Sector.Xero Posted January 7, 2010
I'm pen testing my home networks. I've noticed that there are a lot of WPA / WPA2 cracks that involve capturing the handshake and running it against a dictionary. Have there been any other attacks that have come out? I've been Googling it, with crappy results. Are there any other methods?
taiyed14 Posted January 7, 2010
Brute forcing WPA handshakes is about all I've heard of. There might be some WPA rainbow tables that make the process more bearable.
digip Posted January 8, 2010
There are WPA tables out there, but it's not like the general public is downloading terabytes of this info. Most people who have the storage for this also have the ability to do the cracking, so most home users aren't going to benefit from trying to download them to their home desktops. Just too large for the average home user. There is the http://www.wpacracker.com/ Darren reviewed, which you can upload to and pay for the results, but there is a new ph33rbot from PureHate over at http://ph33rbot.com/wpa-password-cracker/ which does this as well. Both I think are pay-for, with the one actually showing you the most recently cracked keys, as the wpacracker.com one I don't think shows them to you until you pay for results; the other shows results for people who have paid, I guess.
Seph Posted January 8, 2010
I think he means other methods instead of capturing the handshake. Answer: no. You HAVE to capture the handshake to crack the wireless encryption; the handshake is the only time the key is shared between the client and AP, which is what password crackers need. WPA encryption is pretty strong, and really the only way to get in is if yours is lame like "password" or "wireless". The greater the complexity of the password, the harder it is to crack.
Sector.Xero Posted January 8, 2010 (Author)
I have one more question. Can you crack all WPA handshakes? Or is it more like specific types of WPA handshakes?
The Game Posted January 10, 2010
Anyone is welcome to correct me. I have cracked my own home WEP & WPA network. Only PSK (Pre-Shared Keys) can be cracked.

- Deauth a client
- Capture the 4-way handshake as he reconnects
- Download a good dictionary file (e.g. passwords.txt)

The handshake is salted with the ESSID, so you can use a tool like airolib-ng to build your own database from your passwords.txt file and your target's ESSID. In turn, instead of cracking at a rate of ~500 keys/sec we can get to well over 100,000 keys/sec, and up to 300,000/sec has been reported. My PC does 1 million keys in about 5-10 seconds compared to an hour the normal way. Bottom line: if the password isn't in the dictionary, it just doesn't work.

With TKIP it's my understanding you can only inject packets, I think it's 7 in total. But they could be malicious if someone was to be so devious. You cannot get a key from this.

Other methods? What about a Rogue AP. Setting up a fake access point to imitate the target's own; once they enter the key it gets passed in clear text because it's not encrypted in any way. I haven't tried this yet, but it looks promising: Cracking WPA Without a Dictionary
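The ESSID salting The Game describes, as an added example that is not part of this thread: WPA/WPA2-PSK derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 using the ESSID as the salt (this is the step airolib-ng precomputes), so a table built for one network name is useless against another, which is why a non-default ESSID is a cheap hardening. The wordlist and ESSIDs below are constructed; the "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib

# IEEE 802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 iterations,
# SSID as salt, 256-bit output. Each candidate costs 4096 HMAC rounds
# (~8192 SHA1 compressions), which is why plain CPU cracking sits in the
# hundreds of keys per second and precomputation per SSID pays off.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA/WPA2-PSK network."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, PMK_LEN
    )


def build_pmk_table(wordlist, ssid):
    """Precompute PMK -> passphrase for ONE ssid (what airolib-ng stores)."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def table_is_reusable(wordlist, table_ssid, target_ssid) -> bool:
    """True only if a table built for table_ssid hits any PMK of target_ssid.

    Shows the defender-side point: the same wordlist yields disjoint PMKs
    under a different ESSID, so default-name tables ("linksys", "NETGEAR")
    do not transfer to a network with a unique name.
    """
    table = build_pmk_table(wordlist, table_ssid)
    return any(derive_pmk(word, target_ssid) in table for word in wordlist)


if __name__ == "__main__":
    # Published 802.11i Annex H test vector.
    print(derive_pmk("password", "IEEE").hex())
    # Constructed wordlist and ESSIDs.
    words = ["password", "wireless", "letmein"]
    print(table_is_reusable(words, "linksys", "linksys"))            # True
    print(table_is_reusable(words, "linksys", "home-essid-x7q2"))    # False
```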
barry99705 Posted January 10, 2010
> What about a Rogue AP. Setting up a fake access point to imitate the target's own; once they enter the key it gets passed in clear text because it's not encrypted in any way.

No. The rogue access point wouldn't ask for the key, since it won't have one.
digip Posted January 10, 2010
> No. The rogue access point wouldn't ask for the key, since it won't have one.

The page he linked to, from what I browsed over, doesn't just set up a rogue access point, but impersonates their router's login page. Not that you should connect and then see it when you open a browser by default anyway; that would be a big red flag for me, like, why is my router redirecting internet access to its login page? But anyway, you could probably do the same thing with Jasager + ettercap or something similar: clone the HTML from most common wifi routers, then serve them to anyone trying to reach their own router, kind of social engineer them into logging into their own router (giving you the password in the clear), then serve fake pages that mimic the router and ask them to set a new WEP/WPA key, or whatever they choose, then capture that in the clear as well. I don't think it would be too successful though, because how many people see their router's login page as soon as they open a browser?
H@L0_F00 Posted January 10, 2010
Then again, how many people would go "Oh? Alright..." and put in their password... ;) I bet that could be quite successful. Also, if they weren't allowed access until after, say, a certain amount of time or login attempts, you might phish yourself multiple passwords. Just my thoughts...
The Game Posted January 11, 2010
> No. The rogue access point wouldn't ask for the key, since it won't have one.

Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text. My understanding is you can make it look like anything: a router login, a WEP/WPA login or a hotspot login. Look at Step #3 and go down to Picture C: http://fadzilmahfodh.blogspot.com/2009/07/...dictionary.html
macrohard Posted January 12, 2010
Game, thanks for the link on cracking WPA without a dict, I found it interesting. I have also done some cracking as well with my own wireless access point in the past.
barry99705 Posted January 12, 2010
> Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text. My understanding is you can make it look like anything: a router login, a WEP/WPA login or a hotspot login. Look at Step #3 and go down to Picture C: http://fadzilmahfodh.blogspot.com/2009/07/...dictionary.html

This may work at a public hotspot, maybe. Would most likely never work at a home or corp wireless network.
The Game Posted January 12, 2010
> This may work at a public hotspot, maybe. Would most likely never work at a home or corp wireless network.

You have a lot of faith in the public. Usually each household has 1 person who knows a little about PCs & networking, and that's it. They can follow simple and basic instructions to get the net working or install Windows. If your router asks you for the WEP/WPA key and you as an average user want to use the internet, you're going to trust that the router wants your WPA/WEP key and think nothing of it.

As for hotspots, well, again you put faith in the public. Imagine you make your own hotspot page that looks similar to the hotel's website, with pictures, contact numbers etc., and ask them to put in, say:

# Room Number
# Credit Card
# First Name
# Last Name

And then say that it will be 5$/hour or something; 2 or 3 out of 10 people will actually do that...
Sector.Xero Posted January 12, 2010 (Author)
Wow, that is a really interesting link. Thank you for that.
barry99705 Posted January 13, 2010
> Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text.

Okay, so you give your fake access point, called "Bob's home network", a fake password. You then set it to broadcast at a higher wattage than the real "Bob's home network". Now when Bob tries to connect to his network, your spoofed router is what he's going to connect to. The beginning of the four-way handshake isn't going to be the same as his real access point's because the password is different. The exercise stops right here. You're not going to get the correct password this way.

> You have a lot of faith in the public. Usually each household has 1 person who knows a little about PCs & networking, and that's it. They can follow simple and basic instructions to get the net working or install Windows. If your router asks you for the WEP/WPA key and you as an average user want to use the internet, you're going to trust that the router wants your WPA/WEP key and think nothing of it.

Usually in these cases it's only that one person that knows the password! I know my wife and our roommate have no clue what the password for our wifi is. Hell, I don't know what it is unless I look at the txt file on my thumb drive. It's hard to remember 64 random characters. Now this might work for a public hotspot. But then most public hotspots are open to the world anyway. You'd have to be careful with how long you run the rogue access point though. It's going to break a lot of folks' connections. They are going to complain to the owners, and when they can't get a connection they're going to start messing with the real access point's config.
hitthemlow Posted January 14, 2010
I registered just for this post, lulz.

@The Game: TKIP is just the encryption, not the authentication. I believe you were thinking about RADIUS, which cannot be attacked in the same manner as PSK, or perhaps LEAP/EAP.

@Barry: what happens is: the AP waits for a client to connect; upon connecting he can instantly browse the internet, except for one small problem. Via some nice grep skills, the program intercepts the GET responses and delivers a broken page alongside a "<script>window.open(blah)</script>" that has one input field and one message: "We're sorry, due to ongoing technical difficulty, we require you to reenter your Wireless passphrase". I have personally tested this technique on.... about 100 clients, 90 of which did it :D