This is my Tutorial for WPA/WPA2 Wireless Hacking... This guide is aimed to help you crack WPA/WPA2 Passwords.. As said, this is a Total n00b Guide to Wireless Hacking..
(4) A Dictionary that has the Password we are trying to get. But Obviously you wouldn't know it till you complete "The Dictionary Attack"..lol
Before we Start, I take it for Granted that you are aware of a Few things...
I Hope You already have a Live CD, Bootable USB or a Virtual Backtrack Installed in your System. In case of Virtual Machine, You will need an External Wireless Card. And in case you don't already have Backtrack, I suggest you bookmark this page and get it first.
Also, I hope you have googled by now to see if your Wireless Card will support Packet Injection or not. In case you are not sure, Use the Test Mode in Aireplay-ng (-9) to see if it supports packet Injection. Again, if you haven't already done that go and get this done first
Now that we are Ready.. Lets Begin..
If You are Using a Boot CD, As in my case, You will see the folllowing screen when the CD Loads.
After Your Desktop Loads. Open up a Konsole and type in "iwconfig" to see your Wireless Interfaces.
As you can see in the above Image, My Wireless Card Shows up as "wlan0".
Now, We will put the Wireless Card into Monitor Mode. In this Mode, Quite Simply, We will be able to monitor all the Traffic that flows around in our Scan Area.
TKIP uses a Ever Changing Key which makes it Usesless to Crack.
PSK - Pre Shared Key.
PSK uses a Key Defined by the Network Administrator. Hence, The Key remains the same. Unless the Administrator decides to change it.
Neck of it all, It is useless to crack a TKIP Authenticated WPA/WPA2. This Tutorial will only help you crack PSK Authenticated WPA/WPA2.
Now, We have taken care of What Our Target Should look like. So, We'll go ahead and Scan the Area.
The Command is airodump-ng --encrypt wpa mon0
Once, You Press Enter, You will see a Similar Screen.
What you are Seeing is A List of All the WPA/WPA2 Encrypted WIFI Networks around you. There are some details in there too. Here's a simple explanation of a few of them
BSSID = MAC Address of the slave (Most Important)
PWR = Signal Strength
CH = Channel Number
ENC = Encryption Type
ESSID= Name of Target's Network
#Data = Amount of IVS Collected (Most Important)
#/s = IVS Per Second
You Might just wanna copy the BSSID as it is going to be used a lot.
Our Target's Details
BSSID= 00:25:9C:EE:59:49
CH = 1
ESSID= {censored}
STATION= 00:17:C4:2C:8E:26
L'importance des Stations:-
You must have Noticed, The Column of Stations. Stations are the Computers/Smart Phones or any Wireless Devices currently connected to the BSSID they are Associated with.
While Stations are not necessary to crack a WEP Encrypted Network, Stations are a must have to crack a WPA/WPA2 Protected Network. In WPA/WPA2, We Need to get a Handshake in order to be able to Initiate a Dictionary Attack aganist that Network. And In order to get this Handshake, We need to De-Authenticate a Connected Client (Station).
Simply Put, In no Order of Importance..lol
To Get WPA Password, You need to do a Dictionary Attack.
To Do a Dictionary Attack, You need a WPA Handshake.
To Get a Handshake, You need a Connected Client (Station).
Since, In this case, We already have a Station connected to the Network. Lets Configure the airodump-ng command to focus Specifically on The Target Network.
The Command is Simply,airodump-ng --channel 1 --bssid 00:25:9C:EE:59:49 --write wep --ivs mon0
Our Wireless Interface "mon0" will now capture Packets only from Channel 1 from a Specific BSSID and write all the data to a File called "wep.ivs".
Now, We will initiate a De-Authentication Attack on the Target Wi-Fi Connection.
The De-Authentication Attack:-
Whenever, a Client connects to a WPA/WPA2 Encrypted Network, It exchanges a "Four-way Handshake" with the AP. Its an Authentication Process to allow the Client to be associated with the Access Point.
The Point in a De-Authentication Attack is to Forcefully De-Authenticate a Certain or All Stations from an Access Point. Forcing them/it to Re-Connect and hence, Exchange the Handshake Again. Which will enable us to Capture the Handshake and Initiate a Dictionary Attack.
So, Lets De-Authenticate the Client and Get the Handshake.
The Command is,
{If You wish to Target a Specific Client (-c)}
aireplay-ng --deauth 10 -a 00:25:9C:EE:59:49 -c 00:17:C4:2C:8E:26 mon0
{If You wish to make an Open-ended Attack. i.e. De-Authenticate all the Clients Associated with the AP.}
aireplay-ng --deauth 10 -a 00:25:9C:EE:59:49 mon0
NOTE: A Client Targeted De-Authentication Attack is more Successful than an Open-Ended Attack.
Deauth is Followed by "Attempt Counts" i.e 10 Attempts in my Case. You can make it "--deauth 100". "a" is simply the BSSID of the Target AP and "c" is the Client that is Associated with the AP and we wish to De-Authenticate this Client.
If You have Successfully, De-Authenticated the Client then You Should be able to see a "WPA Handshake" at the Top-Right Corner where You have the Targeted Airodump Running.
Here's What it Might Look Like.
Now, We have a Captured Handshake and It has been written to the "wep.ivs" file.
Now, We will use the Aircrack-ng Program and a Dictionary to Run a Dictionary Attack on the Captured Packet.
The Command is Simply,
aircrack-ng wpa-01.ivs -w /pentest/passwords/wordlists/darkc0de.lst
Here, "wpa-01.ivs" is the File to Which We (read airodump-ng) wrote the Handshake. "-w" tells aircrack-ng that We wish to Run a Dictionary Attack and The Path is the Path of the Dictionary File.
Dictionaries :-
For the Purpose of this Tutorial, I am using the Built-in Dictionary that comes along with BackTrack 5. Though, I Personally feel those Dictionaries are Useless. I nano(ed) the File to have my Password. If that File has Your Password, You Officially have the weakest Password Ever..lol.
Dictionary is the whole Essence in a WPA/WPA2 Cracking Scenario. You will Find a Lot of Great Dictionaries on the Net. Google is your Best Friend!!
Well, Run the Attack. If the Dictionary has the Password, You will see Something like this and Voila, Its Done!!
Have Dictionary, Need Speed??
Aircrack Sucks at Speed. You can never dream of Ploughing through a Dictionary if You are running Your Attack on Aircrack. Some Dictionaries have 3-Digit Million Words (Like 600 Million), With Speeds of 2000 K/s You will probably give up even if the Word is in the Dictionary. So, What you need is Your GPU Power not Just your CPU Power. You will have to Setup Pyrit + CUDA to get Speeds like 80,000 K/s that Some Hackers Manage. Again, Google is your Best Friend!!