I noticed a strange behaviour. A lot of people were into cracking WEP, but still had a lot of questions on WPA. After these findings, I decided to just write my own tutorial :-)

Knowledge
If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is, some don't agree. The fact is that if the password is in some sort of dictionary, the password can be cracked. You'll need a 4-way handshake from a client connecting to an AP. The 4-way handshake contains material derived from the passphrase, and that is what the dictionary attack is run against. You'll need a huge list and some luck that the password is in the list, or you can make a personal list with a password tool of your choice (like john), which will not be discussed in this tutorial ;-). For this tutorial, of course, I'll be using the Aircrack-ng suite.

Optional: laziness
sudo su
You might need root access to run these applications. For example, if you are using Ubuntu and you don't want to type "sudo" in front of every line, you could use this optional command.

Knowing what interface to use
First of all, you'll have to know the name of your wireless interface, that's why you type:
iwconfig
Identifying your victim
airmon-ng start interface
You'd get a small message saying: (monitor mode enabled on spoofedinterface) // In my case, the spoofed interface was "mon0".
airodump-ng spoofedinterface
The next step would be choosing your victim. Obviously we would be looking for someone with WPA encryption now, since you want to crack someone with WPA. Write down his BSSID and his CHANNEL.
rebooting the network card to fit in the right Channel
This will start airodump-ng on your specific channel (-c). It will search for handshakes of the specified BSSID and will write this all to a capture file named psk (-w).
Notice! You might ask yourself: but how do I know when I captured a handshake? -> Well, aircrack thought of that: if you managed to capture a handshake, a message appears in the upper right corner.

Optional!, but very helpful when speeding up the process
So you need to capture a handshake, but the people who are connected of course won't be giving out the handshake, since this event only takes place during authentication. If we could just boot them off their network for a split second, so they would reconnect, that would be perfect!
aireplay-ng -0 10 -a BSSID -c CLIENTBSSID spoofed interface
This would do 10 "deauthentication" attacks (-0) with the AP being BSSID and the client being booted CLIENTBSSID. You can check if a client is connected by looking at your airodump-ng screen again. If you see at the bottom of that screen that someone is connected to the ESSID of your victim, simply use that STATION BSSID as CLIENTBSSID in this example.
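On the defending side, this burst is exactly what a wireless IDS watches for: a run of deauthentication or disassociation frames from one sender inside a short window. The detector below is an added example, not part of the original tutorial; it builds a constructed capture of 802.11 management frames (the MAC addresses, the reason code and the 5-frames-in-2-seconds threshold are my assumptions) and flags the flood.

```python
import struct
from collections import defaultdict, deque

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C   # management subtypes that drop a station

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_mgmt_frame(subtype, da, sa, bssid, body):
    """Minimal 802.11 management frame (no FCS): FC, duration, addr1-3, seq ctrl, body."""
    frame_control = bytes([(subtype << 4) & 0xF0, 0x00])  # type 0 = management, no flags
    return (frame_control + b"\x00\x00" + mac_to_bytes(da) + mac_to_bytes(sa)
            + mac_to_bytes(bssid) + b"\x00\x00" + body)

def parse_mgmt_frame(frame):
    """Return (subtype, da, sa, bssid, reason) or None if this is not a management frame."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != 0:
        return None
    reason = struct.unpack("<H", frame[24:26])[0]        # reason code is little-endian
    return ((frame[0] >> 4) & 0xF, frame[4:10].hex(":"),
            frame[10:16].hex(":"), frame[16:22].hex(":"), reason)

def detect_deauth_flood(packets, threshold=5, window=2.0):
    """packets: iterable of (timestamp_seconds, frame_bytes). Raise one alert per
    (bssid, sender) that emits `threshold` deauth/disassoc frames within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, frame in packets:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        _subtype, da, sa, bssid, reason = parsed
        times = recent[(bssid, sa)]
        times.append(ts)
        while ts - times[0] > window:                     # slide the window forward
            times.popleft()
        if len(times) == threshold:                       # fire once, when the line is crossed
            alerts.append({"bssid": bssid, "sender": sa, "target": da,
                           "reason": reason, "count": len(times)})
    return alerts

def sample_capture():
    """Constructed sample (assumed MACs): one beacon, then a 10-frame deauth burst
    like the `aireplay-ng -0 10` run above, spoofing the AP towards one client."""
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    packets = [(0.0, build_mgmt_frame(0x08, "ff:ff:ff:ff:ff:ff", ap, ap, b"\x00" * 12))]
    for i in range(10):   # reason code 7 is an assumption for the sample, not a rule
        packets.append((1.0 + i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap,
                                                         struct.pack("<H", 7))))
    return packets
```

Calling detect_deauth_flood(sample_capture()) returns one alert for the AP address once the fifth deauth lands; real frames read from a monitor-mode capture can be fed in as the same (timestamp, bytes) pairs.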
This would crack the actual capture file that was being created by airodump-ng. Notice! You can only try to crack when a handshake actually took place. Don't forget, -w needs the path to your wordlist, so remember where you saved it!
Optional security
As a scriptkiddy, you might want to remain a bit anonymous, so here's how you would change your MAC. Try to implement it yourself ;-)
sudo ifconfig spoofedinterface down && sudo macchanger -r interface && sudo macchanger -r spoofedinterface && sudo ifconfig spoofedinterface up
Wordlists
If you ever need some good wordlists, I suggest checking here first: wordlists
Qkyrie