Wireless network password cracking WPA/WPA2 tutorial

Source: Internet
Author: User

This tutorial is intended for exploring wireless router security vulnerabilities. Illegal use is prohibited; violators bear the legal consequences themselves (nothing to do with me).

Before cracking WPA/WPA2, you should first understand some basics. This article is suitable for beginners.
First, you must understand a mathematical operation called a hash algorithm (hash). This is a non-invertible operation: you cannot use the result of the calculation to determine the original input. Sometimes we also need different inputs not to produce the same result, that is, you are unlikely to find two different values that give the same result through the hash. Hash is a general term for a class of algorithms. Hash algorithms are generally public, such as MD5 and SHA-1.

The WPA password we usually talk about is called the PSK (pre-shared key). Its length is usually 8-63 bytes. Together with the ssid, it yields the PMK (pairwise master key) through a certain algorithm: PMK = SHA-1(ssid, psk). The PMK has a fixed length of 64 bytes. Because calculating the PMK is costly, it is the main reason cracking takes a long time. We therefore trade space for time and generate the PMKs in advance; this pre-generated table is often referred to as a HASH table (the algorithm used to generate the PMK is a hash). This job is done with the airolib-ng tool, and this is how fast cracking works.

PTK (pairwise temporary key): this is a group of keys; the specifics are not covered here. It is also generated with a hash, whose parameters are the MAC address of the connecting client, the BSSID of the AP, A-NONCE, S-NONCE and the PMK. A-NONCE and S-NONCE are two random numbers that ensure each connection generates a different PTK. Computing the PTK is cheap. The PTK and the packet data are run through a certain algorithm (AES or TKIP) to obtain the ciphertext and a signature called the MIC (message integrity check). The reason TKIP was cracked is closely related to this MIC.
Which of the above are contained in the four-way handshake? The client MAC address, AP BSSID, A-NONCE, S-NONCE and MIC. The most critical items, the PMK and PTK, are not included in the handshake packets!
The principle of authentication is that after obtaining all the above parameters, the client calculates a MIC and sends the original text together with the MIC to the AP. The AP uses the same parameters and algorithm to calculate the MIC and compares it with the one sent by the client. If they are the same, authentication passes; otherwise it fails.

The current cracking method is as follows: after obtaining the handshake packets, we combine each PSK in our dictionary with the ssid to form a PMK (this step is skipped if there is a HASH table), then combine it with the client MAC, AP BSSID, A-NONCE and S-NONCE from the handshake to calculate the PTK, then use the original packet data to calculate the MIC and compare it with the MIC sent by the AP. If they match, that PSK is the key.
Currently, the most time-consuming task is calculating the PMK, which is the bottleneck for cracking. Even if the computation workload is dealt with, storing a massive number of keys is also a problem (the PMK is 64 bytes long)!
The latest tkiptun-ng can only decrypt data packets encrypted with TKIP; that does not mean it can quickly calculate the PMK or PSK. If you are interested, you can go to a bookstore and look at books on hashing. Maybe you will be the one to crack all these HASH algorithms.

The wpa_supplicant suite has a small tool called wpa_passphrase, which, like airolib-ng, is used to generate a PMK. This tool should be included in BackTrack. For example, for the ssid TP-LINK with the PSK 12345678, the PMK is generated with wpa_passphrase TP-LINK 12345678, and the result should look like this:
network={
    ssid="TP-LINK"
    #psk="12345678"
    psk=(hexadecimal string)
}
The psk= value is actually the PMK. This is generally what you see when you run software on a computer to view the wireless password. You can enter this value directly into a wireless client to connect to the ssid; it is equivalent to entering 12345678. The PMK generation process is irreversible, that is, 12345678 cannot be recovered from the PMK by working backwards. We can also see that with the same psk of 12345678, the PMK changes if the ssid name is changed. This is why tables created with airolib-ng can only be generated per ssid.
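The SSID dependence described above, as an added example that is not part of the original post: it derives the PMK the way WPA/WPA2-Personal specifies (PBKDF2-HMAC-SHA1, the ssid as salt, 4096 iterations, 32 bytes, printed as 64 hexadecimal characters), which is the value wpa_passphrase shows as psk=. It goes one step beyond the text by estimating the worst-case search time for a passphrase, so that a weak and a strong choice can be compared; the function names, the second SSID and the rate of 100,000 guesses per second are assumptions made for the example.

```python
import hashlib

# WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
PBKDF2_ROUNDS = 4096
PMK_BYTES = 32


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Return the 32-byte PMK for an SSID/passphrase pair (the psk= value)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ROUNDS, PMK_BYTES,
    )


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this alphabet and length."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # "TP-LINK" / "12345678" is the page's own example; "TP-LINK_5G" is constructed.
    pmk_a = derive_pmk("TP-LINK", "12345678")
    pmk_b = derive_pmk("TP-LINK_5G", "12345678")
    print("TP-LINK    :", pmk_a.hex())
    print("TP-LINK_5G :", pmk_b.hex())
    print("same passphrase, different ssid, same PMK?", pmk_a == pmk_b)

    # Assumed rate (not measured): 100,000 candidate passphrases per second.
    rate = 100_000
    year = 365 * 24 * 3600
    print("8 digits             : %.0f seconds" % seconds_to_exhaust(10, 8, rate))
    print("12 random [A-Za-z0-9]: %.1e years" % (seconds_to_exhaust(62, 12, rate) / year))
```

Because the ssid is the salt, a router that keeps its factory-default ssid is covered by any table already built for that name, so changing the ssid and using a long random passphrase both raise the cost shown here.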

Now to the main topic
First download the "cdlinux- ISO wireless cracking system"

Then prepare the virtual machine. I used VM7

If you like running a virtual machine, you can directly burn the disc to load and start it.

However, it is easier to use a virtual machine in Windows to run the packets (brute-force password cracking).

In terms of hardware, I use a "Card King" adapter with the 8187 chip.
You can arrange this according to your actual situation.

Part 1: Set up a virtual machine (the system can also be started directly from the CD)
First, install the VM software (the green version runs directly).

1. First create a virtual machine, then click Next.

2. Continue to the next step, and then the next.

3. These are the default options; go to the next step. Select Linux as the guest operating system.

4. Selecting the operating system and kernel is very important.

5. Give it a name.

6. Continue.

7. Because the CD capacity is very small and there are more than MB of files, you can just give it MB! I gave it 1 GB. Up to now, a prototype of the virtual machine is basically born. The next step is also the most important one: give it an ISO image.

8. Give it the path so it knows where your ISO is! That's simple. Now you can start the VM!

When the system starts, select the interface language. Choose Chinese here. If you are a foreigner, select a foreign language, but I believe everyone here is Chinese?

The VM is starting up. It is exciting to watch it start.
Part 2: cracking wep/wpa2

1. The system has started successfully and this is the desktop! Looks familiar? Just like Windows! Easy to use.

2. Open minidwep-gtk, the first program in the second row. In the dialog box that appears, click OK, and that's it.

3. Look at the drop-down menu in the upper left corner and find your NIC! Then click Scan in the upper right corner! Now the exciting part begins!

4. Are you excited? No?
The columns are: ssid, the MAC address of the scanned wireless access point; pwr, the signal strength; data, the so-called data packets; and essid at the end, which is the name of the router you have scanned. That is easy to understand, right? Of course, if there are no data packets, you can save yourself the trouble! After all, this is cracking: if there are no data packets, the handshake packet cannot be captured, and then how could you crack anything? So some data traffic is still required! Once the handshake packet is captured, the attack starts!

5. How is it? See that? The software has found a router encrypted with wpa2! Of course, the software searches for everything together, that is, both wep and wpa2. Look at "encryption method" in the left bar of the software: if you select wep, the wep-encrypted routers are displayed, and if you select wpa2, the wpa2-encrypted routers are displayed. Here we are talking about cracking a wpa2-encrypted router, so wep is only mentioned in passing! If you are cracking a wep router, click the "Start" button in the right bar; the rest needs no attention, and the password is searched for automatically (provided that there are packets!)

6. Capture the handshake packet. Look at the last line in the image: a handshake packet has been captured and is waiting for authentication. You will be prompted after authentication, telling you that a handshake packet has been caught and you can crack it! (Of course, capturing a handshake packet takes patience. Sometimes luck spikes and I catch one after 10 minutes.)

7. Basically, it has succeeded, and what remains is cracking! Start the first part of cracking: run the packets and test the passwords!

8. Next, give minidwep-gtk your dictionary! Got it? I gave it the last one, wordlist.txt. You can select a dictionary based on the actual situation. In fact, I have stored more than 3 GB of dictionaries! But this router's password is weak, so this dictionary is enough!

9. Start decrypting now. It's successful!!! Haha!!! We can see wpakey: 0123456789. This is the password! What kind of password is that? Isn't it ridiculously weak?! Hahaha

10. I wrote this in a rush yesterday and forgot to tell you that running the CD system in a virtual machine does not support the built-in NIC, so you need to set one up! It's easy. I can't do it! After opening the VM, find "Virtual Machine" in the top menu bar, then "Removable device", then find your USB NIC and tick it! Easy!

Hey, comrades, don't shoot! Cracking wpa is not a joke! The key is whether your machine is powerful enough and whether you have enough dictionaries!
If your machine is strong enough to run the packets at hundreds of thousands, and you add several hundred GB of dictionaries, I estimate there are not many passwords you can't crack! There are many "heroes" who tell me that it cannot be cracked and that I am deceiving them! Then I ask them: how big is your dictionary? "I do have a dictionary!!! A 3 MB txt file is used as the dictionary!!!!" Comrades!!! Do you think this "hero" can crack anything?

I have read the record! If you think it is useful, you can reply to it all at once! Hey! Haha
