破解WPA/WPA2 for Non-Dictionary Passphrase
来源:互联网 发布:java开发环境下载 编辑:程序博客网 时间:2024/05/18 23:55
Cracking WPA/WPA2 for Non-Dictionary Passphrase
WPA/WPA2 password can be cracked simply by capturing WPA handshake and then apply dictionary. And if passphrase is in dictionary then password will be cracked. But what if password is not in dictionary? Are there other ways to crack the non-dictionary passphrases? Let’s see them…
First we will look the basics of WPA/2 cracking-
STEP 1: Start wireless monitor mode.
STEP2: Then capture the WPA handshake.
STEP3: And then apply dictionary
STEP4: Provide .cap file to aircrack-ng with darkc0de.lst dictionary.
Here we cracked the passphrase in around 9 mins.
If client are already connected, and not getting handshake, then use:
aireplay-ng --deauth 10 –a <bssid><interface>
But even after all the steps followed, if the passphrase in not in dictionary then you will get message as: “passphrase not in dictionary”
And the other interesting note while keeping WPA passphrase is:
The basic idea while cracking any passphrase comes is “Brute-Force attack.” So why not brute force the .cap file?
We can do the same by piping the crunch output with aircrack-ng tool as shown below:-
It cracked the password in about~ 23 mins.
But you can clearly see that I have provided only 6 small letters as input. What if you provided all alphabets?
With my single lapy I have to wait till 11 years! And again the passphrase may contain numbers, digits and special symbols too -
So brute-force would not be effective way with single system.
So here we will do something interesting…
WPS:- As per Wiki, Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network. By default this is enabled in most of routers.
Reaver is fantastic tool to crack this WPS pin written by Craig Heffner. It performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually.
Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.
Here I am giving screenshot of my Dlink DIR-615 router.
Above screenshot is of default setting in the router. Here the pin is: 65020920
So here key concept is that we can brute-force that pin, and can get all the credentials kept for Access Point which can be any combination of digits, special symbols (simply no matter ) .
STEP1: Scan the air for these WPS systems with “wash”
So here two access points are available. We will go with first one.
After 23864 seconds…
Passphrase “R0ck$t@R” was cracked along with pin: 65020920
But this is not the end. What if victim gets suspected on suddenly decrease in bandwidth, and changed the passphrase. So again do we need to brute-force for 6-10 hours?
The answer is simply ‘No’
As along with passphrase we have also received the “pin.”
So from now apply pin and get the passphrase as below:
After only 3 seconds…
Passphrase: ‘N0nec@nh@ckthis1’
At first glance one may think that as I mentioned Dlink DIR-615 router but what about others?
So I scanned the air, and got Belkin!
So, most of the new routers are with this WPS facility. And WPS is enabled by default. So no matter which password you kept it can be cracked.
Countermeasures
1. Disable WPS
2. Keep non-dictionary passphrase with any combinations!
Ex: “R0ck$t@R”
References
1. SecuritytubeWlan security Megaprimer
2. Tactical Network Solutions articles
Swaroop D. YermalkaR
swaroop.wireless@gmail.com
Swaroop is a final year engineering student from M.I.T.College Of Engineering, Pune. He is a EC-Council Certified Ethical Hacker, enthusiastic and hobbyist for Infosec.
WPA/WPA2 password can be cracked simply by capturing WPA handshake and then apply dictionary. And if passphrase is in dictionary then password will be cracked. But what if password is not in dictionary? Are there other ways to crack the non-dictionary passphrases? Let’s see them…
First we will look the basics of WPA/2 cracking-
STEP 1: Start wireless monitor mode.
STEP2: Then capture the WPA handshake.
STEP3: And then apply dictionary
STEP4: Provide .cap file to aircrack-ng with darkc0de.lst dictionary.
Here we cracked the passphrase in around 9 mins.
If client are already connected, and not getting handshake, then use:
aireplay-ng --deauth 10 –a <bssid><interface>
But even after all the steps followed, if the passphrase in not in dictionary then you will get message as: “passphrase not in dictionary”
And the other interesting note while keeping WPA passphrase is:
The basic idea while cracking any passphrase comes is “Brute-Force attack.” So why not brute force the .cap file?
We can do the same by piping the crunch output with aircrack-ng tool as shown below:-
It cracked the password in about~ 23 mins.
But you can clearly see that I have provided only 6 small letters as input. What if you provided all alphabets?
With my single lapy I have to wait till 11 years! And again the passphrase may contain numbers, digits and special symbols too -
So brute-force would not be effective way with single system.
So here we will do something interesting…
WPS:- As per Wiki, Wi-Fi Protected Setup (WPS; originally Wi-Fi Simple Config) is a computing standard that attempts to allow easy establishment of a secure wireless home network. By default this is enabled in most of routers.
Reaver is fantastic tool to crack this WPS pin written by Craig Heffner. It performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values.
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually.
Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.
Here I am giving screenshot of my Dlink DIR-615 router.
Above screenshot is of default setting in the router. Here the pin is: 65020920
So here key concept is that we can brute-force that pin, and can get all the credentials kept for Access Point which can be any combination of digits, special symbols (simply no matter ) .
STEP1: Scan the air for these WPS systems with “wash”
So here two access points are available. We will go with first one.
After 23864 seconds…
Passphrase “R0ck$t@R” was cracked along with pin: 65020920
But this is not the end. What if victim gets suspected on suddenly decrease in bandwidth, and changed the passphrase. So again do we need to brute-force for 6-10 hours?
The answer is simply ‘No’
As along with passphrase we have also received the “pin.”
So from now apply pin and get the passphrase as below:
After only 3 seconds…
Passphrase: ‘N0nec@nh@ckthis1’
At first glance one may think that as I mentioned Dlink DIR-615 router but what about others?
So I scanned the air, and got Belkin!
So, most of the new routers are with this WPS facility. And WPS is enabled by default. So no matter which password you kept it can be cracked.
Countermeasures
1. Disable WPS
2. Keep non-dictionary passphrase with any combinations!
Ex: “R0ck$t@R”
References
1. SecuritytubeWlan security Megaprimer
2. Tactical Network Solutions articles
Swaroop D. YermalkaR
swaroop.wireless@gmail.com
Swaroop is a final year engineering student from M.I.T.College Of Engineering, Pune. He is a EC-Council Certified Ethical Hacker, enthusiastic and hobbyist for Infosec.
- 破解WPA/WPA2 for Non-Dictionary Passphrase
- 一分钟破解WPA/WPA2
- WPA/WPA2安全与破解
- WEP WPA WPA2 破解实验
- 破解WIFI(wpa/wpa2)
- Aicrack-ng破解WPA/WPA2
- utuntu破解wpa/wpa2无线破解
- WPA/WPA2安全与破解 2
- wpa/wpa2无线网pin码破解
- 无线网络密码破解WPA/WPA2教程(包教包会)
- aircrack-ng破解wpa/wpa2的命令
- CDLinux破解WPA/WPA2无线网络密码
- kali破解隔壁wif(字典破解WPA/WPA2加密)
- Ubuntu下利用QSS、WPS破解wpa/wpa2加密
- Kali linux & Aircrack-ng 破解 WPA/WPA2 无线网络
- ubuntu 下 Aircrack 破解wifi密码(wpa/wpa2)
- 用 BackTrack 5 破解 WPA/WPA2-PSK 密码
- 无线安全之破解WPA/WPA2 加密WiFi
- 2014年黑龙江省应用技术研究与开发计划重大项目招标公告
- 城里城外
- DownloadManager
- wpa_supplicant daemon server & GUI test message
- 练车经验
- 破解WPA/WPA2 for Non-Dictionary Passphrase
- iOS - self & super 理解的关键点
- Cocos2d-x Lua中实例:特效演示
- 黑马程序员——java语言基础部分——String、StringBuffer StringBuild学习笔记一
- js中将字符串转换成json的三种方式
- Log4j配置实例(log4j.xml)
- gloox消息发送与接受剖析
- hadoop2.6.0部署好环境后写的一个简单的test
- 最接近点问题
