Cracking WPA/WPA2 networks

11 replies to this topic

#1 phpforfun, Speaks fluent binary (Expert Member, 1056 posts)

Posted 09 February 2009 - 08:51 PM

This is a short tutorial showing you how to secure your own WPA/WPA2 network. First, let me say that the only 100% sure way to secure your wireless network is to disable wireless, but if you use it, then you can't.

First, let me stress that there is NO difference between cracking WPA and WPA2 networks; they are cracked the EXACT same way! This method is totally different from cracking WEP networks.

First, please look at the thread I created about cracking WEP networks; the first couple of steps are very similar. I'd say step 4 is where it starts to change.

Read It Here


What is WPA/WPA2?
WPA is Wi-Fi Protected Access, one of several popular standards for wireless network security. This WPA is not to be confused with Windows XP Product Activation, a separate technology that is also included with the Microsoft Windows operating system.

WPA/WPA2 differs from WEP in that WPA/WPA2 requires an actual password, whereas WEP requires a key generated from a password; you never type the real password in with WEP.

In my WEP tutorial, I showed you how to install the tools. In this tutorial, I use a live KDE distro called BackTrack 3 (remote-exploit.org).

NOTE: The reason this is different from WEP is that in WEP cracking, you simply crack the key; you don't need to intercept the key, it's already there, you just decrypt it with enough IVs. However, in WPA/WPA2, you need to wait for a handshake to authenticate. This means you need to wait for someone to successfully join the network using the password, and aircrack will grab the handshake encryption and use that.

1) First, you need to bring down your wireless interface so you can modify it. Mine is rausb0, so I would type 'ifconfig rausb0 down' (that part I cut out of the image below, oops). My commands are explained below.

With my wireless card, I need to activate the drivers, most of you will not need to do this.

modprobe -r rt73
modprobe rt73


Bring the wireless interface back up

ifconfig rausb0 up


Change the rate of the wireless interface to 1M. This helps a lot, but it's not required. It does solve some other problems you would encounter if you don't do this.

iwconfig rausb0 rate 1M


Bring rausb0 into monitoring mode

airmon-ng start rausb0


Picture of all commands:
Posted Image

2) Look for your network, I am doing this at my own house, with another computer on the LAN, thus I know exactly what I am looking for.
Type the following command into the CLI to start monitoring the network(s).

airodump-ng rausb0

This command will list the networks around you, their MAC addresses, their network names, and their security method/encryption type (WPA, WPA2, WEP, OPN; we are looking for WPA or WPA2). Here is a screenshot of what you should see. It won't be exact, obviously, because you aren't in my house ;-)
Posted Image
See the MAC 00:1D:7E:98:30:F1? That's my network! Once you see the network you are looking for, hit Ctrl+C to stop the search so you can copy the MAC.
NOTE: Below the list of networks, you see that MAC address 00:1C:10:EA:03:31 is connected to AP 00:1D:7E:98:30:F1. That is the other wireless laptop on the network. You can view all network connections. For WPA, you will need to intercept the authentication.

3) Focus on and capture packets of the AP you are looking at (leave it running and open a new terminal for further commands). Type the following command:

airodump-ng -c 1 -w psk --bssid 00:1D:7E:98:30:F1 rausb0

Where -c specifies channel 1, psk is the file it will write the data to, and --bssid is the MAC of the AP. Screenshot of the result below:
Posted Image

4) This is the tough part... You need to either wait for someone to try to connect to the network and type the password, or try a de-authentication attack against a client that is already connected.

I have tried a de-authentication attack, but it seems my wireless card is unable to do so. But to try it, this is the command:

aireplay-ng -0 <tries> -a <AP MAC> -c <Client MAC> <wifi interface>

So if I were to try it with 1 try (you can even try 10, whatever you want), with the AP 00:1D:7E:98:30:F1 and the client 00:1C:10:EA:03:31, it would look like this:

aireplay-ng -0 1 -a 00:1D:7E:98:30:F1 -c 00:1C:10:EA:03:31 rausb0

What this does exactly is attempt to kick the user off the network, thus forcing them to rejoin the network; that is where you will capture the HANDSHAKE. Screenshot of the attempted de-authentication attack below:
Posted Image

5) Once you see "WPA Handshake <AP MAC>" in the upper right of the monitor mode window, you have successfully captured a handshake, which means someone else joined the network while you were monitoring it and you captured the encrypted password! Check the screenshot below; this is what it will look like:
[IMG]http://amphosted.com/aircrack/wpa/snapshot5.png[/IMG]

6) Cracking the password... You will need a password list. A good one, too! Here is the cool thing: you are not actually trying to join the network with your passwords, you are simply encrypting the passwords in your password list in the same way your handshake is encrypted, and comparing them.

I set my router password to "AmpHosted" without quotes. Here is a screenshot of my password list; you will notice it is well into the password list, and the password list is an ENTIRE dictionary...
[IMG]http://amphosted.com/aircrack/wpa/snapshot6.png[/IMG]

Remember earlier we named the file that the data was being written to 'psk'?... Alright, just making sure, because you are going to need the name of whatever you named it (the name doesn't matter).
Type the following command into your CLI:

aircrack-ng -w passwordlist.txt <AP MAC> filename*.cap

So my password list is called english.txt, and my filename is psk, thus I can use psk*.cap. (I add a * after the psk because it will have a number after the file.)
Screenshot below:
[IMG]http://amphosted.com/aircrack/wpa/snapshot7.png[/IMG]

Here is a random screenshot of it going through the password list, currently on the letter B:
[IMG]http://amphosted.com/aircrack/wpa/snapshot8.png[/IMG]

Once it hit AmpHosted, it cracked it!
[IMG]http://amphosted.com/aircrack/wpa/snapshot9.png[/IMG]

I think that's about it :)
  • 0
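The de-authentication step (4) above is what a network owner can actually watch for: a burst of forged deauth/disassoc management frames that carries the AP's own address. The following is an added example, not code from the post or from the aircrack-ng project. It packs a few constructed 802.11 management frames in memory (no radiotap header, nothing is transmitted), reusing the AP and client MACs from the screenshots, and runs a simple per-transmitter rate detector over them. The reason code 7 and the threshold of five frames per capture window are constructed values for the example.

```python
import struct
from collections import Counter

# 802.11 frame control: type 0 is management; these are its subtype values.
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"

# MACs taken from the screenshots in the post above (the author's own AP and laptop).
AP_MAC = "00:1d:7e:98:30:f1"
CLIENT_MAC = "00:1c:10:ea:03:31"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, body=b"", seq=0):
    """Constructed test fixture: pack a bare 802.11 management frame
    (no radiotap header) so the detector has something to parse."""
    frame_control = bytes([subtype << 4, 0x00])      # version 0, type 0 (mgmt), flags 0
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", seq << 4)            # fragment 0, sequence number
    return (frame_control + duration + _mac_bytes(dst) + _mac_bytes(src)
            + _mac_bytes(bssid) + seq_ctrl + body)


def parse_frame(raw):
    """Decode the 24-byte MAC header; for deauth/disassoc also read the reason code."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    dst, src, bssid = _mac_str(raw[4:10]), _mac_str(raw[10:16]), _mac_str(raw[16:22])
    reason = None
    if ftype == 0 and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]
    return {"type": ftype, "subtype": subtype, "dst": dst, "src": src,
            "bssid": bssid, "reason": reason}


def detect_deauth_burst(frames, threshold=5):
    """Count deauth/disassoc frames per transmitter address over one capture
    window and flag any transmitter at or above `threshold`. A forged deauth
    carries the AP's address, so the alert names the AP's MAC: the signal is
    the rate, not the identity. Broadcast deauths are reported separately
    because a healthy AP rarely emits them."""
    counts = Counter()
    reasons = Counter()
    broadcast = 0
    for raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != 0:
            continue
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        counts[f["src"]] += 1
        reasons[f["reason"]] += 1
        if f["dst"] == BROADCAST:
            broadcast += 1
    alerts = {src: n for src, n in counts.items() if n >= threshold}
    return {"per_source": dict(counts), "reasons": dict(reasons),
            "broadcast_deauths": broadcast, "alerts": alerts}


def sample_capture():
    """Constructed capture window: two normal beacons, then a burst of forged
    deauths (reason code 7, 'class 3 frame received from nonassociated STA')
    aimed at the client, plus one broadcast deauth."""
    frames = [build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP_MAC, AP_MAC, seq=i)
              for i in range(2)]
    reason_7 = struct.pack("<H", 7)
    frames += [build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT_MAC, AP_MAC, AP_MAC, reason_7, seq=10 + i)
               for i in range(8)]
    frames.append(build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP_MAC, AP_MAC, reason_7, seq=30))
    return frames


if __name__ == "__main__":
    print(detect_deauth_burst(sample_capture()))
```

On a real monitor-mode capture you would strip the radiotap header before handing each frame to parse_frame and reset the counters per time window. The durable fix on the owner's side is Protected Management Frames (802.11w), which authenticate deauth/disassoc frames so forged ones are discarded by the client.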
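Step 6 says the cracker "encrypts" each wordlist entry the same way the handshake was and compares. What it actually derives from each candidate is the WPA/WPA2-Personal pre-shared key, which IEEE 802.11 defines as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes. The block below is an added example, not the author's code or anything from aircrack-ng: it derives that PSK (checked against the test vector published in the standard), shows why the result is SSID-specific, measures the per-guess cost on the local machine, and audits a passphrase against a small constructed wordlist so an owner can see why "AmpHosted" fell to an English dictionary. SAMPLE_WORDLIST, audit_passphrase and the 16-character advisory threshold are assumptions of this example.

```python
import hashlib
import string
import time


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal pre-shared key as specified by IEEE 802.11:
    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every candidate an offline cracker tests costs this same derivation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


# Published IEEE 802.11 test vector (passphrase, SSID, expected PSK hex), used as a self-check.
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed stand-in for the "entire dictionary" wordlist the post mentions.
SAMPLE_WORDLIST = ["password", "letmein", "amphosted", "wireless", "12345678"]

# 802.11 passphrases are 8 to 63 printable ASCII characters.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def audit_passphrase(passphrase, wordlist):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 character range WPA-Personal allows")
    if any(c not in ALLOWED for c in passphrase):
        findings.append("contains characters outside printable ASCII (not portable across clients)")
    words = {w.strip().lower() for w in wordlist}
    if passphrase.lower() in words:
        findings.append("exact dictionary word: found on the first pass of a wordlist attack")
    stripped = passphrase.lower().rstrip(string.digits + string.punctuation)
    if stripped != passphrase.lower() and stripped in words:
        findings.append("dictionary word plus suffix: falls to simple wordlist rules")
    if len(passphrase) < 16:
        findings.append("shorter than 16 characters: prefer a long multi-word phrase")
    return findings


def seconds_per_guess(ssid, samples=20):
    """Measure this machine's cost of one PSK derivation (wall clock, one thread)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_psk(f"candidate{i:04d}", ssid)
    return (time.perf_counter() - start) / samples


def wordlist_scan_time(ssid, wordlist_size):
    """Rough time for one CPU core to try every wordlist entry against one handshake."""
    return seconds_per_guess(ssid) * wordlist_size


if __name__ == "__main__":
    p, s, expected = IEEE_TEST_VECTOR
    assert derive_psk(p, s).hex() == expected
    # Same passphrase, different SSID: a different PSK, so precomputed tables are per-SSID.
    print(derive_psk("AmpHosted", "AmpHosted").hex())
    print(derive_psk("AmpHosted", "OtherSSID").hex())
    print(audit_passphrase("AmpHosted", SAMPLE_WORDLIST))
    print(audit_passphrase("correct horse battery staple 2009", SAMPLE_WORDLIST))
    per_guess = seconds_per_guess("AmpHosted")
    print(f"{per_guess:.4f} s per guess on this core; "
          f"a million-word list takes about {per_guess * 1_000_000 / 3600:.2f} h")
```

The practical lesson for the network owner is that the PSK derivation is public and deterministic, so the only lever in WPA/WPA2-Personal is the passphrase's resistance to guessing: length and unpredictability, not "encryption strength". Renaming the SSID to something unique also defeats precomputed PSK tables built for common SSIDs. WPA3-Personal (SAE) changes the protocol so that a captured exchange no longer allows this offline dictionary check at all.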

#2 John, CC Mentor (Moderator, 4450 posts, Location: New York, NY)

Posted 09 February 2009 - 09:01 PM

VERY Nice!
  • 0

#3 phpforfun, Speaks fluent binary (Expert Member, 1056 posts)

Posted 09 February 2009 - 09:04 PM

Thank you sir :)

Oh... um...

THIS IS NOT TO BE USED ON ANY PERSONAL NETWORK NOT OWNED BY YOURSELF! I AM NOT TO BE HELD LIABLE FOR YOUR STUPIDITY


K, I'm safe
  • 0

#4 Guest_Jordan_* (Guest)

Posted 10 February 2009 - 05:24 AM

Wow, very nice indeed! Did you learn all of this by just messing around?
  • 0

#5 Egz0N, CC Leader (Expert Member, 1155 posts)

Posted 10 February 2009 - 06:16 AM

Wow .. nice one php.. :P .. +rep :)
  • 0

#6 phpforfun, Speaks fluent binary (Expert Member, 1056 posts)

Posted 10 February 2009 - 12:04 PM

Wow, very nice indeed! Did you learn all of this by just messing around?

Yes, I might make a tutorial later about hacking into LAN computers, if I can get it to work on my LAN.

Wow .. nice one php.. :P .. +rep :)


Thank you :)
  • 0

#7 amrosama, CC Mentor (VIP Member, 2765 posts)

Posted 10 February 2009 - 09:46 PM

Awesome! Thank you, very nice.
  • 0

#8 phpforfun, Speaks fluent binary (Expert Member, 1056 posts)

Posted 14 February 2009 - 05:11 PM

Has anyone else tried this? I want to know if I need to make some changes to the tutorial so it will be easier to follow.
  • 0

#9 miniprint, CC Lurker (Just Joined, 1 post)

Posted 15 February 2009 - 01:13 PM

Thanks for the article.
  • 0

#10 phpforfun, Speaks fluent binary (Expert Member, 1056 posts)

Posted 16 February 2009 - 06:21 AM

you is welcome
  • 0

#11 Sky, CC Resident (Just Joined, 72 posts)

Posted 13 July 2010 - 06:29 AM

Thank you very much.
  • 0

#12 Psynic, CC Resident (Advanced Member, 67 posts)

Posted 17 February 2013 - 04:48 PM

This works well; you just need a really good dictionary, which I don't have.


  • 0




