First, let me stress that there is NO difference between cracking WPA and WPA2 networks: they are cracked the EXACT same way! This method is totally different from cracking WEP networks.
First, please look at the thread I created about cracking WEP networks; the first couple of steps are very similar, and I'd say step 4 is where it starts to change.
Read It Here
What is WPA/WPA2?
WPA is Wi-Fi Protected Access, one of several popular standards for wireless network security. This WPA is not to be confused with Windows XP Product Activation, a separate technology that is also included with the Microsoft Windows operating system.
WPA/WPA2 differs from WEP in that WPA/WPA2 requires an actual passphrase, whereas WEP requires a key (usually generated from a password); you never type the real password in with WEP.
In my WEP tutorial I showed you how to install the tools; in this tutorial I use a live KDE distro called BackTrack 3 (remote-exploit.org).
NOTE: The reason this is different from WEP is that in WEP cracking you simply crack the key; you don't need to intercept it, it's already there in the traffic, and you recover it once you have enough IVs. In WPA/WPA2, however, you need to wait for an authentication handshake. This means you need to wait for someone to successfully join the network using the password; the aircrack suite will grab that handshake and work against it.
1) First, you need to bring down your wireless interface so you can modify it. Mine is rausb0, so I would type 'ifconfig rausb0 down' (That part I cut out of the image below, oops). My commands are explained below.
With my wireless card, I need to activate the drivers; most of you will not need to do this.
modprobe -r rt73
Bring the wireless interface back up
ifconfig rausb0 up
Change the rate of the wireless interface to 1M. This helps a lot, but it's not required; it does avoid some other problems you would run into if you skip it.
iwconfig rausb0 rate 1M
Put rausb0 into monitor mode (airmon-ng takes the action before the interface name)
airmon-ng start rausb0
Picture of all commands:
2) Look for your network. I am doing this at my own house, with another computer on the LAN, so I know exactly what I am looking for.
Type the following command into the CLI to start monitoring the network(s).
This command will list the networks around you: their MAC addresses, their network names, and their security method/encryption type (WPA, WPA2, WEP, OPN; we are looking for WPA or WPA2). Here is a screenshot of what you should see. It won't be exact, obviously, because you aren't in my house ;-)
See the MAC 00:1D:7E:98:30:F1? That's my network! Once you see the network you are looking for, hit Ctrl+C to stop the search so you can copy the MAC.
NOTE: Below the list of networks, you can see that MAC address 00:1C:10:EA:03:31 is connected to AP 00:1D:7E:98:30:F1. That is the other wireless laptop on the network. You can view all client connections this way. For WPA, you will need to capture a client's authentication (the handshake).
3) Focus on the AP you are looking at and capture its packets (leave this running and open a new terminal for the further commands). Type the following command:
Here -c specifies channel 1, -w psk is the file prefix it will write the captured data to, and --bssid is the MAC of the AP. Screenshot of the result below.
airodump-ng -c 1 -w psk --bssid 00:1D:7E:98:30:F1 rausb0
4) This is the tough part. You either need to wait for someone to connect to the network and type the password, or you need to try a de-authentication attack against a client that is already connected.
I have tried a de-authentication attack, but it seems my wireless card is unable to do so. But to try it, this is the command:
aireplay-ng -0 <tries> -a <AP MAC> -c <Client MAC> <wifi interface>
So if I were to try it with 1 try (you can even try 10, whatever you want), with the AP 00:1D:7E:98:30:F1 and the client 00:1C:10:EA:03:31, it would look like this:
aireplay-ng -0 1 -a 00:1D:7E:98:30:F1 -c 00:1C:10:EA:03:31 rausb0
What this does exactly is attempt to kick the user off the network, forcing them to rejoin it; that is where you will capture the HANDSHAKE. Screenshot of the attempted de-authentication attack below:
5) Once you see "WPA handshake: <AP MAC>" in the upper right of the airodump-ng window, you have successfully captured a handshake. That means someone joined the network while you were monitoring it, and you captured the encrypted password (the handshake)! Check the screenshot below; this is what it will look like.
6) Cracking the password. You will need a password list, and a good one too! Here is the cool thing: you are not actually trying to join the network with your passwords. You simply run each password in your list through the same derivation the handshake used and compare the results.
I set my router password to "AmpHosted" (without quotes). Here is a screenshot of my password list; you will notice it is well into the list, as the password list is an ENTIRE dictionary...
Remember that earlier we named the file the data was being written to 'psk'? Alright, just making sure, because you are going to need whatever name you gave it (the name itself doesn't matter).
Type the following command into your CLI:
So my password list is called english.txt and my filename is psk, thus I can use psk*.cap. (I add a * after psk, because there will be a number appended to the file name.)
aircrack-ng -w passwordlist.txt -b <AP MAC> filename*.cap
Here is a random screenshot of it going through the password list, currently on the letter B.
Once it hit AmpHosted, it cracked it!
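Looking at step 4 from the other side: the de-authentication frames aireplay-ng sends are plain 802.11 management frames, so a wireless IDS can spot a forced handshake by counting them. The detector below is an added example, not code from the original post; the frame bytes are constructed for illustration, and the only values taken from the tutorial are the AP and client MACs.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10   # management subtypes that knock a client off its AP

def mac_str(b): return ":".join(f"{x:02X}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))

def mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    """Build a minimal 802.11 management frame (constructed test data, not a real capture)."""
    fc = bytes([subtype << 4, 0])  # type 0 = management, subtype in bits 4-7, no flags
    return (fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00" + body)

def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 header."""
    fc = frame[0]
    return ((fc >> 2) & 0x3, (fc >> 4) & 0xF,
            mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))

def deauth_alerts(frames, window=2.0, threshold=3):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    Emits (bssid, timestamp) once a BSSID sees `threshold` deauth/disassoc frames
    within `window` seconds; the window is reset so one burst yields one alert."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        ftype, sub, _a1, _a2, bssid = parse_header(raw)  # addr3 is the BSSID in mgmt frames
        if ftype != 0 or sub not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((bssid, ts))
            q.clear()
    return alerts

# Constructed sample traffic; the AP and client MACs are the ones shown in the tutorial.
AP, CLIENT, BCAST = "00:1D:7E:98:30:F1", "00:1C:10:EA:03:31", "FF:FF:FF:FF:FF:FF"
REASON_7 = struct.pack("<H", 7)  # reason 7: class 3 frame from nonassociated STA
SAMPLE_FRAMES = [
    (0.00, mgmt_frame(8, BCAST, AP, AP)),                         # ordinary beacon from the AP
    (10.00, mgmt_frame(DEAUTH, CLIENT, AP, AP, REASON_7)),        # burst: "AP" -> client ...
    (10.01, mgmt_frame(DEAUTH, AP, CLIENT, AP, REASON_7)),        # ... and "client" -> AP
    (10.02, mgmt_frame(DEAUTH, CLIENT, AP, AP, REASON_7)),
    (300.0, mgmt_frame(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 4))),  # lone deauth: idle timeout
]
```

Calling deauth_alerts(SAMPLE_FRAMES) flags the three-frame burst at t=10.02s against the tutorial's BSSID and ignores the single legitimate deauth at t=300s; the threshold and window are the knobs to tune against your own baseline.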
I think that's about it.