Tuesday, November 13, 2012

Crack WPA2: Know Your Target. Faster than Reaver!



This is a short tutorial on a different approach to cracking WPA2 on networks run by a specific ISP, such as Time Warner Cable (RoadRunner), Charter Cable, Cox or Comcast. Details vary by where you live, but it is aimed at all the cable companies that also offer telephone and internet service.
You will have to do a bit of homework to make things easier for you, less time consuming, and to get a higher success rate.
This is for educational purposes only!
First we need a sniffing tool such as airodump-ng or inSSIDer, since we have to know the SSID, ESSID and the channel the AP is on. Ok, so here we go! Once your tool is ready, have it scan. With airodump-ng you first put the card into monitor mode:
airmon-ng start (interface)
so your command should look like this:
airmon-ng start wlan1
The following command starts scanning the air for APs:
airodump-ng mon0
To stop scanning press Ctrl+C.
On inSSIDer simply choose the adapter at the top right and click START. The cool thing about inSSIDer is that it shows the vendor information, which is one of the things we will be looking for to make the attack more effective and precise while making it less time consuming.



Notice all the APs in the image above. How can we tell which is which? Simple! I have sorted them by vendor. In this case we will try to crack one of the APs from the ISP Time Warner (RoadRunner) (I did this with the owner's permission). 90% of the time Time Warner (RoadRunner) APs operate on channel 1, but counting all the APs on channel 1 we see a total of 8. They also use WPA2 encryption, so that narrows things down to 4. To be more precise we narrow further by vendor, in this case Gemtek Technology Co. Ltd., which is what Time Warner (RoadRunner) uses. Another thing to look at is that Time Warner (RoadRunner) uses the customer's first or last name as the ESSID, making it even easier to spot. So now we are down to 2 APs, and we can conclude that those 2 APs, operating on channel 1, under WPA2, with Gemtek Technology Co. Ltd. as vendor, are from Time Warner (RoadRunner).
NOTE: Notice that one of the 2 APs has the person's last name while the other does not. What does that mean? One major weakness in Time Warner (RoadRunner): the AP has been reset at some point for whatever reason, making it extremely vulnerable to a dictionary attack. Why? Unfortunately, when you reset the modem, the model of the modem is used as the ESSID by default. Yes, even though it shows Gemtek Tech. Co. Ltd. as vendor, the actual gateway vendor is Motorola. I haven't looked into why that is, but don't get confused; I believe Gemtek is for the LAN side and Motorola for the WAN side. Anyway, when you see an AP with Gemtek Tech. Co. Ltd. as vendor but SBGxxxx as the ESSID, know this: they are giving you part of the passphrase. How much, exactly? Half of it. In this case the AP named SBG65800C tells us that SBG6580 is the model, and SBG6580 is also half of the passphrase. The other half is the second half of the WAN MAC address, NOT the SSID. I'm not sure whether a tool such as Wireshark can get the WAN MAC, but if you know how to get it you are in luck, because then you have the full passphrase (key). So if the WAN MAC is something like 00:20:40:F2:A0:D1, the passphrase will be SBG6580F2A0D1. This applies only to Motorola.

If you use airodump-ng you can go to http://www.macvendorlookup.com/, type in the first 6 characters of the MAC address, and it will tell you which vendor it is. I would also like to point out that not all Time Warner (RoadRunner) APs will show Gemtek as vendor, because the Motorola SurfBoard has a MAC spoofing feature. But don't let that fool you.



Moving on to other ISPs: it just requires a bit of research on your local ISPs. Some areas have Charter, others Comcast or Cox. Whichever it is, pay their support web page a visit to see which vendors they carry. Some ISPs will tell you who they are, as in the image above. ATT576... can you guess? Ding ding ding! Yes, you got it right, it's AT&T. Time Warner does not carry 2WIRExxx, and there are only 2 ISPs covering that area, so from the image above we now know that the 2WIRExxx APs are also from AT&T, also because they operate on channels 6 and 11, while Time Warner (RoadRunner) uses only channel 1.

Ok, so once you know how to tell them apart, one question arises: how will you attack it? Of course this tutorial is only about the dictionary attack, but you have to know which dictionary/wordlist you are going to use, because it is pointless to use a 50GB wordlist if the passphrase is only numbers. Cable companies that offer telephone service and internet will typically use the phone number as the KEY, so all you have to do is create a wordlist using the area code in which you live and within an hour, BAMM! You have your KEY. To create a custom wordlist such as phone number plus area code you have to use a tool such as Crunch, which already comes in BackTrack 5 R3. Here is the command to create the wordlist we need to crack an AP that uses the phone number as the passphrase (key).

/pentest/passwords/crunch/./crunch 10 10 1234567890 -t 878@@@@@@@ -o wordlist.txt

Here -t 878@@@@@@@ fixes the area code: change 878 to whatever the target AP's area code is. -o wordlist.txt is the name of your wordlist, so you can change it to whatever you want, like -o arealist.txt.
An alternative to saving a wordlist (a phone-number wordlist is not big at all, not even 300MB) is this amazing tutorial from mrmanuelmtzm, a member at xiaopan.co/forums. He posted a tutorial using Aircrack-ng and Crunch without having to save the dictionary/wordlist to your flash drive or HDD, so it is pretty much a brute-force method. Pretty cool, huh!

Thanks mrmanuelmtzm!



Above you can see that a handshake has been acquired and the passphrase has been retrieved using a dictionary I custom made for this specific AP. As you can see it only took me 20 minutes and 40 seconds. Reaver could have taken longer. Knowing your target can save you lots of time.
For ATTxxx APs many have thought that the phone number was used, but that is not true. It's a 10-digit number printed on a sticker on the modem, so to attack this AP I suggest using the Aircrack-ng + Crunch method above, because of the extremely large file that would otherwise be created (over 100GB).
Attacking the well-known 2WIRExxx APs is almost the same as an ATT AP; the same method is suggested as for the ATTxxx, but you can use the link provided here to help out. It is a pretty cool online tool for many types of APs such as 2WIRExxx, 3Com, Arris, Asmax, Belkin, Cisco, Comtrend, DD-WRT, D-Link, EasyBox, Fibrehome, Huawei, MiFi, Motorola, Netgear, Pirelli, RuggedCom, Sagem, Seagate, Siemens, Thomson, TP-Link, TRENDnet, Ubiquiti, UTStarcom, Xavi, ZyXEL.


An alternative for that you can check this out http://xiaopan.co/forums/threads/android-thomson-key-solver.528/ 
Thanks Mr. Penguin!

Moving on to a different type of AP, this one we could say is the easiest to crack. Though it is not the dictionary attack that will be used, I thought it would be cool to write about it in this tutorial. Verizon FiOS: nearly 95% of their APs are WEP and are known by their easy-to-spot five-character ESSID.



And notice the vendor, Actiontec Electronics Inc. As you may already know, WEP can be cracked in a matter of seconds, but there are two alternatives to crack these APs. There are many online tools like this one:


or you can download an app for your Android phone:


You can also check out this FREE online WPA2 cracker…they also offer a paid service for those interested.


So always do your homework and find out a bit about the target AP; don't just shoot blindfolded. Know what you're shooting at (figure of speech). But if you have the option of using Reaver 1.4, go ahead and use it, though at times a dictionary attack can be faster if you know more about your target, as in the example shown above.
I hope this tutorial helps in cracking WPA2 for those certain APs you have been looking to crack.
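The giveaways described in this post (model-name ESSIDs such as SBGxxxx, ATTxxx and 2WIRExxx defaults, five-character ESSIDs on Actiontec gateways, WEP, ten-digit numeric or model-plus-MAC passphrases) collected into a self-check you can run against your own network's settings. This is an added example, not code from the original post; the regexes are constructed from the post's descriptions and the sample values are made up.

```python
"""Self-check for the default-configuration giveaways listed in the post
(added example, not code from the original post). Run it against your own
network's ESSID, encryption, vendor and passphrase; each finding names the
pattern matched and what to change."""
import re

# ESSID patterns the post associates with ISP factory defaults. Constructed
# here from the post's descriptions (SBGxxxx, ATTxxx, 2WIRExxx).
DEFAULT_SSID_PATTERNS = [
    (re.compile(r"^SBG\d{4}", re.I),
     "ESSID is a Motorola SBG model name: factory-reset default; rename it"),
    (re.compile(r"^ATT\d{3}$", re.I),
     "ESSID matches the AT&T default; rename it"),
    (re.compile(r"^2WIRE\d{3}$", re.I),
     "ESSID matches the 2Wire (AT&T) default; rename it"),
]


def audit_ssid(ssid: str, encryption: str, vendor: str = "") -> list:
    """Findings for the network name, encryption and (OUI-derived) vendor."""
    findings = []
    for pattern, why in DEFAULT_SSID_PATTERNS:
        if pattern.search(ssid):
            findings.append(why)
    if encryption.upper() == "WEP":
        findings.append("WEP is breakable in seconds; switch to WPA2")
    if (len(ssid) == 5 and ssid.isalnum()
            and vendor.lower().startswith("actiontec")):
        findings.append("five-character ESSID on an Actiontec gateway is the "
                        "Verizon FiOS default; rename it")
    return findings


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Findings for a WPA2 passphrase against the default schemes in the post."""
    findings = []
    if passphrase.isdigit() and len(passphrase) == 10:
        findings.append("10-digit numeric passphrase: phone-number or sticker "
                        "sized keyspace; use a long random passphrase")
    model = re.match(r"^SBG\d{4}", ssid, re.I)
    if model and re.fullmatch(re.escape(model.group(0)) + r"[0-9A-F]{6}",
                              passphrase, re.I):
        findings.append("passphrase is model name plus six hex digits: the "
                        "Motorola default scheme; set your own passphrase")
    return findings


if __name__ == "__main__":
    # Constructed sample values in the shape the post describes.
    for args in [("SBG65800C", "WPA2", "Gemtek Technology Co. Ltd."),
                 ("ABC12", "WEP", "Actiontec Electronics Inc."),
                 ("Smith", "WPA2", "Gemtek Technology Co. Ltd.")]:
        print(args[0], audit_ssid(*args))
    print(audit_passphrase("SBG6580F2A0D1", "SBG65800C"))
    print(audit_passphrase("8781234567", "Smith"))
```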

UPDATE: December 11, 2012
 
Here is the link to a super cool tool called WEPWAP 1.5.
I would like to point out that it only works on 32-bit and not 64-bit. Download it, you will love it.

Tuesday, July 10, 2012

Best WiFi Adapters for Hacking



Ever wonder which wireless adapter to purchase when you want to inject packets using your favorite tool, e.g. BackTrack 5 R2, Beini 1.2.3 and so on? I will rate a few adapters on a scale of 1-10, 10 being the best and 1 the worst, on a general overall rating based on actual signal reception and on speed of packet injection. Don't expect a detailed professional description, as I am NOT a technician, only an ordinary person giving my honest opinion of adapters I have purchased and tested using BackTrack 5 R2.
I personally have tried a few of them out and have found some pretty interesting facts. One: American-made adapters are NOT the best and tend to have weak signal reception. Not necessarily American-made, but products that are on the American market and that you would find in your local Walmart, Target, Kmart or whichever store sells electronic devices.

The TL-WN822N High Gain USB Adapter from TP-LINK is a 300Mbps wireless client, which allows users to connect a desktop or notebook computer to a wireless network and access a high-speed Internet connection. It is fully interoperable with IEEE 802.11 b/g/n wireless devices, delivering speedy 11n speeds and reliable signal for lag-free online gaming, Internet calls or even HD video streaming. (source) $25 U.S.

In it you will find the ATHEROS AR7010 and AR9287 (source). This beautiful white adapter has looks and compatibility, but what it has in looks it lacks in performance. With its dual 3 dBi antennas it delivers little power, increasing reception by about 10% at most; it will certainly disappoint you. So when it comes to trying out packet injection you really can't expect much. Certainly the manufacturer gives a beautiful and attractive description. You will not hear or see them describing their product as "the worst", so always do a bit of research on it first.

RATING: 4




So moving on, next on the list is one that I purchased due to its high-power description and eye-catching device. They too claimed it was "the best". Here's their description of it:


C. Crane US3 Super USB WiFi Antenna 3: This is one of the best home, mobile, or RV WiFi antennas made. Just plug it into the USB port on your computer for powerful WiFi reception. We have incorporated the newest WiFi wireless "N" technology with a connection rate up to 150Mbps for lightning fast file transfers.
This antenna comes with a special USB split cable that offers two plugs to your computer to increase power. Normally one plug works well for a powerful reception. If you need more powerful reception and you have an extra USB port, then plug both into your computer. $100.00


                          

 Antenna Gain: 4.5 dBi
 Chipset Gain: 25 dBm

It mounts easily to your window with suction cups or to the wall using the supplied lanyard and "hook and loop" material. If you are trying to receive a far away signal from outdoors, then the best place for mounting is above the peak of your roof so that signals can be received from miles in every direction. This antenna is made weatherproof, while bouncing harmful UV rays. A standard 15-foot split USB cable is included but you can purchase an optional 30-foot USB cable to reach the peak of your roof. Outdoor mounting is easy with the included cable-tie to secure the antenna to your plastic pole.

While testing it in the small town of Fortuna, California, we were able to see more than 25 different wireless networks and even connect to one over a mile away! Normally, we could only see about 6 networks within range. In further tests we were able to connect to a small wireless router from over 100 yards away, keeping 80% signal strength through several walls and obstructions. You may be surprised at what the Super USB WiFi Antenna 3 can do for you.

But when it comes down to the real thing, a real opinion, here goes mine. As a signal reception device it does pretty well, but the signal is not stable; it tends to drop and rise, drop and rise. When it comes to packet injection, though, this baby is pretty damn good. On weak signals, using this in combination with BackTrack 5 R2 will get you cracking in no time. I recommend it only for packet injection, and it will create a dent in your wallet.
RATING: 8



Another WiFi adapter I tested is the Kasens 990WG 60dbi 6000mw. One word I could say about this adapter: "CRAP". Though it claims to be a high-power adapter, there is nothing high-power about it. It only detected one WiFi signal while my surroundings are infested with WiFi. I was disappointed by the flat panel high gain antenna. $21

In it you will find the 3070 chipset from Ralink, not as good as the 8187, but I did something that turned the bad into good: instead of screwing the flat panel antenna into the adapter I screwed in a regular 5 dBi antenna, so it looked like the one below. Once I did that the signal increased tremendously! It could have been that the flat panel antenna was defective, but with the little alteration I made the rating went up.


So bottom line is this: the adapter is good but, the antenna is not..so I will give 2 different ratings, one with the flat panel antenna and the other with the regular antenna.
RATING w/flat panel: 1
RATING w/regular antenna: 7

                                     
Moving on to the next contender, the well-known ALFA AWUS036H 1000mW Long-Range with Realtek RTL8187L. "The ALFA AWUS036H is by far the best wireless usb device used for hacking and wireless penetration testing. Here at Top-Hat-Sec, it is the only WI-FI USB Adapter worth selling. It is our number one pick! It has the unique ability to be modified, adjusted for signal strength, and accessorized with other antenna's and accessories." according to top-hat-sec.com

7dbi antenna
5dbi antenna


The Alfa AWUS036H is one of the best Wi-Fi cards available on the market. There are many cheap solutions, but their reliability is always questionable. At $28, it just doesn't have any competition. It performs way better than the built-in Wi-Fi cards in laptops. It works with Win98SE/2000/ME/XP, Windows Vista, Windows 7, Linux and Macintosh (OS version 10.4), and the required drivers for ALL of these operating systems ship on the CD-ROM. The drivers are also available at the vendor's site. This card is one of the best for Wi-Fi hacking, wardriving and penetration testing. It comes with a detachable 5 dBi antenna; the same manufacturer also produces 7 dBi and 9 dBi antennas, which cost around $8-$10, so if we want to increase the range we can remove the 5 dBi antenna and put on the 9 dBi one. This Alfa card has an amazing 1000mW output power. We can use the Alfa AWUS036H for many purposes, e.g. to get a better signal at a place where it is difficult to get signals through the laptop's built-in Wi-Fi card. We can combine it with the Alfa R36 and make our own mini hotspot at home. We can use it for wardriving. Packet injection works fine. It can use USB 2.0 as well as USB 1.1. It connects at the full 54 Mbps. For security it has WEP, WPA and WPA2 (personal as well as enterprise). My personal opinion: this is the best adapter for wardriving, hacking, pentesting, or whatever you wish to call it. No problems injecting packets or associating as a client. Two thumbs up!

RATING: 10

Wish to know more about other wireless adapters? Visit xiaopan.co/forums
Great tutorials, hacking tools, scripts and much much more.

Thursday, June 7, 2012

Crack WPA/WPA2 with Reaver 1.4

Many tools are out there for network penetration testing, pentesting or hacking (many ways of seeing it). Anyway, one tool that was updated not too long ago is REAVER 1.4.
Reaver focuses on WPA/WPA2 using a brute-force attack, not the famous dictionary/wordlist attack. Many tools work BUT are very time consuming, taking forever. Reaver performs a brute-force attack against the AP, attempting every possible combination in order to guess the AP's 8-digit WPS PIN. Since the PIN is all numeric, there are 10^8 (100,000,000) possible values for any given PIN.

 



The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.
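The checksum rule and the split-half validation just described, worked through in Python as an added example (not code from the original post or from Reaver). It computes the WPS checksum digit, validates a PIN, and counts how many guesses the two halves need, reproducing the 10^4 + 10^3 figure; the sample PIN is constructed here, reusing the 0524 first half discussed later in the post. From the defender's side the figure is the reason to disable WPS (the external-registrar PIN) on the AP.

```python
"""WPS PIN checksum and split-half search space (added example, not from the
original post). The checksum rule follows the WPS specification; the guess
counts reproduce the 10^4 + 10^3 = 11,000 figure quoted above."""


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum (8th) digit for the first seven digits of a WPS PIN.

    Digits 1, 3, 5 and 7 (counted from the left) are weighted 3, digits
    2, 4 and 6 are weighted 1; the checksum makes the weighted sum a
    multiple of 10.
    """
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("expected a value of at most seven digits")
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)   # odd position from the left: weight 3
        pin //= 10
        accum += pin % 10         # even position: weight 1
        pin //= 10
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if `pin` is eight digits whose last digit is the right checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(int(pin[:7])) == int(pin[7])


def guesses_with_split_feedback(pin: str) -> int:
    """Guesses needed to reach `pin` when the AP confirms each half
    separately and each half is enumerated from 0000 / 000 upwards.
    Worst case: 10**4 + 10**3 = 11000."""
    if not wps_pin_is_valid(pin):
        raise ValueError("not a valid WPS PIN")
    first_half = int(pin[:4]) + 1      # 0000..9999: at most 10,000 tries
    second_half = int(pin[4:7]) + 1    # 000..999: 8th digit is derived
    return first_half + second_half


def guesses_without_split_feedback(pin: str) -> int:
    """Guesses needed if the whole PIN had to be confirmed at once: only
    the checksum helps, so the worst case is 10**7, not 10**8."""
    if not wps_pin_is_valid(pin):
        raise ValueError("not a valid WPS PIN")
    return int(pin[:7]) + 1


if __name__ == "__main__":
    # Constructed sample PIN: first half 0524 as in the post's screenshot,
    # second half chosen here, checksum digit computed.
    sample = "0524123" + str(wps_pin_checksum(524123))
    print(sample, wps_pin_is_valid(sample))
    print("with split feedback   :", guesses_with_split_feedback(sample))
    print("without split feedback:", guesses_without_split_feedback(sample))
```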

My personal experience with Reaver the first time I used it was a bit frustrating, because unlike others I've heard about, for whom it takes about 2-3 hours, or even a case I saw on YouTube of a guy cracking the PIN on the very first attempt (5 seconds to be exact; the PIN happened to be 12345670, which is the first PIN it tries, but it can happen and it did), it took me 60 hours NON-stop, 2 1/2 days. But Reaver did its job. The good thing is that you can pause your session by pressing CTRL + C. (NOTE: if running from a live CD or USB it will NOT save if you turn off the computer.)

So let's move on to the commands. If you don't have BackTrack 5 R2 you will have to upgrade or simply download and install it (super easy). BackTrack 5 R2 has Reaver 1.4 already, so no worries.


airmon-ng

then place your interface into monitor mode by typing

airmon-ng start (type your interface name)

example: airmon-ng start wlan0

Scan for APs:

wash -i mon0 (or your monitor mode interface); add -C at the end if you get some kind of error.

Press Ctrl+C to stop the scan and copy the target BSSID.

Now for the attack I used the following:

reaver -i mon0 -f -c (TYPE IN THE CHANNEL #) -b (PASTE TARGET BSSID) -vv -x 60

Ex: reaver -i mon0 -f -c 1 -b 11:22:33:BB:55:AA -vv -x 60

As you may already know, different commands can be given, and each may work better for one person than for another. The command I normally use is as follows. Be aware that by using this command you run the risk of getting locked out; not all access points like it. It will speed up the cracking process, but you run that lockout risk, so here it goes:

reaver -i mon0 -f -c 6 -a -b 00:11:22:33:44:55 -v -d 0

After -c put the channel of the AP and after -b put the BSSID of the AP.
You will notice the difference in speed.

And the final step is to sit and wait for Reaver to do its magic.
This article is something basic, but there are other commands out there that differ by just a small addition to either of the commands above.

So please comment if you have any questions and comment about your experience with Reaver.

Here is something that could happen to you just as it happened to me. Notice in the image below how it shows 4.85% complete and then makes a huge leap to 90.93% complete in only 14 seconds. The reason is as follows: as Reaver was brute-forcing the PIN, the first half of the PIN was changing, and suddenly the first 4 digits stopped moving and only the last 4, the second half, kept changing. What happened is that it cracked the first half of the PIN, and I was only about 7 minutes into the session. So 7 minutes to crack the first half is pretty good. Notice the first 4 PIN digits are 0524, and from there it only tried the other half, which cut the time it would take Reaver to crack the PIN by more than half.














As you can see above, it took Reaver about 2 hours to acquire the PIN along with the PSK (pre-shared key).

I would like to invite all readers to check out my other posts, which are of great help for those who want to learn network penetration testing. They touch on the basics and are rich in facts. Find out which WiFi adapters work well and which ones are NO good for packet injection. All adapters mentioned have been tested by me. (LINK WILL BE POSTED LATER)



July 2, 2012 UPDATE: Ok, so as I continued to test and play around with Reaver I found out first hand that using the -L option might give you a hard time down the road. What happens is that it gets stuck at 90.90%, trying the same PIN for a very long time.

I saw this happen, and it has been reported mostly on Belkin routers.
Some say that removing the -L option will make Reaver continue trying PINs, but I personally had no luck removing -L. So heads up: don't be shocked or surprised when and if this happens to you.

July 9, 2012 UPDATE: Ok, for those that want the Reaver PRO ISO: I managed to get my hands on a copy and now I will share it with everyone. Just make a bootable USB or disc; a USB is recommended because it's faster than the live disc. DOWNLOAD REAVER PRO HERE

July 12, 2012 UPDATE: A few days back I placed an order for a Kasens 680WN 36 dBi adapter with a Ralink 3070 chipset. Many Reaver users claimed it did not work. Curious about it, I went ahead and tested it myself, and my results are different: the 3070 chipset is 100% working using Xiaopan OS. The reason it would not work for others is most likely that the AP is too far from them, and if it's too far from them it is most likely not their own, which leads to this conclusion: "cracking someone else's AP is ILLEGAL".
