PcPedia >> don't let computing get the better of you!

Crack a WPA Network eng

We have already seen how easy it is, given time and the right tools, to recover the WEP key of any wireless network.

We have already explained that these operations are not lawful except when done purely out of interest, for your own learning ...

When cracking a WPA/WPA2 network the sniffing phase is easier and faster than for WEP, but the cracking phase is a bit of a lottery, because for now it is a simple brute-force attack with dictionaries .. The advantage is that once the handshake needed for the crack has been captured, the cracking can be done offline; the disadvantage is that if the passphrase is not a complete word, or is not contained in our dictionaries, cracking is for now impossible.

0) What is the WPA handshake?

We can define it as a kind of "greeting" (hand-shake) between two devices before communication starts: in this phase they "agree" on transmission rates, protocols and encryption .... The guides always speak of a four-way handshake; in a nutshell it is a simple request/acknowledgement exchange.


  • A to B -> Hello, I'm a wifi card
  • B replies to A -> I'm an access point, I'm protected by WPA, I transmit at 54M in mode b ...
  • A to B -> but I can only do 11M; are you happy with my WPA PSK and my MAC?
  • B replies to A -> ok, that's fine, log in


We must capture this exchange in order to carry out the WPA crack, obviously with the aircrack suite .. No client, no crack ..
The use of Linux live tools such as Kismet and BackTrack (explained in the previous WEP tutorial) is taken for granted.

1) Analysis of the target network


We start Kismet and collect all of the following data:

  • the target network of our analysis; it is essential that its protection is of type WPA/WPA2 PSK (Pre-Shared Key)
  • its channel and its MAC address
  • the transmission rate (e.g. 11M, 22M, 54M ...)
  • the transmission mode (802.11 b or g)

Now we need to look for connected clients; we can still do this with Kismet (press c).
Of course, even if there are no clients connected you can continue the tutorial, but you will have to wait for some good soul to connect ..
Now that we have noted everything we need, we can set up the capture ..

2) Basic settings


After shutting down Kismet (which seems to me to interfere with the capture), set monitor mode on the network's channel.
Suppose it is channel 11:

airmon-ng stop wlan0
airmon-ng start wlan0 11


Now set the rate and the transmission mode with the following commands (personally I thought it was not important, but the facts proved me wrong ..):

iwconfig wlan0 rate 22M # assuming the rate is 22M
iwpriv wlan0 mode 2 # mode b (0 means auto, 1 means g, etc.)

Note that if the capture does not succeed it is a good idea to try lowering the rate to the minimum:

iwconfig wlan0 rate 1M

3) Capture the handshake


We set airodump to listen on the right channel (BSSID is the MAC of the target access point; the results are written to the file "testhandshake"):

airodump-ng --bssid 00:1D:8B:XX:XX:XX --channel 11 -w testhandshake wlan0

Now we must wait for some client to connect with the correct password, so that a proper handshake takes place ...
Or we can deauthenticate a client that is already connected so that it reconnects; to do so we send one or more deauthentication packets with aireplay:


aireplay-ng -0 1 -a 00:1D:8B:XX:XX:XX -c 0E:1B:DA:XX:XX:XX wlan0

 

-0 is the deauth mode, and the number that follows is the number of deauthentication packets (5, 9 or 10 also work, but not too many, otherwise the AP stops listening)

The first MAC is that of the station (the access point), while the second is that of the client to disconnect.
Now, with a little patience and a few attempts (also changing the rate to 1M), the following should appear in the top right of the airodump window:


WPA handshake

Now many say to check the handshake with the EAPOL filter in Wireshark, but I have noticed that if airodump says so it can be trusted, and then aircrack checks it as well.
(NOTE: those who say that all four messages of the handshake must be present are inexperienced people copying guides; try with only three and the crack works just the same ...)
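The exchange described in section 0 and the deauthentication-plus-capture step above are exactly what a wireless intrusion detection system looks for from the other side. The following Python script is an added example, not code from the original article or from the aircrack-ng suite: it parses 802.11 deauthentication frames and the four EAPOL-Key messages of the handshake so that a defender can see a deauth burst followed by a client re-negotiating its keys. The frame layout follows IEEE 802.11 and 802.1X; the MAC addresses, the RSN information element and the alert threshold are constructed assumptions.

```python
"""Monitor for the 4-way handshake (section 0) and the deauthentication step (section 3).

Added example, not code from the original article or from the aircrack-ng suite.
It parses 802.11 deauthentication frames and EAPOL-Key frames so that a defender
watching a monitor-mode capture can spot a deauth burst followed by a handshake
renegotiation. The frames below are constructed inline with placeholder
(locally administered) MAC addresses; real frames would come from a capture.
"""
import struct
from collections import Counter, defaultdict

MGMT, DATA = 0, 2                 # 802.11 frame types
DEAUTH = 12                       # management subtype "Deauthentication"
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 key descriptor)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC = 0x0008, 0x0040, 0x0080, 0x0100


def mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_80211(frame: bytes):
    """Return (type, subtype, receiver, transmitter, body) of a 3-address frame without QoS."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, fc0 >> 4, frame[4:10], frame[10:16], frame[24:]


def parse_eapol_key(payload: bytes):
    """Return (key_info, key_data_len) of an EAPOL-Key frame, or None for other 802.1X types."""
    _version, ptype, length = struct.unpack("!BBH", payload[:4])
    if ptype != 3:                                   # 3 = EAPOL-Key
        return None
    body = payload[4:4 + length]
    key_info = struct.unpack("!H", body[1:3])[0]     # follows the 1-byte descriptor type
    key_data_len = struct.unpack("!H", body[93:95])[0]   # after replay counter, nonce, IV, RSC, ID, MIC
    return key_info, key_data_len


def classify_eapol_key(key_info: int, key_data_len: int):
    """Map the Key Information flags to 4-way handshake message 1-4 (None if not pairwise)."""
    if not key_info & KI_PAIRWISE:
        return None                                  # group key handshake, not the 4-way
    ack, mic, install = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_INSTALL
    if ack and not mic:
        return 1                                     # AP -> STA, carries the ANonce
    if ack and mic and install:
        return 3                                     # AP -> STA, ANonce again, GTK in key data
    if not ack and mic:
        return 2 if key_data_len else 4              # STA -> AP: M2 carries the RSN IE, M4 has no key data
    return None


def analyse(frames, deauth_threshold: int = 3) -> dict:
    """Count deauth frames per transmitter and track which handshake messages each client exchanged."""
    deauth, seen, m1_index, first_deauth = Counter(), defaultdict(set), {}, None
    for i, frame in enumerate(frames):
        ftype, subtype, rx, tx, body = parse_80211(frame)
        if ftype == MGMT and subtype == DEAUTH:
            deauth[mac(tx)] += 1
            first_deauth = i if first_deauth is None else first_deauth
        elif ftype == DATA and body[:8] == LLC_SNAP_EAPOL:
            parsed = parse_eapol_key(body[8:])
            msg = classify_eapol_key(*parsed) if parsed else None
            if msg:
                client = mac(tx) if msg in (2, 4) else mac(rx)
                seen[client].add(msg)
                if msg == 1:
                    m1_index.setdefault(client, i)
    alerts = {src: n for src, n in deauth.items() if n >= deauth_threshold}
    return {
        "deauth_alerts": alerts,                                  # transmitter -> frame count
        "handshakes": {c: sorted(m) for c, m in seen.items()},    # client -> messages observed
        # clients whose handshake started after a deauth burst: the pattern "aireplay-ng -0" produces
        "renegotiated_after_deauth": sorted(
            c for c, m in seen.items()
            if alerts and {1, 2, 3, 4} <= m and m1_index.get(c, -1) > first_deauth),
    }


# --- constructed sample capture (placeholder addresses, not real devices) ---------------
def build_frame(fc0, flags, addr1, addr2, addr3, body):
    return bytes([fc0, flags, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00" + body


def build_eapol_key(key_info, key_data=b""):
    body = (bytes([2]) + struct.pack("!HHQ", key_info, 16, 1)      # descriptor, key info, key length, replay counter
            + bytes(32 + 16 + 8 + 8 + 16)                          # nonce, IV, RSC, ID, MIC (zeroed here)
            + struct.pack("!H", len(key_data)) + key_data)
    return struct.pack("!BBH", 2, 3, len(body)) + body             # 802.1X v2, type 3 = EAPOL-Key


AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK information element
SAMPLE_FRAMES = [build_frame(0xC0, 0x00, STA, AP, AP, b"\x07\x00")] * 5 + [   # 5 deauths "from" the AP
    build_frame(0x08, 0x02, STA, AP, AP, LLC_SNAP_EAPOL + build_eapol_key(0x008A)),          # M1
    build_frame(0x08, 0x01, AP, STA, AP, LLC_SNAP_EAPOL + build_eapol_key(0x010A, RSN_IE)),  # M2
    build_frame(0x08, 0x02, STA, AP, AP, LLC_SNAP_EAPOL + build_eapol_key(0x13CA, RSN_IE)),  # M3
    build_frame(0x08, 0x01, AP, STA, AP, LLC_SNAP_EAPOL + build_eapol_key(0x030A)),          # M4
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

On real traffic the frames would come from a monitor-mode capture (and would need the QoS and 4-address header variants this parser skips). A burst of deauthentication frames that is immediately followed by a complete renegotiation is the signature worth alerting on, since a client that really left does not come straight back; enabling 802.11w management frame protection on the access point is the mitigation that stops forged deauthentication frames from being honoured.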

4) Crack WPA

It is really hard when it comes to access points with a random 24-character password ...
But fortunately many people use common words that are often found in many dictionaries.

So at this point it is crucial to find many dictionaries in the right language for brute-forcing with aircrack; there are many on the net.
But a little social engineering does not hurt: if the network is called CapitanoKirk, get a dictionary with all the Star Trek characters, right?

For the crack we can work offline (also on Windows, with Aircrack for Windows) by typing:

aircrack-ng -w dizionario.txt -b 00:19:5B:XX:XX:XX testhandshake.cap

where obviously dizionario.txt is your wordlist and the MAC is that of the access point.
Note: we will devote a separate article to WPA brute-forcing, in which we will also analyse the so-called rainbow tables (genpmk, cowpatty ... etc.)
If you want, you can send your handshake to webmaster@pcpedia.it
We will try brute-forcing it and give you an answer within a week.
Here is an effective, up-to-date wordlist of Italian words (15.5 MB, 5 MB compressed).
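Read from the network owner's side, the section above is a checklist for choosing a pre-shared key: a random 24-character passphrase is out of reach, a dictionary word or the network's own name is not. The following Python check is an added example, not code from the original article; it tests whether a passphrase would fall to a wordlist or to the SSID-based guessing joked about above, and estimates how large the search is otherwise. The mini wordlist, the guessing rate and the 60-bit threshold are constructed assumptions.

```python
"""Pre-shared-key strength check for the dictionary attack discussed in section 4.

Added example, not code from the original article. It answers the defender's
question: would this passphrase fall to a wordlist (or to guessing based on the
network name), and how large is the search otherwise? The mini wordlist, the
SSIDs and the guessing rate are constructed assumptions.
"""
import math
import string

# Constructed mini wordlist; a real list such as the Italian one linked above has millions of entries.
WORDLIST = {"password", "enterprise", "capitanokirk", "spock", "vulcano", "12345678", "qwertyuiop"}

# Assumed guessing rate. Each WPA-PSK guess costs a PBKDF2-HMAC-SHA1 derivation with 4096
# iterations, so a single 2009-era CPU manages on the order of a thousand guesses per second.
ASSUMED_RATE_PER_S = 1000.0
WEAK_BITS = 60          # assumed threshold below which an exhaustive search is considered feasible
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)


def wordlist_hit(passphrase: str, ssid: str, wordlist=WORDLIST) -> bool:
    """True if the passphrase is a plain wordlist entry or is built around the network name."""
    p = passphrase.lower()
    return p in wordlist or (len(ssid) >= 4 and ssid.lower() in p)


def charset_size(passphrase: str) -> int:
    """Size of the smallest conventional character set that covers the passphrase."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32))
    size = sum(n for chars, n in classes if any(c in chars for c in passphrase))
    size += len(set(passphrase) - PRINTABLE)     # spaces, accented letters etc. count once each
    return max(size, 1)


def assess(passphrase: str, ssid: str, rate_per_s: float = ASSUMED_RATE_PER_S) -> dict:
    """Classify a candidate WPA passphrase and estimate the worst-case search time."""
    hit = wordlist_hit(passphrase, ssid)
    bits = len(passphrase) * math.log2(charset_size(passphrase))
    guesses = len(WORDLIST) if hit else 2.0 ** bits    # dictionary size vs. exhaustive charset search
    return {
        "valid_length": 8 <= len(passphrase) <= 63,   # WPA-PSK passphrase bounds
        "dictionary_hit": hit,
        "search_bits": round(bits, 1),
        "years_at_rate": guesses / rate_per_s / (365.25 * 86400),
        "verdict": "weak" if hit or bits < WEAK_BITS else "strong",
    }


if __name__ == "__main__":
    for candidate, ssid in (("enterprise", "StarTrek"), ("CapitanoKirk2009", "CapitanoKirk"),
                            ("Xq7!vL9#pR2$wN4&zK8@mB1%", "home")):
        print(candidate, assess(candidate, ssid))
```

The rate is the knob to tune: replace the assumed thousand guesses per second with whatever the cracking hardware you are defending against actually achieves, and the years column scales accordingly. The dictionary test is the one that matters in practice, because the search-space estimate says nothing about a passphrase that is sitting in a wordlist.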

5) Generation of targeted wordlist

In subsequent articles we will deal with generating effective wordlists with shell scripts.

A first example of generation wordlist numbers can be found here.

UPDATE: Don't miss the new articles on wordlist generation and on precomputed hash tables!

UPDATE: We are reading Erik Tews' degree thesis on TKIP injection .... Coming soon, a new article on tkiptun-ng !!

The thesis and the subsequent public presentation have already stirred up a lot of dust (see the Michael method); it is available at http://eprint.iacr.org/2007/471.pdf and opens up new frontiers and methods for WPA cracking. We welcome advice and experiments on tkiptun (you can use the comments below).


mcprojects |2009-09-22 10:13:34
sorry for the translation, it's a semi-automatic translation. If you want to translate my articles you may log in and write your own article. Thanks to all.

Last updated (Wednesday 30 September 2009 11:39)
