
Friday, July 06, 2007

Cracking WPA

1. Get yourself a good Linux distribution and download the newest aircrack-ng suite. Also download Kismet.

I warmly recommend using back|track, because it already has everything installed. See the WEP cracking tutorial for information about installing back|track.

2. Put your wireless card in monitor mode.

There are many different ways to do this, and some may not work with your driver/card. I will explain one here: type ‘iwconfig’ in a terminal to list your wireless interfaces (mine is ath0). Then type ‘iwconfig [interface] mode Monitor’ to put that interface in monitor mode.

3. Start Kismet and wait a few seconds for it to find all networks in your area. Press ‘s’ and then ‘f’ to sort the networks, and navigate to a WPA-enabled network with the arrow keys. Press Enter to see more information about the highlighted network; do this to make sure the network really is protected with WPA. Also note which channel the network is running on.

4. Now start airodump-ng by opening a terminal window (you can reuse the one from the previous step) and typing:

airodump-ng -c [channel] -w wpa [interface]

5. Airodump will list all networks on the channel you entered. Wait for ‘your’ network to show up, then wait for a client to connect to that access point. Clients are shown in the list below the list of APs.

6. Open a new terminal window and type:

aireplay-ng [interface] --deauth 25 -a [MAC address of the AP*] -h [MAC of the client]

* The MAC address of the AP is the value that airodump labels ‘BSSID’. It usually looks like this: 12:34:45:78:89:56

7. The deauth attack kicks the client off the network and forces it to reconnect. During this reconnect airodump captures the so-called ‘handshake’. To crack the key, open a new terminal window while keeping airodump running, and type:

aircrack-ng -w [full path to dictionary file**] wpa-01.cap

** Search the web for a good dictionary file (try Google with the term “security wordlist”; please post good dictionaries in the comments). If you are using back|track, open a new terminal window and type (hard-disk install only!):

cd /pentest/password/dictionaries
gunzip wordlist.txt.Z

After unzipping, the “full path to dictionary file” is /pentest/password/dictionaries/wordlist.txt.
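The deauthentication burst in steps 6 and 7 is also the easiest part of this procedure to spot from the defending side. The following is an added example, not code from the original post or from aircrack-ng/Kismet: a small sliding-window detector that flags a (sender, BSSID) pair once it has sent ten deauth/disassoc frames within two seconds, which is what a wireless IDS does. The frame records, the client MAC and the second AP are constructed; the BSSID is the example value from the post.

```python
"""Flag deauthentication bursts in 802.11 management-frame records.

Added example, not code from the original post or from aircrack-ng/Kismet.
Step 6 injects 25 deauthentication frames in a row, whereas a real AP or
client sends one now and then (idle timeout, roaming). Counting deauth and
disassoc frames per (sender, BSSID) pair inside a short sliding window is
the classic wireless-IDS check for this.

The frame records are a constructed, simplified representation
(ts, type, subtype, src, dst, bssid); a real deployment would fill them
from a capture tool that exposes those fields.
"""
from collections import defaultdict, deque

AP_BSSID = "12:34:45:78:89:56"        # example BSSID used in the post
CLIENT = "aa:bb:cc:dd:ee:01"          # constructed client MAC
OTHER_AP = "12:34:45:78:89:99"        # constructed second AP on the channel

KICK_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_bursts(frames, window_s=2.0, threshold=10):
    """Return one alert per (sender, bssid) pair whose deauth/disassoc count
    reaches `threshold` inside any `window_s`-second sliding window.

    Each alert is (first_ts, bssid, sender, count_at_trigger). The sender
    address of injected deauth frames is normally spoofed to the AP's own
    MAC, so an alert means "frames claiming to come from this BSSID", not
    "this device physically sent them".
    """
    recent = defaultdict(deque)   # (sender, bssid) -> timestamps in window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != "mgmt" or f["subtype"] not in KICK_SUBTYPES:
            continue
        key = (f["src"], f["bssid"])
        q = recent[key]
        q.append(f["ts"])
        while f["ts"] - q[0] > window_s:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((q[0], f["bssid"], f["src"], len(q)))
    return alerts


def sample_frames():
    """Constructed capture: normal traffic plus one injected deauth burst."""
    frames = []
    # Beacons every 100 ms from both APs for 20 s
    for i in range(200):
        ts = i * 0.1
        frames.append({"ts": ts, "type": "mgmt", "subtype": "beacon",
                       "src": AP_BSSID, "dst": "ff:ff:ff:ff:ff:ff", "bssid": AP_BSSID})
        frames.append({"ts": ts + 0.05, "type": "mgmt", "subtype": "beacon",
                       "src": OTHER_AP, "dst": "ff:ff:ff:ff:ff:ff", "bssid": OTHER_AP})
    # One legitimate deauth (e.g. idle timeout) at t=3 s: not a burst
    frames.append({"ts": 3.0, "type": "mgmt", "subtype": "deauth",
                   "src": OTHER_AP, "dst": CLIENT, "bssid": OTHER_AP})
    # Injected burst: 25 deauths spoofing the AP's address, 50 ms apart
    for i in range(25):
        frames.append({"ts": 10.0 + i * 0.05, "type": "mgmt", "subtype": "deauth",
                       "src": AP_BSSID, "dst": CLIENT, "bssid": AP_BSSID})
    return frames


if __name__ == "__main__":
    for first_ts, bssid, sender, count in detect_deauth_bursts(sample_frames()):
        print(f"t={first_ts:.2f}s deauth burst: {count} frames from {sender} on BSSID {bssid}")
```

The one legitimate deauth at t=3 s never reaches the threshold, while the injected burst trips the alert on its tenth frame. Because the injected frames carry the AP's own address, the alert can only say that the BSSID is being impersonated; locating the real sender needs signal-strength or sequence-number analysis, which this check does not attempt.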

8. Now wait, possibly a long time. This can take hours if you aren’t lucky, and if the passphrase isn’t in the dictionary you will never find the key. If the key is found, aircrack displays it. I’m currently figuring out how rainbow tables work. From what I have read, rainbow tables can crack a WPA key in 10 minutes (wow!). Expect a tutorial about how this works within a few days.

1 comment:

James said...

Actually, a rainbow table can't be used to crack WPA auth hashes, due to the fact that the hash is salted by the SSID.
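The point in the comment above, and the reason step 8 takes hours, both follow from how WPA-Personal derives its key. The following is an added example, not code from the original post or from James's comment: it computes the standard WPA pre-shared-key derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i) and shows that the same passphrase yields a different key under a different SSID, so a table precomputed for one network name is useless for another. The passphrases and SSIDs are constructed, except for the IEEE 802.11i Annex H test vector ("password" / "IEEE").

```python
"""Why WPA passphrase tables are per-SSID: the PSK derivation is salted.

Added example, not code from the original post or from the comment.
WPA/WPA2-Personal derive the 256-bit Pairwise Master Key (PMK) as
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
(IEEE 802.11i). Two consequences for the discussion above:
  1. The SSID is the salt, so a table precomputed for one SSID says nothing
     about a network with a different name; renaming the SSID to something
     unique defeats any table built in advance.
  2. 4096 HMAC-SHA1 rounds per guess is what makes the dictionary run in
     step 8 take hours; the cost grows linearly with the wordlist size.
Passphrases and SSIDs below are constructed values, except the IEEE 802.11i
Annex H test vector ("password" / "IEEE").
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA-PSK derivation; passphrase and SSID taken as UTF-8."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


def table_reusable_across_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if one precomputed PMK would serve both networks."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def guesses_per_second(ssid: str = "HomeNet", sample: int = 50) -> float:
    """Rough single-core PBKDF2 rate on this machine, to size a wordlist run."""
    t0 = time.perf_counter()
    for i in range(sample):
        derive_pmk(f"constructed-guess-{i}", ssid)   # constructed throwaway guesses
    return sample / (time.perf_counter() - t0)


if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk_hex("password", "IEEE"))
    print("same passphrase reusable between SSIDs 'linksys' and 'HomeNet':",
          table_reusable_across_ssids("correct horse", "linksys", "HomeNet"))
    rate = guesses_per_second()
    print(f"~{rate:.0f} guesses/s here; a 10-million-word list would take "
          f"about {10_000_000 / rate / 3600:.1f} hours on one core")
```

Precomputed WPA tables therefore only exist for a fixed list of popular default SSIDs, and the measured guess rate is the practical argument for a long random passphrase: every extra character of entropy multiplies the attacker's work, while the defender pays the 4096 iterations exactly once at association time.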