Description: Welcome to Part 26 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will pick up from where we left off and actually crack a WPA2-PSK network using just a client.
We first run airodump-ng to find a roaming client and an SSID it has stored in its preferred network list and is probing for. We find an iPhone probing for a "Wireless Lab" network. We immediately set up an Open/WEP/WPA/WPA2 network with the same SSID on the same channel. It's not long before our victim connects to our network. Unfortunately, as we do not know the WPA2-PSK passphrase for the "Wireless Lab" network, the client sends a De-authentication packet and disconnects. However, this does not happen before it exchanges the first 2 packets of the WPA handshake. From previous videos, we know that with just packets 1 and 2, we can launch a dictionary attack on the PSK. We do just this and within minutes the WPA2-PSK key is revealed.
Enjoy! and do leave your comments behind!
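As an added example (not code from the video or from any of the commenters), the following Python derives the PMK from passphrase and SSID exactly as 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes) and turns a measured derivation rate into a worst-case dictionary time for a few passphrase policies; the rate measurement, the candidate guesses and the policy list are my own constructions.

```python
"""Why a captured WPA2-PSK handshake becomes a passphrase audit.

Messages 1 and 2 of the four-way handshake give the attacker ANonce, SNonce
and a MIC keyed by the PTK, which derives from the PMK. Every candidate
passphrase therefore costs one PBKDF2 derivation of the PMK; nothing else in
the protocol slows the search down, so passphrase length and alphabet are the
only defence once a client has leaked the handshake to a rogue AP.
"""
import hashlib
import time

SECONDS_PER_YEAR = 3600 * 24 * 365

# Assumed passphrase policies to compare (alphabet size, length).
POLICIES = {
    "8 digits": (10, 8),
    "8 lowercase": (26, 8),
    "12 alphanumeric": (62, 12),
}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, which is why a rogue AP must copy the real SSID
    and why precomputed tables only help against a specific network name.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_rate(ssid: str, samples: int = 20) -> float:
    """Single-core PMK derivations per second on this machine (constructed guesses)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"guess{i:08d}", ssid)  # constructed candidate passphrase
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every passphrase of the given alphabet and length."""
    return charset_size ** length / rate


def audit(rate: float) -> dict:
    """Years to exhaust each policy in POLICIES at the given derivations/second."""
    return {name: seconds_to_exhaust(cs, ln, rate) / SECONDS_PER_YEAR
            for name, (cs, ln) in POLICIES.items()}


if __name__ == "__main__":
    rate = measure_rate("Wireless Lab")
    print(f"{rate:,.0f} PMK derivations/s on one core")
    for name, years in audit(rate).items():
        print(f"{name:>16}: {years:.3g} years worst case")
```

Multiply the measured single-core rate by the attacker's core or GPU count to get a realistic bound; the point is that an 8-digit default is minutes of work while a 12-character random passphrase is not.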
Tags: wpa-psk, wireless, wifi, security, megaprimer, pbkdf, ptk, pmk, anonce, snonce
vivek, first. thanks for the awesome video :) next thing. when you're doing a man in the middle attack, you have to have an external wireless card as well as your internal wireless card with your laptop right ? in vmware it won't open a wlan0 if there's only 1 wireless adapter. i just tested it. so therefore you have to have 1 online, then 1 broadcasting right ?
using the alpha card plus your inbuilt wifi
@allisonmagiccelite - I think he's only using the one alfa card for everything with a bunch of mon interfaces. Leads to some packet loss, but it can be successful.
@Vivek - just trying to get an answer out there as soon as possible. if i'm incorrect plz correct me.
nice vid, short and sweet. keep up the good work i love all your videos.. I do 2nd the MITM attacks with just a splash of squid.. maybe upside down net.. lol
thanks for the great video!
quick and clear!
awesome! :)
Thanks, very good!
Right on the money. Somehow, WPA & WPA2 will never be the same again :-)
I think there is nothing new in this video.....i mean as usual it's informative brilliant and sharp mentality
Thank You ....VIVEK
Another great explanation. Looking forward to playing with it more in a couple weeks.
Nice video! Thank you Vivek!
One question, I have an android smartphone with many APs in memory, when i start the wifi i can't see any Probe, the phone appears not associated but in the probe column there is no AP name, so I can't do anything. any suggestion?
@allisonmagicelite, BoNk3rZz I have already demoed a MITM attack, the principles remain the same. You could use your inbuilt card in an interesting way - connect it to the legitimate WiFi network, set your Virtualbox to bridge through it, and then set up an internal bridge in the VM between the Alfa card created WiFi interface and the virtual network device (which bridges to the legitimate authorized Wifi).
@Andrew, yes it's possible to create multiple virtual devices, but as you have rightly pointed out, it's a bit unstable and does not work properly. The best would be to use 2 Alfa cards if you have them. Alternates include, as I have mentioned above to Allisonmagicelite.
@x17, 3IL060, m0ei, Blackmarketeer, Ahmadqdemat, WCNA, in0cula Thanks Guys! Appreciate it :)
@in0cula Unfortunately, there could be a million things going wrong. It will be impossible for me to debug your problem remotely :(
I have posted the next video in the series, announcing a Q&A:
http://www.securitytube.net/video/1922
vivek sir, i am a student of MIEL PRISM 2 batch, and have heard many things abt u from ravi sir and some seniors...and after joining and watching videos on security tube...i really MISS U @ miel as a faculty...
Really nice video, nice explained, good made...good tutorial.
Keep up the good work!
is that u show how to find other way to got handshake ?
I've just released this script to automate the process of setting all this up:
http://www.digininja.org/projects/wifi_honey.php
Something I've noticed is that with WPA and WPA2 sometimes it fails and the client ends up on WPA when it should be WPA2 then won't move over. Sometimes it works though so not sure what the problem is.
I looked at your security tube and i followed aircrack WPA2. lots of thanks for your lesson.
I got the Handshake but i can't find the key because the key length is 12 characters, e.g. ( 5QVAYO2IS261 ) ( modem Name HITRON )
please sir can you give me the 12 character password list or explain to me how to create the password list
i know i'm almost 1 year late but i still want to give all my regards to vivek and his amazing series.
still i have one unsolved problem (to be honest i did not find the q&a thread): 1/4 and 2/4 should be sufficient to get all the needed information to have a valid (crackable) handshake and indeed i captured my "2-way" handshake - well airodump said so, and i verified it by looking at the dump in wireshark (packets never lie). But if i feed the cap file to aircrack or cowpatty they cannot find the correct password and complain that i have an incomplete handshake. any hint?
I am so sure that WPA/WPA2 PSK is already beaten, because, when using a fake access point, the fake access point is able to prompt the client or the victim to enter a the PSK. I am sure that, there is something you can do from there to obtain the passphrase in clear text.
sir i would like to know that can we find the WPK KEY of the router by any means ........if so can u state how to do it ........or else please post the video link which describes it...............................and is there any possibility to reset the router using backtrack sir
and also please explain EVIL TWIN METHOD for cracking wpa s WITH A DEMO PLZ.........