Friday, March 22, 2013

ONE WAY TO HACK

Exploit + Zero Day
Copyright By Edward Maya. Powered by Blogger.

WPA-TKIP

    by Chris Defaulter Valentine

    Hey guys.

    I've been searching around all ends of the internet looking for more information on breaking TKIP,
    and my search has found that it is entirely possible.

    I thought I'd share some links I found interesting, as I haven't seen much on TKIP in hackforums.

    Hacking TKIP with the aircrack suite "TKIPTUN-NG"

    http://www.aircrack-ng.org/doku.php?id=tkiptun-ng

    Falsification attack & types of attacks and implementations on WPA-TKIP (2001-2006-2009?)

    http://www.youtube.com/watch?v=JRVsAhe8h...re=related

    Some extra reading material: this attack being carried out in under a minute

    http://www.net-security.org/secworld.php?id=7962

    I realize TKIP is now quite outdated, but I've seen some TKIP still floating around; maybe you guys will also find this topic interesting.

    Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do. Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 40 years of imprisonment, if got caught in doing so.


    WPA with Gerix Wifi Cracker

    by Chris Defaulter Valentine
    Anonymous

    ★★★ NOOB PROOF Cracking WPA with Gerix Wifi Cracker ★★★
    So you're tired of the Konsole window, huh? Well, here is an easier way to perform several attacks with a tool called Gerix in the BT suite. This tool performs the same commands as you would in a Konsole wireless attack; now it's easier than ever, as there is a GUI for such an attack. This tool covers several different WEP/WPA/2-PSK and FakeAP attacks. Today we are going to do your basic WPA dictionary attack. I recommend doing this on your OWN network, so that you get some practice and don't get into trouble.

    This tutorial is noob proof; I had no idea about this tool in BT until now. I just hopped right in and got to cracking, that is how SIMPLIFIED wifi-cracking with Gerix is, so let's get started. Navigate to your Backtrack menu, go into 802.11 attacks and go to cracking tools. Forgive me, but some of you might have BT5, so I don't know where it would be located there.

    1. Go to the configuration tab and click on your wireless interface; it should be highlighted.

    [Image: snapshot1kkz.png]

    2. Click the enable/disable monitor mode button; another interface should show up, mine is mon0.


    [Image: snapshot2pq.png]

    3. Click on the interface you made and click on the set random MAC address button to change your MAC, to cover your tracks.
    4. Select your mon0 interface and then click Rescan networks; give it a couple of seconds and a bunch of networks should show up.


    [Image: snapshot3r.png]

    5. I'm going to rescan with some different options here: I'm going to set the seconds to 5 and the channel to 6 and rescan.

    [Image: snapshot4bm.png]

    6. Now click on the network you want to crack; I'm going with the first one because it is my own. It should be highlighted. Then go to the WPA tab, because that's what we are going to be cracking. Now click "perform a test injection" and you should get something like this. Then click the Start Sniffing and Logging button to start the sniffer.


    [Image: snapshot5p.png]

    7. Now click on the WPA attacks towards the bottom and click the auto load button to find the MAC of the client that was connected to it, then change the deauth amount to 10 and click the deauth button. If successful, you should get a handshake if someone is connected to the network.


    [Image: snapshot6s.png]

    [Image: snapshot7k.png]

    8. Now, once you have your WPA handshake, go to the cracking tab and select WPA bruteforce cracking if you have a dictionary file, or click WPA rainbow tables cracking. We are just going to use a dictionary attack because that is the most common. Give the path to your dictionary file; mine is on the desktop so the path is /root/your password file.


    [Image: snapshot8l.png]

    9. Success, you have just cracked WPA. Well, it's not that easy: you need a good dictionary to crack WPA.

    Well, I hope this makes cracking WPA easier for the newbies to wifi-cracking. I will be doing a full series on how to use every part of this tool "Gerix", so till next time, Happy Hacking!


    Cracking WPA/WPA2 - Any OS - Tools included

    by Chris Defaulter Valentine

    **This guide is intended for the sole purpose of penetration testing only**

    First of all here is what you need. I will cover all of these in more detail later.

    You need:
    -A wireless adapter with the RTL8187 chipset
    -To be able to run Backtrack 4
    -A good wordlist
    -Access to a WPA/WPA2 Network
    -Network Traffic (People connected to the network)
    -A weak wireless key

    Having the correct chipset

    You need to have an RTL8187 chipset for the method that I am going to show to work. The easiest way of getting one is buying an ALFA AWUS036H wireless adapter; these are very popular among the hacker community as they have excellent range and they have the all-important RTL8187 chipset, which allows it to work with the aircrack-ng suite. They cost around £30, so if you are not prepared to get one, stop reading now.

    However if you are then here is a link to the manufacturers website: Alfa

    And here is a link to amazon [UK]: Alfa on Amazon UK

    This adapter is compatible with all OS =]
    Once you have your shiny new adapter, install the driver and have a play about!

    If you don't want to get an Alfa you can look here, to try to find another compatible card.

    Running Backtrack 4
    Backtrack 4 is a Linux distro that specialises in penetration testing; not only is it good for wireless hacking, it has a large collection of tools for all sorts of activities. There are three easy ways to run this OS.

    Bootable USB drive
    This method is probably the easiest and quickest, however it does mean sacrificing a 4GB USB stick! This is great if you have one lying about; if not, you will need to buy one or use the other method.

    Ok, first you need to install LiLi USB Creator; this allows you to burn .iso images onto your memory stick. The program allows you to select, download and install many different Linux distros, but what we are interested in is Backtrack 4 [which I will now refer to as BT4].

    Here is the download link: LiLi Live USB
    Once downloaded, install the program and run it. I would create screenshots and a walkthrough of how to create the stick, but it would take a long time, and if you are unable to figure it out you shouldn't be here.

    Creating a live CD
    First you must download the BT4 .iso image [Or the Backtrack 4 R1 .iso; However this tutorial will be using BT4]

    You can download it from here: Backtrack

    Because I have never done this myself I will just give you this link: how to burn an .iso on a DVD (http://www.google.co.uk/#sclient=psy&hl=en&safe=off&q=how+to+burn+.iso+&aq=f&aqi=g4g-o1&aql=&oq=&gs_rfai=&pbx=1&fp=818a8bd2053ae4a6). The rest is up to you.

    Booting BT4
    Once you have created your bootable device you need to boot into BT4. This is simply done by turning on your computer with your device inserted and pressing F[something, depends on your computer] to access the boot menu. Once you have done this, select your USB stick or your CD and hit enter.

    Once in BT4 you may need to log in; to do this use the username "root" and the password "toor". To load the GUI [Desktop] you need to type the command "startx". Now is also a convenient time to type the command "/etc/init.d/wicd start"; this starts the inbuilt wireless manager.

    Now that you are in BT4 the fun can commence! Oh wait, you may need to install the drivers for the AWUS036H Wireless adapter into BT4... [Just forgot about that step - figure it out yourself!]

    Plug your adapter in and let's get going!

    You will also need a good wordlist. I tried to upload one for you but my computer had a spaz attack, so I am going to let you find one for yourself ;)

    Safety First!!!
    If you are practising on a network that you do not have permission to test on [I don't know why you would ;)] then it may be a good idea to spoof your MAC address. This is like an IP address for your computer.

    First you need to determine your device names and modes. This is easily done by opening Konsole and using the following command:

    Code:
    airmon-ng
    You should see something like this:


    [Image: ic4Egk.png]

    Here we can see all of my wireless devices and their chipsets. The first one is my AWUS036H, the second one is my inbuilt wireless card. [You can tell by the RTL8187 chipset]

    We now need to put it into monitor mode; we do this with the following command. Where I put <interface> you need to put the name given to your RTL8187. As you can see, mine is "wlan0".

    Code:

    airmon-ng start <interface>
    [Image: ic0vIc.png]

    As you can see, "monitor mode has been enabled on mon0"; from now on the interface that you should use is "mon0".

    Now moving on to hiding your ass:


    Code:

    ifconfig mon0 down
    macchanger -s mon0
    macchanger -m 00:11:22:33:44:55 mon0
    ifconfig mon0 up
    You should see something like this. Your MAC address will be different to mine, of course.


    [Image: iiUhg.png]

    Viewing available networks
    Now we are ready to search for networks to target; type the following command to scan for networks:


    Code:

    airodump-ng --encrypt WPA -a mon0
    Here we dump the wireless networks around us with the airodump-ng command. The switch "-a" searches only for networks that have people connected to them, which is what we want; "--encrypt WPA" shows only WPA networks; and "mon0" defines which interface to use.

    [Image: iczJrO.png]

    In this example "BTHomeHub2-NM6K" is my home hub that I am trying to obtain the network key for. As you can see, there is one client connected to it (DE:03:74:C7:33:8E).

    Target acquisition

    Once we have a WPA/WPA2 network that has someone connected to it, we need to 'lock on'. To do this we run airodump-ng with:


    Code:

    --bssid <bssid of the access point you wish to target>

    You will also need to filter the list by channel; to do this add:


    Code:
    -c <channel>
    You also critically need to add:

    Code:
    -w <filename>
    This saves the handshake to a file on your desktop.

    All of that together looks like this for my example:


    Code:
    airodump-ng --bssid 00:23:4E:55:B3:84 -c 1 -w WPA mon0

    And this is what it should look like:


    [Image: iczPGm.png]

    As you can see, there are 3 clients connected. We now need to kick one off!

    Obtaining the WPA handshake
    This is the most important part of the process, as it is the only thing that involves the users of the network. What we are trying to do is disconnect a client from the access point and then wait for them to reconnect. When they do this they perform what is called a 4-way handshake; what we are trying to do is witness the handshake so that we can crack it and obtain the network key.

    We do this by using aireplay-ng to kick the user offline and then wait for them to reconnect. By doing this we can capture and analyse the handshake. Use the following command:


    Code:
    aireplay-ng --deauth 10 -a <bssid of access point> -c <mac address of client> <interface>
    In my example the BSSID of my access point is 00:23:4E:55:B3:84 and the client I want to kick off is DE:03:74:C7:33:8E.

    --deauth means "deauthenticate" [kick off]; the number after it defines how many times to do this. I set it at 10, but you only really need one. Also if you are feeling mischievous you can set it to something like 10 billion to deny someone wifi access! Not the most effective but still lol worthy. Wait till your mate has a 24 kill streak on MW2 and kick him....

    So I will open a new window, leave airodump-ng running, and in the new window type:


    Code:
    aireplay-ng --deauth 10 -a 00:23:4E:55:B3:84 -c DE:03:74:C7:33:8E mon0
    It will look like this:


    [Image: ic0nhC.png]

    If it is successful, the airodump-ng window will be displaying the WPA handshake in the top right of the screen. You can see this in the image below.


    [Image: ic4BUi.png]

    If not successful, wait for a while, as what we are waiting for is the client to reconnect. If they do not reconnect, then try kicking a different client.

    Cracking
    I have made another in-depth thread about cracking the WPA handshake; it was originally going to be here but it ended up too long! You can view the next part here.

    Thanks for reading.

    Cracking the WPA handshake

    by Chris Defaulter Valentine

    This is Part 2 of my guide on cracking WPA handshakes; I had to make it 2 parts as it was too long! You can find the first part here.

    Also this is a good summary of the methods available to us!

    Cracking
    Now that you have your handshake you need to crack it. This is a very popular subject in regards to wireless hacking, as there are a few ways to go about it, all with varying opinions.

    Dictionary attack
    This is the standard method of cracking and is a very easy and simple method.

    For this we use:


    Code:
    aircrack-ng <filename-01.cap> -w <file path of wordlist>

    So for my example I would use:


    Code:
    aircrack-ng WPA-01.cap -w Pass/Example

    For my example I made a wordlist that consisted only of my wireless key, so the result was instant; however, when doing this in the real world it will take you many hours or even days to run through a decent wordlist.

    When using a live CD/USB stick to boot BT4, save your wordlist to your desktop and use:

    Code:
    -w <wordlist>

    However, the problem with this method is that it will take a VERY long time to go through a wordlist of any decent size. In my example I was only going through 350 keys a second; that may seem fast, but if you consider that a 1GB wordlist would contain about 100 million words, you can see that it would in fact take a very long time.

    So here is what you want to see:


    [Image: inKF2.png]

    An alternative bit of software that has more features, including the use of rainbow tables, and that also uses this method but a tad faster, is coWPAtty. It is included in Backtrack, so open it up and have a look at what it can do.

    Here's some example syntax for cracking a 4-way handshake:

    Code:
    cowpatty -f <word list> -r <handshake>.cap -s <essid>

    "Rainbow" tables
    Now this is an interesting method that a lot of people have misunderstood. Basically the idea is that if you had a rainbow table containing a list of words that had all been precomputed for a WPA handshake, you could go through them a lot faster. Now this is true: you can go through a rainbow table at, say, 40,000 keys a second, compared to 350 keys a second in the prior example. However, the WPA handshake has been salted with the ESSID of the network. This means that a rainbow table that has been generated for "johns network" will not work for "Erics network", as the ESSID is different, so there is a different salt on the handshake.

    That means for every different ESSID a new rainbow table has to be produced to be used with it. It is like multiplication tables: everything has been worked out prior. Now this is where a few people get confused....

    It is possible to create your own rainbow tables for networks with unique ESSIDs; however, the rate at which you create them (the speed at which you precompute keys for the table) is exactly the same as the rate at which keys can be tested against a wordlist. So for me it was 350 keys a second being added to the table. You can then go through the wordlist at a very fast rate; I was able to go at 40,000 keys a second after I had generated the table. But the key point is that the time it took to generate the table could have been used to just go through the wordlist! So creating your own tables for unique ESSIDs is just ridiculous!

    However, the idea behind these tables is that someone with a large amount of computing power could generate tables for a list of popular ESSIDs and then make them available for download. So the idea is that you capture a handshake from "WirelessHotspot", then check the list of rainbow tables, see that "WirelessHotspot" has a rainbow table, download it, and then run through the wordlist at an accelerated rate. And believe it or not, someone has done this!

    In this thread you can see links to all of the tables for the most popular ESSIDs; if the network you are trying to crack has an ESSID in the list, then you can download the table and run it through at great speed!

    I will not cover the commands and screenshots of how to do this, as I have no need for this method and there are no wireless networks with an ESSID in the list for me to crack; so you will just have to google it for yourself. It shouldn't be hard!

    Accelerated word list with pyrit
    Now this is the method that I believe is the best; however, it does require a decent graphics card! This method uses the power of your GPU (Graphics Processing Unit) in your graphics card to test a handshake against a wordlist at a very fast rate. This is the method I use as it makes the most sense to me, and I have a good graphics card! This method does still require a wordlist to work, but it allows you to go through the wordlist A LOT faster than before. Here you can see that on my new system I am going at 5480 keys a second with the standard aircrack-ng dictionary attack:

    Now when I use pyrit and my GPU I can get up to 56,000 keys a second!:

    [Image: ibwwnE.png]

    That makes a big difference!! Again, I won't show you how to do all this as it is quite complex to set up and there are already a few guides out there. Look here for more info.

    Online services
    There are services online that use various techniques to crack WPA keys, although they do charge money! The best site is most likely to be http://www.recoverwpa.com as they do not charge an upfront deposit; you only pay if they find your key. However, I do believe that this and a few other websites are doing nothing more than what I would do; I do recall one website that charged $10 for <1 billion words in 2 hours, something I can do myself in 6 hours! So that option is there if you don't have the hardware or the time but do have the money! This is also a good test if you are a white hat, as it is possible that the blackhats would use a similar/same service. I recommend you google around looking for the best service, or maybe even ask me!

    Bruteforcing
    Now here is another method that is a tad ridiculous. Basically what happens is that you pipe the output of a program called crunch directly into a WPA cracker like aircrack-ng or pyrit. The idea is that it generates a wordlist as it cracks, and you can define the wordlist. So if you used:


    Code:
    crunch 8 10 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?-_

    With crunch and aircrack-ng you would be generating a list of all of the 8 to 10 character combinations of those characters. A friend and I worked this out to be something like 84 Petabytes! And as you can imagine, not only is that impractical, it would take an impossible amount of time to crack, even with a high-end setup.

    The only legitimate use for crunch in WPA cracking that I can see is if you know that the wireless key is only numeric, or you know that it is a certain length and contains certain characters; that way you can cut down massively on the number of words generated. So for example 0-9 at 8 characters long may only take a day to do, and that is very plausible, but only if you know that it is only 8 characters long and only numeric.
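    As an added illustration (not part of the original post) of the two points above, the ESSID salt that ties a rainbow table to one network name and the size of the crunch keyspace: this Python derives the PMK exactly as WPA/WPA2-PSK does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds) and sizes a keyspace at the post's own 350 / 40,000 / 56,000 keys per second. The "password"/"IEEE" vector is the standard IEEE 802.11i test vector, and the character set and rates come from the post; nothing else is assumed.

```python
import hashlib

# Constructed inputs for the demonstration (not from the original post): the
# IEEE 802.11i test vector for the PMK derivation, and the character set the
# crunch example above feeds to the cracker.
TEST_PASSPHRASE = "password"
TEST_SSID = "IEEE"
CRUNCH_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?-_"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key the way WPA/WPA2-PSK does.

    IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt. That single fact is why a table of precomputed PMKs is
    only useful against networks using exactly the SSID it was built for, and why
    every candidate costs 4096 HMAC-SHA1 rounds whether you precompute it or not.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def table_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs,
    i.e. a table built for ssid_a says nothing about ssid_b."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def keyspace_size(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates crunch emits for lengths min_len..max_len over charset."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to test every candidate at a given rate."""
    if keys_per_second <= 0:
        raise ValueError("rate must be positive")
    return candidates / keys_per_second


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, for quick reading."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    print("PMK for the test vector:", wpa_pmk(TEST_PASSPHRASE, TEST_SSID).hex())
    print("Same passphrase, SSID 'IEEE' vs 'ieee' gives different PMKs:",
          table_is_ssid_bound(TEST_PASSPHRASE, "IEEE", "ieee"))
    # The post's own rates: 350 keys/s (aircrack-ng on the author's CPU),
    # 40,000 keys/s (precomputed table), 56,000 keys/s (pyrit on a GPU).
    for min_len, max_len, charset in ((8, 10, CRUNCH_CHARSET), (8, 8, "0123456789")):
        size = keyspace_size(charset, min_len, max_len)
        print(f"{min_len}-{max_len} chars over {len(charset)} symbols: {size:,} candidates")
        for rate in (350, 40_000, 56_000):
            print(f"  at {rate:>6,} keys/s: {human_duration(seconds_to_exhaust(size, rate))}")
```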

    Guide to WPA/WPA2 Hacking

    by Chris Defaulter Valentine

    [NOTE: The Information contained in this Article is only Intended for Educational Purposes. I take no Responsibility for the misuse of this information and the harm brought to you or any one else (especially your neighbour...

    Hello Everyone..

    This is my Tutorial for WPA/WPA2 Wireless Hacking... This guide is aimed to help you crack WPA/WPA2 Passwords.. As said, this is a Total n00b Guide to Wireless Hacking..

    The Stuff that you are going to need is

    (1) Backtrack (You can get it here)

    (2) Wireless Card that Supports Packet Injection

    (3) A Wireless WPA/WPA2 Connection that uses PSK Mode (Pre-Shared Key)

    (4) A Dictionary that has the Password we are trying to get. But Obviously you wouldn't know it till you complete "The Dictionary Attack"..lol

    Before we Start, I take it for Granted that you are aware of a Few things...

    I Hope You already have a Live CD, Bootable USB or a Virtual Backtrack Installed in your System. In case of Virtual Machine, You will need an External Wireless Card. And in case you don't already have Backtrack, I suggest you bookmark this page and get it first.

    Also, I hope you have googled by now to see if your Wireless Card will support Packet Injection or not. In case you are not sure, Use the Test Mode in Aireplay-ng (-9) to see if it supports packet Injection. Again, if you haven't already done that go and get this done first :)

    Now that we are Ready.. Lets Begin..

    If You are Using a Boot CD, As in my case, You will see the following screen when the CD Loads.

    [Image: bootscreen.png]

    Just Select "BackTrack Text - Default Boot Text Mode"

    When the Screen Loads, Input "startx" to move on to Graphical Mode.

    After Your Desktop Loads. Open up a Konsole and type in "iwconfig" to see your Wireless Interfaces.

    [Image: iwconfig-1.png]

    As you can see in the above Image, My Wireless Card Shows up as "wlan0".

    Now, We will put the Wireless Card into Monitor Mode. In this Mode, Quite Simply, We will be able to monitor all the Traffic that flows around in our Scan Area.

    To put the card in Monitor Mode, We need to use a program called "airmon-ng"

    The Command is Simply,

    Code:

    airmon-ng start wlan0

    This is what it may look like if Your Wireless Interface is Successfully put into Monitor Mode.

    [Image: airmon-1.png]

    As evident from the Image, My Wireless Interface "wlan0" has been enabled for monitor mode at "mon0"

    Now, We will Scan the Area for Presence of WPA/WPA2 encrypted Networks. Before we Scan for WPA/WPA2 Networks, There is something I want to make a note of here.
    WPA/WPA2 stands for Wireless Protected Access. WPA is a notch up in Security when compared to WEP which was cracked in 2000. WPA/WPA2 uses Two types of Authentication Methods

    TKIP - Temporal Key Integrity Protocol.
    TKIP uses an Ever Changing Key which makes it Useless to Crack.

    PSK - Pre Shared Key.
    PSK uses a Key Defined by the Network Administrator. Hence, The Key remains the same. Unless the Administrator decides to change it.

    Net of it all, It is useless to crack a TKIP Authenticated WPA/WPA2. This Tutorial will only help you crack PSK Authenticated WPA/WPA2.
    Now, We have taken care of What Our Target Should look like. So, We'll go ahead and Scan the Area.

    The Command is

    Code:

    airodump-ng --encrypt wpa mon0

    Once, You Press Enter, You will see a Similar Screen.

    [Image: scanimage-1.png]

    What you are Seeing is A List of All the WPA/WPA2 Encrypted WIFI Networks around you. There are some details in there too. Here's a simple explanation of a few of them

    BSSID = MAC Address of the slave (Most Important)

    PWR = Signal Strength

    CH = Channel Number

    ENC = Encryption Type

    ESSID= Name of Target's Network

    #Data = Amount of IVS Collected (Most Important)

    #/s = IVS Per Second

    You Might just wanna copy the BSSID as it is going to be used a lot.

    Our Target's Details

    BSSID= 00:25:9C:EE:59:49

    CH = 1

    ESSID= {censored}

    STATION= 00:17:C4:2C:8E:26

    You must have Noticed, The Column of Stations. Stations are the Computers/Smart Phones or any Wireless Devices currently connected to the BSSID they are Associated with.
    While Stations are not necessary to crack a WEP Encrypted Network, Stations are a must have to crack a WPA/WPA2 Protected Network. In WPA/WPA2, We Need to get a Handshake in order to be able to Initiate a Dictionary Attack against that Network. And In order to get this Handshake, We need to De-Authenticate a Connected Client (Station).

    Simply Put, In no Order of Importance..lol

    To Get WPA Password, You need to do a Dictionary Attack.
    To Do a Dictionary Attack, You need a WPA Handshake.
    To Get a Handshake, You need a Connected Client (Station).


    Since, In this case, We already have a Station connected to the Network. Lets Configure the airodump-ng command to focus Specifically on The Target Network.

    The Command is Simply,

    Code:

    airodump-ng --channel 1 --bssid 00:25:9C:EE:59:49 --write wep --ivs mon0

    Our Wireless Interface "mon0" will now capture Packets only from Channel 1 from a Specific BSSID and write all the data to a File called "wep-01.ivs" (airodump-ng appends a run number to the "--write" prefix).

    [Image: Screenshot-ScanStatus-1.png]

    Now, We will initiate a De-Authentication Attack on the Target Wi-Fi Connection.
    Whenever, a Client connects to a WPA/WPA2 Encrypted Network, It exchanges a "Four-way Handshake" with the AP. Its an Authentication Process to allow the Client to be associated with the Access Point.

    The Point in a De-Authentication Attack is to Forcefully De-Authenticate a Certain or All Stations from an Access Point. Forcing them/it to Re-Connect and hence, Exchange the Handshake Again. Which will enable us to Capture the Handshake and Initiate a Dictionary Attack.


    So, Lets De-Authenticate the Client and Get the Handshake.

    The Command is,

    Code:

    {If You wish to Target a Specific Client (-c)}
    aireplay-ng --deauth 10 -a 00:25:9C:EE:59:49 -c 00:17:C4:2C:8E:26 mon0

    {If You wish to make an Open-ended Attack. i.e. De-Authenticate all the Clients Associated with the AP.}
    aireplay-ng --deauth 10 -a 00:25:9C:EE:59:49 mon0

    NOTE: A Client Targeted De-Authentication Attack is more Successful than an Open-Ended Attack.

    Deauth is Followed by "Attempt Counts" i.e 10 Attempts in my Case. You can make it "--deauth 100". "a" is simply the BSSID of the Target AP and "c" is the Client that is Associated with the AP and we wish to De-Authenticate this Client.

    [Image: deauth-1.png]


    If You have Successfully, De-Authenticated the Client then You Should be able to see a "WPA Handshake" at the Top-Right Corner where You have the Targeted Airodump Running.

    Here's What it Might Look Like.

    [Image: wpahandshake-1.png]

    Now, We have a Captured Handshake and It has been written to the "wep-01.ivs" file.

    Now, We will use the Aircrack-ng Program and a Dictionary to Run a Dictionary Attack on the Captured Packet.

    The Command is Simply,

    Code:

    aircrack-ng wep-01.ivs -w /pentest/passwords/wordlists/darkc0de.lst

    Here, "wep-01.ivs" is the File to Which We (read airodump-ng) wrote the Handshake. "-w" tells aircrack-ng that We wish to Run a Dictionary Attack and The Path is the Path of the Dictionary File.

    [Image: aircrack-1.png]

    For the Purpose of this Tutorial, I am using the Built-in Dictionary that comes along with BackTrack 5. Though, I Personally feel those Dictionaries are Useless. I nano(ed) the File to have my Password. If that File has Your Password, You Officially have the weakest Password Ever..lol.

    Dictionary is the whole Essence in a WPA/WPA2 Cracking Scenario. You will Find a Lot of Great Dictionaries on the Net. Google is your Best Friend!!


    Well, Run the Attack. If the Dictionary has the Password, You will see Something like this and Voila, Its Done!!

    [Image: password-1.png]
    Aircrack Sucks at Speed. You can never dream of Ploughing through a Dictionary if You are running Your Attack on Aircrack. Some Dictionaries have 3-Digit Million Words (Like 600 Million), With Speeds of 2000 K/s You will probably give up even if the Word is in the Dictionary. So, What you need is Your GPU Power not Just your CPU Power. You will have to Setup Pyrit + CUDA to get Speeds like 80,000 K/s that Some Hackers Manage. Again, Google is your Best Friend!!


    Cracking WPA/WPA2 on Linux

    by Chris Defaulter Valentine

    I recently noticed a strange thing on this forum: everyone likes WEP-cracking tutorials a lot, but it seems like a lot of people have questions about WPA/WPA2 cracking too. After these findings, I noticed that there weren't any tutorials yet on HF.net, or I didn't check very well, that would be option two :D.

    Knowledge

    If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is, some don't agree. The fact is that if the password is in some sort of dictionary, the password can be cracked.

    Just for the record: when it comes to cracking WPA(2), they are cracked the same way ;-).

    You'll need a 4-way handshake from a client connecting to an AP. The 4-way handshake holds an encrypted algorithm which can be cracked by dictionary attack. You'll need a huge list and some luck that the password is in the list, or you can make a personal list created with a password tool of your choice (like john), which will not be discussed in this tutorial ;-). For this tutorial, of course, I'll be using the Aircrack-ng suite.

    !Optional: "laziness"

    Code:

    sudo su

    You might need root access to run these applications. For example, if you are using Ubuntu and you don't want to type "sudo" in front of every line, you could use this optional command.

    Knowing what interface to use

    First of all, you'll have to know the name of your wireless interface; that's why you type:

    Code:

    iwconfig

    In my case the interface was wlan0; as you can see, that's the only one that can connect to anything..

    Identifying your slave

    Code:

    airmon-ng start INTERFACE

    You'd get a small message saying:
    (monitor mode enabled on SPOOFEDINTERFACE) // In my case the interface was "mon0"..

    Code:

    airodump-ng SPOOFEDINTERFACE

    The next step would be choosing your slave. Obviously we would be looking for someone with WPA encryption now, since you want to crack someone with WPA. Write down his BSSID and his CHANNEL.

    Restarting the network card on the right channel

    Code:

    airmon-ng stop SPOOFEDINTERFACE
    Code:

    airmon-ng start INTERFACE CHANNEL

    Start dumping to a file

    Code:

    airodump-ng -c CHANNEL --bssid BSSID -w psk SPOOFEDINTERFACE

    This starts airodump-ng on your specific channel (-c). It will watch for handshakes

    of the specified BSSID and write everything to a capture file with the prefix psk (-w); airodump-ng adds a numbered suffix, so the file is psk-01.cap.

    Notice! You might ask yourself: but how do I know when I captured a handshake?

    -> Well, aircrack thought of that: if you managed to capture a handshake, a "WPA handshake" message appears in the top right corner of the airodump-ng screen.

    !Optional, but very helpful for speeding up the process

    So you need to capture a handshake, but the people who are already connected of course won't be giving out a

    handshake, since this exchange only takes place during authentication. If we could just kick them off

    their network for a second so they reconnect, that would be perfect!

    Code:

    aireplay-ng -0 10 -a BSSID -c CLIENTBSSID SPOOFEDINTERFACE

    This sends 10 rounds of "deauthentication" frames (-0 10), with BSSID being the AP and CLIENTBSSID the client being kicked off.

    You can check whether a client is connected by looking at your airodump-ng screen again. If the bottom of that

    screen shows a STATION associated with the BSSID of your slave, simply use that STATION address as CLIENTBSSID in this example.

    Code:

    aircrack-ng -w /pentest/wordlist.lst -b BSSID psk*.cap

    This cracks the actual capture file that was created by airodump-ng.
    Notice! You can only try to crack when a handshake actually took place.

    Don't forget, -w needs the path to your wordlist, so remember where you saved it!

    -> Aircrack-ng while attempting to crack a password
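    The deauthentication step above is exactly the traffic a wireless IDS watches for. As an added example (not part of the original tutorial), this Python sketch flags bursts of deauthentication frames in a sliding time window over constructed frame records; the record shape and the MAC addresses are assumptions.

```python
from collections import defaultdict, deque

DEAUTH = 0x0c   # 802.11 management frame subtype 12 = Deauthentication
BEACON = 0x08   # subtype 8 = Beacon

def detect_deauth_bursts(frames, threshold=8, window=2.0):
    """Return {(transmitter, receiver): first_alert_time} for every address pair that sees
    `threshold` or more deauthentication frames within a sliding `window` of seconds.
    frames: iterable of (timestamp_seconds, subtype, transmitter_mac, receiver_mac).
    An attacker forges the transmitter address, so the pair is keyed on the *claimed* AP."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype != DEAUTH:
            continue
        seen = recent[(src, dst)]
        seen.append(ts)
        while ts - seen[0] > window:        # expire frames that fell out of the window
            seen.popleft()
        if len(seen) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = ts
    return alerts

# Constructed sample records in the shape a tshark export might give (addresses are made up).
AP, VICTIM, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
SAMPLE_FRAMES = (
    [(float(t), BEACON, AP, "ff:ff:ff:ff:ff:ff") for t in range(12)]   # routine beacons
    + [(1.5, DEAUTH, AP, OTHER), (9.0, DEAUTH, AP, OTHER)]               # isolated, benign
    + [(5.0 + 0.1 * i, DEAUTH, AP, VICTIM) for i in range(10)]         # rapid burst to one client
)
```

    Where the AP and its clients support Protected Management Frames (802.11w), forged deauthentication frames are rejected outright, so a burst like this fails as well as being detected.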

    !Optional: "security"

    As a scriptkiddy, you might want to remain a bit anonymous, so here's how you would change your MAC.

    Try to implement it yourself ;-)

    Code:

    sudo ifconfig SPOOFEDINTERFACE down && sudo macchanger -r INTERFACE && sudo macchanger -r SPOOFEDINTERFACE && sudo ifconfig SPOOFEDINTERFACE up

    Wordlists

    If you ever needed some good wordlists,

    thx for your time guys ;-)


    WPA Handshake Analysis and Processing

  • by
  • Chris Defaulter Valentine


  • How to use Wireshark to analyze and extract valid WPA/2 handshakes from capture files. This check could save you countless wasted hours.

    You Must Already Have A Handshake


    Step 1:

    Open your capture file with wireshark.
    COMMAND: wireshark capture.cap


    [Image: image.jpg]

    Step 2:

    Part 1--Apply a display filter to the .cap file so we only see what we need. We need to see beacon and EAPOL frames. The filter for Wireshark is:

    wlan.addr==00:8E:F2:4F:F7:8F && (eapol || wlan.fc.type_subtype==0x08)
    Replace 00:8E:F2:4F:F7:8F with the MAC of your AP. The parentheses matter: without them the beacon clause is not limited to your AP and you see every AP's beacons.


    Part 2--Locate a beacon frame in the info column.

    Part 3--Right click the beacon frame, and select "Mark Packet (Toggle)".
    [Image: image.jpg]


    Now the beacon frame should be black because it is marked.

    [Image: image.jpg]

    Step 3.

    Now that we have a beacon selected, we need two more packets (you could do all four, but it isn't necessary). These packets will come from the four-way handshake. You can see parts of the handshake in the info column, labeled "Key (msg 1/4)" and so on. You must have the beacon we already marked, and additionally mark key msg 1/4 and key msg 2/4 by right clicking the packet and selecting "Mark Packet (Toggle)".


    Parts 1 and 2 of the handshake must come from the same exchange and be in the correct order, or the handshake will be invalid and never crack. Typically you want part 1 and 2 to be beside each other in a sequence. Don't mix key parts from multiple sequences. Sequences start at 1/4 and end at 4/4. In the image, any part 1 in the upper sequence goes with part 2 in the upper sequence. Avoid out-of-order sequences. You should now have three packets marked: a beacon, msg 1, and msg 2.

    [Image: image.jpg]

    Now that the packets are marked, click the file menu at the top of wireshark and select "save as". Give the new file a name with or without an extension. Select "Marked Packets Only" to save only the good handshake packets.

    [Image: image.jpg]

    Next you can check the new capture file with aircrack-ng. If all went well you will see 1 handshake, because that is all that is in the pcap file. If there is no ESSID it means you didn't get the beacon packet. If there is no handshake it means you didn't get the right key messages.

    [Image: image.jpg]

    Now that you have a cleaned capture file, you can convert it to an hccap file for use with hashcat. Aircrack does the conversion.

    COMMAND: aircrack-ng clean.cap -J clean


    [Image: image.jpg]

    Aircrack-ng, Pyrit, and Handshake Validity

    As many of you know, Pyrit can analyze handshake files and tell you in a rather cryptic way if your handshake is good or not. It isn't always right. Aircrack-ng also has some problems checking if handshakes are valid. I will use the same techniques discussed above to extract and modify the contents of .cap files. Regardless of what the programs report I've tested every example below and every example is crackable except example 4.

    Example 1:

    Our previously cleaned cap file which we know has a good handshake.

    [Image: image.jpg]

    Pyrit says it's no good.

    COMMAND: pyrit -r capfile.cap analyze

    [Image: image.jpg]

    Aircrack-ng says it's good (aircrack is correct, because it cracks successfully).
    COMMAND: aircrack-ng capfile.cap -w wordlist.txt

    [Image: image.jpg]

    Example 2:
    Pyrit loves its message 3 and 4 packets, so we will give it some--from the same sequence as message 1 and 2 of course.


    [Image: image.jpg]

    Pyrit is happy to have all four parts of the handshake, but labels the capture file as "workable". Aircrack was able to crack it as before.


    [Image: image.jpg]

    Example 3:

    By selecting packets located closer together, pyrit now reports the capture as "good" instead of "workable".

    [Image: image.jpg]

    Pyrit likes this better...


    [Image: image.jpg]

    Example 4:
    In this example, I chose key message 2 from a different sequence than 1, 3 and 4. YOU SHOULD NOT DO THAT.
    This time, Pyrit says it's bad. Aircrack-ng can't tell that the m1 and m2 packets are out of sequence and thinks there is a valid handshake. It will run forever or until it exhausts the wordlist.


    [Image: image.jpg]

    Conclusion:

    Pyrit often reports good cap files as bad, and that's a bad thing. Aircrack-ng can report bad files as good, and that's worse. Check your own cap files and weed out what you don't need. Stay in one sequence.
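    The Wireshark marking in Step 3 and the Pyrit/aircrack-ng disagreements above both come down to two fields of the EAPOL-Key frame: the Key Information flags, which tell message 1 to 4 apart, and the Replay Counter, which ties M1 and M2 to one exchange. As an added example (not code from the original post), this Python parser classifies constructed EAPOL-Key frames and rejects a message 2 borrowed from another exchange, the mistake in Example 4; the WPA2/RSN flag layout is assumed.

```python
import struct
from collections import namedtuple

# EAPOL-Key "Key Information" flag bits from the 802.11 RSN key descriptor.
KEY_TYPE_PAIRWISE, INSTALL, KEY_ACK, KEY_MIC, SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200
# (Ack, MIC, Install, Secure) pattern of each message as WPA2/RSN sets it (assumed layout;
# legacy WPA v1 does not set Secure here, so its M4 would need the Replay Counter to tell apart).
MSG_BY_FLAGS = {(1, 0, 0, 0): 1, (0, 1, 0, 0): 2, (1, 1, 1, 1): 3, (0, 1, 0, 1): 4}
EapolKey = namedtuple("EapolKey", "msg replay_counter nonce")

def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an 802.1X EAPOL-Key frame; msg is what Wireshark labels "Key (Message n of 4)"."""
    _version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + length]
    _desc_type, key_info, _key_len, replay = struct.unpack_from("!BHHQ", body, 0)
    if not key_info & KEY_TYPE_PAIRWISE:
        raise ValueError("group key handshake, not part of the 4-way")
    flags = tuple(int(bool(key_info & f)) for f in (KEY_ACK, KEY_MIC, INSTALL, SECURE))
    if flags not in MSG_BY_FLAGS:
        raise ValueError(f"unrecognised Key Info 0x{key_info:04x}")
    return EapolKey(MSG_BY_FLAGS[flags], replay, body[13:45])   # Key Nonce is bytes 13..44

def validate_sequence(msgs) -> bool:
    """M1 and M2 must share one Replay Counter; if M3/M4 are present, M3 must repeat
    M1's ANonce and both must carry the counter incremented by one."""
    by = {m.msg: m for m in msgs}
    if 1 not in by or 2 not in by or by[1].replay_counter != by[2].replay_counter:
        return False
    nxt = by[1].replay_counter + 1
    if 3 in by and (by[3].replay_counter != nxt or by[3].nonce != by[1].nonce):
        return False
    return 4 not in by or by[4].replay_counter == nxt

def build_eapol_key(key_info: int, replay: int, nonce: bytes) -> bytes:
    """Constructed sample frame: RSN descriptor (type 2), zeroed IV/RSC/ID/MIC, empty Key Data."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce + bytes(16 + 8 + 8 + 16) + b"\x00\x00"
    return struct.pack("!BBH", 2, 3, len(body)) + body

# Constructed exchange: AP nonce, client nonce, Replay Counter 7 for M1/M2 and 8 for M3/M4.
ANONCE, SNONCE = b"\xa1" * 32, b"\x5e" * 32
GOOD = [build_eapol_key(0x008a, 7, ANONCE), build_eapol_key(0x010a, 7, SNONCE),
        build_eapol_key(0x13ca, 8, ANONCE), build_eapol_key(0x030a, 8, bytes(32))]
# The mistake from Example 4: M2 taken from a later exchange (Replay Counter 12).
MIXED = [GOOD[0], build_eapol_key(0x010a, 12, SNONCE), GOOD[2], GOOD[3]]
```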


    WPA Cracking tutorial (Android Download)

  • by
  • Chris Defaulter Valentine
  • Description ?

    The Art Of Hacking WPA Exploitation.

    This series is a walk-through guide, teaching you as in depth as possible,
    from a beginner's point of view, how to exploit a WPA/WPA2 (AES-CCMP) wireless network.
    This tutorial presumes you have completed and read my previous free
    tutorial, OS_Preparation.

    This guide will teach you to use the Aircrack-ng suite efficiently to compose an effective exploit on a WPA

    network and crack the WPA key.

    ***************Disclaimer***************

    This tutorial series was made solely to teach you how a hacker would exploit and hack

    secure credentials, from a hacker's point of view.
    These intentions are educational, and the material must not be used on any network other than your own.
    This series contains a strong, in-depth explanation of cracking and exploiting; any knowledge attained from it must be used only to understand how a hacker breaks security, so that you can prevent it.

    PandaStudio's and all affiliates will not accept ANY responsibility for ANY damages caused.
    PandaStudio's is not liable for the information you learn from any of the tutorial sets provided, now and in future releases.

    By downloading this series, you agree to the terms and conditions.

    ************************************

    Click Here To Download


    Facebook Cracker Private Tool

  • by
  • Maya Badmash


  • I Don't Think I Need To Elaborate This More As You Can Clearly See In The Image Itself How It Works.
    Still If You Can't Understand Then Seriously You Don't Deserve This.

    Download It From Below Link
    Click Me To Download

     Additional Download Link In Case If You Don't Have Any Good Wordlist.
    Mine Contains More Than 1 Lakh Passwords.

    Click Me to Download

    Wi-Fi Hacking (WEP) Without Dictionary (Only Pictures) ?

  • by
  • Chris Defaulter Valentine
  • Step 1:-


    [Image: JPp87.png]

    Step 2:-

    [Image: TpdBH.png]

    Step 3:-

    [Image: MxNm5.png]

    Step 4:-

    [Image: DF57D.png]

    Step 5:-

    [Image: uZyOo.png]

    Step 6:-

    [Image: 8yfdH.png]

    Step 7:-

    [Image: nQnfL.png]

    Step 8:-

    [Image: 6k4IM.png]

    Step 9:-

    [Image: A1Bfv.png]

    Step 10:-

    [Image: GxbwT.png]

    Step 11:-
    [Image: Kvc4L.png]

    Step 12:-

    [Image: P2wMs.png]

     
    Copyright (c) 2013 Edward Maya
    Sponsored By : Chris Defaulter Valentine