5 minutes hack WPA2 password (turn)

Source: Internet
Author: User
Tags gtk bssid

First of all, we need to understand a mathematical operation calledhashing Algorithm (hash),This is a non-inverse, you can not calculate the results of the original unknown is how much, and sometimes we need a different unknown by the algorithm after the results can not be the same, that is, you are unlikely to find two different values through the hash to get the same result. Hashing is a generic term for a class of algorithms, usually hashing algorithms are public, such as Md5,sha-1 and so on. The WPA password that we usually say is actually calledPSK (pre-shared key),The length is typically 8-63 bytes, and it adds the SSID through certain algorithms to get the PMK (pairwise master key).pmk=sha-1 (SSID,PSK), the PMK is fixed length and is 64 bytes long.because the process overhead of calculating PMK is relatively large, it is the key to solve the long time spent, so the use of the principle of space-time to generate the PMK in advance, this pre-generated table is often said hash table (the algorithm generating PMK is a hash), This work is done with the Airlib-ng tool, and our quick crack is the way it is.
The certification will generate aPTK (pairwise temporary), this is a set of keys, the details are not detailed, its generation method is also the use of the hash, parameters are connected to the client MAC address, AP Bssid, A-nonce, S-nonce, PMK, wherein A-nonce and s-nonce is two random number, Make sure that each connection generates a different PTK. The calculation of PTK is very small. PTK plus the message data using a certain algorithm (AES or TKIP), get the ciphertext, and will get a signature, calledMIC (Message integrality check)Tkip has been cracked and has a lot to do with this mic.。 9 N, b# r/y ' k& T (Z
what does the four-time handshake pack contain? The MAC address of the client, the bssid,a-nonce,s-none,mic of the AP, the most critical pmk and PTK are not included in the handshake package!
8 A2 M6 t&}) U2 J Authentication principle is that after obtaining all of the above parameters, the client calculates a mic, the original text together with the mic sent to the AP,AP using the same parameters and algorithms to calculate the mic, and the client sent over the comparison, if consistent, the certification passed, otherwise failed. # ^% L-n "b! T7 U4 e# ' 4]
The current method of cracking is that we get the handshake package, using Mr. Psk+ssid in our dictionary as a PMK (if there is a hash table), and then combine the handshake package (client Mac,ap bssid,a-nonce,s-nonce) to calculate PTK, Together with the original message data to calculate the mic and compare it to the mic sent by the AP, the PSK is the key if it is consistent. -u# {6 b& ^; [% H3 ~ |] A9 T
At present the most time-consuming is to calculate the PMK, is a crack bottleneck. Even if the computational problem is fixed, a huge amount of key storage is a problem (PMK is 64 bytes long)!
The most recent tkiptun-ng is simply the ability to unlock data packets encrypted with TKIP, not to say that the PMK or PSK can be calculated quickly. If you are interested, you can go to the bookstore to read the book about hashing, perhaps you have cracked the hash algorithm.
The Wpa_supplicant Kit has a gadget called Wpa_passphrase, which works almost like Airolib-ng and is used to generate PMK, which should be brought in backtrack. For example, there is an SSID of TP-LINK,PSK is 12345678, then the method of generating PMK is Wpa_passphrase tp-link 12345678, the result should be this: $ g5 ~ ' G ' m% y (^; H (_, F
network={ssid= "Tp-link"% u "y" A, j:p
#psk = "12345678"
Psk=1eecc652f354863e9f985a96d48545c4994e0d21b04955432b60c2600c0743da is actually the PMK, generally run on the computer to view the wireless password software is to get this, The 1eecc652f354863e9f985a96d48545c4994e0d21b04955432b60c2600c0743da directly into the wireless client can be connected to the SSID, the equivalent of 12345678 input, The process of generating the PMK is irreversible,that cannot be reversed by 1eecc652f354863e9f985a96d48545c4994e0d21b04955432b60c2600c0743da to get 12345678。 You can see that the same PSK is 12345678, and if the SSID name changes, then the PMK will change, which is why using Airolib-ng to build a table is only possible by SSID.

All the text of the tutorial to their own original

Reprint Please specify: Ouyang Bingfeng produced

This tutorial is designed to explore non-line security vulnerabilities, prohibited for illegal use, violators law (not my concern)

Get down to the chase.

First download "cdlinux- ISO wireless hack system"

HTTP://U.115.COM/FILE/F7650106DD Cdlinux_- wireless hack system. ISO

And then get ready for the virtual machine, I'm using the VM6

If you do not like the virtual machine to run, you can burn the CD directly to load the boot

But in order to facilitate the running of the package (brute force password), or in win under the virtual machine is more convenient

In terms of hardware, I use Carro, chip 8187

Everyone can arrange according to their own situation

First: Set up a virtual machine (CD-ROM can be directly passed through this part)

First install the VM (green version directly run) I am the green version

The following screen appears

1. First set up a virtual machine

Photo name: Then punch the next step directly

2. Continue to the next step

Photo Name: Then the next step

3, this is the default, direct next

Photo Name: Here the client operating system chooses Linux,

4, this is the choice of operating system and kernel, it is important, according to my choice on OK

5. Give him a name.

6, I will be the next step

Photo name: I give him 1g space

7, because CD capacity is very small, 130mb more files, you give him 200MB is enough! I'll give him 1g.

By now basically a virtual machine prototype was basically born

The next final step

And one of the most important steps.

Give him an ISO package.

8, give him a path, let him know where your ISO is! It's so simple.

Then you can start the virtual machine!


Photo Name: Choose Chinese here, you should know?

System start, select the Language interface, here you choose Chinese, if you are a foreigner, choose a foreign language, I believe see here are Chinese?
Photo name: System start ing

Virtual machine start ing

It's an exciting time to start.



Part II: Crack WEP/WPA2
Photo Name: System started successfully, desktop

1, the system started, this is the desktop! How? Are you familiar? Very much like Win's! It's easy to get started

2, then open the second row of the first software minidwep-gtk~~ this dialog box appears, direct point ok! It's gone.

3, look at the top left corner of the drop-down menu, find their own network card!!! Then the upper right corner!! Scanning!!! And then it started to get exciting! ~

4, enough excitement, right? Do you see it?

Sssid---is the MAC address of the scan to the wireless access point PWR: Signal strength Data: This is the so-called packet at the back of the Essid you know it? That's the name of the route you scanned! That makes sense, right? Of course, if there is no packet, you still save it! After all, it's cracked! No data packet represents the handshake package, can not grasp the handshake package how to crack it? So we still need the amount of data! And then grab the handshake bag and start cracking!

5, how? Hey, did you see that? The software has searched for the WPA2 encrypted way of the router! Of course, the software search method is a search, that is, WEP,WPA2 search together, see the software on the left column of the "Encryption" you choose WEP will show the WEP encrypted route, you choose WPA2 will show WPA2 way encrypted route, What we're talking about here is the way to hack the WPA2 encryption route! So WEP took a stroke! If it is to crack the route of WEP, the "Start" button on the right side of the bar, the rest is almost no automatic search password (if there is a packet Oh!). )

6, the next start grab handshake package, look at the last line of the picture, caught a handshake package, is waiting for certification, waiting for certification will give you a hint! Tell you that you have caught a handshake bag, and then you can crack it! (of course, grasping the handshake package is to be patient, sometimes the RP burst, can catch up, I grabbed more than 10 minutes to catch)

7, basically has been successful, the rest is cracked! Here begins to hack the first part, run the package and start the test password!

8. Next, contribute your dictionary to minidwep-gtk!. Hey, is this going to be all right? I gave him a default dictionary, which is the last wordlist.txt. You can choose the dictionary according to the situation, in fact, I hid a 3g dictionary! Hey, but this route is a weak password! So this dictionary is enough!

9, this is decrypted, success!!! Hey, haha!!! See wpakey:0123456789 This is the code! This code, Bull cunt? Retarded enough?! Ha ha haha

10, yesterday wrote the hasty, forgot to tell everyone, the virtual machine running CD is not support the internal network card, so need to set up a bit! Very simple, I will not! After opening the VM, look at the above menu bar there is a "virtual machine" and then come down to see "mobile device", then see your USB card, and then hit the check on the OK! It's simple! Hey

Hey, comrades don't shoot bricks, don't scold! Cracking WPA is not a joke! The key is whether your machine is tough enough! Dictionary is not enough!!!

If your machine is tough enough, run the bag and run to hundreds of thousands of! Dictionary collection Hundreds of G, it is estimated that you can not crack the password is not much! There are a lot of "heroes" told me that can not be cracked, said I lied! Later asked, how old are your dictionary? People said, my dictionary super-cool!!! There is a 3m TXT file as a dictionary!!!! Comrades, Ah!!! Do you think he can crack this "hero"?

I've seen the names! Feel the benefit of the reply to a sudden! Hey! Ha ha!

The software used in this tutorial

Vmware6.0.rar (software used in this tutorial)

VMware7.0 green version. rar


Cdlinux_- wireless hack system. ISO

The legendary bottle

Beini-1.2.1 Integrated 500W password-enhanced version. ISO

Attached to my favorite dictionary: compressed after 80 MB, uncompressed after 3g space!

WPA2 cracked dictionary (extracted after 3g file). rar

All_birth (VIP). rar

A new dictionary in beini-1.1_. rar




0-9.8-bit pure number password. rar


Birthday 1980-2010. rar

Weak password set. rar

Super dictionary. rar

WPA English Dictionary. rar


10-bit number. rar

Two lossless albums included

"A network feeling Deep" Up-dts.rar

ABC album "The Voice of the West"-The King of the Horn-German version. rar

Invincible • Love song. rar

Shi-The car lover Dsd.rar

about cracking dictionaries

In fact, crack is the simplest but also the most complex, simple is only a few steps to set up after the violence can be cracked, complex is the need for excellent patience and luck to crack success, the higher the machine configuration, the more the dictionary, the faster you run the package, you crack the higher the probability, so don't ask me how long I can crack a WPA2 , I can not answer, because there are many factors to crack it! Let's start by telling you how to run a bag under win!

First need to prepare the software: EWSA (the usual, lazy to download the back of the message, I sent) a number of dictionaries

First Open the EWSA

And then import the handshake package you caught.

Then create a new dictionary option

Then add the path to your dictionary

Then OK to start attacking the handshake package to crack

Want to get a video tutorial, do not know which screen video to use, who recommend all of a sudden ah? Have the address to me to reply in the back! Thank you.

I especially despise those who do not reply to the direct reprint does not cherish my labor results! May these people xxxxxx ~ ~ Oh, God.

5 minute hack WPA2 password (GO)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.