
Friday, July 06, 2007

Cracking WPA

1. Get yourself a good Linux distribution and download the newest aircrack-ng suite (www.aircrack-ng.org). Also download Kismet.

I would warmly recommend using back|track because it already has everything installed. Check the cracking WEP tutorial for information about the back|track installation.

2. Put your wireless card in monitor mode.

There are many different ways to do this, and some may not work with your driver or card. I will explain one here: type 'iwconfig' in a terminal to see your wireless interfaces (mine is ath0). After that, type 'iwconfig [interface] mode Monitor' to put your interface in monitor mode.

3. Start Kismet and wait a few seconds for it to find all networks in your area. First press 's' and then 'f' to sort the networks, then navigate to a WPA-enabled network with your arrow keys. Press enter to get more information about the highlighted network. Do this to make sure that the network is really protected with WPA. Also remember which channel the network is running on.

4. Now start airodump, by opening a terminal window (you can use the one from the previous step) and typing:

airodump-ng -c [channel] -w wpa [interface]

5. Airodump will show all networks in the area on the channel you entered. Wait for 'your' network to show up, then wait for a client to connect to that access point. Clients are shown in the list below the list of APs.

6. Open a new terminal window and type:

aireplay-ng --deauth 25 -a [MAC address of the AP*] -c [MAC of the client] [interface]

* The MAC address: The number that airodump calls ‘BSSID’. It usually looks like this: 12:34:45:78:89:56

7. The deauth attack will kick the client off the network and force it to reconnect. During this reconnect airodump captures the so-called 'handshake'. To crack the key, start a new terminal window and keep airodump running. In the new terminal, type the following (wpa-01.cap is the capture file airodump created from the '-w wpa' prefix in step 4):

aircrack-ng -w [full path to dictionary file**] wpa-01.cap

** Search the web for a good dictionary file (try Google with the term “security wordlist”, please post good dictionaries in the comments). If you are using back|track, open a new terminal window and type (HD install only!):

cd /pentest/password/dictionaries
gunzip wordlist.txt.Z

After decompressing, the "full path to dictionary file" is /pentest/password/dictionaries/wordlist.txt.

8. Now wait a long time. This can take hours if you aren't lucky, and if the passphrase isn't in the dictionary you'll never find the key. If the key is found it shows up in aircrack. I'm currently figuring out how rainbow tables work. From what I read these rainbow tables can crack a WPA key in 10 minutes (wow!). Expect a tutorial about how this works within a few days.
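The deauthentication burst in step 6 is also what a network owner can watch for: the forged frames carry the AP's BSSID as source, so they look like the AP kicking its own client, and only the rate makes them stand out. The following detector is an added example (not code from the original post or from the aircrack-ng project). It parses a constructed text log of management frames in a made-up format, '<seconds> <src MAC> <dst MAC> <subtype>', with placeholder MAC addresses, and raises one alert per sender/receiver pair that emits ten or more deauth/disassoc frames inside a two-second window.

```python
"""Flag a deauthentication burst in a constructed 802.11 management-frame log.

Added example, not part of the original post. The log format, MAC addresses
and thresholds are all constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Tuple


class Frame(NamedTuple):
    t: float      # seconds since capture start
    src: str      # transmitter address
    dst: str      # receiver address
    subtype: str  # management frame subtype (beacon, deauth, auth, ...)


def parse_log(text: str) -> List[Frame]:
    """Parse lines of '<seconds> <src> <dst> <subtype>' (constructed format)."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, subtype = line.split()
        frames.append(Frame(float(t), src.lower(), dst.lower(), subtype.lower()))
    return frames


def detect_deauth_flood(frames: List[Frame], threshold: int = 10,
                        window: float = 2.0) -> List[Dict]:
    """Return one alert per (src, dst) pair that sends `threshold` or more
    deauth/disassoc frames inside any `window`-second span.

    A forged deauth carries the AP's BSSID as source, so the burst looks
    like the AP itself kicking the client; the rate is what gives it away.
    """
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict] = {}
    for f in sorted(frames, key=lambda fr: fr.t):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.src, f.dst)
        q = recent[key]
        q.append(f.t)
        while q and f.t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {"src": f.src, "dst": f.dst,
                                            "count": 0, "first": q[0], "last": f.t})
            alert["count"] = max(alert["count"], len(q))
            alert["last"] = f.t
    return list(alerts.values())


def build_sample_log() -> str:
    """Constructed capture: 5 beacons, a burst of 25 deauths (the post's
    '--deauth 25'), then the client reconnecting and starting the handshake."""
    ap = "12:34:45:78:89:56"       # placeholder BSSID in the post's example format
    client = "aa:bb:cc:dd:ee:01"   # placeholder client MAC
    lines = [f"{i * 0.10:.2f} {ap} ff:ff:ff:ff:ff:ff beacon" for i in range(5)]
    lines += [f"{1.0 + i * 0.02:.2f} {ap} {client} deauth" for i in range(25)]
    lines += [f"2.00 {client} {ap} auth",
              f"2.05 {client} {ap} assoc_req",
              f"2.10 {ap} {client} eapol"]   # first message of the 4-way handshake
    return "\n".join(lines)


def build_benign_log() -> str:
    """Constructed capture with a single, normal deauth (client leaving)."""
    ap, client = "12:34:45:78:89:56", "aa:bb:cc:dd:ee:01"
    return "\n".join([f"0.00 {ap} ff:ff:ff:ff:ff:ff beacon",
                      f"5.00 {client} {ap} deauth"])


if __name__ == "__main__":
    for alert in detect_deauth_flood(parse_log(build_sample_log())):
        print(f"deauth flood: {alert['src']} -> {alert['dst']} "
              f"{alert['count']} frames in {alert['last'] - alert['first']:.2f}s")
```

The threshold and window are tuning knobs: a client that simply leaves sends one deauth, so the benign log produces no alert, while the 25-frame burst is reported once with its full count. Rate-based detection like this is the practical defence on 2007-era gear; the protocol-level fix is 802.11w (protected management frames), which authenticates deauth and disassoc frames so forged ones are discarded.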

4 comments:

James said...

Actually, a rainbow table can't be used to crack WPA auth hashes, due to the fact that the hash is salted by the SSID.
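James's point can be shown directly. WPA-PSK derives the pairwise master key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations (IEEE 802.11i), so a precomputed table is only valid for one SSID, and each candidate passphrase costs thousands of HMAC calls, which is why step 8 says to expect hours. The following is an added example, not code from the original post or from any cracking tool; the SSIDs and passphrases in it are constructed except for the published 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""Why WPA-PSK resists generic rainbow tables: the passphrase is stretched with
the SSID as salt. Added example, not part of the original post; all SSIDs and
passphrases below are constructed except the IEEE 802.11i test vector."""
import hashlib

ITERATIONS = 4096   # PBKDF2 iteration count fixed by IEEE 802.11i
PMK_LEN = 32        # bytes


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK for WPA-PSK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def hmac_calls_per_guess() -> int:
    """Work per candidate passphrase: 32 bytes of output need two 20-byte
    SHA-1 blocks, and each block runs 4096 HMAC-SHA1 rounds."""
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)   # ceil(32 / 20) = 2
    return blocks * ITERATIONS


def same_passphrase_two_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two SSIDs yield different PMKs for one passphrase, i.e. a
    table built for ssid_a says nothing about ssid_b."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
    # constructed SSIDs: a common default name versus a unique one
    print("salted by SSID:",
          same_passphrase_two_ssids("hunter2hunter2", "linksys", "MyHomeNet-7f"))
```

Two defensive conclusions follow from the derivation. A table can still be precomputed for one specific SSID, so a unique, non-default network name forces any such work to start from scratch against your network; and because every guess costs 8192 HMAC-SHA1 computations, a long random passphrase that is not in any wordlist is out of reach of the dictionary method in the post regardless of how long the attacker waits.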

Unknown said...

I m a good hacker contact me alexanderwilliam2019@gmail.com

Brackettjames said...

Hello my name is Brackett James I lived in Miami, couple of months ago I and my son moved to a friend’s place in Arizona due to a judgment which was on my rental history but wasn’t recorded on my credit report. I was looking to move out of her apartment and get a new place suited for me and my 6years old son and also start a business but the judgment on my rental history was a hindrance, I contacted Lexington firm for assistance and after paying some amount of money for the service it was like a waste of time. One beautiful morning I decided to check online how I could go through it myself then I came across ALEX having read good reviews about him on different websites, how he deleted negative items on people’s report and raised their scores. I decided to email him on “ALEXGHACKLORD@GMAIL. COM I told him exactly what I want him to do and also told him I already contacted Lexington firm, after series of questions from him and a down payment he started the job and within 1 working days he texted me the job is done and also sent me prove before I complete the payment. They erased the judgment on my rental history and also raised my credit score from 854 to 967 I’m very excited about this breakthrough and now I have a better place for myself and my son. I’m sure most of you have similar problem, contact him now he will be willing to help. He also told me he can fix a Chexsystem and a DUI report as well.