
This is Google’s cache of http://www.hackforums.net/archive/index.php/thread-321253.html. It is a snapshot of the page as it appeared on Jun 27, 2010 04:11:32 GMT.


Hack Forums

03-18-2010, 05:05 PM
Is it possible to decode WPA without using dictionary?

Yes it is possible. You can do it in 4 simple steps.

How to decode (read as intercept) a WPA network key without using a dictionary
———————————————————————————————–

Step 1. Setup your rogue AP
————————————–
Set up a rogue (aka phishing, clone, honey-pot, evil-twin) access point duplicating the exact essid, channel and login web interface of the real AP.

Download WPA_without_dic

Code:
http://www.box.net/shared/okgm90l2k5

WPA_without_dic will automatically set up and transform your ordinary wifi adapter into an ACCESS-POINT, DNS resolver, DHCP, POP3, FTP, HTTP, CONTROLLER-SERVLET and FAKE LOGIN WEBPAGE. Everything will be done for you. You can run WPA_without_dic in both bt3 and bt4.

HOW TO RUN WPA_without_dic
a. Download bg1.sh, bg2.sh, karma.sh and rogue.tar.gz and copy to ‘Home’
b. Open konsole and type ‘chmod +x /root/karma.sh’ then ‘/root/karma.sh’
c. Activation code will be emailed after the user gives an undertaking (indemnity) not to use karma for illegal purposes.

Do as follows:

I: Download WPA_without_dic (bg1.sh, bg2.sh, karma.sh, rogue.tar.gz)

[Image: 15x647.png]

II: Request an activation code. Our dedicated server will auto-respond to your request.

[Image: 295z3nm.png]

III: Email the undertaking (indemnity text) for the activation code. Our dedicated server will auto-respond.
(Indemnity text: “Yes, I want activation code and will never use for illegal purpose”)

[Image: 1zv7vi1.png]

Step 2. Do Denial-of-Service on real AP
——————————————————-
Do a mass deauthentication DoS (Denial-of-Service) on the real AP using the ‘aireplay-ng 0 0 bssid interface’ command. This will disconnect the real AP from all its existing users. You can ‘block’ the real AP for as long as you like.

Just sit back and watch as the users frantically try to (re)connect to their ‘blocked’ AP. Any user trying to (re)connect to the real AP will get diverted and lured into riding your rogue AP bandwidth instead.

Picture B: Rogue AP setup

[Image: 2mypxro.jpg]

Step 3. Setup rogue login web page
————————————————-
At this point a rogue login web page will be presented to the user requesting either a network key, password or username. You should use your imagination and improvise the design of the rogue login web page to look as authentic as possible. I have already incorporated a default rogue login web page in the WPA_without_dic software. You can replace it with your own design later.

Picture C: Rogue login page for WEP/WPA wireless network key

[Image: dfq.jpg]

Picture D: Rogue login page for Hotspot (at Hotel,Airport,Cafes,Tourist attraction,Campground)

[Image: 30hvdb4.jpg]

Picture E: Rogue login page for router setup

[Image: 35bcdux.jpg]

Step 4. Intercept WPA network key
————————————————
Once the user physically keys in the WPA key, user name or password into the rogue login page, WHAM!, the rogue AP will immediately capture and record the data in clear text, as the rogue AP uses no bandwidth encryption scheme; unlike the ’4-way handshake’ cap file method, which is encrypted and requires an additional dictionary scan to decode the hash.

Caveat
————-
Of course not 100% of the victims will key in their WPA password upon seeing our fake WPA login page, but most of them (particularly the not-so-technical-savvy victims) will usually fall for this trick. The secret is to make the most convincing login page to present to the victims.

I had a far better chance of capturing a WPA password using this modus operandi compared to the old-fashioned brute-force dictionary method.

Bonus
————-
You can even pipe in real internet connection via port forwarding to provide live internet session, do ARP poisoning and proceed with Man-in-the-Middle. Gosh! the possibility is enormous.

THIS IS NOT JUST ABOUT ACQUIRING FREE INTERNET SERVICES; once compromised, the hacker can also grab the victim’s screen image, live IM session, URL screenshots, and eavesdrop on SSL (Secure Sockets Layer) https sites, sniffing with SSLstrip to capture the username and password of the victim’s email, online banking, any online transaction and much much more!

Victims must not fall prey to this kind of hack. THIS IS VERY DANGEROUS STUFF for the victim. Even switching from wpa-tkip to wpa2-aes will not totally protect them when the hacker uses this method.

The real nasty thing about passwords is that people reuse their passwords. So, if you get their password to one site, you’ve probably got their passwords to 10 or more sites.

See, with a rogue AP you not only get to intercept the WPA network key but also grab images, IM, URLs, SSL https user names and passwords as well. “Kill not 2 but many birds with 1 stone”.

Sound difficult to do? Nope. Not with my software. It is easier than you think.

Additional Information
——————————–
On the Renderlab-church of wifi, Remote-exploit, Wirelessdefence.org, Metasploit and Aircrack-ng web pages you will find that decoding WPA using a dictionary is a very time consuming effort.

Even with Nvidia cuda pyrit in BT4 it took me almost 1 week (lucky) to discover a 14-character password using brute force with 3 Nvidia GPU 8800GTX parallel computing power, i.e. the same method used by ElcomSoft. What took me 1 week to decode WPA using the brute force dictionary takes me only 5 minutes with my rogue AP technique.

The dictionary that one can download from the internet was derived from ONLY 172,000 (7GB) or 1 million (33GB) passwords (aka network keys) and was based on ONLY 1,000 ssids (for the coWPAtty rainbow table) of pre-computed hash values.

“Been there, done that”. If the password is NOT in the dictionary or the generated rainbow table does not consist of target ssid then you are out of luck. You will never be able to decode the password, ever.

Conclusion
————-
Time to think outside the box, people. Time for lateral thinking.

I presented to you an alternative method to decode WPA (other than brute-force dictionary).
It’s easier to just set yourself up as a rogue access point and let people connect to your local Apache server.

Once they have connected to your rogue AP you are in control. You will soon see that even WPA (tkip), WPA2 (ccmp-aes) or come what may is not secure if you use the rogue AP intrusion method.

Stop playing catch up with SHA-1, SHA-256 or SHA-512 (Secure Hash Algorithm) brute forcing.

You stand a better chance of discovering the WPA password using a rogue AP than using brute force with an ‘if-you-are-lucky-guess-work’ dictionary.
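The attack described in this post depends on a second access point advertising the same SSID as the real one, usually without encryption so that the victim can associate and reach the fake login page. That pattern is visible from the air. The following is an added example written for this thread, not the poster's WPA_without_dic tool or any code from the thread: it takes a wireless survey (one record per beacon source) and compares it against a defender's baseline of known BSSIDs and the configured security mode, flagging an unknown BSSID on a known SSID and any security downgrade. The baseline and the survey records are constructed sample data.

```python
"""Rogue / evil-twin access point check over a wireless survey.

Added example for this thread, not the poster's WPA_without_dic tool.
Assumes the defender keeps a baseline of their own SSIDs (legitimate
BSSIDs plus the security mode they are configured with); the baseline
and the scan records below are constructed sample data.
"""

# Constructed baseline of the defender's own networks.
KNOWN_APS = {
    "HomeNet": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2-CCMP"},
}

# Constructed survey records, one per beacon source seen.
SCAN = [
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "channel": 6,
     "security": "WPA2-CCMP", "rssi": -48},
    # same SSID and channel, different BSSID, no encryption: the shape
    # of the open rogue AP described in the thread
    {"ssid": "HomeNet", "bssid": "02:aa:bb:cc:dd:ee", "channel": 6,
     "security": "OPEN", "rssi": -40},
    {"ssid": "CoffeeShop", "bssid": "66:77:88:99:aa:bb", "channel": 11,
     "security": "OPEN", "rssi": -70},
]

# Ordering used to recognise a downgrade relative to the baseline.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-CCMP": 3}


def find_rogue_aps(scan, known):
    """Return one alert per scan record that impersonates a known SSID."""
    alerts = []
    for rec in scan:
        base = known.get(rec["ssid"])
        if base is None:
            continue  # not one of our SSIDs; nothing to compare against
        reasons = []
        legit = {b.lower() for b in base["bssids"]}
        if rec["bssid"].lower() not in legit:
            reasons.append("unknown BSSID")
        observed = SECURITY_RANK.get(rec["security"], -1)
        expected = SECURITY_RANK[base["security"]]
        if observed < expected:
            reasons.append(
                f"security downgrade {base['security']} -> {rec['security']}")
        if reasons:
            alerts.append({"ssid": rec["ssid"], "bssid": rec["bssid"],
                           "channel": rec["channel"], "rssi": rec["rssi"],
                           "reasons": reasons})
    return alerts


def strongest_is_rogue(scan, known):
    """True if the loudest beacon for any known SSID is a flagged one.

    Clients generally roam to the strongest signal, so a rogue that
    out-powers the real AP is the case that matters most.
    """
    flagged = {(a["ssid"], a["bssid"].lower())
               for a in find_rogue_aps(scan, known)}
    by_ssid = {}
    for rec in scan:
        if rec["ssid"] in known:
            cur = by_ssid.get(rec["ssid"])
            if cur is None or rec["rssi"] > cur["rssi"]:
                by_ssid[rec["ssid"]] = rec
    return any((s, r["bssid"].lower()) in flagged for s, r in by_ssid.items())


if __name__ == "__main__":
    for alert in find_rogue_aps(SCAN, KNOWN_APS):
        print(f"ALERT {alert['ssid']} via {alert['bssid']} "
              f"ch{alert['channel']}: " + "; ".join(alert["reasons"]))
    print("strongest beacon is rogue:", strongest_is_rogue(SCAN, KNOWN_APS))
```

The two checks are deliberately independent: an extra BSSID on your SSID can be a legitimate second AP, and a downgrade from WPA2 to open on a BSSID you do own can be a misconfiguration, but a record that triggers both is the evil-twin case the thread describes. On the client side the same comparison is what a saved profile with a fixed security type gives you: a network that was WPA2 yesterday and shows up open today should not be joined.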

03-18-2010, 08:02 PM
First of all I want to thank you for sharing this tutorial.

Just this week I started using the famous 1000 SSIDs rainbow tables and I tried 2 different SSIDs, one was NETGEAR and the other one was 2WIRE159, and neither of them found the key.

I downloaded the rainbow tables from here:
http://forums.hak5.org/index.php?showtopic=12708
They scan the same amount of passwords, almost 1 million words (I think it was 960,XXX), and they finish in 10 seconds, while normally I scan the same amount of passwords in around 45 minutes.

I read the whole tutorial and I got lost, I think it was in step 3 where we need an activation code; anyway I am not posting to ask that.

I have a big doubt… Let’s say someone is attacking me and my router is WPA.

I won’t be able to connect to my router because the attacker is doing that kind of attack, right?

1- Well at the point of reconnecting do I SEE MY WIRELESS NETWORK AGAIN? Or it will be out of the visible wireless networks?

2- Now let’s say I see one network with the same SSID, but do I also see the encryption is WPA? Or I’ll see it as open? Because if I see it as WPA then how do I connect to that rogue AP if I don’t know the password? Or will my original WPA password work on that fake SSID which is the rogue AP?

Sorry but I am really confused.

Thanks for any answers!

03-19-2010, 02:41 PM
The tutorial is really interesting, great work on sharing it... but I got lost in step 3 after creating the fake login page. The questions asked by “Sk8eR_PR” are very valid. Can someone answer those and explain from step 3 a little bit more?
03-20-2010, 06:22 AM
Yo ionanis66, next time you post a topic that isn’t yours make sure you can follow it up and back it up, ok... don’t just post stuff you never tried yourself and know nothing about. No wonder we aren’t getting any replies from you concerning what you posted, because it was taken from another website. I found it here guys: http://fadzilmahfodh.blogspot.com/2009/0…onary.html We might need to follow it up from here… If anyone can redo this tut and make it even easier without using that request activation code thing it would be a great help.
03-20-2010, 10:05 AM
Never fear the new guy is here with all the proper answers ;)

(03-18-2010 08:02 PM)Sk8eR_PR Wrote: Just this week I started using the famous 1000 SSIDs rainbow tables and I tried 2 different SSIDs, one was NETGEAR and the other one was 2WIRE159, and neither of them found the key.

I downloaded the rainbow tables from here:
http://forums.hak5.org/index.php?showtopic=12708

Forget the rainbow tables, 9/10 times that shit isn’t going to work... you need to make a custom wordlist... backtrack has CUPP... start with that, run it through john... then wget their myspace page if they have one and add those.

Then google up p_h’s cuda guide and start cracking... “it’s not gonna be easy”.

Also I’m going to note this right now before someone else does... depending on the 2wire model... there ARE vulnerabilities / weak keys, so do some googling into that while you’re waiting for your list to run through.

(03-18-2010 08:02 PM)Sk8eR_PR Wrote: I have a big doubt… Let’s say someone is attacking me and my router is WPA.

I won’t be able to connect to my router because the attacker is doing that kind of attack, right?

1- Well at the point of reconnecting do I SEE MY WIRELESS NETWORK AGAIN? Or it will be out of the visible wireless networks?

If it’s just a deauth attack and they’re not trying to freeze it... yes you most certainly will see it, however you will not be able to connect because your AP “yes YOUR AP” will be sending deauthentication packets at you every time you try… it would take too long to explain but basically your router relays the deauth packets.

(03-18-2010 08:02 PM)Sk8eR_PR Wrote: 2- Now let’s say I see one network with the same SSID, but do I also see the encryption is WPA? Or I’ll see it as open? Because if I see it as WPA then how do I connect to that rogue AP if I don’t know the password? Or will my original WPA password work on that fake SSID which is the rogue AP?

If they have a rogue AP set up with the same SSID and have it set to WPA, the best they can do is capture the 2-way handshake “yes I said 2-way”... and use that to try cracking the pass. You WILL be authenticated, but they will not be able to send you any IP packets as they have no way of talking to you without randomly guessing your key.

What they can do is set it up as an open network, and hope that you connect to it and then log into the router to try and figure out what’s wrong.

It’s a powerful attack but I gotta be honest with you, I’ve been doing wifi for a long... very long time, and it’s still hard to pull it off correctly. It’s honestly more luck / art... than anything.

03-20-2010, 11:17 AM
It’s a good explanation dude..... Can you explain step 2 to me, how to get the activation code? There is no chance to enter our email id... then how come it will send the code to my id?
03-20-2010, 11:34 AM
Like platinumsteel said, the post is kinda “stolen” from the http://fadzilmahfodh.blogspot.com/2009/0…onary.html site.

In order to get the activation code from the original site you “might consider making a small donation” so that the site’s administrator fadzilmahfodh will reply to you.

On that site there are also very interesting scripts that automate the process of WEP cracking for free, but for the complete version of the scripts you have to donate also.

So Ioannis66... if you wanna contribute to this forum have a way to back your posts up, otherwise... don’t bother, friend...

03-20-2010, 02:28 PM

(03-20-2010 10:05 AM)b3tn0t Wrote: It’s a powerful attack but I gotta be honest with you, I’ve been doing wifi for a long... very long time, and it’s still hard to pull it off correctly. It’s honestly more luck / art... than anything.

Man, thanks so much for your reply! When I read this tutorial the first thing that came to my mind was what you just said: “It’s honestly more luck / art... than anything.”

Again, thanks so much for the answers, hope you’re still around here helping us!

Have a good one!

BTW I think this thread is dead to me…

03-20-2010, 03:26 PM
What you said about the donation is right, but it’s old. Now he is giving it away free. Check his home page.

(03-20-2010 11:34 AM)captainmark Wrote: Like platinumsteel said, the post is kinda “stolen” from the http://fadzilmahfodh.blogspot.com/2009/0…onary.html site.

In order to get the activation code from the original site you “might consider making a small donation” so that the site’s administrator fadzilmahfodh will reply to you.

On that site there are also very interesting scripts that automate the process of WEP cracking for free, but for the complete version of the scripts you have to donate also.

So Ioannis66... if you wanna contribute to this forum have a way to back your posts up, otherwise... don’t bother, friend...

03-20-2010, 05:43 PM

(03-20-2010 03:26 PM)catlover Wrote: What you said about the donation is right, but it’s old. Now he is giving it away free. Check his home page.

To be honest I haven’t visited that site for months.
I’ll check it again since I’m interested in the scripts and the rogue thing also.
Thanks catlover for the info.
