When Wi-Fi was introduced in the late 1990s, Wired Equivalent Privacy (WEP) was created to provide privacy for wireless communication. WEP, as it is known, proved to be flawed and easily broken.
As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared wireless security key, known as WPA2-PSK. WPA2 uses a strong encryption algorithm, AES, which is very difficult to break, but not impossible.
The weakness in WPA2-PSK is that the encrypted password is exchanged in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the client to the AP. If we can capture the password at that moment, we can try to crack it.
In this tutorial from our Wi-Fi Hacking series, we will look at using aircrack-ng to run a dictionary attack on the encrypted password after grabbing it from the 4-way handshake. If you are looking for a faster way.
Step 1: Put the Wi-Fi Adapter in Monitor Mode with Airmon-Ng
Let's start by putting our wireless adapter in monitor mode.
For this to work, we need a compatible wireless network adapter, one whose chipset supports monitor mode and packet injection, for example:
- Leoxsys LEO-HG150N 150Mbps Wireless USB Wi-Fi Adapter LAN Card with External Antenna (Black)
- Alfa AWUS036NHA 150Mbps Wireless USB Adaptor
This is similar to putting a wired adapter into promiscuous mode. It allows us to see all the wireless traffic passing by us in the air. Let's open a terminal and type:
- airmon-ng start wlan0
Note that airmon-ng has renamed your wlan0 adapter to mon0.
Step 2: Capture Traffic with Airodump-Ng
Now that our wireless adapter is in monitor mode, we can see all the wireless traffic passing through the air. We can capture that traffic simply by using the airodump-ng command.
This command captures all the traffic your wireless adapter can see and displays important information about it, including the BSSID (the AP's MAC address), power, number of beacon frames, number of data packets, channel, speed, encryption (if any), and finally the ESSID (what most of us refer to as the SSID). Let's do this by typing:
- airodump-ng mon0
Note that all visible APs are listed at the top of the screen and the clients are listed at the bottom of the screen.
Step 3: Focus Airodump-Ng on One AP on One Channel
Our next step is to focus our efforts on a single AP on a single channel and capture the important data from it. We need the BSSID and the channel to do this. Let's open another terminal and type:
- airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
- 08:86:30:74:22:76 is the BSSID of the AP
- -c 6 is the channel the AP is operating on
- WPAcrack is the file you want to write to
- mon0 is the wireless monitoring adapter
As you can see in the picture above, we are now focused on capturing data from one AP with the ESSID Belkin276 on channel 6. Belkin276 is probably the default SSID, which makes it a prime target for wireless hacking, as users who leave the default ESSID in place often do not put much effort into protecting their AP either.
Step 4: Aireplay-Ng Deauth
In order to capture the encrypted password, we need a client to authenticate against the AP. Once they are authenticated, we can deauthenticate them (kick them off), and their system will automatically re-authenticate, at which point we can capture their encrypted password. Let's open another terminal and type:
- aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
- 100 is the number of deauthentication frames you want to send
- 08:86:30:74:22:76 is the BSSID of the AP
- mon0 is the wireless monitoring adapter
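From the defender's side, the burst of 100 spoofed deauthentication frames sent in this step stands out in a monitor-mode capture or wireless IDS log: a real AP rarely deauthenticates more than a handful of clients per minute and does not send bursts to the broadcast address. The detector below is an added example, not part of this tutorial or of the aircrack-ng suite; the frame records are constructed, and their layout (timestamp, subtype, source, destination) is an assumption about what a capture tool would emit.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample frame log: (timestamp_seconds, subtype, source, destination).
# The AP's BSSID appears as the source of the deauths because the tool spoofs it.
SAMPLE_FRAMES = [
    (1000.00, "beacon", "08:86:30:74:22:76", BROADCAST),
    (1000.10, "data", "08:86:30:74:22:76", "a4:5e:60:11:22:33"),
] + [
    # a burst of 30 broadcast deauthentication frames within 0.3 s
    (1001.00 + i * 0.01, "deauth", "08:86:30:74:22:76", BROADCAST) for i in range(30)
] + [
    (1001.50, "deauth", "08:86:30:74:22:76", "a4:5e:60:11:22:33"),
    (1002.00, "beacon", "08:86:30:74:22:76", BROADCAST),
]


def find_deauth_floods(frames, threshold=10, window=10.0):
    """Flag every source address that sends more than `threshold` deauth
    frames inside any sliding `window` of seconds.

    Returns {source: {"first_seen", "deauth_frames", "broadcast"}} where
    deauth_frames is the total count seen from that source and broadcast
    records whether any of them targeted all clients at once."""
    recent = defaultdict(deque)  # source -> timestamps within the window
    totals = defaultdict(int)
    bcast = defaultdict(int)
    first_trigger = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        totals[src] += 1
        if dst == BROADCAST:
            bcast[src] += 1
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in first_trigger:
            first_trigger[src] = q[0]
    return {
        src: {"first_seen": t, "deauth_frames": totals[src], "broadcast": bcast[src] > 0}
        for src, t in first_trigger.items()
    }
```

Because the forged frames carry the AP's own BSSID, the flood appears to originate from the AP; enabling 802.11w Protected Management Frames on the AP and clients makes such unauthenticated deauth frames ignored in the first place.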
Step 5: Capture the Handshake
In the previous step, we bumped the user off their AP, and now when they re-authenticate, airodump-ng will try to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check whether we were successful.
Note in the top right-hand line that airodump-ng says "WPA handshake." This is how it tells us we have succeeded in capturing the encrypted password! That is the first step to success!
Step 6: Let's Aircrack-Ng That Password!
Now that we have the encrypted password in our WPAcrack file, we can run that file through aircrack-ng using the password file of our choice. Remember that this type of attack is only as good as your password file. I will use the default password list included with aircrack-ng in BackTrack, called darkc0de.
We will now try to crack the password by opening another terminal and typing:
- aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
- WPAcrack-01.cap is the file name we wrote to in the airodump-ng command
- /pentest/passwords/wordlists/darkc0de is the absolute path to your password file
How long will it take?
This process can be slow and tedious. Depending on the length of your password list, you may have to wait anywhere from a few minutes to a few days. On my 2.8 GHz Intel Core processor, it is able to test more than 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it will appear on your screen. Remember, the password file is critical. Try the default password file first, and if it doesn't work, move on to a larger and more complete password file like this one.
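To see where those 500 guesses per second go, and why the default SSID noted in Step 3 matters, here is the passphrase-to-PMK derivation that every guess has to repeat (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, as IEEE 802.11i specifies), plus a small estimator of how long a wordlist or a random keyspace would take at a given rate. This is an added example, not code from the tutorial or from aircrack-ng; the function names, the reuse of Belkin276 as a sample SSID and the timing loop are assumptions.

```python
import hashlib
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA2-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits,
    salted with the SSID. A default SSID such as Belkin276 means this work can be
    precomputed once and reused against every network that still carries it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Rough single-core rate of this machine, measured by timing `samples`
    derivations of constructed throwaway candidates (hypothetical inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


def hours_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case wall-clock hours to try `candidates` guesses at `rate` per second."""
    return candidates / rate / 3600.0


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    print(f"about {guesses_per_second('Belkin276'):.0f} guesses/s on this machine")
    # At the article's 500 guesses/s a 1.8 million-word list is an hour of work,
    # while 8 random lowercase letters (26**8 candidates) take over a decade.
    print(hours_to_exhaust(1_800_000, 500.0), "hours for a 1.8 million-word list")
    years = hours_to_exhaust(keyspace(26, 8), 500.0) / 24 / 365
    print(f"{years:.1f} years for 8 random lowercase letters")
```

The takeaway for an AP owner is the mirror image of the attack: change the default SSID so no precomputed table applies, and choose a long random passphrase so that the keyspace, not the wordlist, sets the cost.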
Stay tuned for more wireless hacking guides.
Keep coming back, as I promise more advanced hacking methods in future tutorials.