How to crack WPA wireless networks
/* Posted April 4th, 2008 at 7:00am *//* Filed under Mods, Networking, Programming */
/* */
WPA is an encryption algorithm that takes care of a lot of the vunerablities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages.
WPA Flavours
WPA basically comes in two flavours RADIUS or PSK. PSK is crackable, RADIUS is not so much.
PSK uses a user defined password to initialize the TKIP, temporal key integrity protocol. There is a password and the user is involved, for the most part that means it is flawed. The TKIP is not really crackable as it is a per-packet key but upon the initialization of the TKIP, like during an authentication, we get the password (well the PMK anyways). A robust dictionary attack will take care of a lot of consumer passwords.
Radius involves physical transferring of the key and encrypted channels blah blah blah, look it up to learn more about it but 90% of commerical APs do not support it, it is more of an enterprise solution then a consumer one.
The Handshake
The WPA handshake was designed to occur over insecure channels and in plaintext so the password is not actually sent across. There are some fancy dancy algorithms in the background that turn it into a primary master key, PMK, and the like but none of that really matters cause the PMK is enough to connect to the network.
The only step we need to do is capture a full authenication handshake from a real client and the AP. This can prove tricky without some packet injection, but if you are lucky to capture a full handshake, then you can leave and do the rest of the cracking at home.
We can force an authenication handshake by launching a Deauthentication Attack, but only if there is a real client already connected (you can tell in airodump). If there are no connected clients, you’re outta luck.
Like for WEP, we want to know the channel the WPA is sitting on, but the airodump command is slightly different. We don’t want just IVs so we don’t specify an IV flag. This will produce “lucid.cap” instead of “lucid.ivs”. Assume WPA is on channel 6 and wireless interface is ath0.
./airodump ath0 lucid 6
Dictionary Brute Force
The most important part of brute forcing a WPA password is a good dictionary. Check out http://www.openwall.com/wordlists/ for a ‘really’ good one. It costs money, but it’s the biggest and best I’ve ever seen (40 Million words, no duplicates, one .txt file). There is also a free reduced version from the same site but i’m sure resourceful people can figure out where to get a good dictionary from.
When you have a good dictionary the crack is a simple brute force attack:
./aircrack -a 2 -b 00:23:1F:55:04:BC -w /path/to/wordlist
Either you’ll get it or you won’t… depends on the strength of the password and if a dictionary attack can crack it.
Tags:
Related Stories
TYC Cabin Air Filter for HYUNDAI Azera (2006-2008), Sonata (2006-2008), Santa Fe (2007-2008); KIA Optima (2006-2008) A8034P
(Technology) TYC Cabin Air Filter for HYUNDAI Azera (2006-2008), Sonata (2006-2008), Santa Fe (2007-2008); KIA Optima (2006-2008) A8034P All TYC cabin air filters are manufactured with superior material and processes, with... Read more Dugg 1 timesTYC Cabin Air Filter for HONDA S2000 (2000-2008) A8034P
(Technology) TYC Cabin Air Filter for HONDA S2000 (2000-2008) A8034P All TYC cabin air filters are manufactured with superior material and processes, with workmanship and performance backed by a comprehensive product... Read more Dugg 1 timesTakeda Cold Air Intake for 2004-2008 Acura TL 3.2L V6 (Takeda Attack) TA-1006P Dyno
(Entertainment) Takeda Cold Air Intake for 2004-2008 Acura TL 3.2L V6 (Takeda Attack) TA-1006P DynoDugg 1 times
Related Tweets
(artnowsandiego) Thnx @mcasd: Photo: ART AUCTION 2012 Roman de Salvo, Air Boulder, 2008, ocks, steel, epoxy, 30 1/2 x 36 x 29... http://t.co/punIxnM8Wed, 16 May 2012 22:12:18 +0000 | Reply | View Tweet
(mcasd) Photo: ART AUCTION 2012 Roman de Salvo, Air Boulder, 2008, ocks, steel, epoxy, 30 1/2 x 36 x 29 inches,... http://t.co/dHEFOFTKWed, 16 May 2012 21:40:33 +0000 | Reply | View Tweet
Subscribe via email
[...] of the vunerablities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, …http://www.coderetard.com/2008/04/04/how-to-crack-wpa-wireless-networks/Enable WEP or WPA Encryption To Protect Your Wireless NetworkIt was found to contain some serious [...]
g
l
if pass of WPA/WPA2 don’t in dictionary. will…don’t be crack???
Yes, but u can use Burte-Force atack ;)
so, how can i use or make a brute force attack?
I have no internet and im tryin to crack a wep pass. So that I can gain access to the internet any help on doin that??
How are you supposed to do this all on the iPod Touch 2G? Im new to this stuff and just tryin to get internet. Are you supposed to download an app or something?
You do this crack primarily with a linux operating system. My favorite distribution is backtrack, just google it. Backtrack comes with all of these programs preinstalled
i didnt understand what program i should use ?
plz help me !
using BACTRACK will be your best bet
works like a charm in fact (first hand experience)
scooping up wep keys won’t be a problem
use any of the packet sniffers to get ssid and channel number
after that just input the information into a program called “SPOONwep”
to do all this of course you will need to use wireless adapter with the correct firmware….if you google it you can find lists of adapters that have a firmware allowing them to go into monitor mode
have fun!!!
where do i get it and how to use it
how to crack a person webcode on the wii so i can use the wireless enternet
Remember wireless hacking is not for noobs.
Were do you type this in on command prompt or in the password field
why the fuck can i do it i would say go to your mom room and try to rapppppppp her
You can use the QD Tools Online WPA Password Cracker to save time when running a dictionary attack against a WPA/WPA2 capture.
Directions on completing the WPA/WPA2 capture are available here.
I have captured wpa handshake and I tried some wordlist with aircrack
but aircrack didn’t find the password…
If anyone can help my here is my cap file http://www.4shared.com/file/195846133/1b793e0/cap_file.html
and this is my email : tony.nahhat@yahoo.com
please help me
If you need to execute a an anonymous function standalone, you have to wrap it in parens. That’s part of the syntax. Why? Ask Brendan Eich. :-D
For the 2 sources, besides having similar wavelength of light, they must be COHERENT..