
Thread: How can i accept a handshake with airbase-ng

  #1 (Join Date: 2015-Jul, Posts: 32)

    How can i accept a handshake with airbase-ng

    Hi all,
    Let me start by saying, yes, I am a noob to Kali and all its wonderful and mystical tools... and perhaps I have watched too many episodes of Mr. Robot. That said, I have been playing with airbase-ng, airmon-ng, and airodump-ng and having a wonderful time.

    Recently I conducted an experiment where I created a fake ESSID called "freeboobs" like so:
    Code:
    airbase-ng -a AA:AA:AA:AA:AA:AA -e "freeboobs" -c 6 -W 1 -Z 4 wlan1mon

    In a second terminal window I started a dump like so:
    Code:
    airodump-ng -c 6 --output-format pcap -w /root/fakeboobs wlan1mon
    I then went over to my phone and looked for the "freeboobs" network... there it was! And who doesn't want to connect with 'freeboobs'... so I connected using the password "iloveyou", as I knew it existed in my wordlist 'rockyou.txt'.

    Soon enough I got the two terminal windows to output the following:

    Code:
    root@kali:~# airbase-ng -a AA:AA:AA:AA:AA:AA -e "freeboobs" -c 6 -W 1 -Z 4 -V 3 wlan1mon
    18:14:11  Created tap interface at0
    18:14:11  Trying to set MTU on at0 to 1500
    18:14:11  Access Point with BSSID AA:AA:AA:AA:AA:AA started.
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    18:14:17  Client 84:7A:88:5D:0D:DB associated (WPA2;CCMP) to ESSID: "freeboobs"
    and...

    Code:
    CH  6 ][ Elapsed: 1 min ][ 2015-07-30 18:15 ][ WPA handshake: AA:AA:AA:AA:AA:AA

     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

     AA:AA:AA:AA:AA:AA    0  15      976      509    0   6  54   WPA2 CCMP   PSK  freeboobs

    My question is in two parts...

    1. The phone failed to connect. It said "authenticating" and then never got authenticated. I guess this is expected, but is it possible to fake the final part of the handshake and allow the phone to be connected, so I can explore possible MitM attacks?

    2. After I stopped the airodump, I ran cowpatty and got a success:

    Code:
    root@kali:~# cowpatty -r '/root/fakeboobs-02.cap' -c
    cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>
    
    Collected all necessary data to mount crack against WPA2/PSK passphrase.
    but I have been running aircrack:
    Code:
    aircrack-ng -w /root/rockyou.txt fakeboobs-02.cap
    knowing that the password I entered, 'iloveyou', is early in the list, and it is still going for about 2 hours now... Is it possible that it won't crack the password even though it's in the list? If so, why?

    UPDATE: it did not crack the password after three hours, so I ran the script again, ensuring that I used "iloveyou" as the password and using a txt file that only has 'iloveyou'. It did NOT crack the password.

    Any ideas why?

    Thanks for helping me learn.

    elidd1
    Last edited by elidd1; 2015-07-31 at 00:17. Reason: airbase-ng, aircrack-ng, MitM,

  #2 (Join Date: 2015-Mar, Posts: 48)
    1. Your phone will never really authenticate when using airbase-ng; you will have to use something like hostapd.
    2. Aircrack-ng does not always find the password because the handshake may be malformed, or not complete, or out of sequence. The best tool is pyrit with the --all-handshakes option. It always finds the password unless your handshake is really corrupt.
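As an added illustration of the reply's point about incomplete or out-of-sequence handshakes (this is example code, not code from the thread or from the aircrack-ng project), the script below classifies WPA2 EAPOL-Key messages by their Key Information flags and checks whether a capture holds message pairs with matching replay counters. It works on constructed EAPOL-Key bodies rather than a real pcap; the frames, nonces and the PARTIAL/FULL scenarios are made up, and the pairing rules are the standard 802.11 ones, not aircrack-ng's exact acceptance logic.

```python
import struct
# EAPOL-Key "Key Information" flag bits (IEEE 802.11, 12.7.2); RSN/WPA2 descriptor assumed.
KEY_TYPE_PAIRWISE, INSTALL, KEY_ACK, KEY_MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def build_eapol_key(info, replay, nonce=bytes(32)):
    """Construct a minimal EAPOL-Key body for testing (no real MIC or key data)."""
    body = struct.pack(">BHHQ", 2, info | KEY_TYPE_PAIRWISE, 16, replay)
    body += nonce + bytes(48) + b"\x00\x00"             # IV, RSC, ID, MIC, key-data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key

def classify_eapol_key(frame):
    """Return (message_number, replay_counter, nonce), or None if not a pairwise EAPOL-Key."""
    if len(frame) < 99 or frame[1] != 3:
        return None
    _desc, info, _klen, replay = struct.unpack(">BHHQ", frame[4:17])
    if not info & KEY_TYPE_PAIRWISE:
        return None                                     # group-key handshake, not the 4-way
    ack, mic, secure, install = (bool(info & b) for b in (KEY_ACK, KEY_MIC, SECURE, INSTALL))
    if ack and not mic:
        msg = 1                                         # AP -> STA: ANonce
    elif ack and mic and install:
        msg = 3                                         # AP -> STA: ANonce, GTK, MIC
    elif mic and not ack and not secure:
        msg = 2                                         # STA -> AP: SNonce, MIC
    elif mic and not ack and secure:
        msg = 4                                         # STA -> AP: confirmation MIC
    else:
        return None
    return msg, replay, frame[17:49]

def handshake_status(frames):
    """Report which messages a capture holds and whether they pair by replay counter."""
    seen = {}
    for f in frames:
        c = classify_eapol_key(f)
        if c:
            seen.setdefault(c[0], []).append(c[1])
    # M1/M2 share one replay counter and M3/M4 the next; an M2 answering a different
    # (retried) M1 leaves the capture out of sequence even though both messages exist.
    pair_12 = any(r1 == r2 for r1 in seen.get(1, []) for r2 in seen.get(2, []))
    pair_34 = any(r3 == r4 for r3 in seen.get(3, []) for r4 in seen.get(4, []))
    return {"messages": sorted(seen), "m1_m2_pair": pair_12,
            "m3_m4_pair": pair_34, "complete": pair_12 and pair_34}

# Constructed captures. PARTIAL is the shape the thread describes: the fake AP sent M1 and
# the phone answered M2, but without the PSK the AP cannot build a valid M3, so it stops.
PARTIAL = [build_eapol_key(KEY_ACK, 1, b"\xaa" * 32), build_eapol_key(KEY_MIC, 1, b"\xbb" * 32)]
OUT_OF_SEQUENCE = [build_eapol_key(KEY_ACK, 1), build_eapol_key(KEY_MIC, 2)]
FULL = PARTIAL + [build_eapol_key(KEY_ACK | KEY_MIC | INSTALL | SECURE, 2),
                  build_eapol_key(KEY_MIC | SECURE, 2)]
```

Running `handshake_status` over the three constructed captures shows PARTIAL as an M1/M2 pair only, OUT_OF_SEQUENCE as two messages that do not pair, and FULL as a complete exchange.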
