A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
Brief introduction from scratch
High-speed cracking of WPA passwords
It can be said that few people who have been conducting cryptography research for a long time do not know about this. Many years ago, foreign hackers discovered that they had simply imported the dictionary and used the same algorithm as the target to crack the attack. The speed was actually
Very slow. In terms of efficiency, it cannot meet the actual needs. Later, through a large number of attempts and summaries, Hackers found that if a data file can be directly created, the adoption and target adoption are recorded in advance.
The hash Hash hash value generated after calculation by the same algorithm directly calls such a file for comparison when it is necessary to crack, so that the cracking efficiency can be greatly improved, even by nearly times, this structure is constructed in advance.
The Hash hash data file is called a table (File) in the security field ).
The most famous tables is Rainbow.
Tables is a rainbow table that is often mentioned in the security community. It uses the lm/NTLM hash column of the Windows User Account as the cracking object.
WPA-PSK hash tables
Tables creation is not as easy as you think. In terms of creation itself, tables is very inefficient. In addition, you need to specify the pre-attack AP.
To create a set of WPA-PSK hash for all common access points and using a simple password
Tables, which occupies at least one hard disk space ~~ 3G. To learn more about WPA table, go to
WiFi wireless hacker organization learn more, the organization's official site for http://www.churchofwifi.org, the organization has successfully established a huge
WPA table library and its simplified WPA-PSK hash
The table version provides free download, which is a good news for many wireless hackers. But unfortunately, even the simplified version has exceeded 30 GB.
Create WPA hash tables
Create a hash: genpmk
Note: The password dictionary is in Linux text format, with only line breaks (/n) in each line, while lines in Windows notepad format will encounter line breaks (/R/n) in pairs.
Text File Format Conversion: http://blog.csdn.net/zhangyang0402/archive/2010/01/07/5153649.aspx
Or use Vim to convert: http://hi.baidu.com/qq5910225/blog/item/4ccb2e98c2167bb9c8eaf458.html
GPU cracking WPA
Air cracking tool series
Enable aircrack-ng to use Hash Tables
Compatty in Windows:
End of pcap capture file, incomplete TKIP four-way exchange?
1. The WPA handshake package you captured is incomplete (4 handshakes should be performed), so PJ cannot be correct. We recommend that you capture it again.
2. Of course, there is another possibility of cowpatty's own problem. You can upgrade to the latest version 4.6 and try again, or put it under aircrack-ng PJ.
Aircrack-ng doesn't need as much packets as cowpatty needs. That's why a capture that works with aircrack-ng might not work with cowpatty
High-speed cracking (loading GPU, using HashTables, cowpatty not needed due to instability)
Install pyrit using Python
Obtain the WPA handshake verification package
To facilitate the acquisition of WPA handshake verification packets, deauth authentication attacks must be performed to force the AP to re-perform handshake verification with the connected legal client, and obtain the verification data packet during the re-handshake verification.
Input: aireplay-ng-0 10-A <AP Mac> wifi0
Alternatively, enter aireplay-ng-0 10-A <AP Mac>-C <my Mac> wifi0.
Explanation:-0 refers to the deautenticate attack mode, followed by the number of sending times.
Crack key (dictionary): aircrack-ng/ewsa + Dictionary (Note: The ewsa speed is slow because password change is enabled. Just disable it)
Dictionary cracking is required for WPA password cracking.
Input: aircrack-ng-W password.txt-B <AP Mac> 12345 *. Cap
(-W: dictionary cracking mode)
Password.txt is a dictionary you have prepared in advance.
Note: In addition to dictionary cracking,The other is to use airolib to construct the dictionary into a WPA table.
Then use aircrack to crack the attack. Building a WPA table is the hash Hash hash value generated after calculation using the same algorithm as WPA encryption. In this way, such a file is called for comparison when cracking is required, the cracking efficiency can be greatly improved.
Crack key (hash): cowpatty + hash
WPA cracking does not need to wait until the data reaches tens of thousands, because itOnly one packet containing the WPA handshake verification package
Which one of the four handshakes is the most important?
The 2nd handshake information is relatively important. The password can be cracked only when combined with the 1st or 3rd handshake information.
A possibility that an AP cannot be connected after the WPA password is cracked:
A handshake packet is generated when the client uses the wrong password to connect to the wireless router. If the dictionary contains the wrong password, a wrong wireless access password will be obtained.
Verify the correct WPA password: the client uses the wrong password to connect to the wireless router. After four handshakes, the wireless router sends deauthentication packets to the client and rejects access from the client.
Deauth attacks are often not successful once. To ensure successful interception, they must be repeated, during the attack, other wireless clients of the AP may be unable to access the Internet, which means the network is disconnected frequently. In addition, some low-end APs may cause the wireless function to be suspended and cannot be pinged. Therefore, the AP must be restarted.
However, when a handshake packet is obtained, do not perform too many-0 attacks. Otherwise, they are counterproductive. Some APs may be considered attacked when they shake hands several times. Disallow the connection between the client and the AP for 30 seconds.
How WPA works
The brute-force cracking of WPA mainly involves the following two calculation methods. Of course, this is also the method for WPA authentication:
1: PMK (PSK) <-pdkdf2_sha1 (passphrase, SSID)
2: PTK (PMK, "pairwise key expansion", AA, SA, anonce, snonce)
Brief description of the four handshakes:
1: The Wireless Access Point AP sends a random number anonce to the client Sta.
2: STA receives anonce
Then, select a random number snonce, calculate the PMK (PSK) using the WPA password (passphrase) and the ap ssid, and use
The PRF-X function is used to calculate the PTK, and the first 16 bytes of the PTK and the information sent to the AP are used to calculate the mic authentication value. Add snonce and
Send the MIC to the AP.
3: The AP receives information from the STA and computes the mic using the same method above to verify the mic generated by the STA. If the match is found, the AP sends anonce and other information.
4: Load PTK.
The above description shows that,WPA authentication can be called mic authentication.
. The mic is generated by PTK, And the PTK calculation requires: anonce,
Snonce, MAC address SA of the client STA, MAC address AA of the Wireless Access Point AP, and PMK. The PMK consists of the SSID and
The WPA password (passphrase) is calculated. Assume that we know passphrase, And the handshake process is determined by the legal sta
Then, as long as the information of 1st and 2nd handshakes is obtained, the MIC value can be calculated. NOTE: If we know passphrase!
If we want to use the brute-force method to crack WPA, we can describe it in plain words:
Retrieve a passphrase password from the dictionary and use the ap ssid to calculate the PMK (PSK). You can use wpa_passphrase.
Command generation, and the result will be involved in the PTK calculation (Genpmk is used to call wpa_passphrase multiple times.
). One thing to note is that PMK (PSK) is white, that is, WPA.
The PMK (PSK) information is stored in the system of both sides of the authentication. Otherwise, the information is intercepted directly. See Figure 6:
2: intercept the MAC address of the client STA, the MAC address of the AP of the wireless access point, the random number anonce sent by the AP to the STA, and the random number snonce sent by the sta to the AP, in combination with the PMK (PSK) obtained in the previous step ), use these parameters to generate PTK.
3: Use the first 16 bytes of the PTK obtained in the previous step to calculate the mic value. Use this value to compare it with the mic value in the information sent from the sta to the AP in the 2nd handshake. If the value is the same, the passphrase obtained in step 1 is the actual PMK (PSK) password of WPA ).
Nowadays, the popular method to quickly crack hash tables is to use the specified SSID and dictionary file together to generate the PMK (PSK) corresponding to each password in the dictionary ). If
If the SSID is universal, the generated hash table can be shared with others. Otherwise, there is no practical value because PMK (PSK) is the SSID.
And the password. If you have a hash table corresponding to the target SSID, you can avoid calculating PMK (PSK) during the cracking process)
To save the crack time. See 7:
For ewsa 2.12 and aircrack-NG:
1: The Key to verifying that the password is correct is mic.
Information, originated from 2nd handshakes. Therefore, when the 2nd handshakes are lost, the program cannot crack the information. Correspondingly, if the 2nd handshake information is caused by an invalid sta
The cracked password is invalid and cannot be used because the wrong password will generate the wrong mic information. Although cowpatty 4.6
The mic information in the 4th handshakes is judged to be rigorous, but the actual results are not good. You may have found this problem:Some handshake packages use ewsa and aircrack-ng
But cowpatty cannot be used, because
. However, you can use the "-2" parameter to modify the mic information in the 2nd handshake for determination.
The random number anonce sent to the sta can be obtained from 1st or three handshakes, but the sta sends the random number anonce to the AP.
It can only appear in 2nd handshakes. Therefore, when 1st or 3rd handshakes are lost, the password can still be cracked using the information of 2nd handshakes combined with the information generated by 3rd or 1st handshakes. But when 1st times and
After 3rd handshakes are lost at the same time, the anonce information is missing, so the cracking cannot continue. Similarly, if the information of the 2nd handshakes is lost
3: Because the 2nd handshake is the information sent from the sta to the AP, it contains two important information: MIC and snonce.
. Therefore:As a network card in the hybrid mode, the effective working distance between the AP and the sta should be clarified.
Maybe you are far away from sta-your location is exactly where you can receive the AP
But cannot receive the sta signal. At this time, the MIC and snonce information cannot be obtained, which is why many IVS generated by the AP can be obtained.
Is one of the reasons why the handshake information cannot be obtained. Of course, the handshake information is generated during the establishment of the STA and AP authentication, and the timing is also very important. This is the day.
Two versions of WPA Encryption Algorithm
= 802.1x + EAP +TKIP + mic
= Pre-shared key + TKIP + mic
= 802.1x + EAP +AES + CCMP
= Pre-shared key + AES + CCMP
Here, 802.1x + EAP, pre-shared key is an Identity Verification Algorithm (WEP is not configured with an identity authentication mechanism), TKIP and AES are data transmission encryption algorithms (similar to WEP-encrypted RC4 algorithms ), MIC and CCMP data integrity verification algorithms (similar to CRC32 in WEP)
WPA authentication method
802.1X + EAP (industrial level, high security requirements. Authentication Server required)
Pre-shared key (for household use, used in places with low security requirements. No server required)
EAP expansion is a serious protocol architecture. Instead of defining algorithms. Common examples include leap, MD5, ttls, TLS, PEAP, SRP, Sim, and AKA. TLS and ttls are two-way authentication modes.
The reality of cracking WPA passwords: difficult
PSK = PMK = pdkdf2_sha1 (passphrase, SSID, SSID length, 4096)
In this function, the input values are all clear except this 4096. This is the precaution of the designers. He meansLet the function iterate 4096 times
. The main purpose is to greatly reduce the efficiency of dictionary attacks. It also increases the complexity of functions.The time consumed by this function accounts for 99.3% of the total time for deriving a mic.
That is, sha1_prf and hmac_md5 functions consume less than 0.7% of the total time. Here, you should also understand what the so-called database creation cracking is. That is, the task with a time of 99.3% is completed first. Generates a PMK library. At the time of cracking, only 0.7% of the work will be completed. This explains why database creation is slow. The library we created here is called the PMK library. Or HMAC pre-calculation library.
When PMK generation is so time-consuming, why is the AP with poor hardware conditions so fast during handshake? Actually after you choose to use WPA-PSK mode. The AP begins to generate PMK with the password and Essid (WPA-PSK initialization) and then it stores this PMK value.
Unless you change the Essid or password, the AP will not take the time to produce PMK. So the handshake between station and AP is so fast. Therefore, increasing the value of 4096 in the above algorithm only increases the initialization time and does not affect the handshake and data transmission at any time. However, it is different for attackers. If the attack speed is increased by 10 times, the dictionary attack speed is only 1/10.
The advantage of PMK is speed, but it sacrifices a long time for database creation, huge disk space, and the targeting of SSID is also the main problem of PMK library.
Therefore, PMK is mainly used to deal with the default SSID that is widely used. Generally, there is no need to create a PMK for a strange SSID. The SSID is also unique. As new as the TP-LINK, the SSID becomes the first six digits of the TP-LINK + Mac. This practice is undoubtedly to waste the PMK library we made for TP-LINK. From another perspective, TP-LINK is undoubtedly a very security-oriented producer ..
Web cracking WPA-PSK tutorials a lot. It takes several minutes to crack. Some passwords are strong. None of the tutorials are practical. They all know that the password is broken.So don't mislead those tutorials.
Think it is easy to crack the WPA-PSK. WPA-PSK password cracking for a long time do not come out do not drill corners.
Now we understand the attack against WPA-PSK is currently the only practical value of weak password dictionary attacks.
A good weak password dictionary is precise, not big.
Download in-depth principles of WEP and WPA passwords
Countermeasures against various situations when cracking WEP:
When data is increased to more than 15 thousand, aircrack-ng is used for cracking.
Position of the captured package:/tmp/feedingbottle
1. Clients with valid clients generate a large amount of valid data and can directly obtain a large number of IVs.
2. A valid client can only generate a small amount of IVs data.
A large number of ivs are generated by injecting attack acceleration.
If a small amount of data is available, the ARP request packet may be obtained (it may take some time). The-3 mode in ARP injection mode can be used to continuously send packets to the AP.
The same ARP request packet for injection attacks.
Aireplay-ng-3-B <AP Mac>-H <valid client Mac> wifi0
Alternatively, enter wesside-ng-I wifi0-V 01: 02: 03: 04: 05: 06 (apmac in this format ).
3. There is a client, but the client does not communicate at all, and ARP packets cannot be generated. -3 The injection mode fails.
-0 conflict mode force disconnect valid client and AP to reconnect
Use the-0 conflict mode to reconnect the handshake data generated so that-3 can obtain an effective ARP to complete ARP injection.
Aireplay-ng-3-B <AP Mac>-H <valid client Mac> wifi0
Aireplay-ng-0 10-A <AP Mac>-C <valid client Mac> wifi0
2. No client
Because there is no client, the first step is to establish a virtual connection with the AP.
This is a critical step. To allow the AP to accept data packets, you must associate your NIC with the AP. If no association exists, the target AP
All the packets sent from your NIC will be ignored, and the IVS data will not be generated.
Aireplay-ng-1 0-E <AP Essid>-A <AP Mac>-H <Mac> wifi0
If the echo virtual camouflage connection fails, there are many reasons for the failure, including the following:
1. The target AP performs MAC address filtering.
2. You are physically too far away from the target AP
3. The other party uses WPA encryption.
5. The NIC and AP may be incompatible. The NIC does not use the same working channel as the AP.
You can also run the tcpdump command to check whether the NIC is connected to the target AP.
After establishing a virtual connection, you can directly use the-2 interactive attack mode. This mode combines packet capture, data extraction, and attack packet generation capabilities.
Aireplay-ng-2-P 0841-c ff: FF-B <AP Mac>-H <my Mac> wifi0
Use the-5 fragment attack mode to obtain an available data file (XOR file) containing the key );
Then extract the prga from the XOR file to forge an ARP packet through the packetforge-ng program;
Finally, the interactive attack mode-2 Packet Attack is used.
Use the fragment Packet Attack Mode-5 to obtain a prga packet (XOR file ).
Enter aireplay-ng-5-B <AP Mac>-H <my Mac> wifi0
Use the-4 chopchop attack mode to obtain an available file containing key data (XOR file)
Extract the prga from the XOR file by using the packetforge-ng package manufacturing program to forge an ARP packet
Finally, the interactive attack mode-2 Packet Attack is used.
Use the-4 chopchop attack mode to obtain an XOR file containing key data
Enter aireplay-ng-4-B <AP Mac>-H <my Mac> wifi0
-B: Set the MAC address of the AP to be cracked.
-H: Set the MAC address of the wireless network card used for connection (self-network card)
Use packetforge-ng, a data packet manufacturing Program, to forge the XOR data packet obtained above into an available ARP injection package.
Enter packetforge-ng-0-A <AP Mac>-H <my Mac>-K accept 255.255.255-l accept 255.255-y
-Y (filename) is used to read prga files.
-W (filename) writes the ARP packet to the file. The file name I used is myarp.
Use interactive mode-2 to launch packet injection attacks.
Enter aireplay-ng-2-r myarp-x 256 rausb0
-R: reads ARP packets from a specified file.
[-X]: defines the number of data packets sent per second. To avoid network card crashes, you can select 256, up to 1024
Http://www.xxszxw.net/xx/ShowArticle.asp? ArticleID = 9325
Explanation of the attack modes in aireplay-ng 6
-0 deautenticate conflict Mode
Force disconnect a valid client from the vro to reconnect it. Authentication data packets are obtained during the reconnection process to generate valid ARP data.
If a client is connected to a vro but no one is on the Internet to generate valid data,-3 cannot generate valid ARP data, therefore, the-0 attack mode must be used in combination with-3 attacks to activate them.
Aireplay-ng-0 10-A ap_mac-C valid client Mac wifi0
Parameter description: 10 indicates the number of sending times (0 indicates cyclic attack, and the client cannot access the Internet normally)
-A sets the MAC address of the AP and-C sets the MAC address of the connected legal client (if-C is required, all clients connected to the AP are disconnected)
-1 fakeauth count disguises a client to connect to the AP
This is the first step in the study without a client, because there is no valid connection to the client, so you need a disguised client to connect to the router. To allow the AP to accept data packets, you must associate your NIC with the AP. -1 send the injection command only when the disguised client connection is successful enough
Aireplay-ng-1 0-e ap_essid-A ap_mac-H my_mac wifi0
Parameter description: 0 indicates that the rock is connected after 0 seconds;-e sets ap_essid;-A sets the MAC address of the AP-H sets the MAC address of the nic of the disguised client (that is, the MAC address of the NIC)
-2 Interactive Mode
This mode integrates three functions: Packet Capture and data extraction, and packet injection.
Aireplay-ng-2-P 0841-c ff: FF-B ap_mac-H my_mac wifi0
Parameter description:-P sets the information contained in the Control Frame (hexadecimal). The default value is 0841.-C: sets the target MAC address.-B sets the MAC address of the AP; -H disguise the MAC address of the client NIC (that is, the MAC address of the client)
Extract packets and send injection packets
Aireplay-ng-2-r myarp-x 1024 wifi0
Parameter description: myarp: file name set by myself;-x 1024: Packet sending speed (up to 1024)
-3 ARP-request Injection Attack Mode
This mode is a process of analyzing and resending packets after capturing packets.
Aireplay-ng-3-B ap_mac-H valid client Mac-x 512 wifi0
-4 chopchop attack mode, used to obtain an XOR file containing key data
Aireplay-ng-4-B ap-Mac-H my_mac wifi0
-5 fragment: fragment attack mode, used to obtain prga (files with the suffix XOR of the key)
Aireplay-ng-5-B ap_mac-H my_mac wifi0
Packetforge-ng data packet manufacturing Program
Packetforge-ng-0-A ap_mac-H my_mac wifi0-K packet 255.255.255-l packet 255.255.255-y niam_xor-W mrarp
Parameter description:-0: disguised ARP packet;-K: Set the IP address and port of the target file;-L: Set the source file IP address and port;-Y: Read prga from the XOR file; name: name of the XOR file;-W: Specifies the name of the disguised ARP packet.
Aircrack-ng-N 64-B ap_mac name-01.ivs
Parameter description:-N sets the key length.
Minidwep, A dumbler cracking tool than spoonwep2
Save the password in the keyfound file, find/-name keyfound *
Dictionary cracking tool
Windows: ewsa, elcomsoft Wireless Security Auditor
Step 1: Select Simplified Chinese
, GPU top, if the video card supports some optional items.
Step 2: select a handshake package.
Step 3: select a dictionary.
Step 4: Click Start attack.
Step 5: Wait for the password to be successfully resolved by P.
Http://www.anywlan.com/bbs/viewthread.php? Tid = 68106
Key in WPA: PSK-> PMK-> PTK -----> MIC
The WPA password is PSK (pre-shared key), which is usually 8-63 bytes in length. It can be used to obtain the PMK (pairwise master key) by adding the SSID ).
PMK = SHA-1 (SSID, PSK), the PMK length is fixed length, are 64 bytes.Because the process of calculating the PMK is costly, it is the key for us to take a long time to crack. Therefore, we use the space-for-time principle to generate the PMK in advance, this pre-generated table is a common hash table.
(The algorithm used to generate PMK is a type of hash.) This is done using the airlib-ng tool. This is the case for fast cracking.
A ptk (pairwise temporary) is generated during authentication, which is a set of keys. Its generation method is also used Hash, parameters are connected to the client MAC address, AP bssid, A-nonce, S-nonce, PMK, where A-NONCE and S-NONCE are two random numbers, make sure that different ptks are generated for each connection. The PTK computing consumption is small. PTK uses a certain algorithm (AES or TKIP) to add the message data to obtain the ciphertext, and a signature, called message integrality check, is obtained at the same time ), the reason why TKIP is cracked is closely related to this mic.
What are the above contained in the four handshakes?
Client MAC address, AP bssid, A-NONCE, S-NONE, mic, most critical PMK and PTK are not included in the grip package!
The authentication principle is that after obtaining all the above parameters, the client calculates a mic and sends the original text together with the mic to the AP. The AP uses the same parameters and algorithms to calculate the mic, it is also compared with the one sent by the client. If it is the same, the authentication will pass; otherwise, the authentication will fail.
The current method of cracking is to use the PSK + SSID in our dictionary to form a PMK (if there is a hash table, it will be skipped) after we obtain the handshake packet, and then combine the (client Mac, AP bssid, A-NONCE, S-NONCE) to calculate the PTK, coupled with the original packet data to calculate the mic and the MIC sent by the AP, if consistent, then the PSK is the key
Currently, the most time-consuming task is to calculate the PMK, which is a bottleneck for cracking. Even if the calculation workload is fixed, massive key storage is also a problem (PMK is 64 bytes in length )!
The wpa_supplicant kit has a small tool called wpa_passphrase, which is similar to airolib-ng and is used to generate PMK. This tool should be provided in backtrack.
Wireshark captures the WPA handshake packet
Extracting the WPA handshake package from the CAP file is actually extracting the eapol (EAP on the LAN) protocol package,Enter "eapol" in the filter of Wireshark"
However, if you use aircrack-ng to open the obtained cap file, you will find that Essid is lost. Note: The Essid that is not WPA-encrypted has disappeared.
Solution: Keep the beacon frame in the CAP package,Change the filter to "eapol or WLAN. FC. type_subtype = 0x08"
Where "0x08" is subtype, that is, "Beacon frame ".
Of course, you can also further remove the EAPOL-STAR package,Change the filter to "(eapol and eapol. type! = 1) or WLAN. FC. type_subtype = 0x08"
, Where, "type! = 1 "means to discard the Star Package, but in this case, Wireshark will give a warning. Solution: only keep the package containing the key information and change the filter to" eapol. type = 3 or WLAN. FC. type_subtype = 0x08 ", where,
"3" is the subtype of the key information package.
An error occurs when installing cowpatty In Debian. When making, the prompt "...: *** [md5.o] Error 1" is displayed ".
Cause: file dependency
Apt-Get install libssl-Dev
Apt-Get install libpcap0.8-Dev
Then try make.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service