Fallen Archangel

Using the Pineapple Without Modules or Infusions - Part Three - Crack WiFi Passwords

26 posts in this topic

Welcome to part three of my tutorial series. I will be showing you how to crack WiFi.



Requirements:

  • SSH
  • WiFi Card with Monitor Mode
  • Aircrack Suite
  • Dictionary
  • mdk3 (Optional)

So if you've been following along you should now be able to sniff packets from a wireless card in monitor mode.

I'll briefly explain what we need to do.

We need to start recording just like we did before with airodump.
While that is running, we need to also do a deauthentication attack at the same time.
Optionally, we may strip the file down to save space.
Then we can run a bruteforce attack using the data we just collected.


First we need to start monitor mode and start capturing as shown in part two.
ifconfig wlan1 up
airmon-ng check kill
airmon-ng start wlanX
airodump-ng -w MySecondDump wlanXmon

Now that we have that running in the background, capturing all the network traffic, we need to work on capturing a 4-way handshake.

So what's a 4-way handshake anyways?


Whenever you connect to a WiFi access point, a couple of things happen. First the AP has to announce that it is there and ready to give WiFi (called a beacon). Then your phone has to let the router know that it wants to connect. The router will have a set way of authenticating a user, usually WPA PSK, so it will ask for a password. You type the password into your device and send it. Then the AP either accepts it or denies it.



If we can record this entire process using airodump, we will have all the information we need to perform an attack to get the actual password. The easiest way of doing this is simply to let airodump capture and record packets. Eventually someone will come along and connect to the network, then we will have the handshake.

So at this point in time you should have airodump running and collecting packets. In order to check if it has captured a 4-way handshake or not, simply run this command:

aircrack-ng MySecondDump-01.cap

(It automatically adds an 01 to the end of the name, to prevent two files from having the same name.)

Either you didn't wait long enough (Nobody connected to the network while it was capturing)





Or somebody connected to the network and it was successfully recorded.





Now I realize that sitting there and waiting on someone to connect to the network might not be the funnest thing to do, or the fastest. So you can GREATLY speed this up, as long as there is already a wireless device on the network. The way we do this is by a deauthentication attack. Basically we force their devices to reconnect to the network, so we can capture the handshake when they do. I find the best way to do this is with a tool called mdk3. This is a part of Kali, but it's not built in on the pineapple. To install it on the pineapple, simply run:

opkg install mdk3

Now that we have mdk3, we can use it to run this attack. There are two ways to run this attack. One way is by running the attack against anything, basically creating a WiFi jammer. The second (and nicer) way is to target a device and attack it.

To do it the first way, you will simply use:

mdk3 wlanXmon d -c






mdk3 is the tool
wlanXmon is the WiFi card to use
d tells it to do a deauthentication attack
-c tells it to run the attack on all channels


If you would like to do it the second way, you need to know the target's MAC address. Once you have this address, save it in a text file named Targets.txt. Then the command would be:

mdk3 wlanXmon d -b Targets.txt -c



By either waiting long enough, or by using this trick (Or both) you will eventually capture the handshake.

Now we can use it to bruteforce the wifi password. This is where the dictionary comes in.
You're going to need a password list. The way this works is that it tests every single password in the list, and if one of them is right, it will tell you.
A good place to find them is here.

Now that we have both a .cap file containing the 4-way handshake and a dictionary, we can start the attack:

aircrack-ng MySecondDump-01.cap -w Dictionary.txt

It will then ask you which network you would like to attack. Simply type the number to the left, then press enter.
Now it will go through every password in the list until either it finds the password, or it goes through every password and it's not on the list.





A few notes. The first one is that the speed of the crack depends on the capabilities of your computer. Using both my CPU and GPU, my computer takes about 3 hours to test my massive 13 GB list, which contains just under one billion passwords. (i7 6700 3.4 GHz, Nvidia GTX 960, 16 GB RAM)
If you have a less powerful computer, you'll want to look for smaller, more optimized lists. Things like the most commonly used passwords.

Another note is that using the mdk3 tool without a target is extremely disruptive, please don't do it this way. It will kick everyone in range off of whatever WiFi they are on; the only reason I even include it here is so you don't go around doing it unknowingly.

Also, aircrack only uses your computer's CPU, so having a good video card will not make it run faster. I will create another tutorial later showing how to use a few alternatives, such as deauthentication without mdk3, and using tshark, cowpatty, and pyrit to verify handshakes instead of aircrack. And also how to capture and strip your .cap files at the same time.

It's 3AM on December 25th, so I will be out with family most of the day tomorrow, odds are I won't have a chance to write part four until Saturday.

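As an added defender-side example that is not part of the original post, this Python script parses 802.11 management frames out of a pcap and flags the kind of deauthentication burst that the mdk3 and aireplay-ng commands above put on the air, so a wireless IDS or an after-the-fact review of an airodump capture can spot it. It assumes a classic pcap with linktype 105 (IEEE 802.11 without a radiotap header) and constructs its own sample frames with made-up, locally administered MAC addresses rather than using a real capture.

```python
import struct
from collections import defaultdict

# 802.11 frame control, byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype.
DEAUTH, DISASSOC, BEACON = 12, 10, 8
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = frame[0] >> 4   # the 2-byte reason code follows the 24-byte header
    reason = struct.unpack_from("<H", frame, 24)[0] if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26 else None
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def iter_pcap(data):
    """Yield (timestamp, frame) from a little-endian pcap with linktype 105 (802.11, no radiotap)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 105:
        raise ValueError("expected little-endian pcap with DLT_IEEE802_11")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def detect_deauth_flood(data, threshold=10, window=5.0):
    """Map BSSID -> (peak deauth/disassoc count in one `window`-second bucket, broadcast deauths) for
    BSSIDs over `threshold`. A burst at one AP, usually to broadcast, is an mdk3/aireplay-style flood."""
    counts, broadcast = defaultdict(int), defaultdict(int)
    for ts, frame in iter_pcap(data):
        parsed = parse_mgmt(frame)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            counts[(parsed[3], int(ts // window))] += 1
            broadcast[parsed[3]] += 1 if parsed[1] == BROADCAST else 0
    alerts = {}
    for (bssid, _bucket), n in counts.items():
        if n > threshold and n > alerts.get(bssid, (0, 0))[0]:
            alerts[bssid] = (n, broadcast[bssid])
    return alerts

# Constructed sample capture for the demo (locally administered MACs); not a real recording.
AP, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6

def mgmt_frame(subtype, dst, src, bssid, body=b""):
    return bytes([subtype << 4, 0x00]) + b"\x3a\x01" + dst + src + bssid + b"\x00\x00" + body

def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out

def sample_capture():
    # one beacon (ignored), one benign deauth to a single client, then 40 broadcast deauths in ~2 s
    records = [(1.0, mgmt_frame(BEACON, BCAST, AP, AP)), (2.0, mgmt_frame(DEAUTH, CLIENT, AP, AP, b"\x03\x00"))]
    records += [(10.0 + i * 0.05, mgmt_frame(DEAUTH, BCAST, AP, AP, b"\x07\x00")) for i in range(40)]
    return build_pcap(records)   # detect_deauth_flood(sample_capture()) -> {'02:00:00:00:00:01': (40, 40)}
```

Deauthentication frames are unauthenticated unless 802.11w Protected Management Frames is enabled on both the AP and its clients, which is the mitigation for the attack this thread describes.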

Great tutorial, you are spot on in regards to technique, but posting it here, not too sure about that. Maybe Kali Linux forums would have been more appropriate considering the Pineapple has nowhere near the specs to carry out such an attack, and even if you do, make sure you leave a note for your great-grandkids to check the results.

On a side note, might want to add something about using crunch instead of a dictionary for attacking routers with a default password.


As far as capturing the handshake, the pineapple is perfect. For actually cracking it, I have it run through a list of the 1000 most common ones, which takes about 15 seconds. If it's not on that list, the pineapple will do you no good there. I'll be sure to point that out better.

This is where the pixie dust attack is really nice if it works.


I don't believe mdk3 has been ported to the NANO/TETRA yet. If I heard right, this should be part of the 1.02 update sometime this week. (I could be wrong.)

It is not required, but if you still want to do a deauth attack until then, you can try aireplay-ng. Although I usually have better luck with mdk3.

aireplay-ng --deauth 5 -a APMACADDRESS -c TARGETMACADDRESS wlan1mon

--deauth tells it what type of attack to use.

-a tells it the MAC address of the access point you are attacking

-c is the client (device) that you are going to deauth

and wlan1mon is the interface in monitor mode you're using.


I appreciate the help, just trying to learn how to use Linux / nano :)


mdk3 is already available for the NANO :)

You have to install it with opkg install mdk3


Thanks Whistle Master... but I get an error:

Unknown package 'mdk3' 

and then

* opkg_install_cmd: Cannot install package mdk3

Am I missing something?

Thanks for your help.


As I see it you don't even need a Pineapple to do all this. Just a WiFi card with monitor mode and Kali Linux...

Darren / Seb: It's time you improve your devices so they can crack passwords without the need of Kali. Bringing around a laptop everywhere is not the smoothest thing to do... Besides, the Pineapple doesn't even work with Wifite! Please improve this.


It's not supposed to be used as a supercomputer to crack passwords. Sure, the pineapples can, but it will be slower than a laptop because it's not designed to crack passwords; it's designed as a WiFi audit tool that can recon, report, and MITM. And it does a pretty good job.

As for doing "all of this" with a Linux box and a card that does monitor mode (incorrect, you'd need a card that supports packet injection, too), you're probably going to run into some trouble getting pinejector running on your Kali box.

You can use your laptop to do some of the things the Pineapple does for sure, but you can't hide your laptop behind a switch like you can with a NANO, or have 2 high-gain dual-band radios with amps on each antenna with the same portability as a TETRA. You also don't get a community of module developers, video makers, and the overall "community vibe" of the WiFi Pineapple if you have a "WiFi Card with monitor mode and Kali Linux...". You don't get a team like Darren and Seb who go to every effort possible to provide each and every pineapple owner with a great product and good satisfaction.

Saying that, the project began in 2008 with Digininja's Karma patches to hostapd and a Fon. The platform has ultimately changed from just a "Jasager" box to a small and compact pen-test box, something that anyone who looks at these forums should be proud of. Who knows what the future has in store for us.

/rant


Sure, and I love the forum. I know that the Pineapple is not a supercomputer for cracking the passwords (I'm a noob - not dumb), why do you think that I've been on the forum like crazy and finally got AlfAlfa and Whistle Master to make the module to send the WPA .cap file to be cracked online and sent to my provided e-mail? As you can see in Whistle Master's latest module that has now been finalized, and he deserves KUDOS for that. I have both the NANO and the TETRA, but still haven't been able to crack any WiFi networks with it. I can't even get the Pineapples to use Wifite once connected to my laptop running Kali Linux over VMware Fusion. I was able to do this using a cheap Alfa dongle bought from the Hakshop however, and I really do wish that Wifite or Airodump-ng / Aireplay-ng was possible to use together with my Pineapple...


I have the same problem, using a Pineapple Mark5, and when I type from the console

opkg update && opkg install mdk3

I get the same message:

Unknown package 'mdk3'

and then

* opkg_install_cmd: Cannot install package mdk3

Any ideas?

Looks like it was removed from the repository.

Thanks


Most likely the repository isn't available right now.

Had the same problem a couple of days ago. Try it every now and then.

As it's not hosted on Hak5 servers it's not their fault. They're working on a solution for this right now.


Sorry I've been gone so long everyone. Unexpected events.

...Besides the Pineapple doesn't even work with Wifite! ...

Wifite works just fine for me. Both the normal one as well as the ones by aanarchyy and the one from psyvision. Which is great because Wifite can also handle pixie attacks. (No bruteforce required if the AP is vulnerable.)

I've also stated in a previous post that I had my Mk5 use a list of the 1000 most common WPA passwords, and it only took 30 seconds for it to finish. Probably less with something like the Tetra.


I can't get airmon-ng to mount my Pineapple or start Wifite using the Pineapple. Would love to see a video on this!



Mount your pineapple? The pineapple is not a WiFi adapter, it's a router.


...Would love to see a video on this!

I'm a bit busy at the moment as I haven't had a proper internet connection in way too long, but I'll try to put out a video as soon as I can.

UPDATE: https://www.youtube.com/watch?v=Upf8bO7YuAU


Oh I just noticed what he was saying.

Yeah, the pineapple is an entire standalone device. It doesn't need to be plugged in to a laptop or anything.

It's easiest to think of it as a computer that doesn't have a monitor or keyboard. It's an entire computer on its own, but since there are no input devices, you have to control it with another device. (For example, I control it from my phone using an SSH app.)


Fallen you are my new idol! Thanks for making this clear and the great video. Really appreciated.


Fallen you are my new idol! Thanks for making this clear and the great video. Really appreciated.

Yes I agree, Fallen Archangel, we need more clear concise videos like yours..... Please keep it up and post more.


If anyone has any requests let me know. I can't promise I'll know how to do it, but if it's within my abilities I'll make a video for it.



What is the name of the SSH app you use with your phone?
Is root needed?
Seems interesting and useful, I want to try it.

There are tons of great ones, but the one I use is called JuiceSSH.

You don't need root.

It also supports keys as well which is a nice plus.

Once you've logged in, tap on the terminal part to bring up extra keyboard commands, such as the Control key.
