Seguridad Wireless - Wifi
General => Universo Wireless => Mensaje iniciado por: Hwagm en 30-09-2018, 08:12 (Domingo)
-
We are pleased to announce our third release this year. It focuses a lot on code quality and adds a few visible features:
PMKID cracking
Crack 802.11w capture files
Speed and memory usage improvement when loading (large) files with Aircrack-ng and Airdecap-ng
Packages for Linux distributions and Windows
While we didn't bring as much as in the previous release, we keep on improving continuous integration/delivery tools and our code quality keep increasing.
Other notable changes in this release:
Fix building on various platforms
Improved and tweaked our CI/CD processes
Using new CI/CD tools for our buildbots and packaging, PyDeployer
Almost doubled the amount of tests
PMKID
On routers with 802.11i/p/r, the AP can cache an "ID" for the connection so roaming clients don't have to waste frames reauthenticating and just use the PMKID, which helps decrease a bit the latency (from 6 frames to only 2).
Calculation is of the PMKID is done this way:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)
A big advantage here is that this PMKID is present in the first EAPoL frame of the 4-way handshake.
A few caveats about this attack:
Sometimes APs send empty PMKID
It doesn't work on WPA/WPA2 Enterprise networks
When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo, notice the "with PMKID" on the same line:
(https://1.bp.blogspot.com/-Xt_rnNcb_SA/W62QM0VOjMI/AAAAAAAAAHA/NPghIpo1q2g8guCmg385Y7PLsMhEV-P9gCK4BGAYYCw/s1600/1.4.png)
When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).
If you'd like to test, two capture files with PMKID are available in our test files:
test-pmkid.pcap
test1.pcap
More details about the attack itself can be found in this post.
Packages
Distros often have old versions of Aircrack-ng in their repository. Sometimes a few years old. We recently decided to tackle this issue to provide recent versions, and for multiple OSs.
For CI/CD, we have been using buildbots, on top of Travis CI and AppVeyor, to automatically build aircrack-ng on multiple platforms and multiple distros. It happens to every commit done to the master branch in our GitHub repository.
We recently added packages building to the buildbots for a bunch of different distro: Debian, Ubuntu, Mint, SLES, OpenSuse, Fedora, RHEL, CentOS, Amazon Linux and Elementary OS. Stable release packages will be available shortly.
More details will be provided in a separate blog post.
https://aircrack-ng.blogspot.com/2018/09/aircrack-ng-14.html?m=1
-
https://github.com/aircrack-ng/aircrack-ng/raw/master/test/test-pmkid.pcap
https://github.com/aircrack-ng/aircrack-ng/raw/master/test/test1.pcap
-
primer archivo crackeado ;D ;D ;D ;D
aries@aries:/opt/crack-keys$ aircrack-ng '/home/aries/Descargas/test-pmkid.pcap'
Opening /home/aries/Descargas/test-pmkid.pcap
Read 2 packets.
# BSSID ESSID Encryption
1 00:12:BF:77:16:2D WLAN-771698 WPA (0 handshake, with PMKID)
[00:00:06] 16056 keys tested (2477.03 k/s)
KEY FOUND! [ SP-91862D361 ]
Master Key : 79 7D 07 FA A7 64 19 5C AB E5 F6 29 2D 0E DE E1
B1 04 7B B4 02 F8 AF DE E0 C4 97 C4 59 66 15 E1
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 segundo archivo crackeado
[00:00:08] 15408 keys tested (1865.60 k/s)
KEY FOUND! [ 15211521 ]
Master Key : 6D 0B 22 77 1F 24 4A 2A D7 23 50 3D A5 00 26 E1
AC 23 1A 5A 90 CD 9E F8 56 7F D9 58 BA 0A CB 94
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>:( >:( >:( >:(
-
Supongo que seguimos con la limitación del diccionario.
Pero no deja de ser sorprendente que, la en primera red crackeada la clave es conpleja, necesitaría de un diccionario muy grande y en 16000 intentos ya da con la clave.
Si realmente es tan bueno, los desarrolladores deberían incluir ests suite en la nueva versión de fifislax.
-
Supongo que seguimos con la limitación del diccionario.
Pero no deja de ser sorprendente que, la en primera red crackeada la clave es conpleja, necesitaría de un diccionario muy grande y en 16000 intentos ya da con la clave.
Si realmente es tan bueno, los desarrolladores deberían incluir ests suite en la nueva versión de fifislax.
la limitación del diccionario para fuerza bruta la vas a tener siempre.
no te hace falta diccionarios muy grandes. solo buenos algoritmos a la hora de crear diccionarios al vuelo.
P.D. aquí tienes un decrypter para generar ese algoritmo del primer archivo .cap
edit; las combinaciones que hace el decrypter son de 4096. osea que en unos segundos esta comprobado el diccionario.
para crearlo en .txt es necesario poner [>] en la terminal
ejemplo:
speedport_gen > diccionarioesto creará el diccionario con nombre diccionario.
https://github.com/shilch/speedport_gen
son routers alemanes, Speedport devices (Telekom) modelo W700V
(https://bilder.markt.de/images/2013/07/07/13/47ff4bc4/medium_image_5.jpg?lastModified=1373196221000)
solo hay que buscar un poco de información por la red..
-
Pues para Telekom de Alemania existe ese decrypter. Pero yo no encuentro nada similar para las redes de Movistar o MiFibra de España.
Un saludo.
-
bueno eso es porque la gran mayoría no comparte datos de las redes para ver como hacer un decrypter o si es posible hacerlo.
no en todos los routers modernos se pueden hacer un decrypter, con el paso del tiempo han aprendido a que las contraseñas sean completamente aleatorias y no seguir ningún tipo de patrón.