BASIC HACK

Thursday 6 September 2012

HOW TO Crack WPA & WPA2

This is a tutorial on how to crack WPA/WPA2 keys of a wireless network.

WPA is a security technology for Wi-Fi wireless computer networks. WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). In fact, WPA was developed by the networking industry in response to the weaknesses of WEP. WPA provides stronger encryption than WEP.

The process is as follows:


First you need to determine your devices' names and modes. This is easily done by opening Konsole and running the following command:

Code:
airmon-ng

Here we can see all of my wireless devices and their chipsets. The first one is the AWUS036H, the second one is the inbuilt wireless card. [You can tell by the RTL8187 chipset]

We now need to put it into monitor mode; we do this with the following command. Where I put <interface> you need to put the name given to your RTL8187. As you can see, mine is "wlan0".


Code:
airmon-ng start <interface>


As you can see, "monitor mode has been enabled on mon0". From now on the interface that you should use is "mon0".

Now moving on to hiding your ass

Code:
ifconfig mon0 down
macchanger -s mon0
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

You should see something like this:


Viewing available networks
Now we are ready to search for networks to target; type the following command to scan for networks:

Code:
airodump-ng --encrypt WPA -a mon0

Here we dump the wireless networks around us with the airodump-ng command. The switch "-a" shows only networks that have people connected to them, which is what we want; "--encrypt WPA" shows only WPA networks; and "mon0" defines which interface to use.


Target acquisition
Once we have a WPA/WPA2 network that has someone connected to it, we need to 'lock on'. To do this we run:

Code:
--bssid <bssid of the access point you wish to target>

You will also need to filter the list by channel; to do this add:
Code:
-c <channel>

You also critically need to add:

Code:
-w <filename>

This saves the handshake to your desktop.

All of that together looks like this for my example:
Code:
airodump-ng --bssid 00:23:4E:55:B3:84 -c 1 -w WPA mon0

As you can see there are 3 clients connected. We now need to kick one off!

Obtaining the WPA handshake
This is the most important part of the process, as it is the only thing that involves the users of the network. We disconnect a client from the access point and then wait for them to reconnect. When they reconnect, the client and the access point perform what is called a 4-way handshake; our aim is to witness that handshake so that we can crack it and obtain the network key.

We do this by using aireplay-ng to kick the user offline and then waiting for them to reconnect. By doing this we can capture and analyse the handshake. Use the following command:
Code:
aireplay-ng --deauth 10 -a <bssid of access point> -c <mac address of client> <interface>

In my example the BSSID of my access point is 00:23:4E:55:B3:84 and the client I want to kick off is DE:03:74:C7:33:8E.

--deauth means "deauthenticate" [kick off]; the number after it defines how many times to do this. I set it at 10, but you only really need one. Also, if you are feeling mischievous you can set it to something like 10 billion to deny someone Wi-Fi access! Not the most effective, but still lol worthy. Wait till your mate has a 24 kill streak on MW2 and kick him....

So I will open a new window, leave airodump-ng running, and in the new window type:
Code:
aireplay-ng --deauth 10 -a 00:23:4E:55:B3:84 -c DE:03:74:C7:33:8E mon0
If it is successful, the airodump-ng window will display "WPA handshake" in the top right of the screen. You can see this in the image below.
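As an added example that is not part of the original post: from the defender's side, the deauthentication burst described above is easy to spot on the air. This script parses raw 802.11 management frames, counts deauth frames per transmitter/receiver pair and flags any pair at or above a threshold. The sample frames are constructed inline using the MAC addresses from this post; nothing here transmits, and the threshold of 5 is an assumption to tune per network.

```python
"""Detect 802.11 deauthentication floods (the aireplay-ng --deauth pattern)
by counting deauth frames per transmitter/receiver pair.

The sample frames below are constructed test input, not real captures."""
import struct
from collections import Counter

MGMT_TYPE = 0        # frame control type 0 = management frame
DEAUTH_SUBTYPE = 12  # management subtype 12 = deauthentication

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_frame(frame: bytes):
    """Decode the parts of an 802.11 MAC header this detector needs.
    Returns (type, subtype, receiver, transmitter, reason) or None if too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    receiver = mac_str(frame[4:10])      # addr1: who is being kicked
    transmitter = mac_str(frame[10:16])  # addr2: claimed sender (spoofed as the AP)
    reason = None
    if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        reason = struct.unpack("<H", frame[24:26])[0]  # little-endian reason code
    return ftype, subtype, receiver, transmitter, reason

def detect_deauth_flood(frames, threshold=5):
    """Return {(transmitter, receiver): count} for pairs at or above threshold.
    A real AP sends the odd deauth; a burst from one pair is the attack signature."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[0] == MGMT_TYPE and parsed[1] == DEAUTH_SUBTYPE:
            counts[(parsed[3], parsed[2])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed frames using the MAC addresses from the post.
# Deauth: FC c0 00, duration, addr1=client, addr2=addr3=AP, seq ctl, reason code 7.
DEAUTH = bytes.fromhex("c0003a01" "de0374c7338e" "00234e55b384" "00234e55b384" "0000" "0700")
# Beacon: FC 80 00, addr1=broadcast, addr2=addr3=AP (body omitted; the header suffices).
BEACON = bytes.fromhex("80000000" "ffffffffffff" "00234e55b384" "00234e55b384" "0000")

if __name__ == "__main__":
    capture = [BEACON] * 3 + [DEAUTH] * 10  # ten deauths, matching "--deauth 10" above
    for (src, dst), n in detect_deauth_flood(capture).items():
        print(f"ALERT: {n} deauth frames from {src} to {dst}")
```

Forged deauth frames only work because management frames are unauthenticated; enabling Protected Management Frames (802.11w) on the access point and clients makes them drop such frames, so this detector is mainly useful on networks that have not enabled it.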
Cracking
Now that you have your handshake you need to crack it. This is a very popular subject in wireless hacking, as there are a few ways to go about it, all with varying opinions.

Dictionary attack
This is the standard method of cracking and is a very easy and simple method.

For this we use:

Code:
aircrack-ng <filename-01.cap> -w <file path of wordlist>

There is a small dictionary that comes with aircrack-ng, "password.lst". This file can be found in the "test" directory of the aircrack-ng source code, or you can download a wordlist here. If the dictionary file is in the same directory, then only give the filename.

Hope you like this.

