Crack Wifi Backtrack 5

Backtrack is one of the most popular Linux distributions used for Penetration testing and Security Auditing. The Backtrack development team is sponsored by Offensive Security. On 13th August 2012, Backtrack 5 R3 was released. This included the addition of about 60 new tools, most of which were released during the Defcon and Blackhat conference held in Las Vegas in July 2012. In this series of articles, we will look at most of the new tools that were introduced with Backtrack 5 R3 and look at their usage. Some of the notable changes included tools for mobile penetration testing, GUI tools for Wi-fi cracking and a whole new category of tools called Physical Exploitation.

There are two ways to get up and running quickly with Backtrack 5 R3. If you are already running Backtrack 5 R2, you can upgrade to Backtrack 5 R3 by following the steps described on this page. Or you can do a fresh install of Backtrack 5 R3 from the downloads section on Backtrack's official website.

According to Backtrack's official website, the new tools released with Backtrack 5 R3 are libcrafter, blueranger, dbd, inundator, intersect, mercury, cutycapt, trixd00r, artemisa, rifiuti2, netgear-telnetenable, jboss-autopwn, deblaze, sakis3g, voiphoney, apache-users, phrasendrescher, kautilya, manglefizz, rainbowcrack, rainbowcrack-mt, lynis-audit, spooftooph, wifihoney, twofi, truecrack, uberharvest, acccheck, statsprocessor, iphoneanalyzer, jad, javasnoop, mitmproxy, ewizard, multimac, netsniff-ng, smbexec, websploit, dnmap, johnny, unix-privesc-check, sslcaudit, dhcpig, intercepter-ng, u3-pwn, binwalk, laudanum, wifite, tnscmd10g, bluepot, dotdotpwn, subterfuge, jigsaw, urlcrazy, creddump, android-sdk, apktool, ded, dex2jar, droidbox, smali, termineter, bbqsql, htexploit, smartphone-pentest-framework, fern-wifi-cracker, powersploit, and webhandler. We will be discussing most of these tools in this series.

Fern Wi-fi cracker is a program written in Python that provides a GUI for cracking wireless networks. Normally, you need to run aireplay-ng, airodump-ng and aircrack-ng separately in order to crack wireless networks, but Fern Wi-fi cracker makes this job very simple by acting as a facade over these tools and hiding all the intricate details. It also comes with a bunch of tools that help you perform attacks like session hijacking, locating a particular system's geolocation based on its MAC address, etc.

Fern Wi-fi cracker can be found under the category Wireless Exploitation tools as shown in the figure below.

Before starting with Fern Wi-fi cracker, make sure that you have a Wi-fi card that supports packet injection. In my case, I am running Backtrack 5 R3 as a VM and I have connected an external Alfa Wi-fi card to it. You can verify whether your card can be put into monitor mode by typing airmon-ng, which will show you the list of interfaces that can be put in monitor mode. Once this is done, open up Fern Wi-fi cracker.

Select the appropriate interface on which you want to sniff.

Once you have selected it, it will automatically create a virtual interface mon0 on top of the selected interface wlan0 as is clear from the image below.

Now, click on Scan for access points. As you can see from the results, it found 4 networks with WEP and 1 network with WPA.

In this case, we will be cracking a WEP network named Infosec test which I set up for testing purposes. Click on the network Infosec test and it will show you its specific information like the BSSID of the access point, the channel on which the access point is transmitting, etc. On the bottom right, you can select from a variety of attacks like the ARP request replay attack, the Caffe Latte attack, etc. In my case, I will be going for an ARP request replay attack. Once this is done, click on Wi-fi attack and this will start the whole process of cracking WEP.

You will now see that some IVs are being captured as shown in the image below. The tool will also tell you whether your card is injecting ARP packets properly, as shown in the bottom right section of the image below.

Once enough IVs have been collected, it will start cracking the WEP key automatically.

Similarly, Fern Wi-fi cracker can be used to crack WPA. It just makes the whole process so simple for us. It also provides some extra functionality for hijacking sessions and locating a computer's geolocation via its MAC address. I recommend you check it out.

Imagine you have to scan a huge network containing thousands of computers. Scanning via nmap from a single computer will take quite a long time. In order to solve this problem, Dnmap was created. Dnmap is a framework which follows a client/server architecture. The server issues nmap commands to the clients and the clients execute them. In this way, the load of performing such a large scan is distributed among the clients. The commands that the server gives to its clients are put in a command file. The results are stored in log files which are saved on both the server and the client. The whole process of running Dnmap follows these steps.

Create a list of commands that you want to run and store it in a file, say commands.txt. Note the IP address of the server.

Run the dnmap server and give the commands file as an argument.

Connect the clients to the server. Note that the server should be reachable from the client.

Let's do the demo now. I have 2 virtual machines both running Backtrack 5 R3. I am going to run the Dnmap server on one of the virtual machines and a client on the second one.

Open dnmap under the category Information Gathering – Network Analysis – Identify Live hosts. The next step is to create a commands.txt file. As you can see from the image below, I have 3 commands in the commands.txt file.

Now type the command as shown in the image below to start the dnmap server. I have started the dnmap server to listen on port 800. As you can see, it currently detects no clients. Hence the next step is to get some clients to connect to this dnmap server. Also, it is better to specify the location of the log file that will be holding all the results.

On my other BT machine, I run the following command to connect the client to the server. Note that the internal IP address of my dnmap server is 10.0.2.15 and since my other virtual machine is also in the same internal network, it is able to reach the server. You also need to specify the port on the server to which you are connecting. Specifying an alias for the client is optional.

Once the client establishes connection with the server, you will see that the client starts executing the commands that it is getting from the server.

On the server side, you will notice that it recognizes this client and shows it in the output. It also keeps giving you regular information like the number of commands executed, uptime, online status etc.

Once the scans are completed, dnmap stores the results in a directory named nmap_output. The results are saved in .nmap, .gnmap and .xml formats. There are separate output files for each command. It is advisable to clear all the previous files in the nmap_output directory or save them somewhere else before starting a new scan. Here is what a sample response file looks like.

In this article, we looked at a couple of the most popular tools that were introduced with Backtrack 5 R3. In further articles in this series, we will be discussing many other new tools that were shipped with Backtrack 5 R3. If there is a particular tool that you want me to write about or if you have any questions, comments or suggestions regarding this series, please write them down in the comments below.

Today I am going to teach you how to easily hack a WPA/WPA2-PSK enabled network using Reaver. For that, the targeted router must support WPS (WiFi Protected Setup), which is supported by most routers nowadays. WPS is an optional device configuration protocol for wireless access points which makes it easier to connect.

This feature exists in most routers for an easy setup process through the WPS PIN, which is hard-coded into the wireless access point. Reaver takes advantage of a vulnerability in WPS. Thanks to Craig Heffner for releasing an open-source version of this tool named Reaver that exploits the vulnerability. In simple terms, Reaver tries to brute-force the PIN, which in turn reveals the WPA or WPA2 password after enough time.

You do not have to be an expert at Linux or even at using a computer. The simple command-line console will do everything. But you may need a lot of time for this process and also some luck. The brute force may take from 2 hours to more than 10 hours. There are various ways to set up Reaver, but here are the requirements for this guide.

Backtrack OS. Backtrack is a bootable Linux distribution with lots of pen-testing tools. You can use various other Linux distributions but I prefer Backtrack. If you don't know how to install Backtrack then please check this link first.

A computer and wireless network card. I cannot guarantee that this will work with all internal wireless cards, but I recommend an external wireless card.

A lot of patience. The process is simple but brute forcing the PIN takes a lot of time, so you have to be patient. Kicking the computer won't help you this time.

Now you should have a backtrack OS ready for action.

You can use any method to boot into Backtrack, such as a live CD, VMware, dual boot, etc. Boot it into GUI mode and open a new console (command line) from the taskbar. During the boot process, BackTrack will prompt you to choose the boot options. Select BackTrack Text – Default Boot Text Mode and press Enter.

After some time Backtrack will take you to a command line prompt where you should type startx and press Enter. BackTrack will then boot into Graphical User Interface (GUI) mode.

Step 2: Install Reaver (skip this step if you are using BackTrack 5)

Reaver should already be installed in Backtrack 5, but if you are using an older Backtrack or any other Linux distribution you can install Reaver using the few steps below.

First, connect your BackTrack to the internet. For a WiFi connection go to Application > Internet > Wicd Network Manager.

Select your network and click connect and input your password if necessary, click OK and click CONNECT the second time.

Now that you are connected to the internet, it's time to install Reaver. Click the terminal icon in the menu bar, and at the console type the following:

Now if everything worked fine you will have a freshly installed Reaver tool. If you are testing it on your own system then please go to Wicd Network Manager and disconnect yourself first.

Before launching the Reaver attack you need to know your target wireless network name, its BSSID (the series of unique letters and numbers of a particular router) and its channel number. To find these, put your wireless card into monitor mode and gather the required information about the access points. So let us do all these things.

First let's find your wireless card. Inside the terminal or console, type:

Press Enter and you should see a list of interface names of different devices. There should be a wireless device in that list if you have connected it to BackTrack. It will probably be wlan0 or wlan1.

Note: To connect your wireless network card to VMware, first connect it to the USB port and you will see a small USB icon, like in the figure, in the top right of VMware. Then right click on it and click connect. Finally, the USB sign will turn green and start to glow.

Enable monitor mode. Supposing your wireless card interface name is wlan0, type this command in the same console.

This command will create a new monitor mode interface mon0, like in the screenshot below, which you should make a note of.

Search for the BSSID of the access point (router) you want to crack. There are a few ways to search for the access point BSSID, but I prefer to use the inbuilt Reaver search method, which shows only the list of WPS-vulnerable BSSIDs.

In the console type the following command and press Enter:

You will see the list of wireless networks that support WPS and are vulnerable to Reaver, as seen in the screenshot below. After a few minutes you can stop the scan by pressing Ctrl+C.

I suggest you try to crack the ones which have WPS lock disabled, that is, those that say NO in the WPS Locked column. It may also work if it says YES but I am not sure of that. Copy the BSSID of the target AP, keep a note of its channel, and in the console type the following and press Enter:

reaver -i monitormode -c channel -b targetbssid -vv

In my case the monitor mode interface is mon0, the channel is 1 and the target BSSID is C8:3A::. The -vv option shows the current statistics of the attack, such as the percentage completed and the PIN currently being brute-forced. So we type the following and press Enter:

reaver -i mon0 -c 1 -b C8:3A:: -vv

Press Enter and if everything goes right you will see the attack process like in the screenshot below. Please note that you will not get "Restore previous session" like me; I have already tried to crack it, so it is prompting me to either resume from that paused point or not. Your progress will also be saved if you press Ctrl+C. It will prompt you the same way if you run the same command again, and you can resume from there.

Now just wait or have some coffee and let Reaver do its magic. It might take from 2 hours to 10 hours or more. A WPS PIN has 8 numeric digits, but the WPS authentication protocol cuts the PIN in half and validates each half separately. Since the last digit of the PIN is a checksum value which can be calculated from the previous digits, there are 10^4 = 10,000 possible values for the first half and 10^3 = 1,000 values for the second half. So the WPS PIN can be found within 11,000 possible PIN codes. Some APs can check WPS PINs at a rate of 1 PIN per second and some take longer, so the time depends on the AP and also on the network connection strength.
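The arithmetic above, as an added Python example (not part of the original tutorial): it checks the 10,000 + 1,000 split using the standard WPS PIN checksum and estimates how an AP-side lockout stretches the worst case. The lockout policy used here (60 seconds after every 3 failures) is a constructed sample value, not taken from any specific AP.

```python
def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit matches the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def second_half_candidates(first_half: str) -> int:
    """Count the 4-digit second halves that pass the checksum once the first half is fixed."""
    return sum(is_valid_pin(first_half + f"{n:04d}") for n in range(10_000))


def search_space() -> dict:
    """Candidate counts when the PIN is validated as a whole vs. in two halves."""
    first = 10 ** 4
    second = second_half_candidates("0000")  # same count for any first half
    return {"whole_pin": 10 ** 7, "first_half": first,
            "second_half": second, "split": first + second}


def worst_case_hours(attempts, secs_per_attempt=1.0, lock_after=None, lock_secs=0):
    """Worst-case duration; optionally the AP locks WPS for lock_secs after every lock_after failures."""
    total = attempts * secs_per_attempt
    if lock_after:
        total += ((attempts - 1) // lock_after) * lock_secs
    return total / 3600.0


if __name__ == "__main__":
    space = search_space()
    print(space)
    print("whole-PIN validation, 1 PIN/s :", round(worst_case_hours(space["whole_pin"]), 1), "h")
    print("split validation, 1 PIN/s     :", round(worst_case_hours(space["split"]), 2), "h")
    # Constructed policy: lock WPS for 60 s after every 3 failed attempts.
    print("split + lockout (3 fails/60 s):", round(worst_case_hours(space["split"], 1.0, 3, 60), 2), "h")
```

The split validation is what brings the worst case down from thousands of hours to about three; a lockout only slows the search, while turning WPS PIN authentication off on the AP removes the 11,000-candidate path altogether.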

When the PIN is successfully brute-forced, Reaver will show you the WPS PIN and the plain password of the AP, as in the screenshot below.

I recommend you keep a note of the WPS PIN so that if the password is changed again you can hack it in a few seconds the next time by using the following process.

reaver -i monitor interface -b BSSID -c channel --pin 8 digit pin -vv

reaver -i mon0 -b :: -c 1 --pin 12345678 -vv

Now for the error part, as you might get a bunch of errors depending upon your conditions. You might get some timeouts, which is normal, but if you are getting other errors then see the Error section below.

If you are getting the following error then check the corresponding solution for it.

If 10 consecutive unexpected WPS errors are encountered, a warning message will be shown. Since this may be a sign that the AP is rate limiting PIN attempts, you can make Reaver wait whenever these warning messages appear by issuing the following command:

reaver -i mon0 -b :: --fail-wait 360

The default receive timeout period is 5 seconds. This timeout period can be set manually if necessary (minimum timeout period is 1 second):

The default delay period between pin attempts is 1 second. This value can be increased or decreased to any value. Please note that 0 means no delay:

So here ends the tutorial on how to crack a wireless network easily using Reaver. Good Luck Hacking
