap.
--ignore-negative-one
Removes the message that says 'fixed channel <interface>: -1'.
Filter options:
-t <OPN|WEP|WPA|WPA1|WPA2>, --encrypt <OPN|WEP|WPA|WPA1|WPA2>
It will only show networks matching the given encryption. May be
specified more than once: '-t OPN -t WPA2'
-d <bssid>, --bssid <bssid>
It will only show networks, matching the given bssid.
-m <mask>, --netmask <mask>
It will only show networks, matching the given bssid ^ netmask
combination. Need --bssid (or -d) to be specified.
-a It will only show associated clients.
INTERACTION
airodump-ng can receive and interpret key strokes while running. The
following list describes the currently assigned keys and supposed
actions:
a Select active areas by cycling through these display options:
AP+STA; AP+STA+ACK; AP only; STA only
d Reset sorting to defaults (Power)
i Invert sorting algorithm
m Mark the selected AP or cycle through different colors if the
selected AP is already marked
r (De-)Activate realtime sorting - applies sorting algorithm
everytime the display will be redrawn
s Change column to sort by, which currently includes: First seen;
BSSID; PWR level; Beacons; Data packets; Packet rate; Channel;
Max. data rate; Encryption; Strongest Ciphersuite; Strongest
Authentication; ESSID
SPACE Pause display redrawing/ Resume redrawing
TAB Enable/Disable scrolling through AP list
UP Select the AP prior to the currently marked AP in the displayed
list if available
DOWN Select the AP after the currently marked AP if available
If an AP is selected or marked, all the connected stations will also be
selected or marked with the same color as the corresponding Access
Point.
EXAMPLES
airodump-ng --band bg ath0
Here is an example screenshot:
-----------------------------------------------------------------------
CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][
WPA handshake: 00:14:6C:7E:40:80
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER
AUTH ESSID
00:09:5B:1C:AA:1D 11 16 10 0 0 11 54. OPN
<length: 7>
00:14:6C:7A:41:81 34 100 57 14 1 9 11 WEP WEP
bigbear
00:14:6C:7E:40:80 32 100 752 73 2 9 54 WPA TKIP
PSK teddy
BSSID STATION PWR Rate Lost Frames
Probes
00:14:6C:7A:41:81 00:0F:B5:32:31:31 51 11-11 2 14 big‐
bear
(not associated) 00:14:A4:3F:8D:13 19 11-11 0 4 mossy
00:14:6C:7A:41:81 00:0C:41:52:D1:D1 -1 11-2 0 5 big‐
bear
00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 36-24 0 99 teddy
-----------------------------------------------------------------------
BSSID MAC address of the access point. In the Client section, a BSSID
of "(not associated)" means that the client is not associated
with any AP. In this unassociated state, it is searching for an
AP to connect with.
PWR Signal level reported by the card. Its signification depends on
the driver, but as the signal gets higher you get closer to the
AP or the station. If the BSSID PWR is -1, then the driver
doesn't support signal level reporting. If the PWR is -1 for a
limited number of stations then this is for a packet which came
from the AP to the client but the client transmissions are out
of range for your card. Meaning you are hearing only 1/2 of the
communication. If all clients have PWR as -1 then the driver
doesn't support signal level reporting.
RXQ Only shown when on a fixed channel. Receive Quality as measured
by the percentage of packets (management and data frames) suc‐
cessfully received over the last 10 seconds. It's measured over
all management and data frames. That's the clue, this allows you
to read more things out of this value. Lets say you got 100 per‐
cent RXQ and all 10 (or whatever the rate) beacons per second
coming in. Now all of a sudden the RXQ drops below 90, but you
still capture all sent beacons. Thus you know that the AP is
sending frames to a client but you can't hear the client nor the
AP sending to the client (need to get closer). Another thing
would be, that you got a 11MB card to monitor and capture frames
(say a prism2.5) and you have a very good position to the AP.
The AP is set to 54MBit and then again the RXQ drops, so you
know that there is at least one 54MBit client connected to the
AP.
Beacons
Number of beacons sent by the AP. Each access point sends about
ten beacons per second at the lowest rate (1M), so they can usu‐
ally be picked up from very far.
#Data Number of captured data packets (if WEP, unique IV count),
including data broadcast packets.
#/s Number of data packets per second measure over the last 10 sec‐
onds.
CH Channel number (taken from beacon packets). Note: sometimes
packets from other channels are captured even if airodump-ng is
not hopping, because of radio interference.
MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if
MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot
(after 54 above) indicates short preamble is supported. 'e'
indicates that the network has QoS (802.11e) enabled.
ENC Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or
higher (not enough data to choose between WEP and WPA/WPA2), WEP
(without the question mark) indicates static or dynamic WEP, and
WPA or WPA2 if TKIP or CCMP or MGT is present.
CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or
WEP104. Not mandatory, but TKIP is typically used with WPA and
CCMP is typically used with WPA2. WEP40 is displayed when the
key index is greater then 0. The standard states that the index
can be 0-3 for 40bit and should be 0 for 104 bit.
AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a
separate authentication server), SKA (shared key for WEP), PSK
(pre-shared key for WPA/WPA2), or OPN (open for WEP).
ESSID The so-called "SSID", which can be empty if SSID hiding is acti‐
vated. In this case, airodump-ng will try to recover the SSID
from probe responses and association requests.
STATION
MAC address of each associated station or stations searching for
an AP to connect with. Clients not currently associated with an
AP have a BSSID of "(not associated)".
Rate This is only displayed when using a single channel. The first
number is the last data rate from the AP (BSSID) to the Client
(STATION). The second number is the last data rate from Client
(STATION) to the AP (BSSID).
Lost It means lost packets coming from the client. To determine the
number of packets lost, there is a sequence field on every non-
control frame, so you can subtract the second last sequence num‐
ber from the last sequence number and you know how many packets
you have lost.
Packets
The number of data packets sent by the client.
Probes The ESSIDs probed by the client. These are the networks the
client is trying to connect to if it is not currently connected.
The first part is the detected access points. The second part is a list
of detected wireless clients, stations. By relying on the signal power,
one can even physically pinpoint the location of a given station.
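Review bot: the client-table column in the example screenshot is headed "Frames" (the line "BSSID STATION PWR Rate Lost Frames") but the field list below describes it as "Packets" ("The number of data packets sent by the client."), so a reader cannot match the two; rename the entry to Frames. The screenshot has also been wrapped at a narrow width, so "AUTH ESSID", "<length: 7>", "PSK teddy" and "big- bear" land on lines of their own and the columns no longer line up; reflow it as preformatted text at 80 columns before merging. Minor wording: "Its signification depends on the driver" should be "Its meaning depends on the driver", and the filler sentence "That's the clue, this allows you to read more things out of this value" in the RXQ entry can be dropped.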
View File
@ -0,0 +1,47 @@
AIROLIB-NG
NAME
airolib-ng - manage and create a WPA/WPA2 pre-computed hashes tables
SYNOPSIS
airolib-ng <database> <operation> [options]
DESCRIPTION
airolib-ng is a tool for the aircrack-ng suite to store and manage
essid and password lists, compute their Pairwise Master Keys (PMKs) and
use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3
database as the storage mechanism which is available on most platforms.
The SQLite3 database was selected taking in consideration platform
availability plus management, memory and disk overhead.
DATABASE
database
It is name of the database file. Optionally specify the full
path.
OPERATION
--stats
Output information about the database.
--sql <sql>
Execute specified SQL statement.
--clean [all]
Clean the database from old junk. When specifying 'all', it will
also reduce filesize if possible and run an integrity check.
--batch
Start batch-processing all combinations of ESSIDs and passwords.
--verify [all]
Verify a set of randomly chosen PMKs. If 'all' is given, all
invalid PMK in the database will be deleted.
--import [essid|passwd] <file>
Import a flat file as a list of ESSIDs or passwords.
import cowpatty <file>
Import a coWPAtty file.
--export cowpatty <essid> <file>
Export to a cowpatty file.
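Review bot: the operation "import cowpatty <file>" is missing its leading dashes, unlike "--import [essid|passwd] <file>" and "--export cowpatty <essid> <file>" in the same list, so a reader will type a form the tool does not accept. The NAME line "manage and create a WPA/WPA2 pre-computed hashes tables" should read "manage and create WPA/WPA2 pre-computed hash tables". The page also has no EXAMPLES section; the OPERATION list never says that --batch has to be run after importing ESSIDs and passwords before the database holds any PMKs, and a short sequence (--import essid, --import passwd, --batch, --stats) would make that ordering clear.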
View File
@ -0,0 +1,36 @@
AIRSERV-NG
NAME
airserv-ng - a wireless card server
SYNOPSIS
airserv-ng <options>
DESCRIPTION
airserv-ng is a wireless card server which allows multiple wireless
application programs to independently use a wireless card via a client-
server TCP network connection. All operating system and wireless card
driver specific code is incorporated into the server. This eliminates
the need for each wireless application to contain the complex wireless
card and driver logic. It is also supports multiple operating systems.
OPTIONS
-h Shows the help screen.
-p <port>
TCP port to listen on (by default: 666).
-d <iface>
Wifi interface to use.
-c <chan>
Lock interface to this channel.
-v <level>
Debug level. There are 3 debug levels. Debug level of 1 shows
client connection/disconnection (default). Debug level of 2
shows channel change requests and invalid client command
requests in addition to the debug level 1 messages. Debug level
of 3 displays a message each time a packet (and its length) is
sent to the client. It also include messages from level 2 (and
1).
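Review bot: the option list has no bind-address or authentication option and the DESCRIPTION says nothing about access control, yet any client that can connect to the TCP port gets full capture and injection on the wireless card; the page should state that airserv-ng accepts every connection and that the listening port (666 by default) must be firewalled or tunnelled rather than exposed on an untrusted network. Grammar: "It is also supports multiple operating systems" should be "It also supports multiple operating systems".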
View File
@ -0,0 +1,66 @@
AIRTUN-NG
NAME
airtun-ng - a virtual tunnel interface creator for aircrack-ng
SYNOPSIS
airtun-ng [options] <interface name>
DESCRIPTION
airtun-ng creates a virtual tunnel interface (atX) for sending arbi
trary IP packets by using raw ieee802.11 packet injection.
OPTIONS
-H, --help
Shows the help screen.
-x <pps>
Sets maximum number of packets per second.
-a <BSSID>
Specifies the BSSID for the iee802.11 header. In WDS Mode this
sets the Receiver.
-h <SMAC>
Specifies the source MAC for the iee802.11 header.
-i <iface>
Sets the capture interface.
-r <file>
Specifies a file to read 802.11 frames.
-y <PRGA-file>
Is the name of the file, which provides the keystream for WEP
encoding. (No receiving, just transmitting of IP packets.)
-w <WEP-key>
This is the WEP key to en-/decrypt all traffic going through the
tunnel.
-t <tods>
Defines the ToDS and FromDS bit in the ieee802.11 header. For
tods=1, the ToDS bit is set to 1 and FromDS to 0, while tods=0
sets them the other way around. If set to 2, it will be tunneled
in a WDS/bridge.
-m <netmask>, --netmask <netmask>
Filters networks based on bssid ^ netmask combination. Needs -d,
used in replay mode.
-d <BSSID>, --bssid <BSSID>
Filters networks based on the <BSSID>. Used in replay mode.
-f, --repeat
Enables replay mode. All read frames, filtered by bssid and net
mask (if specified), will be replayed.
-s <transmitter>
Set Transmitter MAC address for WDS Mode.
-b Bidirectional mode. This enables communication in Transmitter's
AND Receiver's networks. Works only if you can see both sta
tions.
EXAMPLES
airtun-ng -a 00:14:22:56:F3:4E -t 0 -y keystream.xor wlan0
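Review bot: "iee802.11" in the -a and -h entries should be "ieee802.11", as the DESCRIPTION and the -t entry already spell it, and several words carry leftover man-page hyphenation: "arbi trary", "net mask", "sta tions". The EXAMPLES section gives only the bare command line; one sentence stating what it does, i.e. create an at0 interface that WEP-encrypts outgoing IP packets with the keystream in keystream.xor and sends them with FromDS set as if from AP 00:14:22:56:F3:4E (tods=0 per the -t description), would make the -t and -y semantics concrete.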
View File
@ -0,0 +1,18 @@
BUDDY-NG
NAME
buddy-ng - a tool to work with easside-ng
SYNOPSIS
buddy-ng <options>
DESCRIPTION
buddy-ng server echoes back the decrypted packets to the system running
easside-ng in order to access the wireless network without knowing the
WEP key. It is done by having the AP itself decrypt the packets. When
ran, it automatically starts and listen to port 6969.
OPTIONS
-h Shows the help screen.
-p Don't drop privileges
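Review bot: the -p entry says only "Don't drop privileges" and never states the default, so the security-relevant behaviour (privileges are dropped after start-up) is implied rather than documented; state the default and the unprivileged user it switches to, and when -p would be needed. Grammar: "When ran, it automatically starts and listen to port 6969" should be "When run, it automatically listens on port 6969". Since the DESCRIPTION says the AP itself decrypts the packets and sends them to buddy-ng, the page should also note that port 6969 has to be reachable from the target AP's network, not just from the attacker's host.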
View File
@ -0,0 +1,46 @@
EASSIDE-NG
NAME
easside-ng - an auto-magic tool which allows you to communicate via an
WEP-encrypted AP without knowing the key
SYNOPSIS
easside-ng <options>
DESCRIPTION
easside-ng is an auto-magic tool which allows you to communicate via an
WEP-encrypted access point (AP) without knowing the WEP key. It first
identifies a network, then proceeds to associate with it, obtain PRGA
(pseudo random generation algorithm) xor data, determine the network IP
scheme and then setup a TAP interface so that you can communicate with
the AP without requiring the WEP key. All this is done without your
intervention.
OPTIONS
-h Shows the help screen.
-v <victim mac>
Victim BSSID (Optional).
-m <src mac>
Source MAC address to be used (Optional).
-i <ip>
Source IP address to be used on the wireless LAN. Defaults to
the decoded network plus '.123' (Optional).
-r <router ip>
IP address of the AP router. This could be the WAN IP of the AP
or an actual router IP depending on the topology. Defaults to
the decoded network plus '.1' (Optional).
-s <buddy ip>
IP address of Buddy-ng server (Mandatory)
-f <iface>
Wireless interface to use (Mandatory)
-c <channel>
Lock interface to this channel (Optional).
-n Determine Internet IP only.
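Review bot: the -s <buddy ip> entry says only "(Mandatory)"; given that the DESCRIPTION relies on the AP decrypting frames and forwarding them to the buddy-ng host, that host must be reachable from the AP's side (in practice a public Internet address), and since this is the usual reason the tool fails to get PRGA the requirement belongs in the option text. Grammar: "via an WEP-encrypted" should be "via a WEP-encrypted" (in both NAME and DESCRIPTION) and "setup a TAP interface" should be "set up a TAP interface".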
View File
@ -0,0 +1,18 @@
IVSTOOLS
NAME
ivstools - extract IVs from a pcap file or merges several .ivs files
into one
SYNOPSIS
ivstools --convert <pcap file> <ivs output file> ivstools --merge <ivs
file 1> <ivs file 2> .. <output file>
DESCRIPTION
ivstools is a tool designed to extract ivs (initialization vectors)
from a pcap dump to an ivs file and it can also merge several ivs (ini
tialization vectors) files into one..
EXAMPLE
ivstools --convert wep_dump.cap out.ivs ivstools --merge myivs1.ivs
myivs2.ivs myivs3.ivs allivs.ivs
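Review bot: both SYNOPSIS and EXAMPLE run two separate invocations together on one line ("ivstools --convert <pcap file> <ivs output file> ivstools --merge ..." and "... out.ivs ivstools --merge myivs1.ivs ..."), so each reads as a single command with an odd extra argument; put the --convert and --merge forms on separate lines. Also "into one.." has a doubled period.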
View File
@ -0,0 +1,16 @@
KSTATS
NAME
kstats - show statistical FMS algorithm votes for an ivs dump and a
specified WEP key
SYNOPSIS
kstats <ivs file> <104-bit key>
DESCRIPTION
kstats is a tool designed to show the FMS algorithm votes for an ivs
dump (intialization vectors) with a specified WEP key. The ivs dump can
be get by using the combinaison of both airodump(1) and ivstools(1).
EXAMPLE
kstats kstats out.ivs 123456789ABCDEF123456789AB
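Review bot: the EXAMPLE line "kstats kstats out.ivs 123456789ABCDEF123456789AB" repeats the program name and should be "kstats out.ivs 123456789ABCDEF123456789AB". Typos in DESCRIPTION: "intialization" (initialization), "combinaison" (combination), and "can be get by using" should be "can be obtained by using".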
View File
@ -0,0 +1,15 @@
MAKEIVS-NG
NAME
makeivs - generate a dummy IVS dump file with a specific WEP key
SYNOPSIS
makeivs <ivs file> <104-bit key>
DESCRIPTION
makeivs is a tool designed to generate an IVS dump file with an inputed
WEP key. The aim of is tools is to provide a way to create dumps with
a known encryption key for tests.
EXAMPLE
makeivs makeivs out.ivs 123456789ABCDEF123456789AB
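Review bot: the EXAMPLE "makeivs makeivs out.ivs 123456789ABCDEF123456789AB" repeats the program name, and the page heading is MAKEIVS-NG while NAME, SYNOPSIS and EXAMPLE all call the binary makeivs; check which name 1.2-beta2 installs and use it consistently throughout. Grammar: "inputed" should be "input", and "The aim of is tools is to provide" should be "The aim of this tool is to provide".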
View File
@ -0,0 +1,80 @@
PACKETFORGE-NG
NAME
packetforge-ng - forge packets: ARP, UDP, ICMP or custom packets.
SYNOPSIS
packetforge-ng <mode> <options>
DESCRIPTION
packetforge-ng is a tool to create encrypted packets that can subse
quently be used for injection. You may create various types of packets
such as arp requests, UDP, ICMP and custom packets. The most common use
is to create ARP requests for subsequent injection.
To create an encrypted packet, you must have a PRGA (pseudo random gen
ration algorithm) file. This is used to encrypt the packet you create.
This is typically obtained from aireplay-ng chopchop or fragmentation
attacks.
OPTIONS
-H, --help
Shows the help screen.
-p <fctrl>
Set frame control word (hex)
-a <bssid>
Set Access Point MAC addres
-c <dmac>
Set Destination MAC address
-h <smac>
Set Source MAC address
-j set FromDS bit
-o clear ToDS bit
-e disable WEP encryption
-k <ip:[port]>
Set destination IP (and port)
-l <ip:[port]>
Set source IP (and port)
-w <file>
Write packet to this pcap file
-r <file>
Read packet from this pcap file
-y <file>
Read PRGA from this file
-t <ttl>
Set Time To Live in IP-Header
-s <size>
Set size of the generated null packet.
-0, --arp
Forge an ARP packet
-1, --udp
Forge an UDP packet
-2, --icmp
Forge an ICMP packet
-3, --null
Forge a llc null packet
-9, --custom
Build a custom packet, requires -r to read an unencrypted frame
out of a pcap file.
EXAMPLE
packetforge-ng -y test.xor -a 00:09:5b:12:40:cc -h 00:10:2a:cb:30:14 -k
192.168.1.100 -l 192.168.1.1 -w arp-request.cap
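Review bot: the EXAMPLE command contains no <mode> flag although SYNOPSIS requires one ("packetforge-ng <mode> <options>") and the DESCRIPTION says ARP requests are the common case; add -0 (--arp) so the example actually runs. The command is also wrapped across two lines with no continuation marker, so "192.168.1.100 -l 192.168.1.1 -w arp-request.cap" looks like a second command; keep it on one line or end the first with a backslash. A closing sentence stating the result, a WEP-encrypted ARP request "who has 192.168.1.100, tell 192.168.1.1" from 00:10:2a:cb:30:14 written to arp-request.cap for replay with aireplay-ng, would tie -k and -l back to their definitions. Typos: "addres", "subse quently", "gen ration" (generation).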
View File
@ -0,0 +1,87 @@
TKIPTUN-NG
NAME
tkiptun-ng - inject a few frames into a WPA TKIP network with QoS
SYNOPSIS
tkiptun-ng [options] <replay interface>
DESCRIPTION
tkiptun-ng is a tool created by Martin Beck aka hirte, a member of air
crack-ng team. This tool is able to inject a few frames into a WPA TKIP
network with QoS. He worked with Erik Tews (who created PTW attack) for
a conference in PacSec 2008: "Gone in 900 Seconds, Some Crypto Issues
with WPA".
OPERATION
-H, --help
Shows the help screen.
Filter options:
-d <dmac>
MAC address of destination.
-s <smac>
MAC address of source.
-m <len>
Minimum packet length.
-n <len>
Maximum packet length.
-t <tods>
Frame control, "To" DS bit.
-f <fromds>
Frame control, "From" DS bit.
-D Disable AP Detection.
Replay options:
-x <nbpps>
Number of packets per second.
-p <fctrl>
Set frame control word (hex).
-a <bssid>
Set Access Point MAC address.
-c <dmac>
Set destination MAC address.
-h <smac>
Set source MAC address.
-F Choose first matching packet.
-e <essid>
Set target SSID.
Debug options:
-K <prga>
Keystream for continuation.
-y <file>
Keystream file for continuation.
-j Inject FromFS packets.
-P <PMK>
Pairwise Master key (PMK) for verification or vulnerability
testing.
-p <PSK>
Preshared key (PSK) to calculate PMK with essid.
Source options:
-i <iface>
Capture packets from this interface.
-r <file>
Extract packets from this pcap file.
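Review bot: -p is defined twice, as "-p <fctrl> Set frame control word (hex)." under Replay options and as "-p <PSK> Preshared key (PSK) to calculate PMK with essid." under Debug options; one of these is wrong and the reader cannot tell which, so verify against the binary's --help before merging. Also "-j Inject FromFS packets." should be "FromDS", the section heading is OPERATION where every other page in this commit uses OPTIONS, "air crack-ng" is hyphenation residue, and "He worked with Erik Tews" should name Beck rather than rely on the pronoun.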
View File
@ -0,0 +1,53 @@
WESSIDE-NG
NAME
wesside-ng - crack a WEP key of an open network without user interven
tion
SYNOPSIS
wesside-ng <options>
DESCRIPTION
wesside-ng is an auto-magic tool which incorporates a number of tech
niques to seamlessly obtain a WEP key in minutes. It first identifies a
network, then proceeds to associate with it, obtain PRGA (pseudo random
generation algorithm) xor data, determine the network IP scheme, rein
ject ARP requests and finally determine the WEP key. All this is done
without your intervention.
OPTIONS
-h Shows the help screen.
-i <iface>
Wireless interface name. (Mandatory)
-n <network ip>
Network IP as in 'who has destination IP (netip) tell source IP
(myip)'. Defaults to the source IP on the ARP request which is
captured and decrypted. (Optional)
-m <my ip>
\(aqwho has destination IP (netip) tell source IP (myip)\(aq.
Defaults to the network.123 on the ARP request captured
(Optional).
-a <source mac>
Source MAC address (Optional)
-c Do not crack the key. Simply capture the packets until control-C
is hit to stop the program! (Optional)
-p <min PRGA>
Determines the minimum number of bytes of PRGA which is gath
ered. Defaults to 128 bytes. (Optional).
-v <victim MAC>
Wireless access point MAC address (Optional).
-t <threshold>
For each number of IVs specified, restart the airecrack-ng PTW
engine (Optional). It will restart PTW every <threshold> IVs.
-f <channel>
Allows the highest channel for scanning to be defined. Defaults
to channel 11 (Optional).
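Review bot: the -m entry still contains raw groff escapes ("\(aqwho has destination IP (netip) tell source IP (myip)\(aq"); render them as plain apostrophes so it matches the -n entry directly above. Also "airecrack-ng PTW engine" in the -t entry should be "aircrack-ng PTW engine", and "rein ject" in the DESCRIPTION is hyphenation residue.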