To Crack WPA / WPA2 (2012) - Active Attack, 4 Way Handshake

WPA, WiFi, Security, Hacking, How To, WPA2
FRI, 26 OCT 2012 12:40
SCOTT DELEEUW

    
<< Prev - Page 2 of 5 - Next >>

Active Attack
Passive attacks have the advantage of being undetectable because they only listen to traffic from the target network. But if
your target doesn't have a lot of traffic, you can wait a long time to capture the four-way handshake. Fortunately, you have
the faster, but less-stealthy option of running an active attack.
Using the information we gathered with Kismet during the recon step, we can send associated client(s) of the target AP
forged deauthentication packets, which should cause the client(s) to disassociate from the AP. We then listen for the
reassociation and subsequent authentication.

After identifying our target AP with associated clients, we need to put the wireless hardware into a mode that allows packet injection (the driver must support injection; once the monitor interface is up, aireplay-ng --test interface will confirm that it does). The aircrack-ng suite includes a small bash script, airmon-ng, to do just that.

First bring down the managed VAP (Virtual Access Point) with:
airmon-ng stop ath0

Figure 2: Bringing down the managed interface

Next, start up a VAP in "Monitor" mode:

airmon-ng start wifi0

Figure 3: Creating a monitor mode interface

Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal
windows. Start airodump-ng in one terminal:

General Form:
airodump-ng -w capture_file_prefix --channel channel_number interface

Example:
airodump-ng -w cap --channel 6 ath0
Figure 4: airodump-ng, up and running

Note: You can find the interface that is in monitor mode by using iwconfig.

Next, run the deauthentication attack with aireplay-ng in the other terminal:
General Form:
aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface

Example:
aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0

Figure 5: A successfully sent deauthentication packet


If all goes well, the client should be deauthenticated from the AP and will usually reauthenticate. If remaining undetected is
important, send only one deauth and be patient. This helps keep you under the radar, since programs like Kismet can detect
deauthentication floods.
If the deauthentication was successful, airodump-ng displays a notification of the captured reauthentication event (the "WPA handshake:" tag in its top status line, boxed in red in Figure 6). The frames are written to the file named by the -w prefix, cap-01.cap in the example above.
Figure 6: Successful WPA handshake capture

Finding the Four-way Handshake

To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly
Ethereal). Wireshark allows us to view packet contents and filter by type of packet captured to pull out the WPA handshake.
Open up Wireshark (Backtrack > Privilege Escalation > Protocol Analysis > Network Sniffers > WireShark) and open
the Kismet capture "dump" file (Kismet-.dump), or the airodump-ng capture file, to view all the captured packets. The WPA four-way handshake is carried in
Extensible Authentication Protocol over LAN (EAPoL) frames, specifically EAPOL-Key messages.

Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field
(Figure 7).
Figure 7: EAPoL filter applied to captured packets

Here, we're basically looking for four EAPOL-Key packets that alternate source, AP-client-AP-client (I've highlighted them in red in
Figure 7): the AP sends message 1 (carrying its ANonce), the client answers with message 2 (its SNonce and a MIC), the AP sends message 3, and the client finishes with message 4. An offline crack does not strictly need all four: message 2 supplies the SNonce and the MIC, and the ANonce is present in both message 1 and message 3, so message 2 plus either of those is enough for aircrack-ng. Seeing all four in order is, however, the clearest confirmation that the capture is good.

Now that we've confirmed that we've captured a four-way handshake, it's time to perform the crack.
