Thread: BT4 Brute Force...

  1. #1
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    3

    BT4 Brute Force...

    I am trying to crack a WPA-PSK key in my Basic Offensive Security class using BackTrack 4 Beta Release. I have a dict file over 80 MB, but I STILL can't get the pass... The password might be something completely random like "aw91t@$l2".

    The goal of the assignment is to use all available resources to get that pass, even if we haven't learned the techniques yet. (We were basically instructed for 2 weeks on the basics, then popped with this for two test grades... T_T)
    What should I do?
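    Why a wordlist of any size fails against a random passphrase, as an added example that is not part of this thread or of BackTrack: the script below implements the WPA-PSK derivation itself (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i) and uses it to size the search space and the expected search time for a passphrase shaped like "aw91t@$l2". Every guess costs 4096 HMAC-SHA1 rounds, which is exactly why a random passphrase is the defender's answer to this kind of attack. The guess rate used in the main block is an assumed figure, and measure_guess_rate is a hypothetical helper for checking your own hardware.

```python
import hashlib
import string
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK (pairwise master key) derivation per IEEE 802.11i:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32
    )


def alphabet_size(passphrase: str) -> int:
    """Smallest character alphabet a guesser could assume for this passphrase,
    based on which character classes actually appear in it."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(passphrase: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return alphabet_size(passphrase) ** len(passphrase)


def expected_years(candidates: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random passphrase: half the keyspace."""
    return candidates / 2 / guesses_per_second / SECONDS_PER_YEAR


def measure_guess_rate(ssid: str, samples: int = 200) -> float:
    """Hypothetical helper: derive `samples` PSKs on this machine and return
    the achieved single-core guess rate in guesses per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:08d}", ssid)  # constructed throwaway candidates
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    passphrase = "aw91t@$l2"          # the pattern mentioned in the thread
    ssid = "example-ssid"             # constructed SSID, not from the thread
    assumed_rate = 1000.0             # assumed guesses/s, not a measured figure
    print("PSK :", wpa_psk(passphrase, ssid).hex())
    print("alphabet size :", alphabet_size(passphrase))
    print("keyspace      :", f"{keyspace(passphrase):.3e}")
    print("expected years:", f"{expected_years(keyspace(passphrase), assumed_rate):.3e}")
    print("this machine  :", f"{measure_guess_rate(ssid):.0f} guesses/s")
```

    The passphrase in the thread draws on lowercase letters, digits and symbols, so the alphabet is 68 characters and 9 positions give 68^9 candidates, roughly 3.1e16; an 80 MB wordlist holds on the order of ten million entries, a vanishingly small slice of that space. The first test vector (passphrase "password", SSID "IEEE") is the published 802.11i Annex test case, so a matching PSK confirms the derivation is the real one rather than a lookalike.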

  2. #2
    Junior Member
    Join Date
    Oct 2008
    Posts
    86

    I am a noob too, but I think brute force won't be the best way...

    You could try this way (but it will be a bad way too; it is just an idea I've never tried before):

    -Kill the true AP with MDK3
    -Create a fake AP with the same BSSID and fake WPA encryption (I don't remember if the fake encryption is possible)
    -Route the traffic through this new connection (victims will have internet access)
    -Create a fake router home page (you must know the brand and model of this one) or a provider home page and start it on the Apache server
    -DNS spoofing and sniffing with ettercap to grab login and password, to try to enter the router and read the WPA key


    Second idea (remote keylogging):
    Create a trojan with the Metasploit Meterpreter and link it with a document or a file (where you ask the victim to go into the router and retype its security parameters or its WPA key). Send it to your victim. Start keylogging to grab the WPA key....


    With my two methods you will have 2 chances in 1 million to grab the WPA key, but I really think "social engineering" will be easier.

  3. #3
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Quote Originally Posted by murdock69:
    -Kill the true AP with MDK3
    -Create a fake AP with the same BSSID and fake WPA encryption (I don't remember if the fake encryption is possible)
    -Route the traffic through this new connection (victims will have internet access)
    -Create a fake router home page (you must know the brand and model of this one) or a provider home page and start it on the Apache server
    -DNS spoofing and sniffing with ettercap to grab login and password, to try to enter the router and read the WPA key
    You forgot something important... He can't access the router setup pages if he doesn't have the WPA key... So this method is worthless. A possible way would be:

    Quote Originally Posted by murdock69:
    -Kill the true AP with MDK3
    -Create a fake AP with the same BSSID and fake WPA encryption (I don't remember if the fake encryption is possible)
    -Route the traffic through this new connection (victims will have internet access)
    -Use Wireless Key Grabber

  4. #4
    Junior Member
    Join Date
    Oct 2008
    Posts
    86

    Quote Originally Posted by Snayler:
    You forgot something important... He can't access the router setup pages if he doesn't have the WPA key... So this method is worthless. A possible way would be:
    Is it possible to know the model and the brand by sniffing with Wireshark in promiscuous mode and a filter on Wi-Fi headers, to create a fake setup page?

  5. #5
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Quote Originally Posted by murdock69:
    Is it possible to know the model and the brand by sniffing with Wireshark in promiscuous mode and a filter on Wi-Fi headers, to create a fake setup page?
    Go read some more about networks; I think you're not understanding how it works.

  6. #6
    Junior Member
    Join Date
    Oct 2008
    Posts
    86

    Quote Originally Posted by Snayler:
    Go read some more about networks; I think you're not understanding how it works.
    It was just a question, not a method...


    That's why I post in this area... But you're right, there are lots of things to learn about networks and I have a lot of gaps. I know it is impossible to enter the victim's router without the WPA key on its network, but I thought it was possible to redirect the victim on the fake AP to a "fake router setup page".


    ............MDK3
    ..............|
    Victim----X---WPA encryption-----router------"Setup page"
    |
    |
    |
    Fake AP---------Fake encryption------>Fake setup page(started on apache,dns spoofing ettercap)
    (same essid)
    (same bssid)


    I use this method to create fake hotspots (WPA encrypted) to grab passwords and logins, and it works. In this case it is possible to know the manufacturer of the router from the router's MAC address (macchanger) and imagine a fake "error page" where the victim has to re-enter login, password and WPA key to reset the network (the victim is on your network, so you can grab them).

    Sorry for my English... it is difficult for me to explain my idea.

  7. #7
    Just burned his ISO Wolfheart's Avatar
    Join Date
    Dec 2009
    Posts
    19

    Yes, there is an update in the aircrack suite that finds the PSK without a dictionary/wordlist attack. It's just recently been added. This would likely be your best avenue.

    Check out the link for details

    bit-tech.net/news/2008/11/07/wpa-crackable-in-fifteen-minutes/1

    wolf

  8. #8
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    3

    Quote Originally Posted by Wolfheart:
    Yes, there is an update in the aircrack suite that finds the PSK without a dictionary/wordlist attack. It's just recently been added. This would likely be your best avenue.

    Check out the link for details

    bit-tech.net/news/2008/11/07/wpa-crackable-in-fifteen-minutes/1

    wolf
    That sounds like my solution, do you have any more info?

  9. #9
    Just burned his ISO
    Join Date
    Dec 2009
    Posts
    1

    I will try also; last time I couldn't generate a handshake.

  10. #10
    Junior Member
    Join Date
    Oct 2008
    Posts
    86

    man tkiptun-ng
    But I don't know if it is easy to use. There is a document to read on the aircrack-ng website from the author.
