Bruteforce attack useless
By creating a dictionary containing strings of fixed length of 24 characters based alphanumeric (1234567890abcdefghijklmnopqrstuvwxyz)
es.: ad78 u7g5 m0m1 jqwe bb61 naq2
given the enormity of the possible combinations would give 36 ^ 24 as the number of strings 22,452,257,707,354,600,000,000,000,000,000,000,000
By a dictionary attack to 10,000 keys per second with the number of keys you want about 71,195,642,146,608,800,000,000,000
years, without considering that contain a dictionary of that length that is 445.729.734.805.631 Yottabytes or 501,847,066,894,648,000,000,000,000,000 Gigabytes.
Done this premise my question is:
Who uses WPA keys as described above and a dictionary attack would be folly;
There is another method for discovering a key WPA? Or this connection it can define safe to 99.9%?
Your assumptions are correct, based on what I know and the numbers you provided. I'm not sure how you calculated how big the dictionary would be (file size wise) but that seems like too big a number.
Essentially, if you use something like this for the passphrase:
https://www.grc.com/passwords.htm
With a unique (as in not in a dictionary somewhere) SSID, no one will break it. Period.
Of course, then you would just go and install a keylogger and not worry about breaking it
Thanks for your answer Woistfred and the new method of attack,
although it is somewhat complicated ...
has already been tried? Does it work?
Thanks for the explanation, I would say very interesting.
I wish you a good work
For sure, woistfred, that's very interesting. I had an idea using the same scheme (evil ap) but with a dnssppof redirecting the client to a webpage asking him to enter his wpa key, saying something like "update successful, please enter your wpa key to connect the network"...
Please keep us up to date about your interesting work.
--~ Internet is in the air we are breathing, so it should be free for everyone. We'll get there, just wait and see... ~--
It was only an idea I had, but I don't really have worked on it yet. Here what I think I will do:
I have a website which will host some webpages that the script will automatically download by wget.
The pages (in php) will include a variable that the user of the script will modify to have a specific essid displayed on his rogue ap, according to his needs. The script will first install itself, downloading all the php files in differents folders (one folder for each kind of access point, containing specific webpages. For example, one folder for "livebox, one folder for "neufbox" (french access points I'm working with)). The script will modify the httpd.conf so that apache will serve the webpages the user needs.
Here is an example of the features I think this will provide:
The user launches the script.
-First, he download the necessary files
(the script download everything by wget)
-Then, he choose the kind of AP he wants
(the script will copy the webpages from the specific folder to the root where apache will serve the webpages)
-He enter the essid
(the script will modify the files in the root of the apache server, automatically replacing the default essid with the chosen essid)
-The script starts the apache serverCode:sed "s/defaultssid/$newssid/g" defaultindex > index.php
-He enter some informations required by airbase-ng to make the rogue ap functionnal, such as the interface, bssid, channel...
-Then the script will launch the rogue ap
-That's where I don't have decided what to do about the dhcp configuration. If the client is using a static IP, the feature will not work. I think I will set up the rogue ap with an ip in 192.168.1.x, it should be good in most cases.
-The script launches ettercap and dnnsspoof to redirect the client to our webpages that will ask for the wpa key. For example, if we decide the rogue ap is 192.168.1.1 and the dhcp server will only give one ip which will be 192.168.1.91, we already know before anyone connects that the client will be 192.168.1.91, so we can use this ip for the mitm attack with ettercap.
-We wait a little, someone comes. He connects and open a web browser. He goes directly to the webpage asking him about his key, saying " $essid Update successful, please enter your WPA key to authenticate", and displaying some pictures as if the client was on his usual router administration panel.
-The client enter his key manually, then a php function with fopen fwrite & fclose will write the $essid and the key in a txt file...
For the next usage, the script will first delete the index.php in the apache server root, so we can again create a new indx.php
Maybe the script will have an "initialise" mode to delete those files, or maybe it will do it everytime it launches, I don't know yet.
I hope everything is clear enough... This can be done, but it needs some time to work on all those things. Your idea of letting the client upload a conf file is very good, I didn't thought about this... I think this could be adde when the script will be functionnal, just by modifying the php files of the rogue webpages, and maybe the httpd.conf (I'm not familiar about fils uploads, but i will make a few searches about it).
You're right, we probably should work together to make a next generation wpa key catcher, working with airbase-ng, your part of the work will be to implement the "exploit/root access/getting the wpa key from the registry", and I will work on the "fake administration panel asking for his wpa key" when I will have a few free time
--~ Internet is in the air we are breathing, so it should be free for everyone. We'll get there, just wait and see... ~--
This might sound dumb, but can you weed out the ones that don't have alot of probes, as network admins will only have one site, and you don't won't to be making them see a web page saying login, instead of yahoo.com.
I might not fully inderstand you setup, but what I understand it as, A person at a company trys to say surf the web and gets sent a login page for the router, they enter settings then get forward to the real AP or disconnected from you ap and they connect to the real Ap> you have the infomation that they entered.
What I'm saying that at a company what if the network admin sees that page, with out trying to enter the AP ip, they might find it weird. I just thought that if you could some how work out if its the admin, like postion the rogue ap so the signal want override the real one for the admin, or use probes etc.
Interesting....
this is what I had running
airbase-ng, when windows probes for known ssid's airbase-ng changes it accordingly
victim is then deauth'ed from router, and hopefully connects to the evil ap.
now they are on your network and you effectively the man in the middle, what you do from here is up to you
why don't you dump the whole registry to your local drive and worry about the searching of hash' later? Size of my registry and thats with lots of junk is about 60meg, nothing compared to brute forcingOriginally Posted by woistfred
yap
my focus is/are the registry tools of meterpreter and the usability of wzcook.exe of the (no longer existing) win32Version of aircrack for the issue of recovering WPA keys etc.
stored in " HKLM\SOFTWARE\Microsoft\WZCSVC\"
The main problems in developing a kind of universal payload for this issue:
-Different SP versions of XP use to hash the keys in different ways / store them in different reg subkeys.
-If a third party/vendor tool/driver is used to establish the wifi connection the hashing+storing is done in a different way/in diffrent locations too !
-Windows wireless zero config / registry is well documented.
Third party/vendor tools/drivers are not.
It'll take a while to create a stable payload that covers all that !
I'll start with the "XP SP3 built in wifi (no 3rd party tool) -thing"
If anybody reading this thread has any informations that might help me with this task,
please don't hesitate to post or message me !
BEST REGARDS
woistfred
Posting Permissions
