
Dd-wrt Logging Scripts


ellimistx99


Hello everyone,

I'm new to the forums and for the most part new to the show, so please forgive me if this has been asked before. I have a router on which I managed to install the DD-WRT firmware. I was looking for scripts or add-ons to the firmware that would log connection attempts and capture the password. Something similar to the Jasager implementation. Basically I would change my SSID to the target's and then just hope (or send deauth packets to the original router) till a user attempted to connect to my router, at which point I would hope to capture the password. Does such a script exist for DD-WRT? Or perhaps point me in the correct general direction.

Thanks.


You won't be able to allow them on the internet unless you are forwarding it through your laptop. So then you might as well just do old-fashioned MITM.

Hmm, I mean, I'm actually attempting to capture the WiFi password. I'm going under the assumption that if they have a profile set up with an SSID that has, say, WPA encryption, then when they see a similar SSID name on my router, the device will attempt to connect and send their passphrase, which I'd like my router to capture. After which, I'd like to be able to connect to their own router to set up a potential MITM attack.

Are you suggesting that there is a method that will allow them to connect to my router as long as I simply have the same SSID, no password, and later do a MITM attack to capture their WiFi password?

To be clear, I'm just looking for a way to get WPA passwords. After learning WEP attacks here, I figured I'd try to think of a way to get WPA passwords without having to do a dictionary attack on a captured handshake. Since I live in a country where the first language is not English, dictionary attacks are very, very hard to do.


If you hook up your card in monitor mode you can see the packets, but they are encrypted.

You can't just spoof an AP with the same SSID and somehow log the password the user tries. I am sure it is a checksum pass/fail type argument anyways.

Brute force would be the way to go. Or beat them with a wrench until they give up all their passwords :P


That's a really interesting idea. It has to be possible in some way. I personally don't know enough about the hardware aspects of WPA connections and what is happening on layer 2 and 3 besides ARP, but there has to be a "simplistic" social engineering approach.

Alternatively, you could deauth the client and get them to connect to your AP, get a meterpreter session (shouldn't be too hard) then from there dump the wifi password lists.


> If you hook up your card in monitor mode you can see the packets, but they are encrypted.
>
> You can't just spoof an AP with the same SSID and somehow log the password the user tries. I am sure it is a checksum pass/fail type argument anyways.
>
> Brute force would be the way to go. Or beat them with a wrench until they give up all their passwords :P

Haha, fair enough. I'm trying it on my own router anyway, for fun, so there isn't a need to use a wrench haha. Brute forcing a non-English password will take forever; I mean, AFAIK currently it's just dictionary attacks on a captured handshake to crack WPA. I was kinda hoping there was some other sneaky way I could get the passphrase. I found some scripts that attempt to log invalid login attempts. I can't make heads or tails of the script; maybe someone can actually tell if it's a checksum pass/fail type argument or something else that's workable: Script 1 and Script 2.


> That's a really interesting idea. It has to be possible in some way. I personally don't know enough about the hardware aspects of WPA connections and what is happening on layer 2 and 3 besides ARP, but there has to be a "simplistic" social engineering approach.
>
> Alternatively, you could deauth the client and get them to connect to your AP, get a meterpreter session (shouldn't be too hard) then from there dump the wifi password lists.

Yeah, that's what I was thinking. I don't think they would connect to my AP like that though. I mean, if my AP has the same SSID but is unencrypted, and their device is looking for an encrypted AP, will it still connect? I don't think it will.


From what I understand of what you want to do, you want to get the clear text WPA key, right? That happens somewhere in the 4-way handshake, which is encrypted/ciphered. I THINK that this would be a pretty complicated attack because during, I think, 3 out of the 4 steps of the 4-way handshake the client can authenticate info from the AP (to make sure it isn't bogus). I researched 4-way handshakes a few months ago and they can be quite complicated. Then there are group key handshakes, preauthentication protocols, etc. It isn't impossible, but it does show that these protocols are some of the more secure ones in this field :P

* 4-way handshake message 1

In the first message, the authenticator sends the supplicant a nonce. This is referred to as the ANonce.

* 4-way handshake message 2

The supplicant creates its nonce. This is referred to as the SNonce. The supplicant can now calculate the PTK. In the second message, the supplicant sends the SNonce to the authenticator. The supplicant also sends the security parameters that it used during association. The entire message gets an authentication check using the KCK from the pairwise key hierarchy. The authenticator can then verify that the information, including the security parameters sent at association, are valid.

* 4-way handshake message 3

In the third message, the authenticator sends the supplicant the security parameters that it's sending out in its beacons and probe responses. The authenticator also sends the GTK encrypted using the KEK. Again, the entire message gets an authentication check, which allows the supplicant to verify that the information, such as the authenticator's security parameters, is valid.

* 4-way handshake message 4

The fourth message indicates that the temporal keys are now in place to be used by the data-confidentiality protocols.

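An added worked example, not from the thread or any of the posters, that simulates the four messages described in the post above in Python. The SSID, MAC addresses, nonces, passphrase and the EAPOL-Key frame bodies are constructed stand-ins (real frames have a longer header; only the MIC field being zeroed before the MIC is computed matches the standard). The MIC is computed the WPA2/CCMP way (HMAC-SHA1 truncated to 16 bytes; WPA1 used HMAC-MD5). It shows what a rogue AP with the right SSID actually ends up holding: the client derives the PMK from the passphrase and SSID, mixes it with both MACs and both nonces into the PTK, and message 2 carries a keyed MIC over the frame, not the passphrase. The rogue AP can only test guesses against that MIC (the pass/fail check and the dictionary attack the thread keeps coming back to), and because it has no PMK it cannot produce a valid message 3, so the client rejects it.

```python
import hashlib
import hmac

# Constructed sample values for the simulation; none of these come from the thread.
SSID = b"HomeNetwork"
CLIENT_PASSPHRASE = b"correct horse battery"   # lives only on the victim's device
AP_MAC = bytes.fromhex("001122334455")         # rogue AP (authenticator) with the same SSID
STA_MAC = bytes.fromhex("66778899aabb")        # victim client (supplicant)
ANONCE = bytes(range(32))                      # fixed nonces so the run is repeatable
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    # WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter, cut to 64 bytes
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Both sides mix the PMK with both MACs and both nonces; the passphrase never goes on the air.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    # WPA2 (AKM 00-0F-AC:2): MIC = HMAC-SHA1(KCK, frame)[:16]; WPA1 used HMAC-MD5 instead
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


# --- supplicant (client) side --------------------------------------------------
def supplicant_message2(passphrase, ssid, anonce):
    """Answer message 1 (ANonce). Returns (SNonce, frame, MIC, PTK). The MIC is a keyed
    checksum over the frame; nothing in it is an encryption of the passphrase."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, SNONCE)
    kck = ptk[:16]                       # key confirmation key = first 128 bits of the PTK
    # Simplified stand-in for the EAPOL-Key body of message 2, MIC field zeroed
    frame = b"EAPOL-Key msg2|" + SNONCE + b"|" + b"\x00" * 16
    return SNONCE, frame, eapol_mic(kck, frame), ptk


def supplicant_verify_message3(ptk, frame3, mic3):
    # Message 3 must carry a MIC under the shared KCK; a rogue AP without the PMK cannot make one
    return hmac.compare_digest(eapol_mic(ptk[:16], frame3), mic3)


# --- rogue AP side -------------------------------------------------------------
def rogue_ap_recover_passphrase(ssid, anonce, snonce, frame, mic, wordlist):
    """All the rogue AP can do with message 2: not read the key, only test guesses
    (pass/fail) against the captured MIC, i.e. an offline dictionary attack."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, AP_MAC, STA_MAC, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return candidate
    return None


def run_exchange(wordlist):
    snonce, frame2, mic2, client_ptk = supplicant_message2(CLIENT_PASSPHRASE, SSID, ANONCE)
    # 1. nothing the client sent contains the passphrase
    passphrase_on_air = CLIENT_PASSPHRASE in frame2 or CLIENT_PASSPHRASE in mic2
    # 2. the rogue AP runs its wordlist against the captured message 2
    guessed = rogue_ap_recover_passphrase(SSID, ANONCE, snonce, frame2, mic2, wordlist)
    # 3. the rogue AP fakes message 3 with a KCK it made up; the client rejects it
    frame3 = b"EAPOL-Key msg3|" + ANONCE + b"|" + b"\x00" * 16
    fake_mic3 = eapol_mic(b"\x00" * 16, frame3)
    accepted = supplicant_verify_message3(client_ptk, frame3, fake_mic3)
    return {"passphrase_on_air": passphrase_on_air,
            "guessed": guessed,
            "fake_m3_accepted": accepted}


if __name__ == "__main__":
    print(run_exchange([b"password", b"12345678", CLIENT_PASSPHRASE]))
```

With the real passphrase in the wordlist `guessed` comes back set and the handshake would complete; without it the rogue AP is left with a MIC it cannot invert, which is why the language of the passphrase decides how hard this is. Capturing messages 1 and 2 (a half handshake) is enough for the offline test; the rogue AP never needs to finish the exchange.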

Yeah, that does seem quite complicated. Perhaps the other solution is more plausible then: figure out a way to have the user connect to your AP and then use a MITM and meterpreter to figure out a way to get their wifi password list.

I was just looking for a way to get a WPA password without having to rely on brute forcing and dictionaries ^_^

