Title: step-by-step-Backtrack-5
Description: These notes teach you how to use Backtrack step by step; after you read these notes, I'm sure you will be a pro in Backtrack.
Document Preview
Step by Step Backtrack 5 and wireless Hacking basics
Installing Backtrack 5
Creating a Backtrack 5 R3 Live CD
Installing to the Hard drive
Installing and running with VMware
Reaver
WPA dictionary attack
Getting a handshake and a data capture
Using aircrack and a dictionary to crack a WPA data capture
www
...
org
Step by Step Backtrack 5 and wireless Hacking basics
All information in this book is for testing and educational purposes only; for use by network
security administrators or testing the security of your own wireless connection
...
If you have never used Backtrack before, all you really need to know is that it is the best software to
use for Digital Forensics, Intrusion Detection and Penetration Testing
...
I will go
step by step through each
...
The two main types of wireless hacks are WPA dictionary attack, and Reaver
...
WPA or WPA2, which are really the same thing, are the
way in which routers are now encrypted and much harder to crack
...
There is no
point and click option
...
Buying multiple routers to play with is also a good idea
...
Different manufacturers do different things and have
different setups, so some have a weakness that another will not
...
This is not because the adapter is not supported; it
may or may not be
...
The most common wireless USB adapters currently used are the Alfa AWUS036H and the Alfa
AWUS036NH
...
While the Alfa AWUS036H supports wireless G
...
wirelesshack
...
http://www
...
org/backtrack-5-download
The Backtrack file is big, 2-4 GB depending on the type of file you download
...
I will talk about how each install works, but if you are new to Backtrack 5 the easiest way is to
burn the Backtrack 5 ISO to a DVD or a flash drive and boot from it; of course, once the
computer restarts, data can be lost if not stored correctly
...
Running Backtrack 5 within virtualization is possibly the most common way
...
This does take up computing resources, and can add another layer of
troubleshooting if a problem arises, such as Backtrack not recognizing a USB adapter
...
If you are just starting
out I would start by using a Boot DVD, then move on to virtualization later, but this is a personal
choice and depends on your own experience and knowledge of using Operating Systems
...
The download can be
found here http://www
...
org/backtrack-5-download The download site has
recently changed and the file will have to be downloaded by using a Torrent
...
First download and install a Torrent Client; the most popular
is uTorrent but there are many
...
There are often spam links so be sure to click only the correct link
...
ISO burning software will be needed
...
(I have no connection with PowerISO, it is simply what I use, so I will be using it for this
example)
...
After the ISO has been burned to a DVD it can be used as a Live CD or used to install to the
hard drive
...
Most computers have a boot option button to press or will automatically boot
the disk
...
Choose the first option, which is "Default Boot Text Mode", and the computer will boot from the
DVD up to the login
...
Once logged in and at the command prompt (pound symbol #), type "startx" and this will start
the graphical user interface
...
Download the Backtrack ISO http://www
...
org/backtrack-5-download
2
...
http://www
...
com/download
...
Install PowerISO
4
...
5
...
6
...
7
...
The password is toor
8
...
Installing to the Hard drive
Any existing Operating System will be wiped out and only Backtrack will be installed if this is
done
...
Backtrack can be set up to dual boot along with an existing Operating System, but explaining
how to do a dual boot is more advanced
...
If you don't understand Operating Systems, use the other options: boot from the DVD but do
not install Backtrack, or run Backtrack with VMware
...
This is the same as
the above booting off the DVD
...
sh on the
desktop
...
Quick Steps installing Backtrack 5 to the hard drive
...
2 Login username root, Password toor
...
4 Double click the Install Backtrack
...
Installing and running with VMware
Running two operating systems at the same time is quite common now and done relatively
easily
...
For those who do not know, VMware is a way to run another operating system virtually within
another operating system
...
VMware works very well, and as long as you have a fairly recent computer it should run fine
...
Mainly because an ISO
can be burned to a disk or any bootable device and booted from
...
VMware Workstation is not exactly cheap, although there is a free version
...
VMware Workstation is not free but there is a free version called VMware Player
...
VMware Player can be downloaded here http://www
...
com/products/player You will
have to scroll down to find the free download of VMware Player
...
wirelesshack
...
Once both VMware Player and the Backtrack 5 VMware image are downloaded, run and install
VMware Player and follow the default options
...
Once it is done extracting all the files, run VMware Player and on the right click "Open a Virtual
Machine"
...
Only one file will come up because of the
...
Quick steps to installing Backtrack 5 and VMware player
1
...
vmware
...
Download the Backtrack VMware image file
...
wirelesshack
...
3
...
Once VMware is installed, go to Open a Virtual Machine, go to the VMware Backtrack 5
Image file location and click on the file
...
The user name is root and the password is toor
...
Reaver
Commands we will be using
...
Before WPA was implemented and
WEP ruled wireless encryption, any network could be cracked easily
...
Then came Reaver
...
WPS makes it easy
for wireless devices to find and connect to a router
...
If a router has WPS enabled then cracking the encryption is no longer necessary
...
If a router has WPS enabled it can usually be cracked in two to ten hours
...
It's a feature that exists on many routers, intended to
provide an easy setup process, and it's tied to a PIN that's hard-coded into the device
...
Reaver does not attempt to take on the WPA encryption itself but goes
around it using WPS and then displays the password
...
Such as signal strength: a strong signal
is almost a must
...
Reaver has many options or switches it can use to deal with these problems
...
There are many more commands to use with Reaver; you can see
them all by typing "reaver /?", or in the Appendix there is a full list of the commands that can
be used with Reaver
...
Start Backtrack 5 and open two terminal windows
...
It
should show "Wlan" along with the chipset; if it doesn't, then some troubleshooting will have to
be done until it does
...
To do this run the following
command "airmon-ng start wlan0"
If all goes well the screen will scroll by with some information, then say enabled on mon0
...
The “wash” command has been notorious for having problems and not working correctly
...
I believe I have found a fix that has been working for me on
both Backtrack 5 and Kali Linux
...
"mkdir /etc/reaver"
then run the wash command
"wash -i mon0 -C"
(That is a capital C)
Copy the BSSID, to paste it when needed later, then press CTRL+C to stop the process in the terminal window
that is using the wireless USB adapter
...
Run the following command
to see all access points within your reach
...
Only do this if the wash
command finds nothing)
Now we can get to using Reaver
...
You can copy and
paste the BSSID
...
"reaver -i mon0 -b (Target BSSID) -vv"
(The -vv is two V's, not a W)
Reaver should start to run
...
It will run
until it finds the wireless password, usually 2-10 hours
...
The password is "jackandjillwentupthehill"
...
A dictionary attack is one of the easiest to understand but the least likely to find a password
...
Basically, a data capture of the router is made wirelessly when someone logs into the router
...
If someone knows the person then they may be able to guess the password, but otherwise this
can take a long time and never find anything
...
The data
capture could be copied between multiple computers to split the work up
...
Cloud computing might be an option to harness someone else's computing power, and
so on
...
The way this works, basically, is that there is a
large dictionary that you use to throw as many combinations of words as possible at the WPA
encryption until it cracks
...
Getting a handshake and getting a data capture
Commands used
airmon-ng
airmon-ng start wlan0
airodump-ng mon0
Backtrack should be up and running
...
For this example I am using an Alfa
AWUS036H, which uses the RTL8187L chipset
Once you know the adapter is connected and operating, run this command to get the adapter
into monitor mode
...
sometimes it will enable on mon1 or mon2; if it does, use that
...
airodump-ng mon0
A picture like the above should come up and show all the APs out there
...
Use CTRL+C to stop the command and copy the BSSID
...
Here
we are going to set up the adapter to do a data capture on the AP we selected
...
To do this we run the following command
...
At this point we could simply wait for someone to connect wirelessly to the router
...
If we wait then we stay in passive mode, and
no one can detect we are there
...
There is a way to speed this up if you know someone has a wireless device connected to the
router: by de-authenticating them, or kicking them, forcing them to reconnect
...
To do this open another
terminal window and type the following
...
The default storage for a WPA handshake is under /root, and it will be there under whatever
name you called it
...
lst
...
We will be using aircrack to do the cracking and the command to do this is:
aircrack-ng (file name) -w (dictionary location)
Where the file name is the handshake file you captured and the dictionary location is the path
to your dictionary
...
as
I said above, the usual default location of the handshake file is under /root and it is whatever you
called it
...
lst dictionary for this example under the
/pentest/passwords/wordlists directory
...
cap -w /pentest/passwords/wordlists/darkc0de
...
If the dictionary finds it, it will show as below; if not, then another dictionary will need to be
used
...
Conclusion
The information in this book is to give the reader a basic overview of the current hacks against
wireless routers with Backtrack 5, and hopefully it has done that
...
In the Appendix you can see these options
...
wirelesshack
...
4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
11 channel for the interface (implies -f)
-o, --out-file=
Send output to a log file [stdout]
-s, --session=
Restore a previous session file
-C, --exec=
Execute the supplied command upon successful pin recovery
-D, --daemonize
Daemonize reaver
-a, --auto
Auto detect the best advanced options for the target AP
-f, --fixed
Disable channel hopping
-5, --5ghz
Use 5GHz 802
-v, --verbose
...
20]
Do not associate with the AP (association must be done by another
Do not send NACK messages when out of order packets are received
Use small DH keys to improve crack speed
Ignore locked state reported by the target AP
Terminate each WPS session with an EAP FAIL packet
-n, --nack
Target AP always sends a NACK [Auto]
-w, --win7
Mimic a Windows 7 registrar [False]
Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv