
Thread: Cracking WPA2

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    54

    Cracking WPA2

    Hey,

    Recently I have tried my hand at breaking different types of wireless encryption using Backtrack 3 Final.

    I followed Xploitz's tutorial and have a couple of questions. Firstly, is there a way to brute force the collected packets instead of using a dictionary attack? Do I actually need to be near the AP to do the cracking after I have collected the packets? And finally, is there a way to get the hash and then use something like online rainbow tables to test it?

    Thanks for any insight that is offered,
    Dave

  2. #2
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by Pureline View Post
    Hey,

    Recently I have tried my hand at breaking different types of wireless encryption using Backtrack 3 Final.

    I followed Xploitz's tutorial and have a couple of questions. Firstly, is there a way to brute force the collected packets instead of using a dictionary attack? Do I actually need to be near the AP to do the cracking after I have collected the packets? And finally, is there a way to get the hash and then use something like online rainbow tables to test it?

    Thanks for any insight that is offered,
    Dave

    Have a look around the forums. There are a few hundred threads about this.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  3. #3
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by Pureline View Post
    Hey,

    Recently I have tried my hand at breaking different types of wireless encryption using Backtrack 3 Final.

    I followed Xploitz's tutorial and have a couple of questions. Firstly, is there a way to brute force the collected packets instead of using a dictionary attack? Do I actually need to be near the AP to do the cracking after I have collected the packets? And finally, is there a way to get the hash and then use something like online rainbow tables to test it?

    Thanks for any insight that is offered,
    Dave

    1. No.
    2. No.
    3. No.

    What Barry said.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008


    Quote Originally Posted by Pureline View Post
    Hey,

    Recently I have tried my hand at breaking different types of wireless encryption using Backtrack 3 Final.

    I followed Xploitz's tutorial and have a couple of questions. Firstly, is there a way to brute force the collected packets instead of using a dictionary attack? Do I actually need to be near the AP to do the cracking after I have collected the packets? And finally, is there a way to get the hash and then use something like online rainbow tables to test it?

    Thanks for any insight that is offered,
    Dave

    It is possible to use brute force instead of a dictionary attack, for example by piping john into aircrack-ng. In most (read: all) instances I would, however, not recommend this over using a dictionary. No, you do not need to be near the AP after capturing the handshake. The hash is salted with the ESSID of the AP, which is why a pre-generated rainbow table will not work unless it was computed specifically for cracking WPA with that same ESSID.

    And as Barry said, using the search function would have gotten you the answer to these questions in less time than it took me to type this out.
    -Monkeys are like nature's humans.
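    The salting point above is worth seeing in code. The following is an added example, not code from this thread or from aircrack-ng: it derives the WPA2-PSK pairwise master key exactly as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations, 256-bit output), precomputes a small lookup table for one SSID from a constructed candidate list, and shows that the same table is useless against a network with a different SSID. The `keyspace` helper quantifies what "brute force" means in this setting. The candidate list and the SSID `linksys` are made up for the example; the `password`/`IEEE` pair is the published 802.11i test vector.

    ```python
    import hashlib

    # Added example (not from the thread): WPA2-PSK key derivation per IEEE 802.11i.
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    PBKDF2_ITERATIONS = 4096
    PMK_LEN = 32


    def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
        """Derive the pairwise master key; the SSID is the salt."""
        return hashlib.pbkdf2_hmac(
            "sha1",
            passphrase.encode("utf-8"),
            ssid.encode("utf-8"),
            PBKDF2_ITERATIONS,
            PMK_LEN,
        )


    def precompute_table(candidates, ssid: str) -> dict:
        """A precomputed PMK table in the loose 'rainbow table' sense used in the
        thread: every entry is bound to one SSID because the SSID went into the
        derivation. Keyed by PMK so a derived PMK can be looked up directly."""
        return {wpa2_pmk(p, ssid): p for p in candidates}


    def lookup(table: dict, pmk: bytes):
        """Return the passphrase for a PMK if it was precomputed, else None."""
        return table.get(pmk)


    def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
        """Number of candidates a blind brute force must try for passphrases of
        length min_len..max_len over a charset of the given size."""
        return sum(charset_size ** n for n in range(min_len, max_len + 1))


    # Constructed sample data for the demonstration.
    CANDIDATES = ["password", "letmein", "sunshine", "ThisIsAPassword"]
    TABLE_FOR_IEEE = precompute_table(CANDIDATES, "IEEE")   # built for SSID "IEEE"


    def table_reuse_fails(passphrase: str, other_ssid: str) -> bool:
        """True when a table built for SSID 'IEEE' cannot resolve the same
        passphrase on a network with a different SSID."""
        pmk_other = wpa2_pmk(passphrase, other_ssid)
        return lookup(TABLE_FOR_IEEE, pmk_other) is None


    if __name__ == "__main__":
        print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
        print("same SSID lookup   :", lookup(TABLE_FOR_IEEE, wpa2_pmk("password", "IEEE")))
        print("other SSID lookup  :", lookup(TABLE_FOR_IEEE, wpa2_pmk("password", "linksys")))
        # 8-character lowercase passphrases alone: 26**8 PBKDF2 runs of 4096 rounds each
        print("candidates, [a-z]{8}:", keyspace(26, 8, 8))
    ```

    The lookup for the other SSID misses even though the passphrase is identical, which is the whole reason generic online rainbow tables do not apply to WPA2-PSK: a table has to be regenerated per SSID, so a non-default SSID plus a long, non-dictionary passphrase is the practical mitigation. The keyspace figure makes Thorn's point concrete: each candidate costs 4096 HMAC-SHA1 rounds, so even a short all-lowercase space is far beyond what a dictionary run would cost.
    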

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    Quote Originally Posted by =Tron= View Post
    It is possible to use brute force instead of a dictionary attack, for example by piping john into aircrack-ng. In most (read: all) instances I would, however, not recommend this over using a dictionary. No, you do not need to be near the AP after capturing the handshake. The hash is salted with the ESSID of the AP, which is why a pre-generated rainbow table will not work unless it was computed specifically for cracking WPA with that same ESSID.

    And as Barry said, using the search function would have gotten you the answer to these questions in less time than it took me to type this out.

    Good point, technically it is possible to brute force. But unless the passphrase is the same as streaker's luggage combination (123), it would be an exercise in masochistic behavior.
    Thorn

  6. #6
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by Thorn View Post
    Good point, technically it is possible to brute force. But unless the passphrase is the same as streaker's luggage combination (123), it would be an exercise in masochistic behavior.

    I'd rather sit on a jar than try that.

  7. #7
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Barry View Post
    I'd rather sit on a jar than try that.

    Don't you have snow to shovel?
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by streaker69 View Post
    Don't you have snow to shovel?

    Nope, we still don't have any. Had a pretty good ice storm the day before yesterday though. It's mostly melted now.

  9. #9
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526


    The Distributed Password Recovery from Elcomsoft can brute force WPA. However, brute forcing WPA without knowing the character case and how long the passphrase is, is pretty much pointless; you're better off dictionary attacking it. I think WPA will be compromised using a different technique soon, though.
    Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.

  10. #10
    Good friend of the forums gunrunr's Avatar
    Join Date
    Jan 2010
    Location
    shining my spoon
    Posts
    265


    Two words: client attacks.

    Why not just go after the clients, figuring you have some connected? Check out Mister X's presentation at DEF CON on how to use airbase-ng, which is now included in the aircrack suite.
    Actually, make sure you update aircrack-ng in BT3, because you may be missing a couple of the new attacks such as cafe latte, airbase-ng, airdecloak-ng, airtun-ng and easside-ng. Make sure you pick up aircrack-ng-svn-trunk-current.tar.gz as well.

    king lurker,
    gunrunr
