commview for wifi help



#1 Danec
    Will I break 10 posts?

  • Members
  • 4 posts

Posted 11 February 2009 - 01:21 PM

Hello,
I have been using CommView for WiFi for over a week trying to crack my own WEP.
When I first start the scan and run it, I see that a bunch of MGMT packets are coming in, and I have collected these without many IVs in them. I collected over 2 million of them, and when I use aircrack-ng to get the code it always fails.
I see on one of the posts that someone installed some plugins for CommView for WiFi (WEPKR and WAPKR plugins).
I am wondering if this is my problem.
I have even tried BackTrack 3 without any success.
I have let it run (CommView) for 24 hours and I only got 38,000 IVs. Of course that's not enough to crack it.
Could you please tell me what settings I need to make in CommView to make this thing work.
I need a complete walkthrough if that is possible.
Do I need to collect data, management and control packets?
I really need some help here and I would be very grateful.
I am at a loss. I have searched the internet for 10 days straight and none of the things or tutorials seem to work for me. I am using a Netgear WPN311 Wireless RangeMax PCI card; it's supposed to be completely compatible, and I have installed the correct CommView for WiFi drivers.
Thanks.
Dane

#2 Meman5150
    Will I break 10 posts?

  • Members
  • 8 posts

Posted 11 February 2009 - 04:39 PM

When I tried cracking WEP I didn't find CommView for WiFi a good enough tool. I recommend using airodump and aircrack if your card is supported. If not, you can do what I did and buy a new wireless card. The Linux tools just work a lot better.

#3 stacksmasher
    Mack Daddy 31337

  • Members
  • 214 posts

Posted 12 February 2009 - 10:38 AM

The best way to get as many IVs as possible is to "feed" the access point with a bunch of traffic. Remember hearing about people who can crack WEP in 2 minutes?

They are using fake traffic and requests to make the access point spew IVs.

I use 2 laptops for wireless pen testing; one has "several" USB 802.11 adapters.

Cracking WEP is sooooo 1999!

All the cool kids have moved on to 802.11X

#4 Danec
    Will I break 10 posts?

  • Members
  • 4 posts

Posted 12 February 2009 - 03:24 PM

Thanks for the reply.
This really isn't for me but for a friend who doesn't want to pay for high-speed internet.
There are 2 great connections as well as 10 other not so great connections, and they are all locked up with WEP or WPA.
I have tried using BackTrack 3 on the WPAs, but I couldn't get a handshake but one time, and then the dictionary was so small that it didn't find the password. I then downloaded a 107 MB dictionary onto a USB pen drive, but I couldn't figure out how to paste it into the root folder so that I could use the dictionary. I tried using cd /mnt/media/sbd1/ root but that command didn't work to put the dictionary in the root folder. I tried all the commands that I could think of, but I am a newbie at all this and so I don't know the right command to do that.
Can you please tell me what command to use to put the dictionary in the root folder.
I am using a BackTrack 3 live CD and a USB pen drive as well as a Netgear WPN311 wireless card. The card is supported.
I have read and printed out so many different versions of how to use BackTrack for cracking WPA and WEP, and it seems that no matter how hard I try I just get nowhere.
I just guess I am doing it wrong.
So if anybody can give me the command to put the dictionary onto the root, that would be helpful.
Also, if anyone knows the simplest way to crack WPA, please post the commands so that I can understand them.
My wireless card registers wifi0 and ath0 as its parent when I start airmon-ng. When it starts it says monitor mode enabled, so I know it's not the card.
So I need the commands using ath0.
I would greatly appreciate any help.
Thanks.
Dane

#5 Zermelo
    the 0ne

  • Members
  • 1 posts

Posted 13 February 2009 - 12:35 AM

> Also, if anyone knows the simplest way to crack WPA, please post the commands so that I can understand them.

Cracking Wi-Fi Protected Access (WPA) or WPA2 is not as easy as cracking WEP. In WEP, parts of the key are transmitted in each IV, so that after enough traffic is captured you can make a statistical analysis of the parts gathered and determine with certainty what the key is.

WPA is much more sophisticated. The passphrase is first hashed using the Password-Based Key Derivation Function 2, PBKDF2, which is a hash over the passphrase using the ESSID of the network as a salt, iterated 4096 times. This results in the Pairwise Master Key, or PMK. The PMK is then used to derive the Pairwise Transient Key, or PTK. The PTK is different for each session, so even if you could somehow statistically determine the key, the key would only be good for that particular session.

Anyway, the only effective attack known to date to GET THE PASSPHRASE is a dictionary attack, as you are attempting. There are other attacks, but they will not retrieve the passphrase (tkiptun-ng utilizes the newfound weaknesses in WPA); they will only allow you to decrypt data and inject data into the network.

The bottom line is that with a dictionary attack, you are relying on the person using a weak passphrase that is likely to be in a dictionary of common passphrases. If the person is smart and used a long passphrase with special characters and upper and lower case letters, chances are you will not find it with a dictionary attack.

It is simply not feasible to do a brute-force attack on WPA (brute force would mean going through EVERY possible combination). This is simple mathematics.

A WPA passphrase is a minimum of 8 characters and a maximum of 64 characters. To determine the combinations of a particular password length X, you raise the number of possible characters to the power of X. So for example, if you wanted to go through every possible combination of a 10-character password with just lower case letters, it would be:

26^10 = 1.41167096 × 10^14 possible combinations, which at 500 passwords tested per second = 2.82334191 × 10^11 seconds = 4.70556986 × 10^9 minutes = 78,426,164.3 hours = 3,267,757 days = 8,953 days

and that's just testing lower case letters. If you wanted to test lower and upper case letters, the base then becomes 52; add in numbers and a space character, and the base becomes 63. So if you wanted to test the same length passwords against all these possibilities it would be:

63^10 = 9.84930292 × 10^17 combinations, or 53,967,295 years

Have some fun: here is a brute-force calculator you can play with: http://lastbit.com/pswcalc.asp

Bottom line: you can try a good dictionary on a handshake, but there is NO guarantee that you will crack the passphrase. In fact, in most cases even with a good dictionary you won't. So if you obtained the handshake, then that is pretty much the end of the technical part of cracking it. The rest is a matter of luck and how much time and hard drive space you're willing to waste trying to crack it, and even if you're willing to devote vast amounts of resources there is still no guarantee.

There are ways to speed things up, but again, when you're talking about numbers like this, even a speedup of 20x will still take years, decades, centuries, etc. depending on the password complexity.

Edited by Zermelo, 13 February 2009 - 12:38 AM.
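The PMK derivation and the keyspace arithmetic Zermelo describes, worked through in Python as an added example (not code from any poster in this thread). The passphrase/SSID pair "password"/"IEEE" is the public 802.11i test vector; the 500 guesses/second rate and the 26/52/63-character alphabets are the figures from the post above, and the measured rate is whatever this machine does single-threaded.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as WPA/WPA2-Personal derives it:
    PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 iterations,
    256-bit output. The per-session PTK is derived later from this PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to test every candidate of one length at a fixed rate."""
    return keyspace(alphabet_size, length) / guesses_per_sec


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_sec) / SECONDS_PER_YEAR


def measure_guess_rate(ssid: str = "IEEE", samples: int = 200) -> float:
    """PMK derivations per second on this machine, single core. The 4096
    PBKDF2 iterations are what make each dictionary entry cost this much."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i:08d}", ssid)  # constructed throwaway guesses
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # 802.11i Annex test vector: expect f42c6fc5...9710a12e
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    for base, label in ((26, "a-z"), (52, "a-zA-Z"), (63, "a-zA-Z0-9 + space")):
        print(f"{label:18s} 10 chars: {keyspace(base, 10):.3e} candidates,"
              f" {years_to_exhaust(base, 10, 500):.3e} years at 500/s")
    rate = measure_guess_rate()
    print(f"this machine: {rate:.0f} PMK/s ->"
          f" {years_to_exhaust(26, 10, rate):.3e} years for a-z, 10 chars")
```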


#6 _Sam_
    Will I break 10 posts?

  • Members
  • 3 posts

Posted 13 February 2009 - 02:22 PM

WPA
WEP
more WEP and other funny things with BackTrack
I haven't tried it yet, but cracking WEP seems to be easy. If the quality of one of these WEP-protected APs is good enough, you should try it. Sorry for my English :)