problem solved :
airodump and aircrack do not like apple handshake
i've tried with a laptop and i can get this handshake
but for my iphone, airodump says no handshake, but if you use cowpatty, you'll see it
hi :
OS : backtrack4
card : alfa 500
AP : livebox (french popular AP) in the room next to mine
station : my iphone, on my desk
shell 1 :
iwconfig : i can see that my card is wlan0
airmon-ng wlan0 start : now she is called mon0
airodump-ng mon0 : i can see a lot of networks, mine is on channel 10
CTRL+C
airodump-ng -w out -c 10 --bssid XX:XX:XX:XX:XX:XX mon0 : targeting my network
shell 2 :
aireplay-ng -0 0 -a XX:XX:XX:XX:XX:XX mon0
waiting a couple of seconds, i can see my iphone being disconnected, CTRL+C to stop the deauth attack
my iphone is reconnecting
no handshake
tried more than 10 times, i have even disconnected and reconnected my iphone manually and tried to do it with a regular laptop instead of my iphone (you never know, apple could be using some weird handshake)
still no handshake
could you look at my capture file? : Index of /backtrack4/wpa
thanks!
sliders_alpha - it appears you have a good WPA handshake in that file. Run the following command:
Code:
cowpatty -c -r out-01.cap
You will see the message: "Collected all necessary data to mount crack against WPA/PSK passphrase."
Sometimes, airodump-ng doesn't always display "WPA Handshake Captured" message.
You should run aircrack-ng or cowpatty on your out-01.cap file to see if you can break the passphrase. Way to go, you're almost there.
hypervista, how can you tell whether a handshake is good or not? I'm using Wireshark to open the out-01.cap file that sliders_alpha posted. In which packet do you find the information required to know if the packet is good?
thanks
I found that this command helped me catch those handshakes
aireplay-ng -0 30 -a (BSSID) -c (STATION MAC ADDRESS) Interface (e.g wlan0)
-0 (deauth attack)
30 (30 times)
PS.
Might be enough with -0 5 as well...
Good luck
it worked
i made a "false" dictionary with my key inside and it found it
thank you!
Using cowpatty, you can determine if the .cap file has all the necessary information needed to mount a dictionary attack.
Code:
cowpatty -c -r <capture_file_name.cap>
The output of this command will tell you whether you got the WPA handshake or not.
Interestingly though, as sliders pointed out, when I ran aircrack-ng against the file, it reported that no WPA handshake was present, but cowpatty recognized it...
Very interesting observation, found several times that aircrack-ng did not recognize the handshake. So next time I'll be sure to try cowpatty.
Thank you
Can you just check the cap file with Wireshark and use the eapol filter to make sure both sides of the handshake are there?
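
Added example, not part of the thread and not code from aircrack-ng, cowpatty or Wireshark: the frames an `eapol` filter shows can be told apart by the Key Information bits of the EAPOL-Key descriptor, and the replay counter shows whether an AP frame and a station frame belong to the same exchange. The function names and the sample frames (zeroed nonces and MICs) are constructed for this illustration.

```python
import struct

# Key Information bit masks of the EAPOL-Key descriptor (IEEE 802.11i)
PAIRWISE, ACK, MIC = 0x0008, 0x0080, 0x0100

def classify(frame: bytes):
    """Return (message_number, replay_counter) for a 4-way handshake frame,
    or None. `frame` starts at the 802.1X header (version, type, length)."""
    if len(frame) < 99 or frame[1] != 3:      # type 3 = EAPOL-Key
        return None
    if frame[4] not in (2, 254):              # descriptor: 2 = RSN, 254 = WPA
        return None
    info, = struct.unpack_from(">H", frame, 5)
    replay, = struct.unpack_from(">Q", frame, 9)
    data_len, = struct.unpack_from(">H", frame, 97)
    if not info & PAIRWISE:
        return None                           # group-key handshake
    if info & ACK:                            # sent by the AP
        return (3 if info & MIC else 1), replay
    if info & MIC:                            # sent by the station
        return (2 if data_len else 4), replay # heuristic: M4 has no key data
    return None

def summarize(frames):
    """Return (sorted message numbers seen, True if an M1 and an M2 share a
    replay counter, i.e. they belong to the same exchange)."""
    seen = {}
    for f in frames:
        c = classify(f)
        if c:
            seen.setdefault(c[0], set()).add(c[1])
    return sorted(seen), bool(seen.get(1, set()) & seen.get(2, set()))

def make(info, replay, key_data=b""):
    """Build a constructed EAPOL-Key frame (nonce, IV, RSC, ID, MIC zeroed)."""
    body = struct.pack(">BHHQ", 2, info, 16, replay) + bytes(80)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body

# Constructed samples: one complete exchange, and a capture where the AP and
# station frames come from different exchanges (replay counters differ)
FULL = [make(0x008A, 1), make(0x010A, 1, bytes(22)),
        make(0x13CA, 2, bytes(56)), make(0x030A, 2)]
PARTIAL = [make(0x008A, 1), make(0x008A, 2), make(0x010A, 5, bytes(22))]

if __name__ == "__main__":
    print(summarize(FULL))
    print(summarize(PARTIAL))
```

The second sample shows why seeing frames from both sides under the `eapol` filter is not sufficient on its own: messages 1 and 2 are both present, but their replay counters do not match.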