Jump to content

Wireless Cracking


ParMan
 Share

Recommended Posts

I might be way of on this but i was wondering if it would work. say you want to crack a WPA or WPA2 key.

the network has an access point and 3 clients.

You get your PC to act as a fake access point.

Then you sent death packets to the clients to get them to disconnect from Access point.

Then have your Fake access broadcast "I am your Access Point"... if the client tries to connect to you wouldn't the client send you the access key. Which you could use to connect to the real access point?

Link to comment
Share on other sites

if you sent the exact information that you capture from the client to the real access point. Then the access points sends you the response. The response is sent from you to the real client. the client replies back to the fake access point. then you reply back to the real access point. so on and so forth till its completed?

Link to comment
Share on other sites

WPA requires a 4 way handshake to authenticate yourself, and is also what you need in order to crack it, so no, you can't just intercept the key in the open. Doesn't work like that.

As for WEP, you can inject and replay arp packets, which cause the router to continually increase the number of IVS going back and forth with the client(s), and in turn, after 10,000 to 20,000 captured IVS of data, you can then crack it with aircrack.

Link to comment
Share on other sites

As for WEP, you can inject and replay arp packets, which cause the router to continually increase the number of IVS going back and forth with the client(s), and in turn, after 10,000 to 20,000 captured IVS of data, you can then crack it with aircrack.

Umm, you can actually crack WEP with a capture that contains very few IVS of data. There is a video in the securitytube that demonstrate this.

Edited by Infiltrator
Link to comment
Share on other sites

I like it, the more packets you have the faster you can crack the key, but in order to get more packets you need to sniffer for longer, so what do you do, get less packets and take longer to crack, or wait longer for the packets ad spend less time cracking, :| the decisions i tell you, how do you expect people to work with these decisions,

Link to comment
Share on other sites

Umm, you can actually crack WEP with a capture that contains very few IVS of data. There is a video in the securitytube that demonstrate this.

You can, but only if the password is weak. Usually, aircrack can start cracking 5000 data packets and up, but more than likely will need more than 10,000 data packets.

More IVs the faster cracking. Also the more accurate. You still need like 40,000 I think.

The most you should need is 20,000 data packets(which I assume has more than enough IVS) and often work between the 10-20,000 range. Anything over 20,000 data packets should yield a result, depending on the level of encryption in the key, might take over 40,000. I always get IVS and DataPackets mixed up, but what I stated in the thread above, I was referring to DataPackets. The number of IVS in those data packets would be considerably higher.

http://www.aircrack-ng.org/doku.php?id=faq#how_many_ivs_are_required_to_crack_wep

How many IVs are required to crack WEP ?

WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64 bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128 bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more.

There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng can not report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with ”-n 64” to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP.

The figures above are based on using the Korek method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered. Using this technique, 40-bit WEP (64 bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128 bit key) with 40,000 data packets. PTW is limited to 40 and 104 bit keys lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.

Link to comment
Share on other sites

I like it, the more packets you have the faster you can crack the key, but in order to get more packets you need to sniffer for longer, so what do you do, get less packets and take longer to crack, or wait longer for the packets ad spend less time cracking, :| the decisions i tell you, how do you expect people to work with these decisions,

Through injection and arp replay,you can increase the packets and IVS in a manner of minutes. If the AP is vulnerable and your injection is working, you should be able to crack wep in under 5 minutes. Its one of the reasons people are told, don't use WEP, it can be cracked too easily.

Link to comment
Share on other sites

  • 3 weeks later...

Through injection and arp replay,you can increase the packets and IVS in a manner of minutes. If the AP is vulnerable and your injection is working, you should be able to crack wep in under 5 minutes. Its one of the reasons people are told, don't use WEP, it can be cracked too easily.

Can you help me? How can i inject packets? Please reply to this topic: http://forums.hak5.org/index.php?showtopic=20929

Link to comment
Share on other sites

Can you help me? How can i inject packets? Please reply to this topic: http://forums.hak5.org/index.php?showtopic=20929

In order to do packet injection you need a wireless card that is capable of doing packet injection.

The best one out there, is the ALFA awus036h

Edited by Infiltrator
Link to comment
Share on other sites

I'm finally starting to get into wifi security after putting together some useful kit, (budget constraints).

Im slowly working my way through things and ive found working through an ebook copy of Hacking Exposed WiFi 2010 is really a great help in explaining all the security aspects and in and outs of all the details.

I thoroughly recommend it as a primer if you like on eerything you need to know.

Its awesome.

Link to comment
Share on other sites

I'm finally starting to get into wifi security after putting together some useful kit, (budget constraints).

Im slowly working my way through things and ive found working through an ebook copy of Hacking Exposed WiFi 2010 is really a great help in explaining all the security aspects and in and outs of all the details.

I thoroughly recommend it as a primer if you like on eerything you need to know.

Its awesome.

What part of Australia are you from?

Link to comment
Share on other sites

You are doing it wrong. First, make sure your card is associated with the AP, I think its arpeplay -1. In doign so, you should see the letters opn or open next to it in airodump and say associated under aireplay. Then, do aireplay -3, and the iv's will jump, takes about 3-5 minutes and you should have enough to start cracking.

Link to comment
Share on other sites

Mackay in Queensland dude...you?

I'm from Darwin, brooo!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...