Topic: Aircrack can not find WPA passphrase (Read 12223 times)
limitlessouljah (Newbie, Posts: 21)
Aircrack-ng 1.0rc1 may not find WPA passphrases in a dictionary.
I captured a WPA handshake from my AP and Windows client. The AP is a Linksys 300N and the Windows client is an XP box with an onboard Intel 2200 card.
My attack workstation is running Ubuntu 8.04 with a madwifi card and madwifi-ng driver 0.9.3 with patch.
The AP was configured with the inherently weak passphrase "password" for a demo for one of my classes. After verifying that my chosen passphrase was in my chosen dictionary, I ran aircrack-ng and waited for the SUCCESS screen, but much to my surprise, I received the "passphrase not found" screen.
I ran aircrack-ng 0.7 against this WPA capture, and within minutes it found the passphrase. I even created a five-word dictionary list containing "password" and ran the crack again on both versions. The same results were produced.
I will test some theories I have on why the aircrack-ng WPA crack is broken and report them back here.
PS. I tried to go to TRAC to enter this, but the site kept timing out.
[edit] Attached WPA_eapol_filtered.cap. The SSID is "Red Apple" and the passphrase, again, is "password".
« Last Edit: August 28, 2008, 06:54:50 pm by limitlessouljah »
green-freq (Newbie, Posts: 9)
I know that cowpatty has a problem with dictionary files that are not in Unix format. Did you create the dictionary on a Windows machine or your Unix machine?
You can reduce your cap file to 4 or 5 frames by only including the handshake itself and the appropriate probe response. (The probe response isn't necessary, but it guarantees that the SSID will be known.)
limitlessouljah (Newbie, Posts: 21)
Linux (Unix)...
Also, the exact same dictionary that fails for 1.0rc1 was successful for aircrack-ng 0.7. I also used john the ripper's built in lists to confirm, and again aircrack-ng 1.0rc1 fails, but aircrack-ng 0.7 works...
[EDIT] Clarity
limitlessouljah (Newbie, Posts: 21)
Appears to be broken on the Windows version 1.0rc1 as well... To be sure, I used both a "Unix"-formatted txt file and a "DOS"-formatted text file, both with "password" blatantly in them. Oh, and I guess aircrack needs to see the Beacon packet? Because my filtered cap won't work at all; Aircrack-ng reports it requires an ESSID, but the original cap will... I'll work on it... I promise.
Mister_X
limitlessouljah, try using the -e option.
limitlessouljah (Newbie, Posts: 21)
The -e option doesn't work either... And I tested to see if the [space] was throwing it off... But no, even with an ESSID with no spaces, 1.0rc1 fails to find an obvious passphrase.
darkAudax
limitlessouljah,
Does airdecap-ng decrypt the packets? Does Wireshark decrypt the packets? Did you try the latest SVN version of aircrack-ng? (It has worked for me. Try it with the test files/passphrases that come with aircrack-ng.)
d.
MuffloN (Newbie, Posts: 6)
I've had this problem as well; it appears most often if the correct password is the first one in the word list. Usually changing its position 5-6 lines down works.
Jano
Hi limitlessouljah,
- The file that you posted is not complete; it contains ONLY the "Handshake" (I have tested with Wireshark).
- Why have you deleted the packets that identify the "ESSID"?

jano:~/prove$ aircrack-ng -w password.lst *.cap
Opening wpa2.eapol.cap
Opening wpa.cap
Opening WPA_eapol_filtered.cap
Read 40 packets.

   #  BSSID              ESSID                     Encryption

   1  00:14:6C:7E:40:80  Harkonen                  WPA (1 handshake)
   2  00:0D:93:EB:B0:8C  test                      WPA (1 handshake)
   3  00:1D:7E:2C:B1:AF                            WPA (1 handshake)

Index number of target network ?
Quitting aircrack-ng...

jano:~/prove$ aircrack-ng -w password.lst WPA_eapol_filtered.cap
Opening WPA_eapol_filtered.cap
Read 22 packets.

   #  BSSID              ESSID                     Encryption

   1  00:1D:7E:2C:B1:AF                            WPA (1 handshake)

Choosing first network as target.

Opening WPA_eapol_filtered.cap
An ESSID is required. Try option -e.
Quitting aircrack-ng...

jano:~/prove$ aircrack-ng -w password.lst -e "Red Apple" WPA_eapol_filtered.cap
Opening WPA_eapol_filtered.cap
Read 22 packets.

Opening WPA_eapol_filtered.cap
No matching network found - check your essid.
Quitting aircrack-ng...

- I tested your .cap file with Cowpatty, and I have the same problem.

jano:~/Pentest/cowpatty$ ./cowpatty -r WPA_eapol_filtered.cap -f dict -s "Red Apple"
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete TKIP four-way exchange. Try using a different capture.

- The problem is NOT Aircrack-ng, but your .cap file is incomplete.
Bye Jano
« Last Edit: February 21, 2009, 05:11:16 pm by Jano »
Personal-Server (Online): http://jano.homelinux.net - Notebook: ACER ASPIRE 5601 AWLMi - HDD Maxtor 1TB - Wireless: ALFA AWUS036H, AWUS050NH - Antennas: HyperLink 24-dBi Grid, Panel 14-dBi
Jano
Hello,
- I read the ticket opened by my friend Saxdax, http://trac.aircrack-ng.org/ticket/491#comment:1
- And I noticed something interesting.
- I tested the .cap file with Cowpatty without the "nonstrict patch", and Cowpatty finds the password.

jano:~/Pentest/cowpatty$ ./cowpatty -r Alice-9XXXXXX.cap -f dict -s Alice-9XXXXXX
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: appointment
key no. 2000: canonize
key no. 3000: contraceptive
key no. 4000: division

The PSK is "ulXnXX5iXXpxXXzmxgk2zXXX".

- But if I use Cowpatty with the "patch" (to enable non-strict mode for handshake verification), then the program does not find the password:

jano:~/Pentest/cowpatty$ ./cowpatty -n -r Alice-9XXXXXX.cap -f dict -s Alice-9XXXXXX
cowpatty 4.3 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: appointment
key no. 2000: canonize
key no. 3000: contraceptive
key no. 4000: division
Unable to identify the PSK from the dictionary file.
Try expanding your passphrase list, and double-check the SSID.

Sorry it didn't work out.

4092 passphrases tested in 73.97 seconds:  55.32 passphrases/second

- I think that looking at the patch, we can understand the problem.
- To download the patch: http://www.mediafire.com/?m1yn5rzywfm
Bye Jano
« Last Edit: February 22, 2009, 01:34:44 pm by Jano »
Mister_X
Jano, the issue you're describing is really different from ticket 491. In that ticket, the EAPOL frames contain QoS, which is not the case in your capture file. I created a ticket for your issue: http://trac.aircrack-ng.org/ticket/585
Jano
Hi Mister_X
- I know that it is different, but Saxdax posted the ticket as number 491, and for this reason I have posted here.
- Now I have seen the new ticket.
No problem, bye Jano
« Last Edit: February 22, 2009, 01:35:09 pm by Jano »
darkAudax
Jano,
I was unable to download your test file. However, I suspect that cowpatty is using packets from different handshake groups and thus fails. Even in non-strict mode, it must use packets from the same handshake group. This is because the keying material changes for each handshake group. If there are multiple handshake groups in your capture, try removing the extras and leaving just one.
d.
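Two facts decide this whole thread: the ESSID is the salt of the PBKDF2 step that turns the passphrase into the PMK (so a capture stripped of beacons and probe responses cannot be checked at all, which is why aircrack-ng asks for -e), and the MIC in handshake message 2 is computed over a key that binds both nonces, so message 1 and message 2 taken from two different handshake groups never validate, even with the right passphrase, exactly as darkAudax describes. The following added example (written for this page; not code from the thread, aircrack-ng or cowpatty) walks through that derivation on constructed values and checks a single candidate passphrase against a constructed message 2. The SSID "Red Apple", the passphrase "password" and the BSSID 00:1D:7E:2C:B1:AF are taken from the thread; the client MAC, both nonces, the WPA IE bytes and the EAPOL frame are constructed for the demonstration.

```python
import hashlib
import hmac

# --- Constructed sample handshake (no real capture behind these values) ---
ESSID = "Red Apple"       # SSID named in the thread; it is the PBKDF2 salt
PASSPHRASE = "password"   # demo passphrase named in the thread
AP_MAC = bytes.fromhex("001d7e2cb1af")    # BSSID from Jano's aircrack-ng listing
STA_MAC = bytes.fromhex("0013ce0a0b0c")   # constructed client MAC
ANONCE = bytes(range(0x10, 0x30))         # constructed 32-byte authenticator nonce (message 1)
SNONCE = bytes(range(0x50, 0x70))         # constructed 32-byte supplicant nonce (message 2)
KEY_DATA = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")  # constructed WPA IE
WPA_VERSION = 1                           # 1 = WPA/TKIP (HMAC-MD5 MIC), 2 = WPA2/CCMP (HMAC-SHA1 MIC)
MIC_OFFSET = 81                           # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before Key MIC


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK binds the PMK to both MAC addresses and BOTH nonces; a nonce from another
    handshake group gives a different PTK and therefore a different MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its Key MIC field zeroed. KCK = first 16 bytes of the PTK."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if wpa_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()          # WPA / key descriptor version 1
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]        # WPA2 / key descriptor version 2


def build_msg2(kck: bytes, snonce: bytes, wpa_version: int, key_data: bytes) -> bytes:
    """Construct the EAPOL-Key message 2 a supplicant would send (replay counter 1, SNonce, WPA IE)."""
    descriptor = b"\xfe" if wpa_version == 1 else b"\x02"
    key_info = (0x0109 if wpa_version == 1 else 0x010A).to_bytes(2, "big")  # version | pairwise | MIC
    body = (descriptor + key_info + (0).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8          # Key IV, Key RSC, Key ID
            + b"\x00" * 16                                              # Key MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body          # 802.1X v1, type 3 = EAPOL-Key
    mic = eapol_mic(kck, frame, wpa_version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def sample_msg2() -> bytes:
    """The constructed message 2 for the sample handshake, with a MIC computed from PASSPHRASE."""
    pmk = pmk_from_passphrase(PASSPHRASE, ESSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(kck, SNONCE, WPA_VERSION, KEY_DATA)


def handshake_validates(passphrase: str, essid: str, ap_mac: bytes, sta_mac: bytes,
                        anonce: bytes, snonce: bytes, eapol_msg2: bytes, wpa_version: int) -> bool:
    """True when the candidate passphrase reproduces the MIC carried in message 2.
    Needs the ESSID (salt), both MACs, the ANonce from message 1 and the SNonce/MIC from message 2,
    all from the SAME handshake group."""
    pmk = pmk_from_passphrase(passphrase, essid)
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    expected = eapol_mic(kck, eapol_msg2, wpa_version)
    return hmac.compare_digest(expected, eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    msg2 = sample_msg2()
    other_anonce = bytes(range(0x90, 0xB0))  # constructed ANonce from a different handshake group
    print("correct passphrase, same group :", handshake_validates(PASSPHRASE, ESSID, AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, WPA_VERSION))
    print("wrong ESSID ('RedApple')       :", handshake_validates(PASSPHRASE, "RedApple", AP_MAC, STA_MAC, ANONCE, SNONCE, msg2, WPA_VERSION))
    print("ANonce from another handshake  :", handshake_validates(PASSPHRASE, ESSID, AP_MAC, STA_MAC, other_anonce, SNONCE, msg2, WPA_VERSION))
```

Running the block prints True for the complete handshake and False for the other two cases. The second case is limitlessouljah's filtered capture: with no beacon or probe response there is no ESSID, so the salt is unknown and no candidate can be checked, regardless of the wordlist. The third case is darkAudax's point about handshake groups: message 1 of one exchange paired with message 2 of another carries two nonces that were never used together, so the right passphrase still fails, which is also why tools insist on a complete exchange before they start.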