Tool of choice is still Beini, the latest (and last ever) version being 1.2.5. Alternative are Xiaopan OS and Backtrack, but I'm too lazy to experiment.
As discussed in a previous post, WEP networks are easiest to hack because all Feeding Bottle needs to do is to collect enough IVs, and the password is eventually revealed. Protip: Instead of using the default ARP Replay Attack, try using P0841 Replay Attack or even Fragmentation Forge Attack as the attack parameter (with Fake Auth by force enabled). This gets you lots of IVs in a short time.
WEP is one thing, and WPA/WPA2 is another. Basically, what we're after is to capture a 4-way handshake between the WiFi router and the client(s). If you can't wait for the authentication to happen, just press the Deauth button (every few minutes) to force the step. That said, sometimes the client just drop out with authenticating again (for some reason). Once the handshake is captured, we can then try to crack the password using dictionaries. For my testing purposes, I have Beini running on a 256MB USB stick. Not enough to host those 13GB dictionaries. What I have on hand are darkcode.lst and rockyou.txt (from Backtrack and Kali) and a small dictionary set called fcicq-dict-unidct-20100410.tce. So far, can't find a match for my WPA2 password. Either the dictionaries are crap, or my password is very secure.
Technically, it IS possible to crack WPA/WPA2 without using dictionaries. Instead of cracking the WPA password, you crack the WPS PIN, and get in that way. Using the open-source reaver, Inflator scans for a WPS-enabled AP, then uses brute-force attack to guess the WPS PIN. It does take a couple of hours minimum, especially if the router has AP rate-limiting feature, but Inflator/reaver will get the password eventually.
No comments:
Post a Comment