Get the name of the file, because we will use it in the next step. This file is very important because it contains the hash captured from the handshake, and the brute force will try to break this hash by comparing it against each line of the wordlist file.
Yes, you must replace the information with what you have in JamWiFi. That information is where the data you grabbed with the sniff (step 4) is kept; this is where the handshake information is.
The last piece of information must be a wordlist for the script to try; there are many such files on the internet. Is that it?
Thanks for the info really useful stuff. Really appreciate it.
I have one question; you have answered it previously in the comments here, but I am still a bit confused.
aircrack-ng -1 -a 1 -b BSSID cap_file -w wordlist
I know what to use for:
BSSID and cap_file
What do I need to use for wordlist?
Otherwise, it's still possible to use aircrack-ng within Kali, if the handshake packets are first captured within Mac OS X using tcpdump. Here's a shell script that will capture a WPA handshake on a MacBook Air, tested on OS X 10.11 (El Capitan):
(If you want to run aircrack-ng on Mac OS X, you can install it via Homebrew using brew install aircrack-ng.) If it's not already supported, I think it should be possible to patch this driver (on Linux and Mac) to send arbitrary deauth frames and support general packet injection.
Idea and initial work: ASPj
Additions by: a number of good souls
Last updated: Nov 21, 2018
This tutorial will give you the basics to get started using the aircrack-ng suite. It is impossible to provide every piece of information you need and cover every scenario. So be prepared to do some homework and research on your own. The Forum and the Wiki have lots of supplementary tutorials and information.
The first step in getting aircrack-ng working properly on your Linux system is patching and installing the proper driver for your wireless card. Many cards work with multiple drivers, some of which provide the necessary features for using aircrack-ng, and some of which do not.
Needless to say, you need a wireless card which is compatible with the aircrack-ng suite. This is hardware which is fully compatible and can inject packets. A compatible wireless card can be used to crack a wireless access point in under an hour.
To determine which category your card belongs to, see the hardware compatibility page. Read Tutorial: Is My Wireless Card Compatible? if you don't know where to look in that table. It still does not hurt to read this tutorial to build your knowledge and confirm your card's attributes.
First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph. The drivers section will tell you which drivers you need.
The following chapter is very important if something doesn't work as expected. Knowing what it is all about helps you find the problem, or at least describe it so that someone else can help you. This is a little scientific and you may feel like skipping it. However, a little knowledge is necessary to crack wireless networks, because it is more than just typing one command and letting aircrack do the rest.
This is a short introduction to managed networks, the ones working with Access Points (APs). Every AP sends out about 10 so-called beacon frames a second. These packets contain the following information:
Every AP has a unique MAC address (48 bits, 6 pairs of hexadecimal digits). It looks like 00:01:23:4A:BC:DE. Every network hardware device has such an address, and network devices communicate with each other by using this MAC address, so it's basically like a unique name. MAC addresses are unique: no two network devices in the world have the same MAC address.
If you want to connect to a wireless network, there are some possibilities. In most cases, Open System Authentication is used. (Optional: If you want to learn more about authentication, check this out.)
airodump-ng hops from channel to channel and shows all access points it can receive beacons from. Channels 1 to 14 are used for 802.11b and g (in the US, only 1 to 11 are allowed; 1 to 13 in Europe with some special cases; 1 to 14 in Japan). 802.11a is in the 5GHz band, and availability in different countries is more fragmented than on 2.4GHz. In general, known channels start at 36 (32 in some countries) and run to 64 (68 in some countries), and then 96 to 165. Wikipedia has more details on channel availability. The Linux Central Regulatory Domain Agent takes care of allowing/forbidding transmissions on the different channels for your country; however, it needs to be set appropriately.
Now you should look out for a target network. It should have a client connected because cracking networks without a client is an advanced topic (See How to crack WEP with no clients). It should use WEP encryption and have a high signal strength. Maybe you can re-position your antenna to get a better signal. Often a few centimeters make a big difference in signal strength.
In the example above, the network 00:01:02:03:04:05 would be the only possible target because it's the only one with an associated client. It also has a high signal strength, so it's really a good target to practice on.
Before being able to crack WEP you'll usually need between 40 000 and 85 000 different Initialization Vectors (IVs). Every data packet contains an IV. IVs can be re-used, so the number of different IVs is usually a bit lower than the number of data packets captured.
So you'll have to wait and capture 40K to 85K of data packets (IVs). If the network is not busy it will take a very long time. Often you can speed it up a lot by using an active attack (=packet replay). See the next chapter.
The MAC after the -b option is the BSSID of the target, and dump-01.cap is the file containing the captured packets. You can use multiple files: just add all their names, or use a wildcard such as dump*.cap.
The number of IVs you need to crack a key is not fixed. This is because some IVs are weaker and leak more information about the key than others. Usually these weak IVs are randomly mixed in between the stronger ones. So if you are lucky, you can crack a key with only 20 000 IVs. But often this is not enough, and aircrack-ng will run a long time (up to a week or even longer with a high fudge factor) and then tell you the key could not be cracked. If you have more IVs, cracking can be done a lot faster and is usually done in a few minutes, or even seconds. Experience shows that 40 000 to 85 000 IVs is usually enough for cracking.
The first step is to make sure packet injection really works with your card and driver. The easiest way to test it is the injection test attack. Make sure to perform this test prior to proceeding. Your card must be able to successfully inject in order to perform the following steps.
ARP works (simplified) by broadcasting a query for an IP, and the device that has this IP sends back an answer. Because WEP does not protect against replay, you can sniff a packet, send it out again and again, and it is still valid. So you just have to capture and replay an ARP request targeted at the AP to create lots of traffic (and sniff IVs).
If the number of data packets received by airodump-ng sometimes stops increasing you maybe have to reduce the replay-rate. You do this with the -x option. I usually start out with 50 and reduce until packets are received continuously again. Better positioning of your antenna usually also helps.
Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID and possibly a keystream during reconnection too. This comes in handy if the ESSID of your target is hidden, or if it uses shared-key authentication.
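As an added example (not part of this tutorial or of the aircrack-ng code), the following Python walks a capture the way the two sections above describe it: it counts WEP data frames against distinct IVs (the "IVs can be re-used" point), flags an IV that recurs far more often than any other (the signature of a replayed packet, which WEP does not prevent), and flags a source that sends a burst of deauthentication frames (the forced-reconnect trick). The frame layout is the standard 802.11 header; the sample frames, MAC addresses and thresholds are constructed for the demonstration.

```python
import struct
from collections import Counter

# 802.11 header: frame control (2 bytes), duration (2), addr1/addr2/addr3 (6 each), seq ctl (2)
HDR = struct.Struct("<BBH6s6s6sH")
PROTECTED = 0x40        # flag in the second frame-control byte: body is encrypted (WEP here)
MGMT, DATA, DEAUTH = 0, 2, 12

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(frame):
    # Split a raw frame into (type, subtype, protected?, addr1, addr2, addr3, body)
    fc0, fc1, _dur, a1, a2, a3, _seq = HDR.unpack_from(frame)
    return (fc0 >> 2) & 3, fc0 >> 4, bool(fc1 & PROTECTED), mac(a1), mac(a2), mac(a3), frame[HDR.size:]

def analyse(frames, replay_threshold=20, deauth_threshold=10):
    # Count WEP data frames and distinct IVs; flag replayed IVs and deauth bursts per source
    data, ivs, deauth = 0, Counter(), Counter()
    for fr in frames:
        ftype, sub, prot, _a1, src, _a3, body = parse(fr)
        if ftype == MGMT and sub == DEAUTH:
            deauth[src] += 1                 # addr2 is the (claimed) transmitter
        elif ftype == DATA and prot:
            data += 1
            ivs[body[:3]] += 1               # WEP IV = first 3 bytes of the encrypted body
    return {
        "data_frames": data,
        "unique_ivs": len(ivs),
        "replayed_ivs": {iv.hex(): n for iv, n in ivs.items() if n >= replay_threshold},
        "deauth_floods": {s: n for s, n in deauth.items() if n >= deauth_threshold},
    }

# --- constructed sample capture (no real traffic; all addresses are made up) ---
AP, STA, ROGUE = b"\x00\x01\x02\x03\x04\x05", b"\x00\x11\x22\x33\x44\x55", b"\x00\xde\xad\xbe\xef\x00"

def build(fc0, fc1, a1, a2, a3, body):
    return HDR.pack(fc0, fc1, 0, a1, a2, a3, 0) + body

def wep_data(iv):
    # data frame (type 2, subtype 0) with the protected bit; body = IV(3) + key id(1) + ciphertext
    return build(0x08, PROTECTED, AP, STA, AP, iv + b"\x00" + b"\xaa" * 36)

SAMPLE = (
    [wep_data(bytes([i, 0, 0])) for i in range(30)]        # 30 frames, 30 distinct IVs
    + [wep_data(bytes([1, 0, 0]))] * 25                    # the same frame replayed 25 times
    + [build(0xC0, 0, STA, ROGUE, AP, b"\x07\x00")] * 12   # 12 deauths to STA from one source
    + [build(0xC0, 0, STA, AP, AP, b"\x03\x00")]           # one ordinary deauth from the real AP
)
```

On the constructed sample, analyse(SAMPLE) reports 55 data frames but only 30 unique IVs, one IV seen 26 times, and a single source responsible for 12 deauthentication frames.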
So PLEASE, if you want to do other advanced networking things than network sniffing or what is described in this article, do yourself a favour and buy a USB adapter to use with the virtual machine.
There is a list on the website of aircrack-ng, and I think the Alfa AWUS051NH v2 is great. Some people say it is expensive, but last time I checked on Google Shopping, it cost less than half an Apple mouse.
Use JamWiFi to deauth some users, and when tcpdump shows you it got 4 frames or more, Ctrl-C. It appears you can use less than 4 frames, but it depends on the frames you got (for instance 1,2 or 2,3 are sufficient). Anyway, you should normally get at least 4. If nothing shows, try to deauth another user.
After much frustration with this same problem I found a way to actually use Airodump on my Mac terminal. What I realized is that all of the files that I can successfully execute are located in the directory path
And I was unable to execute it from that path. All I did was move Airodump from the /usr/local/sbin path to the /usr/local/bin path, and it now works great! I was going crazy for hours and it was that simple.
It is possible to use Wireshark with monitor mode enabled to essentially do the job of airodump-ng. This will allow capture of raw 802.11 frames, which will show the traffic from APs and clients. It needs to be remembered that the WiFi device can only listen on one channel at a time, so you'll only see the traffic on the channel it's set to. You can choose the channel by associating with the desired network before the capture, or by using the airport (/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport) command (e.g. to sniff channel 1, given your WiFi adapter is called en0):