
Capturing WPA/WPA2 passwords with the NANO/TETRA



Greetings!

I really hope this isn't a silly question. I was talking with my friend about the NANO and how it can deauth clients on a network, then convince those clients to connect to the NANO as a rogue access point. I realize that it is not difficult to capture and rebroadcast SSIDs, but they are always open access points. If I wanted to capture the WPA or WPA2 handshake, is there a way to either log it and send it to another machine to be cracked, or just grab whatever information the device sends to the NANO, and use that to create a copy of the original SSID complete with its password?

Basically, what I am trying to figure out is if the NANO can capture data that will assist in knowing the password to a particular network.

I am still learning how handshakes, frames, and beacons work, and although I have a basic understanding, I am not sure if this is feasible or not. I know WPA and WPA2 passwords are hard to crack, but would it help if the device connecting to the rogue AP tried to give that rogue AP its part of that handshake?

Would it be easier (or even feasible) to just go into that client system and take whatever the saved password is and store it for future use?

Any clarity or resources on this subject would be appreciated.

Cheers,

Dez


Hello Dez,

I have some experience with this on Kali.

For cracking WPA2 you will need to have some good CPU or GPU power...

Let me explain a little bit about hacking WPA2 as far as my experience reaches.

First you need to set your WLAN card to promiscuous mode ( airmon-ng command )

Then you will need to capture the handshake ( airodump-ng command)
This could take some time; to capture it faster you could disassociate current clients so they reassociate and you capture their handshake ( aireplay-ng command)

Once captured, you can crack it with a bruteforce or dictionary ( aircrack-ng command ).

However, the pineapple has too little power to do this. I would recommend creating a custom dictionary on a kali machine, importing the airodump file to the kali machine and running a dictionary attack. If that won't work you could try a brute force; however, as the minimum password length for WPA2 is 8 chars, it could take at least a couple of days. If you try to crack a 9 char password and they use special chars or numbers, forget it, this will take too long.

My advice is to first install kali on a laptop, do the above commands, once you master it, use the nano to capture a handshake and crack it on the laptop, server.

If you need any additional info, please let me know :)

  • Upvote 1

Well put.

Yes, you can capture all the data required to get a password for a wifi network with the nano. Then you could go home and get the password using your computer

I have some tutorials for this in the Pineapple University section, but the commands it boils down to are these:

airmon-ng start wlan1
airodump-ng -w PacketCapture wlan1mon

(Then just go near the AP you're wanting to crack and wait for someone to connect to it.)

(You could speed this up with a deauth attack as mentioned above.)

Once someone has connected to the network, you might want to make sure it was picked up by the nano in case you were too far away or something.

To do this, stop the airodump. (Control + C) Then run aircrack-ng PacketCapture-01.cap (It will give you a list of networks. If it says you have handshakes beside it, you're good to go. if not, try again.)

You'll need to convert your PacketCapture to a different format using the command

aircrack-ng -J Capture.hccap PacketCapture-01.cap

Now go home, take the Capture.hccap file off of your pineapple and store it somewhere on your computer.

You'll need to get a large password dictionary.

Now that you have all the information recorded in the Capture file, you'll need to crack it.

Next, download oclHashCat and we'll use it to crack the password. (Linux will be harder since you'll have to install the right things to get your video card working right, Windows will also work.)

Once it's downloaded, move your password dictionary and Capture.hccap to the oclHashcat folder.

Make a new file called Crack.bat

Open it with notepad and type one of these, depending on if your computer is 32 bit or 64.

32:

oclHashcat32.exe -m 2500 Capture.hccap NameOfYourPasswordDictionary.txt

64:

oclHashcat64.exe -m 2500 Capture.hccap NameOfYourPasswordDictionary.txt

And of course replace the last part with the actual name.

Then it will work through the list and try to find the password.

This is just an extremely brief example. Make sure to find out what's going on, and why you are doing all of this if you really want to understand what's going on.

Edited by Fallen Archangel
  • Upvote 4

Wordlist attacks are pretty much pointless these days now that passwords are so strong. You can run darkc0de and rockyou all day and probably have less than a 10% chance... I mean, LanTurtle123@ isn't gonna be in there, and those are the kind of passwords you're dealing with these days. I think a lot of people get misled on wordlist/brute force attacks. Watching a couple YouTube videos of some guy who stuck his router password in a small word list gets people all excited. Hashcat is good because it uses hash algorithms to speed things up, and allows rules for brute force attacks, but again, if you have no recon and are using all wild cards, you better have 100 years to sit around. Of course this is all my opinion, maybe others have raging success with BF attacks.

It's still fun to learn. I'm just saying, unless you're lucky, don't get too keen on brute forcing 4-ways. This is why tools like the pineapple exist. If it were easy, everyone would do it. You can still wander around older apartment complexes and find the odd man out with wep and crack for fun if you want :p

I wish reaver worked better.

Edited by jermzz
  • Upvote 1

There are also masks that can help. Especially when a vendor has a set default, like 8 numbers.

And you have attacks like WPS Pins, and Pixie. Also tools like WiFiphisher.

And sure it could take time, but I usually just start it before I go to bed, when I wake either I have the password or I don't.

And even if I haven't captured the handshakes yet, I can still be generating tables overnight. I could be generating the tables at home, while I'm out sniffing the handshake.

With enough password modulation, you could get any password. The main thing is the time it takes to do it.

I used to keep a list of the top 1000 ap passwords on my mk5. It would take about 30 seconds for the pineapple to go through them.

Set up a dip switch for

airmon-ng start wlan1 && wifite-ng -all -mac -strip -aircrack -dict 1000.txt -crack -i wlan1mon

And suddenly you have a WiFi autopwn device. Flip the power switch, set it down, and wait for it to do its thing.

It might not be very fast or work all the time, but I don't believe bruteforce is dead.

Edited by Fallen Archangel
  • Upvote 3
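The "couple of days for 8 chars" estimate earlier in the thread and the "8 numbers" vendor-default mask above can both be checked with a keyspace calculation. The following is an added example, not code from the thread or from Hak5. It assumes the WPA2-PSK derivation from IEEE 802.11i (PMK = PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes), hashcat-style mask tokens, and the 250k guesses/s GPU figure quoted later in the thread; the SSID in the timing loop is constructed.

```python
"""Why the keyspace, not the rig, decides whether a WPA2 mask or wordlist
attack finishes. Added example; parameters follow IEEE 802.11i WPA2-PSK."""
import hashlib
import string
import time

# Character classes a hashcat-style mask token can draw from (assumed names).
CHARSETS = {
    "?d": string.digits,                                   # 10
    "?l": string.ascii_lowercase,                          # 26
    "?u": string.ascii_uppercase,                          # 26
    "?s": " " + string.punctuation,                        # 33
    "?a": string.digits + string.ascii_letters + " " + string.punctuation,  # 95
}
THREAD_GPU_RATE = 250_000  # guesses per second, as reported in the thread


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key exactly as a WPA2-PSK AP does.
    A cracker repeats these 4096 HMAC-SHA1 rounds for every candidate, which
    is why WPA2 rates are quoted in kH/s rather than the GH/s seen for MD5."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_guess_rate(samples: int = 200) -> float:
    """Single-core CPU guesses per second on this host (no GPU involved)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"guess{i:08d}", "constructed-ssid")  # constructed SSID
    return samples / (time.perf_counter() - start)


def mask_keyspace(mask: str) -> int:
    """Candidates covered by a mask such as '?d?d?d?d?d?d?d?d' (8 digits)."""
    if len(mask) % 2:
        raise ValueError("mask must be a sequence of two-character tokens")
    size = 1
    for i in range(0, len(mask), 2):
        token = mask[i:i + 2]
        if token not in CHARSETS:
            raise ValueError(f"unsupported mask token {token!r}")
        size *= len(CHARSETS[token])
    return size


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace / rate


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit, e.g. '9.7 days'."""
    for unit, length in (("years", 31_557_600), ("days", 86_400),
                         ("hours", 3_600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print(f"this CPU: {measure_guess_rate():.0f} guesses/s")
    cases = {
        "vendor default, 8 digits": "?d" * 8,
        "8 lowercase letters": "?l" * 8,
        "8 chars, full 95-char set": "?a" * 8,
    }
    for label, mask in cases.items():
        space = mask_keyspace(mask)
        worst = human_time(seconds_to_exhaust(space, THREAD_GPU_RATE))
        print(f"{label:28s} {space:>22,d} candidates -> {worst} at 250 kH/s")
```

Running it shows the spread the thread argues about: 8 digits fall in minutes, 8 lowercase letters in days, and 8 characters from the full printable set in centuries at the same rate.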

Why bother making tables? Isn't it just as fast to just run your list? Tables were only convenient when ssids were the same. Like... "Linksys" now they're even wise to that and distribute different names for every router. End of the day, all that matters is if that password is in your list file. Doesn't matter how fast you can crack off attempts. That's the hard part. ThemDamComplexPasswords986361@--

Edited by jermzz

Because you can generate the tables before you have the handshake.

If it takes me 2.5 hours to generate the tables, and 0.5 to test it.

I can do the 2.5 while I'm at school or work or wherever. And then whenever I do get a handshake, it's only going to take me half an hour to test it.

You don't really save any time, but you do get faster results.

But like you said, my main use is for things like 'dd-wrt'. I see those all the time.


Wordlist attacks are pretty much pointless these days now that passwords are so strong. You can run darkc0de and rockyou all day and probably have less than a 10% chance... I mean, LanTurtle123@ isn't gonna be in there, and those are the kind of passwords you're dealing with these days....

The default lan turtle password, "sh3llz", was cracked by rockyou dictionaries in much less than a day, if i remember correctly.


Which is why you're forced to change that password on first login which can only be achieved from the USB side of the device. :tongue:

Still beats admin/admin (or pineapplesareyummy)

  • Upvote 2

Sh3llz is probably in rockyou, along with a bunch of other dictionary words with hax0r talk. :p I wouldn't consider it a strong password. But look online... Social media, banks, pretty much anywhere with sensitive information. They're now all requiring upper and lower case, a number and special symbol with at least 8 characters. Now, I'm not saying everyone is necessarily putting those as their router password. But, I promise you a lot of them are, just because we know people like to have the same passwords for everything. In the 90s / 2000s my passwords were all dictionary crackable.

I know it can work, definitely. And maybe I'm just pessimistic about it because of the lack of success I've had over the past couple years. Hopefully everyone else is doing better. I'm not very patient though, either. :)


I've noticed a trend where residences are now more secure than a lot of corps. (small businesses I should state and not large ones).

Residences will leave the default WIFI password that came on the router; a lot of the time this is on a sticker on the bottom of the device and will be 10+ chars in a mix of upper, lower and numbers.

Small Corps will change this default WIFI password for ease of use for their staff, so something like businessname+random number (or even just businessname); also the businessname is usually the SSID name :-)

However on the counter side the admin account to access the router settings once on network is usually left as default on residences while it is changed on Corps.

So Corp easier to crack WIFI password , and Residences easier to get access to admin panel of Wifi Access point.

Edited by zoro25

Probably best to start with the 3 parts of this tutorial, it goes over some of the basics you will need to get started:

https://forums.hak5.org/index.php?/topic/37108-using-the-pineapple-without-modules-or-infusions-part-one-ssh/

You're most likely going to capture handshakes with the pineapple and then you will have to bruteforce them on another system as this process will take some time and power. There's a lot more behind that second subject you can find more information about on the forums and elsewhere to make it a little easier for your particular situation.

  • 1 month later...

So how does one go about getting a handshake capture with the NANO or TETRA, beyond using Airmon via command line? Is there a module intended to do this on the MKV that hasn't been ported? Can it be done using the tcpdump module?

Edited by purrball

You could use command from your phone (whatever), make a little bash script.

* Login

* Create a small bash script (1 line even?)

* Each time you login just run script "./script"

You'd only need to type ./script-name (could make it easier still by throwing it into /bin).

Script can be something like this (at its simplest):

#!/bin/bash

airmon-ng start wlan1 && wifite-ng -all -mac -strip -aircrack -dict 1000.txt -crack -i wlan1mon

(airmon code from Fallen Archangel above)


Word of warning, doing it this way will only allow wifite to scan for 5 seconds before attempting to start attacking networks. 5 seconds isn't long enough, I'd say 20-30 would be a better choice. 120 would be even better.

  • Upvote 1

Thanks!

I just used that as an example for a quick and dirty script.

I didn't know that the Nano had aircrack installed. Is it installed by default?

I haven't used the pineapple too much since I got it. Mostly just scanning - have not found much use for it, yet - fun toy to have still.


It's installed.

Airmon-ng is part of the aircrack-ng suite.

  • Upvote 1

Hi Dez,

Actually I wouldn't say WPA/WPA2 passwords are hard to crack. It all depends on the set password of course. I've cracked WPA2 passwords in 2 seconds on my server with GPUs, just because the password was made up of a word and numbers. Of course I then used my own wordlist together with some own rules in cudahashcat.

So sometimes it's not that hard, but sometimes you won't crack the password at all. Completely depends on the complexity of the set password.

Soon enough my server will do 1mH/s so crunching through a big wordlist together with some good rules won't take much time. But still all it comes down to is if I'm smarter than the one who set the password :P When cracking clients' wireless networks I create my own wordlists based on data about that client, like scraping words from their website, different languages etc.

/crashie

  • 8 months later...

I know this is an old thread, but after reading it, I really have to ask those having problems cracking via dictionary; are you just stopping after trying the rockyou list or other small, built-in lists that come with Kali?  Up your game and make a mondo beast of a list (1billion+), or just scour p2p sites and download one of the many gigantic lists that are out there.  Heck, here's a link to a really effective one here on hak5.

I guess it depends on where you live, but seriously, don't overestimate residential security in regards to secure password generation.  Most people aren't harboring nuclear bomb plans; an easy-to-remember password is almost always chosen over having a complicated pain-in-the-ass when guests ask you for your wifi password.  The 10% success rate someone mentioned above just sounds lazy; try harder!

1 hour ago, Fuylo said:

I know this is an old thread, but after reading it, I really have to ask those having problems cracking via dictionary; are you just stopping after trying the rockyou list or other small, built-in lists that come with Kali?  Up your game and make a mondo beast of a list (1billion+), or just scour p2p sites and download one of the many gigantic lists that are out there.  Heck, here's a link to a really effective one here on hak5.

I guess it depends on where you live, but seriously, don't overestimate residential security in regards to secure password generation.  Most people aren't harboring nuclear bomb plans; an easy-to-remember password is almost always chosen over having a complicated pain-in-the-ass when guests ask you for your wifi password.  The 10% success rate someone mentioned above just sounds lazy; try harder!

The only problem with running dictionary attacks for days on end is the power bill that comes with it.  There are other ways to crack a residential wifi without having to pay for it when the Power bill comes.  Have you tried Fluxion yet? 

  • Upvote 1

6 hours ago, b0N3z said:

The only problem with running dictionary attacks for days on end is the power bill that comes with it.  There are other ways to crack a residential wifi without having to pay for it when the Power bill comes.  Have you tried Fluxion yet? 

That power bill is for real; made that mistake once.

I've not tried fluxion yet, It's been a good while now since I've taken a crack at WPA2 cracking, so I'll have to check it out.

Aircrack with the list I posted earlier takes like 2 weeks on a clunky core i3 office-style workstation, but OCL Hashcat with a newer Nvidia quadro took under 3 hours around 250k a second and higher (done in Windows; blegh I know but it's so much easier to use Hashcat for Windows per not having to go through Nvidia cuda setup on a Linux box.  I'm lazy too I guess)

What is this, fluxion you speak of?


I just have an i7 3770k not overclocked and it was going to take forever and I said hell with it. My GPU went out about a year ago and I don't play games so it really wasn't worth replacing.

Fluxion is a tool to crack wifi passwords. It uses a lot of tools and I recommend using it with Kali as all the dependencies are already installed. I've set it up on Mint but it was a total pain in the butt. It gets a handshake and then makes a rogue AP for the client to connect to while deauthing the real AP. Then when the target connects they are brought to a captive portal which asks for the password, and once the password is entered, fluxion uses that password against the handshake to see if that was the correct password. Short version.

https://github.com/deltaxflux/fluxion

I've tried this on my old netgear wifi router, my TP-link Archer c7, and my comcast router, and it worked as expected.

  • Upvote 2
6 minutes ago, b0N3z said:

I just have an i7 3770k not overclocked and it was going to take forever and I said hell with it. My GPU went out about a year ago and I don't play games so it really wasn't worth replacing.

Fluxion is a tool to crack wifi passwords. It uses a lot of tools and I recommend using it with Kali as all the dependencies are already installed. I've set it up on Mint but it was a total pain in the butt. It gets a handshake and then makes a rogue AP for the client to connect to while deauthing the real AP. Then when the target connects they are brought to a captive portal which asks for the password, and once the password is entered, fluxion uses that password against the handshake to see if that was the correct password. Short version.

https://github.com/deltaxflux/fluxion

I've tried this on my old netgear wifi router, my TP-link Archer c7, and my comcast router, and it worked as expected.

That sounds pretty awesome; I've tried to get away from password cracking and pursue exploits/rogue APs a bit more; this looks like a great place to start. Thanks for the info.
