This article and all of my others can also be found at http://www.secusoft.be
I recently noticed a strange thing on this forum: everyone likes WEP-cracking tutorials a lot,
but it seems like a lot of people have questions about WPA/WPA2 cracking too. After these findings,
I noticed that there weren't any tutorials yet on HF.net, or I didn't check very well, that would be
option two :D.
Knowledge
If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is,
some don't agree. The fact is that if the password is in some sort of dictionary, it can be cracked.
Just for the record: when it comes to cracking, WPA and WPA2 are cracked the same way ;-).
You'll need a 4-way handshake from a client connecting to an AP.
The 4-way handshake contains values derived from the passphrase, so it can be attacked offline with a dictionary.
You'll need a huge list and some luck that the password is in the list,
or you can make a personal list with a password tool of your choice (like john),
which will not be discussed in this tutorial ;-). For this tutorial, of course, I'll be using the Aircrack-ng suite.
!Optional: "laziness"
Code:
sudo su
You might need root access to run these applications. For example, if you are using Ubuntu and you
don't want to type "sudo" in front of every line, you could use this optional command.
Knowing what interface to use
First of all, you'll have to know the name of your wireless interface, that's why you type:
Code:
iwconfig
In my case the interface was wlan0; as you can see, that's the only one that can connect to anything.
Identifying your victim
Code:
airmon-ng start INTERFACE
You'd get a small message saying:
(monitor mode enabled on SPOOFEDINTERFACE) // In my case the monitor interface was "mon0".
Code:
airodump-ng SPOOFEDINTERFACE
The next step would be choosing your victim. Obviously we would be looking for a network with WPA encryption now,
since you want to crack someone with WPA.
Write down its BSSID and its CHANNEL.
Restarting the network card on the right channel
Code:
airmon-ng stop SPOOFEDINTERFACE
Code:
airmon-ng start INTERFACE CHANNEL
Start capturing to a file
Code:
airodump-ng -c CHANNEL --bssid BSSID -w psk SPOOFEDINTERFACE
This will start airodump-ng on your specific channel (-c). It will look for handshakes
of the specified BSSID and write everything to a capture file named psk (-w).
Notice! You might ask yourself: how do I know when I've captured a handshake?
-> Well, aircrack thought of that: if you managed to capture a handshake, a message appears in the upper
right corner.
[Image: handshake.jpg]
!Optional, but very helpful for speeding up the process
So you need to capture a handshake, but the people who are connected of course won't be giving out the
handshake, since this only happens during authentication. If we could just boot them off their network
for a second so they have to reconnect, that would be perfect!
Code:
aireplay-ng -0 10 -a BSSID -c CLIENTBSSID SPOOFEDINTERFACE
This would do 10 "deauthentication" attacks (-0) with the AP being BSSID and the client being booted CLIENTBSSID.
You can check whether a client is connected by looking at your airodump-ng screen again. If you see at the bottom of that
screen that someone is connected to the ESSID of your victim, simply use that STATION address as CLIENTBSSID in this example.
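From the defender's side, that burst of deauthentication frames is exactly what a wireless IDS should catch. The following is an added example, not part of the original tutorial: a small Python parser for the 802.11 MAC header plus a sliding-window counter that alerts when too many deauths hit one AP/client pair; the frames, timestamps and MAC addresses are constructed.

```python
# Added example (not part of the original tutorial): parse raw 802.11 frames and
# flag a deauthentication burst such as "aireplay-ng -0" generates, counting
# deauths per (BSSID, client) pair in a sliding window. All data is constructed.
import struct
from collections import defaultdict, deque

MGMT, DEAUTH = 0, 12   # 802.11 type / subtype of a deauthentication frame


def parse_frame(raw):
    """Decode frame control and the three address fields of an 802.11 header."""
    fc = raw[0]        # bits 2-3: frame type, bits 4-7: subtype
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    def mac(off):
        return ":".join(f"{b:02x}" for b in raw[off:off + 6])
    frame = {"type": ftype, "subtype": subtype,
             "dst": mac(4), "src": mac(10), "bssid": mac(16), "reason": None}
    if ftype == MGMT and subtype == DEAUTH and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]  # reason code
    return frame


def detect_deauth_bursts(timed_frames, window=1.0, threshold=5):
    """Return (bssid, client, count) once more than `threshold` deauths for the
    same AP/client pair arrive within `window` seconds; one alert per pair."""
    recent, alerts, fired = defaultdict(deque), [], set()
    for ts, raw in timed_frames:
        f = parse_frame(raw)
        if (f["type"], f["subtype"]) != (MGMT, DEAUTH):
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append((key[0], key[1], len(q)))
    return alerts


def build_deauth(dst, src, bssid, reason=7):
    """Constructed deauth frame: FC 0xC000, duration, addr1-3, seq ctl, reason."""
    return (bytes([0xC0, 0x00, 0x00, 0x00]) + dst + src + bssid + b"\x00\x00"
            + struct.pack("<H", reason))


AP, CLIENT = bytes.fromhex("020000aabbcc"), bytes.fromhex("020000112233")
# Constructed trace: one ordinary deauth at t=0, then a 10-frame burst 30 s later.
TRACE = [(0.0, build_deauth(CLIENT, AP, AP, reason=3))] + \
        [(30.0 + i * 0.05, build_deauth(CLIENT, AP, AP)) for i in range(10)]
ALERTS = detect_deauth_bursts(TRACE)   # [('02:00:00:aa:bb:cc', '02:00:00:11:22:33', 6)]
```

The single deauth at t=0 is ignored while the burst trips the alert on its sixth frame; tune `window` and `threshold` to the normal roaming rate of your own network.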
Code:
aircrack-ng -w /pentest/wordlist.lst -b BSSID psk*.cap
This would crack the actual capture file that was created by airodump-ng.
Notice! You can only try to crack it when a handshake actually took place.
Don't forget, -w needs the path to your wordlist, so remember where you saved it!
[Image: aircrack-ng.jpg]
-> Aircrack-ng while attempting to crack a password
!Optional: "security"
As a scriptkiddy, you might want to remain a bit anonymous, so here's how you would change your MAC.
Try to implement it yourself ;-)
Code:
sudo ifconfig SPOOFEDINTERFACE down && sudo macchanger -r INTERFACE && sudo macchanger -r SPOOFEDINTERFACE && ifconfig SPOOFEDINTERFACE up
Wordlists
If you ever needed some good wordlists, I suggest checking here first:
wordlists
Bye
thx for your time guys ;-)
This tutorial was also hosted here.