
Finding WPA Keys Broadcast In Clear



mmusket33
2015-02-18, 03:53
ESSIDPROBEWPA3-21.sh has been released for general use.

The bug that appeared when it was used with Kali 2.0 and the newer versions of aircrack-ng has been corrected.

Additions:

When the MTeams-associated C programmer found ESSID probes that were incomplete strings for WPA keys, e.g. 7 characters in length, an extensive rewrite of this program resulted. To find the missing characters, crunch was used to fill in the blanks as follows:

Menu-based crunch modules have been included to allow the user to expand ESSID probes, using the ESSIDPROBE strings as the base words, to find any missing characters.

Specific words can be randomized through menu-driven selections by the user.

Random characters can be crunch character groups like [0123456789] or selected specific characters like 12Dc, just as examples.

This program can produce large files, so care should be used if it is employed on operating systems with small amounts of storage space, such as persistent USB installs of Kali 2.0.

To see how the program functions, try writing only one (1) character or a specific text string and play with the selections before you make large files based on crunch character groups or large ESSID probe text files.

Users should feel free to suggest other crunch permutations to be included. They will be added if possible in later versions. Any bugs found, please advise.

You can download it here with Kali or at:

http://www.datafilehost.com/d/3fb327e4


Overview

The most sophisticated ciphers are many times defeated by simple operator error. The German Army High Command (OKW) used Enigma in WWII to encrypt messages. The cipher was finally broken when a radio operator sent the same message twice without changing the key settings.

Wi-Fi managing systems are also prone to operator errors. Musket Teams began seeing WPA keys broadcast in clear text, paired with the ESSID name, when running airodump-ng. MTeams knew the data pair sent was the WPA key and the station, as the code had previously been broken through other means such as Reaver or brute force. It soon became apparent that two (2) events were occurring. The Wi-Fi user was loading the WPA key into the ESSID (AP name) block of the Wi-Fi managing software, and the software began probing for a station using the WPA key as the ESSID (AP name). Later, when the connection did not work, the user corrected the error by setting up a new connection and leaving the old connection in place. The software then probed the BSSID using both the WPA key and the ESSID.

In airodump-ng you might see something like this at the bottom:

BSSID              STATION            PROBE
55:44:33:22:11:00  00:11:22:33:44:55  12345678,Wifi_Home

or

BSSID              STATION            PROBE
55:44:33:22:11:00  00:11:22:33:44:55  12345678

Using the screen to collect this data is not practical. The best way is to access the two (2) .csv files made by airodump-ng when using -w filename (write a dump file) on the airodump-ng command line. Musket Teams then wrote a small program to strip the kismet.csv file and the .csv file of the relevant data. The script has a commented help file embedded at the top. It gives you a text file suitable for aircrack-ng, pyrit and Elcomsoft, and it produces two (2) reference files to help determine ESSID, BSSID, PROBE pairing. This wordlist file has other uses. Sometimes the user loads the ESSID name into the WPA key block; hence the WPA key is the AP name. This cannot be determined from the scan, BUT the wordlist has all the ESSIDs seen, therefore it can quickly determine whether the WPA key is the ESSID when run against a handshake using aircrack-ng, pyrit or Elcomsoft.

For example:

aircrack-ng wifi.cap -w essidprobesdic.txt

Musket Teams

mmusket33
2015-02-24, 12:42
ESSIDPROBEWPA1-2.sh has been withdrawn.

You can download

ESSIDPROBEWPA1-4.sh at

http://www.datafilehost.com/d/083a4c11


MTeams

sherubin
2015-03-01, 19:43
@mmusket33 thanks for your tool. Hi, I have tried to test this script but it always asks for the .csv file; I have it already in root. But the script tells me the file is not there!
Why?

I have dumpfile-01.csv and dumpfile-01.kismet.csv in root.

mmusket33
2015-03-03, 01:52
To Sherubin

We downloaded the program from datafilehost and loaded it on three (3) different computers, and the program ran fine. All computers were running Kali Linux 1.0.9a, fully updated and upgraded.

MTeams then tried to simulate the failure. We induced your failure when the program was run from a folder off root, so just place this program in root and run it as follows: ./ESSIDPROBEWPA1-4.sh

We will be issuing ESSIDPROBEWPA1-5.sh as soon as we are satisfied with the testing, but the changes have to do with making the essidprobesdic.txt file DOS-friendly and removing the duplicates that still remain. Look back here in a few days if you are interested.

Write us again if this has not solved your problem and we will retest.

MTeams

sherubin
2015-03-03, 21:58
Yes, thanks mmusket33, it runs fine from root.

mmusket33
2015-03-15, 11:35
MTeams has updated to ESSIDPROBEWPA1-5.sh

This version corrects some duplicate problems and makes the dic file easier to use with aircrack-ng and Elcomsoft.

You can download the newer version at:

http://www.datafilehost.com/d/c161a915

mmusket33
2015-09-07, 23:25
WPA Key Fragments Broadcast In Clear Text


WPA keys in clear text have taken another turn. Our Musket Team C programmer has found cases where WPA key fragments (i.e. incomplete keys) are being broadcast in clear text. In this case the Wi-Fi user is inputting an incomplete WPA key in the ESSID block of the Wi-Fi software. When the key does not work, the user makes another connection and does not remove the older one. The Wi-Fi device then probes using both the WPA key fragment and the ESSID name.

These key fragments are easy to discover if they are less than 8 characters in length. However, incomplete keys greater than 7 are more difficult to handle.

A rule of thumb in WPA brute force cracking is that 50% of the keys chosen by users are numeric strings 8 to 10 characters in length, and more than half of these numeric-only keys are local telephone numbers.

You might see something like this in the airodump-ng probes:

1234567, Wifi Home

Hence ESSID probes shorter than 8 characters in length that appear to be key fragments might be attacked as follows.

Most WPA keys are numeric only, 8 to 10 characters in length. If you have Elcomsoft and Windows, use the word attack and check combinations of the string. If not, make a series of dictionary files and test them against a handshake.


For example, if you see 1234567, Wifi Home in your probes, run crunch.

A simple approach here would be:

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@ -o File88-01

crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@ -o File99-01

crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@@ -o File1010-01

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t @1234567 -o File88-02

crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@1234567 -o File99-02

crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@@1234567 -o File1010-02


A more complicated approach would be to work through ALL the positions, making small dictionaries:


crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@234567 -o File88c-01

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12@34567 -o File88c-02

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123@4567 -o File88c-03

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234@567 -o File88c-04

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12345@67 -o File88c-05

crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123456@7 -o File88c-06


crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@2345678 -o File99c-06

etc etc etc

Not all variations are shown here.


Keys 8 or more in length that do not successfully crack the key through tools like aircrack-ng might be WPA key fragments. In such a case the more complicated approach must be employed.

There is a significant social engineering component in successfully brute-forcing a WPA key. Even if your computer's cracking speed is slow, running numeric keys 8 to 10 characters in length against a WPA handshake is possible. If you are given a part of the key, the chances of cracking the WPA key increase.

MTeams are working on an expansion of ESSIDPROBE1-5 to construct these dictionaries automatically. In the meantime, if you discover these WPA fragments in clear text you can try the simple approach above; you might just get lucky.

Musket Teams
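As an added example (this is not MTeams' code and not part of the ESSIDPROBE script), the "complicated approach" above can be generated instead of typed by hand. The Python below enumerates every crunch -t template that keeps the fragment's characters in order with wildcards in every other position, for the 8 to 10 character lengths the post assumes and the 0-9a-z character set it uses; it also gives the candidate count before any file is written, and can produce the words itself with duplicates removed (templates overlap whenever a wildcard happens to equal an adjacent fragment character, so the separate crunch files above contain repeats). The fragment 1234567 is the one from the post; the output file name and the "frag" prefix are made up for the example.

```python
"""Expand a WPA key fragment seen in a probe into crunch templates / candidates.

Added example, not MTeams' code. Generalises the post's "complicated approach":
every order-preserving placement of the fragment in an 8..10 character key,
with the remaining positions filled from a character set.
"""
import itertools
import math
import string

DIGITS_LOWER = string.digits + string.ascii_lowercase  # the set used in the post
CRUNCH_META = set("@,%^")  # crunch -t wildcards; a fragment containing them needs -l


def placements(fragment, length):
    """All crunch -t templates of `length` chars that keep `fragment` in order
    ('@' = wildcard). There are C(length, len(fragment)) of them: 8 for 1234567 at 8."""
    templates = []
    for pos in itertools.combinations(range(length), len(fragment)):
        chars = ["@"] * length
        for p, c in zip(pos, fragment):
            chars[p] = c
        templates.append("".join(chars))
    return templates


def crunch_commands(fragment, lengths, charset=DIGITS_LOWER, prefix="frag"):
    """One crunch line per template: the hand-typed commands in the post, generated."""
    if CRUNCH_META & set(fragment):
        raise ValueError("fragment contains a crunch wildcard char; use crunch -l")
    return [f'crunch {n} {n} "{charset}" -t {t} -o {prefix}{n}-{i:03d}'
            for n in lengths
            for i, t in enumerate(placements(fragment, n), 1)]


def upper_bound(fragment, lengths, charset=DIGITS_LOWER):
    """Words before dedup: sum over lengths of C(n, k) * |charset|^(n - k).
    Check this before writing files; 1234567 over 8..10 with 0-9a-z is ~5.6 million."""
    k = len(fragment)
    return sum(math.comb(n, k) * len(charset) ** (n - k) for n in lengths)


def expand(fragment, lengths, charset=DIGITS_LOWER):
    """Yield each candidate once. Separate templates overlap (1@234567 and
    12@34567 both produce 12234567 when '@' is '2'), so a set of seen words is kept."""
    seen = set()
    for n in lengths:
        for template in placements(fragment, n):
            holes = [i for i, c in enumerate(template) if c == "@"]
            for fill in itertools.product(charset, repeat=len(holes)):
                word = list(template)
                for i, c in zip(holes, fill):
                    word[i] = c
                word = "".join(word)
                if word not in seen:
                    seen.add(word)
                    yield word


def write_wordlist(path, fragment, lengths, charset=DIGITS_LOWER):
    """Write the deduplicated list for aircrack-ng -w; returns the line count."""
    count = 0
    with open(path, "w") as f:
        for word in expand(fragment, lengths, charset):
            f.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    frag, lengths = "1234567", (8, 9, 10)
    print("templates at length 8:", placements(frag, 8))
    print("0-9a-z upper bound:", upper_bound(frag, lengths))
    print("digits-only upper bound:", upper_bound(frag, lengths, string.digits))
    for cmd in crunch_commands(frag, (8,)):
        print(cmd)
    # Numeric-only first, per the post's rule of thumb; small enough to run anywhere.
    n = write_wordlist("frag-1234567-digits.txt", frag, lengths, string.digits)
    print("wrote", n, "lines")
```

Run the digits-only list against the handshake first (about 124,000 lines before dedup for 1234567 over 8 to 10 characters) and only then widen the character set; the 0-9a-z bound is roughly 5.6 million lines, which is where the storage warning in the first post starts to matter.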

mmusket33
2015-09-28, 01:11
MTeams run constant airodump-ng scans, listening for both WPA handshakes and WPA keys broadcast in clear text.

airodump-ng -w scanwifi mon0

We also get e-mails saying clear text WPA keys cannot occur. Here is a typical example, received within the last 24 hours. All ESSID and BSSID info and the WPA key have been sterilized. The WPA key broadcast in clear text is 033441345.

CH  5 ][ Elapsed: 8 s ][ 2015-09-28 07:20

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID

55:44:33:22:11:00   -1    0        0      5    0   5  -1    WEP   WEP           <length: 0>
66:44:33:22:11:00  -66    0        2      7    1   6  54e   WPA   CCMP    PSK   Wifi Name 1
77:44:33:22:11:00  -72    0        2      0    0   7  54e   WPA2  CCMP    PSK   Wifi Name 2
88:44:33:22:11:00  -73   19       14      0    0   5  54e.  WPA2  CCMP    PSK   Wifi Name 3

BSSID              STATION            PWR   Rate    Lost  Frames  Probe

55:44:66:00:22:33  00:11:22:33:55:77  -57   0 - 1    148       5
(not associated)   00:11:22:33:44:99  -73   0 - 1      0       1  Wifi Name 4
(not associated)   00:11:22:33:44:77  -72   0 - 1      0       1  033441345
(not associated)   00:11:22:33:55:55  -64   0 - 1      0       1
(not associated)   00:11:22:33:55:55  -75   0 - 1      0       2
55:44:33:22:11:00  00:11:22:33:44:55   -1   1e- 0      0       2
66:44:33:22:11:00  00:11:22:33:44:66  -51   0 - 1e    43       5


You can quickly check for handshakes by running:

wpaclean scanwifi-01a.cap scanwifi-01.cap

Where:

scanwifi-01a.cap is the cleaned file

scanwifi-01.cap is the original file


This will give a list of WPA handshakes on the screen and can be run at any time, even while airodump-ng is collecting data.

MTeams

basto
2015-09-28, 03:39
It looks very good. Thanks for sharing.

zerocool
2015-10-29, 21:27
This happened to me. I was scanning away when I noticed what looked like a WPA key in the probe column, so I tested it on the AP and it worked.
Never seen this before; any idea why it was shown? I've been scanning again and it's not shown the second time.

http://s28.postimg.org/b715veyst/fsdfsdfsdfsf.png

mmusket33
2015-10-30, 03:14
To zerocool

MTeams are constantly learning fieldcraft. We see these probes all the time, but you have to know what to look for. In fact, we saw one this morning.

With airodump-ng, what is kept on the screen for view is only 120 seconds' worth unless you add --berlin 1000000 to the command line. Also add --beacons to increase the number of beacons stored. See airodump-ng --help.

Example:

airodump-ng --berlin 1000000 --beacons -w dumpfile mon0

After you capture this data, run it through our ESSIDPROBEWPA.sh.

Note: MTeams will add these commands to the airodump-ng command lines when we update handshakeharvest2-5.sh.

Musket Teams

rho
2015-11-01, 21:20
I've been looking at these 'Probe' characters since I started with pentesting (2 weeks back).
In fact, initially I did a web search for probe stations to figure out what they actually are/were, but no info, or TMI.

Once again, thanks MTeams for pointing this out; I will keep an eye out for these things.
Is this script Kali 2.0 compatible?

zerocool
2015-11-02, 09:49
I have tried to do what you said, but both text files are empty. What am I doing wrong?

Does this look correct to you?
http://i.imgur.com/DrYHPbM.png

mmusket33
2015-11-02, 11:07
To zerocool

Thanks for pointing this out.

We ran some tests with Kali 1.1 and it ran fine, so we cranked up Kali 2.0 and it did not run. We traced the error to the airodump-ng csv output, which looks like it has changed slightly, which caused one of the awk lines to fail.

We do not have a lot of .csv files captured through Kali 2.0 to test this, so we will capture a big block of data and rewrite the program to fit the newer airodump-ng output.

Again Thanks!!!

MTeams

squash
2015-11-02, 15:11
I got a strange probe.

986

It seems that not only the SSID and WPA key can be found, but also a local IP XD

zerocool
2015-11-04, 16:42
Any ETA on this? While we wait, isn't there a command or another way to output any keys found in the dumpfile?

mmusket33
2015-11-05, 00:36
To zerocool

There are no tools for this as far as we know. This approach was not even recognized.

To do this manually will take time if you have a lot of .csv data. You could open up each .csv file collected by airodump-ng and look for any text strings that look like a WPA key. And then there is the fact that users may load the AP name into the WPA key block, so the WPA key and the ESSID are the same.
MTeams has stopped all other projects to correct this, as any of our lab programs, if airodump-ng is run, also collect data on the side and then send it to a text file for brute force work. The program is running; we are just adding modules to handle cases where the user inputs the WPA key incorrectly and the length is less than 8. I would think within three to five days, unless the waves become rideable.

MTeams
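As an added example serving both the script description in the first post and the question just above (how to get candidate keys out of a dumpfile without the script), here is a small Python extractor. It is not the ESSIDPROBEWPA script and not MTeams' code. It reads the -01.csv file that airodump-ng writes with -w (the kismet.csv is not needed for this), pulls out every ESSID and every probed ESSID, and turns them into a wordlist for aircrack-ng -w plus a BSSID/station/probe pairing list. Column positions are looked up from the header row rather than hard-coded, because the csv layout shifted between aircrack-ng versions (the ID-length column), which is the kind of change that broke the awk line described above. The sample csv is constructed from the sanitized screen capture earlier in the thread, rendered the way airodump-ng writes its csv; it is not a real capture, and the "essidprobes" output prefix is made up for the example.

```python
"""Pull ESSIDs and probed ESSIDs out of airodump-ng's -01.csv into a WPA wordlist.

Added example, not MTeams' ESSIDPROBEWPA script. Assumes the CSV layout
airodump-ng writes: an AP table and a station table, each introduced by a
header row, with a station's probes joined by "," in the table's last field.
"""
import re
import sys

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample: the sanitized screen capture from the thread, written the
# way airodump-ng would have put it in dumpfile-01.csv (not a real capture).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
55:44:33:22:11:00, 2015-09-28 07:20:01, 2015-09-28 07:20:08,  5,  -1, WEP, WEP, , -1,        0,        5,   0.  0.  0.  0,   0, ,
66:44:33:22:11:00, 2015-09-28 07:20:01, 2015-09-28 07:20:08,  6,  54, WPA, CCMP, PSK, -66,        2,        7,   0.  0.  0.  0,  11, Wifi Name 1,
77:44:33:22:11:00, 2015-09-28 07:20:02, 2015-09-28 07:20:08,  7,  54, WPA2, CCMP, PSK, -72,        2,        0,   0.  0.  0.  0,  13, Smith, Family,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2015-09-28 07:20:02, 2015-09-28 07:20:08, -57,        5, 55:44:33:22:11:00, 12345678,Wifi_Home
00:11:22:33:44:77, 2015-09-28 07:20:03, 2015-09-28 07:20:08, -72,        1, (not associated), 033441345
00:11:22:33:44:99, 2015-09-28 07:20:03, 2015-09-28 07:20:08, -73,        1, (not associated), Wifi Name 4
00:11:22:33:55:55, 2015-09-28 07:20:04, 2015-09-28 07:20:08, -64,        1, (not associated), 1234567
"""


def parse_airodump_csv(text):
    """Return (aps, stations) from the text of an airodump-ng -01.csv file.

    aps:      [{"bssid", "privacy", "essid"}]   essid may contain commas (rejoined)
    stations: [{"station", "bssid", "probes"}] probes split on "," as airodump wrote them
    """
    aps, stations = [], []
    section, header = None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(",")
        first = parts[0].strip()
        if first == "BSSID":               # AP table header: learn column positions
            section, header = "ap", [p.strip() for p in parts]
            continue
        if first == "Station MAC":         # station table header
            section, header = "sta", [p.strip() for p in parts]
            continue
        if section is None or not MAC_RE.match(first):
            continue                       # not a data row
        if section == "ap":
            e = header.index("ESSID")
            tail = len(header) - e - 1     # columns after ESSID (only "Key")
            essid = ",".join(parts[e:len(parts) - tail]).strip()  # ESSID may hold commas
            aps.append({"bssid": first,
                        "privacy": parts[header.index("Privacy")].strip(),
                        "essid": essid})
        else:
            n = header.index("Probed ESSIDs")
            probes = [p.strip() for p in parts[n:] if p.strip()]
            stations.append({"station": first,
                             "bssid": parts[header.index("BSSID")].strip(),
                             "probes": probes})
    return aps, stations


def is_psk_candidate(s):
    """A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters."""
    return 8 <= len(s) <= 63 and all(32 <= ord(c) < 127 for c in s)


def build_wordlist(aps, stations):
    """Return (candidates, short_probes, pairs).

    candidates:   distinct ESSIDs and probes that could be a PSK (feed to aircrack-ng -w)
    short_probes: probes under 8 chars, kept aside as possible key fragments
    pairs:        (bssid, station, probe) so a hit can be tied back to an AP
    """
    candidates, short_probes, pairs, seen = [], [], [], set()
    for ap in aps:                         # users load the AP name into the key block
        e = ap["essid"]
        if is_psk_candidate(e) and e not in seen and not e.startswith("<length:"):
            seen.add(e)
            candidates.append(e)
    for st in stations:
        for p in st["probes"]:
            pairs.append((st["bssid"], st["station"], p))
            if p in seen or p.startswith("<length:"):
                continue
            seen.add(p)
            (candidates if is_psk_candidate(p) else short_probes).append(p)
    return candidates, short_probes, pairs


def write_files(prefix, candidates, pairs):
    """<prefix>dic.txt for aircrack-ng -w, <prefix>pairs.txt for the ESSID/BSSID/probe lookup."""
    with open(prefix + "dic.txt", "w") as f:
        f.write("\n".join(candidates) + "\n")
    with open(prefix + "pairs.txt", "w") as f:
        for bssid, station, probe in pairs:
            f.write(f"{bssid} {station} {probe}\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # python3 extract.py dumpfile-01.csv
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    aps, stations = parse_airodump_csv(text)
    candidates, short_probes, pairs = build_wordlist(aps, stations)
    print("PSK candidates:", candidates)
    print("short probes (possible key fragments):", short_probes)
    for rec in pairs:
        print("pair:", *rec)
    write_files("essidprobes", candidates, pairs)
```

Then run aircrack-ng wifi.cap -w essidprobesdic.txt as in the first post. One limit to know about: a single probe that itself contains a comma cannot be told apart from two probes in this csv, because airodump-ng joins probes with the same character; the kismet.csv and the raw .cap are the places to resolve that.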

mmusket33
2016-01-11, 02:46
ESSIDPROBEWPA3-21.sh has been released for general use.

See start of thread for version commentary.

You can download at:

http://www.datafilehost.com/d/3fb327e4

MTeams

mmusket33
2016-08-18, 13:14
Those working with csv files may find the following script useful; see:


http://forum.aircrack-ng.org/index.php/topic,898.0.html


Musket Teams

KabelHorst
2016-09-01, 20:28
nice work thanks to MTeams

Maculo
2016-09-05, 08:33
Thank you for the info and for sharing it!

mmusket33
2016-09-05, 11:29
To KabelHorst and Maculo:


May the password be with you

Musket Teams

mmusket33
2016-09-13, 11:21
Chris has issued an update to his csv program.

See https://forum.aircrack-ng.org/index.php/topic,898.0.html

Musket Teams

mstrmnn
2017-08-20, 09:14
Chris has issued an update to his csv program.

v0.5 now: https://forum.aircrack-ng.org/index.php/topic,898.msg4550.html#msg4550