Any other ways of cracking WPA2
#11
(07-30-2024, 07:19 PM)drsnooker Wrote: The uncleaned file sometimes contains the brand name and model (and even serial numbers) hence that can be important.
16 char password is not reasonable to brute force within a lifetime.

I looked on the MarocTelekom website and found:
https://www.iam.ma/particulier/catalogue...ments-adsl

A few of those models could have included a keygen in their firmware. But if you think it's ZTE, you are out of luck. They have never included a keygen (and I've looked at about 100 of them).
You might want to examine the uncleaned file to confirm the brand name.

I took a look at the cap file using Wireshark and I think it's a ZTE router, and I know that the local ISP gives this router away (it's a fibre optic router). Here is the original cap file if someone wants to take a look.

How do you find the serial number using Wireshark? I've never used it before.
#12
(07-30-2024, 07:49 PM)ZerBea Wrote: @Brian
...but I already convert the cap file now cracking it is the main problem.

A successful attack should always start "on the air":
request all information from the AP
request all information from all the CLIENTs connected to the AP
make sure you use tools (e.g. angryoxide https://github.com/Ragnt/AngryOxide) which are able to request all this information (injecting hundreds of stupid DEAUTHENTICATIONs to get a 4way handshake is far away from that).


If the cap has been recorded and it has been converted to a hc22000 file, it's too late to get this information. It is gone forever.
Now you have to run a mask attack if the PSK uses a small pattern,
you have to use a keygen if the algorithm is known, or
you have to brute force it (not feasible on 16 characters of a-zA-Z0-9).

As @drsnooker wrote: analyze the uncleaned traffic to get more information.
As I wrote: make sure the dump file contains all information you can get.

I still have the uncleaned file but I can't figure anything out of it, except the router name. But speaking of a PSK attack, is it the same as WPA2?
#13
PSK == PreSharedKey == WPA Password

I took a look at the uncleaned dump file. It reflects exactly what I wrote:
894233 stupid DEAUTHENTICATION frames have been injected:
Code:
DEAUTHENTICATION (total).................: 894233
...
Warning: excessive number of deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT change channel, reset EAPOL TIMER, renew ANONCE and set PMKID to zero. This could prevent to calculate a valid EAPOL MESSAGE PAIR, to get a valid PMKID or to decrypt the traffic.
Mostly this DEAUTHENTICATION frames are useless, because they are addressed to broadcast FF:FF:FF:FF:FF:FF.

For more than half an hour your attack tool flooded the entire channel (transmitting mostly useless DEAUTHENTICATION frames):
Code:
timestamp minimum (timestamp)............: 22.07.2024 09:25:51 (1721640351)
timestamp maximum (timestamp)............: 22.07.2024 10:01:51 (1721642511)
to get a single EAPOL MESSAGEPAIR:
Code:
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL M32E2 (authorized).................: 1

Please take a look at packet 67210 -> you got an EAPOL M1
But instead of waiting to get an EAPOL M2 to complete the handshake, the attack tool injected hundreds of stupid DEAUTHENTICATION frames. The CLIENT has no chance to reply.

The same on packet 80985. Again no chance for the CLIENT to reply.
The same on packet 96062. Again no chance for the CLIENT to reply, because the attack tool still floods the channel with DEAUTHENTICATION frames.......

No undirected PROBEREQUESTs inside the dump file from which you could possibly get more information:
Code:
Information: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK. It always happens if the capture file was cleaned or it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.
https://hashcat.net/forum/thread-12096-post-61265.html#pid61265

Your attack device can either transmit or receive (but not both at the same time on the same channel).
At the time your attack tool transmitted these 894233 stupid DEAUTHENTICATION frames you received nothing(!) from the target.

BTW:
This "noisy" attack can be easily detected by every intrusion detection system.

Please note:
hashcat does not attack a NETWORK! It is only able to recover the PSK from a hash (brute force by word list, by rule, by mask or by a combination of them).
The real attack has to be done on the air. If this attack fails, hashcat will fail too (or it will take a long time to brute force the PSK).


BTW 2:
The RADIOTAP header has not been recorded:
Code:
Information: radiotap header is missing!
Radiotap is a de facto standard for 802.11 frame injection and reception. The radiotap header format is a mechanism to supply additional information about frames, from the driver to userspace applications.
https://www.radiotap.org/

You can get some good information about the quality of the packet from it.
Example of what is missing in your dump file:
Code:
Radiotap Header v0, Length 24
    Header revision: 0
    Header pad: 0
    Header length: 24
    Present flags
        Present flags word: 0xa000402e
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..1. = Flags: Present
            .... .... .... .... .... .... .... .1.. = Rate: Present
            .... .... .... .... .... .... .... 1... = Channel: Present
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 0... .... .... = Antenna: Absent
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .1.. .... .... .... = RX flags: Present
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..1. .... .... .... .... .... .... .... = Radiotap NS next: True
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            1... .... .... .... .... .... .... .... = Ext: Present
        Present flags word: 0x00000820
            .... .... .... .... .... .... .... ...0 = TSFT: Absent
            .... .... .... .... .... .... .... ..0. = Flags: Absent
            .... .... .... .... .... .... .... .0.. = Rate: Absent
            .... .... .... .... .... .... .... 0... = Channel: Absent
            .... .... .... .... .... .... ...0 .... = FHSS: Absent
            .... .... .... .... .... .... ..1. .... = dBm Antenna Signal: Present
            .... .... .... .... .... .... .0.. .... = dBm Antenna Noise: Absent
            .... .... .... .... .... .... 0... .... = Lock Quality: Absent
            .... .... .... .... .... ...0 .... .... = TX Attenuation: Absent
            .... .... .... .... .... ..0. .... .... = dB TX Attenuation: Absent
            .... .... .... .... .... .0.. .... .... = dBm TX Power: Absent
            .... .... .... .... .... 1... .... .... = Antenna: Present
            .... .... .... .... ...0 .... .... .... = dB Antenna Signal: Absent
            .... .... .... .... ..0. .... .... .... = dB Antenna Noise: Absent
            .... .... .... .... .0.. .... .... .... = RX flags: Absent
            .... .... .... .... 0... .... .... .... = TX flags: Absent
            .... .... .... ..0. .... .... .... .... = data retries: Absent
            .... .... .... .0.. .... .... .... .... = Channel+: Absent
            .... .... .... 0... .... .... .... .... = MCS information: Absent
            .... .... ...0 .... .... .... .... .... = A-MPDU Status: Absent
            .... .... ..0. .... .... .... .... .... = VHT information: Absent
            .... .... .0.. .... .... .... .... .... = frame timestamp: Absent
            .... .... 0... .... .... .... .... .... = HE information: Absent
            .... ...0 .... .... .... .... .... .... = HE-MU information: Absent
            .... .0.. .... .... .... .... .... .... = 0 Length PSDU: Absent
            .... 0... .... .... .... .... .... .... = L-SIG: Absent
            .... ..0. .... .... .... .... .... .... = Reserved: 0x0
            ...0 .... .... .... .... .... .... .... = TLVs: Absent
            ..0. .... .... .... .... .... .... .... = Radiotap NS next: False
            .0.. .... .... .... .... .... .... .... = Vendor NS next: False
            0... .... .... .... .... .... .... .... = Ext: Absent
    Flags: 0x00
        .... ...0 = CFP: False
        .... ..0. = Preamble: Long
        .... .0.. = WEP: False
        .... 0... = Fragmentation: False
        ...0 .... = FCS at end: False
        ..0. .... = Data Pad: False
        .0.. .... = Bad FCS: False
        0... .... = Short GI: False
    Data Rate: 1,0 Mb/s
    Channel frequency: 2412 [BG 1]
    Channel flags: 0x00a0, Complementary Code Keying (CCK), 2 GHz spectrum
        .... .... .... ...0 = 700 MHz spectrum: False
        .... .... .... ..0. = 800 MHz spectrum: False
        .... .... .... .0.. = 900 MHz spectrum: False
        .... .... ...0 .... = Turbo: False
        .... .... ..1. .... = Complementary Code Keying (CCK): True
        .... .... .0.. .... = Orthogonal Frequency-Division Multiplexing (OFDM): False
        .... .... 1... .... = 2 GHz spectrum: True
        .... ...0 .... .... = 5 GHz spectrum: False
        .... ..0. .... .... = Passive: False
        .... .0.. .... .... = Dynamic CCK-OFDM: False
        .... 0... .... .... = Gaussian Frequency Shift Keying (GFSK): False
        ...0 .... .... .... = GSM (900MHz): False
        ..0. .... .... .... = Static Turbo: False
        .0.. .... .... .... = Half Rate Channel (10MHz Channel Width): False
        0... .... .... .... = Quarter Rate Channel (5MHz Channel Width): False
    Antenna signal: -70 dBm
    RX flags: 0x0000
        .... .... .... .... .... ..0. = Bad PLCP: False
    Antenna signal: -70 dBm
    Antenna: 0

BTW: 3:
The format of your dump file is cap. This file format is a very basic format to save captured network data.
It is recommended to use PCAP Next Generation dump file format (or pcapng for short) instead. The PCAP Next Generation dump file format is an attempt to overcome the limitations of the currently widely used (but very limited) libpcap (cap, pcap) format.
https://www.wireshark.org/docs/wsug_html...lesSection
https://github.com/pcapng/pcapng

State of the art dump file format is pcapng. The leading network analyzer tools (Wireshark, tshark) use this format as default.


But in the end your attack was successful (if the goal was only to get an EAPOL 4way handshake): you got it (packets 66396-66400). It can be converted to a hc22000 file hashcat can work on.
Unfortunately (on that entire key space) it will take a human lifetime to get the PSK by brute force methods.
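As an added example (not code from this thread and not part of hcxtools), the following Python script performs on a classic pcap the same triage the post above did by hand on the poster's file: it counts deauthentication/disassociation frames and how many are addressed to broadcast, reports whether the link type carries a radiotap header, labels every EAPOL-Key frame as M1..M4 from its Key Information bits, and checks whether an M1 is actually answered by an M2 from the same client. The capture it analyses is constructed inline (made-up locally administered MAC addresses, zeroed nonces and MICs); the threshold of 100 deauthentication frames for the "excessive" flag is an assumption chosen for this example, not hcxpcapngtool's rule.

```python
"""Triage a classic pcap of raw 802.11 frames: deauth flood, EAPOL handshake
messages, radiotap presence. Added example; the sample capture is constructed."""
import struct

LINKTYPE_IEEE802_11 = 105           # bare 802.11 frames, no radiotap (the "cap" in the thread)
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames prefixed by a radiotap header
BROADCAST = b"\xff" * 6
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header, EtherType 0x888E
DEAUTH_WARN_THRESHOLD = 100         # assumed heuristic for this example, not hcxtools' rule

# EAPOL-Key "Key Information" bits (IEEE 802.11, 12.7.2)
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200


def classify_eapol(key_info):
    """Label an EAPOL-Key frame as 4-way handshake message M1..M4 from its flags."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    secure, install = key_info & KI_SECURE, key_info & KI_INSTALL
    if ack and not mic:
        return "M1"
    if mic and not ack and not secure:
        return "M2"
    if ack and mic and install:
        return "M3"
    if mic and not ack and secure:
        return "M4"
    return "?"


def read_pcap(data):
    """Return (linktype, [(timestamp, frame), ...]) from a little-endian classic pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng needs another reader)")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def triage(pcap_bytes):
    """Summarise the points hcxpcapngtool's warnings are about, for this capture."""
    linktype, records = read_pcap(pcap_bytes)
    has_radiotap = linktype == LINKTYPE_IEEE802_11_RADIOTAP
    deauth_total = deauth_bcast = 0
    eapol = []                                   # (message label, client MAC) in capture order
    for _ts, frame in records:
        if has_radiotap:                         # radiotap: version, pad, u16 length, ...
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
        fc0, fc1 = frame[0], frame[1]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        addr1, addr2 = frame[4:10], frame[10:16]
        if ftype == 0 and subtype in (10, 12):   # disassociation / deauthentication
            deauth_total += 1
            if addr1 == BROADCAST:
                deauth_bcast += 1
        elif ftype == 2 and (fc1 & 0x03) != 0x03:          # data frame, not 4-address WDS
            body = frame[24 + (2 if subtype & 0x8 else 0):]  # QoS data has 2 extra header bytes
            if body.startswith(LLC_SNAP_EAPOL):
                pkt = body[8:]
                if len(pkt) >= 7 and pkt[1] == 3 and pkt[4] == 2:   # EAPOL-Key, RSN descriptor
                    label = classify_eapol(struct.unpack_from(">H", pkt, 5)[0])
                    client = addr1 if label in ("M1", "M3") else addr2  # AP->client or client->AP
                    eapol.append((label, client))
    # hashcat needs at least an M1 answered by an M2 from the same client; a bare M1 is worthless
    pairs = sum(1 for (a, ca), (b, cb) in zip(eapol, eapol[1:]) if (a, b) == ("M1", "M2") and ca == cb)
    orphan_m1 = sum(1 for (a, _), nxt in zip(eapol, eapol[1:] + [("", None)]) if a == "M1" and nxt[0] != "M2")
    span = records[-1][0] - records[0][0] if records else 0.0
    return {
        "radiotap": has_radiotap,
        "deauth_total": deauth_total,
        "deauth_broadcast": deauth_bcast,
        "deauth_excessive": deauth_total > DEAUTH_WARN_THRESHOLD,
        "eapol_sequence": [m for m, _ in eapol],
        "eapol_pairs": pairs,
        "orphan_m1": orphan_m1,
        "capture_seconds": round(span, 1),
    }


def build_sample_capture():
    """Constructed capture (made-up MACs, zeroed nonces/MICs) reproducing the pattern
    described in the post: a broadcast deauth flood, an unanswered M1, then M1..M4."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    deauth = bytes([12 << 4, 0]) + b"\x00\x00" + BROADCAST + ap + ap + b"\x00\x00" + b"\x07\x00"
    beacon = bytes([8 << 4, 0]) + b"\x00\x00" + BROADCAST + ap + ap + b"\x00\x00"

    def eapol_key(key_info, dst, src):
        # EAPOL-Key body: descriptor type 2 (RSN), key info, then 92 zero bytes standing in
        # for the remaining fixed fields (key length .. key data length)
        key_body = bytes([2]) + struct.pack(">H", key_info) + b"\x00" * 92
        eapol = bytes([2, 3]) + struct.pack(">H", len(key_body)) + key_body  # version 2, type Key
        fc1 = 0x02 if src == ap else 0x01                                  # FromDS / ToDS
        return bytes([0x08, fc1]) + b"\x00\x00" + dst + src + ap + b"\x00\x00" + LLC_SNAP_EAPOL + eapol

    frames = [beacon] + [deauth] * 200 + [eapol_key(0x008A, sta, ap)] + [deauth] * 50
    frames += [eapol_key(0x008A, sta, ap), eapol_key(0x010A, ap, sta),
               eapol_key(0x13CA, sta, ap), eapol_key(0x030A, ap, sta)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):                  # ten frames per second, starting at t0
        out += struct.pack("<IIII", 1721640351 + i // 10, (i % 10) * 100000, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for key, value in triage(build_sample_capture()).items():
        print(f"{key:.<24} {value}")
```

Against a real file, call `triage(open("dump.cap", "rb").read())`; the reader handles classic little-endian pcap with link types 105 and 127 only, and a pcapng file needs a different reader. On the constructed capture it reports 250 broadcast deauthentications, no radiotap header, an M1 with no M2 behind it, and exactly one usable M1/M2 pair, which is the shape of the capture the post is describing.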
#14
Finding information (if present in a BEACON) via Wireshark is simple:
Get example dump file (pmkid-not-recognized.cap) from here:
https://github.com/aircrack-ng/aircrack-...aster/test

Open it in Wireshark
Search for a BEACON
Open "IEEE 802.11 Wireless Management"
Open "Tag: Vendor Specific: Microsoft Corp.: WPS"
Open "Model Name:"
Code:
Model Name: RA69
    Data Element Type: Model Name (0x1023)
    Data Element Length: 4
    Model Name: RA69

Or use hcxtools:
Code:
$ hcxpcapngtool -D devinfo pmkid-not-recognized.cap
$ cat devinfo
8cdef9d0b461    xiaomi    RA69    12345    XiaoMiRouter    876543219abcdef012348cdef9d0b461    WML

BTW: If you run hcxpcapngtool and if you wonder why the PMKID (packet 16789) has not been converted, take a look at packet 16792:
Code:
Authentication Algorithm: Simultaneous Authentication of Equals (SAE) (3)
It is WPA3 - hashcat can't do it.
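As an added example (not code from this thread or from hcxtools), this Python snippet does programmatically what the Wireshark click-through above does by hand: it walks a beacon's information elements, pulls the WPS attributes (Manufacturer 0x1021, Model Name 0x1023, Model Number 0x1024, Serial Number 0x1042, Device Name 0x1011) out of the Microsoft vendor-specific IE, lists the RSN AKM suites the AP advertises, and reads the algorithm number of an authentication frame so that an SAE (WPA3) exchange is recognised. The beacon and authentication frame are constructed inline; the BSSID, SSID, vendor strings and serial number are made-up placeholders.

```python
"""Pull device identity from a beacon's WPS IE, list RSN AKM suites and read the
algorithm of an authentication frame. Added example; the frames are constructed."""
import struct

BROADCAST = b"\xff" * 6
WPS_OUI_TYPE = bytes.fromhex("0050f204")      # Microsoft OUI 00:50:F2, type 4 = WPS
WPS_ATTR = {0x1021: "manufacturer", 0x1023: "model_name", 0x1024: "model_number",
            0x1042: "serial_number", 0x1011: "device_name"}
AKM_SUITE = {bytes.fromhex("000fac01"): "802.1X", bytes.fromhex("000fac02"): "PSK",
             bytes.fromhex("000fac06"): "PSK-SHA256", bytes.fromhex("000fac08"): "SAE"}
AUTH_ALGORITHM = {0: "Open System", 1: "Shared Key", 2: "FT", 3: "SAE"}


def iter_ies(body):
    """Yield (tag, value) for each information element in a management frame body."""
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        yield tag, body[off + 2:off + 2 + length]
        off += 2 + length


def parse_wps(value):
    """WPS attributes are TLVs with big-endian 16-bit type and length, after OUI+type."""
    attrs, off = {}, 4
    while off + 4 <= len(value):
        atype, alen = struct.unpack_from(">HH", value, off)
        if atype in WPS_ATTR:
            attrs[WPS_ATTR[atype]] = value[off + 4:off + 4 + alen].decode("utf-8", "replace")
        off += 4 + alen
    return attrs


def parse_rsn_akm(value):
    """RSN IE: version(2) group(4) pairwise count(2) pairwise(4n) akm count(2) akm(4m)."""
    off = 6
    n_pairwise = struct.unpack_from("<H", value, off)[0]
    off += 2 + 4 * n_pairwise
    n_akm = struct.unpack_from("<H", value, off)[0]
    off += 2
    return [AKM_SUITE.get(value[off + 4 * i:off + 4 * i + 4], "unknown") for i in range(n_akm)]


def beacon_info(frame):
    """frame: raw 802.11 beacon without radiotap. Body = timestamp(8) interval(2) cap(2) IEs."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != 8:
        raise ValueError("not a beacon frame")
    info = {"bssid": frame[16:22].hex(":"), "ssid": "", "akm": [], "wps": {}}
    for tag, val in iter_ies(frame[24 + 12:]):
        if tag == 0:
            info["ssid"] = val.decode("utf-8", "replace")
        elif tag == 0x30:
            info["akm"] = parse_rsn_akm(val)
        elif tag == 0xDD and val.startswith(WPS_OUI_TYPE):
            info["wps"] = parse_wps(val)
    return info


def auth_algorithm(frame):
    """Authentication frame (subtype 11): the body starts with the 16-bit LE algorithm number."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or fc0 >> 4 != 11:
        raise ValueError("not an authentication frame")
    return AUTH_ALGORITHM.get(struct.unpack_from("<H", frame, 24)[0], "unknown")


def _ie(tag, value):
    return bytes([tag, len(value)]) + value


def _wps_attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


def build_sample_beacon():
    """Constructed beacon: made-up BSSID, SSID, vendor strings and serial number.
    Advertises PSK and SAE (WPA2/WPA3 transition mode) plus a WPS IE."""
    bssid = bytes.fromhex("020000000001")
    rsn = (struct.pack("<H", 1) + bytes.fromhex("000fac04")                 # version 1, group CCMP
           + struct.pack("<H", 1) + bytes.fromhex("000fac04")               # one pairwise suite: CCMP
           + struct.pack("<H", 2) + bytes.fromhex("000fac02") + bytes.fromhex("000fac08"))
    wps = (WPS_OUI_TYPE + _wps_attr(0x104A, b"\x10") + _wps_attr(0x1044, b"\x02")
           + _wps_attr(0x1021, b"ExampleVendor") + _wps_attr(0x1023, b"XR-1000")
           + _wps_attr(0x1024, b"v2") + _wps_attr(0x1042, b"SN0000000001")
           + _wps_attr(0x1011, b"HomeRouter"))
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)     # timestamp, beacon interval, capabilities
    body += _ie(0, b"Example-AP") + _ie(0x30, rsn) + _ie(0xDD, wps)
    return bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00" + body


def build_sample_auth(algorithm):
    """Constructed authentication frame from a client: algorithm, sequence 1, status 0."""
    bssid, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return (bytes([0xB0, 0x00]) + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00"
            + struct.pack("<HHH", algorithm, 1, 0))


if __name__ == "__main__":
    print(beacon_info(build_sample_beacon()))
    print("authentication algorithm:", auth_algorithm(build_sample_auth(3)))
```

Feed `beacon_info` the raw beacon bytes of a real capture (radiotap stripped, as in the triage example's reader) and the WPS dictionary is the same manufacturer/model/serial data the post reads out of the "Vendor Specific: Microsoft Corp.: WPS" tag; an AP that only ships a bare RSN IE and no WPS IE returns an empty dictionary, which is exactly the case where the uncleaned dump gives you nothing to key a keygen on. `auth_algorithm` returning "SAE" on the frame that precedes the association is the WPA3 case the post points at.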
#15
(07-31-2024, 11:20 AM)ZerBea Wrote: Finding information (if present in a BEACON) via Wireshark is simple:
...

Thanks for the detailed explanation. I really appreciate it.
The reason I let it run for half an hour is that I thought more information is better, and also for the first 3 tries I couldn't capture the handshake for some reason, even after several minutes of monitoring.
And I'm just following tutorials on YouTube; I have no idea what I'm doing.

So there is no hope of finding the password?
#16
Good job getting this far, there's always a lot more to learn with this hobby! I'm thinking most of us got started with K_a_l_i and wifite, but the tools have gotten much better since then. Not in the least thanks to @ZerBea!
Here's to hoping other new users will find this thread and learn from it!

As far as this particular password, there's always hope! The keygen might be discovered or leaked by a disgruntled former employee. A new attack vector might be found for the network.
But lastly there's always social engineering! You don't even have to dress up as a MarocTelekom engineer to "inspect" a wireless device for "interference"; a simple phone call will usually do... But this might be frowned upon in your part of the world. Alternatively, a bottle of wine and being a friendly neighbor might be enough for them to be willing to share their connection! But that's not hashcat related, so perhaps a different forum is a better place for that discussion.