This tutorial will walk you through a step by step guide to crack WPA2 and WPA secured wireless networks. Please note that this is not the Reaver attack. If you want to crack WPA/WPA2 using Reaver then read this post. The process is done by airmon-ng suite. Many steps are same for WEP cracking and WPA/WPA2 too.
What You’ll Need
For this you will require all the basic things like a computer, spare time, etc. But important things are as follows:
- BackTrack OS. Backtrack is a bootable Linux distribution with lots of pen-testing tools and is almost needed for all my tutorials. So, if you have not installed it please read this article on how to install it.
- A compatible wireless network adapter. If you are live booting BackTrack then the internal adapter will work but I recommend an external wireless adapter.
Let’s Get Started
Step 1:Boot into BackTrack
You can use any method to boot into backtrack; like from live cd, VMware, dual boot, etc. So, just boot it first into the GUI mode and open up a new console(command line) which is in the taskbar.
Step 2: Gather Information
Before launching the attack you need to know about your wireless network interface name, make your wireless card is in monitor mode. Then get the BSSID ( it is the series of unique letters and number of a particular router) of the access point. So let us do all these things.
First lets find your wireless card. Inside terminal or console, type:
Press Enter and there you should see a list of interface names of different devices. There should be a wireless device in that list you you have connected it to BackTrack. Probably it may be wlan0 or wlan1.
Enable monitor mode. Supposing your wireless card interface name as wlan0, type this command in that same console.
airmon-ng start wlan0
This code will create a new monitor mode interface mon0 like in the screenshot below which you want to keep note of.
Search the BSSID and channel of the Access Point (router) you want to crack. Now let us find the information. For this type the following and press Enter
Then you will see a list of Wireless Networks available around you and please keep note of the BSSID and channel of the ESSID (wireless network) you want to crack. Please note that the less the number is in the PWR column the close you are to the router; example mine is (-42) which means i am quite near to the router. When you find it hit CTrl+C to stop it scanning and enter the following:
airodump-ng --bssid (AP BSSID address) -c (chaneel no) -w (file name you want to save with) (monitor interface
So, in my case it will be
airodump-ng --bssid 54:E6:FC:E0:AC:FC -c 1 -w WPAcrack mon0
Then the screen will look like this:
Step 3: Let’s Get Cracking
Now, its time to capture a 4-way handshake so that we can use it to get the plain password of the network. Here is a little tricky part, if there is a client connected to the network then there will a mac address listed in the “station column” like in the screenshot below and if not then you will have to wait for someone to connect it to get 4-way handshake.You will get the handshake if anyone tries to connect to that network.
But, if there is someone is connected on the network then you can deauthenticate him so that he will try to reconnect and you will be able to get the handshake. To deauthenticate him enter the following code in new console. But, before take note of the Mac Address of the station.
aireplay-ng -a (BSSID of the network) -c (MAC address of the client) -0 20 (for deauntheticate "20" for no of packets to send) (monitor interface)
You can send any no of packets but few packets would be enough. In the image I have send 0 packets which is unlimited but it is better you send few packets and only and if you don’t get the handshake you can hit Ctrl+C to stop the process and redo it again.
aireplay-ng -a 54:E6:FC:E0:AC:FC -c 9C:4E:36:4E:F5:F0 -0 20 mon0
Now it will send deauthentication packet and if you are close to the network and if everything goes right then he will get disconnected and will try to connect again and we will get the 4-way handshake file in the top right corner of the airodump screen as shown below. But, the client should also be physically close to your wireless adapter network range so that it can deaunthecate them.
Step 4: Cracking The Password
Now its time to crack the 4-way handshake which is little difficult to do. There are lots of ways to do it but I will show you the simple one.
First let us see where is our saved .cap(4-way handshake) file so please enter the following :
It will show you the list of files in your Desktop. The screen would look like this.
Now, lets bruteforce the .cap file using aircrack-ng. You will need a Dictionary or word list file to get it work. There are few of them already in the BackTrack but you can download more. Aircrack simply tries to match the word from the dictionary to the .cap file and if matched then it will show the password but if the word is not in the dictionary then it will fail. We are using the darkc0de.lst password list which can be found in “/pentest/passwords/worldlists/darkc0de.lst” of BackTrack. Enter the following command
aircrack-ng -w (location of the password list) (cap file *.cap)
In my case,
aircrack-ng -w /pentest/passwords/worldlists/darkc0de.lst" WPA2crack-01.cap
Depending upon the speed of your CPU and the size of the password file it could take a lot of time. The -01 is automatically added by the BackTrack and everything is case sensitive. After executing this command the screen will look like this.
If the key is found then it will say, “KEY FOUND!” like in the screenshot below and if not it will say, The pass-phrase is not in the Dictionary or something like this. So, if it is not found then you can try to bruteforce it by trying every combination of word which will take lots of time. I will teach the other methods soon like brute forcing .cap by using Graphics card and so on. So, stay tuned.
NOTE: It is not guaranteed that you will get the 4-way handshake. It depends upon various factors. But the main thing is that the physical distance between your wireless adapter, the access point and the client should be close to work for it.
- Do not put the password that are in the dictionary. Use combination of alphabets, letters and symbols too
- In your router setting you can hide your ESSID (the name of your wireless network)
- In your router there will probably be a mac-address filtering service where you can specify the mac addresses that are allowed to connect to your router and no other will be able to connect to it but it is a little irritating if any of your guests wants to connect to your Wifi.