No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds) No more lost EAPOL frames when the regular user or the AP is too far away from the attacker No more eventual invalid passwords sent by the regular user No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results) No more waiting for a complete 4-way handshake between the regular user and the AP No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack) Further details are in the hashcat link below.
Note: The following method does not change the time in takes to crack the password, it simply makes the method to obtain the password much easier. PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA) We receive all the data we need in the first EAPOL frame from the AP. Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector.
The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label "PMK Name", the access point's MAC address and the station's MAC address. One of the RSN capabilities is the PMKID. The RSN IE is an optional field that can be found in 802.11 management frames. We can do that by using the program cowpatty.Ĭowpatty -f /usr/share/wordlists/rockyou.txt -r cowpatty-01.cap -s DKT_D24D81 Now that we have the handshake recorded we can start to crack it. That is our packet-capture, and you can open it and study it in wireshark if you like.
Now we can exit airodump, and we can see that we have a cap-file with the name cowpatty-01.cap. We know that we have recorded a handshake when this appearsĬH 11 ][ WPA handshake: A7:B6:68:D4:1D:91 And when he/she does we will record that handshake. Now we just have to wait for a user to connect to that network. and -w cowpatty means that we are going to save the packet capture with that name.
#Data - The number of data-packets that has been sent.ĬIPHER - One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. If you are curious you can just analyze the beacons in wireshark after you have captured them. It contains the SSID, timestamp, beacon interval. The beacon contains information about the network. In the example above it is myrouter that has the strongest signal.īeacon - This is kind of like a packet that the AP sends out periodically. The higher (closer to 0) the strength the stronger is the signal. Run airodump to see what is passing through the air You see the name when you run the command. This interface is usually called mon0 or something like that. This will create a network interface that you can use to monitor wifi-action.This puts the network card in monitoring mode.The bad part is that if you run a dictionary attack there is always the possibility that the password just isn't in the list. The good part about this strategy is that you won't have to interfere to much with the network and thereby risk of taking down their wifi. What we are going to to here it basically just to record the 4-way handshake and then run a dictionary attack on it. Sudo iwlist wlan0 scanning - scans for wifis Hacking WPA2-wifis Using airmon-ng and cowpatty This is a great guide to the many different ways to hack wifi. This article outlines the different strategies quite well. And each of them require a different tactic.
There are quite a few different security mechanism on wifi. MS Advanced Threat Protection and Advanced Threat Analytics Evasion Metasploit Web Delivery (Meterpreter Session)
Common ports/services and how to use themīroken Authentication or Session Managementĭefault Layout of Apache on Different Versions