Cracking a WPA or WPA2 wireless network is more difficult than cracking a WEP protected network because it depends on the complexity of the wireless password and on the attack method (Dictionary Attack or Brute Force Attack). Here you will learn step by step instructions how to crack the WPA2 which uses a pre-shared keys (PSK) of a wireless network. This also applies to WPA secured network.
Before you begin
You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
Make sure that your wireless adapter is plugged into your virtual machine. In VMWare goto the menu “Virtual Machine” -> “Removable Devices” -> “YOUR ADAPTER MUST BE TICKED”
Start Cracking the WPA/WPA2 Password
Here are the basics steps we will be going through:
Put your wireless interface in monitor mode on the specific AP channel
Start airodump-ng to collect authentication handshake from the AP
Use aireplay-ng to deauthenticate the wireless client to force a handshake with the AP
Run aircrack-ng to crack the pre-shared key using a dictionary file
Launch the Konsole, which is the BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar as showing in the image below.
BackTrack Konsole
Run the following command to get a list of your network interfaces:
airmon-ng
You may get something like “ath1″, “wlan0″, “wifi0″, or “ra0″…. This is called your interface.
In my case: (interface)=wlan0 (see image below)
Now run the following command to put your interface in monitor mode.
airmon-ng start (interface)
In my case
airmon-ng start wlan0
WPA2 Cracking 01
Now we can use the monitor interface which appears below the Driver column, call it (monitor). Most of the time (monitor)=mon0 as shown in the image above.
It’s time to view the list of available networks and pick one for cracking. Run:
airodump-ng (monitor)
In my case
airodump-ng mon0
Wait for some time for all the networks to load then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack which has “WPA” or “WPA2″ encryption in the “ENC” column, and “PSK” in the “AUTH” column. “OPN” means that the network is open and you can connect to it without a key, WEP will not work here but you can check How to Crack WEP Wireless with BackTrack 4 running on Windows which takes less than 5 minutes to crack.
After selecting the network that you want to crack take note of the BSSID, and the channel (CH) values. In my case: (bssid)=68:7F:74:06:69:C7, and (channel)=11 as shown in the image below.
Now we are going to monitor and record the data passing through that network to a file. Run:
airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename)
In my case
airodump-ng mon0 --channel 1 --bssid 68:7F:74:06:69:C7 -w linksys
Replace (monitor), (channel), and (bssid) with their respective values noted before. (filename) can be any name. I usually use a name similar to the name of the network which is “linksys” in this case.
WPA2 Cracking 02
The data is being collected and recorded now and you should get an output similar to the window in the background shown in the picture below. Leave that window running.
We now need to record the 4-way handshake that happens between the targeted wireless router (AP) and a client that is already authenticated.
We can either wait for a client to connect or disconnect an already connected user to force him to reconnect. In our case we are going to disconnect an already connected user. Don’t forget to note down the client mac address which we’ll call station. In my case (station)=00:C0:CA:25:AC:68. Launch a second Konsole window now and run:
aireplay-ng -0 1 -a (bssid) -c (station) (monitor)
In my case
aireplay-ng -0 1 -a 68:7F:74:06:69:C7 -c 00:C0:CA:25:AC:68 mon0
WPA2 Cracking 03
After you run this command you should see “WPA handshake: (bssid)” in the upper right corner of the first Konsole, in my case it is “WPA handshake: 68:7F:74:06:69:C7″. This means that you have collected the 4-way handshake, and you don’t need to be connected to the network anymore.
In case you didn’t see the handshake message try to run the same command again. It’s time to start cracking the collected password.
Cracking the Password
To crack the password you will need a file that contains list of passwords, this file is called a dictionary file. The more accurate the dictionary file and less complex the WPA or WPA2 wireless password; the better chance you have to crack the password. There are lots of dictionary files on the internet that you can download, for the purpose of the demo I am going to use the dictionary file that comes with aircrack-ng. It can be found under “/pentest/wireless/aircrack-ng/test”.
You can close all the Konsoles if you want and open a new one. Run:
aircrack-ng -w (passwordsfile) -b (bssid) (filename-01.cap)
In my case
aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F:74:06:69:C7 linksys-01.cap
The filename should be what you used in (filename) + “-01.cap”, if you are not sure about the (filename) enter “ls” to see list of all the files.
This command will start trying the passwords listed in the dictionary file that you provided until it finds a match. If the password wasn’t found then you need to use a better dictionary file. It is possible that the password can not be found at all in case it was long and complex enough! But in case there was a match then you should see something like:
WPA2 Cracking 04
The WPA or WPA2 password is what you see besides “KEY FOUND!” inside the brackets. In my case: thisisatest
Conclusion
The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the dictionary file that you have. Another brute force attack method would be to try all possible permutations of letters, numbers, and symbols possible to crack the password. Although it will surely find the password in the end but it might take hundreds of years for the cracking process to complete which is why a dictionary attack is considered more efficient approach, you can check John the Ripper if you are interested in this method.
Feel free to ask questions or let me know if I have missed something by leaving a comment below.
Before you begin
You need to have BackTrack installed and running on VMWare Player. How to Install VMWare & Backtrack 4
Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
Make sure that your wireless adapter is plugged into your virtual machine. In VMWare goto the menu “Virtual Machine” -> “Removable Devices” -> “YOUR ADAPTER MUST BE TICKED”
Start Cracking the WPA/WPA2 Password
Here are the basics steps we will be going through:
Put your wireless interface in monitor mode on the specific AP channel
Start airodump-ng to collect authentication handshake from the AP
Use aireplay-ng to deauthenticate the wireless client to force a handshake with the AP
Run aircrack-ng to crack the pre-shared key using a dictionary file
Launch the Konsole, which is the BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar as showing in the image below.
BackTrack Konsole
Run the following command to get a list of your network interfaces:
airmon-ng
You may get something like “ath1″, “wlan0″, “wifi0″, or “ra0″…. This is called your interface.
In my case: (interface)=wlan0 (see image below)
Now run the following command to put your interface in monitor mode.
airmon-ng start (interface)
In my case
airmon-ng start wlan0
WPA2 Cracking 01
Now we can use the monitor interface which appears below the Driver column, call it (monitor). Most of the time (monitor)=mon0 as shown in the image above.
It’s time to view the list of available networks and pick one for cracking. Run:
airodump-ng (monitor)
In my case
airodump-ng mon0
Wait for some time for all the networks to load then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack which has “WPA” or “WPA2″ encryption in the “ENC” column, and “PSK” in the “AUTH” column. “OPN” means that the network is open and you can connect to it without a key, WEP will not work here but you can check How to Crack WEP Wireless with BackTrack 4 running on Windows which takes less than 5 minutes to crack.
After selecting the network that you want to crack take note of the BSSID, and the channel (CH) values. In my case: (bssid)=68:7F:74:06:69:C7, and (channel)=11 as shown in the image below.
Now we are going to monitor and record the data passing through that network to a file. Run:
airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename)
In my case
airodump-ng mon0 --channel 1 --bssid 68:7F:74:06:69:C7 -w linksys
Replace (monitor), (channel), and (bssid) with their respective values noted before. (filename) can be any name. I usually use a name similar to the name of the network which is “linksys” in this case.
WPA2 Cracking 02
The data is being collected and recorded now and you should get an output similar to the window in the background shown in the picture below. Leave that window running.
We now need to record the 4-way handshake that happens between the targeted wireless router (AP) and a client that is already authenticated.
We can either wait for a client to connect or disconnect an already connected user to force him to reconnect. In our case we are going to disconnect an already connected user. Don’t forget to note down the client mac address which we’ll call station. In my case (station)=00:C0:CA:25:AC:68. Launch a second Konsole window now and run:
aireplay-ng -0 1 -a (bssid) -c (station) (monitor)
In my case
aireplay-ng -0 1 -a 68:7F:74:06:69:C7 -c 00:C0:CA:25:AC:68 mon0
WPA2 Cracking 03
After you run this command you should see “WPA handshake: (bssid)” in the upper right corner of the first Konsole, in my case it is “WPA handshake: 68:7F:74:06:69:C7″. This means that you have collected the 4-way handshake, and you don’t need to be connected to the network anymore.
In case you didn’t see the handshake message try to run the same command again. It’s time to start cracking the collected password.
Cracking the Password
To crack the password you will need a file that contains list of passwords, this file is called a dictionary file. The more accurate the dictionary file and less complex the WPA or WPA2 wireless password; the better chance you have to crack the password. There are lots of dictionary files on the internet that you can download, for the purpose of the demo I am going to use the dictionary file that comes with aircrack-ng. It can be found under “/pentest/wireless/aircrack-ng/test”.
You can close all the Konsoles if you want and open a new one. Run:
aircrack-ng -w (passwordsfile) -b (bssid) (filename-01.cap)
In my case
aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F:74:06:69:C7 linksys-01.cap
The filename should be what you used in (filename) + “-01.cap”, if you are not sure about the (filename) enter “ls” to see list of all the files.
This command will start trying the passwords listed in the dictionary file that you provided until it finds a match. If the password wasn’t found then you need to use a better dictionary file. It is possible that the password can not be found at all in case it was long and complex enough! But in case there was a match then you should see something like:
WPA2 Cracking 04
The WPA or WPA2 password is what you see besides “KEY FOUND!” inside the brackets. In my case: thisisatest
Conclusion
The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the dictionary file that you have. Another brute force attack method would be to try all possible permutations of letters, numbers, and symbols possible to crack the password. Although it will surely find the password in the end but it might take hundreds of years for the cracking process to complete which is why a dictionary attack is considered more efficient approach, you can check John the Ripper if you are interested in this method.
Feel free to ask questions or let me know if I have missed something by leaving a comment below.
Comments