(08-02-2017, 03:22 AM)braxxox Wrote: The -b option (beaconing on the last 10 probes) will seduce clients which do not send probes, yet, to probe us and then to connect us.
I'm having a bit of trouble parsing out what exactly this means. I am aware that many clients do not send probes, but if they don't send probes how can we beacon for them? Do we assume that they may "bite" at a beacon that matches a probe of a nearby (different) device just by chance? Or am I missing something?
The answer you gave is very helpful. It sounds like wlandump-ng is already doing what I was asking about, which is great news. I also had no idea about Alex's project. That is a wonderful idea, I am interested in contributing. Do you know where the product of much of that research goes? Like are there downloadable wordlist files or blog posts etc about the statistical analysis of passwords uploaded so far etc?
Well there are 2 possibilities:
1) we hit exact the networkname and send a beacon with this name - This is pure coincidence!
2) we make some more traffic on the channel to bring "silent" clients out of their shell - This is realistic.
The statistics can be found here:
http://wpa-sec.stanev.org/?stats
The product goes into new keygens and a wordlist (every time a new password was found, this list receives an update):
http://wpa-sec.stanev.org/dict/cracked.txt.gz
If you use this script (where $HOME/wordlists is the place of your wordlist folder):
(you need to create an empty foundstanev in your $HOME/wordlists folder bevore the first run!)
#!/bin/bash
cd /tmp
if [ -f "cracked.txt" ]
then
rm cracked.txt
fi
wget -N
http://wpa-sec.stanev.org/dict/cracked.txt.gz
if [ -f "cracked.txt.gz" ]
then
sort $HOME/wordlists/foundstanev | uniq > foundstanev.tmp
gzip -k -d cracked.txt.gz
cat cracked.txt >> $HOME/wordlists/foundstanev
sort cracked.txt | uniq > cracked.tmp
echo "new words:"
diff foundstanev.tmp cracked.tmp | grep '^>' | sed -e 's/> //'
wc cracked.txt
fi
you can see the progress every day (new found words).
Alex is using newest hashcat with nonce-corr (internal). The script to contribute gpu power wasn't updated, yet and uses still old hccap format. But he's working on that.
His site is absolute free and the main purpose is
a community effort to study and improve security of WPA protected WiFi networks.
If you like to contribute gpu power (and receive a copy of every tested network) download his script:
http://wpa-sec.stanev.org/hc/help_crack.py
and modify it (for use with hashcat 3.6.0 - assuming hcxtools are installed):
198c198
< tl = ['hashcat-cli64', 'hashcat-cliAVX', 'hashcat-cliXOP', 'hashcat-cli64.bin', 'hashcat-cliAVX.bin', 'hashcat-cliXOP.bin', 'hashcat-cli64.app']
---
> tl = ['hashcat-cli', 'hashcat-cliAVX', 'hashcat-cliXOP', 'hashcat-cli64.bin', 'hashcat-cliAVX.bin', 'hashcat-cliXOP.bin', 'hashcat-cli64.app']
204c204
< tl = ['hashcat64.bin', 'hashcat64', 'oclHashcat64', 'oclHashcat64.bin', 'cudaHashcat64', 'cudaHashcat64.bin']
---
> tl = ['hashcat64.bin', 'hashcat', 'oclHashcat64', 'oclHashcat64.bin', 'cudaHashcat64', 'cudaHashcat64.bin']
if tool.find('ashcat') != -1:
try:
494a495,499
> os.system('mv help_crack.net alt.net')
> cracker = 'wlanhc2hcx -o help_crack.net alt.net'
> subprocess.check_call(shlex.split(cracker))
> os.system('cat help_crack.net >> stanevneu.hccapx')
> os.system('rm alt.net')
cracker = '{0} -m2500 -w 1 --potfile-disable --outfile-format=2 {1} -o{2} {3} {4} {5}'.format(tool, performance, key_file, rule, net_file, dictname)
You can also test if your own wordlists are good (list size shouldn't be greater than 1 GB):
Simply add them to one of the downloaded testwordlists (except cracked.txt)
for example:
cat your_wordlist >> pinyin.txt
cat your_second_wordlist >> cow.txt
and see if the incoming net is crackable using your added wordlist