NOTE: When cracking WPA/WPA2 passwords, make sure you check gpuhash.me first in case it's already been processed.

Wireless Cracking: In need of some educational resources or guidance to keep going.


Witchastronomer
Joined: Mon, 02 Jul 2018
Posts: 4
Reputation: 0
Tue, 03 Jul 2018 @ 17:59:01

Hey everyone, I won't take much of your time, I'll get straight to the heart of it. As part of my self-education program on pentesting I've lately been trying to compromise my own WPA network, but with no success. These are the things I've been trying.
First of all, I've tried many password lists using pyrit, crunch passed through pyrit, and hashcat. I've also tried aircrack-ng, but none of them seems practical in the kind of situation I'm in and with the little time that I have. Having a weak Nvidia-less GPU and crappy hardware, I see no chance of succeeding with these types of attacks, so I've looked into reaver, bully and pixiewps, but most of the techniques involved require WPS, something I never encounter in network lists because, as rumor has it, the techniques are dead. My question is: are there other ways, besides the ones I've mentioned, that involve actively using the information we have gathered and working on it the way reaver and bully do, kind of like the weak WPS bug but for WPA?
PS: I've tried fluxion also, but it wouldn't work without a wireless adapter.


Purpleninja225
Joined: Thu, 05 Jul 2018
Posts: 116
Reputation: 212
Fri, 06 Jul 2018 @ 01:14:06

I'm still at a noobish level of knowledge, but maybe I can help out a little. From what I've gathered in my experience with WPA cracking, the first and most important step is info gathering. With proper info gathering you can cut down which wordlists to use, and other stuff.

1. Obtain handshakes
I am a bit lazy, so I use besside-ng (part of the aircrack-ng suite). It's a wonderful handshake grabber and it's all automated. It snatches all the handshakes in the area, can auto-crack WEP, and outputs everything formatted nicely into a log and cap files.

2. Examine the handshakes
Opening the besside.log file you see the SSID (NETGEAR72) and its associated MAC address (this is what I really want). With the MAC address we can use the first 3 pairs, which are the vendor ID. There are all kinds of websites that tell you the vendor if you put in a MAC address. For example, mine is 10:da:43:c0:d4:92, which translates to a device made by NETGEAR.

3. Determine possible attacks
Now that we know who makes the router, the easiest step is going to be trying to guess the default password for the router. Since the MAC and the SSID both point to a NETGEAR router, and the SSID looks to be default as well, we can safely guess that the password will also be default. So the next step is: what are the default passwords for NETGEARXX routers? After some searching, BlandyUK maintains a nice thread on exactly this: NETGEARXX routers use a simple generator for the default password (adj + noun + XXX, X = 0-9). So now we have to make that wordlist. I use netgearkiller.dict, which I found while googling. It has the adj and noun lists separately, as well as a combined list that I use with a hybrid attack in hashcat with the mask ?d?d?d. With my rig it takes about 2-3 days to run the whole list; with my GTX 550 and GTX 750 Ti I get about 68,000 H/s.

4. What if that doesn't work

My next step is usually trying other wordlists with random passwords. This is the part I'm still working on. I've done a lot of gathering in the wordlists area and I'm finally getting them all combined together. Using tools like App.Merge has been a great help in compiling one central list of passwords devoid of dupes. Currently it's at 13 billion passwords; that's too many to deal with on my GPUs, so we trim it down to smaller, easily digestible lists. So what do we know about WPA2 password requirements? The minimum length is 8 characters and the max is 64. I use App.Merge to trim out everything that doesn't fit those parameters and BAM! That trimmed out over 8 billion passwords. But that still leaves us with over 5 billion passwords. The best advice at the moment is trying this or other smaller lists with different sets of rules. I've read articles on how effective rules are and I highly recommend them. Rules like Dive achieve good results, but take a long time.

If that doesn't work, it's time for more info gathering and social engineering, trying to find out more about the person behind the router. Facebook and other social media are a wealth of knowledge on things you can include in list builders. Good starting info snippets are:

First/Last Name
Birthday
Parents/Spouse's Names
Favorite [insert thing]
Pets
other important dates

5. Learn about what worked and why.

Also, I'm still pretty new at this, so I'm sure there are better ways of doing this. Interested if anyone else has other takes.


+rep if I helped. GTX 750 Ti & GTX 550
Github: https://github.com/PurpleNinja225/Hash-Cracking Discord: PurpleNinja225 #6785

Tipz Jar:
BTC 321aVnFwQrhZcHoCoPzp1Vh46rUiQmExzp
ETH 0xF5ab8429F6991f0232Dd4A0eB8318a4e172b1282
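The workflow in Purpleninja225's post, as an added worked example that is not code from any poster in the thread: vendor lookup from the MAC's OUI, NETGEAR-style default candidates (adjective + noun + three digits, which is what hashcat's hybrid mode with mask ?d?d?d enumerates), the passphrase length trim, and a PMK comparison that shows where the per-guess cost of WPA cracking comes from. One fact to note: the 802.11 rule for a WPA/WPA2 passphrase is 8 to 63 ASCII characters; a 64-character value is the raw hex PSK, so the filter below uses 63. The OUI table, the word lists, the hash rate and the "default" passphrase are constructed stand-ins (netgearkiller.dict is not reproduced); the BSSID and SSID are the ones quoted in the post.

```python
"""Added example (not from any poster in the thread): the workflow in the post
above in pure Python. OUI table, word lists, hash rate and passphrase are
constructed stand-ins; SSID and BSSID are the ones quoted in the thread."""
import hashlib
import itertools
from typing import Iterable, Optional

# Constructed OUI table: the first prefix is the one quoted in the post; a real
# lookup uses the IEEE registry or an online OUI database.
OUI_TABLE = {
    "10:DA:43": "NETGEAR",
    "00:1A:2B": "ExampleVendor",   # made-up entry
}


def vendor_from_mac(mac: str) -> Optional[str]:
    """Map a MAC to its vendor via the first three octets (the OUI)."""
    oui = mac.upper().replace("-", ":")[:8]
    return OUI_TABLE.get(oui)


# Constructed stand-ins for the adjective and noun lists in netgearkiller.dict.
ADJECTIVES = ["breezy", "quiet", "happy"]
NOUNS = ["canoe", "river", "bird"]


def netgear_candidates(adjs: Iterable[str], nouns: Iterable[str]):
    """adj + noun + 3 digits: what `hashcat -a 6 combined.txt ?d?d?d` enumerates."""
    for adj, noun in itertools.product(adjs, nouns):
        for n in range(1000):
            yield f"{adj}{noun}{n:03d}"


def keyspace(adjs, nouns) -> int:
    return len(adjs) * len(nouns) * 1000


def eta_hours(candidates: int, rate_hps: float) -> float:
    """Wall-clock estimate for an exhaustive run at a given hash rate."""
    return candidates / rate_hps / 3600


def valid_wpa2_passphrase(pw: str) -> bool:
    """802.11 PSK passphrase rule: 8 to 63 printable ASCII characters.
    (A 64-character string is the raw hex PSK, not a passphrase.)"""
    return 8 <= len(pw) <= 63 and all(32 <= ord(c) <= 126 for c in pw)


def trim_wordlist(words: Iterable[str]) -> list:
    """The length trim the post does with App.Merge (dedupe not included)."""
    return [w for w in words if valid_wpa2_passphrase(w)]


def pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    Those 4096 rounds per guess are why a cheap GPU manages only tens of kH/s."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def crack(ssid: str, target_pmk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline guess loop: derive the PMK of every valid candidate and compare.
    A real cracker checks the handshake's MIC rather than a bare PMK, but the
    per-guess cost (one PBKDF2 derivation) is the same."""
    for pw in candidates:
        if valid_wpa2_passphrase(pw) and pmk(ssid, pw) == target_pmk:
            return pw
    return None


if __name__ == "__main__":
    ssid = "NETGEAR72"
    secret = "breezycanoe042"            # constructed "default" passphrase
    target = pmk(ssid, secret)
    print(vendor_from_mac("10:da:43:c0:d4:92"))
    size = keyspace(ADJECTIVES, NOUNS)
    print(size, "candidates;", f"{eta_hours(size, 68_000):.4f} h at 68 kH/s")
    print(crack(ssid, target, netgear_candidates(ADJECTIVES, NOUNS)))
```

With the real list sizes, `keyspace()` times 1/68,000 is the multi-day figure the post quotes; the point of `pmk()` is that every guess costs 4096 HMAC-SHA1 rounds, so trimming a wordlist to passphrases that can actually exist (8 to 63 characters) is pure win before any GPU time is spent.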

kevtheskin
Joined: Wed, 21 Feb 2018
Posts: 152
Reputation: 48
Thu, 13 Sep 2018 @ 19:51:47

Purpleninja225 said: (quoting the post above in full)

Hi there, Purpleninja, can you tell me how you extract a single handshake from the besside-ng multiple capture?

Cheers Kev
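Kev's question goes unanswered in the thread. As an added example, not code from any poster, here is one way to pull a single network's handshake out of a multi-network capture like the wpa.cap besside-ng writes: keep the beacons (they carry the ESSID) and the unencrypted EAPOL data frames whose BSSID matches, and write them to a fresh pcap that aircrack-ng or hashcat's converters can read. It assumes a classic pcap file with link type 105 (raw 802.11) or 127 (radiotap); the capture built by `build_sample_capture()` is constructed test data, not a real handshake, and the second BSSID and client MAC in it are made up.

```python
"""Added example (not from any poster in the thread): filter one BSSID's
beacons and EAPOL frames out of a multi-network pcap. Assumes link type 105
or 127; the sample capture at the bottom is constructed test data."""
import struct

LINKTYPE_IEEE802_11 = 105
LINKTYPE_RADIOTAP = 127
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP + EtherType 0x888E


def parse_pcap(data: bytes):
    """Return (linktype, 24-byte global header, [(record header, packet), ...])."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    off, records = 24, []
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        records.append((data[off:off + 16], data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, data[:24], records


def dot11_frame(pkt: bytes, linktype: int) -> bytes:
    """Strip the radiotap header (its length sits at bytes 2-3, little-endian)."""
    if linktype == LINKTYPE_RADIOTAP:
        (rt_len,) = struct.unpack("<H", pkt[2:4])
        return pkt[rt_len:]
    return pkt


def parse_dot11(frame: bytes):
    """Return (type, subtype, bssid, body) or None. Which address field holds
    the BSSID depends on the To-DS / From-DS flags in the frame control."""
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 3, fc >> 4
    to_ds, from_ds = flags & 1, (flags >> 1) & 1
    if to_ds and from_ds:          # WDS frame: no BSSID among the first three addresses
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else (a2 if from_ds else a3)
    hdr_len = 24 + (2 if ftype == 2 and subtype & 0x08 else 0)   # QoS data adds 2 bytes
    return ftype, subtype, bssid, frame[hdr_len:]


def is_eapol(ftype: int, body: bytes) -> bool:
    return ftype == 2 and body[:8] == LLC_SNAP_EAPOL


def filter_handshake(data: bytes, bssid: str):
    """Build a pcap holding only the beacons and EAPOL frames of one BSSID.
    Returns (pcap bytes, number of frames kept)."""
    target = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    linktype, header, records = parse_pcap(data)
    out, kept = [header], 0
    for rec_hdr, pkt in records:
        parsed = parse_dot11(dot11_frame(pkt, linktype))
        if parsed is None:
            continue
        ftype, subtype, b, body = parsed
        if b != target:
            continue
        if (ftype == 0 and subtype == 8) or is_eapol(ftype, body):
            out.append(rec_hdr + pkt)
            kept += 1
    return b"".join(out), kept


def build_sample_capture() -> bytes:
    """Constructed capture (link type 105): beacons from two APs, one EAPOL-Key
    frame to AP A and one ordinary IPv4 data frame to AP A."""
    ap_a = bytes.fromhex("10da43c0d492")   # BSSID quoted in the thread
    ap_b = bytes.fromhex("001a2b3c4d5e")   # made-up second AP
    sta = bytes.fromhex("aabbccddeeff")    # made-up client

    def record(frame):
        return struct.pack("<IIII", 1530000000, 0, len(frame), len(frame)) + frame

    def beacon(bssid):
        hdr = bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
        body = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + bytes([0, 9]) + b"NETGEAR72"
        return hdr + body

    def data(bssid, payload):   # To-DS=1: addr1 = BSSID, addr2 = STA, addr3 = DA
        return bytes([0x08, 0x01]) + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00" + payload

    eapol_key = LLC_SNAP_EAPOL + bytes.fromhex("0203005f02") + b"\x00" * 10  # truncated EAPOL-Key
    ipv4 = bytes.fromhex("aaaa030000000800") + b"\x45" + b"\x00" * 19
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return (header + record(beacon(ap_a)) + record(data(ap_a, eapol_key))
            + record(beacon(ap_b)) + record(data(ap_a, ipv4)))


if __name__ == "__main__":
    pcap, kept = filter_handshake(build_sample_capture(), "10:da:43:c0:d4:92")
    with open("netgear72.cap", "wb") as f:
        f.write(pcap)
    print(f"kept {kept} frames")
```

Two caveats: aircrack-ng can also select one network from a multi-network file directly with `-b <bssid>`, so this split is only needed when handing a single handshake to another tool or to someone else; and the filter keeps every EAPOL frame for the BSSID, so a capture with several clients will still contain more than one handshake, which is harmless for cracking.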


freeroute
Moderator (Status: Trusted)
Joined: Sat, 16 Jul 2016
Posts: 2185
Reputation: 7462
Thu, 13 Sep 2018 @ 20:12:39

Without the right wifi adapter (monitor mode is needed, and injection for some attacks) you will never capture a handshake.
https://www.aircrack-ng.org/doku.php?id=faq

Witchastronomer said: (quoting the opening post in full)


If I helped a +rep is appreciated!

BTC donation: 13hDMK85KhVnPb2eTFBacHD6kDjKYFLudb
XMPP: freeroute@xmpp.jp

