+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Support (https://hashcat.net/forum/forum-3.html)
+--- Forum: hashcat (https://hashcat.net/forum/forum-45.html)
+--- Thread: Any Other ways of cracking Wpa2 (/thread-12096.html)
Pages:
1
2
RE: Any Other ways of cracking Wpa2 - Brian - 07-30-2024
(07-30-2024, 07:19 PM)drsnooker Wrote: The uncleaned file sometimes contains the brand name and model (and even serial numbers) hence that can be important.
16 char password is not reasonable to brute force within a lifetime.
I looked on the MarocTelekom website and found:
https://www.iam.ma/particulier/catalogue-des-equipements/equipements-adsl-et-fibre-optique.aspx?fiche=4-equipements-adsl
A few of those models could have included a keygen in their firmware. But if you think it's ZTE, you are out of luck. They have never included a keygen (and I've looked at about 100 of them)
You might want to examine the uncleaned file to confirm the brand name.
I took a look at the cap file using wireshark and I think its ZTE router , and I know that the local ISP gives this router away ( its a fibre optic router ). here is the original cap file if someone wanna take a look .
how do you find the serial number using wireshark ? I've never used it before .
RE: Any Other ways of cracking Wpa2 - Brian - 07-30-2024
(07-30-2024, 07:49 PM)ZerBea Wrote: @Brian
...but I already convert the cap file now cracking it is the main problem.
A successful attack should always start "on the air":
request all information from the AP
request all information from all the CLIENTs connected to the AP
make sure you use tools (e.g. angryoxide https://github.com/Ragnt/AngryOxide) which are able to request all this information (injecting hundreds of stupid DEAUTHENTICATIONs to get a 4way handshake is far away from that).
If the cap has been recorded and it has been converted to a hc22000 file, it's too late to get this information. It is gone forever.
Now you have to run a mask attack if the PSK use a small pattern,
you have to use a keygen if the algo is know or
you have to brute force it (not feasible on 16 a-zA-Z09).
As @drsnooker wrote: analyze the uncleaned traffic to get more information.
As I worte: make sure the dump file contains all information you can get.
I still have the uncleaned file but I can't figure nothing out of it ,except the router name , but speaking of PSK attack is it the same as WPA2 ?
RE: Any Other ways of cracking Wpa2 - ZerBea - 07-31-2024
PSK == PreSharedKey == WPA Password
I took a look at the uncleaned dump file. It reflects exactly what I wrote:
894233 stupid DEUTHENTICATION frames have been injected:
Code:
DEAUTHENTICATION (total).................: 894233
...
Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.More than half an hour your attack tool flooded the entire channel (transmitting mostly useless DEAUTHENTICATION frames):
Code:
timestamp minimum (timestamp)............: 22.07.2024 09:25:51 (1721640351)
timestamp maximum (timestamp)............: 22.07.2024 10:01:51 (1721642511)Code:
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL M32E2 (authorized).................: 1Please take a look at packet 67210 -> you got an EAPOL M1
But instead of waiting to get an EAPOL M2 to complete the handshake, the attack tool injected hundreds of stupid DEAUTHENTICATION frames. The CLIENT has no chance to reply.
The same on packet 80985. Again no chance for the CLIENT to reply.
The same on packet 96062. Again no chance for the CLIENT to reply, because the attack tool still floods the channel with DEAUTHENTICATION frames.......
No undirected PROBEREQUESTs inside the dump file from which you can "possible" get more information:
Code:
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.https://hashcat.net/forum/thread-12096-post-61265.html#pid61265Your attack device can either transmit or receive (but not both at the same time on the same channel).
At the time your attack tool transmitted this 894233 stupid DEUTHENTICATION frames you have received nothing(!) from the target.
BTW:
This "noisy" attack can be easy detected by every intrusion detection system.
Please note:
hashcat does not attack a NETWORK! It is only able to recover the PSK from a hash (brute force by word list, by rule, by mask or by a combination of them).
The real attack has to be done on the air. If this attack failed, hashcat will fail, too (or it will take a long time to brute force the PSK).
BTW 2:
The RADIOTAP header has been not recorded:
Code:
Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/You can get some good information of the quality of the packet from it.
Example what is missing in your dump file:
Code:
Radiotap Header v0, Length 24
Header revision: 0
Header pad: 0
Header length: 24
Present flags
Present flags word: 0xa000402e
.... .... .... .... .... .... .... ...0 = TSFT: Absent
.... .... .... .... .... .... .... ..1. = Flags: Present
.... .... .... .... .... .... .... .1.. = Rate: Present
.... .... .... .... .... .... .... 1... = Channel: Present
.... .... .... .... .... .... ...0 .... = FHSS: Absent
.... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
.... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
.... .... .... .... .... .... 0... .... = Lock Quality: Absent
.... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
.... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
.... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
.... .... .... .... .... 0... .... .... = Antenna: Absent
.... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
.... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
.... .... .... .... .1.. .... .... .... = RX flags: Present
.... .... .... .... 0... .... .... .... = TX flags: Absent
.... .... .... ..0. .... .... .... .... = data retries: Absent
.... .... .... .0.. .... .... .... .... = Channel+: Absent
.... .... .... 0... .... .... .... .... = MCS information: Absent
.... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
.... .... ..0. .... .... .... .... .... = VHT information: Absent
.... .... .0.. .... .... .... .... .... = frame timestamp: Absent
.... .... 0... .... .... .... .... .... = HE information: Absent
.... ...0 .... .... .... .... .... .... = HE-MU information: Absent
.... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
.... 0... .... .... .... .... .... .... = L-SIG: Absent
.... ..0. .... .... .... .... .... .... = Reserved: 0x0
...0 .... .... .... .... .... .... .... = TLVs: Absent
..1. .... .... .... .... .... .... .... = Radiotap NS next: True
.0.. .... .... .... .... .... .... .... = Vendor NS next: False
1... .... .... .... .... .... .... .... = Ext: Present
Present flags word: 0x00000820
.... .... .... .... .... .... .... ...0 = TSFT: Absent
.... .... .... .... .... .... .... ..0. = Flags: Absent
.... .... .... .... .... .... .... .0.. = Rate: Absent
.... .... .... .... .... .... .... 0... = Channel: Absent
.... .... .... .... .... .... ...0 .... = FHSS: Absent
.... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
.... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
.... .... .... .... .... .... 0... .... = Lock Quality: Absent
.... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
.... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
.... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
.... .... .... .... .... 1... .... .... = Antenna: Present
.... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
.... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
.... .... .... .... .0.. .... .... .... = RX flags: Absent
.... .... .... .... 0... .... .... .... = TX flags: Absent
.... .... .... ..0. .... .... .... .... = data retries: Absent
.... .... .... .0.. .... .... .... .... = Channel+: Absent
.... .... .... 0... .... .... .... .... = MCS information: Absent
.... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
.... .... ..0. .... .... .... .... .... = VHT information: Absent
.... .... .0.. .... .... .... .... .... = frame timestamp: Absent
.... .... 0... .... .... .... .... .... = HE information: Absent
.... ...0 .... .... .... .... .... .... = HE-MU information: Absent
.... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
.... 0... .... .... .... .... .... .... = L-SIG: Absent
.... ..0. .... .... .... .... .... .... = Reserved: 0x0
...0 .... .... .... .... .... .... .... = TLVs: Absent
..0. .... .... .... .... .... .... .... = Radiotap NS next: False
.0.. .... .... .... .... .... .... .... = Vendor NS next: False
0... .... .... .... .... .... .... .... = Ext: Absent
Flags: 0x00
.... ...0 = CFP: False
.... ..0. = Preamble: Long
.... .0.. = WEP: False
.... 0... = Fragmentation: False
...0 .... = FCS at end: False
..0. .... = Data Pad: False
.0.. .... = Bad FCS: False
0... .... = Short GI: False
Data Rate: 1,0 Mb/s
Channel frequency: 2412 [BG 1]
Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
.... .... .... ...0 = 700 MHz spectrum: False
.... .... .... ..0. = 800 MHz spectrum: False
.... .... .... .0.. = 900 MHz spectrum: False
.... .... ...0 .... = Turbo: False
.... .... ..1. .... = Complementary Code Keying (CCK): True
.... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
.... .... 1... .... = 2 GHz spectrum: True
.... ...0 .... .... = 5 GHz spectrum: False
.... ..0. .... .... = Passive: False
.... .0.. .... .... = Dynamic CCK-OFDM: False
.... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
...0 .... .... .... = GSM (900MHz): False
..0. .... .... .... = Static Turbo: False
.0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
Antenna signal: -70 dBm
RX flags: 0x0000
.... .... .... .... .... ..0. = Bad PLCP: False
Antenna signal: -70 dBm
Antenna: 0BTW: 3:
The format of your dump file is cap. This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html_chunked/AppFiles.html#ChAppFilesCaptureFilesSection
https://github.com/pcapng/pcapng
State of the art dump file format is pcapng. The leading network analyzer tools (Wireshark, tshark) use this format as default.
But in the end your attack was successful (if it was only the goal to get an EAPOL 4way handshake) you got a it (packets 66396-66400). It can be converted to a hc22000 file hashcat can work on.
Unfortunately (on that entire key space) it will take a human life time to get the PSK by brute force methods.
RE: Any Other ways of cracking Wpa2 - ZerBea - 07-31-2024
Finding information (if present in a BEACON) via Wireshark is simple:
Get example dump file (pmkid-not-recognized.cap) from here:
https://github.com/aircrack-ng/aircrack-ng/tree/master/test
Open it in Wireshark
Search for a BEACON
Open "IEEE 802.11 Wireless Management"
Open "Tag: Vendor Specific: Microsoft Corp.: WPS"
Open "Model Name:"
Code:
Model Name: RA69
Data Element Type: Model Name (0x1023)
Data Element Length: 4
Model Name: RA69Or use hcxtools:
Code:
$ hcxpcapngtool -D devinfo pmkid-not-recognized.cap
$ cat devinfo
8cdef9d0b461 xiaomi RA69 12345 XiaoMiRouter 876543219abcdef012348cdef9d0b461 WMLBTW: If you run hcxpcapngtool and if you wonder why the PMKID (packet 16789) has not been converted, take a look at packet 16792:
Code:
Authentication Algorithm: Simultaneous Authentication of Equals (SAE) (3)RE: Any Other ways of cracking Wpa2 - Brian - 07-31-2024
(07-31-2024, 11:20 AM)ZerBea Wrote: Finding information (if present in a BEACON) via Wireshark is simple:
Get example dump file (pmkid-not-recognized.cap) from here:
https://github.com/aircrack-ng/aircrack-ng/tree/master/test
Open it in Wireshark
Search for a BEACON
Open "IEEE 802.11 Wireless Management"
Open "Tag: Vendor Specific: Microsoft Corp.: WPS"
Open "Model Name:"
Code:Model Name: RA69
Data Element Type: Model Name (0x1023)
Data Element Length: 4
Model Name: RA69
Or use hcxtools:
Code:$ hcxpcapngtool -D devinfo pmkid-not-recognized.cap
$ cat devinfo
8cdef9d0b461 xiaomi RA69 12345 XiaoMiRouter 876543219abcdef012348cdef9d0b461 WML
BTW: If you run hcxpcapngtool and if you wonder why the PMKID (packet 16789) has not been converted, take a look at packet 16792:
It is WPA3 - hascat can't do it.Code:Authentication Algorithm: Simultaneous Authentication of Equals (SAE) (3)
thanks for the the detail explanaition .I realliy appriciate it .
the reason I left it run for half an hour is I thought more information is better and also for the first 3 tries I couldn't capture the handshake for some reason even after sevral minutes of monitoring .
and I'm just following tutorials on youtube I have no idea on what I'm doing .
so there is no hope finding the password ?
RE: Any Other ways of cracking Wpa2 - drsnooker - 08-01-2024
Good job getting this far, there's always lot more to learn with this hobby! I'm thinking most of us got started with K_a_l_i and wifite, but the tools have gotten much better since then. Not in the least thanks to @ZerBea!
Here's to hoping other new users will find this thread and learn from it!
As far as this particular password, there's always hope! The keygen might be discovered or leaked by a disgruntled former employee. A new attack vector might be found for the network.
But lastly there's always social engineering! You don't even have to dress up as a MarocTelekom engineer to "inspect" a wireless device for "interference", a simple phone call will usually do... But this might be frowned upon in your part of the world. Alternatively, a bottle of wine and being a friendly neighbor might be enough for them willing to share their connection! But that's not hashcat related, so perhaps a different forum is a better place for that discussion.