[Cracking WPA2 2/2] Cracking the Handshake

How long did it take to crack the handshake?

  • Within 5 minutes (crappy password)

    Votes: 2 20.0%
  • Within an hour (normal password)

    Votes: 2 20.0%
  • Within a day (okish password)

    Votes: 3 30.0%
  • Within a week (above average password)

    Votes: 0 0.0%
  • Never (The password was too good)

    Votes: 3 30.0%

  • Total voters
    10

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
And then the password is vendor generated like TZ4GZ7J4KL7P9UT1B36Q9 xD
 

kingston

Contributor
Feb 10, 2016
243
151
128
I read somewhere a couple of years ago that ATI cards were not only faster than nvdia, BUT SIGNIFICANTLY faster lol. If I remember the performance were at least doubled.
I actually cracked all the wifi networks near my house. The hardest password I have found on WPA took me 2 days and it was "spirou75". LOL

I have a GTX980ti AMP EXTREME, it would be fun if you could provide a cap file and actually make a contest on who finds the pass first :p!
Oh wow, that sounds pretty cool in my ears :D

And then the password is vendor generated like TZ4GZ7J4KL7P9UT1B36Q9 xD
Indeed that's in fact possible and e.g. UPC routers are mostly like that unless user messed with defaults.
 
Last edited:

kingston

Contributor
Feb 10, 2016
243
151
128
But first things first... i have 2 major problems: 23 out of 28 APs discovered are like -80 to -92. So i will definitely need a better antenna. The other problem is TX which is capped to 100mW and i can't fix that. I have read all night and the final conclusion is that it is locked on firmware level so there is no point in playing with drivers or kernel as it just won't work and the card will simply ignore those settings. Tried in many ways and no go. The BO trick is a laugh (without modified firmware at least) and so are many others. I don't know how to sort this out but for Atheros it seems hard. Ralink and Realtek is easier but they have issues with rates, deauth and such. And no card will go higher by default because it is required by law. So all those stories about Alfas doing 2 or even 5 watts... pure bullshit. They all need to be modded. So it is not really about the brand but particular chipset. My cheap dongle can also do 2W instead of 0.1W if i find a away to uncap it. Anyway 1W+ would possibly fry it :D

This seems very important because anything below -75 seems tough to work with - WPS wise and deauth wise. Just not enough power or antenna gain. And even if it eventually worked the bandwidth would be pretty low as i wouldn't see more than 1/3 of link quality.
 
Last edited:

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
FYI some realtek drivers (their own drivers, not the linux blobs) have a wifi certification test mode that you can enable at compile time and/or as a argument when loading the module. I believe that this mode allows you to use extraordinary powers and channels :)
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
But first things first... i have 2 major problems: 23 out of 28 APs discovered are like -80 to -92. So i will definitely need a better antenna.
You can work something out with a dish satellite and an external wifi usb dongle with usb extension to get low signal. I did it in my 8 feet long fishing boat, far from civilization, trying to get internet access from a house nearby. My setup gave me a boost of about 30 feet.
 

0day

Contributor
Oct 16, 2015
140
268
148
Lots of routers still vulnerable to reaver attacks, usually use this method in my imaginary hacking adventures that never happen ever.
 
Last edited:

swarmdeco

Member
Feb 27, 2016
25
48
48
Lots of routers still vulnerable to reaper attacks, usually use this method in my imaginary hacking adventures that never happen ever.

Reaver [1], for the people who does not know, it's a brute force tool for routers that have WPS (Wi-Fi Proteted Setup) enabled. The WPS technology it's used to easily setup new clients to Wireless Networks using a PINCode (There are other mechanisms like NFC, PBC and USB [2], but I'm not going into that now).

Reaver takes around 8 hours to complete, but not every router with WPS is vulnerable. There are some manufacturers that establish a cooldown between attempts, making the attack impossible to develop. But it always worth the try.

Common reaver usage [3]:
Code:
reaver -i <monitor_iface> -c <wifi_channel> -b <access_point_MAC> -vv

Recommendation against reaver attacks:
  • Disable WPS (Warning, there are reports of firmwares that allows you to disable WPS via WebInterfaace but they don't do anything)
  • Try Reaver on your own Router to check if it's vulnerable, don't wait until someone else tries it.
  • I don't know how Reaver manages to simulate the "button-pressing", but for people saying: "You are secure as long as you don't press the button", it's not true.
- Swarm!


[1] http://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver
[2] https://es.wikipedia.org/wiki/Wi-Fi_Protected_Setup
[3] https://www.pwnieexpress.com/wps-cracking-with-reaver/
 

kingston

Contributor
Feb 10, 2016
243
151
128
I know of a case when reaver took just a few seconds to finish. Still not sure how was that possible but it worked. Sadly, in many other cases there was a cooldown and some also went into locked mode after short time and never got back to normal mode since. A few more cases were even less optimistic - there were loops consisting of timeouts, repeats and some error codes (mostly in TP-LINK routers) and nothing seemed to help. Also, many routers seem to kinda freeze reaver - it will wait forever on "waiting for beacon" even though those APs actually push lots of beacons which is easy to see with other tools. Not sure what's wrong there.

I found this interesting comment somewhere:
Nirvana1327 says:
August 18, 2015 at 4:17 pm

Reaver is dead. All new routers stop Reaver in its tracks. Yes there are some legacy old crappy routers out there still vulnerable to the WPS attack but they are becoming less and less common with time. Consider the Reaver code hasn’t been updated in 3 years now. You’ll have rely on more serious methods to break WPA encryption which isn’t as cookie cutter newbie friendly like Reaver was. Reaver was great for its time but alas all good things come to an end.
I might agree with that guy. That's exactly what i noticed, too. So either luck with crappy device/admin or no banana.
 
Last edited:

0day

Contributor
Oct 16, 2015
140
268
148
Why I typed reaper is beyond me, maybe I was thinking about music editing lol. Anyways there are a lot of routers out there with default or easy pins like 12345678 etc, reaver tries all of the well known ones first and that is probably why you got a fast entry :) Meh if you are within range or feel like getting frisky with a raspberry pie, reaver can be worth your time and save a few pesos on the electricity bill :-D. The flip side, if you hit a brick wall, that is wasted time. Nice to have options though. Thanks for clarifying swarm and making me aware of my typo :).
 

swarmdeco

Member
Feb 27, 2016
25
48
48
I know of a case when reaver took just a few seconds to finish. Still not sure how was that possible but it worked. Sadly, in many other cases there was a cooldown and some also went into locked mode after short time and never got back to normal mode since. A few more cases were even less optimistic - there were loops consisting of timeouts, repeats and some error codes (mostly in TP-LINK routers) and nothing seemed to help. Also, many routers seem to kinda freeze reaver - it will wait forever on "waiting for beacon" even though those APs actually push lots of beacons which is easy to see with other tools. Not sure what's wrong there.

I found this interesting comment somewhere:
Nirvana1327 says:
August 18, 2015 at 4:17 pm

Reaver is dead. All new routers stop Reaver in its tracks. Yes there are some legacy old crappy routers out there still vulnerable to the WPS attack but they are becoming less and less common with time. Consider the Reaver code hasn’t been updated in 3 years now. You’ll have rely on more serious methods to break WPA encryption which isn’t as cookie cutter newbie friendly like Reaver was. Reaver was great for its time but alas all good things come to an end.
I might agree with that guy. That's exactly what i noticed, too. So either luck with crappy device/admin or no banana.

Altough I'm agree with you and Nirvana1327 comment, in my experience it's always worth the try since the attack it's a matter of seconds, and as @0day says there are still some vulnerable routers out there and it's a cheap attack.

On my years as a pentester, believe me... I had faced companies that had invested millions on new software/hardware for their company, but there is always some legacy shit lying around, default passwords and even TELNET backdoors available. So if the attack is cheap, fast and easy (and anonymous, you don't want to be discovered) it's worth the try.

- Swarm
 
Top