Thread: WPA2 handshake capture

  1. #1 whiterabbit7500 (Junior Member, joined Feb 2010, 33 posts)

    WPA2 handshake capture

    I'm running a series of tests on my own lab-network WPA2 AP. I seem to be having trouble capturing the correct handshake. The handshake always comes back as the exact same sequence of characters as the BSSID of the AP. I've tried this on both my normal home-network router as well as my test AP. Any ideas as to why this might be happening? It seems to be throwing off aircrack significantly as well, since it is simply passing over the correct password time and time again.

    Also, I'm sometimes getting a notification in aireplay, when trying to deauthenticate a client, that the wireless adapter is set to a different channel than the AP, even though I have it set to sniff on the AP's specific channel.

    Any ideas/comments are welcome. I know it's probably something I'm doing wrong, but I wasn't able to find any info on these topics elsewhere.

    Edit: Forgot to mention that it is a WPA2-CCMP setup, if that makes any difference.

  2. #2 Gitsnik (Very good friend of the forum, joined Jan 2010, 851 posts)

    Check your dictionary file for Windows characters at the end (they should show up as ^M). I'd use vi to remove them, but there are easier ways; I will leave it to you to choose.

    If you want, you can PM me and I'll send you a simple cap file from my dev network that you can try yourself against, just in case you actually do have something dodgy going on hardware wise.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3 kidFromBigD (Senior Member, joined Jan 2010, 159 posts)

    Quote Originally Posted by Gitsnik View Post
    Check your dictionary file for Windows characters at the end (they should show up as ^M). I'd use vi to remove them, but there are easier ways; I will leave it to you to choose.

    <snip>
    Yes, this is VERY good advice.

    If you open a huge wordlist file in vi, use this command to strip out all the Winblows carriage returns en masse:
    Code:
    :%s/.$//
    Another method: use the powerful, yet seldom-known tr command:
    Code:
    tr -d '\r' < infile.txt > outfile.txt
    It works quickly, and tr is already installed on your BT4pf distro.

    Next, try again and let us know how it goes.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  4. #4 whiterabbit7500 (Junior Member, joined Feb 2010, 33 posts)

    Thanks for the advice, guys. I'll be working on it more later in the day when I get home, and let you all know how it goes. The problem with the carriage characters sounds like it's a possibility, since I run my wordlist through Brutus on Windows (I know!!!) to permute them.

    My other question would be as to why the handshake is coming up as the exact same thing as the BSSID? If my BSSID is 55:55:55:55:55:55, I get 55:55:55:55:55:55 as my handshake also.

  5. #5 kidFromBigD (Senior Member, joined Jan 2010, 159 posts)

    Quote Originally Posted by whiterabbit7500 View Post
    Thanks for the advice, guys. I'll be working on it more later in the day when I get home, and let you all know how it goes. The problem with the carriage characters sounds like it's a possibility, since I run my wordlist through Brutus on Windows (I know!!!) to permute them.

    My other question would be as to why the handshake is coming up as the exact same thing as the BSSID? If my BSSID is 55:55:55:55:55:55, I get 55:55:55:55:55:55 as my handshake also.

    Wait a sec... If you're using airodump-ng to sniff, then it reports that a WPA handshake was captured, and it reports in the upper right-hand corner of the display, right? Like this:
    Code:
    CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80
                                                                                                                
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                                
     00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              NETGEAR                         
     00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear 
     00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy                             
                                                                                                                
     BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                                
     00:14:6C:7A:41:81  00:0F:B5:32:31:31   51     2       14
     (not associated)   00:14:A4:3F:8D:13   19     0        4  mossy 
     00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1     0        5
     00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0       99  teddy
    What this shows you is that a WPA handshake was in fact captured, and reports this fact by displaying the MAC address of the AP. Is that clear? You are not being told what the handshake is, simply that one was captured.

    Now the task is to begin running it through your sanitized passphrase list.

    Let us know how it goes...
    You. Are. Doing. It. Wrong.
    -Gitsnik
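    The point made above, as an added example that is not code from the thread: a small parser for the airodump-ng screen that reads the "WPA handshake:" field as what it is, the BSSID of the AP whose handshake was captured, and looks that BSSID up in the AP table to report the ESSID and channel it belongs to. The sample screen is constructed from the one quoted in this post; the function names and the list of cipher/auth column tokens are my own assumptions.

```python
import re

# Constructed sample: the shape of the airodump-ng screen quoted in the post above.
SCREEN = """\
 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54. OPN              NETGEAR
 00:14:6C:7A:41:81   34 100       57       14    1   9  11  WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54  WPA  TKIP   PSK  teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0       99  teddy
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
MAC_RE = re.compile(rf"^{MAC}$")
HANDSHAKE_RE = re.compile(rf"WPA handshake:\s*({MAC})")
# Tokens that appear in the CIPHER and AUTH columns; they are skipped to reach the ESSID
# (an ESSID that is literally one of these words is an accepted limitation of this parser).
CIPHER_AUTH = {"CCMP", "TKIP", "WEP", "WEP40", "WEP104", "WRAP", "PSK", "MGT", "OPN", "SKA"}


def parse_aps(screen):
    """Return {BSSID: {channel, enc, essid}} from the AP table only (the station table is skipped)."""
    aps, in_ap_table = {}, False
    for line in screen.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "BSSID":               # a table header line
            in_ap_table = fields[1] == "PWR"   # "BSSID STATION ..." starts the station table
            continue
        if in_ap_table and MAC_RE.match(fields[0]):
            rest = fields[9:]                  # everything after the ENC column
            while rest and rest[0] in CIPHER_AUTH:
                rest.pop(0)
            aps[fields[0].upper()] = {"channel": int(fields[6]), "enc": fields[8], "essid": " ".join(rest)}
    return aps


def handshake_status(screen):
    """The 'WPA handshake:' value names the AP whose handshake was captured; resolve it to that AP."""
    m = HANDSHAKE_RE.search(screen)
    if not m:
        return None                            # no handshake captured yet
    bssid = m.group(1).upper()
    ap = parse_aps(screen).get(bssid, {})
    return {"bssid": bssid, "essid": ap.get("essid"), "channel": ap.get("channel")}
```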

  6. #6 whiterabbit7500 (Junior Member, joined Feb 2010, 33 posts)

    Quote Originally Posted by kidFromBigD View Post
    Wait a sec... If you're using airodump-ng to sniff, then it reports that a WPA handshake was captured, and it reports in the upper right-hand corner of the display, right? Like this:
    <snip>
    What this shows you is that a WPA handshake was in fact captured, and reports this fact by displaying the MAC address of the AP. Is that clear? You are not being told what the handshake is, simply that one was captured.

    Now the task is to begin running it through your sanitized passphrase list.

    Let us know how it goes...
    Ahh, gotcha. That's the answer I was looking for, ty.

  7. #7 Gitsnik (Very good friend of the forum, joined Jan 2010, 851 posts)

    Quote Originally Posted by kidFromBigD View Post
    Code:
    :%s/.$//
    A stricter (more accurate) way would be to replace .$ with the key sequence control+V, control+M and then the dollar sign if you wish. It will show up looking like
    Code:
    :%s/^M$//
    Which is more accurate than removing any character from the end of the line.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
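    The two vi commands discussed in posts #3 and #7, modelled side by side as an added example that is not code from the thread: a constructed wordlist with mixed CRLF and LF endings shows why `:%s/.$//` silently shortens every line that has no carriage return, while `:%s/^M$//` (or `tr -d '\r'`) touches only the CR. Function names are my own.

```python
# Constructed sample: three CRLF lines (one of them blank) and one LF-only line.
SAMPLE = b"password1\r\nletmein\nP@ssw0rd\r\n\r\n"


def _lines(data):
    """Split on LF only so a trailing CR stays visible; drop the empty tail after a final newline."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return lines


def naive_strip(data):
    """Model of :%s/.$// -- deletes the last character of every non-empty line,
    whether or not that character is a CR."""
    return [ln[:-1] if ln else ln for ln in _lines(data)]


def strict_strip(data):
    """Model of :%s/^M$// (or tr -d '\\r' on a file with no embedded CRs) -- removes a CR
    only where it ends the line and leaves LF-terminated lines untouched."""
    return [ln[:-1] if ln.endswith(b"\r") else ln for ln in _lines(data)]


def ending_report(data):
    """Count CRLF vs LF lines; any non-zero 'lf' count means the naive command will corrupt words."""
    lines = _lines(data)
    crlf = sum(1 for ln in lines if ln.endswith(b"\r"))
    return {"total": len(lines), "crlf": crlf, "lf": len(lines) - crlf}


def damaged_words(data):
    """Words the naive command changes but the strict one leaves alone: candidates aircrack would never test."""
    return [s for n, s in zip(naive_strip(data), strict_strip(data)) if n != s]


if __name__ == "__main__":
    print(ending_report(SAMPLE))
    print("naive  :", naive_strip(SAMPLE))
    print("strict :", strict_strip(SAMPLE))
    print("damaged:", damaged_words(SAMPLE))
```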

  8. #8 whiterabbit7500 (Junior Member, joined Feb 2010, 33 posts)

    So I decided that I'll be making the list over from scratch this weekend, since it's rather unorganized and hard to manage between Windows and BT. I'll be re-writing it all in BT to avoid Windows commands, and to learn permuting in Linux in general.

    I'll be letting you all know how it goes. TY again guys :-)

  9. #9 kidFromBigD (Senior Member, joined Jan 2010, 159 posts)

    Quote Originally Posted by Gitsnik View Post
    A stricter (more accurate) way would be to replace .$ with the key sequence control+V, control+M and then the dollar sign if you wish. It will show up looking like
    Code:
    :%s/^M$//
    Which is more accurate than removing any character from the end of the line.
    Excellent. Thanks for the advice. I will take this into account in the future.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  10. #10 whiterabbit7500 (Junior Member, joined Feb 2010, 33 posts)

    OK, I've tried vi and various other methods of removing the ctrl characters, but none seem to work completely. I'm in the process of trying to find a Linux tool that will permute a wordlist with l33t speak, and add various numbers and characters before and after words, etc. So far, I know of only Brutus in Windows that does this exceptionally well, but that brings with it the problem of the ctrl characters after every line. Any suggestions?
