[Cracking WPA2 1/2] Capturing the Handshake

Discussion in 'Network' started by skokkk, Mar 5, 2016.

Poll: How many times did you need to run the capture/deauth command?

  1. Once only! (0 votes, 0.0%)
  2. Between two and five times. (2 votes, 33.3%)
  3. Between five and ten times. (0 votes, 0.0%)
  4. Between ten and fifty times. (2 votes, 33.3%)
  5. It didn't work (I was too far from the target) (2 votes, 33.3%)
  1. skokkk

    skokkk Contributor

    Hello r4p3 members. This tutorial is going to show you how to hack WiFi (Wireless Fidelity) access points. This tutorial specifically covers capturing the encrypted four-way handshake. You only need to get 3 of the 4 packets that are sent. My next tutorial will cover cracking the handshake.

    The Method:

    The best way to capture WiFi handshakes on WPA2 is by making the user(s) disconnect and reconnect. When they reconnect you capture their handshakes. As mentioned before, you only need 3 of the 4 packets that are part of the handshake; to be more specific, the first two and then either the third or the fourth. You can also wait for a user to reconnect if the network is very active instead of removing someone from the network. This might cause less suspicion, but your chances of success are way lower.

    Software Required:
    Linux: aircrack-ng suite - should be in your repos.
    Windows: aircrack-ng suite - http://www.aircrack-ng.org/downloads.html

    Hardware Required:
    A compatible WiFi card.

    Step one: Identify your target
    This means you get the BSSID of the WiFi network you own. Make sure to have exact spelling.

    Step Two: Configure Your Hardware
    On Linux:
    You need to set your WiFi device (usually wlan0, use “airmon” to check) to monitor mode. You can use the following command to do this.
    Code:
    airmon-ng start wlan0
    On Windows:
    This is very hard. There is a very limited number of WiFi cards that can work. Do not be surprised if it doesn’t work. If it does, you are very lucky (or have done your research and bought the correct hardware). Note: for all commands, run the same command as on Linux, just with the correct application name (aircrack-ng.exe <command>).
    Code:
    airmon-ng start wlan0
    Step Three: Further Identification of Target
    Next you need to get the WiFi BSSID MAC address. You can run the following command to identify the MAC address.
    Code:
    airodump-ng wlan0
    Step Four: Deauthing the User(s) and Capturing the Handshake
    This is where the magic happens. You are now going to “kick” the user off their network and then capture the handshake when they automatically reconnect. You can use the following command to do this:
    Code:
    aireplay-ng --deauth 100 -a AA:BB:CC:DD:EE:11 mon0
    Step Five: Repeat Step Four Until Key is Captured
    As mentioned in step. You can confirm you have captured the key by looking for “WPA Handshake” in the info section.
     
    kingston, Supervisor, Derp and 2 others like this.
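Added example, not from the original post: the defender's view of step four, a detector that flags the deauthentication bursts a forced reconnect produces, run over constructed frame records. The tuple layout (timestamp, subtype, source, BSSID, reason code) is an assumption standing in for a real pcap parser, and the addresses and reason codes are sample values. On an AP with 802.11w Protected Management Frames enabled, spoofed deauth frames are discarded by clients, so a burst like this is a signal to alert on rather than a loss of connectivity.

```python
"""Detect 802.11 deauthentication floods in a stream of management-frame records.

Added example (not from the original post). Each record is a constructed,
simplified view of one management frame as a wireless IDS would see it:
(timestamp_seconds, frame_subtype, source_addr, bssid, reason_code).
Parsing these out of a real capture is out of scope here.
"""
from collections import defaultdict, deque

DEAUTH = "deauth"
DISASSOC = "disassoc"


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Return one alert per (source, BSSID) pair that sends more than
    `threshold` deauth/disassoc frames inside any sliding window of
    `window_s` seconds.

    A legitimate AP emits the odd deauth when a station leaves; a forced
    reconnect sends a burst (the post's command sends 100), so the burst
    is the signal. Once a pair is flagged, later frames in the same burst
    extend the alert's count and last_seen instead of raising a new one.
    """
    windows = defaultdict(deque)   # (src, bssid) -> timestamps in window
    alerts = {}
    for ts, subtype, src, bssid, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        key = (src, bssid)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            if key in alerts:
                alerts[key]["count"] += 1
                alerts[key]["last_seen"] = ts
            else:
                alerts[key] = {"src": src, "bssid": bssid, "count": len(q),
                               "first_seen": q[0], "last_seen": ts, "reason": reason}
    return list(alerts.values())


# Constructed sample: the AP (placeholder address from the post) sends one benign
# deauth (reason 3, station leaving), then 40 deauths in 0.4 s with reason 7
# (class 3 frame from a non-associated station) arrive with the AP's address spoofed.
AP = "AA:BB:CC:DD:EE:11"
SAMPLE_FRAMES = [(0.0, "beacon", AP, AP, None), (0.5, DEAUTH, AP, AP, 3)]
SAMPLE_FRAMES += [(10.0 + i * 0.01, DEAUTH, AP, AP, 7) for i in range(40)]

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"ALERT deauth flood from {a['src']} on BSSID {a['bssid']}: "
              f"{a['count']} frames, t={a['first_seen']:.2f}s to t={a['last_seen']:.2f}s")
```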
  2. ehthe

    ehthe Super Mod TS3 Dev-Team

    I had tried that a while ago and it just wouldn't capture the handshake. Even when I was like 1 meter away from both devices and every conflicting service was stopped. I suspected my wifi card. Those were weird times xD
     
  3. skokkk

    skokkk Contributor

    Ah yes, I know that feeling.. I remember building a 1x1x3m tinfoil tunnel from my WiFi router to my laptop to my phone to try it XD
    On a more serious note, if you use linux you can modify your WiFi card's TX power to the "legal" limit ;) *cough*1W*cough*
     
  4. ehthe

    ehthe Super Mod TS3 Dev-Team

    Yeah, I had done that (iw reg set BO) but it would still not capture the handshake; everything else was just there (well, it was encrypted).
     
  5. Laszl0w

    Laszl0w Contributing Member

    There's no wlan0 :D
     
  6. ehthe

    ehthe Super Mod TS3 Dev-Team

    Then you either have a special card or your card is not supported at all. Try and run airmon-ng without any argument
     
  7. Laszl0w

    Laszl0w Contributing Member

    It works with live-CD Linux, it doesn't work on virtual computers :D
     
  8. Derp

    Derp Super Mod WebApp Dev-Team TS3 Dev-Team

    The monitoring interface name differs on different aircrack packages. Older versions of aircrack use wlan0, newer versions use mon0.

    @skokk - Great thread. However, personally I don't like this method very much. In my opinion, this method should be a "Last Option".

    Instead of wasting processing power, you could set up an EvilTwin attack. Or, if you're really into cracking stuff, at least consider cracking the WPS PIN first (if WPS is enabled). Besides, if you're lucky the device might be vulnerable to PixieDust.

    -Derp
     
  9. ehthe

    ehthe Super Mod TS3 Dev-Team

    EvilTwin is more and more difficult with new versions of Windows, for example, that check some attributes of your access point. But still, it can be great against clueless people :D
     
  10. Derp

    Derp Super Mod WebApp Dev-Team TS3 Dev-Team

    In some cases, running services may interfere. In that case, "airmon-ng check" would come in handy.
     
  11. skokkk

    skokkk Contributor

    Thanks! EvilTwin is also probably the easiest/best solution. I might create a post sometime in the future showing how to use it and also a MANA attack.
     
    Derp likes this.
  12. Derp

    Derp Super Mod WebApp Dev-Team TS3 Dev-Team

    Thank you for bringing up Mana :)

    Wifiphisher is also good. It has fewer features but it does what it says ;)
     
  13. skokkk

    skokkk Contributor

    Yes. I have had quite a few interesting conversations with the guys that made Sensepost's Mana attack :)
     
    Derp likes this.
  14. kingston

    kingston Contributor

    This thread makes me feel like I want to try it. I'm surrounded by several nice networks and they are all WPA2 protected. Till today I thought cracking WPA2 takes a whole lot of time and computing power to succeed.

    Is there any particular wi-fi card that you recommend for this kind of stuff? I mean fully compatible, etc. This is partially covered e.g. in this article, but still I don't think we have to stick to one of these only?

    http://www.inkthat.info/kali-backtrack-wireless-adapters/top-kali-linux-usb-wireless-adapters/

    What I noticed at once is that dongles significantly differ in operating power. Having 1 watt or 2 watts makes a lot of difference for sure. I bet that generic ones don't even offer half a watt. Still not sure about the best chipset available and what else to look at when choosing a card.

    After doing some quick research I learned the most important stuff to look at when choosing the right card: monitor mode, packet injection, radiated power 1000mW minimum (EIRP), upgradable antenna (9dBi recommended and 5dBi minimum).

    It is very important to check the chipset before ordering the card, e.g. popular and cheap RTL8188EUS and RTL8188CUS are useless.
     
    Last edited: Mar 6, 2016
  15. ehthe

    ehthe Super Mod TS3 Dev-Team

    This is not the most important part for capturing the handshake. You need to care about RX sensitivity :)

    Also you can try with what you already have in terms of wifi cards / chip as many are already compatible :D
    (for example my laptop has an integrated chip that is really good)
     
  16. kingston

    kingston Contributor

    I have been studying the subject all day long and from what I found out, TX seems also very important. Without enough TX and nice RX you might be able to monitor but not to inject packets, which seems crucial for the success. For this reason integrated ones are not so good unless you are relatively close to the target compared to what you could do having more TX.

    In my particular case I can see 18 different networks, of which only 3 are strong enough to play with. The rest is out of my reach. I'm quite sure that things could drastically change with a proper card. Will most likely decide on Alfa, but this is quite scary as there are many fakes on the market.

    I have also learned that gathering the handshake is just the beginning and it gets worse after that, as you basically need to brute force unless you are lucky enough to crack some WPS (much less brute force), but in my case there are mostly TP-Link and Cisco routers around and they are barely crackable this way :/

    Cracking a silly 5-character password may take up to 1 week with average hardware and a few days at least with a GPU. Unless the password is really stupid. But in case of longer passwords or more complicated ones... you would need a cluster of GPUs to compute that in a reasonable time. Which has been done by someone already to crack Windows passwords (a 25-GPU cluster able to brute force any password up to 8 characters in just 6 hours).

    Just my 3 cents after day one. Please correct me wherever I went wrong - very noob to this :D
     
    Last edited: Mar 6, 2016
  17. ehthe

    ehthe Super Mod TS3 Dev-Team

    Indeed without injecting capability you become very limited :p
    That can also depend on how the chip's antenna is made. Mine runs around the screen which is very good :D plus the additional power (1W)
     
    kingston likes this.
  18. skokkk

    skokkk Contributor

    Also try to invest in a good 2.4 GHz grid. Many WISPs over here are throwing theirs away or selling them cheap because they are moving to 5.8 GHz.
     
    kingston likes this.
  19. onerodz

    onerodz New Member

    OK, capturing the HANDSHAKE is done... but you know the HANDSHAKE can only be cracked using brute force... using a text library... I used a 1 TB txt library and after 4 days I did not get the pass.
     
  20. ehthe

    ehthe Super Mod TS3 Dev-Team

    And what can we do about it ?
     