...

Crack a WPA Network eng

by user

on
145

views

Report

Comments

Transcript

Crack a WPA Network eng
Crack a WPA Network eng
Scritto da Administrator - Ultimo aggiornamento Mercoledì 30 Settembre 2009 11:39
We have already seen how easy it is with time and the right tools to get the WEP key of any
wireless network.
We have already explained that these operations are not lawful but for pure interest and
personal enrichment ...
In the crack of a WPA/WPA2 network the sniffing process is easier and faster than WEP crack
the stage of cracking is a bit 'a lottery because for now it is a simple bruteforce attack with
dictionaries .. The advantage is that once captured the handhake needed to crack it is possible
to crack offline, the disadvantage is that the word is not complete meaning or contained in our
dictionaries crack is for now impossible.
0) What is the wpa handhake?
can define
it as a kindbefore
of "greeting"
.. at this stage they "agree" transmission
)We
between
two computers
starting(hand-shake,
communication
rates, protocols and encryption .... It always speak in the guides of four-way handshake, in a
nutshell it is a simple communication request / acknowledgment.
- A asks B -> Hello I'm a wifi card
- B replies to A, -> I'm an access point are protected by WPA, transmits to 54M mode b. ..
- A asks B -> but I pass it on to 11M, you're lucky my WPA PSK and my MAC?
- A responds to B -> ok is just, well log
We must capture this communication in order to operate the crack wpa, obviously with the
aircrack suite .. No client no crack ..
Will be left implied the use of linux-live tools like Kismet and backtrack (which have been
explained in the previous tutorial of WEP).
1) Analysis of the target network
1/5
Crack a WPA Network eng
Scritto da Administrator - Ultimo aggiornamento Mercoledì 30 Settembre 2009 11:39
We start kismet and try all this data:
Network objective of our analysis, it is essential that its protection is of a type with WPA/WPA2
PSK (Pre Shared Key),
- its channel, its MAC address
-
the transmission rate (rate, eg 11 M, 22M, 54M ...)
-
mode of transmission (802.3bog)
Now you need to look for clients connected, we can still do it with kismet (press c).
Of course even if there are no clients connected, you can always continue the tutorial but still
must wait for some good soul to connect ..
Now that we have recorded everything we need we can set the capture ..
2) Basic settings
After turning off kismet (which seems to me interferences with the capture), set the monitor
mode on channel network
Suppose both the channel 11:
airmon-ng stop wlan0
airmon-ng start wlan0 11
Now set the rate and mode of transmission with the following commands, (personally I thought
it was not important but the facts I have been denied ..):
iwconfig wlan0 rate 22M # supponendo il rate sia 22M
iwpriw wlan0 mode 2 # modalità b (0 sta per auto 1 per g..etc)
Now note that if the capture will not go 'to succeed is a good idea to try lowering the rate to a
minimum:
iwconfig wlan0 rate 1M
3) Capture the handshake
We set airodump to listen to the right channel (BSSID is the MAC of the access point goal, write
the results to file "testhandshake")
airodump-ng --bssid 00:1D:8B:XX:XX:XX --channel 11 -w testhandshake wlan0
2/5
Crack a WPA Network eng
Scritto da Administrator - Ultimo aggiornamento Mercoledì 30 Settembre 2009 11:39
Now we must wait for some clients connect with the correct password so there will be a
handshake properly ...
Or we can deauthenticate a client already connected to reconnect it to do so we send one or
more packets with aireplay deauthentication:
aireplay-ng -0 1 -a 00:1D:8B:XX:XX:XX -c 0E:1B:DA:XX:XX:XX wlan0
{{adsensegrande}}
-0 Mode is about - deauth and the number following is the number of packets
de-authentication (5,9,10 we too, but not too much, otherwise the AP does not listen)
The first MAC is the station, while the second is that of the client to disconnect.
Now with a little of patience and attempts (changing also the rate to 1M) in the airodump
window should appear in the top right :
WPA HANDSHAKE ! WPA handshake!
Now many say they check the filter EAPOL handshake with wireshark, but I have noticed
that if airodump it says to be trusted, and then also controls aircrack.
(NOTE: Who says there must be all four of the handshake reply cloning guides inexperienced
staff, try with only three and does the same crack ...)
{{adsensegrande}}
4)Crack wpa
It 'really hard when it comes to access points with a random password of 24 characters ...
But fortunately many use common words that are often found in many dictionaries.
So at this point is crucial to find many dictionaries in the right language for the bruteforcing
with aircrack, there are many existing network.
But a little 'social engineering does not hurt if the network is called CapitanoKirk Get a
dictionary with all the characters of Star Trek right?
For the crack we can operate offline (also on Windows with Aircrack Windows) by typing:
aircrack-ng -w dizionario.txt -b 00:19:5B:XX:XX:XX testhandshake.cap
where obviously dizionario.txt is your wordlist and the MAC is that of Pointe. Note: WPA on
3/5
Crack a WPA Network eng
Scritto da Administrator - Ultimo aggiornamento Mercoledì 30 Settembre 2009 11:39
bruteforcing devote a separate article where also analyze the so-called rainbow tables (genpmk,
cowpatty ... etc)
If you want you can
post your handshake
n // -->
[email protected]
Questo indirizzo e-mail è protetto dallo spam bot.
This e-mail address is being protected from spambots.
Abilita Javascript per vederlo.
You need JavaScript enabled to view it.
Tried a bruteforcing and we will give you an answer within a week.
Here
carry an effective date and worlist Italian words. (15.5 MB, compressed 5MB)
5) Generation of targeted wordlist
In subsequent articles we will deal with the generation of effective Wordlist shell script.
A first example of generation wordlist numbers can be found here.
{{adsensegrande}}
UPDATE: Non perdere i nuovi articoli sulla generazione di
wordlist e sulle tabelle di hash precomputate!
UPDATE:Stiamo leggendo la tesidi laurea di Erick Tews
sul tkip injection....A presto con un nuovo articolo su
tkiptun-ng
!!
La tesi e la successiva esposizione pubblica hanno già suscitato un gran polverone(vd metodo
Michael), è reperibile a questo indirizzo http://eprint.iacr.org/2007/471.pdf e apre nuove
frontiere e metodi per il crack wpa. Accettiamo consigli ed esperimenti su tkiptun(potete usare i
commenti qua sotto).
4/5
Crack a WPA Network eng
Scritto da Administrator - Ultimo aggiornamento Mercoledì 30 Settembre 2009 11:39
5/5
Fly UP