Author Topic: Cracking WPA2 handshakes  (Read 3653 times)


Offline le5fhacker

Cracking WPA2 handshakes
« on: May 23, 2015, 10:08:28 am »
How can I crack the WPA2 handshake once I get it?

I've tried brute force, I've tried dictionary attacks, but they take AGES!

Is there another way to do this?

Thanks

Offline iTpHo3NiX

Re: Cracking WPA2 handshakes
« Reply #1 on: May 23, 2015, 11:58:58 am »
No there's not. An alternative is to crack the WPS if enabled. Either by an online brute force (reaver) or offline brute force (pixiewps). However both rely on vulnerable/unpatched routers. Check the tutorials section man, I've posted pretty much how to crack all 3... WEP, WPA2, WPS...

https://evilzone.org/tutorials/wireless-auditing-with-kali-linux-aircrack-ng-reaver-and-pixiewps
This tutorial focuses on WPS via pixie, however it has the commands for reaver that you would need for an online brute force, you just wouldn't stop the online attack after a successful M3 message. Although I would highly recommend trying pixiewps first.

/move hacking newbies
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline white-knight

Re: Cracking WPA2 handshakes
« Reply #2 on: May 23, 2015, 01:45:28 pm »
Like DeepCopy said, try to crack the WPS, but if they don't have it enabled then it will be a lot harder.


A dictionary attack is only good if the password is actually in the dictionary file. There are tons out there for download. The time it takes to go through the dictionary depends on your system.


Did they change the name of their AP? Or is it still on factory settings? If so, you might be able to gather more information to help with your cracking process. If the AP says 2WIRE293, belkin and so on, try to Google and see what the wifi password is from the factory; you might find some are just 10-digit numbers. That way you know to run a wordlist of numbers and not waste your time running dictionaries that won't work.


Just a thought.

Offline le5fhacker

Re: Cracking WPA2 handshakes
« Reply #3 on: May 23, 2015, 03:24:55 pm »
Hey, thanks for the replies guys!

Yeah, that's what I figured: check the router model or AP name etc. and Google a common wordlist based on that make/model for the default wifi passwords supplied. But most people set custom WPA/WPA2 passwords. And I couldn't find many wordlists. Didn't look very hard though!

I've tried reaver and get lots of errors; I'm guessing these are timeouts due to too many incorrect auth requests etc. It tries the same pin like 20 times, then moves to the next.

I've managed to get a few WPA2 deauth handshakes, but that's where I get stuck. I got a 12Gb wordlist and tried to crack the handshake, but it went for like 4 days lol (guessing based on the size of the wordlist). Maybe try more specific wordlists.

The questions I keep asking are: are these methods up to date with today's technology? Is the security moving faster than these tools we use in Kali etc., like aircrack-ng?

For example, I tried a deauth on a rather new Vodafone router (we have the same router) but got no deauth key in the capture.

Where I'm stuck right now is (and I know I'm new) how to stay ahead of security. Is it going deeper than Linux-based tools?

I know this is like an essay lol, but I just haven't been able to find an answer to these questions!

Thanks guys!
« Last Edit: May 23, 2015, 03:25:32 pm by le5fhacker »

Offline white-knight

Re: Cracking WPA2 handshakes
« Reply #4 on: May 23, 2015, 03:53:06 pm »
Wifi hasn't changed in years. They did finally catch on to the WPS vuln and some manufacturers tried to fix it.


If you are getting timeouts and having issues with reaver try using more options.


If you want to go through wordlists faster or bruteforce faster you will need GPUs, but that still doesn't mean you will get the password, because it must be in the wordlist you are trying.


Here is a free WIFI course: http://www.securitytube.net/groups?operation=view&groupId=9


For wordlists you can do <apt-get install seclists> in a terminal, or get some from here https://wiki.skullsecurity.org/Passwords and many other places.

Offline sakaheroji

Re: Cracking WPA2 handshakes
« Reply #5 on: June 12, 2015, 06:08:47 am »
There is one technique that doesn't need brute force. Try searching on Google: Evil Twin Attack Wifi

Offline iTpHo3NiX

Re: Cracking WPA2 handshakes
« Reply #6 on: June 12, 2015, 07:39:37 am »
> There is one technique that doesn't need brute force. Try searching on Google: Evil Twin Attack Wifi

Although this method can work, you need to have some good equipment and be really close to the AP. It will also require associated client(s) to deauth and connect to your evil twin AP

Offline g3nt0

Re: Cracking WPA2 handshakes
« Reply #7 on: June 28, 2015, 01:17:21 am »
> How can I crack the WPA2 handshake once I get it?
>
> I've tried brute force, I've tried dictionary attacks, but they take AGES!
>
> Is there another way to do this?
>
> Thanks

Try with linset.

Offline Trogdor

Re: Cracking WPA2 handshakes
« Reply #8 on: June 28, 2015, 05:40:53 am »
To launch an Evil Twin attack all you need is an injection card with a decent antenna for deauth, and a separate program to throw up an AP. If you want internet connection then it's much more difficult. I try to use Evil Twin as a last resort, as it's a very loud attack.

Offline frog

Re: Cracking WPA2 handshakes
« Reply #9 on: July 14, 2015, 10:19:16 am »
You can brute force the handshake if you have a decent video card. https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Offline iTpHo3NiX

Re: Cracking WPA2 handshakes
« Reply #10 on: July 14, 2015, 07:26:26 pm »
> You can brute force the handshake if you have a decent video card. https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2


Lol fail. This thread was about alternatives to a bruteforce/dictionary attack
« Last Edit: July 14, 2015, 07:27:00 pm by DeepCopy »

Offline Spacebadger

Re: Cracking WPA2 handshakes
« Reply #11 on: July 15, 2015, 05:34:28 am »
I have a few methods which you can do a read about:

1. Reaver - brute force attack, but works most of the time and takes less than a day to go through all WPS pins, which are limited; depends on your connection (recommended!!!)

However, depending on your service provider (like mine), they may have discovered the flaw and upgraded the firmware in most of their routers. :(

2. Evil twin method

3. Misassociation attack

4. hashcat GUI - a whole lot faster than aircrack-ng, depending on your GC.

5. HSRP takeover

I did a read about on getting WPA2 passwords; there have to be like 10 methods or so. I can't remember the other few.

Offline frog

Re: Cracking WPA2 handshakes
« Reply #12 on: July 16, 2015, 04:34:54 pm »
> Lol fail. This thread was about alternatives to a bruteforce/dictionary attack

I didn't know this was a competition lol. More likely than not OP did not use a GPU in his bruteforcing attempts.
« Last Edit: July 16, 2015, 05:31:48 pm by frog »