diff --git a/tools/aircrack-ng_suite.md b/tools/aircrack-ng_suite.md index 35f4fb0..0acc57b 100644 --- a/tools/aircrack-ng_suite.md +++ b/tools/aircrack-ng_suite.md @@ -4,7 +4,7 @@ Notes ------- * Version: 1.2-beta2 release - * Kali Linux Verison: 1.0.5 + * Kali Linux Verison: 1.0.6 * Developers: Thomas d'Otreppe @@ -33,5 +33,5 @@ Notes # Links -Resource Page: http://www.aircrack-ng.org/resources.html -Tutorial Page: http://www.aircrack-ng.org/doku.php?id=tutorial +Resource Page: http://www.aircrack-ng.org/resources.html +Tutorial Page: http://www.aircrack-ng.org/doku.php?id=tutorial diff --git a/tools/aircrack-ng_suite/airbase-ng.md b/tools/aircrack-ng_suite/airbase-ng.md index f298364..3100313 100644 --- a/tools/aircrack-ng_suite/airbase-ng.md +++ b/tools/aircrack-ng_suite/airbase-ng.md @@ -3,8 +3,12 @@ Notes ----- + * Version: 1.2-beta2 release + * Kali Linux Verison: 1.0.6 + * Developers: Thomas d'Otreppe + **Purpose**: airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge. Here are some of the feature highlights: - - Implements the Caffe Latte WEP client attack +``` - Implements the Caffe Latte WEP client attack - Implements the Hirte WEP client attack - Ability to cause the WPA/WPA2 handshake to be captured - Ability to act as an ad-hoc Access Point 
@@ -18,15 +22,13 @@ The main idea is of the implementation is that it should encourage clients A tap interface (atX) is created when airbase-ng is run. This can be used to receive decrypted packets or to send encrypted packets. As real clients will most probably send probe requests for common figured networks, these frames are important for binding a client to our softAP. In this case, the AP will respond to any probe request with a proper probe response, which tells the client to authenticate to the airbase-ng BSSID. That being said, this mode could possibly disrupt the correct functionality of many APs on the same channel. - +``` Usage: airbase-ng [options] DESCRIPTION ``` - airbase-ng is multi-purpose tool aimed at attacking clients as opposed - to the Access Point (AP) itself. Since it is so versatile and flexible, - summarizing it is a challenge. Here are some of the feature highlights: + airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge. Here are some of the feature highlights: - Implements the Caffe Latte WEP client attack - Implements the Hirte WEP client attack - Ability to cause the WPA/WPA2 handshake to be captured @@ -43,7 +45,7 @@ DESCRIPTION A tap interface (atX) is created when airbase-ng is run. This can be used to receive decrypted packets or to send encrypted packets. - As real clients will most probably send probe requests for common/con‐ + As real clients will most probably send probe requests for common figured networks, these frames are important for binding a client to our softAP. In this case, the AP will respond to any probe request with a proper probe response, which tells the client to authenticate to the 
@@ -66,7 +68,7 @@ OPTIONS -w If WEP should be used as encryption, then the parameter "-w " sets the en-/decryption key. This is sufficient to let - airbase-ng set all the appropriate flags by itself. If the sof‐ + airbase-ng set all the appropriate flags by itself. If the sof- tAP operates with WEP encryption, the client can choose to use open system authentication or shared key authentication. Both authentication methods are supported by airbase-ng. But to get a @@ -87,7 +89,7 @@ OPTIONS causes airbase to ignore the clients specified by the filters. -W <0|1> - This sets the beacon WEP flag. Remember that clients will nor‐ + This sets the beacon WEP flag. Remember that clients will nor- mally only connect to APs which are the same as themselves. Meaning WEP to WEP, open to open. @@ -96,7 +98,7 @@ OPTIONS example, if you set a WEP key with -w, then the beacon flag would be set to WEP. - One other use of "auto" is to deal with clients which can auto‐ + One other use of "auto" is to deal with clients which can auto- matically adjust their connection type. However, these are few and far between. @@ -105,7 +107,7 @@ OPTIONS -q This suppresses printing any statistics or status information. - -v This prints additional messages and details to assist in debug‐ + -v This prints additional messages and details to assist in debug- ging. -M This option is not implemented yet. It is a man-in-the-middle @@ -126,9 +128,9 @@ OPTIONS -Y The parameter "-Y" enables the "external processing" Mode. This - creates a second interface "atX", which is used to replay/mod‐ + creates a second interface "atX", which is used to replay/mod- ify/drop or inject packets at will. This interface must also be - brought up with ifconfig and an external tool is needed to cre‐ + brought up with ifconfig and an external tool is needed to cre- ate a loop on that interface. The packet structure is rather simple: the ethernet header (14 
@@ -146,12 +148,12 @@ OPTIONS application. Obviously "in" redirects only incoming (through the wireless NIC) frames, while outgoing frames aren't touched. "out" does the opposite, it only loops outgoing packets and - "both" sends all both directions through the second tap inter‐ + "both" sends all both directions through the second tap inter- face. There is a small and simple example application to replay all frames on the second interface. The tool is called "replay.py" - and is located in "./test". It's written in python, but the lan‐ + and is located in "./test". It's written in python, but the lan- guage doesn't matter. It uses pcapy to read the frames and scapy to possibly alter/show and reinject the frames. The tool as it is, simply replays all frames and prints a short summary of the @@ -163,7 +165,7 @@ OPTIONS as a real programming language can be used to build complex logic for filtering and packet customization. The downside on using python is, that it adds a delay of around 100ms and the - cpu utilizations is rather large on a high speed network, but + CPU utilizations is rather large on a high speed network, but its perfect for a demonstration with only a few lines of code. -c @@ -171,7 +173,7 @@ OPTIONS Point. -X, --hidden - This causes the Access Point to hide the SSID and to not broad‐ + This causes the Access Point to hide the SSID and to not broad- cast the value. -s When specfiied, this forces shared key authentication for all 
@@ -212,8 +214,8 @@ OPTIONS This attack listens for an ARP request or IP packet from the client. Once one is received, a small amount of PRGA is extracted and then used to create an ARP request packet targeted - to the client. This ARP request is actually made of up of multi‐ - ple packet fragments such that when received, the client will + to the client. This ARP request is actually made of up of multiple + packet fragments such that when received, the client will respond. This attack works especially well against ad-hoc networks. As @@ -224,7 +226,7 @@ OPTIONS This sets the number of packets per second that packets will be sent (default: 100). - -y When using this option, the fake AP will not respond to broad‐ + -y When using this option, the fake AP will not respond to broad- cast probes. A broadcast probe is where the the specific AP is not identified uniquely. Typically, most APs will respond with probe responses to a broadcast probe. This flag will prevent @@ -257,8 +259,7 @@ OPTIONS This sets the time in milliseconds between each beacon. -C - The wildcard ESSIDs will also be beaconed this number of sec‐ - onds. A good typical value to use is "-C 60" (require -P). + The wildcard ESSIDs will also be beaconed this number of seconds. A good typical value to use is "-C 60" (require -P). Filter options: @@ -276,9 +277,13 @@ OPTIONS --essid , -e Specify a single ESSID. For SSID containing special characters, - see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐ + see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_space ces_double_quote_and_single_quote_etc._in_ap_names --essids , -E read a list of ESSIDs out of that file. -``` \ No newline at end of file +``` + +Example Usage +--------------- + diff --git a/tools/aircrack-ng_suite/aircrack-ng.md b/tools/aircrack-ng_suite/aircrack-ng.md new file mode 100644 index 0000000..a4b41b8 --- /dev/null +++ b/tools/aircrack-ng_suite/aircrack-ng.md 
@@ -0,0 +1,147 @@ +AIRCRACK-NG + +NAME + aircrack-ng - a 802.11 WEP / WPA-PSK key cracker + +SYNOPSIS + aircrack-ng [options] <.cap / .ivs file(s)> + +DESCRIPTION + aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. + It can recover the WEP key once enough encrypted packets have been cap‐ + tured with airodump-ng. This part of the aircrack-ng suite determines + the WEP key using two fundamental methods. The first method is via the + PTW approach (Pyshkin, Tews, Weinmann). The main advantage of the PTW + approach is that very few data packets are required to crack the WEP + key. The second method is the FMS/KoreK method. The FMS/KoreK method + incorporates various statistical attacks to discover the WEP key and + uses these in combination with brute forcing. + Additionally, the program offers a dictionary method for determining + the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or + stdin) or an airolib-ng has to be used. + +OPTIONS + Common options: + + -a + Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA- + PSK. + + -e + Select the target network based on the ESSID. This option is + also required for WPA cracking if the SSID is cloacked. For SSID + containing special characters, see http://www.aircrack- + ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_sin‐ + gle_quote_etc._in_ap_names + + -b or --bssid + Select the target network based on the access point MAC address. + + -p + Set this option to the number of CPUs to use (only available on + SMP systems). By default, it uses all available CPUs + + -q If set, no status information is displayed. + + -C or --combine + Merges all those APs MAC (separated by a comma) into a virtual + one. + + -l + Write the key into a file. + + -E + Create Elcomsoft Wireless Security Auditor (EWSA) Project file + v3.02. + + Static WEP cracking options: + + -c Search alpha-numeric characters only. + + -t Search binary coded decimal characters only. 
+ + -h Search the numeric key for Fritz!BOX + + -d or --debug + Specify mask of the key. For example: A1:XX:CF + + -m + Only keep the IVs coming from packets that match this MAC + address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and + every IVs, regardless of the network (this disables ESSID and + BSSID filtering). + + -n + Specify the length of the key: 64 for 40-bit WEP, 128 for + 104-bit WEP, etc., until 512 bits of length. The default value + is 128. + + -i + Only keep the IVs that have this key index (1 to 4). The default + behaviour is to ignore the key index in the packet, and use the + IV regardless. + + -f + By default, this parameter is set to 2. Use a higher value to + increase the bruteforce level: cracking will take more time, but + with a higher likelihood of success. + + -k + There are 17 KoreK attacks. Sometimes one attack creates a huge + false positive that prevents the key from being found, even with + lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack + selectively. + + -x or -x0 + Disable last keybytes bruteforce (not advised). + + -x1 Enable last keybyte bruteforcing (default) + + -x2 Enable last two keybytes bruteforcing. + + -X Disable bruteforce multithreading (SMP only). + + -s Shows ASCII version of the key at the right of the screen. + + -y This is an experimental single brute-force attack which should + only be used when the standard attack mode fails with more than + one million IVs. + + -z Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann) + attack (default attack). + + -P or --ptw-debug + PTW debug: 1 Disable klein, 2 PTW. + + -K Use KoreK attacks instead of PTW. + + -D or --wep-decloak + WEP decloak mode. + + -1 or --oneshot + Run only 1 try to crack key with PTW. + + -M + Specify maximum number of IVs to use. + + WEP and WPA-PSK cracking options + + -w + Path to a dictionary file for wpa cracking. Specify "-" to use + stdin. 
Here is a list of wordlists: http://www.aircrack- + ng.org/doku.php?id=faq#where_can_i_find_good_wordlists + + WPA-PSK cracking options: + + -S WPA cracking speed test. + + -r + Path to the airolib-ng database. Cannot be used with '-w'. + + Other options: + + -H or --help + Show help screen + + -u or --cpu-detect + Provide information on the number of CPUs and MMX/SSE support \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airdecap-ng.md b/tools/aircrack-ng_suite/airdecap-ng.md new file mode 100644 index 0000000..4d87e29 --- /dev/null +++ b/tools/aircrack-ng_suite/airdecap-ng.md @@ -0,0 +1,39 @@ +AIRDECAP-NG + +NAME + airdecap-ng - decrypt a WEP/WPA crypted pcap file + +SYNOPSIS + airdecap-ng [options] + +DESCRIPTION + airdecap-ng decrypts a WEP/WPA crypted pcap file to a uncrypted one by + using the right WEP/WPA keys. + +OPTIONS + -H, --help + Shows the help screen. + + -l Do not remove the 802.11 header. + + -b + Access point MAC address filter. + + -k + WPA Pairwise Master Key in hex. + + -e + Target network SSID. For SSID containing special characters, see + http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐ + ces_double_quote_and_single_quote_etc._in_ap_names + + -p + Target network WPA passphrase. + + -w + Target network WEP key in hex. + +EXAMPLES + airdecap-ng -b 00:09:5B:10:BC:5A open-network.cap + airdecap-ng -w 11A3E229084349BC25D97E2939 wep.cap + airdecap-ng -e my_essid -p my_passphrase tkip.cap diff --git a/tools/aircrack-ng_suite/airdecloak-ng.md b/tools/aircrack-ng_suite/airdecloak-ng.md new file mode 100644 index 0000000..516a1cc --- /dev/null +++ b/tools/aircrack-ng_suite/airdecloak-ng.md 
@@ -0,0 +1,81 @@ +AIRDECLOAK-NG + +NAME + airuncloak-ng - Removes wep cloaked framed from a pcap file. + +SYNOPSIS + airuncloak-ng + +DESCRIPTION + airuncloak-ng is a tool that removes wep cloaking from a pcap file. + Some WIPS (actually one) can actively "prevent" cracking a WEP key by + inserting chaff (fake wep frames) in the air to fool aircrack-ng. In + some rare cases, cloaking fails and the key can be recovered without + removing this chaff. In the cases where the key cannot be recovered, + use this tool to filter out chaff. + + The program works by reading the input file and selecting packets from + a specific network. Each selected packet is put into a list and clas‐ + sified (default status is "unknown"). Filters are then applied (in the + order specified by the user) on this list. They will change the status + of the packets (unknown, uncloaked, potentially cloaked or cloaked). + The order of the filters is really important since each filter will + base its analysis amongst other things on the status of the packets and + different orders will give different results. + + Important requirement: The pcap file needs to have all packets (includ‐ + ing beacons and all other "useless" packets) for the analysis (and if + possible, prism/radiotap headers). + +OPTIONS + -h, --help + Shows the help screen. + + -i + Path to the capture file. + + --ssid + Essid of the network (not yet implemented) to filter. + + --bssid + BSSID of the network to filter. + + --null-packets + Assume that null packets can be cloaked. + + --disable-base-filter + Do not apply base filter. + + --drop-frag + Drop fragmented packets. + + --filters + Apply different filters (separated by a comma). See below. + +FILTERS + signal Try to filter based on signal (prism or radiotap headers in the + pcap file). + + duplicate_sn + Remove all duplicate sequence numbers for both the AP and the + client (that are close to each other). 
+ + duplicate_sn_ap + Remove duplicate sequence number for the AP only (that are close + to each other). + + duplicate_sn_client + Remove duplicate sequence number for the client only (that are + close to each other). + + consecutive_sn + Filter based on the fact that IV should be consecutive (only for + AP). + + duplicate_iv + Filter out all duplicate IV. + + signal_dup_consec_sn + Use signal (if available), duplicate and consecutive sequence + number (filtering is much more precise than using all these fil‐ + ters one by one). \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airdriver-ng.md b/tools/aircrack-ng_suite/airdriver-ng.md new file mode 100644 index 0000000..a296aba --- /dev/null +++ b/tools/aircrack-ng_suite/airdriver-ng.md @@ -0,0 +1,52 @@ +AIRDRIVER-NG + +NAME + airdriver-ng - automatically install/uninstall and patch drivers and + 802.11 stacks + +SYNOPSIS + airdriver-ng [drivernumber] + +DESCRIPTION + airdriver-ng is a script that provides status information about the + wireless drivers on your system plus the ability to load and unload the + drivers. Additionally, airdriver-ng allows you to install and uninstall + drivers complete with the patches required for monitor and injection + modes. Plus a number of other functions. + +COMMAND + supported + Lists all supported drivers + + kernel Lists all in-kernel drivers + + installed + Lists all installed drivers + + loaded Lists all loaded drivers + + load + Loads a driver + + unload + Unloads a driver + + reload + Reloads a driver + + install + Installs a driver + + remove + Removes a driver + + remove_stack + Removes a stack + + install_stack + Installs a stack + + details + Prints driver details + + detect Detects wireless cards \ No newline at end of file diff --git a/tools/aircrack-ng_suite/aireplay-ng.md b/tools/aircrack-ng_suite/aireplay-ng.md new file mode 100644 index 0000000..213376e --- /dev/null +++ b/tools/aircrack-ng_suite/aireplay-ng.md 
@@ -0,0 +1,264 @@ +AIREPLAY-NG + +NAME + aireplay-ng - inject packets into a wireless network to generate traf‐ + fic + +SYNOPSIS + aireplay-ng [options] + +DESCRIPTION + aireplay-ng is used to inject/replay frames. The primary function is + to generate traffic for the later use in aircrack-ng for cracking the + WEP and WPA-PSK keys. There are different attacks which can cause deau‐ + thentications for the purpose of capturing WPA handshake data, fake + authentications, Interactive packet replay, hand-crafted ARP request + injection and ARP-request reinjection. With the packetforge-ng tool + it's possible to create arbitrary frames. + + aireplay-ng supports single-NIC injection/monitor. + This feature needs driver patching. + +OPTIONS + -H, --help + Shows the help screen. + + Filter options: + + -b + MAC address of access point. + + -d + MAC address of destination. + + -s + MAC address of source. + + -m + Minimum packet length. + + -n + Maximum packet length. + + -u + Frame control, type field. + + -v + Frame control, subtype field. + + -t + Frame control, "To" DS bit (0 or 1). + + -f + Frame control, "From" DS bit (0 or 1). + + -w + Frame control, WEP bit (0 or 1). + + -D Disable AP Detection. + + Replay options: + + -x + Number of packets per second. + + -p + Set frame control word (hex). + + -a + Set Access Point MAC address. + + -c + Set destination MAC address. + + -h + Set source MAC address. + + -g + Change ring buffer size (default: 8 packets). The minimum is 1. + + -F Choose first matching packet. + + -e + Fake Authentication attack: Set target SSID (see below). For + SSID containing special characters, see http://www.aircrack- + ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_sin‐ + gle_quote_etc._in_ap_names + + -o + Fake Authentication attack: Set the number of packets for every + authentication and association attempt (Default: 1). 
0 means + auto + + -q + Fake Authentication attack: Set the time between keep-alive + packets in fake authentication mode. + + -Q Fake Authentication attack: Sends reassociation requests instead + of performing a complete authentication and association after + each delay period. + + -y + Fake Authentication attack: Specifies the keystream file for + fake shared key authentication. + + -T n Fake Authentication attack: Exit if fake authentication fails + 'n' time(s). + + -j ARP Replay attack : inject FromDS pakets (see below). + + -k + Fragmentation attack: Set destination IP in fragments. + + -l + Fragmentation attack: Set source IP in fragments. + + -B Test option: bitrate test. + + Source options: + + -i + Capture packets from this interface. + + -r + Extract packets from this pcap file. + + Miscellaneous options: + + -R disable /dev/rtc usage. + + --ignore-negative-one if the interface's channel can't be determined + ignore the mismatch, needed for unpatched cfg80211 + + Attack modes: + + -0 , --deauth= + This attack sends deauthentication packets to one or more + clients which are currently associated with a particular access + point. Deauthenticating clients can be done for a number of rea‐ + sons: Recovering a hidden ESSID. This is an ESSID which is not + being broadcast. Another term for this is "cloaked" or Capturing + WPA/WPA2 handshakes by forcing clients to reauthenticate or Gen‐ + erate ARP requests (Windows clients sometimes flush their ARP + cache when disconnected). Of course, this attack is totally + useless if there are no associated wireless client or on fake + authentications. + + -1 , --fakeauth= + The fake authentication attack allows you to perform the two + types of WEP authentication (Open System and Shared Key) plus + associate with the access point (AP). This is useful is only + useful when you need an associated MAC address in various aire‐ + play-ng attacks and there is currently no associated client. 
It + should be noted that the fake authentication attack does NOT + generate any ARP packets. Fake authentication cannot be used to + authenticate/associate with WPA/WPA2 Access Points. + + -2, --interactive + This attack allows you to choose a specific packet for replaying + (injecting). The attack can obtain packets to replay from two + sources. The first being a live flow of packets from your wire‐ + less card. The second being from a pcap file. Reading from a + file is an often overlooked feature of aireplay-ng. This allows + you read packets from other capture sessions or quite often, + various attacks generate pcap files for easy reuse. A common use + of reading a file containing a packet your created with packet‐ + forge-ng. + + -3, --arpreplay + The classic ARP request replay attack is the most effective way + to generate new initialization vectors (IVs), and works very + reliably. The program listens for an ARP packet then retransmits + it back to the access point. This, in turn, causes the access + point to repeat the ARP packet with a new IV. The program + retransmits the same ARP packet over and over. However, each ARP + packet repeated by the access point has a new IVs. It is all + these new IVs which allow you to determine the WEP key. + + -4, --chopchop + This attack, when successful, can decrypt a WEP data packet + without knowing the key. It can even work against dynamic WEP. + This attack does not recover the WEP key itself, but merely + reveals the plaintext. However, some access points are not vul‐ + nerable to this attack. Some may seem vulnerable at first but + actually drop data packets shorter that 60 bytes. If the access + point drops packets shorter than 42 bytes, aireplay tries to + guess the rest of the missing data, as far as the headers are + predictable. If an IP packet is captured, it additionally checks + if the checksum of the header is correct after guessing the + missing parts of it. 
This attack requires at least one WEP data + packet. + + -5, --fragment + This attack, when successful, can obtain 1500 bytes of PRGA + (pseudo random generation algorithm). This attack does not + recover the WEP key itself, but merely obtains the PRGA. The + PRGA can then be used to generate packets with packetforge-ng + which are in turn used for various injection attacks. It + requires at least one data packet to be received from the access + point in order to initiate the attack. + + -6, --caffe-latte + In general, for an attack to work, the attacker has to be in the + range of an AP and a connected client (fake or real). Caffe + Latte attacks allows one to gather enough packets to crack a WEP + key without the need of an AP, it just need a client to be in + range. + + -7, --cfrag + This attack turns IP or ARP packets from a client into ARP + request against the client. This attack works especially well + against ad-hoc networks. As well it can be used against softAP + clients and normal AP clients. + + -8, --migmode + This attack works against Cisco Aironet access points configured + in WPA Migration Mode, which enables both WPA and WEP clients to + associate to an access point using the same Service Set Identi‐ + fier (SSID). The program listens for a WEP-encapsulated broad‐ + cast ARP packet, bitflips it to make it into an ARP coming from + the attacker's MAC address and retransmits it to the access + point. This, in turn, causes the access point to repeat the ARP + packet with a new IV and also to forward the ARP reply to the + attacker with a new IV. The program retransmits the same ARP + packet over and over. However, each ARP packet repeated by the + access point has a new IV as does the ARP reply forwarded to the + attacker by the access point. It is all these new IVs which + allow you to determine the WEP key. + + -9, --test + Tests injection and quality. 
+ +FRAGMENTATION VERSUS CHOPCHOP + Fragmentation: + + + Pros + - Can obtain the full packet length of 1500 bytes XOR. This + means you can subsequently pretty well create any size of + packet. + - May work where chopchop does not + - Is extremely fast. It yields the XOR stream extremely quickly + when successful. + + + Cons + - Setup to execute the attack is more subject to the device + drivers. For example, Atheros does not generate the correct + packets unless the wireless card is set to the mac address you + are spoofing. + - You need to be physically closer to the access point since if + any packets are lost then the attack fails. + + Chopchop + + + Pro + - May work where frag does not work. + + + Cons + - Cannot be used against every access point. + - The maximum XOR bits is limited to the length of the packet + you chopchop against. + - Much slower then the fragmentation attack. \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airmon-ng.md b/tools/aircrack-ng_suite/airmon-ng.md new file mode 100644 index 0000000..c9a490f --- /dev/null +++ b/tools/aircrack-ng_suite/airmon-ng.md 
@@ -0,0 +1,55 @@ +AIRMON-NG + +Notes +------- + + * Version: 1.2-beta2 release + * Kali Linux Verison: 1.0.6 + * Developers: Thomas d'Otreppe + +***Purpose*** - bash script designed to turn wireless cards into monitor + mode. + +**SYNOPSIS** +``` + airmon-ng [channel] airmon-ng [kill] +``` +**DESCRIPTION** +``` airmon-ng is script can be used to enable monitor mode on wireless + interfaces. It may also be used to go back from monitor mode to managed + mode. Entering the airmon-ng command without parameters will show the + interfaces status. It can list/kill programs that can interfere with + the wireless card and set the right sources in /etc/kismet/kismet.conf + too. +``` +**OPTIONAL PARAMETERS** +``` start [channel] + Enable monitor mode on an interface (and specify a channel). + Note: Madwifi-ng is a special case, 'start' has to be used on + wifi interfaces and 'stop' on ath interfaces. stop + Disable monitor mode and go back to managed mode (except for + madwifi-ng where it kills the ath VAP). + + check [kill] + List all possible programs that could interfere with the wire + less card. If 'kill' is specified, it will try to kill all of + them. +``` + +Example Usage +--------------- + +Display all process that will interfere with wireless card + * `airmon-ng check` + +Kill any process that will interfere with wireless card + * `airmon-ng check kill` + +Start monitor mode + * `airmon-ng start wlan0` + +Start monitor mode on a specific channel + * `airmon-ng start wlan0 11` + +Stop monitor mode + * `airmon-ng stop mon0` \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airodump-ng-oui-update.md b/tools/aircrack-ng_suite/airodump-ng-oui-update.md new file mode 100644 index 0000000..99dc25e --- /dev/null +++ b/tools/aircrack-ng_suite/airodump-ng-oui-update.md 
@@ -0,0 +1,12 @@ +AIRODUMP-NG-OUI-UPDATE + +NAME + airodump-ng-oui-updater - IEEE oui list updater for airodump-ng + + +SYNOPSIS + airodump-ng-oui-updater + + +DESCRIPTION + airodump-ng-oui-updater downloads and parses IEEE OUI list. \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airodump-ng.md b/tools/aircrack-ng_suite/airodump-ng.md new file mode 100644 index 0000000..2cf3d6a --- /dev/null +++ b/tools/aircrack-ng_suite/airodump-ng.md 
@@ -0,0 +1,273 @@ +AIRODUMP-NG + +NAME + airodump-ng - a wireless packet capture tool for aircrack-ng + +SYNOPSIS + airodump-ng [options] + +DESCRIPTION + airodump-ng is used for packet capturing of raw 802.11 frames for the + intent of using them with aircrack-ng. If you have a GPS receiver con‐ + nected to the computer, airodump-ng is capable of logging the coordi‐ + nates of the found access points. Additionally, airodump-ng writes out + a text file containing the details of all access points and clients + seen. + +OPTIONS + -H, --help + Shows the help screen. + + -i, --ivs + It only saves IVs (only useful for cracking). If this option is + specified, you have to give a dump prefix (--write option) + + -g, --gpsd + Indicate that airodump-ng should try to use GPSd to get coordi‐ + nates. + + -w , --write + Is the dump file prefix to use. If this option is not given, it + will only show data on the screen. Beside this file a CSV file + with the same filename as the capture will be created. + + -e, --beacons + It will record all beacons into the cap file. By default it only + records one beacon for each network. + + -u , --update + Delay seconds delay between display updates (default: 1 + second). Useful for slow CPU. + + --showack + Prints ACK/CTS/RTS statistics. Helps in debugging and general + injection optimization. It is indication if you inject, inject + too fast, reach the AP, the frames are valid encrypted frames. + Allows one to detect "hidden" stations, which are too far away + to capture high bitrate frames, as ACK frames are sent at 1Mbps. + + -h Hides known stations for --showack. + + --berlin + Time before removing the AP/client from the screen when no more + packets are received (Default: 120 seconds). See airodump-ng + source for the history behind this option ;). + + -c [,[,...]], --channel [,[,...]] + Indicate the channel(s) to listen to. By default airodump-ng hop + on all 2.4GHz channels. 
+ + -b , --band + Indicate the band on which airodump-ng should hop. It can be a + combination of 'a', 'b' and 'g' letters ('b' and 'g' uses 2.4GHz + and 'a' uses 5GHz). Incompatible with --channel option. + + -s , --cswitch + Defines the way airodump-ng sets the channels when using more + than one card. Valid values: 0 (FIFO, default value), 1 (Round + Robin) or 2 (Hop on last). + + -r + Reads packet from a file. + + -x + Active Scanning Simulation (send probe requests and parse the + probe responses). + + -M, --manufacturer + Display a manufacturer column with the information obtained from + the IEEE OUI list. See airodump-ng-oui-update(8) + + -U, --uptime + Display APs uptime obtained from its beacon timestamp. + + --output-format + Define the formats to use (separated by a comma). Possible val‐ + ues are: pcap, ivs, csv, gps, kismet, netxml. The default values + are: pcap, csv, kismet, kismet-newcore. 'pcap' is for recording + a capture in pcap format, 'ivs' is for ivs format (it is a + shortcut for --ivs). 'csv' will create an airodump-ng CSV file, + 'kismet' will create a kismet csv file and 'kismet-newcore' will + create the kismet netxml file. 'gps' is a shortcut for --gps. + Theses values can be combined with the exception of ivs and + pcap. + + --ignore-negative-one + Removes the message that says 'fixed channel : -1'. + + Filter options: + + -t , --encrypt + It will only show networks matching the given encryption. May be + specified more than once: '-t OPN -t WPA2' + + -d , --bssid + It will only show networks, matching the given bssid. + + -m , --netmask + It will only show networks, matching the given bssid ^ netmask + combination. Need --bssid (or -d) to be specified. + + -a It will only show associated clients. + +INTERACTION + airodump-ng can receive and interpret key strokes while running. 
The + following list describes the currently assigned keys and supposed + actions: + + a Select active areas by cycling through these display options: + AP+STA; AP+STA+ACK; AP only; STA only + + d Reset sorting to defaults (Power) + + i Invert sorting algorithm + + m Mark the selected AP or cycle through different colors if the + selected AP is already marked + + r (De-)Activate realtime sorting - applies sorting algorithm + everytime the display will be redrawn + + s Change column to sort by, which currently includes: First seen; + BSSID; PWR level; Beacons; Data packets; Packet rate; Channel; + Max. data rate; Encryption; Strongest Ciphersuite; Strongest + Authentication; ESSID + + SPACE Pause display redrawing/ Resume redrawing + + TAB Enable/Disable scrolling through AP list + + UP Select the AP prior to the currently marked AP in the displayed + list if available + + DOWN Select the AP after the currently marked AP if available + + If an AP is selected or marked, all the connected stations will also be + selected or marked with the same color as the corresponding Access + Point. + +EXAMPLES + airodump-ng --band bg ath0 + + Here is an example screenshot: + + ----------------------------------------------------------------------- + CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ BAT: 2 hours 10 mins ][ + WPA handshake: 00:14:6C:7E:40:80 + + BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER + AUTH ESSID + + 00:09:5B:1C:AA:1D 11 16 10 0 0 11 54. 
OPN + + 00:14:6C:7A:41:81 34 100 57 14 1 9 11 WEP WEP + bigbear + 00:14:6C:7E:40:80 32 100 752 73 2 9 54 WPA TKIP + PSK teddy + + BSSID STATION PWR Rate Lost Frames + Probes + + 00:14:6C:7A:41:81 00:0F:B5:32:31:31 51 11-11 2 14 big‐ + bear + (not associated) 00:14:A4:3F:8D:13 19 11-11 0 4 mossy + 00:14:6C:7A:41:81 00:0C:41:52:D1:D1 -1 11-2 0 5 big‐ + bear + 00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 36-24 0 99 teddy + ----------------------------------------------------------------------- + + BSSID MAC address of the access point. In the Client section, a BSSID + of "(not associated)" means that the client is not associated + with any AP. In this unassociated state, it is searching for an + AP to connect with. + + PWR Signal level reported by the card. Its signification depends on + the driver, but as the signal gets higher you get closer to the + AP or the station. If the BSSID PWR is -1, then the driver + doesn't support signal level reporting. If the PWR is -1 for a + limited number of stations then this is for a packet which came + from the AP to the client but the client transmissions are out + of range for your card. Meaning you are hearing only 1/2 of the + communication. If all clients have PWR as -1 then the driver + doesn't support signal level reporting. + + RXQ Only shown when on a fixed channel. Receive Quality as measured + by the percentage of packets (management and data frames) suc‐ + cessfully received over the last 10 seconds. It's measured over + all management and data frames. That's the clue, this allows you + to read more things out of this value. Lets say you got 100 per‐ + cent RXQ and all 10 (or whatever the rate) beacons per second + coming in. Now all of a sudden the RXQ drops below 90, but you + still capture all sent beacons. Thus you know that the AP is + sending frames to a client but you can't hear the client nor the + AP sending to the client (need to get closer). 
Another thing + would be, that you got a 11MB card to monitor and capture frames + (say a prism2.5) and you have a very good position to the AP. + The AP is set to 54MBit and then again the RXQ drops, so you + know that there is at least one 54MBit client connected to the + AP. + + Beacons + Number of beacons sent by the AP. Each access point sends about + ten beacons per second at the lowest rate (1M), so they can usu‐ + ally be picked up from very far. + + #Data Number of captured data packets (if WEP, unique IV count), + including data broadcast packets. + + #/s Number of data packets per second measure over the last 10 sec‐ + onds. + + CH Channel number (taken from beacon packets). Note: sometimes + packets from other channels are captured even if airodump-ng is + not hopping, because of radio interference. + + MB Maximum speed supported by the AP. If MB = 11, it's 802.11b, if + MB = 22 it's 802.11b+ and higher rates are 802.11g. The dot + (after 54 above) indicates short preamble is supported. 'e' + indicates that the network has QoS (802.11e) enabled. + + ENC Encryption algorithm in use. OPN = no encryption,"WEP?" = WEP or + higher (not enough data to choose between WEP and WPA/WPA2), WEP + (without the question mark) indicates static or dynamic WEP, and + WPA or WPA2 if TKIP or CCMP or MGT is present. + + CIPHER The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or + WEP104. Not mandatory, but TKIP is typically used with WPA and + CCMP is typically used with WPA2. WEP40 is displayed when the + key index is greater then 0. The standard states that the index + can be 0-3 for 40bit and should be 0 for 104 bit. + + AUTH The authentication protocol used. One of MGT (WPA/WPA2 using a + separate authentication server), SKA (shared key for WEP), PSK + (pre-shared key for WPA/WPA2), or OPN (open for WEP). + + ESSID The so-called "SSID", which can be empty if SSID hiding is acti‐ + vated. 
In this case, airodump-ng will try to recover the SSID + from probe responses and association requests. + + STATION + MAC address of each associated station or stations searching for + an AP to connect with. Clients not currently associated with an + AP have a BSSID of "(not associated)". + + Rate This is only displayed when using a single channel. The first + number is the last data rate from the AP (BSSID) to the Client + (STATION). The second number is the last data rate from Client + (STATION) to the AP (BSSID). + + Lost It means lost packets coming from the client. To determine the + number of packets lost, there is a sequence field on every non- + control frame, so you can subtract the second last sequence num‐ + ber from the last sequence number and you know how many packets + you have lost. + + Packets + The number of data packets sent by the client. + + Probes The ESSIDs probed by the client. These are the networks the + client is trying to connect to if it is not currently connected. + + The first part is the detected access points. The second part is a list + of detected wireless clients, stations. By relying on the signal power, + one can even physically pinpoint the location of a given station. \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airolib-ng.md b/tools/aircrack-ng_suite/airolib-ng.md new file mode 100644 index 0000000..c68af24 --- /dev/null +++ b/tools/aircrack-ng_suite/airolib-ng.md 
@@ -0,0 +1,47 @@ +AIROLIB-NG + +NAME + airolib-ng - manage and create a WPA/WPA2 pre-computed hashes tables + +SYNOPSIS + airolib-ng [options] + +DESCRIPTION + airolib-ng is a tool for the aircrack-ng suite to store and manage + essid and password lists, compute their Pairwise Master Keys (PMKs) and + use them in WPA/WPA2 cracking. The program uses the lightweight SQLite3 + database as the storage mechanism which is available on most platforms. + The SQLite3 database was selected taking in consideration platform + availability plus management, memory and disk overhead. + +DATABASE + database + It is name of the database file. Optionally specify the full + path. + +OPERATION + --stats + Output information about the database. + + --sql + Execute specified SQL statement. + + --clean [all] + Clean the database from old junk. When specifying 'all', it will + also reduce filesize if possible and run an integrity check. + + --batch + Start batch-processing all combinations of ESSIDs and passwords. + + --verify [all] + Verify a set of randomly chosen PMKs. If 'all' is given, all + invalid PMK in the database will be deleted. + + --import [essid|passwd] + Import a flat file as a list of ESSIDs or passwords. + + import cowpatty + Import a coWPAtty file. + + --export cowpatty + Export to a cowpatty file. \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airserv-ng.md b/tools/aircrack-ng_suite/airserv-ng.md new file mode 100644 index 0000000..777f93f --- /dev/null +++ b/tools/aircrack-ng_suite/airserv-ng.md 
@@ -0,0 +1,36 @@ +AIRSERV-NG + +NAME + airserv-ng - a wireless card server + +SYNOPSIS + airserv-ng + +DESCRIPTION + airserv-ng is a wireless card server which allows multiple wireless + application programs to independently use a wireless card via a client- + server TCP network connection. All operating system and wireless card + driver specific code is incorporated into the server. This eliminates + the need for each wireless application to contain the complex wireless + card and driver logic. It is also supports multiple operating systems. + +OPTIONS + -h Shows the help screen. + + -p + TCP port to listen on (by default: 666). + + -d + Wifi interface to use. + + -c + Lock interface to this channel. + + -v + Debug level. There are 3 debug levels. Debug level of 1 shows + client connection/disconnection (default). Debug level of 2 + shows channel change requests and invalid client command + requests in addition to the debug level 1 messages. Debug level + of 3 displays a message each time a packet (and its length) is + sent to the client. It also include messages from level 2 (and + 1). \ No newline at end of file diff --git a/tools/aircrack-ng_suite/airtun-ng.md b/tools/aircrack-ng_suite/airtun-ng.md new file mode 100644 index 0000000..ffe4601 --- /dev/null +++ b/tools/aircrack-ng_suite/airtun-ng.md 
@@ -0,0 +1,66 @@ +AIRTUN-NG + +NAME + airtun-ng - a virtual tunnel interface creator for aircrack-ng + +SYNOPSIS + airtun-ng [options] + +DESCRIPTION + airtun-ng creates a virtual tunnel interface (atX) for sending arbi‐ + trary IP packets by using raw ieee802.11 packet injection. + +OPTIONS + -H, --help + Shows the help screen. + + -x + Sets maximum number of packets per second. + + -a + Specifies the BSSID for the iee802.11 header. In WDS Mode this + sets the Receiver. + + -h + Specifies the source MAC for the iee802.11 header. + + -i + Sets the capture interface. + + -r + Specifies a file to read 802.11 frames. + + -y + Is the name of the file, which provides the keystream for WEP + encoding. (No receiving, just transmitting of IP packets.) + + -w + This is the WEP key to en-/decrypt all traffic going through the + tunnel. + + -t + Defines the ToDS and FromDS bit in the ieee802.11 header. For + tods=1, the ToDS bit is set to 1 and FromDS to 0, while tods=0 + sets them the other way around. If set to 2, it will be tunneled + in a WDS/bridge. + + -m , --netmask + Filters networks based on bssid ^ netmask combination. Needs -d, + used in replay mode. + + -d , --bssid + Filters networks based on the . Used in replay mode. + + -f, --repeat + Enables replay mode. All read frames, filtered by bssid and net‐ + mask (if specified), will be replayed. + + -s + Set Transmitter MAC address for WDS Mode. + + -b Bidirectional mode. This enables communication in Transmitter's + AND Receiver's networks. Works only if you can see both sta‐ + tions. + +EXAMPLES + airtun-ng -a 00:14:22:56:F3:4E -t 0 -y keystream.xor wlan0 diff --git a/tools/aircrack-ng_suite/buddy-ng.md b/tools/aircrack-ng_suite/buddy-ng.md new file mode 100644 index 0000000..b0fe129 --- /dev/null +++ b/tools/aircrack-ng_suite/buddy-ng.md 
@@ -0,0 +1,18 @@ +BUDDY-NG + +NAME + buddy-ng - a tool to work with easside-ng + +SYNOPSIS + buddy-ng + +DESCRIPTION + buddy-ng server echoes back the decrypted packets to the system running + easside-ng in order to access the wireless network without knowing the + WEP key. It is done by having the AP itself decrypt the packets. When + ran, it automatically starts and listen to port 6969. + +OPTIONS + -h Shows the help screen. + + -p Don't drop privileges \ No newline at end of file diff --git a/tools/aircrack-ng_suite/easside-ng.md b/tools/aircrack-ng_suite/easside-ng.md new file mode 100644 index 0000000..5656719 --- /dev/null +++ b/tools/aircrack-ng_suite/easside-ng.md @@ -0,0 +1,46 @@ +EASSIDE-NG + +NAME + easside-ng - an auto-magic tool which allows you to communicate via an + WEP-encrypted AP without knowing the key + +SYNOPSIS + easside-ng + +DESCRIPTION + easside-ng is an auto-magic tool which allows you to communicate via an + WEP-encrypted access point (AP) without knowing the WEP key. It first + identifies a network, then proceeds to associate with it, obtain PRGA + (pseudo random generation algorithm) xor data, determine the network IP + scheme and then setup a TAP interface so that you can communicate with + the AP without requiring the WEP key. All this is done without your + intervention. + +OPTIONS + -h Shows the help screen. + + -v + Victim BSSID (Optional). + + -m + Source MAC address to be used (Optional). + + -i + Source IP address to be used on the wireless LAN. Defaults to + the decoded network plus '.123' (Optional). + + -r + IP address of the AP router. This could be the WAN IP of the AP + or an actual router IP depending on the topology. Defaults to + the decoded network plus '.1' (Optional). + + -s + IP address of Buddy-ng server (Mandatory) + + -f + Wireless interface to use (Mandatory) + + -c + Lock interface to this channel (Optional). + + -n Determine Internet IP only. \ No newline at end of file 
diff --git a/tools/aircrack-ng_suite/ivstools.md b/tools/aircrack-ng_suite/ivstools.md new file mode 100644 index 0000000..bdc702b --- /dev/null +++ b/tools/aircrack-ng_suite/ivstools.md @@ -0,0 +1,18 @@ +IVSTOOLS + +NAME + ivstools - extract IVs from a pcap file or merges several .ivs files + into one + +SYNOPSIS + ivstools --convert ivstools --merge .. + +DESCRIPTION + ivstools is a tool designed to extract ivs (initialization vectors) + from a pcap dump to an ivs file and it can also merge several ivs (ini‐ + tialization vectors) files into one.. + +EXAMPLE + ivstools --convert wep_dump.cap out.ivs ivstools --merge myivs1.ivs + myivs2.ivs myivs3.ivs allivs.ivs \ No newline at end of file diff --git a/tools/aircrack-ng_suite/kstats.md b/tools/aircrack-ng_suite/kstats.md new file mode 100644 index 0000000..30c5616 --- /dev/null +++ b/tools/aircrack-ng_suite/kstats.md @@ -0,0 +1,16 @@ +KSTATS + +NAME + kstats - show statistical FMS algorithm votes for an ivs dump and a + specified WEP key + +SYNOPSIS + kstats <104-bit key> + +DESCRIPTION + kstats is a tool designed to show the FMS algorithm votes for an ivs + dump (intialization vectors) with a specified WEP key. The ivs dump can + be get by using the combinaison of both airodump(1) and ivstools(1). + +EXAMPLE + kstats kstats out.ivs 123456789ABCDEF123456789AB \ No newline at end of file diff --git a/tools/aircrack-ng_suite/makeivs-ng.md b/tools/aircrack-ng_suite/makeivs-ng.md new file mode 100644 index 0000000..4efa672 --- /dev/null +++ b/tools/aircrack-ng_suite/makeivs-ng.md @@ -0,0 +1,15 @@ +MAKEIVS-NG + +NAME + makeivs - generate a dummy IVS dump file with a specific WEP key + +SYNOPSIS + makeivs <104-bit key> + +DESCRIPTION + makeivs is a tool designed to generate an IVS dump file with an inputed + WEP key. The aim of is tools is to provide a way to create dumps with + a known encryption key for tests. + +EXAMPLE + makeivs makeivs out.ivs 123456789ABCDEF123456789AB \ No newline at end of file 
diff --git a/tools/aircrack-ng_suite/packetforge-ng.md b/tools/aircrack-ng_suite/packetforge-ng.md new file mode 100644 index 0000000..4e77105 --- /dev/null +++ b/tools/aircrack-ng_suite/packetforge-ng.md @@ -0,0 +1,80 @@ +PACKETFORGE-NG + +NAME + packetforge-ng - forge packets: ARP, UDP, ICMP or custom packets. + +SYNOPSIS + packetforge-ng + +DESCRIPTION + packetforge-ng is a tool to create encrypted packets that can subse‐ + quently be used for injection. You may create various types of packets + such as arp requests, UDP, ICMP and custom packets. The most common use + is to create ARP requests for subsequent injection. + To create an encrypted packet, you must have a PRGA (pseudo random gen‐ + ration algorithm) file. This is used to encrypt the packet you create. + This is typically obtained from aireplay-ng chopchop or fragmentation + attacks. + +OPTIONS + -H, --help + Shows the help screen. + + -p + Set frame control word (hex) + + -a + Set Access Point MAC addres + + -c + Set Destination MAC address + + -h + Set Source MAC address + + -j set FromDS bit + + -o clear ToDS bit + + -e disable WEP encryption + + -k + Set destination IP (and port) + + -l + Set source IP (and port) + + -w + Write packet to this pcap file + + -r + Read packet from this pcap file + + -y + Read PRGA from this file + + -t + Set Time To Live in IP-Header + + -s + Set size of the generated null packet. + + -0, --arp + Forge an ARP packet + + -1, --udp + Forge an UDP packet + + -2, --icmp + Forge an ICMP packet + + -3, --null + Forge a llc null packet + + -9, --custom + Build a custom packet, requires -r to read an unencrypted frame + out of a pcap file. + +EXAMPLE + packetforge-ng -y test.xor -a 00:09:5b:12:40:cc -h 00:10:2a:cb:30:14 -k + 192.168.1.100 -l 192.168.1.1 -w arp-request.cap \ No newline at end of file diff --git a/tools/aircrack-ng_suite/tkiptun-ng.md b/tools/aircrack-ng_suite/tkiptun-ng.md new file mode 100644 index 0000000..0b30e72 --- /dev/null 
+++ b/tools/aircrack-ng_suite/tkiptun-ng.md @@ -0,0 +1,87 @@ +TKIPTUN-NG + +NAME + tkiptun-ng - inject a few frames into a WPA TKIP network with QoS + +SYNOPSIS + tkiptun-ng [options] + +DESCRIPTION + tkiptun-ng is a tool created by Martin Beck aka hirte, a member of air‐ + crack-ng team. This tool is able to inject a few frames into a WPA TKIP + network with QoS. He worked with Erik Tews (who created PTW attack) for + a conference in PacSec 2008: "Gone in 900 Seconds, Some Crypto Issues + with WPA". + +OPERATION + -H, --help + Shows the help screen. + + Filter options: + + -d + MAC address of destination. + + -s + MAC address of source. + + -m + Minimum packet length. + + -n + Maximum packet length. + + -t + Frame control, "To" DS bit. + + -f + Frame control, "From" DS bit. + + -D Disable AP Detection. + + Replay options: + + -x + Number of packets per second. + + -p + Set frame control word (hex). + + -a + Set Access Point MAC address. + + -c + Set destination MAC address. + + -h + Set source MAC address. + + -F Choose first matching packet. + + -e + Set target SSID. + + Debug options: + + -K + Keystream for continuation. + + -y + Keystream file for continuation. + + -j Inject FromFS packets. + + -P + Pairwise Master key (PMK) for verification or vulnerability + testing. + + -p + Preshared key (PSK) to calculate PMK with essid. + + Source options: + + -i + Capture packets from this interface. + + -r + Extract packets from this pcap file. \ No newline at end of file diff --git a/tools/aircrack-ng_suite/wesside-ng.md b/tools/aircrack-ng_suite/wesside-ng.md new file mode 100644 index 0000000..dbae883 --- /dev/null +++ b/tools/aircrack-ng_suite/wesside-ng.md 
@@ -0,0 +1,53 @@ +WESSIDE-NG + +NAME + wesside-ng - crack a WEP key of an open network without user interven‐ + tion + +SYNOPSIS + wesside-ng + +DESCRIPTION + wesside-ng is an auto-magic tool which incorporates a number of tech‐ + niques to seamlessly obtain a WEP key in minutes. It first identifies a + network, then proceeds to associate with it, obtain PRGA (pseudo random + generation algorithm) xor data, determine the network IP scheme, rein‐ + ject ARP requests and finally determine the WEP key. All this is done + without your intervention. + +OPTIONS + -h Shows the help screen. + + -i + Wireless interface name. (Mandatory) + + -n + Network IP as in 'who has destination IP (netip) tell source IP + (myip)'. Defaults to the source IP on the ARP request which is + captured and decrypted. (Optional) + + -m + \(aqwho has destination IP (netip) tell source IP (myip)\(aq. + Defaults to the network.123 on the ARP request captured + (Optional). + + -a + Source MAC address (Optional) + + -c Do not crack the key. Simply capture the packets until control-C + is hit to stop the program! (Optional) + + -p + Determines the minimum number of bytes of PRGA which is gath‐ + ered. Defaults to 128 bytes. (Optional). + + -v + Wireless access point MAC address (Optional). + + -t + For each number of IVs specified, restart the airecrack-ng PTW + engine (Optional). It will restart PTW every IVs. + + -f + Allows the highest channel for scanning to be defined. Defaults + to channel 11 (Optional). \ No newline at end of file
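Review bot: in airodump-ng.md the angle-bracket argument placeholders of the man page have been dropped throughout, so `-w , --write`, `-u , --update`, `-b , --band`, `-c [,[,...]], --channel [,[,...]]` and the bare `-r`, `-x`, `-t`, `-d`, `-m` entries now read as if they took no argument, and the SYNOPSIS has lost the interface name (`airodump-ng [options]` although the EXAMPLES line ends in `ath0`). The `<file>`/`<secs>`/`<channel>` tokens were most likely swallowed as HTML when the text was pasted into markdown; put the page in a code fence or escape the brackets so `-w <prefix>` and `-c <channel>[,<channel>[,...]]` survive rendering. The EXAMPLES screenshot needs a fixed-width block for the same reason: the column header is split across two lines (`BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER` then `AUTH ESSID`), the `OPN` cell of the first row is orphaned on its own line and `bigbear` is broken as `big‐bear`, so the columns no longer line up with the per-column explanation that follows. Two smaller inconsistencies worth fixing in the same pass: `--output-format` says `'gps' is a shortcut for --gps` while the option defined above is `-g, --gpsd`, and the client table header says `Frames` while the explanation below calls that column `Packets`.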
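Review bot: in airolib-ng.md the coWPAtty import entry is written `import cowpatty` without the leading `--`, unlike `--import [essid|passwd]` and `--export cowpatty` next to it, so a reader would copy a form the other operations do not use; make it `--import cowpatty`. The operands are missing here as well: `--sql`, `--import` and `--export` show no statement or file argument, and the SYNOPSIS reads `airolib-ng [options]` even though the DATABASE section says the database file is the first operand, so the synopsis should name it.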
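Review bot: in airserv-ng.md every option has lost its operand: `-p`, `-d`, `-c` and `-v` are listed as bare flags while their descriptions talk about a TCP port, an interface, a channel and a debug level. `-d` is the only way to name the card the server exposes, and with the SYNOPSIS reduced to `airserv-ng` nothing on the page shows that `-d <iface>` takes a value; restore the placeholders (or fence the block so the `<...>` tokens are not dropped as HTML). While touching the file, `It is also supports multiple operating systems` should read `It also supports`.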
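Review bot: in airtun-ng.md the `-d , --bssid` description has been truncated to `Filters networks based on the .` because the `<bssid>` token was stripped, and the same stripping leaves `-t` explaining `tods=1` and `tods=0` for an argument that is no longer shown. The operands of `-x`, `-a`, `-h`, `-i`, `-r`, `-y`, `-w`, `-m` and `-s` are gone too, and the SYNOPSIS is `airtun-ng [options]` with no interface even though the EXAMPLES line ends in `wlan0`. Fence the block or escape the angle brackets so the operands render.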
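Review bot: in easside-ng.md the two options marked Mandatory, `-s` (Buddy-ng server IP) and `-f` (wireless interface), are listed as bare flags with no operand, as are `-v`, `-m`, `-i`, `-r` and `-c`, and the SYNOPSIS is just `easside-ng`; a reader cannot tell from this page that `-s` and `-f` take values. Restore the `<ip>`/`<iface>` placeholders, and fix `via an WEP-encrypted` to `via a WEP-encrypted` in NAME and DESCRIPTION.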
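Review bot: in ivstools.md the two synopsis forms and the two examples have been run together onto single lines: `ivstools --convert ivstools --merge ..` and `ivstools --convert wep_dump.cap out.ivs ivstools --merge myivs1.ivs myivs2.ivs myivs3.ivs allivs.ivs` each read as one command. Split them into a `--convert` line and a `--merge` line, and restore the input/output file operands of `--convert` and the file list before `..` for `--merge`, which were dropped with the other angle-bracket tokens. `into one..` in the DESCRIPTION has a doubled full stop.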
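Review bot: in kstats.md the EXAMPLE `kstats kstats out.ivs 123456789ABCDEF123456789AB` repeats the command name; drop one `kstats`. The SYNOPSIS `kstats <104-bit key>` kept the key placeholder but lost the ivs-file operand before it, so it disagrees with the example, which passes `out.ivs` first. `intialization` and `combinaison` are typos, and `can be get` should read `can be obtained`.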
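Review bot: makeivs-ng.md is titled MAKEIVS-NG but NAME, SYNOPSIS and EXAMPLE call the tool `makeivs`; the file name says the binary is makeivs-ng, so use one spelling consistently. The EXAMPLE `makeivs makeivs out.ivs 123456789ABCDEF123456789AB` doubles the command name, and the SYNOPSIS `makeivs <104-bit key>` has lost the ivs-file operand that the example passes first. `inputed` and `The aim of is tools` are typos.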
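Review bot: in packetforge-ng.md the EXAMPLE (`packetforge-ng -y test.xor -a 00:09:5b:12:40:cc -h 00:10:2a:cb:30:14 -k 192.168.1.100 -l 192.168.1.1 -w arp-request.cap`) selects none of the packet modes `-0` to `-9` listed under OPTIONS, even though the DESCRIPTION says the common case is forging an ARP request for injection; add `-0, --arp` so the example matches the text and produces the `arp-request.cap` its output name promises. The SYNOPSIS is reduced to `packetforge-ng` with no mode or options placeholder, and `-p`, `-a`, `-c`, `-h`, `-k`, `-l`, `-w`, `-r`, `-y`, `-t` and `-s` have all lost their operands. `addres` under `-a` and `genration` in the DESCRIPTION are typos.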
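Review bot: in tkiptun-ng.md `-p` is documented twice with different meanings: `-p Set frame control word (hex)` under Replay options and `-p Preshared key (PSK) to calculate PMK with essid` under Debug options, next to `-P` for the PMK. Both cannot be right as written; check the tool's own help output and correct the letter, or at least note the clash. Also `-j Inject FromFS packets` should read FromDS to match the `-f` entry, the section heading is OPERATION where the other pages in this commit use OPTIONS, and the operands of `-d`, `-s`, `-m`, `-n`, `-t`, `-f`, `-x`, `-a`, `-c`, `-h`, `-e`, `-K`, `-y`, `-P`, `-i` and `-r` are missing.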
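Review bot: in wesside-ng.md the `-m` description still carries the raw groff escape `\(aq` (`\(aqwho has destination IP (netip) tell source IP (myip)\(aq`); replace it with plain quotes. The `-m` and `-n` entries also read almost the same because both quote that ARP phrase, and with the `<my ip>`/`<network ip>` operands stripped nothing says that `-m` is the source IP and `-n` the network IP; the `-t` text `It will restart PTW every IVs.` has lost its count the same way, and `-i`, `-a`, `-p`, `-v` and `-f` show no operand either. `airecrack-ng` under `-t` is a typo for aircrack-ng.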