Aircrack-ng forum
General Category => General help => Topic started by: nooby22 on July 14, 2015, 08:17:37 pm
-
I am still a relative newbie so please bear with me. I was able to capture WPA handshakes from 2 APs. I ran aircrack (on Kali Linux) using 5 wordlists which ranged in size between approx. 50 KB and 150 MB. The password was not found using any of the wordlists. I also tried an online cracker at http://wpa.darkircop.org/ with no luck.
I noticed the wordlists I've been using all have words. I need passwords which are a random combination of letters and numbers, lowercase and uppercase, 10 characters long. My second question is, is there a way to get the modem/router vendor and/or model number from the MAC address?
PS: On a side note, I was having a hard time capturing WPA handshakes, but when I started using interface wlan0 instead of mon0, it worked right away! Just a tip for you guys...
-
1. Look in the FAQ; there might be wordlists that match that. Or use crunch.
2. Yes, partially. The first few bytes of the MAC tell you who the manufacturer is. It is possible to fingerprint based on how they respond to different types of frames (there was a talk about it years ago), but I don't think it's maintained or updated.
-
Hello nooby22, I feel your pain! lol
I saw an access point named something like:
DG860AB1
I found that the default password was like this:
DG860A1CAAB1
In such cases you can make a small wordlist containing all the default passwords for routers starting with DG860A with "Cripple-Master". It also works on more than just the ARRIS model mentioned above! Check it out:
github.com/GuerrillaWarfare/Crippled
-
is there a way to get the modem/router vendor and/or model number from the MAC address?
If the router has WPS enabled, have a look in the probes, especially in the category "WPS". You may see there the serial number and the exact model (it depends; some devices show minimal information, others give away a lot of data).
You can do
sudo iw dev scan
And you will get directly the information in the shell.
Check what I get: (http://pix.toile-libre.org/upload/original/1441030938.png)
The only thing this Technicolor router doesn't give away is the WPA key ;D
@ Hosehead1
This repository seems to be down.
According to this post, crippled wpawpa2 default key generator (https://evilzone.org/scripting-languages/crippled-wpawpa2-default-key-generator/), the tool just included the algorithm revealed by Numlock in this PDF: Numlock PDF (http://www38.zippyshare.com/v/89004997/file.html)
Numlock didn't make any PoC, but it is quite easy to do manually, or you can use this simple bash script to generate the default WPA key: blk.sh (https://www.wifi-libre.com/img/members/3/blk.zip)
This webpage is quite interesting, with a fairly complete set of online default WPA generators: routerpwn (http://www.routerpwn.com) (and it includes this Belkin generator).
Do you have more information about this ARRIS default WPA? I was not able to find anything and I am interested. Thanks in advance :)
-
Hello kcdtv,
Darn that page for going AWOL on us; I myself just downloaded Cripple-master only a few days ago! Here is some text off its (now missing) page:
----------------------------------
Susceptible "Modems":
1. DDW365 - DDW365[XXXX]XX
2. SBG6580 - SBG6580[XXXX]XX
3. U10C022 - U10C022[XXXX]XX
4. DDW3611 - DDW3611[XXXX]XX
5. DDW3612 - DDW3612[XXXX]XX
6. TG852G - TG852G[XXXX]XX
7. DWG875 - DWG875[XXXX]XX
8. TG1672G - TG1672G[XXXX]XX - Proven, but not the highest success rate.
9. DVW3201B - DVW3201B[XXXX]XX - Proven, but not the highest success rate.
Belkin:
Vulnerable SSIDs:
1. Belkin.XXXX
2. Belkin_XXXXXX
3. belkin.xxxx
4. belkin.xxx
Vulnerable BSSIDs:
1. 94:44:52
2. 08:86:3B
3. EC:1A:59
Usage:
./crippled -e belkin.4e4 -b EC:1A:59:08:86:3B belkin
Generating all possible keys for belkin.4e4
Generated 8 keys for belkin.4e4
The file belkin.4e4.possible.keys has your generated keys.
----------------------------------
I saved the webpage, and could zip and upload the page plus the tool. (Are noobs like me allowed to post download links here?)
-
Damned! :D
I am sure there is no problem to put a link ;)
Anyway, this text file that you saved from destruction is already telling us a lot :) with this list of devices with this very bad key structure.
Thanks a lot!
-
OK kcdtv, I'm back. Here are download links for the Crippled-Master tool along with the saved webpage. It's about a 27.3 MB download:
http://filepi.com/i/aGpsT2g
but if that link dies you can get the same file from this other host:
http://www18.zippyshare.com/v/3PESEsdY/file.html
-
Great! Thank you so much. :)
-
Hello kcdtv,
Regarding your reply #3, I cannot get the information to show in the terminal as you illustrate in the image. Exactly what steps are needed to get there?
And BTW, this:
iw dev scan
doesn't work for me in Kali 2.
Any help will be greatly appreciated!
-
>iw dev scan
Make sure "dev" is the device to use:
iw wlan0 scan
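The two defender-side checks discussed in this thread (reading the vendor out of the BSSID's OUI, and reading the model/serial fields a router advertises in its WPS information element via `iw wlan0 scan`) can be scripted so you can audit what your own access points leak. The script below is an added example written for this thread; it is not part of aircrack-ng, iw, or the Crippled tool. The scan text it parses is a constructed sample in the shape of `iw wlan0 scan` output (the MACs, SSIDs and WPS values are made up), the OUI table holds only the three Belkin prefixes listed above (a real audit would load the IEEE OUI list), and the default-SSID patterns are built from the model names and SSID shapes quoted in this thread.

```python
import re
import sys

# Constructed sample in the shape of `iw wlan0 scan` output. Real iw output
# uses tabs for indentation; the parser strips whitespace so either works.
SAMPLE_SCAN = """\
BSS ec:1a:59:12:34:56(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: belkin.4e4
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Authentication suites: PSK
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Manufacturer: ExampleVendor
         * Model: ExampleModel
         * Model Number: EX-1234
         * Serial Number: SN0000001
         * Device name: ExampleRouter
BSS 02:00:00:aa:bb:cc(on wlan0)
    freq: 2412
    signal: -60.00 dBm
    SSID: homenet
    RSN:     * Version: 1
         * Authentication suites: PSK
"""

# OUI prefixes this thread attributes to Belkin; extend from the IEEE list.
OUI_VENDOR = {"94:44:52": "Belkin", "08:86:3B": "Belkin", "EC:1A:59": "Belkin"}

# SSID shapes quoted in the thread as factory defaults (Belkin.XXXX,
# belkin.xxx, and SSIDs that start with an ARRIS/Ubee model name).
DEFAULT_SSID_PATTERNS = [
    re.compile(r"^belkin[._][0-9a-f]{3,6}$", re.IGNORECASE),
    re.compile(r"^(DDW365|SBG6580|U10C022|DDW3611|DDW3612|TG852G|DWG875"
               r"|TG1672G|DVW3201B|DG860A)", re.IGNORECASE),
]

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def parse_iw_scan(text):
    """Return one dict per BSS: bssid, ssid and the WPS key/value fields."""
    networks, current, section = [], None, None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            current = {"bssid": m.group(1).upper(), "ssid": None, "wps": {}}
            networks.append(current)
            section = None
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line.startswith("*"):  # continuation of the current section
            if section == "WPS":
                key, _, value = line.lstrip("* ").partition(": ")
                current["wps"][key.strip()] = value.strip()
            continue
        # Any other line opens a section: "SSID: x", "RSN: ...", "WPS: * ...".
        name, _, rest = line.partition(":")
        section = name.strip()
        rest = rest.strip()
        if section == "SSID":
            current["ssid"] = rest
        elif section == "WPS" and rest.startswith("*"):
            key, _, value = rest.lstrip("* ").partition(": ")
            current["wps"][key.strip()] = value.strip()
    return networks


def oui_vendor(bssid, table=OUI_VENDOR):
    """Vendor for the first three octets of the BSSID, or None if unknown."""
    return table.get(bssid.upper()[:8])


def is_locally_administered(bssid):
    """True if the U/L bit is set: no vendor OUI applies (randomised MAC)."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def looks_like_default_ssid(ssid):
    return any(p.match(ssid or "") for p in DEFAULT_SSID_PATTERNS)


def audit(networks):
    """Flag what each AP discloses: WPS on, serial/model in the IE, default SSID."""
    report = []
    for n in networks:
        issues = []
        if n["wps"]:
            issues.append("WPS advertised")
            if n["wps"].get("Serial Number"):
                issues.append("serial number exposed in WPS IE")
            if n["wps"].get("Model") or n["wps"].get("Model Number"):
                issues.append("model exposed in WPS IE")
        if looks_like_default_ssid(n["ssid"]):
            issues.append("SSID looks like a factory default")
        report.append({"bssid": n["bssid"], "ssid": n["ssid"],
                       "vendor": oui_vendor(n["bssid"]),
                       "locally_administered": is_locally_administered(n["bssid"]),
                       "issues": issues})
    return report


if __name__ == "__main__":
    # `iw wlan0 scan | python3 audit.py -` audits real output; no args uses the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SCAN
    for entry in audit(parse_iw_scan(text)):
        print(entry)
```

For a home or small-office audit the useful output is the issues list: an AP whose serial number and model appear in the WPS element, or whose SSID still carries the factory pattern, is the one to reconfigure (disable WPS, rename the SSID, and replace the default passphrase).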
-
It seems the current location of the Crippled-Master tool on GitHub is: https://github.com/Konsole512/Crippled