Obtaining the WPA key via a rogue access point.

What you need.
You need a brain. That's one of the most important things, as not just anyone could accomplish this without reading and learning first. You also need two wireless network devices. I recommend the RTL8187L chipset. A well-known name is the "Alfa AWUS036H 1000mW" with a 9dBi Alfa antenna. However, in this tutorial I will be using my laptop's "WiFi Link 4965AGN" as my fake AP (Access Point) and my USB "RTL8187L" with a 5dBi antenna as the device that disconnects the user from the original AP.



You need the files, which I provide the download link for in the third spoiler of this tutorial.

You need the LIVE Backtrack 5 R3 KDE version. Avoid using GNOME, because some users have reported problems following this tutorial while trying to use GNOME.

But if you want to use another Linux distro or another Backtrack version, then you are on your own.

The reason I said "LIVE" is that you need to change some files and you don't want to mess up your Backtrack installation; plus, this tutorial is made to work with a LIVE version in about 5 minutes.

Very important: you need BASIC KNOWLEDGE of Backtrack, because I'm not explaining how to create a LIVE USB/DVD to run Backtrack, and I will be skipping how to access the downloaded files in Backtrack and a few other basic steps like "startx", etc.

But don't be scared. This tutorial is EXTREMELY NOOB FRIENDLY.

Sorry if I'm missing anything, but anyway the most important things are just the 2 wireless adapters and Backtrack 5 R3.

Why I created this tutorial.
The reason I made this tutorial is that I've been searching for a tutorial like this for the past few months, and everything I found was tutorials with broken links, missing information, out of date, missing files and everything else you can imagine that makes a tutorial useless... And those tutorials were very hard to follow and not noob friendly at all.

Also, here on HF everyone talks about this attack but no one teaches how to actually do it, and there are like 2 or 3 tutorials here on HF that teach how to do it, but with the same issues mentioned above.

Another reason for this tutorial is those impossible-to-crack WPA handshakes, when reaver is useless and the WPA key of the network is a non-dictionary password, for example this key "&my!name123*here" that you will never be able to crack. It doesn't matter if you have a $10,000 computer; even smaller keys like "Myname@2013" are almost impossible to crack in a reasonable time. So in those cases where you don't have physical access to the devices that connect to that network, the last resort is this attack.

Keywords for this tutorial are:
fake ap - fake access point - evil twin attack - eviltwin - rogue ap - rogue access point

How it works.
Simple and easy... You create a fake AP hosting a fake page with your first wireless device. Then you disconnect the user from the original AP with your second wireless device, and the user can't do anything but connect to your fake AP, where they won't be able to do anything but type the WPA key.
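A defender-side check for the pattern just described, added here as an example and not part of the original tutorial: it compares a wireless scan against an inventory of known access points and flags a BSSID that advertises one of our ESSIDs but is not inventoried (the fake AP), and a burst of deauthentication frames carrying an inventoried BSSID (the disconnect step). The inventory, scan results and frame log are all constructed sample data, not captures.

```python
from collections import defaultdict

# Constructed inventory of legitimate APs: ESSID -> {BSSID: security}
KNOWN_APS = {"HomeNet": {"00:16:01:14:22:4a": "WPA2"}}

# Constructed scan observations: (ESSID, BSSID, channel, security)
SCAN = [
    ("HomeNet", "00:16:01:14:22:4a", 6, "WPA2"),  # the inventoried AP
    ("HomeNet", "00:1e:c2:aa:bb:cc", 11, "OPEN"),  # twin using our ESSID
    ("Guest", "00:24:b2:11:22:33", 1, "WPA2"),     # not ours, ignored
]

# Constructed management-frame log: (time_s, subtype, source BSSID)
FRAMES = [(0.1 * i, "deauth", "00:16:01:14:22:4a") for i in range(12)] + [
    (5.0, "beacon", "00:16:01:14:22:4a"),
    (7.0, "deauth", "00:24:b2:11:22:33"),  # a single deauth, not a burst
]


def find_evil_twins(scan, known):
    """Flag APs advertising one of our ESSIDs from a BSSID not in the inventory."""
    findings = []
    for essid, bssid, chan, sec in scan:
        legit = known.get(essid)
        if legit is None or bssid.lower() in legit:
            continue  # not our ESSID, or an inventoried BSSID
        reason = "BSSID not in inventory for this ESSID"
        if sec == "OPEN":
            reason += "; open network where we run " + ", ".join(set(legit.values()))
        findings.append((essid, bssid.lower(), chan, reason))
    return findings


def find_deauth_bursts(frames, known, threshold=10, window=2.0):
    """Return inventoried BSSIDs that appear as source of at least `threshold`
    deauth frames inside any `window`-second span (a spoofed deauth flood)."""
    inventoried = {b for aps in known.values() for b in aps}
    times = defaultdict(list)
    for t, subtype, src in sorted(frames):
        if subtype == "deauth" and src.lower() in inventoried:
            times[src.lower()].append(t)
    bursts = []
    for bssid, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(bssid)
                break
    return bursts
```

With the sample data, the open "HomeNet" on channel 11 is reported as a possible twin and the 12 deauth frames within 1.1 seconds are reported as a burst from the inventoried BSSID.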

Inside the next spoiler is a HUMONGOUS text. Please don't be scared. This is a very long and sophisticated tutorial, but after you read everything you will see you might not even need to read the tutorial again. In my case I do this attack in a matter of 5 minutes, but for you it could take hours if not days to understand everything and be able to do it as fast and easily as I do. The process that takes the longest is waiting for the users to do what we want them to do, which sometimes they never do, as they are not that foolish.

In those cases, when you are attacking advanced network users, you will see them reset their router to factory settings, catching your fake AP; they will do whatever they need to do, but they will never type the key into the fake AP, as they are not dumb.

Maybe you receive a response in your data text file with the following message:

Code 
get out of my wireless you idiot
If you receive something like this in your "data.txt" file, consider it a message to you and not the network key, and consider this a network you will never get access to. But anyway, try to see if that's the actual key! LOL! We never know...

I'm sorry for the HUMONGOUS text, for those experienced network readers, but I had to do this tutorial this way to make it noob friendly; otherwise noobs would be totally lost and this tutorial would be only for those who don't need that much explained.

And for the not-so-experienced readers, please READ EVERYTHING and try to UNDERSTAND EVERYTHING if you really want to make this work.


Time to start setting up the attack.

Download the zip file and extract the folder to the root of your Windows OS or somewhere you can access easily and quickly from Backtrack.

DOWNLOAD LINK: http://sdrv.ms/YDeeTc

When extracting the folder, don't remove the folder from the zip file; just make a copy, because the copy is the one you will modify, and every time you want to use this method with a different network you can extract the folder again from the zip file and modify the text document and the blacklist text file with the new network's details.

Should look like this:


Run "WifiInfoView", copy your target BSSID (BSSID = MAC address) and make a note of the channel and ESSID (ESSID = network name).
To copy the target BSSID more easily you can click "Options",
then point your cursor at "MAC Address Format",
and you will see the first format is selected; it looks like this: XX-XX-XX-XX-XX-XX.
What you want to do is select the second one, which looks like this: XX:XX:XX:XX:XX:XX...

Now "secondary click" on top of the network you want to attack and select "Properties".
Then you can copy the BSSID "00:16:01:14:22:4A".

You will need to paste this BSSID into the "blacklist.txt" file located in the following directory:
"[TUT] Grab WPA Key With Fake AP/files/files to copy in root Desktop".
When you finish with the BSSID, hit Enter at the end of the BSSID as if you were going to start typing something under it.
This leaves an empty line at the bottom so MDK3 can read the BSSID. Otherwise it won't read the BSSID and your MDK3 will never start.

Picture here for those who are lost at the very beginning of this tutorial. LOL!


Continue by modifying the text document named:
"Modify This Text Document For Copy Pasting".
Yes, open the text document...
You will find this document inside the folder you extracted earlier.
In this tutorial I will explain what to modify in that text document, how and why.

I did it this way because I don't want you to have to read this whole tutorial again.
Just read it once, and the next time you want to attack a WPA network using this method you just need to modify the text document and the blacklist text file from the extracted folder and you will be good to go.

You will see! This is very easy!

NOTE: The first step in the text document has 4 questions; you will have to memorize how to do them.
Don't worry, there is a little reminder at the bottom of each question.
And if you forget, just come back here and look at the pictures in the third spoiler.

In the text document you will find the following steps to follow:
##
### 1- Get ready before copy pasting the commands.
##
Here are the 4 questions that remind you to set up the room to work with Backtrack and to copy the files to the directories.

##
### 2- Paste the following commands in terminal 6.
##
These commands install DHCP3, configure DHCP3, set the first interface to monitor mode,
change the MAC address (BSSID), configure and start Apache2, and also start the fake AP (Access Point).

##
### 3- Paste this commands in terminal 5.
##
These commands just set up and start DHCP3.

And the titles are pretty self-explanatory for the rest.
##
### 4- Start the DNS spoof in terminal 4.
##
### 5- Start monitoring your fake AP in terminal 3.
##
### 6- Start monitoring the target AP in terminal 2.
##
### PERFECT! TIME TO START THE ATTACK...
### 7- Disconnect everyone from your target AP.
##

Now the 4 questions.
This is one of the steps I am not explaining.
You need to use the file browser in Backtrack to get access to the downloaded files.
Yes, I'm talking about the folder you extracted earlier into an easy-to-access directory.
I don't know about the GNOME version, but in KDE it's called "Dolphin - File Manager".
When you get to Backtrack you need to open the text document "Modify This Text Document For Copy Pasting",
located in the extracted folder, whose name should be "[TUT] Grab WPA Key With Fake AP".

Code 
1- Did you modify the taskbar to make room?
How do you modify the taskbar?
Secondary click at the bottom and click "Remove this System Tray". Look at the picture for a better understanding.
Why? Because you need to open a lot of terminals and you need room so you don't get lost and frustrated in the middle of the process.

You need to secondary click at the very, very bottom. Otherwise you won't see the right option.

Remove the clock, if you want to...
Same thing: secondary click, but this time on top of the clock, and click "Remove this Digital Clock".


Remove the 4 squares. I never really use this thing, but consider using it if your monitor is not big enough to fit the 6 terminals on one screen. It's a really nice feature when your resolution is not spacious.

You might ask yourself which 6 terminals I was talking about before?
Well, keep reading. I will explain that soon.

Make the taskbar longer. You need to click the icon that looks like a fireball.
Then click and hold the minus (-) icon and drag it all the way to the right.
Finally, click the [X] to close.

The next question is:

Code 
2- Did you modify the terminal window sizes?
How do you modify the window sizes?
Nice question... You don't really need to do this. I just recommend doing it this way because it's always good to be aware of what's happening everywhere. However, I know a lot of people might have the resolution problem I mentioned before and won't be able to do this. If this is your case you will have to deal with switching between terminals. Anyway, if this is your case, don't worry. You don't really need to monitor all of the terminals.

First, click the terminal in the taskbar on the left side. It's the black icon.
When it opens, modify the size as shown in the picture.

So to take half of the screen, click and hold the window at the top where the title is located and drag the cursor all the way to the right; you will see the window auto-size, splitting the screen in half. When you see the auto-size happen, release the click and close the window to save the size configuration. Then open the terminal again, place it on the right side and pull the window from the top to the bottom to make it smaller, to the exact or a pretty similar size as in the picture.

Then open the second terminal and you will notice a big half-screen terminal open on the left side. Just resize it again; then the third and the rest of the terminals will open with the right size. You just need to place them in the same position and order as shown in the following picture:

You should end up with a total of 6 terminals.

Another thing... I don't like it when the tabs in the taskbar get merged into one single tab, so if this happens to you and you want to separate them again you can secondary click on that tab and select "Do not allow this program to be grouped" to get your terminals separated again.

But there's a little problem. When you do this the tabs will shuffle their sequence in the taskbar, but that's okay. This is just Linux behavior, and you can keep following the tutorial with that exception, using your brain, or you can close the last 5 terminals and reopen them to get the 6, 5, 4, 3, 2, 1 sequence in the taskbar.

Third question...

Code 
3- Did you drag and drop the files?
Drag and drop the following files into the directory /var/www/ using the shortcut named "[Drag and Drop var www".
Select the option "Copy Here".
"data.txt" - "index.html" - "login.php" and "rebooting.php".

At this point a popup window should ask you what to do with the already existing "index.html" file. Select "Overwrite". Sometimes this overwrite step freezes my laptop for 3 to 5 seconds. Again, this is Linux behavior. If this happens to you, wait the 3 to 5 seconds without clicking anything else. You don't want the system to go crazy when it starts responding again. Also remember you are running live, and sometimes it takes a few seconds before performing some of the actions.

Then enter the folder "files to copy in root Desktop" and drag and drop the following files
into the directory /root/Desktop/ using the shortcut named "[Drag and Drop root Desktop".
Once again select the option "Copy Here".
"blacklist.txt" - "dhcp3-server_3.1.3-2ubuntu3.3_i386.deb" and "spoof.txt"...


Code 
4- And do you have the little window to monitor the "data.txt" file?
Return to the previous folder "files" using the "BACK" button and click on top of the shortcut named "[Drag and Drop var www" to get access to the folder where the "data.txt" file is located.

Once there, secondary click on an empty space in the folder, select "View Mode", then select "Details", and finally make the window small.


And that's it for setting up the room and placing the files for this attack.
The next steps are to modify the text document so you can go to Backtrack, just copy-paste the commands and start running the tools.

