Results 1 to 27 of 27

Thread: Cracking a WPA/WPA2 wireless Access Point

  1. #1
    Join Date
    2014-Jan
    Posts
    6

    Cracking a WPA/WPA2 wireless Access Point

    Before going into the commands of what you need to type you need to understand the basics of what you need to do. Here is what you need to do in order (roughly):

    Create a monitoring device on your computer. Presuming you have a wireless adapter on your computer you should be able to create a monitoring device. Not all devices can inject packets however which is very important.
    Search for wireless access points to crack into. Although you might be able to see an AP you might not necessarily be able to sit between the router and a user, but running the following commands will determine that.
    Hone in on the specific AP. You need to get some specific information about the access point and who is connected to it. You need to do this to enable you to know who to listen in on. You’re looking for the requests sent from the user to the router.
    Start logging the requests hashes. Specifically the password hashes!
    Start a brute force attack. You need a password list file(s) to do this. Get one!

    Don’t worry if you don’t understand all of the above, all will become apparent soon.

    Type:
    ifconfig

    Providing you get a result that says you have a wlan0,1,2 etc you should be ok! If you have one that says mon0,1,2 etc that skip the next step.

    Type:
    airmon-ng start wlan0

    This will create a monitoring device. Take note of what it’s called. Should be something like mon0, mon1 etc.

    Type:
    airodump-ng -c 6 mon0

    This will start a scan of everything you can see around you. Note that it’s using mon0 as the monitoring device and it’s on channel 6. Change these options as you see fit.

    Now this is the time to do some watching. You’re looking for a wireless connection that is WPA/WPA2 enabled. Note which channel it’s on and take a note of the MAC address.

    Type:
    airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w psk mon0

    Use the string above to start listening in on to a specific AP. Again change the channel the MAC address and monitoring device as you see fit.

    Now, this bit gets a bit complicated and cool at the same time. What you may (or may not) need to do is force users to send login requests to the router. You can do this by entering the AP MAC address and another users MAC address into the following string.
    HINT: You can obtain a users MAC address from the window we last used.

    Type:
    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0

    Now, see the number 1 near the start? That isn’t enough i don’t believe force a users computer to send a login request to the router. However, i’ve been told it is. The truth is, if you change the ’1′ to ’9999999′ or some other ridiculous number then it’s sure to work. However, you will completely block that users connection to the internet… So, yeah. Do what you will with that command, and don’t hold me responsible!!

    Anyway, by now you should have sufficient hashes for you to crack.

    Type:
    aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

    This will start a brute force password file attack and eventually produce a password you can use to connect to the router.

    I have not gone into great detail about what each little bit does and there is so much more you can do. This tutorial is just to get you started. If you want to know even more then go here to the lovely people who made this great product and check out their tutorials.

    Have fun! Oh, and only crack into wireless devices you manage or get permission from the owner! cough cough

  2. #2
    Join Date
    2014-Jan
    Posts
    17
    Hi MrShingles,
    i am wondring - what could be reason for not catching 4 way handshake when doing deauthentication with -0 reason. i checked the .cap file that i saved and it has eapol in the inside of it but, for some unknown reason airodump-ng wasn't able to see them. do you have any guess i how could i fix this ?

  3. #3
    Failed attempt on my home wireless network on WPA with 1 handshake and using darkc0de.lst from teamctfu. It's a simple 14 letter two merged word passphrase. After 1,144,730 keys tested, it posts passphrase not in dictionary. Is there a better or longer dictionary out there or do I need to collect more handshakes?

  4. #4
    Join Date
    2013-Jul
    Posts
    841
    We suggest you turn to aircrack-ng forums for questions concerning cracking WPA thru brute force methods.

  5. #5
    Join Date
    2013-Nov
    Posts
    68
    disregard.....
    Last edited by thepoor; 2014-02-24 at 18:03. Reason: fixed

  6. #6
    Join Date
    2013-Nov
    Posts
    68
    Sorry but this does not work for me. I set up my router with key as 12345678 have my other laptop connected and got a handshake. aircrack-ng with darkc0de.lst but it did not found the key. I also cracked it with WPAword list and nada.
    Where is the darn "any key" key?

  7. #7
    Join Date
    2013-Nov
    Posts
    68
    Well, I crunched my own 8 digits numeric wordlist and it found my key. I guess you have to tried a different wordlists and patient to get it. just like fishing.
    Where is the darn "any key" key?

  8. #8
    Join Date
    2013-Mar
    Location
    n0wh3r3
    Posts
    53
    Try Reaver which makes things easy don't depend on word-lists its a long process with minimum success rates.

  9. #9
    Join Date
    2013-Nov
    Posts
    68
    I tried and I got the following:

    reaver -i mon0 -c 10 -b 00:00:00:00:00:00 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 360

    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    Last edited by thepoor; 2014-03-02 at 20:16.
    Where is the darn "any key" key?

  10. #10
    Name Taken Guest
    Cracking at 500-1k passwords per CPU thread per second in a laptop with Aircrack-ng is not very efficient. If you have a Scrypt mining rig with 6 R9 290 for example, that can crack at 900k passwords/second with oclHashcat. I have complied my own wordlist from dozens of smaller ones then stripped them using
    Code:
    "grep -E '^[0-9a-zA-Z]{8,}$' dict_unique.txt > wordlist.stripped.txt"

  11. #11
    Join Date
    2013-Jul
    Posts
    841
    To Name Taken

    Is there any chance that you provide more details and expand on the following :

    Scrypt mining rig with 6 R9 290

    We are always interested in higher speeds

    MTA

  12. #12
    Name Taken Guest
    Quote Originally Posted by mmusket33 View Post
    To Name Taken

    Is there any chance that you provide more details and expand on the following :

    Scrypt mining rig with 6 R9 290

    We are always interested in higher speeds

    MTA
    What specifically do you want to know? Scrypt is an alternative algorithm to SHA-256 many cryptocurrencies use. Mining cryptocurrencies is very similar to password cracking. GPUs are significantly faster than CPU.

  13. #13
    Join Date
    2014-Mar
    Location
    Edinburgh
    Posts
    1
    As Name taken states, he was referring to mining rigs. 6 R9 290's are about as powerful a rig as you can get nowadays. I also mine on reasonably powerful rigs and with some help would put my Hash power towards password cracking for people here. I'm a new user to Kali and currently learning lots as I go but keep to get involved.

    I have an HD7990 and 5970 that I could put towards cracking.
    Alternative Music & Video Producer with a keen interest in OPsec and Linux in general.

    Edinburgh, Scotland.

    http://zambianastronaut.com

  14. #14
    Join Date
    2015-Feb
    Posts
    4
    Hello everybody!

    I would like to capture encrypted frames, but I can't. Help me, please.
    Used the commands:

    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    airodump-ng --bssid 9c:d6:43:a8:9d:60 wlan0 -c 4 -w test2015 wlan0

    Just capture a control frames: Clear-to-send, ack; and beacon frames.

    I would like capture a bit stream encrypted 1001110110101001 by data frames.... How can I do it?

    Thank you very much.

  15. #15
    Join Date
    2013-Jul
    Posts
    12
    Quote Originally Posted by henrique_luiz View Post
    Hello everybody!

    I would like to capture encrypted frames, but I can't. Help me, please.
    Used the commands:

    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    airodump-ng --bssid 9c:d6:43:a8:9d:60 wlan0 -c 4 -w test2015 wlan0

    Just capture a control frames: Clear-to-send, ack; and beacon frames.

    I would like capture a bit stream encrypted 1001110110101001 by data frames.... How can I do it?

    Thank you very much.
    First off all as he told you in the tutorial you shoud use the monitor device (mon0)and not wlan0 in your "airodump-ng --bssid 9c:d6:43:a8:9d:60 wlan0 -c 4 -w test2015 wlan0" line
    Second i dont know why you set wlan0 2 times in same line.

    And for the third when you start to put your wlan0 into monitor mode you dont need 2 down it, just use following line

    airmon-ng start wlan0 (device is putting into monitormode)

    now you sometimes can se some info about process who may disturb your monitordevice, in my case its look like this

    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    2589 NetworkManager
    2708 wpa_supplicant
    2736 dhclient
    3121 dhclient
    Process with PID 2736 (dhclient) is running on interface wlan0

    If you se this warning just use the kill command like this.

    kill 2589

    and so on until all process are killed. (sometimes it says a process dont exist becouse when you kill 1 process another chainreact to that and close auto)

    Now your ready to move on to the airodump-ng line again and this time use mon0 and just 1 time.
    Last edited by squashen; 2015-02-05 at 00:30.

  16. #16
    Join Date
    2015-Feb
    Posts
    4
    Firstly, thank you squashen.
    I used the command: "airmon-ng start wlan0" and killed the process. So run the command: "airodump-ng --bssid 9c:d6:43:a8:9d:60 -c 4 -w 05022015 mon0"
    Unfortunately the problem persists: I can capture only control frames and beacon frames.
    Thereafter, I tried use the kismet but occurred the same result: capture only control frame, QoS frame and beacon frame.
    I would like capture encrypted data frames. Is it possible?

  17. #17
    Join Date
    2015-Feb
    Posts
    3
    Hey,

    after doing a lot of reading on this topic and messing with Kali quite a bit I've decided to ask the more experienced guys..
    I am running Kali 1.0.9a 64 bit from USB.

    My goal is to crack a wifi password obiously. I tried the built in tool (with gui .. can't remember the exact name as I have no reference).
    With attacks on WPS (reaver) I always get the 'failed to associate with... ' error.
    When I was trying airodump, I even failed to get a handshake. I also tried wifite, which is quite intuitive.. but also didn't have any success.

    Is there something I am doing wrong? I can repeat the process and take screenshots of all outputs... without the handshake, I cannot progress in any way.

    Also there are few technical things that I was unable to look up.
    1. I understand that when the wifi adapter is in monitor (promiscuous) mode, it's able to listen to all the passing traffic. But how is it possible that Kali can interact (send commands) with the AP? It is not connected in any way.
    2. When sending deauth packets, what exactly happens to the clients? Do they get disconnected completely? Wouldn't that make (the slightly more educated ones) suspicious of what's going on? What if the AP that I am attacking doesn't have clients connected?
    3. OP mentions that the client's MAC address can be obtained from airodump-ng output.. which one is it? There's a BSSID and a station address displayed.
    4. I completely don't get the way wordlist work. I mean, what is the probability that the AP would have a password from a randomly generated wordlist?
    Is it not better to use, let's say crunch to generate all combinations of lower, upper case letters and numbers?

    Thanks a lot for help
    And sorry for the lengthy post, I wanted to compile it into one post.. this is driving me crazy for the past couple of days and I really want to make some progress.
    I am happy to provide any further details if needed.

  18. #18
    Join Date
    2015-Feb
    Posts
    4
    I read this pdf <www.kismetwireless.net/bsides/wifi_tools.pdf>, page 2: "If you’re on a WPA protected network, you will only see packets destined to your device, and
    broadcasts." Ok. I know this because GTK is the same for all stations. But, for capture broadcast frames I need have the password and be concected with access point. I don't conect the AP, but I want colect the encrypted frames, the set of bits: ...10110100101110011010111001... Is it possible?

  19. #19
    Join Date
    2013-Jul
    Posts
    12
    Quote Originally Posted by Randall View Post
    Hey,

    after doing a lot of reading on this topic and messing with Kali quite a bit I've decided to ask the more experienced guys..
    I am running Kali 1.0.9a 64 bit from USB.

    My goal is to crack a wifi password obiously. I tried the built in tool (with gui .. can't remember the exact name as I have no reference).
    With attacks on WPS (reaver) I always get the 'failed to associate with... ' error.
    When I was trying airodump, I even failed to get a handshake. I also tried wifite, which is quite intuitive.. but also didn't have any success.

    Is there something I am doing wrong? I can repeat the process and take screenshots of all outputs... without the handshake, I cannot progress in any way.

    Also there are few technical things that I was unable to look up.
    1. I understand that when the wifi adapter is in monitor (promiscuous) mode, it's able to listen to all the passing traffic. But how is it possible that Kali can interact (send commands) with the AP? It is not connected in any way.
    2. When sending deauth packets, what exactly happens to the clients? Do they get disconnected completely? Wouldn't that make (the slightly more educated ones) suspicious of what's going on? What if the AP that I am attacking doesn't have clients connected?
    3. OP mentions that the client's MAC address can be obtained from airodump-ng output.. which one is it? There's a BSSID and a station address displayed.
    4. I completely don't get the way wordlist work. I mean, what is the probability that the AP would have a password from a randomly generated wordlist?
    Is it not better to use, let's say crunch to generate all combinations of lower, upper case letters and numbers?

    Thanks a lot for help
    And sorry for the lengthy post, I wanted to compile it into one post.. this is driving me crazy for the past couple of days and I really want to make some progress.
    I am happy to provide any further details if needed.
    Answer on your first question can be some of the following

    1. you are to far away from AP (even if you have a signal its sometimes not enough for a good communication, You may hear the routers signal, but dont forget that router needs to hear you 2)
    2 you are 2 close 2 router (its like reading a paper, you cant se the letters from a mile, but you cant even se the letter if you press the papers against your eyes.
    3. you wirelesscard doesent support this kind of stuff.
    4. sometimes reaven can have problem with the association, try use the -A options to not use assocciation in reaver, but if you do you must use another associationprogram like aireplay-ng with -1 option.

    your other question.

    1. when you are accosiated with a router you have a kind of conection with the router and can talk to it but you are not letted in on the network yet (its like knocking on someones door and he open, you can talk to the person in the house, but he hasent yet let you in the house.)
    2. the deauth packet force the client of the network, if the client has a autoconnect option enable hes online again in a few sec if you only send 1 or few packet, if you send like 50 packets hes offline while the packets sends and try to reconect and gona do so when those 50 packets stop coming.
    What i have got is that the deauth-packet is a warning send to the Ap that this client is not a valid client (not trusted, have sneaked in) and the Ap diretly kicks the client out for doing a pass-control again before he lets in (and its that we wanted to happen if we want a handshake)
    and to do so we sont need to be inside the house to send the warning, its enough to knock on the door and tell him when he open the door (being associated)
    But the people do often when they dont get a handshake is that they send to few pakets to the ap with deauth, send about 30-40 so its relly goes offline, and the clients need to have the autoconnect enabled.

    3. bssid is the Ap:s mac and the station is a client and its mac
    in your pic you se 2 ap:s in the top, below you se a connection between 1 of the ap:s and a client.(if you do an association to that ap your mac gona show up there 2)
    and the other Ap have no clients cconnected what you have found anyway.
    4. The wordlist was more better before when the mostly routers have password setted from the owner, and that was often a knowed word wich was easy to remeber. and if you just try wellknowed word the brute time went down drastic.

    hope that clear some of your question and sorry for my extremt badly englishXD

  20. #20
    Join Date
    2015-Feb
    Posts
    3
    oh perfect. Thanks a lot! Definitely cleared some things up.

    I guess I will repeat the whole process and take screenshots so you know what's going on. I think the distance should be alright... it's my neighbor's AP in a flat. I usually get 3-4/5 signal strength.
    Is there a test to see if my wifi card is capable of this? I tried an injection test some time, but don't remember the output.

  21. #21
    Join Date
    2013-Jul
    Posts
    12
    Yeah aireplayng -9 is one test (the injecttest)
    Otherwise the thing you an do is check what other people say about your card in different forum, sometimes differnt card work different good with different drivers and different program with different libs.

  22. #22
    Join Date
    2015-Feb
    Posts
    3
    so just another update..
    I used wifite this time. I managed to finally get a handshake at least (still took quite a long time). Not sure why a WPS attack failed, when the wps on the AP was enabled.
    One thing I am curious about is the size of crunch generated wordlists.. do I require to have such a massive free space on my disk? With a combination of lower and uppercase letters and numbers, it would be 100s of TB.
    I am now trying to use pyrit to do this with my GPU... with my nb's i5 cpu it would take ages.

  23. #23
    Join Date
    2015-Feb
    Posts
    4
    Hello, everybody!

    I learned with Nayanajith that QoS frames are encrypted data frames. Using wireshark and the password, it is possible to decrypt frames collected with airodump.
    <http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark>

    Thanks a lot!

  24. #24
    Join Date
    2014-Jun
    Posts
    71
    reaver -i mon0 -c 1 -b <mac> -S -N -a -vv -d 30 -r 3:15 -L -A
    this worked for me on a Linksys E1000 , found the WPS pin which was '92489448'
    We need to look into wps-pin its doing , creating a database of wps-pin numbers.

  25. #25
    Join Date
    2015-Feb
    Posts
    1
    I get neither wlan0 or mon0 when typing ifconfig. I have eth0 and lo

    Trying to start eth0 gives me :
    Code:
    root@kali01:~# airmon-ng start eth0
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e 
    PID	Name
    2126	dhclient
    2419	NetworkManager
    Now keep in mind that I am completely new to this, but after some research I believe I have to buy an usb wireless adapter that supports packet injection?
    Could anyone confirm that or help me out in another way

  26. #26
    Quote Originally Posted by Invictus View Post
    I get neither wlan0 or mon0 when typing ifconfig. I have eth0 and lo

    Trying to start eth0 gives me :
    Code:
    root@kali01:~# airmon-ng start eth0
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e 
    PID	Name
    2126	dhclient
    2419	NetworkManager
    Now keep in mind that I am completely new to this, but after some research I believe I have to buy an usb wireless adapter that supports packet injection?
    Could anyone confirm that or help me out in another way
    i think you are using Virtual Machine (if yes then ofcourse you need to buy an Usb Wifi Card). And if no then Simply Boot Kali from USB and Then Check , i 'm Sure it'll Work Fine...

  27. #27
    Join Date
    2015-May
    Posts
    25
    Hi,

    I would like to share something, Which I have tested and proved 100% results:

    Please use wifite-mod-pixiewps, it cracks the PIN and reveals the WPA Passphrase in less than 2 minutes.
    Here is the link to https://github.com/aanarchyy/wifite-mod-pixiewps . All the credits goes to aanarchyy and the team.

    How to install wwifite-mod-pixiewps
    1. unzip the package
    2. copy the wifite-ng program to desktop
    3. Right-click on wifite-ng
    4. properties
    5. Permissions - check allow executing as a program
    6. close
    7. run and select open in terminal

    Please note:
    Make sure you have installed:
    1. reaver-wps-fork-t6x by t6x (https://github.com/t6x/reaver-wps-fork-t6x)
    2. Pixiewps by Wiire (https://github.com/wiire/pixiewps)

    You can also instal latest reaver and aircrack-ngl via terminal
    1. apt-get update
    2. apt-get install reaver aircrack-ng
    This is will install the latest aircrack version( no longer mon0 instead wlan0mon) and will also install reaver 1.5.2

    Here is the link for reference https://www.kali.org/penetration-tes...ck-ng-updates/

    Always target a router whose db signal is between 40db - 50db pr more, not less than 20db(check in wifite when you run)

    Happy Hacking.

    Cheers!

Similar Threads

  1. Aerial - Multi-mode wireless LAN Based on a Software Access point
    By Nick_the_Greek in forum How-To Archive
    Replies: 72
    Last Post: 2015-10-13, 15:15
  2. Rogue Access Point with 2 Wireless Cards
    By m4rshall in forum General Archive
    Replies: 2
    Last Post: 2014-07-01, 07:12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •