Return to site
Return to site

Aircrack No File To Crack Specified

broken image


It does not overwrite existing session file.R file or -restore-session file Restore and continue a previously saved cracking session. This parameter is to be used alone, no other parameter should be specified when starting aircrack-ng (all the required information is in the session file). Aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it. There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key.

Aircrack-ng No File To Crack Specified Complexity Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. Now, if successful in capturing the handshake, stop airodump and begin cracking the file. To be sure the handshake was captured, run the following in terminal. Aircrack-ng FILENAME-01.cap. Replace FILENAME with whatever you chose to name your file while running airodump. If you are unsure, look in your home directory for the.cap file.

by hash3liZer . 09 September 2019

WPA/WPA2 cracking has been a focus point in the community since many years. And we have tools to aim that focus like aircrack and hashcat. Some new advancements have been made to aid that focus in the past couple of years.

So, Cracking WPA/WPA2 has been quite a topic now. In this tutorial, we are going to cover one of the infamous tools 'hashcat' for cracking WPA/WPA2.

Hashcat which is primarily built for brute forcing different kind of hashes using different kind of attack vectors, supports cracking for two of badly known WPA/WPA2 attacks. Well, for the list of available hashes, you can check the hash modes section in the manual:


In previous, you might have seen or even worked with aircrack to crack WPA/WPA2 by capturing a 4-way handshake. But that was not anywhere close to how perfect could this tool be for the purpose. Besides, hashcat is a GPU + CPU maintained tool which makes it a lot more faster.

In short, if you own a GPU, always go for hashcat or else you could use an online service or buy out some GPU based server on Internet.

We will cover up with two famous WPA/WPA attacks, precisely the cracking of MIC (4-way handshake) and PMKID (1st packet/handshake). So, let's begin.

Installation

Hashcat is built to work on Windows, Linux and as well as on Mac. You can go to hashcat.net and download the binaries and follow the instruction for your operating system. What we are going to do here is clone a fresh copy of hashcat from github and manually install it on a debain based linux.

Preferably, you should use Kali Or Parrot but a similar distro like Ubuntu will work as well.

Update Your Repo's and install the following dependencies:

Clone hashcat from github and move to directory: Block font for mac.

Finally, compile the binaries and we are all set with hashcat.

You may try printing the help manual for hashcat to check whether you have it installed perfectly or not.

Hcxtools:

Now, let's clone and compile hcxtools from github. It is basically a set of various files to convert and generate another version of the supplied input. We will use it to convert the captured traffic into a format understandable by hashcat.

First, clone the repo and move the hcxtools directory:

And finally, run the make command to compile binaries and make necessary changes in path.

After having the requirements installed, we move to the cracking part. Below this, i am dividing the tutorial into two parts, first we will crack the WPA/WPA2 using MIC aka 4-way handshake. While in second, i'll do cracking using PMKID.

PART A

Let's clear how the MIC cracking actually works. So, in this case, we need a valid 4-way handshake. The handshake consists of many keys that are interchanged during the authentication between the client and access point.

These independent keys are used to generate a common key named 'Message Integrity Code (MIC)'. This generated MIC is used to validate the given password by cracker.

Aircrack Ng File To Crack Specified

The algorithm to compute MIC is quite long and tricky and i've have covered that up in another tutorial here. So, let the cracking begin.

STEP 1

Conversion to hccapx format

Supposing you already have a captured 4-way handshake using some tool like airodump, but you still need the proper format to supply it to hashcat. To convert it to a proper format (hccapx), you need another tool.

There are already some online services that you may use: https://hashcat.net/cap2hccapx/

But still in case you are wondering to do it locally, clone the hashcat-utils repo from github:

Finally, compile the binaries. After compiling, you will have the binaries under same directory. The binary file that we need is cap2hccapx.bin. To make sure, you have it correctly compiled, try to execute the file, it will throw you back the syntax:

So, after having it installed, use the below given syntax to convert the .cap file to .hccapx hashcat capture format.

So, this will generate a file by the name 'hashfile.hccapx', which is what we are going to use with hashcat. Now, you may move to whatever directory you want, since will be cracking the final format now.

STEP 2

Cracking WPA/WPA2 (handshake) with hashcat

With hashcat, there is a possibily of various attack vectors. We could do a straight dictionary attack, brute-force attack, combinator attack or even masks attack, i.e. making rules to find various possibilities of trying different characters at different positions.

Anyhow, let's study the actual cracking of WPA/WPA2 handshake with hashcat.

Aircrack No File To Crack Specified Server

Dictionary Attack:

As named, you need a wordlist for it to work. Considering you have solid list of possible wifi passphrases, or if not, you can download the famous ones: https://www.wirelesshack.org/wpa-wpa2-word-list-dictionaries.html

Launch the following command for dictionary attack:

  • -a: specifies cracking mode. In our case it's dictionary mode and '/path/to/dict.txt' is complete path to the wordlist.
  • -m: hash mode. Specifies what type of hash we are dealing with.

In Case You Receive issues regarding Intel CPU or 'No devices found/left', use --force argument to force the usage of your device.

Brute-Force Attack:

The Brute-force is different than the dictionary attack. Here, we try to replace every character at every possible position in a specified length from a given charset. For example, in a string of length 8, we can try every character from A-Z at every postion in this string.

That's how brute-forcing works and hence very time-consuming. Launch the following command to start your first attempt for brute-forcing:

  • -a: specifies the cracking mode and here the value 3 indicates, we are running a brute-force attack.
  • ?d?d?d?d?d?d?d?d: is the brute-forcing rule here. It specifies what kind of values to check, where to replace and also assumes how much time could it take to crack the key.

The above mask i.e. '?d?d?d?d?d?d?d?d' states to check a string of length 8 with a digit at every position. You can study about mask attack here: Hashcat Mask Attack.

PART B

Part A was about the handshake cracking. Whilst now, we are going to crack PMKID with hashcat. The PMKID is located in the 1st packet of 4-way handshake and hence it's kind of more useful because we don't need a complete handshake.

The algorithm to compute PMKID is given which is quite easier than that of MIC.

Let the cracking begin for PMKID.

STEP 1

Getting the PMKID hash

The first thing to proceed with PMKID cracking is the pmkid hash. To generate it we need the first packet of the 4-way handshake. Considering you already have that, we will extract the hash from the captured file.

If you are not aware of how to capture the first packet of 4-way handshake, follow this tutorial.

Let's do the conversion. Execute the below command

This will generate a file by the name pmkid.hash that we will use with hashcat to do the cracking.

STEP 2

Cracking WPA/WPA2 (PMKID) with hashcat

Just like previous part, we will apply the same rules here except for the hash mode argument. The hash mode value for PMKID cracking is 16800.

Dictionary Attack:

As per syntax we have back in the PART A section for dictionary attack, we will use that very same syntax except for the -m argument which defines what kind of hash we want to crack. We will be cracking pmkid (16800) this time.

While this would crack the key by looping through each line given in the wordlist.

Brute-Force Attack:

We will do same here as last section i.e. providing a mask to crack the hash. This time, just to show how powerful these masks could be, i'll use a different one. So, execute the command for brute-force attack:

The above mask will create combinations of string of length 8 with every alphabet at every possible position. And this sounds like a huge combination that may take a lot of time to complete. To make the attack more faster, we can use the GPU.

CPU/GPU

Now, getting into CPU/GPU thing, we just need to know that GPU is a lot more faster than CPU and hashcat have the ability to do cracking on your GPU. Hashcat has following three device modes which can be changed via -d argument:

  • 1: CPU which is by default, selected.
  • 2: GPU
  • 3: DSP, Co-processor.

You can use one of these devices according to what's more suitable for you. For example,

To accomplish PMKID attack on GPU. That's it, i.e. cracking WPA/WPA2 via hashcat.

Conclusion

The conclusion that can be drawn out of all above is that hashcat is not just limited for a number of hashes, infact it's applicable to a wide range of hashes and other possibilities including mixes and concatenated strings. We learned to crack WPA/WPA2 using hashcat.

Besides, hashcat is known of it's power, stability and speed by operating on GPU. It also gives us the possibility of mask attack which let us play with possibilities of testing thousand of thousands strings against the hash.

For Any Questions, Queries, mistakes, you can comment down.

Yesterday, my friend Victor wanted to crack a wifi network (his, of course) using his MacBook Pro.

I told him to use the excellent VirtualBox images of Kali Linux from Offensive Security and aircrack-ng.

I had just forgotten that:

  • Using advanced wireless features is impossible from a virtual machine
  • Even if he used Kali Linux with a dual boot, installing the wireless drivers to make it work with the airport card is tiresome.
  • Most (not airmon-ng) aircrack-ng tools can be installed on macOS with MacPorts, but airodump-ng and aireplay-ng crash.

So PLEASE, if you want to do other advanced networking things than network sniffing or what is described in this article, do yourself a favour and buy an USB adapter to use with the virtual machine.

There is a list on the website of aircrack-ng, and I think the Alfa AWUS051NH v2 is great.Some people say it is expensive, but last time I checked on Google Shopping, it cost less than half an Apple mouse.

There are 3 steps:

  • Identify the target acces point: name (= BSSID), MAC address (= SSID) and channel (~ radio frequency)
  • Sniff the channel in monitor mode to retrieve:
    • a beacon (easy)
    • a handshake (= four-way handshake), or some frames of it (hard)
  • Crack the password using the dump

What makes the retrieval of the handshake hard is that it appears only when somebody connects to the access point.

The good news is that you can deauthentificate people from the wifi network - it's called wifi jamming and it's useful to impress a girl and piss off people at Starbucks.When they reconnect, they re-send the handshake. That adds a Deauth step.

'Install'

Scan

It saves the .cap capture file and displays the path.

If you don't have the beacon or the handshake, it will fail accordingly.

Mta sa rpg gamemode download. For wordlists, see below.

As I said, aireplay-ng doesn't work on a MacBook Pro.The catch is that aireplay-ng can do a lot of other things besides deauth attacks.

You might read that airport cards do not support packet injection, but packet injections are for WEP attacks and nobody uses WEP anymore. We only want to send some deauthentification frames.

Use JamWiFi. A ready-to-use application is provided there.

In fact, you can indentify the target with it too, and it has a really nice GUI.

Once you have selected the access point, you can deauth one or multiple users. Stop after about 50 'Deauths', or else the persons might have trouble to reconnect during several minutes.

It might not work it you are too far from the target as your airport card is far less powerful than the router.

Using airport presents some issues. You cannot know if you got the beacon and the handshake until you stop the capture and try with aircrack-ng.

You capture a lot of unuseful packets too.

Using tcpdump is more efficient.

When you launch those lines, the first tcpdump easily captures a beacon and the second waits for the handshake.

Aircrack No File To Crack Specified Version

Use JamWiFi to deauth some users, and when tcpdump shows you it got 4 frames or more, Ctrl-C. It appears you can use less that 4 frames, but it depends on the frames you got (for instance 1,2 or 2,3 are sufficient). Anyway you should normally get at least 4. If nothing shows, try to deauth another user.

Now you have everything in capture.cap. You can also run aircrack-ng on it.

Like aireplay-ng, aircrack-ng offers so many features that it cannot be the best in everything.

Specified

We can really speed up the process by using hashcat.

Install with brew

Convert with cap2hccapx

hashcat doesn't take cap files, only hccapx files.

Aircrack No File To Crack Specified 64-bit

Just install hashcat-utils and use cap2hccapx

Alternatively, use this online tool.

Crack

This page provides some examples.

To use with a dictionnary:

You have a lot of other options, like brute force:

Refer to the documentation fot more patterns.

Speed

hashcat works on the GPU.

On my MacBook Pro, it yields a performance of 5kH/s: it tests 5000 passwords in a second.

On a Tesla K20m, the speed is 75kH/s. I managed to crack the 5 last lowercase letters of a wifi password in about 1 minute (26**5 // 75000 = 158 seconds to test them all).

We can see here that a GTX 1080 breaks 400kH/s.

I recommend:

For more efficiency, target the networks with silly names (good examples are 'mozart', 'I love cats', 'Harry and Sally'), and avoid the ones called 'National Security Agency', 'sysadmin' and 'sup3r h4x0r'.

To find a password, you have to be lucky and have a good idea of its shape.

A lot of default wifi passwords are composed of 8 or 10 hexadecimal digits.

Aircrack No File To Crack Specified Key

In average (worst case divided by 2) and according to the above benchmark, with a GTX 1080:

  • 8 hexadecimal characters take 90 minutes.
  • 10 hexadecimal characters take 16 days.
  • 12 hexadecimal characters take 11 years.

If you only want free wifi, just do MAC spoofing on a hotspot that uses web login.





broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save