Crack WPA2: Know Your Target

Discussion in 'Dictionary, Password & Wordlists' started by ImJoJo, 14 Nov 2012.

  1. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    257
    Likes Received:
    121
    UPDATED 1/7/2013
    I created a simple tutorial on a different approach to cracking WPA2 on specific ISPs like Time Warner Cable (RoadRunner), Charter Cable, COX and Comcast.

    It may vary by where you live, but it is targeted at all cable companies that also offer telephone and internet services. You will have to do a bit of homework to make things easier for you, less time consuming, and to have a higher success rate.

    This is for educational purposes only!

    First we have to make sure we have a sniffing tool such as Airodump-ng or inSSIDer, as we will need to know the SSID, ESSID and the channel of the AP we want to attack.

    Once you have your tool ready to go, what you want to do is have it scan. In airodump-ng you type the following command to get it into monitor mode:
    Code:
    sudo airmon-ng start wlanX
    The X above is a variable. In the terminal, your command should look like this (as an example):
    airmon-ng start wlan1
    Start scanning the air for APs:
    Code:
    airodump-ng mon0
    Helpful Tip: To stop scanning press Ctrl + C

    With inSSIDer, at the top right simply choose the adapter and click on START. The cool thing about inSSIDer is that it gives you the vendor information (through the MAC address), which is one of the things we will be looking for to make the attack more effective and precise while making it less time consuming.

    [image]

    Notice all the APs in the image above? How can we tell which is which? Simple!

    I have sorted them out by vendor. In this case we will try to crack one of the APs from the ISP TimeWarner (RoadRunner) (I did this with the owner's permission). 90% of the time TimeWarner (RoadRunner) tends to operate their APs on channel 1, but counting all the APs on channel one we can see a total of 8.

    They also use WPA2 encryption, so now we narrow things down to 4. To be more precise, we will narrow things down by the vendor, in this case Gemtek Technology Co. Ltd., which is what TimeWarner (RoadRunner) uses.

    Another thing we can look at is that TimeWarner (RoadRunner) will use the customer's first or last name as the ESSID, making it still easier to spot. So now we narrow it down to 2 APs. Now we come to the conclusion that those 2 APs, operating on channel 1, under WPA2, from Gemtek Tech. Co. Ltd., are from TimeWarner (RoadRunner).

    NOTE: Notice one of the 2 APs has the last name of the person while the other does not?

    What does that mean? One major weakness in TimeWarner (RoadRunner) is that the AP has been reset at some point for whatever reason, making it extremely vulnerable to a dictionary attack. Why? Unfortunately, when you reset the modem, by default the model of the modem is used as the ESSID.

    Yes, even though it shows Gemtek Tech. Co. Ltd. as the vendor, the actual gateway vendor is Motorola. As to why this is, I haven't looked into that, but don't get confused. I believe Gemtek is for LAN and Motorola is for WAN.

    Anyway, when you see an AP with Gemtek Tech. Co. Ltd. as the vendor but with SBGxxxx as the ESSID, know this: they are giving you part of the passphrase. How much, to be exact? Well, every character is part of the passphrase. All you need to do is crack the remaining four. In this case the AP named SBG65800C is letting us know that SBG6580 is the model and SBG6580 is also half of the passphrase (KEY).

    [image: sbgtest3.png]

    [image: sbgtest4.png]

    The other half is the second half of the WAN MAC address, with 0C being the last two characters. So what to do from here? Simple! Use Crunch and create a custom wordlist starting with SBG6580 and ending with 0C.
    Code:
    ./crunch 13 13 0123456789ABCDEF -t SBG6580@@@@0C -o SBG.txt
    Notice the wordlist I created was not even 1MB.
    So after I created the wordlist I simply ran Aircrack-ng and attempted to crack the handshake, and the results were as expected. It took Aircrack-ng only 20 seconds to find the key. This applies only to Motorola.

    If you use airodump-ng you can go to http://www.macvendorlookup.com/ and simply type the first 6 characters and it will tell you which vendor it is. I would also like to point out that not all APs with TimeWarner (RoadRunner) will have Gemtek as the vendor, due to a feature that the Motorola SURFboard has, which is MAC spoofing. But don't let that fool you.

    [image]

    Moving on to other ISPs, well, it just requires you doing a bit of research on your local ISPs. Some might have Charter, others might have Comcast or COX. Whichever it is, make sure to pay their support webpage a visit to see which vendors they carry. Some ISPs will let you know who they are, like in the image above. ATT576... can you guess? Ding Ding Ding! Yes, you got it right! It's AT&T. TimeWarner does not carry 2WIRExxx, and there are only 2 ISPs that cover that area. From the image above we now know that the 2WIRExxx are also from AT&T, also because they operate on channels 6 and 11, and TimeWarner (RoadRunner) only on channel 1.

    Ok, so once you know how to tell them apart one question arises: how will you attack it? Of course this tutorial is only for the dictionary attack, but you have to know which dictionary/wordlist you are going to use, because it is pointless to use a 50GB wordlist if the passphrase is only numbers. Cable companies that offer telephone service and internet will typically use the phone number as the KEY.

    So all you have to do is create a wordlist using the area code in which you live and within an hour, BAMM! You have your KEY. To create a custom wordlist such as phone number and area code you have to use a tool such as Crunch, which already comes in BackTrack 5R3. Here is the command to create a wordlist such as the one we will need to crack an AP that uses the phone number as the passphrase (key).

    Code:
    /pentest/passwords/crunch/./crunch 10 10 1234567890 -t 878@@@@@@@ -o wordlist.txt
    Where in -t 878, 878 is your area code; change 878 to whatever the target AP's area code is. And -o wordlist.txt is the name of your wordlist, so you can change it to whatever you want, like -o arealist.txt.

    An alternative to saving a wordlist (a wordlist using a phone number is not big at all, not even 300MB) would be this amazing tutorial from mrmanuelmtzm, a member at xiaopan.co/forums. He posted that amazing tutorial using Aircrack-ng and Crunch without having to save the dictionary/wordlist to your flash drive or HDD. So it's pretty much a brute-force method... pretty cool, huh!

    https://xiaopan.co/forums/threads/crunch-aircrack-ng-to-avoid-wordlists.809 Thanks mrmanuelmtzm!

    [image]

    Above you can see that a handshake has been acquired and the passphrase has been retrieved using a dictionary that I custom made for this specific AP. As you can see it only took me 20 mins. and 40 seconds. Reaver could have taken longer. But knowing your target can save you lots of time.

    For ATTxxx APs many have thought that the phone number was used, but that is not true. It's a 10 digit number placed on a sticker on the modem. So to attack this AP I suggest using the Aircrack-ng Crunch method above, due to the extremely large file that would be created (over 100GB).

    Attacking the well known 2WIRExxx APs is almost the same as an ATT AP. The same method is suggested to attack this access point as with the ATTxxx, but you can use the link provided here to help out; it is a pretty cool online tool for many types of APs such as 2WIRExxx, 3Com, Arris, Asmax, Belkin, Cisco, Comtrend, DD-Wrt, DLink, EasyBox, Fibrehome, Huawei, MiFi, Motorola, Netgear, Pirelli, RuggedCom, Sagem, Seagate, Siemens, Thomson, TP-Link, TRENDnet, Ubiquiti, UTStarcom, Xavi, ZyXEL: http://routerpwn.com/

    As an alternative to that, you can check this out: https://xiaopan.co/forums/threads/android-thomson-key-solver.528 Thanks Mr. Penguin!

    Moving on to a different type of AP; this one we could say is the easiest to crack. Though it's not the dictionary attack that will be used, I thought it would be cool to write about it in this tutorial. Verizon FiOS: most, nearly 95%, of their APs are WEP and are known by their easy-to-tell five character ESSID.

    [image]

    And notice the vendor Actiontec Electronics Inc. As you may already know, WEP can be cracked in a matter of seconds, but there are two alternatives to crack these APs. There are many online tools like this one: http://aruljohn.com/fios/

    or you can download an app for your Android phone: https://xiaopan.co/forums/threads/vz-wifi-connect.560/

    You can also check out this FREE online WPA2 cracker; they also offer a paid service for those interested: http://gpuhash.com/?menu=en-tasks-add

    So always do your homework; find out a bit about the target AP. Don't just shoot blindfolded. Know what you're shooting at (figure of speech). But if you have the option of using Reaver 1.4, go ahead and use it, though at times a dictionary attack can be faster if you know more about your target, like the example shown above.

    Hope this tutorial may help in cracking WPA2 for those certain APs you have been looking to crack.
     
    • Like x 3
    • Winner x 2
    • Informative x 1
    • Friendly x 1
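The post above makes one point that matters just as much to the owner of an access point as to an attacker: a factory-default SSID leaks the structure of the default passphrase, and that shrinks the effective keyspace enormously. The following script is an added example written for this page (it is not the original poster's code and not part of any tool the thread mentions). It takes the SSID shapes and remaining-keyspace claims exactly as the post describes them (SBG6580 plus two hex characters leaving four unknown hex characters; ATTxxx and 2WIRExxx with a 10-digit sticker number; a phone-number passphrase with a known area code leaving seven digits) and turns them into an audit an owner can run against their own SSID to see how many bits of guessing work actually protect the network, compared with a random passphrase. The pattern table, the `RANDOM_12_ALNUM_KEYSPACE` reference point and the function names are assumptions made for this example.

```python
import math
import re

# Factory-default SSID shapes described in the thread, paired with the passphrase
# keyspace the thread says remains once the SSID is known. This table is
# constructed from the post's own text, not from vendor documentation.
#   SBG6580xx : "SBG6580" + 4 unknown hex chars + last 2 MAC hex chars -> 16**4
#   ATTxxx    : 10-digit number from the sticker on the modem          -> 10**10
#   2WIRExxx  : the thread treats these the same way as ATTxxx         -> 10**10
DEFAULT_SSID_PATTERNS = (
    ("Motorola SBG6580 factory SSID", re.compile(r"^SBG6580[0-9A-F]{2}$"), 16 ** 4),
    ("AT&T ATTxxx factory SSID", re.compile(r"^ATT[0-9]{3}$"), 10 ** 10),
    ("AT&T 2WIRExxx factory SSID", re.compile(r"^2WIRE[0-9]{3}$"), 10 ** 10),
)

# Phone-number passphrase with the area code already known: 7 unknown digits.
PHONE_NUMBER_KEYSPACE = 10 ** 7

# Reference point for comparison (assumption): a random 12-character passphrase
# drawn from the 62 upper/lower-case letters and digits.
RANDOM_12_ALNUM_KEYSPACE = 62 ** 12


def classify_ssid(ssid):
    """Return (pattern_name, keyspace) if the SSID matches one of the factory-default
    shapes from the thread, otherwise None. Matching is case-insensitive."""
    for name, pattern, keyspace in DEFAULT_SSID_PATTERNS:
        if pattern.match(ssid.upper()):
            return name, keyspace
    return None


def audit_ssid(ssid, phone_number_passphrase=False):
    """Estimate how much guessing work protects an AP, given only its SSID.

    phone_number_passphrase: set True when the owner knows the passphrase is the
    phone number (the cable-ISP default the thread describes) even though the
    SSID itself looks customised.
    """
    match = classify_ssid(ssid)
    if match is not None:
        name, keyspace = match
    elif phone_number_passphrase:
        name, keyspace = "phone number used as passphrase", PHONE_NUMBER_KEYSPACE
    else:
        name, keyspace = None, None

    if keyspace is None:
        bits = None
        advice = ("no factory-default pattern from the thread detected; "
                  "still use a long random passphrase")
    else:
        bits = math.log2(keyspace)
        advice = ("passphrase is guessable from public information: change the SSID, "
                  "set a long random passphrase and disable WPS")

    reference_bits = math.log2(RANDOM_12_ALNUM_KEYSPACE)
    return {
        "ssid": ssid,
        "default_pattern": name,
        "keyspace": keyspace,
        "bits": bits,
        "deficit_vs_random_bits": None if bits is None else round(reference_bits - bits, 1),
        "advice": advice,
    }


if __name__ == "__main__":
    # Constructed sample SSIDs, following the shapes named in the post.
    for sample, phone in (("SBG65800C", False), ("ATT576", False),
                          ("Smith", True), ("MyHomeNet", False)):
        result = audit_ssid(sample, phone_number_passphrase=phone)
        print(f"{result['ssid']:>10}: pattern={result['default_pattern']!r} "
              f"keyspace={result['keyspace']} bits={result['bits']} -> {result['advice']}")
```

Running the script shows the gap in plain numbers: the SBG6580 case leaves only 16 bits of guessing work, the phone-number case about 23 bits, against roughly 71 bits for the random reference passphrase. That is the owner's reason to rename the network and replace the default key, which is the mitigation for everything the thread describes.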
  2. estimacamry

    estimacamry Tracker
    VIP

    Joined:
    3 Aug 2012
    Messages:
    556
    Likes Received:
    163
    ImJoJo
    Nice tutorial. I run BT5 on a live USB, so whatever has been done will not be saved. If I save the cap file to my external hard drive, can I run it against my wordlists when I'm on BT5 again at another time?
     
    • Like x 1
  3. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    257
    Likes Received:
    121
    Thank you estimacamry! Many friends of mine have had lots of success as well by applying these rules. As to your question: yes, you can always save it to an external drive to try to crack it anytime you want. There will be an update to this tutorial very soon. Keep posted! :D
     
    • Like x 1
  4. Shuren Flames

    Shuren Flames Active Member

    Joined:
    29 Jan 2013
    Messages:
    9
    Likes Received:
    2
    Thanks :)
     
    • Like x 1
  5. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    257
    Likes Received:
    121
    You're welcome! ;)
     
    • Like x 1
  6. kumakita

    kumakita Member

    Joined:
    2 Feb 2013
    Messages:
    1
    Likes Received:
    0
    Thanks for the answer.
     
  7. Crackerz Wave

    Crackerz Wave The Dictator

    Joined:
    20 May 2012
    Messages:
    649
    Likes Received:
    132
    My new ISP in Malaysia provides an 8 digit PIN (all numbers), so I created the dictionary from 0x8 to 9x8, and you know what? It works.

    The problem for me is getting the handshake, and a faster dictionary attack, as Reaver only keeps trying the same PIN.
     
    • Like x 1
  8. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    257
    Likes Received:
    121
    Let me see if I understood: the new ISP provides an 8 digit PIN or KEY? All WPS is 8 digits. If it's the KEY that is also 8 digits, you should try pyrit if you get the handshake; it's way faster than aircrack-ng. Something 8 characters long on a dictionary attack should take an average time of about 30-45 mins on decent hardware.
     
    • Like x 1
  9. Crackerz Wave

    Crackerz Wave The Dictator

    Joined:
    20 May 2012
    Messages:
    649
    Likes Received:
    132
    The ISP sets the default key to 8 digits. The problem for me is to get the handshake; if people use the network, then I can get the handshake.
     
    • Like x 1
  10. ImJoJo

    ImJoJo The One & Only
    VIP

    Joined:
    25 Jun 2012
    Messages:
    257
    Likes Received:
    121
    Oh, that's not good. Sometimes clients won't show, or they will take a while to appear. Try sending 5 deauthentication packets to the AP and hopefully they'll show. It sometimes works for me. :)

    Sent from my LG-MS770 using Tapatalk 2
     
  11. -xyz

    -xyz Member

    Joined:
    6 May 2014
    Messages:
    1
    Likes Received:
    1
    Wow, nice thread. Could you give me any tips on creating a dictionary for Arris Group, Inc.?
     
    • Like x 1
