
KisMAC: The Ultimate WiFi Stumbler

How to Crack WEP / WPA Step by Step
KisMAC for Dummies & Step by Step KisMAC Tutorial
KisMAC Tutorials for dummies, beginners & advanced users

Update of update: a brand new improved video in HD, with very entertaining music, is available at the end of this post. It should cover KisMAC 101 and walk you through WEP and WPA cracking.

For the curious, advanced users and KisMAC geniuses, we have the following articles available:

Best WiFi Card for KisMAC (about 20x more powerful than Airport or Hawking)

Troubleshooting KisMAC
KisMAC Q&A
Cracking WPA with KisMAC
KisMAC Resources
KisMAC Deep Digging , Advanced Features
How To Install Aircrack On Mac



Before you post a question, PLEASE be sure to read the following three posts:
KisMAC + KisMAC Troubleshooting + KisMAC Q&A

Once you are sure that the answer to your question cannot be found there, please post your question in the Q&A article: CLICK HERE.

ALL QUESTIONS WITHOUT the KisMAC version and full OS version will be ignored. Please include the model and FCC number of the network adapter (the USB thingy) if applicable. And YES, the FCC number is on it! And NO, it's not the MAC address.

Cracking WEP with Injection
Cracking WEP without Injection (Airport, Airport Extreme)
Cracking WPA
KisMAC Troubleshooting Guide

KisMAC Resources: dictionary files, password lists, etc.


KisMAC is a free WiFi network discovery tool with a large array of powerful features: detection, authentication, injection, GPS, and the ability to crack WPA & WEP keys.
KisMAC is really powerful and leaves the Windows-based NetStumbler in the dust. By a large margin.

KisMAC is not for absolute beginners, and the first step with KisMAC is to read the FAQ. The second step is to read the FAQ again.


Just a little legal warning:
- It is illegal to download, possess, and/or use KisMAC in Germany, Austria, Switzerland and Liechtenstein (StGB § 202c)*
- It is illegal, in most countries, including the USA, to crack or attempt to crack, penetrate, listen to, intercept, or "inject" any WiFi network other than yours, or networks where unequivocal permission was not given to you by the rightful owner.
- KisMAC is a tool that should be used for the sole purpose of checking, verifying and auditing your own network

Now that I've warned you :-) you can enjoy it!


Cracking WEP with Re-Injection

Whatever you do, if you have an injection device (WiFi card or USB adapter), DO NOT install the drivers of the card / USB adapter.
DO NOT INSTALL DRIVERS FROM THE CD PROVIDED WITH THE DEVICE unless you have read this post

How to Crack WEP Step by Step

This tutorial is solely for you to audit your own network. I take no responsibility whatsoever, implied or not.
If you NEED access, just ask your neighbor politely and either share the cost or discuss it with him. A six-pack can be used as lubricant.

Cracking with an Injection Device

(Hawking HWUG1 shown here, RT73 chipset. DO NOT BUY THAT ONE.)

Read the review and comparison first; the best card is here:
Best WiFi Card for KisMAC (about 20x more powerful than Airport or Hawking)

This is by far the most successful method, with one little issue: you will NEED a re-injection device, either a USB WiFi adapter or a WiFi card.

But here comes the trick:
- You cannot use just any WiFi card: you must use specific ones.
The list of "approved" hardware is here: http://trac.kismac-ng.org/wiki/HardwareList
As of today, you can NOT inject packets with your Airport / Airport Extreme Apple card alone.

Step 1
Download KisMAC from a trusted source such as: http://trac.kismac-ng.org/wiki/Downloads
Install KisMAC
Plug in your injection device. Whatever you do, DO NOT install the drivers of the card / USB adapter, or you may dearly regret it.
Start KisMAC

Step 2
On the KisMAC menu >>> Preferences >>> Drivers
Select your injection device, i.e. "USB RT73 device"
If you are in doubt about what to choose, check the "approved" hardware list.

Click on "Add"
Check the box "Use as primary device"
Select "All Channels". Correction: select only 1-11 if you are in the USA, 1-13 if you are in Europe, 1-14 if you are in Japan.
In some cases, channels 12-14 can pick up interference from other home devices: stay within 1-11!
Check the box "keep everything"
Close the dialog box

Step 3
On the main screen, select "Start Scan"
KisMAC is now listening to the accessible networks
Look for a network with a WEP key (column "ENC"), a good signal as well as traffic (see Packets and Data),
OR
enter "WEP" in the search box (top right) and select "encryption" to filter the results

If the column ENC is "NO", the network is OPEN: no need to crack anything
Once you have selected a network, note its CHANNEL, i.e. 1, 2, etc.
Go back to Preferences >>>> Drivers
Select only the channel of the selected network, i.e. 1

Step 4
Let KisMAC work for 5 minutes collecting data
On the "NETWORK" menu, select "Reinject Packets"
KisMAC will now try to reinject packets to speed up the process
Keep an eye on the "Unique IVs" number; once it has reached at least 130,000 (200,000 is recommended) you may start considering cracking.

Step 5
Once you have collected enough, on the NETWORK menu select "Crack" >>> "Weak Scheduling Attack" >>> "Against Both"
KisMAC will now try to crack the key...
Reminder: the more unique IVs you have collected, the greater the chances of cracking the key.
I have experienced cracks as fast as 10 sec with 200,000 unique IVs (on a 64-bit key) and sometimes 30 minutes with only 110,000.

If you know for sure that the key is either 40-bit or 104-bit, select the appropriate one. If you are not sure, select "both".
A 40-bit key is sold as "64-bit" (40 secret bits + 24-bit IV)
A 104-bit key is sold as "128-bit" (104 secret bits + 24-bit IV)
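As an added note (not part of the original post), the 24-bit IV is the reason WEP cracking is a numbers game. With $n$ the number of frames captured:

$$
|\mathrm{IV}| = 2^{24} = 16{,}777{,}216, \qquad
\Pr[\text{some IV repeats among } n \text{ frames}] \approx 1 - e^{-n^{2}/(2 \cdot 2^{24})}, \qquad
n_{1/2} = \sqrt{2 \cdot 2^{24} \ln 2} \approx 4{,}823 .
$$

So a keystream is expected to be reused after only a few thousand frames, and the 200,000 unique IVs recommended above are barely 1.2% of the IV space: the weak scheduling attack is statistical over the IVs it sees, not an exhaustive search of the $2^{40}$ or $2^{104}$ secret key bits.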


If you have followed the steps, you should see something like this appear :-)))
Remove the colons, and there you have it, or take a look at the main screen under Key or ASCII Key.

How to crack WEP / WPA with Airport Extreme, Passive Mode
WITHOUT an Injection Device (Airport, Airport Extreme alone)


WEP attack


Step 1
Read the FAQ: http://trac.kismac-ng.org/wiki/FAQ
Step 2
Read the "Newbie Guide": http://trac.kismac-ng.org/wiki/NewbieGuide
Step 3
Download KisMAC from a trusted source such as: http://trac.kismac-ng.org/wiki/Downloads
The last build is 0.3.3

Install KisMAC
Start KisMAC

Step 4 (without an injection device)
On the KisMAC menu >>> Preferences >>> Drivers
Select your card (Capture devices), i.e. Airport Extreme Card, Passive Mode
Click on "Add"
Select channels 1-11
Close the dialog box and select "Start Scan" on the main window
A dialog box opens and loads the card. Your admin password may be required.

Step 5
KisMAC is now listening to the accessible networks
Look for a network with a WEP key (column "ENC"), a good signal as well as traffic (see Packets and Data)
If the column ENC is "NO", the network is OPEN: no need to crack anything
Once you have selected a network, note its CHANNEL, i.e. 1, 2, etc.
Go back to Preferences >>>> Drivers
Select only the channel of the selected network, i.e. Channel 1

Step 6
Be patient: open a beer, pour yourself a nice glass of wine or have a nice cup of coffee.
Without an injection device, you will need to collect a minimum of 130,000 unique IVs before you can start cracking a 40/64-bit WEP key.
Recommended:
200,000 unique IVs for a weak scheduling attack on 40/64-bit WEP
1,000,000 unique IVs for a weak scheduling attack on 104/128-bit WEP
It may take a long time (depending on network traffic and whether you re-inject or not)

Those are recommendations. Weak scheduling is basically a statistical attack: the greater the number of IVs collected, the greater the chances.
Are you in a hurry? Capture with KisMAC, crack with Aircrack-ng:
you can have a successful recovery with as few as 21,000 IVs

Step 7
Once the packets are collected, go to the "Network" menu >>> Crack and select the method.
For a start, I would suggest: "Crack" >>> "Weak Scheduling Attack" >>> "Against Both"
Once started, you'll have to wait between 5 and 20 minutes, depending on your machine, for KisMAC to try all the keys.
The more packets you have collected, the better your chances of cracking the key: the WEP attack is statistical, hence ....

WPA crack / attack

>>>>> Packet RE-injection DOES NOT WORK for the WPA attack <<<<<<
>>> I said RE-injection and not "injection"

In order to crack a WPA key, you'll need the handshake, a serious dictionary file (or fileS) and a LOT of CPU time. Hours and probably days of it. (Read the "I am bored" part at the end.)

You first need to capture the 4-way EAPOL handshake (the connection between the computer and the network). When captured, you'll see the Ch/Re red dot turn green. You are ready to try...

To speed up the capture of the 4-way EAPOL handshake, you can try a deauthenticate attack: it forces the network's clients to disconnect and reconnect, hence speeding up the process.
Go to Network >>> Deauthenticate
Some networks may recognize the attack and change channel.

Once the Ch/Re is ready, go to the "Network" menu >> Crack >> WPA
It will then ask you for the dictionary file; select the file you want to use, and start...
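The deauthentication burst described above is also the easiest thing for a network owner to spot in their own capture. As an added example (my code, not part of KisMAC or this post), here is a detector that parses bare 802.11 management frames and flags a BSSID that emits a burst of deauth/disassoc frames; the window and threshold are my choice, and the capture, MAC addresses and timestamps are constructed sample data.

```python
import struct
from collections import defaultdict

# IEEE 802.11 frame control: type 0 = management; the two subtypes that tear
# down a session. Added example code, not part of KisMAC or this post.
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame: bytes):
    """Parse a bare 802.11 management frame (no radiotap header, no FCS).
    Returns None for anything that is not a management frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if version != 0 or ftype != 0:
        return None
    hdr = {"subtype": subtype, "da": mac_str(frame[4:10]),
           "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
           "reason": None}
    # deauth/disassoc bodies start with a 2-byte little-endian reason code
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        hdr["reason"] = struct.unpack("<H", frame[24:26])[0]
    return hdr

def detect_deauth_flood(records, window=1.0, threshold=5):
    """records: iterable of (timestamp_seconds, frame_bytes), in capture order.
    Flags every BSSID that sends >= threshold deauth/disassoc frames within
    `window` seconds (both values are my choice). A healthy network sends these
    rarely; a burst to the broadcast address is the signature of forced
    reconnections."""
    recent = defaultdict(list)
    alerts = {}
    for ts, frame in records:
        hdr = parse_mgmt(frame)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            alerts[hdr["bssid"]] = {"count": len(q), "reason": hdr["reason"],
                                    "broadcast": hdr["da"] == BROADCAST}
    return alerts

# --- constructed sample capture (made-up addresses, not real traffic) ---------
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6

def sample_deauth(da: bytes, sa: bytes, bssid: bytes, reason: int) -> bytes:
    """One bare deauthentication frame: FC, duration, addr1-3, seq ctrl, reason."""
    fc = bytes([SUBTYPE_DEAUTH << 4, 0x00])            # type 0, subtype 12
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + struct.pack("<H", reason)

def sample_capture():
    """A station leaving normally at t=0 (reason 3), then eight broadcast
    deauths carrying the AP's address within 0.4 s starting at t=10."""
    recs = [(0.0, sample_deauth(AP, CLIENT, AP, 3))]
    recs += [(10.0 + i * 0.05, sample_deauth(BCAST, AP, AP, 7)) for i in range(8)]
    return recs
```

Run `detect_deauth_flood(sample_capture())` to see the single alert for the constructed AP; on a real capture, feed it the management frames KisMAC or Wireshark exported.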
Nota bene:
KisMAC will try every word from the list provided in an attempt to crack the key, hence it may take a lot of time.... If you have a slow machine, be really patient.
I have a not-so-bad machine, and I run about 170 words per second. You can leave a comment with your config and speed for me to compare.
Mine: MacBook Pro 2.5GHz Intel Core 2 Duo + 4GB DDR2 SDRAM: about 170 words/sec

As for dictionary files, you can find links on the KisMAC website or take a look at the "RESOURCES" post.

Note on dictionary files:
Wordlist = dictionary file
- The words are tested "as is" and not in combination.
Example: the password is "I love Kismac".
If your dictionary contains the words "I" + "love" + "Kismac" as separate entries it will NOT work; your wordlist must contain the exact (verbatim) "I love Kismac" as one entry to successfully attempt to crack it.
The files must be in text format (.txt) and contain an empty line at the end.

The KisMAC Troubleshooting Guide, KisMAC Issues and KisMAC Resources are in the NEXT post....
KisMAC for Windows, ditto... next post



WPA: wordlist links and file downloads are here


How to Install Aircrack on Mac in 3 Easy Steps

Installing Aircrack-ng can be a little confusing if you don't understand the lingo.
Let me guide you through those steps and you'll have Aircrack running natively in no time and with almost no effort.

Why Use Aircrack?
Aircrack-ng is up to 5 to 10 times faster than KisMAC when it comes to cracking WPA or WEP passwords.
KisMAC has an old Aircrack engine and, honestly, it needs an update...

Aircrack-ng 1.1 churns through about 1500 "WPA" keys per second, or about 360 passphrases/second, while KisMAC is left behind at 160/sec on a dual core.
Aircrack-ng was tested on a Mac Pro at 1,800 passphrases/sec or 6,100 keys/sec.

Aircrack-ng can recover keys for WEP and WPA. If you are interested in WPA only and want to use the NTWHM (Nukular Turbo Warp Hyperdrive Mode), we would suggest you check this post and this post. As a repeat, it's WPA only, but the speed is nothing short of phenomenal:

Yes, it's 1,576,213 PMK/s.
That is 1082.5 times faster than Aircrack.

Back to Aircrack:
On WEP, the difference is extremely noticeable, especially on captures with few IVs. Aircrack-ng can work with as few as ~23,000 IVs on a 64-bit WEP key, and this in a matter of seconds. KisMAC will churn for 10 min before giving you "unable to find the key".
(Update: success @ 20,566 IVs ;-)
Example here: 3 seconds with 22,566 IVs. Only 753 used.

For Airport users, once decrypted, you have to enter the key without colons and spaces.
Example: 70:61:62:6C:6F will be entered as 7061626C6F or 7061626c6f
If the key was entered as ASCII, Aircrack will also give you the ASCII value.

If you are not familiar with the lingo, or wonder what does what, I would suggest reading the FAQ first.

There are multiple ways to install Aircrack-ng; this one is the most straightforward way (that I am aware of. Suggestions are welcome in the comment section).

Installing Aircrack-ng on OS X

Gather what you need: The Mise En Place
You'll need:
  • The DVD or CD installer that came with your Mac
  • A copy of Aircrack-ng 1.1 (just download, do NOT unzip)
  • A copy of MacPorts (OPTIONAL for install #2); you can download it directly from the website or choose between the following two:
    • MacPorts for OS X 10.6 (Snow Leopard)
    • MacPorts for OS X 10.5 (Leopard)
  • Admin rights on your Mac, or at least the admin password.
  • In most cases you will need a network adapter to either re-inject packets, flood or deauthenticate. You can do without, but you'll need a lot of patience. I only recommend one specific one. If you already have one, well... too bad. If you are going to buy one, you'd better use the one recommended: better value and it beats the shit out of the competition.
The Installation

Put the Snow Leopard DVD in, and select Optional Installs
Select "Install Xcode" and continue.
When Xcode is fully installed, remove the DVD and continue with MacPorts

Click on the previously downloaded MacPorts dmg file and let it mount

Select "Standard Install" if asked, and click to continue.
It may take more than 5 minutes to install, don't panic!
While waiting, read the FAQ!
When done, go to the next step

Open Terminal
Go to the folder where Aircrack-ng was downloaded, i.e. "Downloads"
Note: avoid folder names with spaces or you'll make it difficult with Terminal
  cd Downloads
  sudo port install aircrack-ng
Enter your password as requested, then hit Enter, and let it run....

Voila!

FAQ & RFAQ

Why use Aircrack and not KisMAC alone?
Aircrack-ng can churn 10x faster than KisMAC alone for key recovery.

Can I dump KisMAC now?
No! Aircrack alone cannot re-inject or monitor WiFi. "Mind you, airodump-ng and aireplay-ng are linux only and will not work under OSX native, so for reinjecting and sniffing you will have to use other means." And that's from Aircrack-ng itself. Hence, I'd advise keeping KisMAC. Other tools are provided with the Aircrack-ng suite, but not the ones needed to re-inject. See the list at the end.

I cannot find a .cap file

.cap, .pcap or dumplog are the same thing. KisMAC exports the file without an extension and Aircrack does not care. KisMAC lets you choose the name of the file under Preferences >> Drivers
The default format is ~/Dumplog year month day hours minutes
Select your options based on your preferences or make your own.

Can I merge Dumplogs / PCAP / CAP files?
Yes, you may use Wireshark ➟ File > Merge

Can I convert Dumplogs / PCAP / CAP files?
Yes, you may use ivstools, provided with Aircrack:
  ivstools --convert

Can I merge IVS files?
Yes, use --merge with ivstools:
  ivstools --merge

Can I open multiple Dumplogs / PCAP / CAP files?
Yes, just use an asterisk (star, *) with Aircrack
Example: aircrack-ng Dump*

I can't has a krack! I can has a pazwort?
The subject was previously discussed; here it is again: sudo make user -now RTFM&STFW. Or box the Mac and ship it to me: I'll deal with it.

Aircrack-ng options
Just type aircrack-ng or aircrack-ng --help and you'll have the whole list

How do I start?
Just start with a simple: aircrack-ng dumplog (dumplog being the name of the capture file, with path if necessary)
Or, if you have opted for very long dumplog names with spaces, just drag the file into the Terminal window and add "aircrack-ng" before the path (please don't type the quotes).
You'll see a list of APs; enter the network number... after that it's pretty straightforward....

Aircrack-ng Command Lines

usage: aircrack-ng [options] <.cap / .ivs file(s)>

Assuming that:
dumplog is the name of your dump file
dicfile.txt is the name of your dictionary file or wordlist, with path if necessary

WEP
  aircrack-ng dumplog
Select the number of the AP, then press Enter

WPA
  aircrack-ng dumplog -w dicfile.txt
Select the number of the AP, then press Enter

Aircrack-ng opening multiple Dumplog, PCAP, CAP files on a single network, with automatic key recovery (-e takes the network name; replace <network name> with yours):
  aircrack-ng -e <network name> dump*

Please note that "dumplog" and "Dumplog" are different (for aircrack).

It's easier to "regroup" your files in one directory than to type a path as long as your arm.
Also, don't hesitate to rename the dumplogs / cap files: "dumplog" is easier to type than "DumpLog-11-02-17-17/40.pcap"
  aircrack-ng ~/Desktop/dumplog -w ~/Desktop/Dicfile.txt

If you have located your dumplog in a far, far away folder, or have used spaces in your folder name, read the previous paragraph again.
If you decide against that advice, you'll need to put quotes around the file name, or use a backslash BEFORE the space.
Example with the folder Air Crack; the path would be the following:
  ~/Desktop/Air\ Crack/Dicfile.txt

To Pause Aircrack-ng
Hold your horses! There is no real pause when running a wordlist on Aircrack-ng.
One solution is to stop Aircrack, note carefully the last key checked, edit your wordlist to start a few keys before it, save under a temp name and restart when ready.
To stop, just do a CTRL-Z.

To quit Aircrack-ng: CTRL-C

I have multiple Macs, can I speed up the key recovery?
Yes, copy the dumplog and the dictionary(ies) and use as many as you want. It's called a distributed attack. I would split the dictionary in two and reverse one (start from the bottom up) or use multiple dictionaries. Your call.

What about Precomputed Tables?

Yes but no.
Precomputed PMKs (Pairwise Master Keys) have pros and cons.
The SSID is used as the "salt" in the hash, hence you'll have to precompute a different table for each SSID. If you spend your days assessing networks, that could maybe be useful with SSIDs such as "Linksys" etc., but you'll spend a lot of time computing. It is only worth it if you know that you are going to reuse the precomputed table over and over again.
The most used SSIDs are the following.
After many years, D-Link has started assigning different SSIDs to their routers (Dlink.1234).
Nevertheless, they are still using very short default passwords. Thank you D-Link.

SSID         Count      Share
no ssid      2,110,760  6.571%
linksys      2,065,356  6.429%
NETGEAR        678,943  2.113%
default        595,090  1.852%
Belkin54g      276,667  0.861%
hpsetup        232,518  0.723%
Wireless       225,838  0.703%
no_ssid        211,360  0.658%
DLINK          199,668  0.621%
WLAN           120,117  0.373%
home           107,110  0.333%
Source: WiGLE
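The two claims in this section, the SSID as salt and the fixed cost per guess, both follow from how WPA/WPA2-Personal derives the PMK, which is also what decides how long a wordlist run like the one in the "Nota bene" above takes. Added example (my code, not from this post, KisMAC or Aircrack-ng): the derivation with hashlib, checked against the IEEE 802.11i test vector, a per-SSID table check, and the worst-case time to exhaust an 8-digit numeric default at the two guess rates quoted on this page; the function names are mine.

```python
import hashlib

# WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds,
# 32 bytes) per IEEE 802.11i. Added example code, not KisMAC or Aircrack-ng code.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK; the standard allows 8 to 63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)

def pmk_table_transfers(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only when a PMK precomputed for ssid_a is also valid on ssid_b,
    which the SSID salt rules out for any two distinct SSIDs."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)

def days_to_exhaust(candidates: int, guesses_per_sec: float) -> float:
    """Worst-case days to try every candidate at a fixed rate: each guess costs
    the same 4096 rounds, so candidate count is the only lever a defender has."""
    return candidates / guesses_per_sec / 86400

if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    print("table for linksys reusable on linksys2:",
          pmk_table_transfers("password", "linksys", "linksys2"))
    # an 8-digit numeric default (10^8 candidates) at the two rates quoted above
    for rate in (354.61, 1_576_213):
        print(f"{rate:>12,.0f} guesses/s -> {days_to_exhaust(10**8, rate):.2f} days")
```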

Aircrack-ng / KisMAC Speed Test
Test files of 100,000 lines were used:
- One with 8 numerical digits, from 00000000 to 99999999
- One with complex passphrases of 50 printable characters: !@#$%....ABC....99999
- One with 50,000 entries shorter than 8 characters and 50,000 longer than 8 characters

Tests were done on an Intel Dual Core 2.5GHz, 4GB RAM

Aircrack speed:
100,000 passphrases in 04' 42", or 354.61 pswd/sec
~1450 k/s

Is Aircrack-ng slowed down by complex passphrases?
100,000 passphrases in 04' 43", or 353.3 pswd/sec
Result: the difference is negligible: 1 sec overall

Is Aircrack-ng testing passwords shorter than 8 characters?
No: the file containing 50% passwords shorter than 8 characters was done in 2' 12"

KisMAC speed:
100,000 passphrases in 10' 18", or 161.8 pswd/sec
2.2 times slower

Is KisMAC testing passwords shorter than 8 characters?
No: the file containing 50% passwords shorter than 8 characters was done in 4' 27"

Is KisMAC slowed down by complex passphrases?
No, here again the results are almost the same.

Common Aircrack-ng options:

      -a : force attack mode (1/WEP, 2/WPA-PSK)
      -e : target selection: network identifier
      -b : target selection: access point's MAC
      -p : # of CPU to use  (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C   : merge the given APs to a virtual one
      -l   : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d   : use masking of the key (A1:XX:CF:YY)
      -m : MAC address to filter usable packets
      -n : WEP key length :  64/128/152/256/512
      -i : WEP key index (1 to 4), default: any
      -f : bruteforce fudge factor,  default: 2
      -k : disable one attack method  (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing  (default)
      -x2        : enable last  2 keybytes bruteforcing
      -X         : disable  bruteforce   multithreading
      -y         : experimental  single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M    : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P    : PTW debug:  1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:
        -w : path to wordlist(s) filename(s) 


Other Tools provided with the Aircrack-ng Suite

ivstools: merge and convert IVs

Airbase-ng: "Airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. Since it is so versatile and flexible, summarizing it is a challenge"

Airdecloak-ng: "Airdecloak-ng is a tool that removes wep cloaking from a pcap file. Some WIPS (actually one) actively "prevent" cracking a WEP key by inserting chaff (fake wep frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out chaff."
Source: Aircrack-ng.org. Please refer to it for any information related to the Aircrack-ng Suite.


New Rules for Comments:
  • Update: some people can read, some others can't. Your time is precious, so is ours: if your question has been previously answered, you'll be asked for a $5 donation. Otherwise, just re-read again.
  • Please use a name other than "Anonymous" (see Name/URL). Any name, even Max the Cat, will do. Will do only once.
  • Please state your OS, version, etc. Don't forget to state your OS.
  • Max 3 questions. If we need to ask you what your OS is, that will be one, 2 left.