Sunday, February 19, 2012

WPA cracking tips and tricks

WPA cracking is at the same time easy and hard to crack. It is quite easy because all you need is getting the handshake (with WEP, you need a lot of data frames). It is hard because getting the handshake can be tricky and also because cracking can take a lot of time (due to passphrase length, 8 to 63 characters).

Important notes:
  • Never forget to read the documentation in the wiki
  • Don't hack AP you don't own or if you don't have the permission to do it.


There are several things to consider when getting the handshake:
  • You need to be somehow close to both the AP and the client. If you only have the client, you should use airbase-ng to get the client to connect to you.
  • If RXQ is below 70 then there is a good chance you'll get a partial handshake which will be unusable.
  • You MUST be on the same channel as the AP (in airodump-ng, you will see RXQ column when on a fixed channel)
  • It is not necessary to keep deauthenticating the client, once or twice should be more than enough. And let the client reconnect in order to get the handshake. Each aireplay-ng tells you it sent deauthentication, it sent 128 or 256 deauth frames.
 If you still don't get the handshake after reading the wiki and those tips, then you might want to have a look at WPA Packet Capture Explained tutorial in the wiki to help understand what's going on.

Tip: It is always a good idea to clean up the capture to include one beacon the handshake before cracking it or submitting it to an online cracking service. The reason is that YOU select the handshake to crack and don't let the tool on those services to select the handshake (that might be the wrong one).

It might sound funny but it is true, there is 0% chances to crack it if the passphrase is not in the dictionary (and 100% when it is in the dictionary). So what you want to do is profiling your victim when cracking the handshake to include words/phrases related to it. You can also find a few tools on backtrack such as John The Ripper that will help you mangle the dictionary and "add" new words.
If you need to generate phrases such as number, check out 'crunch'.
Note that aircrack-ng doesn't mangle the wordlist and doesn't do any permutation, it just tries each passphrase against the handshake. And in case you want to be able to 'pause' the cracking, use John The Ripper to output to stdout and pipe the results to aircrack-ng (using -w -).
GPU cracking makes cracking much faster. One of the best solution for that is oclHashcat-plus (and it is much faster than pyrit).

Now that you've cracked the handshake, you might want to verify it. People have been trying to connect to the AP but it is the wrong way of checking since there are a lot of variables involved (such as distance, mac filtering, bad drivers, etc) that will prevent you to connect even if the passphrase is valid.
So what you have to do is using airdecap-ng.
With WPA, since what you get with the handshake is a session key for a specific device, you can only decrypt the traffic after the handshake for that device. Don't be fooled by airdecap-ng giving 0 frames decrypted when there are a few data frames encrypted with WPA, there might not be any traffic from that device after the handshake. Hence why it is very important to be able to understand a capture file.

27 comments:

  1. Hey, just wanted to say thanks for starting to post again. The blog and site are an awesome resource!

    ReplyDelete
  2. Hey..good discription you have there. thanks...it helped alot..

    ReplyDelete
  3. im a new user in Backtrack I would like to know
    how to crack handshake cap file i need 12 chracters exp ( 40I3WQ893RCO ) password
    can u explained to me please

    ReplyDelete
  4. Pretty interesting, I would've definitely been stuck if it was not for this. Keep up the good work.

    ReplyDelete
  5. There's services around like wpacracker where you can upload the handshake and they'll go to town on it using an Amazon GPU cluster

    ReplyDelete
  6. Hey!! I recently started hacking stuff..wanted to ask something..when i try to hack wap with backtrap5, at command
    airepaly-ng ...
    I get
    sending 64 directed deAuth. STMAC [***]
    and it just stops there showing no handshakes..am i doing something wrong or i have to wait for some time?

    ReplyDelete
  7. Very good tut. Helped me out alot before. Stumbled onto this while trying to improve my SE skills, twas fun to reread nonetheless.

    ReplyDelete
  8. I have the same problem as countless others... but I never see a real solution.

    Even BT5-R3 still has the the problem:
    "airmon-ng" never lists any wifi cards.

    I know my laptop has wifi, I use it all the time.

    ReplyDelete
    Replies
    1. SAME PROBLEM ON BACK TRACK VIRTUAL BOX EDITION BT5 R3

      airmon-ng cannot list my wifi cards ....

      Delete
    2. Buy support wifi usb and airmon-ng with it.

      As for virtualbox - monitoring wifi is not possible unless on the host machine itself - if virtualized, all it can see is the *virtual* ethernet cable to your host machine's internet.

      Therefore; there is no wifi on virtualbox. U need to be actually booted onto the linux on a REAL machine.

      Delete
  9. why i can crack wep, but i cant crack wpa2(not handshake).. i was tested at my AP that dont have internet access... because of that i cant handshake or what??

    ReplyDelete
  10. I am using backtrack 5. I start airmon-ng start wlan0 then airodump-ng,I capture the wpa=HANDSHAKE within 2 mins,The problem i have how do i increase the data? i have tryed putting my wlan0 in monitor mode alsorts. thanks

    ReplyDelete
    Replies
    1. run aireplay-ng a few times until its " 0 | " then thats the limit. you can continue capturing packets naturally, but it'll take a while.

      Delete
  11. I already done all the things untill the last step which is using the wordlist , I have a folder name "wordlist" and have about 20 files in it , how do I write the command so that aicrack can read the whole folder , because I have to use aicrack to read the file 1 by 1 manually , so how do I write the command to read the whole files without having to do it 1 by 1?

    ReplyDelete
  12. testing a wifi network (WPA2 - CCMP PSK), i get the handshake with airodump, and also get a pasfrase with aircrack, but the password is not the correct one ¿any ideas?

    ReplyDelete
  13. IS there any way to know length of password of WPA

    ReplyDelete
  14. Dear All! I'm a new user & i'm trying for a long time but still i didn't get a valid handshake. Can any 1 help me please?? My adapter is injecting & i get over 15,000 beacons/data & over 400,000 packets. why i'm not getting it?? any useful suggestions please? waiting for your comments.. ... . . .. .. Thanks!

    ReplyDelete
  15. Wy do i get this waring when visiting this site?


    Infection detected!

    http://aircrack-ng.blogspot.no/search?updated-min=2012-01-01T00:00:00-07:00&updated-max=2013-01-01T00:00:00-07:00&max-results=10

    The requested URL contains malicious code that can damage your computer. If you want to access the URL anyway, turn off the avast! web shield and try it again.

    Infection type: JS:Redirector-VZ [Trj]

    ReplyDelete
  16. I have a question that might be abit stupid or not. Is there a way to use a folder of password list to crack or do they have to be compiled into one file. I have found over 18GB of word list that could be used for passwords and usernames and I would want to use just a folder allowing it to read from all them is that able to be done?

    ReplyDelete
    Replies
    1. Write a script in Linux that you input the basic info into (MAC, Channel, handshake location/cap file, etc), and have it launch the aircrack parameters for each dictionary one action after the other. .. Should make life easier after the baseline script is built, as then you'll only need to run the script then walk away.

      Delete
    2. When you do the aircrack-n you can use a comma to include multiple dictionaries lol. For example: aircrack-ng -w /home/user/Dict/a,/home/user/Dict/b,/home/user/Dict/c -b "bssid here" file-01.cap

      Delete
  17. tell me the whole process of it because it is very easy to view a video and copy + pasting the content it seems to be very critical post less knowledge =======complete danger

    ReplyDelete
  18. I recomend to the majority of posters that first buy/read a book about wifi security. Read first, understand and then ask.

    So a beginner first book I can recommend is the "backtrack 5 wireless penetration testing for beginner" or something.
    Hope that help people.

    ReplyDelete
  19. am trying to pipe crunch into john the ripper (to pause and resume) into aircrack. How? I want crunch to generate and feed into either john or aircrack, but I need john to still function it's pause and resume capability

    ReplyDelete
  20. Sometimes when I unplug the antenna I actually get better reception that is so weird does anybody know why that is?

    ReplyDelete