Crack WPA for Dummies

Before starting this guide, you will need the proper tools:

  • Kali Linux in Virtual Box (May work on other distros with proper tooling. To simplify, try to use Kali)
    • Kali comes included, but the Aircrack-ng suite of hacking tools is what we will be using
  • A proper wireless card.
    • Supports monitor (promiscuous) mode.
    • Ability to inject and capture packets simultaneously
    • http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
      • This link is provided by the suite creators. I do not guarantee that everyone on this list works but the list is very thorough.
    • For the guide I will be using an Alfa Network Card Model: AWUS036NH.

Setting up your card

  1. Type
    iwconfig

    in a terminal located in Kali.

Should see something similar to this.

  1. Then go ahead and connect your adapter

The Alfa Network Card is plug and play with Kali Linux

  1. Route the Network Card to Kali through virtual box

  1. Type
    iwconfig

    again and you should get something like this

C:\Users\Graham\Pictures\WPA Cracking Article\3.png

Entering monitor mode

In order to enter monitor (promiscuous) mode, we need to make sure there are no programs conflicting with the potential use of the Aircrack-ng Suite.

  1. Run the command
    airmon-ng check kill

This will automatically detect and kill all processes

C:\Users\Graham\Pictures\WPA Cracking Article\4.png

If you don’t do this step, you the Network Card may work for a little bit but it will cease to work at some point.

  1. Run the command airmon-ng start <network interface>

In my case, the <network interface> is wlan0. You can determine yours based on what appeared when you plugged in you network card and run

iwconfig

.

NOTE: If you start to have issues later in the guide with airodump-ng. Try using this command instead to put it into monitor mode

iwconfig <network interface> mode monitor

This may take about 30 seconds to run.

C:\Users\Graham\Pictures\WPA Cracking Article\5.png

  1. Run the command
    iwconfig

    to ensure your card is in monitor mode.

C:\Users\Graham\Pictures\WPA Cracking Article\6.png

As you can see the network interface name has changed and “Mode: Monitor”

Scanning for networks

NOTE: Never attempt this on access points you don’t own and/or have permission.

Once you have the SSID (or name) of the network you want to crack…

  1. Run the command
    airodump-ng --band bg wlan0mon
    1. Where –band refers to the IEEE 802.11 protocol (ex. b/g/n/ac)
    2. wlan0mon is our monitoring network interface.

This step can cause a couple problems.

If you run the command and nothing seems to be showing up, attempt the following

  • Don’t be so impatient (Give it a minute)
  • Ensure that the “[CH #]” is rotating channels
    • If not, retry the “Enter Monitor Mode” section
  • Try to reboot/unplug/replug.
    • Usually some combination of these 3 actions gets it to work.

C:\Users\Graham\Pictures\WPA Cracking Article\7.png

After you get this working, take down the BSSID and the CH # of the network you want to crack. You’re going to need it.

Get ready to catch the handshake

A handshake is the method an access point (router) authenticates a client to allow access to the network.

C:\Users\Graham\Pictures\WPA Cracking Article\8.jpg

In simple terms, this next step will start monitoring for a handshake packets passing between the network and the access point.

When a client connects to the access point, it will send these packets through the network. We need these to attempt to crack the password.

  1. Run the command
airodump-ng --bssid <BSSID of your target network> -c <CH of your target network> --write WPACrackAttempt1 <your network interface>

Similar to the last command, this one can be temperamental. I’ve found these methods help fix it.

  • Chill. (Give it time)
  • Run the basic airodump-ng command
    airodump-ng --band bg wlan0mon
    • I don’t know why this works, but it seems to wake up the card.
    • If it wakes up on this command, quickly run the first command and it should pop up.
    • If this doesn’t work then refer back the fixes for this command.
  • Make sure you BSSID and CH are correct. Double check them by following the “Scanning for networks” section.

C:\Users\Graham\Pictures\WPA Cracking Article\8.png

This is now waiting for a handshake, let it do its work.

LEAVE THIS OPEN – Open another terminal to do the rest

Forcing a handshake

In the last section I mentioned that when a client connects, it will capture a handshake. But when is a client going to connect? If you want to leave airodump-ng open long enough, you can simply wait for someone to connect to the network (ex. Someone coming home from work or Someone turning on a network device).

However, if you’re too impatient for that, you can force one of the clients to reconnect by sending a DEAUTHENTICATION packet through the network. In simple terms, you are telling a computer to get off my network, it gets off, and then you go away so it gets back on like a rebellious teenager.

When that client reenters the network the airodump, which was monitoring for the handshake, will catch it and save it.

For the next step, only do one of the two Deauth methods.

Deauth One Client – Recommended Method.

  1. Run the command
    aireplay.ng --deauth # -a <BSSID> <network monitoring interface> -c <SESSION OF CLIENT>
    1. Where <BSSID> is the bssid of your target network
    2. <network monitoring interface> is the network interface of your monitoring device.
    3. # is number of deauth packets to send (Increase if no results)
    4. <SESSION OF CLIENT> looks just like the <BSSID>. Move over to you airodump terminal, and look under the SESSION column and pick one.

C:\Users\Graham\Pictures\WPA Cracking Article\10.png

Deauth Whole Network – If you don’t have any clients in airodump

  1. Run the command
    aireplay-ng --deauth 5 -a <BSSID> <network interface>
    1. Where <BSSID> is the bssid of your target network
    2. <network interface> is the network interface of your monitoring device.
    3. –deauth #. This number may need to increase if you don’t have any results.

C:\Users\Graham\Pictures\WPA Cracking Article\9.png

Check for Handshake

Following your deauth packets, take a look at your airodump terminal.

C:\Users\Graham\Pictures\WPA Cracking Article\11.png

If a “WPA handshake” has appeared, that means you were successful in capturing a handshake!

Brute Force the Handshake

So now for the biggest caveat of this whole process. The handshake isn’t the password, and it isn’t going to give it to you either, unfortunately. The handshake is like a lock and you have a bucket of 2 billion keys (passwords) right next to you. So you need to try them until the lock turns. Then you have your working password.

However, in order for this to happen, the correct password needs to be in your wordlist.

  1. Run the ls command to see if your handshake is there.

C:\Users\Graham\Pictures\WPA Cracking Article\12.png

You may have way more files than you were supposed to if you had to try a bunch of times. Go ahead and remove all but the latest one (denoted by the number tacked on the end).

  1. Find a wordlist. In the default kali install there is the most common wordlist known as rockyou.txt. Locate this at /usr/share/wordlists/rockyou.txt.gz.
    1. Extract it to wherever you want, I chose the desktop.
    2. If you can’t find it for some reason, download it here https://wiki.skullsecurity.org/Passwords
  2. Run this command
aircrack-ng <.cap File of your handshake> -w <your wordlist>

Example Command:

aircrack-ng WPACrackAttempt1-04.cap -w Desktop/rockyou.txt

If you get an error saying there are no handshakes present, try the monitor and deauth again to attempt to recapture.

C:\Users\Graham\Pictures\WPA Cracking Article\13.png

The cracking speed will depend on the available resources allocated to your Kali Linux Virtual machine. As you can see I can test about three thousand keys a second. I had 6 gb of ram and 4 processors allocated. If the passphrase is not found in your handshake, then try a different word list.

Leave a Reply

Your email address will not be published. Required fields are marked *