Crack WPA Well you convinced me in this post I'll write a guide on how WPA Crakk I'm cursed with the tools we have at present, waiting to be discovered (but already and discovery! and who do not want to say it) a flaw in this damn protection.
After talking about wireless & BackTack could not miss an article about how Crakk wireless networks.
not write an article on WEP because this protection is now obsolete and the internet is full of guides and tutorials on how to overcome this protection, I will speak instead of the second protection created to fill gaps in WEP WPA'm talking about.
WPA (Wireless Access Protect) a bit 'tricky to protect, so far you can try Crakk only if the guard uses the PSK (Pre-Shared Key). In
This procedure uses the aircrack-ng (to recover password) provided in the distribution of BackTack live below the list of the material.
1) 3 main Linux distributions live BackTack
2) PC
3) wireless card with a compatible chipset to perform the attack
4) Just say so and Ass!
EXPLANATION OF MATERIAL:
1) the main Linux distributions utliizzeremo live BackTack 3 so we save a lot of work, I do not know if you know you can crack the network with Windows but is not convenient because first and foremost about serving the driver enabled Winzoz to go into monitor mode (as if an ethernet card in promiscuous mode to go!), and drivers that give with the card to be clear that the original ones are not enabled to go into monitor mode, and if one does not know where to go is likely to turn on the internet without finding anything, because secondus in order to make the attack should Pacht drivers to do packet injetion in terzus not use a little linux it hurts, and Quartus the distribution of live born BackTack and not just for this purpose but also for other things (which I will not say) and is full of tools and spares us a lot of time and effort, all in one distribution convenient NO!.
2) Geez ... if you do not understand better if you need a PC laptop to move to receive the best possible signal!
3) It is with BackTrack we have all the drivers but you must have a wireless card with chipset compatible to make the packet injetion, so far all the wireless cards with drivers contained in the distribution should be in monitor mode, but not everyone does inetion packet, the packet injetion used to speed up the operation for cracking WEP and WPA make sure have a compatible chipset, is a list of some of the most popular chipsets compatible with the packet injetion: Atheros Railink, Prism 1 & 2, Prism GT, Realtek, Zydas,
4) If you are unlucky, forget it ! :-) I do not believe this crap but in life it takes a bit of luck also to do anything about cracking!! and is it takes a long time!
5) oh there is a fifth , So better to go hard nay! cracking! :-))
* Before *
REMEMBER THAT I INTEND TO ENTER INTO A PROTECTED NETWORK AND 'AN OFFENCE LIABLE TO THE LAW, WHY THIS GUIDE AND' TO REFER TO A TEST YOUR NETWORK, THE END OF THE JUDGE SICUREZZA.SE NOT CONVINCED SIE See RULES on Wireless.
* It really starts! *
To date, the only way to a Network Crakk WPA/WPA2 PSK is used in an attack dictionay Italian dictionary attack or an attack Dictionary sequentially trying all passwords in a file dizionario.Nell 'pending discovery of a vulnerability WPA/WPA2 PSK, we see how to proceed.
Warning! I REPEAT! This method only works with WPA/WPA2 PSK authentication method or with pre-shared keys. If the
authentication method is different from PSK you can not use this procedure:
To do a dictionary attack we need a file called: handshake. handshake or literally''handshake''and a file that AP (Access Point) exchange with the client connected only at the time of authentication. This file is essential to accomplish the task of cracking. So if you have not figured in the network there must be at least one client connected! (No client NO cracking handshake goodbye: (.
We initiate the boot of the live distribution BackTrack 3 and wait until
..... Just go to the desktop veins in the lower right on the flag and change the keyboard layout Italian.
Then we go to the MAIN MENU and go to the internet voice and then go to click the application WiFi Assistant will open an application where you can detect wireless networks target the selected network is logged onto a piece of paper data network, the MAC address of the router and the channel used by routers to communicate,
OK now that we have these small but essential data we need to enable monitor mode on the wireless card.
Open a window icon in the lower left (the black SCREENS so to speak!), And in terminal write:
airmon-ng
below and we'll see a list like this:
Interface Chipset Driver wifi0 Atheros
madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP estroyed)
eth1 ZyDAS zw1112wz
then under interface we see all the wireless interfaces on your PC, note that ath0 & eth1 are the names of the virtual device (device). And wifi0 and ath0 are the same thing.
below are the names of the chipset Chipset that uses the device, and we see the driver in the driver assigned (to backtrack) and used by the devices.
Ultimately (in my case) looking at the menu above: my external NIC uses eth1 as using a virtual name and uses the Chipset driver ZyDAS zw1112wz (integrated and already used in backtrack), and the same goes for my PCI device (internal) was used as a virtual name ath0 Atheros chipset (the best around) and use the madwifi driver.
then disable the interfaces we need with the following command:
Aimon-ng stop ath0
Use this command to disable only the network adapter ath0, eth1 is still active and if we can disable with the following command:
airmon-ng stop eth1
Now the network adapters are disabled and the menu that will come out and the following:
Interface Chipset Driver wifi0 Atheros madwifi
-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode disable)
eth1 ZyDAS zw1112wz (disable monitor mode)
Now we enable the board we are interested in my case I enable ath0 with the following command:
airmon-ng start wifi0 1
be noted that the ath0 interface, as mentioned above and the same with that of wifi0 practically name and a virtual device with two names I do not know why but maybe backtrack and question the driver does so with all cipset Atheros, so if you try to write airmon-ng start ath0 returns an error.
Note that if you wanted to activate eth1 drovrà airmon write-ng start eth1
Another thing you will notice how I wrote the name of the device, '1 'that number stands for the channel in which the router communicates, you put the channel number previously recorded on paper pezzetino
:-) Now that we have enabled the board we will have the following menu:
Interface Chipset Driver wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enable)
eth1 ZyDAS zw1112wz (disable monitor mode)
And now you go to the juice, the terminal type the command:
airodump-ng-c 1 - w ath0 wpa
with the command mentioned above we are going to use the application airodump-ng.
airodump-ng is nothing but a sniffer program that captures data traveling the network, and he'll capture the handshake.
hours analyzing the command step PASSSO .......
airodump-ng: airodump-ng start the application
-c: indicates the channel the router \\ access point communicates in this case Channel 1
-w: indicates the name of the file where the data will be saved, the file will be called 'wpa' (the file is saved in your home on your desktop)
ath0: and the name of the interface use
hit Enter if the data entered is correct you will end up a screen like this:
CH 9] [Elapsed: 4 s] [22/11/2007 16:58
BSSID PWR Beacons # Data # RXQ / s CH MB ENC CIPHER AUTH ESSID
00:11:5 C: 7E: 40:90 39 100 51 116 14 9 54 WPA2 CCMP PSK Wireless
BSSID STATION PWR Lost Packets Probes
00:11:5 C: 7E: 40:90 00:04: F5: FD: FB: 35 C9 0116
This is the screen airodump-ng which is composed of 2 'rows' .. ... Analiza the most important parts of the first lines ....
under BSSID are the mac-adress of the router \\ access point
under PWR signal strength is received under
beacons are beacons that send packets the access point to say: 'I am an Access Point connected to me' These packages are useless even if you collect very quickly
under CH there is the issue of channel to transmit the network
ENC are under protection of the network in this case under WPA2
AUTH include network authentication in this case under
PSK ESSID network name
In the second 'top' toviamo data on the client Colegate, if there is a client on the network connected to the network, with its data:
BSSID: there is the mac-adress of the router \\ access point where the client is connected
STATION: the mac-adress of the wireless card with which the client connects to the network are not importatnti
other ... ..
After starting airodump-ng wait a few minutes so all the Notes client ........
Now go to the attack, with WPA handshake should deautenticare to produce the client then connected to another terminal type the command:
aireplay-ng -0 5-a 00:11:5 C: 7E: 40:90-c 00:04: F5: FD: FB: C9 ath0
with the command mentioned above we are going to use the application aireplay-ng.
aireplay-ng and the application that allows us to carry out the attack using packet injection,
using aireplay-ng you go to 'speed up' the production of handshake.
But look at the command .......
aireplay-ng: start the program aireplay-ng -0
: deauthentication is the mode that the mode of attack
5: The number of groups of packets to send deauthentication (you can also increase or decrease!)
-a 00:11:5 C: 7E: 40:90: This is the MAC address of the router / access point
-c 00:0 F: B5: FD: FB: C2 It is the MAC address of the client to deautenticare
ath0: the name of the wireless
giving proper written submission if you return the following command:
12:55:56 Sending DeAuth to station - STMAC: [00:04 : F5: FD: FB: C9] 12:55:56 Sending
DeAuth to station - STMAC: [00:04: F5: FD: FB: C9] 12:55:57 Sending
DeAuth to station - STMAC: [00:04: F5: FD: FB: C9] 12:55:58 Sending
DeAuth to station - STMAC: [00:04: F5: FD: FB: C9] 12:55:58 Sending
DeAuth to station - STMAC: [00:04: F5: FD: FB: C9]
deautenticato Once the client, it will retry to reconnect handshake producing such packages.
If the attack was successful and airodump-ng will capture the handshake packets, and displays at the top right (near the date and time so to speak!): WPA handshake and the MAC Address of the client.
Good! now open a parenthesis, following this guide, to date you purchased the handshake packets using the normal method used by all (which is also right!), note that before starting I have not said how it is possible to determine whether the your card is compatible with aireplay-ng packet injection, and if does, this will be before that is before you run airodump-ng, airodump-ng if already running and pressing CTRL + C stoppatelo
command and the following :
aireplay-ng -9 ath0
dispatch giving the program will analyze your chipset and try to make a fake packet injection networks, which states, if you see the word
Working means that your chipset is compatible with packet injection and the program and will detect the network and make a statistic of the percentage is successful packet injection on each network, a
else and if our card is not compatible with packet injection you do?
have 2 options:
1) the change we seek another that has a compatible cipset
2) We can make it go into monitor mode and wait for the cliet connect, this is a difficult option because you can only do this if you are familiar with the target, imagine if our target turn the PC off in the morning and the evening hours should we wait before capturing a mere handshake and we will have a lower probability than that connects and disconnects constantly. So people meditate Meditate
..........
Closed brackets ...... Now that we have captured the handshake we recover the password.
blessed to retrieve this password, we will explain two methods:
In the first method we will use Aircrack-ng and then end up writing:
aircrack-ng-w [dictionary path] [path of the *. cap]
With command mentioned above we are going to use the program aircrack-ng, aircrack-ng is not
a program included in the aircrack-ng, its function is to reuperare of the password using methods of cracking. Analiza
the command:
aircrack-ng: aircrack
-start the program w: after the 'w' and without brackets, you put the path of the dictionary will use aircrack, and after you leave a space and type in the path of *. cap file, that contains the handshake.
In other words, we (re) explaing some things that you will certainly convenient:
-per Crakk unlike WEP, WPA should place an dictionary attack, so if you do not have a dictionary, get one!.
-I remember starting airodump-ng the program creates the file
home folder on the desktop-to know that aircrack-ng works off-line so you can capture the handshake, and have it processed by a more powerful PC-
The command to start aircrack-ng you have to write the paths, not to write them hand, but do this: go to the folder select the file and drag it into the terminal, the issue you'll see a small menu click on 'paste' and you have already written the way!
If the command was correctly 'assembled' aircrack-ng will open the file and give you the following output:
Opening wpa-01.cap
Read 1827 packets.
# BSSID ESSID Encryption
a 00:11:5 C: 7E: 40:90 Wireless WPA (1 handshake)
Once you open the file aircrack-ng packages check if there are valid and will come out of the list of found files, in this case in this file and a handshake packet, in this example, instead .. ..
Opening wpa-01.cap
Read 1827 packets.
No valid WPA handshakes found.
Aircrack-ng can not find handshake packets and thus can not continue, and now a little gem, if I remember correctly the handshake packet consists of 4 rows and two that sends the access point and two that sends the client that you must associate with the network, note that the latest version of aircrack-ng does not need to have the 4 files to make the handshake are necessary even two!
therefore in the example above where there is the valid handshake aircrack-ng which network you domaderà crack, press 1 and press Enter and you will aircrack-ng to do. The program tries all passwords in the dictionary in a sequential manner.
below the screen when aircrack-ng locates the key!
Aircrack-ng 0.9 [00:00:00] 2 keys tested (37.20 k / s)
KEY FOUND! [12345678]
Master Key: CD 69 0D 11 8E AC AA C5 C5 EC 59 85 BB 7D 49 3E B8 A6 13 C5 4A
72 82 38 ED C3 7E 2C 59 5E AB FD
Transcient Key: 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 CE 8A 9D A0
FC ED A6 DE 70 84 BA 90 83 7E CD 40 FF 1D 41 E1
65 17 93 64 32 0E BF 25 50 D5 4A 5E
2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 EAPOL HMAC
: 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
and now some information, if using development version (beta or alpha) aircrack-ng to find and if the password contains a special character or a capital letter or a space, aircrack-ng beta version will not be able to recognize it. So
advice to always use the latest stable version where aircrack-ng can easily find any
characters. In fact the definition of the WPA, the password must be minimum length of 8 and maximum 63 characters of printable ASCII table.
Good! qulche until recently this was the only way to recover your password, but there is a problem and if the password is not in the dictionary do?, it was thought that instead of doing a dictionary attack could enable aircrack -ng to do a brute-force attack that is a brute force attack, which in plain English test all possible combinations until you recover your password, but rather the attempt proved useless because the process is very slow in recovering the password because if you do not know a default password of the router alice and 24 alphanumeric characters pseudorandom then I challenge you to do simple calculations to see Combima are possible.
26 characters (small) + 10 numbers (0-9) = 36 raised to the 24th virtually impossible.
for some time now a well-known solution that deals with the recovery password, Elcomsoft, baked to a wonderful software that can mount a brute-force attack on the handshake, exploiting the graphics card to speed the attack, in fact, as I said before, the password must be a minimum length of 8 and maximum 63 characters of printable ASCII table, and you you imagine a poor processor to deal with a mess of possible combinations, it would take years! !
anyway and a good program does its job very well the interface and a little sparse but intuitive (for this I will not explain how it works and the various processes), the program and in English, ah I forgot I did not say what it's called: Elcomsoft Wireless Security Auditor program and in the trial version and allows only discovery of partially see the password for those who want to buy the program costs $ 1000 dollarazzi then it's up to you whether to buy or Crakk !!!!!!!!
Good!! my guide ends here! I thank everyone and everything, especially my external wireless card that has left me in need
